Possible 007guard.com Issues

1 reply to this topic

#1 krehbiel8or

krehbiel8or

  • Members
  • 1 posts
  • OFFLINE

Posted 01 February 2008 - 01:52 PM

I was hunting for spyware...

AVG firewall told me that wgatray.exe was trying to contact Microsoft, which I blocked.
(I still haven't figured out why I have a system process trying to contact Napster every time I power back up from Stand By mode)

so I downloaded and ran Process Explorer, which showed that I'm running some processes that I don't want (like Remote Registry - waiting for the hotfix link for that one)


Under Process Explorer, I found that one of the svchost.exe processes ( 908 if that matters ) had two UDP connections listed:


Protocol: UDP Local Address: freighter:ntp Remote Address: *.* ( btw: freighter is my machine's name )
Protocol: UDP Local Address: 007guard.com:ntp Remote Address: *.* <-- this is the one that concerned me.

I had to edit in the field names for each line since I hardly know how to use blog formatting.


I googled 007guard and found listings of the exe files that are installed as part of that worm. Having checked for those files, I found none installed. I also did a full system scan with AVG Internet Security last night, so I'd be a little surprised to find an infection just after that.


I checked my hosts file, and "127.0.0.1 007guard.com" is my first entry. Is the entry shown above just a result of my hosts file? If so then all is fine, and I've got no worries. :thumbsup:



But if just a little more tech info is needed to see if I've got some weird malware, here's more info:

Hitting the "Stack" button (thread stack at the time port was opened) in Process Explorer gives me this:

ntoskrnl.exe+0x8c36c
ntoskrnl.exe+0x9049a
ntoskrnl.exe+0x98a23
ntoskrnl.exe!IoCreateFile+0x4f
ntoskrnl.exe!NtCreateFile+0x30
ntoskrnl.exe!ZwYieldExecution+0xb78
ntoskrnl.exe!ZwCreateFile+0x11
netbt.sys+0x1f785
netbt.sys+0xc368
netbt.sys+0x20049
netbt.sys+0x1deeb
TDI.SYS+0x1bd7


Hoping that this is at least nominally clear, thanks for your help!
-Scott

Edit: Moved topic to the more appropriate forum. ~ Animal
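An added example (mine, not from this thread) of how a hosts-file entry can produce the label the poster saw. It assumes the second listener is bound to 127.0.0.1 and that the address-to-name display consults the hosts file, where the first name listed for an address wins; the hosts file contents, the LAN address and the port table are constructed.

```python
import ipaddress

# Constructed sample hosts file (not the poster's actual file), modelled on the
# blocklist-style entry the poster describes: 127.0.0.1 007guard.com comes first.
SAMPLE_HOSTS = """\
127.0.0.1       007guard.com
127.0.0.1       www.007guard.com
127.0.0.1       localhost
192.168.1.10    freighter   # constructed LAN address for the machine named freighter
"""

# Tiny port-to-service table standing in for the services database (123/udp is ntp).
SERVICE_NAMES = {123: "ntp", 137: "netbios-ns", 138: "netbios-dgm"}

def parse_hosts(text):
    """Return the hosts file as an ordered list of (ip, name) pairs, comments stripped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name) for name in names)
    return entries

def reverse_lookup(entries, ip):
    """Name displayed for an address: the first hosts entry for it wins, so a socket
    bound to 127.0.0.1 is labelled with the first blocklisted name, not 'localhost'."""
    for entry_ip, name in entries:
        if entry_ip == ip:
            return name
    return ip

def render_endpoint(entries, ip, port, remote="*.*"):
    """Render one socket the way the poster's Process Explorer lines read."""
    service = SERVICE_NAMES.get(port, str(port))
    return f"Local Address: {reverse_lookup(entries, ip)}:{service} Remote Address: {remote}"

def is_hosts_file_artifact(entries, ip, remote="*.*"):
    """True when the alarming name is only a label: the socket is bound to loopback,
    has no remote peer (a listener, not a connection), and the hosts file maps that
    loopback address to some name."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback and remote == "*.*" and reverse_lookup(entries, ip) != ip

HOSTS = parse_hosts(SAMPLE_HOSTS)
```

The check that matters is the underlying address and the absence of a remote peer: a loopback listener wearing a blocklisted name is a label, while a real connection would show a remote address rather than *.*.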

#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio

Posted 01 February 2008 - 02:14 PM

"I also did a full system scan with AVG Internet Security last night, so I'd be a little surprised to find an infection just after that."

I wouldn't be surprised at all. In fact, you probably do. I would recommend going to the Hijack This forum, reading the Preparation guide, and taking it from there.
Mark

Edited by garmanma, 01 February 2008 - 02:17 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits