Unknown Connection found in Netstat -A -B Parameter


13 replies to this topic

#1 InsufficientFunds (Members, 58 posts)

Posted 14 February 2016 - 01:38 AM

I'm not sure about this, and what it is. After checking my ports, apparently there is a loopback connection on 127.0.0.1 and dead route 0.0.0.0 connecting to the foreign address anchorfree:0 and I want to get rid of it, permanently.

I have used Hotspot Shield Elite VPN in the past, and I have since uninstalled it completely from my system.

However, I do not know why it still has its company name embedded into my system and I do not know how to remove it.

Does anybody else have the same anchorfree:0 port showing?

[screenshot]

This is so strange. I'm even bewildered.


Edited by hamluis, 14 February 2016 - 08:32 AM.
Moved from Win 7 to Networking - Hamluis.

HP Pavilion dv6t-7k Custom Windows 7 Professional x64 iPhone 6, iOS 9.2 (awaiting jailbreak) 

 

Cyber Security Instructor in Linux, Cisco Networking Academy and  Windows (XP thru 10, Servers)

 

I try to make my tomorrow better than yesterday.



#2 shelf life (Malware Response Team, 2,646 posts)

Posted 14 February 2016 - 10:09 AM

From an elevated cmd prompt, copy/paste or type in what's below and hit enter. Do you see any hot shield or anchorfree listed?

netsh winsock show catalog


How Can I Reduce My Risk to Malware?


#3 InsufficientFunds (Topic Starter, Members, 58 posts)

Posted 14 February 2016 - 12:12 PM

> From an elevated cmd prompt, copy/paste or type in what's below and hit enter. Do you see any hot shield or anchorfree listed?
>
> netsh winsock show catalog

I piped it out for you to take a look at too, but I cannot see anything related to anchorfree, or hotspot shield for that matter.

[spoiler block]

Do you think resetting the winsock catalog is a good idea?

EDIT: I reset it and no luck with a script I made, along with numerous other settings... Still showing it in netstat.

Any other ideas?


Edited by InsufficientFunds, 14 February 2016 - 12:39 PM.



#4 InsufficientFunds (Topic Starter, Members, 58 posts)

Posted 14 February 2016 - 03:59 PM

Someone please do help. I mean there has to be someone better than me out there to figure this out. Seriously.




#5 shelf life (Malware Response Team, 2,646 posts)

Posted 14 February 2016 - 04:12 PM

Have you looked in the Windows services panel to see if some service failed to uninstall? Isn't it ad-supported also? Maybe something else to remove via the Add/Remove Programs panel?

 




#6 Demonslay335 (Ransomware Hunter, Security Colleague, 3,430 posts)

Posted 14 February 2016 - 04:18 PM

You could also try having netstat list the PID so you can track the process in Task Manager. You can then use ProcessMonitor to see the call stack of what called that executable (particularly if it is just a system process being called by another).

netstat -a -b -o

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 InsufficientFunds (Topic Starter, Members, 58 posts)

Posted 15 February 2016 - 03:04 AM

> Have you looked in the Windows services panel to see if some service failed to uninstall? Isn't it ad-supported also? Maybe something else to remove via the Add/Remove Programs panel?

I can assure you that those have been the places I've checked far before I would post here. Almost insulting, lol. Take no offense, I appreciate it. Great minds think alike.

HSS is ad-supported if you do not purchase the VPN's elite service.

As of now, it seems to me that anchorfree has hooked into the executables bolded below...

After some analysis, the ports 135 (Distributed Computing Environment (DCE)), 49154 and all other pre-49 numbers are nonsensical. The 9990 and 1001 after are also no good news.

I will check the call stacks now.

EDIT: Apparently this holds some truth since procmon crashed instantly on launch... Procmon is not compatible with my version of Windows. Also, apparently, a 64-bit version is included in the procmon.exe file, bound in. I attempted to extract it, and the file does not work anyway.

[screenshot]

This looks like an infection, but I can assure you, no infection here.

[screenshot]

[screenshot]

[spoiler block]


Edited by InsufficientFunds, 15 February 2016 - 03:33 AM.



#8 shelf life (Malware Response Team, 2,646 posts)

Posted 15 February 2016 - 05:20 PM

 

> Procmon is not compatible

How about Process Hacker?




#9 InsufficientFunds (Topic Starter, Members, 58 posts)

Posted 16 February 2016 - 02:03 AM

 

 

> > Procmon is not compatible
>
> How about Process Hacker?

Process Hacker for finding the handles?... I have Process Hacker. Do you mean I must look through all the handles to find something related?




#10 shelf life (Malware Response Team, 2,646 posts)

Posted 21 February 2016 - 11:59 AM

Sorry, been offline for a while. I was suggesting Process Hacker in place of Procmon. Apparently you already have it.




#11 Demonslay335 (Ransomware Hunter, Security Colleague, 3,430 posts)

Posted 21 February 2016 - 12:37 PM

I would suspect a network filter driver, very common to be left behind by VM or VPN software. Check the Network Connection Properties for your NIC for anything that doesn't belong.

 

Is there any trace of a folder or registry value left behind? You could use a trial of Revo Pro to search for anything that wasn't removed by the uninstaller.


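To make the checks suggested in #2, #5 and #11 repeatable, here is an added Windows PowerShell example. It is not from the thread and not from Revo or any other tool mentioned in it. It sweeps the Winsock catalog (what `netsh winsock show catalog` prints), services and kernel-mode drivers, the network component classes behind a NIC's Properties dialog, and the Add/Remove Programs registry entries for a keyword. The default regex in `$Pattern` is a constructed placeholder for the product removed in this thread; `Search-RegistryTree` and `Find-ProductRemnants` are names chosen here; the class GUIDs are the standard Windows network setup classes (NetService, NetTrans, NetClient). It uses `Get-WmiObject`, so it targets Windows PowerShell 5.1 and earlier, the Windows 7 era of the thread.

```powershell
# Added example, not code from the thread. Sweeps the locations the replies point at
# for remnants of an uninstalled network product. Run from an elevated prompt so that
# every service, driver and registry key is readable.
param([string]$Pattern = 'anchorfree|hotspot ?shield|\bhss')   # constructed default keyword regex

function Search-RegistryTree {
    param([string]$Path, [string]$Pattern)
    # Walks a registry subtree and reports keys whose name or any string value matches $Pattern.
    $root = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $root) { return }
    $keys = @($root) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $hits = @()
        foreach ($name in $key.GetValueNames()) {
            $v = $key.GetValue($name)
            if ($v -is [string] -and $v -match $Pattern) { $hits += "$name=$v" }
        }
        if (($key.PSChildName -match $Pattern) -or $hits.Count -gt 0) {
            [pscustomobject]@{ Area = 'Registry'; Item = $key.Name; Detail = ($hits -join '; ') }
        }
    }
}

function Find-ProductRemnants {
    param([string]$Pattern)

    # 1. Winsock LSP / namespace providers: the same list "netsh winsock show catalog" prints (#2).
    netsh winsock show catalog 2>$null | Where-Object { $_ -match $Pattern } | ForEach-Object {
        [pscustomobject]@{ Area = 'WinsockCatalog'; Item = $_.Trim(); Detail = '' }
    }

    # 2. Services and kernel drivers (#5): a VPN typically leaves a TAP adapter or NDIS filter driver here.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-WmiObject -Class $class | Where-Object {
            "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern
        } | ForEach-Object {
            [pscustomobject]@{ Area = $class; Item = $_.Name; Detail = "$($_.State), $($_.StartMode): $($_.PathName)" }
        }
    }

    # 3. Network component classes behind the NIC Properties dialog (#11): NetService holds
    #    filters/services, NetTrans protocols, NetClient clients; Control\Network holds bindings.
    $netClassGuids = @(
        '{4D36E974-E325-11CE-BFC1-08002BE10318}',   # NetService
        '{4D36E975-E325-11CE-BFC1-08002BE10318}',   # NetTrans
        '{4D36E973-E325-11CE-BFC1-08002BE10318}'    # NetClient
    )
    foreach ($guid in $netClassGuids) {
        Search-RegistryTree -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$guid" -Pattern $Pattern
    }
    Search-RegistryTree -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Network' -Pattern $Pattern

    # 4. Add/Remove Programs entries, both the 64-bit and the 32-bit (Wow6432Node) views.
    foreach ($u in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
        Search-RegistryTree -Path $u -Pattern $Pattern
    }
}

$results = @(Find-ProductRemnants -Pattern $Pattern)
if ($results.Count -eq 0) {
    "No remnants matching '$Pattern' found in the swept locations."
} else {
    $results | Format-Table Area, Item, Detail -AutoSize -Wrap
}
```

A hit in the Win32_SystemDriver area or under the NetService class is the "network filter driver" case from #11; a hit in WinsockCatalog is what #2 asked about. An empty result from this sweep, while the name still appears in netstat output, is the cue to stop hunting for leftover software and look at name resolution instead.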


#12 InsufficientFunds (Topic Starter, Members, 58 posts)

Posted 21 February 2016 - 01:45 PM

> I would suspect a network filter driver, very common to be left behind by VM or VPN software. Check the Network Connection Properties for your NIC for anything that doesn't belong.
>
> Is there any trace of a folder or registry value left behind? You could use a trial of Revo Pro to search for anything that wasn't removed by the uninstaller.

These are all great ideas, people.

[screenshot]

No traces on the Pro version.

Are these the networking properties you mention?

[screenshot]

EDIT:

Solution found, perhaps it's these host entries I've made a while ago, lol. That's where these Windows processes like lsass and svchost are reading the values from.

[screenshot]


Edited by InsufficientFunds, 21 February 2016 - 01:48 PM.

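The thread's own diagnosis, carried into a script: the following Windows PowerShell example is added here and is not from the thread or from any tool named in it. It ties together the `netstat -a -b -o` suggestion in #6 and the hosts-file finding in #12. Without `-n`, netstat reverse-resolves every address it prints, and that lookup goes through the hosts file before DNS, so an entry that maps 0.0.0.0 or 127.0.0.1 to a name makes ordinary listening sockets appear to point at that name. The script parses the numeric output instead, maps each owning PID to its process, and marks any address that has a hosts-file alias. The hosts lines and netstat rows in the sample are constructed, and the function names are chosen here; it needs Windows PowerShell 3 or later.

```powershell
# Added example, not code from the thread. Explains the "anchorfree:0" display by
# correlating numeric netstat output with the hosts file and the owning processes.

function ConvertFrom-HostsFile {
    param([string[]]$Lines)
    # Returns a hashtable: address -> array of names declared for it in the hosts file.
    $map = @{}
    foreach ($line in $Lines) {
        $clean = ($line -split '#', 2)[0].Trim()          # strip comments
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $addr = $parts[0]
        if (-not $map.ContainsKey($addr)) { $map[$addr] = @() }
        $map[$addr] += $parts[1..($parts.Count - 1)]
    }
    return $map
}

function ConvertFrom-NetstatNumeric {
    param([string[]]$Lines)
    # Parses the table rows of "netstat -a -n -o". UDP rows carry no State column,
    # so that group is optional; header and blank lines do not match and are skipped.
    foreach ($line in $Lines) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            [pscustomobject]@{
                Proto    = $Matches[1]
                Local    = $Matches[2]
                Foreign  = $Matches[3]
                State    = $Matches[4]
                OwnerPid = [int]$Matches[5]
            }
        }
    }
}

function Get-AddressPart {
    param([string]$Endpoint)
    # "127.0.0.1:135" -> "127.0.0.1"; "[::]:135" -> "::"; "*:*" -> "*"
    $i = $Endpoint.LastIndexOf(':')
    if ($i -lt 0) { return $Endpoint }
    return $Endpoint.Substring(0, $i).Trim('[', ']')
}

function Get-AnnotatedSockets {
    param([string[]]$NetstatLines, [string[]]$HostsLines)
    $aliases = ConvertFrom-HostsFile -Lines $HostsLines
    foreach ($row in (ConvertFrom-NetstatNumeric -Lines $NetstatLines)) {
        $proc  = Get-Process -Id $row.OwnerPid -ErrorAction SilentlyContinue
        $lAddr = Get-AddressPart -Endpoint $row.Local
        $fAddr = Get-AddressPart -Endpoint $row.Foreign
        $localAlias   = if ($aliases.ContainsKey($lAddr)) { $aliases[$lAddr] -join ',' } else { '' }
        $foreignAlias = if ($aliases.ContainsKey($fAddr)) { $aliases[$fAddr] -join ',' } else { '' }
        $procName     = if ($proc) { $proc.ProcessName } else { '(not running / no access)' }
        [pscustomobject]@{
            Proto        = $row.Proto
            Local        = $row.Local
            Foreign      = $row.Foreign
            State        = $row.State
            OwnerPid     = $row.OwnerPid
            Process      = $procName
            LocalAlias   = $localAlias      # name "netstat -a" would print instead of the local address
            ForeignAlias = $foreignAlias    # same for the foreign address: the "anchorfree:0" effect
        }
    }
}

# --- Constructed sample (not real output from the thread) to show the effect offline ---
$sampleHosts = @(
    '127.0.0.1    localhost',
    '0.0.0.0      anchorfree.example    # constructed ad-block style entry'
)
$sampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       808',
    '  TCP    127.0.0.1:49154        0.0.0.0:0              LISTENING       528',
    '  UDP    0.0.0.0:500            *:*                                    1100'
)
Get-AnnotatedSockets -NetstatLines $sampleNetstat -HostsLines $sampleHosts | Format-Table -AutoSize
# Both TCP rows get ForeignAlias = anchorfree.example: "netstat -a" would render their
# 0.0.0.0:0 foreign end as anchorfree.example:0, the symptom described in the thread.

# --- Live run against this machine (elevate so every PID maps to a process name) ---
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-AnnotatedSockets -NetstatLines (netstat -a -n -o) -HostsLines (Get-Content $hostsPath) |
    Where-Object { $_.LocalAlias -or $_.ForeignAlias } |
    Format-Table -AutoSize
```

The quick manual version of the same check is to run `netstat -a -n -o` and see whether the name disappears: if it does, the name came from resolution (hosts file or DNS) and says nothing about what is listening. The OwnerPid and Process columns are the real ownership evidence, which is the point of the `-o` switch in #6.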


#13 Demonslay335 (Ransomware Hunter, Security Colleague, 3,430 posts)

Posted 21 February 2016 - 01:56 PM

Haha, that was almost my next idea. Of course it had to be simple. :)



#14 InsufficientFunds (Topic Starter, Members, 58 posts)

Posted 21 February 2016 - 01:59 PM

> Haha, that was almost my next idea. Of course it had to be simple. :)

I'm sure it was. You should have figured it out before me. Lol.

How did I figure that out? I have no idea. It just happened.

I literally sat here for a few minutes trying to determine how it hit me aside the head.






