Passwords being stolen?

#16 RKinner (Malware Expert, 24,331 posts, MVP)

Close all browsers.  Wait 5 minutes for all connections to time out.

Search for

cmd

Run As Administrator

Type: 

netstat -bn

hit Enter

Should look something like:

Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    192.168.68.128:49202   20.25.241.18:443       ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    192.168.68.128:49722   37.156.185.137:443     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.68.128:50691   108.174.10.24:443      CLOSE_WAIT
 [SearchApp.exe]
  TCP    192.168.68.128:50729   184.28.224.185:443     CLOSE_WAIT
 [SearchApp.exe]
  TCP    192.168.68.128:50765   142.250.217.238:443    ESTABLISHED
 [brave.exe]
  TCP    192.168.68.128:50766   172.217.3.78:443       ESTABLISHED
 [brave.exe]
  TCP    192.168.68.128:50772   172.217.2.202:443      ESTABLISHED
 [brave.exe]
  TCP    192.168.68.128:50773   172.217.2.202:443      ESTABLISHED
 [brave.exe]
  TCP    192.168.68.128:50784   172.67.159.116:80      ESTABLISHED
 [brave.exe]
  TCP    192.168.68.128:50885   34.210.188.234:443     CLOSE_WAIT
 [brave.exe]
  TCP    192.168.68.128:50887   142.250.64.229:443     TIME_WAIT
  TCP    192.168.68.128:59062   77.234.42.239:80       ESTABLISHED
 Can not obtain ownership information
 
You may want to copy and paste the result into notepad and print it out since things will change once you open a browser
 
 
Take the 2nd IP address (ignore the colon and anything after the colon) from each line that says ESTABLISHED example from first line: 20.25.241.18
Go to https://whois.domaintools.com/ in your browser
 
put the IP address in the search box (not up top in the URL box) and search for it.  You may have to check that you are not a robot but eventually it will tell you who owns the IP address.  In my example it tells me the owner is:
 
IP Location United States United States Chicago Microsoft Corporation
ASN United States AS8075 MICROSOFT-CORP-MSN-AS-BLOCK, US (registered Mar 31, 1997)
 
so it's just a Microsoft connection and thus nothing suspicious.  If it were something suspicious you can just look at the entry below the line which tells you what program is using the connection and we can hunt it down and kill it.  (In my example I didn't wait for things to time out and I have my browser up so there are more entries than you will get)  (The bottom line where it says:  Can not obtain ownership information is just Avast being sneaky)
 
The second time you search for an IP address you can use the little box near the top that says  Whois lookup.  Go through all of the ESTABLISHED lines the same way and verify that you know  the owner.
 
Once you know things are good without a browser then try again with the browser but only go to one site like google.com.   Any extensions in your browser may have their own connections but will show up as coming from the browser so you may want to try with all extensions disabled then enable extensions and see what changes.
 
This is a way of making sure nothing is secretly connecting to an outside party.  Really works too.  When I did this the first time I found a connection to AnyDesk.  This is a remote control program I was using to talk to a friend's old computer and I forgot to remove the program after I finished with it.
 
 
 
 


#17 isolationary (Member, Topic Starter, 65 posts)

So I started to do what you said and immediately ran into some problems. (Also Google said it logged me out of my email because it says it still thinks I have malware on my PC.)

 

I ran the cmd prompt and got a BILLION lines that said:

 

TCP    127.0.0.1:60967        127.0.0.1:49350        TIME_WAIT

 

before I finally got one that said:

 

TCP    127.0.0.1:64182        127.0.0.1:27060        ESTABLISHED

 

When I ran it through whois it said:

NetRange:       127.0.0.0 - 127.255.255.255
CIDR:           127.0.0.0/8
NetName:        SPECIAL-IPV4-LOOPBACK-IANA-RESERVED
NetHandle:      NET-127-0-0-0-1
Parent:          ()
NetType:        IANA Special Use
OriginAS:       
Organization:   Internet Assigned Numbers Authority (IANA)
RegDate:        
Updated:        2013-08-30
Comment:        Addresses starting with "127." are used when one program needs to talk to
another program running on the same machine using the Internet
Comment:        Protocol.  127.0.0.1 is the most commonly used address and is called the
"loopback" address.
Comment:        
Comment:        These addresses were assigned by the IETF, the organization that develops
Internet protocols, in the Standard document, RFC 1122, which can  
Comment:        be found here:
Comment:        http://datatracker.i...org/doc/rfc1122
Ref:            https://rdap.arin.ne...ry/ip/127.0.0.0

OrgName:        Internet Assigned Numbers Authority
OrgId:          IANA
Address:        12025 Waterfront Drive
Address:        Suite 300
City:           Los Angeles
StateProv:      CA
PostalCode:     90292
Country:        US
RegDate:        
Updated:        2012-08-31
Ref:            https://rdap.arin.ne...try/entity/IANA

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   ICANN
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  
OrgAbuseRef:    https://rdap.arin.ne...ty/IANA-IP-ARIN

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   ICANN
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:

 

I then started to go down the list and got about 4-5 more IPs in before whois said I cannot check any more without buying a subscription to the service. Should I copy-paste the before and after netstat logs?



#18 isolationary (Member, Topic Starter, 65 posts)

So I got this guy who I couldn't trace back (I switched to NordVPN's IP lookup tool):

 

 Can not obtain ownership information
 34.117.122.6:443       ESTABLISHED

These also came up with nothing:

52.33.84.190

104.17.49.74

204.79.197.222


Edited by isolationary, 29 June 2022 - 03:33 PM.


#19 RKinner (Malware Expert, 24,331 posts, MVP)

Once a connection drops it sits in Time_Wait for a minute or so and then should be removed automatically.  That's why I said to wait 5 minutes after you close your browser before doing this.

 

127.0.0.1 is a loopback port.  Some process is using TCP/IP to connect to another local process.  Did it say on the next line which process that was?

 

Sorry for the bad Whois link.  Didn't realize it had a limit.  As an alternative you can just put the IP address in a Google Search box and read a few of the hits.

 

 34.117.122.6 Google Cloud

 

52.33.84.190  Amazon

104.17.49.74  Nord VPN or Cloudflare  supposedly safe per VirusTotal but what process does it say on the next line?

204.79.197.222 Microsoft



#20 isolationary (Member, Topic Starter, 65 posts)

Yeah, I set a timer for five minutes and it still gave me those TIME_WAIT things, so I ran it again today. I didn't see anything suspicious really. A lot of stuff when my browser opened, but it was mostly Google or Amazon. I also got this:

 

151.101.193.21 

 

This is from Fastly? I'm not sure what that is, but a quick Google search shows it's some company I assume is associated with networking and not malicious. But otherwise everything looks legit. I also uninstalled my Firefox browser and then installed a new version and signed in, and I don't seem to be getting Gmail malicious software warnings anymore when I try to sign in, so I'm wondering if it didn't hijack the browser I was using. All of my Firefox IP addresses seem to be legit now? I'm still a bit anxious about it, but nobody seems to have logged into any of my stuff the last day or so and I've regained control of my Duolingo account.



#21 RKinner (Malware Expert, 24,331 posts, MVP)

You are running netstat -BN (caps don't matter but it's easier to read).  Right?

 

I seldom get very many time_waits so I wonder why.  If you click on the Start button to get the menu of programs do you see a lot of Microsoft's little windows like News, Sports, Weather, Office, various games?

I've gone in and removed all of the little windows since I have no use for them and they just waste bandwidth and CPU cycles.  (Just right click on them and there should be an option to remove them)  Also if you see little pictures down in the Search Box these can be removed by right clicking then Search and uncheck Show Search Highlights.  Also some of Microsoft's spyware may be active:

 

Search for
 
task scheduler
 
When it finds it, right click and Run As Administrator
 
Click on the arrow in front of Task Scheduler Library then
 
Click on the arrow in front of Microsoft
 
Click on the arrow in front of Windows
 
Click on Application Experience.  In the next pane to the right, right click on each Task and Delete.  Should be three or four (later versions) tasks.
 
Click on Customer Experience Improvement Program.  In the next pane to the right, right click on each Task and Delete.  Should be two tasks.
 
Close Task Scheduler.
 
 
Download OOSU10.exe:
 
 
Download and Save it (You will get a popup while it's downloading.  You can X out of it)
then go to the Download folder and Right click on the downloaded file and Run As Admin.
Allow it to make a System Restore Point.
Click on Actions then on Apply Recommended Settings.
 
Close the program and reboot.
 
Do you still see a lot of time-waits?


#22 isolationary (Member, Topic Starter, 65 posts)

I did as you suggested and I'm still getting a ton of TIME_WAITs. It says it's from esrv_svc.exe, svchost.exe and SearchApp.exe mostly.

 

When I run a netstat -bn after I open Firefox it also (firefox.exe) has a large number of TIME_WAITs.

 

When I run the ESTABLISHED IPs through the NordVPN IP lookup they seem to be reputable.


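As an added example that is not part of this thread or from either poster, the following Python script does the bookkeeping behind RKinner's netstat -bn procedure in post #16, the loopback point in post #19, and the per-process TIME_WAIT counts isolationary reports in post #22. It parses a saved netstat -bn listing (the process or service name sits on the line after each connection, or the "Can not obtain ownership information" message does), separates loopback and LAN peers from Internet peers, returns the deduplicated list of Internet addresses on ESTABLISHED connections together with the process netstat attributed to each (the list to run through a whois or IP lookup), and counts entries per state and process so it is easy to see which program is piling up TIME_WAITs. It performs no lookups itself, so it runs offline. The sample input is constructed from the listing quoted in post #16 plus one loopback line whose process name is a made-up placeholder; everything else in the script is my own code.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the "netstat -bn" listing quoted in post #16,
# plus one loopback connection (its process name is a made-up placeholder).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.68.128:49202   20.25.241.18:443       ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    192.168.68.128:49722   37.156.185.137:443     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.68.128:50691   108.174.10.24:443      CLOSE_WAIT
 [SearchApp.exe]
  TCP    192.168.68.128:50765   142.250.217.238:443    ESTABLISHED
 [brave.exe]
  TCP    192.168.68.128:50887   142.250.64.229:443     TIME_WAIT
  TCP    127.0.0.1:64182        127.0.0.1:27060        ESTABLISHED
 [placeholder_local_app.exe]
"""

NO_OWNER = "Can not obtain ownership information"
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str                      # empty for UDP entries, which have no state
    process: Optional[str] = None   # from the "[name.exe]" line, or NO_OWNER
    service: Optional[str] = None   # optional service-name line, e.g. WpnService


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -bn output: a connection line, optionally a service name,
    then either a "[process]" line or the ownership-unavailable message."""
    conns: List[Conn] = []
    current: Optional[Conn] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Active Connections" or line.startswith("Proto"):
            continue
        m = CONN_RE.match(raw)
        if m:
            proto, local, foreign, state = m.groups()
            current = Conn(proto, local, foreign, state or "")
            conns.append(current)
            continue
        if current is None:
            continue  # stray text before the first connection line
        m = PROC_RE.match(raw)
        if m:
            current.process = m.group(1)
        elif line == NO_OWNER:
            current.process = NO_OWNER
        else:
            current.service = line
    return conns


def foreign_ip(conn: Conn) -> str:
    """Drop the port (text after the last colon); IPv6 peers appear in brackets."""
    host, _, _port = conn.foreign.rpartition(":")
    return host.strip("[]")


def classify(ip_text: str) -> str:
    """loopback = same machine (127.x / ::1); lan = private or link-local; internet = look it up."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "not-an-address"   # e.g. the "*" in a UDP "*:*" entry
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "internet"


def addresses_to_look_up(conns: List[Conn]) -> List[Tuple[str, List[str]]]:
    """Deduplicated Internet peers of ESTABLISHED connections, each with the
    process(es) netstat attributed to it: the list to run through whois."""
    owners = {}
    for c in conns:
        if c.state != "ESTABLISHED" or classify(foreign_ip(c)) != "internet":
            continue
        owners.setdefault(foreign_ip(c), set()).add(c.process or "unknown")
    return [(ip, sorted(procs)) for ip, procs in owners.items()]


def state_counts_by_process(conns: List[Conn]) -> Counter:
    """Entries per (state, process), e.g. which program is piling up TIME_WAITs."""
    return Counter((c.state, c.process or "unknown") for c in conns)


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for ip, procs in addresses_to_look_up(parsed):
        print(f"look up {ip:16} reported owner: {', '.join(procs)}")
    for (state, proc), n in sorted(state_counts_by_process(parsed).items()):
        print(f"{state:12} {proc:36} {n}")
```

To use it on a real machine, redirect the listing to a file (netstat -bn > conns.txt from an elevated prompt) and pass the file's contents to parse_netstat instead of the sample; loopback and LAN peers are left out of the lookup list on purpose, since those are the 127.0.0.1 entries that led to the IANA whois record in post #17.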

#23 RKinner (Malware Expert, 24,331 posts, MVP)

esrv_svc.exe is part of

 

Intel® Driver & Support Assistant 

 

which never worked well.  I would uninstall it and see if that cuts down the number of time_waits.



#24 isolationary (Member, Topic Starter, 65 posts)

Yeah, that cleared up the TIME_WAITs significantly (by pages' worth). Now it's a lot more manageable to navigate. Triple-checked the IP addresses and everything looks legit. I also haven't had any of my passwords cracked or accounts logged into in the last couple days, so I'm hoping we finally got it. Thanks so much for all your help and being thorough.

