# Explain the 127.xxxx.xxx universe



## sigman (Mar 30, 2011)

I've been using Hitman Pro for several years. Its sole function is to remove tracking cookies that accumulate in your browser, and it will also remove some malware. I first came across it when I watched an online support service do virus removal on my machine. They ran the software after the main AV run. I have a licensed version. It is from Sophos, which I understand is a big network security company.

Recently it started failing and I called support. They couldn't fix it and started poking around. They ran some IP scan program and came up with a bunch of 127 IPs. They circled two and said these indicated that someone had access to my computer, and wanted $100 to fix it and provide a year of online support. I said that was a lot of money and I'm going to get a second opinion. It was like pulling taffy to get them to hang up.

Gibson Research Company, a long-time vendor in hardware and security, has an online test called Shields Up! Basically, it runs tests on 1024 ports to see if any are susceptible to penetration. My scan came up perfect.

So two questions. How do you determine if someone has access to your computer and what is the function of the 127 domain?


----------



## tristar (Aug 12, 2008)

The 127.X.X.X is a localhost or loopback IP address, so any request which goes to the host name (website) defined in the hosts file is circled back to your local host, thereby restricting access to the application. This is usually used to block unwanted sites/background internet activities and is done through the hosts file.

If someone has access to your computer, unless they actually move their mouse when you're using it or delete any files, there is no way for a novice or someone with basic technical skills to figure it out.

First step, don't download or install apps just because they were used by someone. Some tools are intended for specific purposes and not recommended for the average home user. That being said, post the 2 IP addresses identified by them, chances are they picked it up from the hosts file.

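The hosts-file mechanism described above (a name resolved to 127.0.0.1 never leaves the machine) is also the thing worth checking when a "127 address" comes up in a support call: a loopback entry for an ad server is a blocklist, a loopback entry for an antivirus or update domain is how malware switches protection off, and a non-loopback entry for a bank is a redirect. The following audit script is an added example, not code from this thread or from any of the products named in it. `SAMPLE_HOSTS` is a constructed file, and `SENSITIVE_SUFFIXES` is an assumed watch list you would tune to the vendors you actually use. The Windows hosts file lives at `C:\Windows\System32\drivers\etc\hosts`; pass that path as the first argument to audit the real one.

```python
"""Audit a hosts file: loopback sinkholes, and redirects away from 127.0.0.1.

Added example; not code from the original thread. SAMPLE_HOSTS is constructed
and SENSITIVE_SUFFIXES is an assumed watch list (tune it to your environment).
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# ASSUMED watch list: update/AV domains that malware sinkholes to loopback to
# disable protection, plus a site where a redirect would mean phishing.
SENSITIVE_SUFFIXES = ("windowsupdate.com", "update.microsoft.com",
                      "malwarebytes.com", "avast.com", "onlinebanking.example")

# Names that normally point at loopback on a stock install.
DEFAULT_NAMES = ("localhost", "localhost.localdomain", "broadcasthost")

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.   (constructed sample, not a real file)
127.0.0.1       localhost
::1             localhost
# ad-blocking list entries: harmless
0.0.0.0         ads.example.net  tracker.example.org   # two aliases, trailing comment
127.0.0.1       doubleclick.example
# the next two are the kind of entry worth asking about
127.0.0.1       update.malwarebytes.com
203.0.113.7     onlinebanking.example
garbage line without an address
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs. Handles full-line and trailing '#' comments,
    blank lines and the one-address-many-aliases form; unparseable lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def is_sensitive(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def classify(ip: str, host: str) -> str:
    """default | sinkhole | sinkhole-sensitive | redirect | redirect-sensitive"""
    addr = ipaddress.ip_address(ip)
    # 127.0.0.0/8, ::1 and 0.0.0.0 all make the name unreachable (a sinkhole).
    if addr.is_loopback or addr.is_unspecified:
        if host in DEFAULT_NAMES:
            return "default"
        return "sinkhole-sensitive" if is_sensitive(host) else "sinkhole"
    # Anything else sends traffic for that name to a chosen address.
    return "redirect-sensitive" if is_sensitive(host) else "redirect"


def audit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group every entry by its classification."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for ip, host in parse_hosts(text):
        report.setdefault(classify(ip, host), []).append((ip, host))
    return report


def suspicious(text: str) -> List[Tuple[str, str, str]]:
    """Entries a practitioner should ask about, in file order:
    sinkholed watch-list names, and every redirect away from loopback."""
    out = []
    for ip, host in parse_hosts(text):
        cat = classify(ip, host)
        if cat in ("sinkhole-sensitive", "redirect", "redirect-sensitive"):
            out.append((ip, host, cat))
    return out


if __name__ == "__main__":
    # Usage: python hosts_audit.py C:\Windows\System32\drivers\etc\hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for ip, host, cat in suspicious(text):
        print(f"{cat:20} {ip:16} {host}")
```

Run against the constructed sample, the two flagged lines are the sinkholed `update.malwarebytes.com` entry and the `onlinebanking.example` redirect; the `0.0.0.0` ad-server lines are reported as ordinary sinkholes, which is what a blocklist looks like and is not by itself a sign of intrusion.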

----------



## sigman (Mar 30, 2011)

After ending the call I reran the scan command myself but unfortunately didn't save it. I did save the results in a text file. I'd attach it but I don't see that option so here it is.
```
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING
CDPSvc
[svchost.exe]
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING
DoSvc
[svchost.exe]
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING
EventLog
[svchost.exe]
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING
Schedule
[svchost.exe]
TCP 0.0.0.0:49673 0.0.0.0:0 LISTENING
[spoolsv.exe]
TCP 0.0.0.0:50881 0.0.0.0:0 LISTENING
[OneDrive.exe]
TCP 0.0.0.0:54940 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:54954 0.0.0.0:0 LISTENING
[lsass.exe]
TCP 0.0.0.0:58091 0.0.0.0:0 LISTENING
[mms_mini.exe]
TCP 127.0.0.1:668 0.0.0.0:0 LISTENING
[carboniteservice.exe]
TCP 127.0.0.1:668 LAPTOP-HNTDIHSC:51018 ESTABLISHED
[carboniteservice.exe]
TCP 127.0.0.1:668 LAPTOP-HNTDIHSC:51019 ESTABLISHED
[carboniteservice.exe]
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
[mDNSResponder.exe]
TCP 127.0.0.1:5354 LAPTOP-HNTDIHSC:49675 ESTABLISHED
[mDNSResponder.exe]
TCP 127.0.0.1:5354 LAPTOP-HNTDIHSC:54936 ESTABLISHED
[mDNSResponder.exe]
TCP 127.0.0.1:5905 LAPTOP-HNTDIHSC:54941 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:5905 LAPTOP-HNTDIHSC:54943 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:5905 LAPTOP-HNTDIHSC:54944 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:5905 LAPTOP-HNTDIHSC:54945 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:5905 LAPTOP-HNTDIHSC:54946 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:5905 LAPTOP-HNTDIHSC:54947 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:5905 LAPTOP-HNTDIHSC:54949 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:5905 LAPTOP-HNTDIHSC:54950 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:6109 0.0.0.0:0 LISTENING
[anti_ransomware_service.exe]
TCP 127.0.0.1:6109 LAPTOP-HNTDIHSC:51014 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:11000 0.0.0.0:0 LISTENING
[gs-server.exe]
TCP 127.0.0.1:11456 0.0.0.0:0 LISTENING
[DashlanePlugin.exe]
TCP 127.0.0.1:11456 LAPTOP-HNTDIHSC:51012 ESTABLISHED
[DashlanePlugin.exe]
TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING
[avgsvc.exe]
TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING
[avgsvc.exe]
TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING
[avgsvc.exe]
TCP 127.0.0.1:12563 0.0.0.0:0 LISTENING
[avgsvc.exe]
TCP 127.0.0.1:12993 0.0.0.0:0 LISTENING
[avgsvc.exe]
TCP 127.0.0.1:12995 0.0.0.0:0 LISTENING
[avgsvc.exe]
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:27275 0.0.0.0:0 LISTENING
[avgsvc.exe]
TCP 127.0.0.1:33333 0.0.0.0:0 LISTENING
[gs-server.exe]
TCP 127.0.0.1:33334 0.0.0.0:0 LISTENING
[gs-server.exe]
TCP 127.0.0.1:43227 0.0.0.0:0 LISTENING
[mbamservice.exe]
TCP 127.0.0.1:49675 LAPTOP-HNTDIHSC:5354 ESTABLISHED
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:50581 0.0.0.0:0 LISTENING
[Dashlane.exe]
TCP 127.0.0.1:51012 LAPTOP-HNTDIHSC:11456 ESTABLISHED
[chrome.exe]
TCP 127.0.0.1:51014 LAPTOP-HNTDIHSC:6109 ESTABLISHED
[TrueImageMonitor.exe]
TCP 127.0.0.1:51018 LAPTOP-HNTDIHSC:668 ESTABLISHED
[CarboniteUI.exe]
TCP 127.0.0.1:51019 LAPTOP-HNTDIHSC:668 ESTABLISHED
[CarboniteUI.exe]
TCP 127.0.0.1:54936 LAPTOP-HNTDIHSC:5354 ESTABLISHED
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:54941 LAPTOP-HNTDIHSC:5905 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:54943 LAPTOP-HNTDIHSC:5905 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:54944 LAPTOP-HNTDIHSC:5905 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:54945 LAPTOP-HNTDIHSC:5905 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:54946 LAPTOP-HNTDIHSC:5905 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:54947 LAPTOP-HNTDIHSC:5905 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:54949 LAPTOP-HNTDIHSC:5905 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:54950 LAPTOP-HNTDIHSC:5905 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:54963 LAPTOP-HNTDIHSC:54964 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54964 LAPTOP-HNTDIHSC:54963 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54965 LAPTOP-HNTDIHSC:54966 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54966 LAPTOP-HNTDIHSC:54965 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54967 LAPTOP-HNTDIHSC:54968 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54968 LAPTOP-HNTDIHSC:54967 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54969 LAPTOP-HNTDIHSC:54970 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54970 LAPTOP-HNTDIHSC:54969 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54971 LAPTOP-HNTDIHSC:54972 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54972 LAPTOP-HNTDIHSC:54971 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54973 LAPTOP-HNTDIHSC:54974 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:54974 LAPTOP-HNTDIHSC:54973 ESTABLISHED
[anti_ransomware_service.exe]
TCP 127.0.0.1:55005 LAPTOP-HNTDIHSC:55006 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55006 LAPTOP-HNTDIHSC:55005 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55007 LAPTOP-HNTDIHSC:55008 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55008 LAPTOP-HNTDIHSC:55007 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55009 LAPTOP-HNTDIHSC:55010 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55010 LAPTOP-HNTDIHSC:55009 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55011 LAPTOP-HNTDIHSC:55012 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55012 LAPTOP-HNTDIHSC:55011 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55013 LAPTOP-HNTDIHSC:55014 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55014 LAPTOP-HNTDIHSC:55013 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55015 LAPTOP-HNTDIHSC:55016 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:55016 LAPTOP-HNTDIHSC:55015 ESTABLISHED
[mms_mini.exe]
TCP 127.0.0.1:64991 LAPTOP-HNTDIHSC:58082 SYN_SENT
[TrueImageMonitor.exe]
TCP 192.168.1.180:139 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 192.168.1.180:50096 HPB4B52F13C132:8080 ESTABLISHED
[HPNetworkCommunicator.exe]
TCP 192.168.1.180:50267 r-253-41-234-77.ff.avast.com:http CLOSE_WAIT
[VpnSvc.exe]
TCP 192.168.1.180:50358 13.89.187.212:https ESTABLISHED
WpnService
[svchost.exe]
TCP 192.168.1.180:50381 HOMELINK-2-4:microsoft-ds ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.180:50411 qr-in-f188.1e100.net:5228 ESTABLISHED
[chrome.exe]
TCP 192.168.1.180:50983 17.248.143.94:https CLOSE_WAIT
[iCloudServices.exe]
TCP 192.168.1.180:50997 17.248.134.201:https CLOSE_WAIT
[ApplePhotoStreams.exe]
TCP 192.168.1.180:51000 17.249.108.89:5223 ESTABLISHED
[APSDaemon.exe]
TCP 192.168.1.180:51003 17.248.143.56:https CLOSE_WAIT
[ApplePhotoStreams.exe]
TCP 192.168.1.180:54935 fe-self006.nos-avg.cz:http ESTABLISHED
[avgsvc.exe]
TCP 192.168.1.180:54948 185.151.160.15:7790 ESTABLISHED
[mms_mini.exe]
TCP 192.168.1.180:54995 mia04-012.ff.avast.com:http ESTABLISHED
[avgsvc.exe]
TCP 192.168.1.180:55083 13.94.139.40:https CLOSE_WAIT
[anti_ransomware_service.exe]
TCP 192.168.1.180:61271 r-253-41-234-77.ff.avast.com:https CLOSE_WAIT
[avgsvc.exe]
TCP 192.168.1.180:61740 17.248.143.91:https CLOSE_WAIT
[iCloudDrive.exe]
TCP 192.168.1.180:61743 17.248.134.140:https CLOSE_WAIT
[iCloudDrive.exe]
TCP 192.168.1.180:61746 iad30s09-in-f170.1e100.net:https ESTABLISHED
[VueMinder.exe]
TCP 192.168.1.180:62137 HPB4B52F13C132:8080 ESTABLISHED
[HPNetworkCommunicatorCom.exe]
TCP 192.168.1.180:62704 ruirt1.revulytics.com:http TIME_WAIT
TCP 192.168.1.180:62754 a23-194-116-102.deploy.static.akamaitechnologies.com:https CLOSE_WAIT
[WinStore.App.exe]
TCP 192.168.1.180:62757 a23-194-116-102.deploy.static.akamaitechnologies.com:https CLOSE_WAIT
[WinStore.App.exe]
TCP 192.168.1.180:62763 ec2-34-226-13-253.compute-1.amazonaws.com:https ESTABLISHED
[chrome.exe]
TCP 192.168.1.180:62769 192.35.249.123:https TIME_WAIT
TCP 192.168.1.180:62770 192.35.249.123:https TIME_WAIT
TCP 192.168.1.180:62771 192.35.249.127:https TIME_WAIT
TCP 192.168.1.180:62772 26.42.3ca9.ip4.static.sl-reverse.com:https TIME_WAIT
TCP 192.168.1.180:62773 pr-bh.pbp.vip.bf1.yahoo.com:https TIME_WAIT
TCP 192.168.1.180:62775 104.16.92.60:https TIME_WAIT
TCP 192.168.1.180:62777 69.20.20.4:https TIME_WAIT
TCP 192.168.1.180:62780 74.217.253.61:https TIME_WAIT
TCP 192.168.1.180:62781 ns514803.ip-167-114-173.net:https TIME_WAIT
TCP 192.168.1.180:62784 ec2-54-210-233-204.compute-1.amazonaws.com:https TIME_WAIT
TCP 192.168.1.180:62786 192.35.249.127:https TIME_WAIT
TCP 192.168.1.180:62787 ec2-54-83-153-181.compute-1.amazonaws.com:https TIME_WAIT
TCP 192.168.1.180:62789 192.35.249.127:https TIME_WAIT
TCP 192.168.1.180:62790 192.35.249.127:https TIME_WAIT
TCP 192.168.1.180:62791 192.35.249.127:https TIME_WAIT
TCP 192.168.1.180:62792 192.35.249.127:https TIME_WAIT
TCP 192.168.1.180:62795 dsp.adfarm1.adition.com:https TIME_WAIT
TCP 192.168.1.180:62803 192.35.249.111:https TIME_WAIT
TCP 192.168.1.180:62813 ads6-us-east.stickyadstv.com:https TIME_WAIT
TCP 192.168.1.180:62821 ec2-54-164-80-132.compute-1.amazonaws.com:https TIME_WAIT
TCP 192.168.1.180:62829 146.20.133.117:https TIME_WAIT
```

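The listing above is `netstat -ab` style output, and the way to read it answers the thread's question. A socket bound to 127.0.0.1 (every `carboniteservice.exe`, `avgsvc.exe`, `mms_mini.exe` and `anti_ransomware_service.exe` line, with `LAPTOP-HNTDIHSC` as the peer) can only be reached by other programs on the same machine, so those rows cannot indicate outside access. What deserves attention is the other two bind classes: listeners on `0.0.0.0` (every network interface) or on the LAN address `192.168.1.180`, which are reachable from the network unless the firewall blocks them, and established connections whose peer is a host outside the LAN, read together with the process that owns them. The script below is an added example that automates that triage; it is not from the thread or from any tool in it. `SAMPLE` is a constructed excerpt in the same layout as the posted listing, and the peer heuristics (a flat NetBIOS-style name is a LAN neighbour, a dotted name is an Internet host) are assumptions stated in the code.

```python
"""Triage a Windows `netstat -ab` listing: which listeners can be reached from
the network, and which processes hold connections to hosts outside the LAN.

Added example, not code from the original thread. SAMPLE is a constructed
excerpt in the layout netstat -ab prints; the peer heuristics are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One connection row: proto, local, foreign, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    127.0.0.1:668          0.0.0.0:0              LISTENING
 [carboniteservice.exe]
  TCP    127.0.0.1:668          LAPTOP-HNTDIHSC:51018  ESTABLISHED
 [carboniteservice.exe]
  TCP    127.0.0.1:51018        LAPTOP-HNTDIHSC:668    ESTABLISHED
 [CarboniteUI.exe]
  TCP    192.168.1.180:139      0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.1.180:50096    HPB4B52F13C132:8080    ESTABLISHED
 [HPNetworkCommunicator.exe]
  TCP    192.168.1.180:54948    185.151.160.15:7790    ESTABLISHED
 [mms_mini.exe]
  TCP    192.168.1.180:62704    ruirt1.revulytics.com:http  TIME_WAIT
  UDP    0.0.0.0:5353           *:*
 [mDNSResponder.exe]
"""


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str
    service: Optional[str] = None   # unbracketed owner line (Windows service name)
    process: Optional[str] = None   # [bracketed] owner line (image name)


def _split_addr(addr: str):
    # rpartition keeps IPv6 forms like [::]:135 intact; brackets are stripped.
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[Conn]:
    """Rows become Conn objects; the owner lines that follow a row attach to it."""
    conns: List[Conn] = []
    for raw in text.splitlines():
        m = ROW.match(raw)
        if m:
            proto, local, remote, state = m.groups()
            lh, lp = _split_addr(local)
            rh, rp = _split_addr(remote)
            conns.append(Conn(proto, lh, lp, rh, rp, state or ""))
            continue
        line = raw.strip()
        if not conns or not line:
            continue  # header text before the first row, or blank
        cur = conns[-1]
        if line.startswith("[") and line.endswith("]"):
            cur.process = line[1:-1]
        elif not line.startswith("Can not obtain"):
            cur.service = line
    return conns


def bind_scope(host: str) -> str:
    """loopback: only this machine can connect. all-interfaces: every NIC.
    interface: one NIC's address (the LAN in the posted listing)."""
    if host == "*":
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "interface"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "interface"


def peer_kind(host: str, local_hostname: str) -> str:
    """none | local | lan | remote for the foreign-address column."""
    if host in ("", "*", "0.0.0.0"):
        return "none"
    if host.upper() == local_hostname.upper():
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # ASSUMPTION: netstat resolved the peer. A flat NetBIOS-style name is a
        # LAN neighbour (HPB4B52F13C132); a dotted FQDN is an Internet host.
        return "remote" if "." in host else "lan"
    if ip.is_loopback:
        return "local"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "remote"


def exposed_listeners(conns: List[Conn]) -> List[Conn]:
    """Sockets a machine on the network could reach (firewall permitting)."""
    return [c for c in conns
            if (c.state == "LISTENING" or c.proto == "UDP")
            and bind_scope(c.local_host) != "loopback"]


def remote_connections(conns: List[Conn], local_hostname: str) -> List[Conn]:
    """Connections whose peer is outside this machine and its LAN."""
    return [c for c in conns if peer_kind(c.remote_host, local_hostname) == "remote"]


if __name__ == "__main__":
    # On Windows: netstat -ab > listing.txt (elevated), then feed listing.txt here.
    rows = parse_netstat(SAMPLE)
    print("reachable from the network:")
    for c in exposed_listeners(rows):
        print(f"  {c.proto} {c.local_host}:{c.local_port:<6} {c.service or ''} {c.process or '?'}")
    print("peers outside the LAN:")
    for c in remote_connections(rows, "LAPTOP-HNTDIHSC"):
        print(f"  {c.remote_host}:{c.remote_port} <- {c.process or '?'} ({c.state})")
```

On the constructed sample the exposed set is 135/tcp, 445/tcp, 139/tcp and 5353/udp (the SMB and RPC ports every Windows machine offers, not something an intruder added), and the only Internet peers are `185.151.160.15:7790` held by `mms_mini.exe` and a `TIME_WAIT` remnant to `ruirt1.revulytics.com`. That is the short list to vet: identify the process (its signer and path), and if you cannot explain the peer, that row is the lead. Rows whose owner is "Can not obtain ownership information" are not a finding either; they appear when netstat was run without elevation.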

----------



## tristar (Aug 12, 2008)

All looks OK. Did you purchase the Acronis application or did you receive it as part of your PC? I'm not too sure, but this may be a cracked/illegal version of the software.


----------



## sigman (Mar 30, 2011)

tristar said:


> All looks OK. Did you purchase the Acronis application or did you receive it as part of your PC? I'm not too sure, but this may be a cracked/illegal version of the software.


Purchased TI 11/19/17.


----------



## tristar (Aug 12, 2008)

There seems to be nothing out of order, but I'd recommend completely uninstalling the Acronis application and test your computer for a few days and install it back with the license key again.


----------



## sigman (Mar 30, 2011)

UPDATE: Hello Tech, a service providing both online and onsite service for a reasonable price, checked out my computer online. They ran commercial anti-virus and anti-malware software, for some of which they used my copies. They checked for any left-over remote access software that might have been from prior service and found none. The service person did not address the 127.xxx.xxx.xxx issue. My online searches did not identify any case of that type of address being an indication of outside intervention, and my understanding is that Malwarebytes and Malwarebytes Ad Aware would identify keyloggers and similar risks, so for now I'm thinking I'm OK.


----------



## tristar (Aug 12, 2008)

Yep, we didn't see anything out of the ordinary either, besides the Acronis, which seems to be a resource hog in your case for some reason.

Do not use multiple AV/AM software, just leave MBAM (MalwareBytes) on, remove the others, keep updating MBAM and do monthly or bi-weekly full scans, you should be all set.


----------

