suspicious activity

Discussion in 'General Software' started by AsRock, Nov 2, 2009.

  1. AsRock

    AsRock TPU addict

    Joined:
    Jun 23, 2007
    Messages:
    10,690 (4.15/day)
    Thanks Received:
    1,623
    Location:
    US
    Just lately I have noticed this connection attempt and am wondering if anyone knows anything more about it.

    Nearly all the sites I have seen seem to say it's something to do with malware/viruses/ads.

    COH p2p and Firefox trigger it.

    fr.a2dfp.net and a2dfp.net

    Any thoughts?

    I tried numerous programs to see if there is a virus or something, but all come back negative. Here's what I have tried:

    aVast
    AVG
    S&D
    Ad-Aware
    Norton
    Kaspersky

    It's even blocked in the hosts file too, as it tries to connect to 127.0.0.1. Maybe it's the companies starting to advertise?
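    The "tries to connect to 127.0.0.1" symptom above is what a hosts-file block looks like from a personal firewall: the name resolves locally to loopback, the program then tries to reach 127.0.0.1, and the outbound prompt fires even though nothing leaves the machine. The following script is an added example (not from this thread or any tool mentioned in it) that parses a hosts file and classifies such an alert; the hosts content is constructed, and the hostnames other than a2dfp.net / fr.a2dfp.net are placeholders.

```python
"""Explain a firewall alert in terms of the local hosts file (added example)."""

# Constructed sample; the real file on Windows lives at
# C:\Windows\System32\drivers\etc\hosts (path is a well-known default).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# ad/tracker block list
127.0.0.1  a2dfp.net fr.a2dfp.net   # trailing comment
0.0.0.0    example-tracker.invalid
"""

# Addresses commonly used to sinkhole a name: traffic never reaches the internet.
SINKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blanks."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip full-line and trailing comments
        if not line:
            continue
        fields = line.split()  # first field is the IP, the rest are names
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = ip  # hostnames are case-insensitive
    return mapping


def explain_alert(hostname, dest_ip, hosts_map):
    """Classify a firewall alert for a connection to hostname at dest_ip."""
    pinned = hosts_map.get(hostname.lower())
    if pinned is None:
        return "not in hosts file: name was resolved via DNS"
    if pinned != dest_ip:
        return f"hosts file pins {hostname} to {pinned}, but alert shows {dest_ip}"
    if pinned in SINKHOLE_IPS:
        return "sinkholed by hosts file: nothing leaves the machine; find which process keeps asking"
    return f"hosts file overrides DNS for {hostname} to {pinned}"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(explain_alert("fr.a2dfp.net", "127.0.0.1", hosts))
```

Once the alert is confirmed as a sinkhole, the remaining question is which process keeps resolving the name, which is where a firewall that shows the originating program (as later posts suggest) helps.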
  2. TheMailMan78

    TheMailMan78 Big Member

    Joined:
    Jun 3, 2007
    Messages:
    20,855 (8.03/day)
    Thanks Received:
    7,414
    Run hijack and MSE also just to be safe.
  3. AsRock

    AsRock TPU addict

    Joined:
    Jun 23, 2007
    Messages:
    10,690 (4.15/day)
    Thanks Received:
    1,623
    Location:
    US
    MSE?

    Nothing in HijackThis from what I can see.

    Here it is, maybe you'll see something:

    Running processes:
    C:\Program Files (x86)\ASUS\AASP\1.00.59\aaCenter.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
    C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
    C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
    C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
    F:\Utils\Trillian\trillian.exe
    F:\Utils\Teamspeak2_RC2\TeamSpeak.exe
    C:\PROGRA~2\mozilla.org\SEAMON~1\SEAMON~1.EXE
    L:\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe"
    O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Program Files (x86)\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xx,xx.xx.xx.xx
    O17 - HKLM\System\CS1\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xx,xx.xx.xx.xx
    O17 - HKLM\System\CS2\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xxx,xx.xx.xx.xx
    O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
    O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: DFS Replication (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: Fax - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: CNG Key Isolation (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: Netlogon - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Software Licensing (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: SNMP Trap (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: Interactive Services Detection (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Virtual Disk (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: Block Level Backup Engine Service (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: WMI Performance Adapter (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
  4. Jstn7477

    Jstn7477

    Joined:
    Aug 30, 2009
    Messages:
    3,779 (2.12/day)
    Thanks Received:
    1,485
    Location:
    Sarasota, Florida, USA
    MSE = Microsoft Security Essentials, IIRC.
    Crunching for Team TPU
  5. DonInKansas

    DonInKansas

    Joined:
    Jun 2, 2007
    Messages:
    5,096 (1.96/day)
    Thanks Received:
    1,265
    Location:
    Kansas
    You try Malwarebytes?
    AsRock says thanks.
  6. Solaris17

    Solaris17 Creator Solaris Utility DVD

    Joined:
    Aug 16, 2005
    Messages:
    17,065 (5.24/day)
    Thanks Received:
    3,501
    Location:
    Florida
    127.0.0.1 is a local address. In my case Thunderbird uses it to connect to YPOPs, which connects to my Yahoo accounts. In either case something is trying to use the net by connecting to another program that has access; that's my best guess anyway.

    EDIT: Upon further examination it seems to be an Alexa type of website, so it's probably trying to install some type of cookie to monitor what you visit and display ads accordingly? Though I have no idea why it would be on your system and trying to broadcast out.
    AsRock says thanks.
  7. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,107 (2.55/day)
    Thanks Received:
    1,123
    127.0.0.1 is the "home" address. It is the map-through IP for internal .NET and other connections.

    The connection is usually created when an item requests a specific handoff of information, such as the current revision level of software, like Firefox asking if 1.01 is the most current revision. It gets handled by internal interfaces until the result is achieved, then it is handed off to the internet-enabled application. The request is sent off and the application uses the information sent back.

    So an application on home requests a connection to a specific IP and port number through the .NET interface, much like F@H communicates between applications through the same interface. F@H uses PID and other information for communications.

    This is probably a P2P/other application asking for tracking/session cookies, reverse DNS resolution to start a broadcast, or to start an update query.

    On the routes table shown, an item might request access to another application through 127.0.0.1 even though it is internet-enabled and the current firewall settings allow communications through 192.168.0.3 to all other IPs. Since it is a new request on a different IP it will ask if it is OK.

    AsRock says thanks.
    10 Million points folded for TPU
  8. revin

    revin

    Joined:
    Oct 18, 2007
    Messages:
    649 (0.26/day)
    Thanks Received:
    67
    If you install Comodo Firewall it will ask you about outbound connections, and also identifies
    suspicious behavior on the PC, and will ask if you want to allow or deny.
    Might be able to help.

    I like it that you can look at what/where the connection wants to go before allowing.
    AsRock says thanks.
  9. TheMailMan78

    TheMailMan78 Big Member

    Joined:
    Jun 3, 2007
    Messages:
    20,855 (8.03/day)
    Thanks Received:
    7,414
    As the others have stated it sounds like a tracking cookie. Did Spybot pick up anything?
  10. AsRock

    AsRock TPU addict

    Joined:
    Jun 23, 2007
    Messages:
    10,690 (4.15/day)
    Thanks Received:
    1,623
    Location:
    US
    Trying it now, although 471800 objects scanned and nothing.

    I believe you're right, and it seems like it's from WCG BOINC, as when I block it through global rules in my firewall it will not connect at all, whereas any other program I have noticed has had no issue with me blocking it. The other installed OS on this system is free of it, so I will have to check the other two as they have it on them.

    Been thinking about trying that but never got around to it lol.. Think one of the reasons I did not was due to lack of content blocking on websites. I like Outpost, it's pretty kick ass.

    Zip nothing..

    Last edited: Nov 3, 2009
