
suspicious activity

AsRock

#1
Just lately I have noticed this connection attempt and am wondering if anyone knows anything more about it.

Nearly all the sites that I have seen seem to say it's something to do with malware/viruses/ads.

COH p2p and Firefox trigger it.

fr.a2dfp.net and a2dfp.net

Any thoughts?

I tried numerous programs to see if there is a virus or something, but all come back negative. Here's what I have tried:

aVast
AVG
S&D
Ad-Aware
Norton
Kaspersky

It's even blocked in the hosts file too, as it tries to connect to 127.0.0.1. Maybe it's the companies starting to advertise?
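One point the thread keeps circling is why a blocked ad domain shows up as a connection attempt to 127.0.0.1: a hosts-file sinkhole hands the loopback address to whichever program resolves the name, so the firewall reports an outbound attempt to 127.0.0.1 rather than to the tracker. The Python below is an added triage example (not from the thread or any poster); it assumes a constructed Windows hosts file that contains the two domains from the opening post and maps an observed 127.0.0.1 attempt back to the sinkholed names that explain it.

```python
"""Triage helper: explain why a hosts-file-blocked domain appears as an
outbound connection attempt to 127.0.0.1.

Added example, not from the forum thread. SAMPLE_HOSTS is a constructed
hosts file; the a2dfp.net names come from the opening post.
"""
from collections import defaultdict

# Constructed sample of a Windows hosts file: comments, tabs, several names per line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# ad/tracking sinkholes
127.0.0.1\ta2dfp.net fr.a2dfp.net   # blocked per forum thread
0.0.0.0  example-ads.invalid
"""

# Addresses commonly used to sinkhole a name in the hosts file.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return {address: [hostnames]} from hosts-file text, ignoring comments and blanks."""
    mapping = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()                  # spaces or tabs both separate fields
        address, names = parts[0], parts[1:]
        for name in names:
            mapping[address].append(name.lower())
    return dict(mapping)


def resolve_via_hosts(hostname, mapping):
    """Return the address the hosts file hands out for hostname, or None if absent."""
    hostname = hostname.lower()
    for address, names in mapping.items():
        if hostname in names:
            return address
    return None


def explain_loopback_attempt(destination, mapping):
    """List sinkholed names (other than localhost) that could explain a firewall
    alert showing an outbound attempt to `destination`; empty if not a sinkhole."""
    if destination not in LOOPBACK:
        return []
    return sorted(n for n in mapping.get(destination, []) if n != "localhost")


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("a2dfp.net resolves via hosts file to:", resolve_via_hosts("a2dfp.net", hosts))
    print("Sinkholed names behind a 127.0.0.1 alert:", explain_loopback_attempt("127.0.0.1", hosts))
```

Run against the real file (C:\Windows\System32\drivers\etc\hosts on Windows) to see which blocked names sit behind a loopback alert before assuming an infection.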
 
#2
Run hijack and MSE also just to be safe.
 

AsRock

#3
> Run hijack and MSE also just to be safe.

MSE?

Nothing in hijack from what I can see.

Here it is; maybe you'll see something:

Running processes:
C:\Program Files (x86)\ASUS\AASP\1.00.59\aaCenter.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
F:\Utils\Trillian\trillian.exe
F:\Utils\Teamspeak2_RC2\TeamSpeak.exe
C:\PROGRA~2\mozilla.org\SEAMON~1\SEAMON~1.EXE
L:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe"
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Program Files (x86)\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xx,xx.xx.xx.xx
O17 - HKLM\System\CS1\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xx,xx.xx.xx.xx
O17 - HKLM\System\CS2\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xxx,xx.xx.xx.xx
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DFS Replication (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CNG Key Isolation (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Netlogon - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Software Licensing (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: SNMP Trap (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Interactive Services Detection (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Virtual Disk (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: Block Level Backup Engine Service (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WMI Performance Adapter (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
#4
MSE = Microsoft Security Essentials, IIRC.
#5
Did you try Malwarebytes?
 

Solaris17

#6
127.0.0.1 is a local address. In my case Thunderbird uses it to connect to YPOPs, which connects to my Yahoo accounts. In either case something is trying to use the net by connecting to another program that has access; that's my best guess anyway.

EDIT: Upon further examination it seems to be an Alexa type of website, so it's probably trying to install some type of cookie to monitor what you visit and display ads accordingly? Though I have no idea why it would be on your system and trying to broadcast out.
#7
127.0.0.1 is the "home" address. It is the map through IP for internal .net and other connections.

The connection is created usually when an item requests a specific handoff of information, such as the current revision level of software, like Firefox asking if 1.01 is the most current revision. It gets handled by internal interfaces until the result is achieved, then it is handed off to the internet-enabled application. The request is sent off and the application uses the information sent back.

So an application on home requests a connection to a specific IP and port number through the .net interface, much like F@H communicates between applications through the same interface. F@H uses PID and other information for communications.

This is probably a P2P/other application asking for tracking/session cookies, reverse DNS resolution to start a broadcast, or to start an update query.

On the routes table shown, an item might request access to another application through 127.0.0.1 even though it is internet enabled and the current firewall settings allow communications through 192.168.0.3 to all other IPs. Since it is a new request on a different IP it will ask if it is OK.
 
#8
If you install Comodo Firewall it will ask you about outbound connections, and also identifies suspicious behavior on the PC, and will ask if you want to allow or deny. Might be able to help.

I like it that you can look at what/where the connection wants to go before allowing.
#9
As the others have stated it sounds like a tracking cookie. Did Spybot pick up anything?
 

AsRock

#10
> Did you try Malwarebytes?

Trying it now, although 471800 objects scanned and nothing.

> 127.0.0.1 is the "home" address. It is the map through IP for internal .net and other connections.
>
> The connection is created usually when an item requests a specific handoff of information, such as the current revision level of software, like Firefox asking if 1.01 is the most current revision. It gets handled by internal interfaces until the result is achieved, then it is handed off to the internet-enabled application. The request is sent off and the application uses the information sent back.
>
> So an application on home requests a connection to a specific IP and port number through the .net interface, much like F@H communicates between applications through the same interface. F@H uses PID and other information for communications.
>
> This is probably a P2P/other application asking for tracking/session cookies, reverse DNS resolution to start a broadcast, or to start an update query.
>
> On the routes table shown, an item might request access to another application through 127.0.0.1 even though it is internet enabled and the current firewall settings allow communications through 192.168.0.3 to all other IPs. Since it is a new request on a different IP it will ask if it is OK.

I believe you're right, and it seems like it's from WCG BOINC, as when I block it through global rules in my firewall it will not connect at all, whereas any other program I have noticed has had no issue with me blocking it. The other installed OS on this system is free of it, so I will have to check the other two as they have it on them.

> If you install Comodo Firewall it will ask you about outbound connections, and also identifies suspicious behavior on the PC, and will ask if you want to allow or deny. Might be able to help.
>
> I like it that you can look at what/where the connection wants to go before allowing.

Been thinking about trying that but never got around to it lol.. Think one of the reasons I did not was due to the lack of content blocking on websites. I like Outpost, it's pretty kick ass.

> As the others have stated it sounds like a tracking cookie. Did Spybot pick up anything?

Zip, nothing..