# suspicious activity



## AsRock (Nov 2, 2009)

Just lately I have noticed this connection attempt and am wondering if anyone knows anything more about it.

Nearly all sites that I have seen seem to say it's something to do with malware/viruses/ads.

COH p2p and Firefox trigger it.

fr.a2dfp.net and a2dfp.net

Any thoughts ?

I tried numerous programs to see if there is a virus or something, but all come back negative. Here's what I have tried:

aVast
AVG
S&D
Ad-Aware
Norton
Kaspersky

It's even blocked in the hosts file too, as it tries to connect to 127.0.0.1. Maybe it's the company's starting to advertise?
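Editorial note on why a blocked ad domain shows up as a connection to 127.0.0.1: a hosts-file entry that maps a name to the loopback address (or to 0.0.0.0) makes the browser or P2P client resolve that name locally, so the outbound attempt the firewall reports is to 127.0.0.1 rather than to the advertiser. The script below is an added example, not part of AsRock's post or any reply in the thread; the hosts-file content and the firewall-style event lines are constructed samples that reuse the two hostnames named above, and the `key=value` event format is an assumption, not the format of any particular firewall.

```python
"""Map loopback connection attempts back to hosts-file blackhole entries.

Added example (not from the thread). Parses a hosts file in the usual
`address hostname [alias ...]` format and classifies firewall-style
connection records so that a hit on a blackholed ad host can be told
apart from ordinary local inter-process traffic on 127.0.0.1.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample hosts file. The two a2dfp.net names come from the
# thread; the rest are placeholders in the standard hosts-file layout.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       a2dfp.net
127.0.0.1       fr.a2dfp.net      # ad/tracking host, blackholed
0.0.0.0         example-tracker.invalid
"""

# Constructed firewall-style events; the key=value layout is an assumption.
SAMPLE_EVENTS = [
    "app=firefox.exe host=fr.a2dfp.net dst=127.0.0.1 port=80",
    "app=boinc.exe host=a2dfp.net dst=127.0.0.1 port=80",
    "app=firefox.exe host=www.example.com dst=203.0.113.5 port=443",
    "app=thunderbird.exe host= dst=127.0.0.1 port=6110",
]

EVENT_RE = re.compile(r"(\w+)=(\S*)")


def parse_hosts(text: str) -> Dict[str, str]:
    """Return hostname -> address for every entry, ignoring comments and blanks."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed line, skip it
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_blackholed(addr: str) -> bool:
    """Loopback and unspecified addresses are the usual hosts-file sinkholes."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def blocked_names(hosts: Dict[str, str]) -> List[str]:
    """Names the hosts file deliberately sends nowhere (localhost excluded)."""
    return sorted(n for n, a in hosts.items()
                  if is_blackholed(a) and n != "localhost")


def classify(event: str, hosts: Dict[str, str]) -> str:
    """Label one event: blackholed-by-hosts, local-ipc, or external."""
    fields = dict(EVENT_RE.findall(event))
    host = fields.get("host", "").lower()
    dst = fields.get("dst", "")
    if host and host in hosts and is_blackholed(hosts[host]):
        return "blackholed-by-hosts"        # the ad domain hit the sinkhole
    try:
        if dst and ipaddress.ip_address(dst).is_loopback:
            return "local-ipc"              # genuine local traffic, e.g. mail proxy
    except ValueError:
        pass
    return "external"


def triage(events: List[str], hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """(application, label) for each event, for a quick review of the alerts."""
    return [(dict(EVENT_RE.findall(e)).get("app", "?"), classify(e, hosts))
            for e in events]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blackholed names:", blocked_names(hosts))
    for app, label in triage(SAMPLE_EVENTS, hosts):
        print(f"{app:20s} {label}")
```

A firewall that shows only the destination address cannot distinguish the first two events from the fourth; the hostname (or the process name, as the thread's BOINC observation later suggests) is what separates a sinkholed ad host from a legitimate local connection.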


----------



## TheMailMan78 (Nov 2, 2009)

AsRock said:


> Just lately I have noticed this connection attempt and am wondering if anyone knows anything more about it.
> 
> Nearly all sites that I have seen seem to say it's something to do with malware/viruses/ads.
> 
> ...


Run hijack and MSE also just to be safe.


----------



## AsRock (Nov 2, 2009)

TheMailMan78 said:


> Run hijack and MSE also just to be safe.



MSE?

Nothing in HijackThis from what I can see.

Here it is, maybe you'll see something:

Running processes:
C:\Program Files (x86)\ASUS\AASP\1.00.59\aaCenter.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
F:\Utils\Trillian\trillian.exe
F:\Utils\Teamspeak2_RC2\TeamSpeak.exe
C:\PROGRA~2\mozilla.org\SEAMON~1\SEAMON~1.EXE
L:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe"
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Program Files (x86)\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xx,xx.xx.xx.xx
O17 - HKLM\System\CS1\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xx,xx.xx.xx.xx
O17 - HKLM\System\CS2\Services\Tcpip\..\{20B57B6C-1AE2-443D-8959-A54C73E81C6F}: NameServer = xx.xx.xx.xxx,xx.xx.xx.xx
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DFS Replication (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CNG Key Isolation (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Netlogon - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Software Licensing (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: SNMP Trap (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Interactive Services Detection (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Virtual Disk (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: Block Level Backup Engine Service (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WMI Performance Adapter (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)


----------



## Jstn7477 (Nov 2, 2009)

MSE = Microsoft Security Essentials, IIRC.


----------



## DonInKansas (Nov 2, 2009)

You try Malwarebytes?


----------



## Solaris17 (Nov 2, 2009)

127.0.0.1 is a local address. In my case Thunderbird uses it to connect to YPOPs, which connects to my Yahoo accounts. In either case something is trying to use the net by connecting to another program that has access; that's my best guess anyway.

EDIT: Upon further examination it seems to be an Alexa type of website, so it's probably trying to install some type of cookie to monitor what you visit and display ads accordingly? Though I have no idea why it would be on your system and trying to broadcast out.


----------



## Steevo (Nov 2, 2009)

127.0.0.1 is the "home" address. It is the map through IP for internal .net and other connections.

The connection is usually created when an item requests a specific handoff of information, such as the current revision level of software, like Firefox asking if 1.01 is the most current revision. It gets handled by internal interfaces until the result is achieved, then it is handed off to the internet-enabled application. The request is sent off and the application uses the information sent back.



So an application on home requests a connection to a specific IP and port number through the .net interface, much like F@H communicates between applications through the same interface. F@H uses PID and other information for communications.

This is probably a P2P/other application asking for tracking/session cookies, reverse DNS resolution to start a broadcast, or to start an update query.

On the routes table shown, an item might request access to another application through 127.0.0.1 even though it is internet enabled and the current firewall settings allow communications through 192.168.0.3 to all other IPs. Since it is a new request on a different IP it will ask if it is OK.


----------



## revin (Nov 2, 2009)

If you install Comodo Firewall it will ask you about outbound connections, and also identifies suspicious behavior on the PC, and will ask if you want to allow or deny.
Might be able to help.

I like it that you can look at what/where the connection wants to go before allowing.


----------



## TheMailMan78 (Nov 2, 2009)

As the others have stated it sounds like a tracking cookie. Did Spybot pick up anything?


----------



## AsRock (Nov 3, 2009)

DonInKansas said:


> You try Malwarebytes?



Trying it now, although 471800 objects scanned and nothing.



Steevo said:


> 127.0.0.1 is the "home" address. It is the map through IP for internal .net and other connections.
> 
> The connection is usually created when an item requests a specific handoff of information, such as the current revision level of software, like Firefox asking if 1.01 is the most current revision. It gets handled by internal interfaces until the result is achieved, then it is handed off to the internet-enabled application. The request is sent off and the application uses the information sent back.
> 
> ...



I believe you're right, and it seems like it's from WCG BOINC, as when I block it through global rules in my firewall it will not connect at all, whereas any other program I have noticed has had no issue with me blocking it. The other installed OS on this system is free of it, so I will have to check the other two as they have it on them.




revin said:


> If you install Comodo Firewall it will ask you about outbound connections, and also identifies suspicious behavior on the PC, and will ask if you want to allow or deny.
> Might be able to help.
> 
> I like it that you can look at what/where the connection wants to go before allowing.



Been thinking about trying that but never got around to it, lol. Think one of the reasons I did not was due to lack of content blocking on websites. I like Outpost, it's pretty kick ass.



TheMailMan78 said:


> As the others have stated it sounds like a tracking cookie. Did Spybot pick up anything?



Zip, nothing.


----------

