#1
Hello all. A few hours ago I checked netstat and it shows a TCP connection from my PC to downloads.aaa1screensavers.com. I have run Norton Antivirus 2005, Ad-Aware SE and Spybot S&D, all with the latest updates and in safe mode with system restore disabled, but I can't get rid of these connections.
It seems now that there are two Established connections to that site, both TCP, and - unless I'm wrong - netstat shows them only when Firefox is running. I've been searching the net for a while but can't seem to find a way to fix this. Here is my Hijackthis! log: Removed by Pilli - Last edited by Pilli : May 15th, 2005 at 12:24 PM.
#2
Hi there!
I'm afraid we don't check HJT logs here anymore as per an announcement some time ago. There are several ASAP forums still offering this service. Port Explorer shows you which application is responsible for that connection and needs deeper study. You can close that connection, enable the socket spy on it and see what exactly is happening. Then you also know to scan that file extra with TDS and your other scanners for possible infections. Most probably you installed some screensaver, which does connect to that site. So you can find that application, rename or zip it and see if your system still works properly and if the connection has gone with that before you delete it entirely. Think you will feel very happy with JavaCool's browser hijack protection tools! See for instance this nice instructive thread too! http://www.wilderssecurity.com/showthread.php?t=50286
__________________
Jooske "o_o"
#3
I have this same problem, and I didn't install any screensavers. I ran Port Explorer and it seems that firefox.exe itself is what's making these connections to downloads.aaa1screensavers.com. If I kill the sockets they usually pop back up, but if I disable sending and receiving, that shuts them up, but then new ones appear after a while. It also randomly connects to other web pages. I have no idea how to fix this. I've tried everything.
#4
Hmm.. seems to ask for a discussion with Firefox support.
And putting the URL in your HOSTS file, of course. Are you sure Firefox is really spyware/adware free? Thought it would be.... Have you also installed the Javacool SpywareBlaster and all that to guard your browser? Can't find real proper info on the internet, but I get the feeling it could be part of an infection, a parasite at least (Bargain Buddy) -- does any scan reveal anything? Or if you tried the HJT log, did you see anything special? Googling, I noticed in several HJT logs people posted elsewhere an O16 entry with a downloaded file of that name. Something like this for instance (other file names seen too in the end): O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - hxxp://downloads.aaa1screensavers.co...-aug-acx22.exe (changed tt to xx to avoid clicking it!!) But I guess there should be a directory to be deleted too, but I did not get that clear yet from googling. Getting the feeling a full cleansing service like posted on BlackSpear's thread should be in place! http://www.wilderssecurity.com/showthread.php?t=50662
__________________
Jooske "o_o" Last edited by Jooske : May 21st, 2005 at 09:58 AM.
#5
Quote:
http://www.viruslist.com/en/search?V...Win32.Small.yl
#6
Thanks a lot for posting that.
It is one of the names (files) the site is connected with, as I saw other filenames googling around in HJT logs posted in other forums. I'm surprised Firefox users seem to be infected with it. Now the question is how / where they got infected and the art of cleansing. BTW: TDS detects it as well (it's in the primaries list). Port Explorer should show which application is responsible and can be closed to clean out the infected system. Disconnect from the internet after updating TDS, close all other applications and scanners with their resident protection and do a full system scan. In the end right-click in the bottom console for saving to scandump.txt, which you can paste in the next posting. After cleansing you might need to reinstall your Firefox, so it might be a good idea to have a fresh download ready in a safe place before you disconnect. You'll scan the download anyway for nasties before installing.
__________________
Jooske "o_o"
#7
Hi gurth4ng,
Please download RKFiles from here: http://skads.org/special/rkfiles.zip Unzip it to the desktop but please do NOT run it yet. Next, please reboot your computer in safe mode and run RKFiles.bat. It may take a while. When it is finished a window should appear with a log. Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt. Regards,
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#8
I just discovered a similar "problem" on my computer and have figured it out.
Firefox is actually just connecting to your local machine normally, not to downloads.aaa1screensavers.com. I use a hosts file (in C:\windows\system32\drivers\etc) with a list of "bad" sites set to 127.0.0.1 so my browsers and other applications won't actually go to the sites. I am assuming you do the same. The copy I have did not have the required entry of 127.0.0.1 localhost at the top of the file. The first entry is downloads.aaa1screensavers.com. The application is accessing the localhost (your machine) using 127.0.0.1, and when netstat did a lookup on the address it picked the first matching line out of your hosts file. I commented out the aaa1screensavers lines and reran the netstat command, and the site reported was abcsearch.com (the next in the list). When I removed the comments and added the line above to the top of my hosts file (like it is supposed to be), netstat returned the correct information.
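As an added example (not code from any poster in this thread), the following Python script mimics the hosts-file reverse lookup that netstat performs when it names addresses: the first line whose IP matches wins. The hosts file content and the netstat line are constructed samples; the two host names are the ones mentioned in the thread.

```python
# Added example, not from the thread: reproduces the hosts-file reverse lookup
# that made netstat label a 127.0.0.1 connection as "downloads.aaa1screensavers.com".
# The hosts file and netstat line below are constructed samples.

HOSTS_MISSING_LOCALHOST = """\
# Blocklist-style hosts file (constructed sample), no localhost line at the top
127.0.0.1 downloads.aaa1screensavers.com
127.0.0.1 abcsearch.com
"""

NETSTAT_LINES = [  # constructed, as "netstat -n" would print it (addresses only)
    "TCP 127.0.0.1:1047 127.0.0.1:1048 ESTABLISHED",
]

def parse_hosts(text):
    """Return (ip, [names]) tuples in file order; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def reverse_lookup(hosts_text, ip):
    """First hosts line whose address matches wins, as the resolver does."""
    for entry_ip, names in parse_hosts(hosts_text):
        if entry_ip == ip:
            return names[0]
    return ip  # unknown address: leave it numeric

def fix_hosts(hosts_text):
    """Put the canonical '127.0.0.1 localhost' line first unless already present."""
    has_localhost = any(ip == "127.0.0.1" and "localhost" in names
                        for ip, names in parse_hosts(hosts_text))
    return hosts_text if has_localhost else "127.0.0.1 localhost\n" + hosts_text

def annotate(netstat_lines, hosts_text):
    """Rewrite each foreign address the way netstat without -n would display it."""
    out = []
    for line in netstat_lines:
        proto, local, foreign, state = line.split()
        ip, port = foreign.rsplit(":", 1)
        out.append(f"{proto} {local} {reverse_lookup(hosts_text, ip)}:{port} {state}")
    return out

if __name__ == "__main__":
    print("\n".join(annotate(NETSTAT_LINES, HOSTS_MISSING_LOCALHOST)))   # misleading label
    print("\n".join(annotate(NETSTAT_LINES, fix_hosts(HOSTS_MISSING_LOCALHOST))))  # localhost
```

Commenting out the first blocklist line in the sample moves the label to abcsearch.com, exactly the behaviour described above; only the localhost line at the top makes the loopback connection show its real name.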
#9
Quote:
I don't understand this. That SHOULD be the first line (well, except for lines that are beginning with # ).
#10
Mind you, in your Windows or somewhere else in XP systems, among others, there are a HOSTS (without extension) and a Hosts.sam file.
If there is no HOSTS, you might like to copy the Hosts.sam to a HOSTS and make sure that first line 127.0.0.1 localhost is there. If it's not there just type it in yourself. For those with a permanent IP address it can be nice to have a next line with your IP number and add some fantasy non-existing URL name behind it. So you see in your Port Explorer connections remote / local connections between your computer name, localhost, the URL you just added as localhost, etc. and you have any idea more what is connecting to what. Just nice to know, not essential. So for yourself on your system your own IP will resolve to that URL name; for all others on the internet it will resolve to your normal ISP's name.
__________________
Jooske "o_o"