TCP connection to downloads.aaa1screensavers.com

Discussion in 'Port Explorer' started by gurth4ng, May 15, 2005.

Thread Status:
Not open for further replies.
  1. gurth4ng

    gurth4ng Guest

    Hello all. A few hours ago I checked netstat and it shows a TCP connection from my PC to downloads.aaa1screensavers.com. I have run Norton Antivirus 2005, Ad-Aware SE and Spybot S&D, all with the latest updates and in safe mode with system restore disabled, but I can't get rid of these connections.
    It seems now that there are two Established connections to that site, both TCP, and - unless I'm wrong - netstat shows them only when Firefox is running. I've been searching the net for a while but can't seem to find a way to fix this.

    Here is my Hijackthis! log:

    Removed by Pilli -
     
    Last edited by a moderator: May 15, 2005
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there!
    I'm afraid we don't check hjt logs here anymore as per announcement time ago. There are several ASAP forums offering this service still.

    Port Explorer shows you which application is responsible for that connection and needs deeper study.
    You can close that connection, enable the socket spy on it and see what is exactly happening.
    Then you also know to scan that file extra with TDS and your other scanners for possible infections.
    Most probably you installed some screensaver, which does connect to that site. So you can find that application, rename or zip it and see if your system still works properly and if the connection has gone with that before you delete it entirely.

    Think you will feel very happy with JavaCool's browser hijack protection tools!

    See for instance this nice instructive thread too!
    https://www.wilderssecurity.com/showthread.php?t=50286
     
  3. blah121

    blah121 Guest

    I have this same problem, and I didn't install any screensavers. I ran Port Explorer and it seems that firefox.exe itself is what's making these connections to downloads.aaa1screensavers.com. If I kill the sockets they usually pop back up, but if I disable sending and receiving, that shuts them up, but then new ones appear after a while. It also randomly connects to other web pages. I have no idea how to fix this. I've tried everything.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hmm.. seems to ask for a discussion with Firefox support.
    And putting the URL in your HOSTS file of course.
    Are you sure FireFox is really spyware/adware free? Thought it would be....
    Have you also installed the Javacool spywareblaster and all that to guard your browser?

    Can't find real proper info on the internet, but I get the feeling it could be part of an infection, a parasite at least (Bargain Buddy) -- does any scan reveal anything? Or if you tried the HJT log, did you see anything special? Googling, I noticed in several HJT logs people posted elsewhere on O16 a downloaded file with that name. Something like this for instance (other file names seen too in the end):
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - hxxp://downloads.aaa1screensavers.com/download/rist-aug-acx22.exe
    (changed tt in xx to avoid clicking it!!)
    But I guess there should be a directory to be deleted too, but I did not get that clear yet from googling.

    Getting the feeling a full cleansing service like posted on BlackSpear's thread should be in place!
    https://www.wilderssecurity.com/showthread.php?t=50662
     
    Last edited: May 21, 2005
  5. marceli7

    marceli7 Registered Member

    Joined:
    May 6, 2005
    Posts:
    33
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot for posting that.
    It is one of the names (files) the site is connected with, as I saw other filenames googling around in HJT logs posted in other forums.
    I'm surprised Firefox users seem to be infected with it. Now the question is how / where they got infected and the art of cleansing.
    BTW: TDS detects it as well (it's in the primaries list).
    Port Explorer should show which application is responsible and can be closed to clean out the infected system.
    Disconnect from internet after updating TDS, close all other applications and scanners with their resident protection and do a full system scan.
    In the end right-click in the bottom console for saving to scandump.txt, which you can paste in the next posting.
    After cleansing you might need to reinstall your firefox, so it might be a good idea to have a fresh download ready in a safe place before you disconnect. You'll scan the download anyway for nasties before installing.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi gurth4ng,

    Please download RKFiles from here:
    http://skads.org/special/rkfiles.zip
    Unzip it to the desktop but please do NOT run it yet.

    Next, please reboot your computer in safe mode and run RKFiles.bat. It may take a while. When it is finished a window should appear with a log.

    Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

    Regards,
     
  8. Shiva42

    Shiva42 Guest

    I just discovered a similar "problem" on my computer and have figured it out.
    Firefox is actually just connecting to your local machine normally, not to downloads.aaa1screensavers.com.

    I use a host file (in C:\windows\system32\drivers\etc) with a list of "bad" sites set to 127.0.0.1 so my browsers and other applications won't actually go to the sites. I am assuming you do the same. The copy I have did not have the required entry of

    127.0.0.1 localhost

    at the top of the file. The first entry is downloads.aaa1screensavers.com
    The application is accessing the localhost (your machine) using 127.0.0.1, and when netstat did a lookup on the address it picked the first matching line out of your hosts file. I commented out the aaa1screensavers lines and reran the netstat command, and the site reported was abcsearch.com (the next in the list). When I removed the comments and added the line above to the top of my hosts file (like it is supposed to be), netstat returned the correct information.
     
  9. FanJ

    FanJ Guest

    I don't understand this.
    That SHOULD be the first line (well, except for lines that are beginning with # ).
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Mind you, in your windows or somewhere else in XP systems among others there are a HOSTS (without extension) and a Hosts.sam file.
    If there is no HOSTS, you might like to copy the Hosts.sam to a HOSTS and make sure that first line
    127.0.0.1 localhost
    is there.
    If it's not there just type it in yourself.
    For those with a permanent IP address it can be nice to have a next line with your IP number and add some fantasy non-existing URL name behind it.
    So you see in your Port Explorer connections remote / local connections between your computer name, localhost, the URL you just added as localhost, etc. and you have more of an idea what is connecting to what. Just nice to know, not essential.
    So for yourself on your system your own IP will resolve to that URL name, for all others on internet it will resolve to your normal ISP's name.
     
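The reverse-lookup behaviour Shiva42 describes (netstat resolving 127.0.0.1 to the first matching hosts-file line) and the "localhost must be the first entry" rule Jooske repeats can be checked offline. The following is an added example, not code from the thread or from any of the tools mentioned; the hosts-file contents are constructed to mirror the entries named in the posts.

```python
# Added example: model a hosts-file reverse lookup the way the thread describes it
# (first matching line wins) and check that 127.0.0.1 localhost is the first entry.
from typing import List, Optional, Tuple

# Constructed sample: a blocklist-style hosts file with no localhost line at the top,
# like the one Shiva42 found on his machine.
HOSTS_BROKEN = """\
# constructed sample hosts file
127.0.0.1 downloads.aaa1screensavers.com
127.0.0.1 abcsearch.com
"""

# Same file with the required first line restored.
HOSTS_FIXED = "127.0.0.1 localhost\n" + HOSTS_BROKEN


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [names]) per active entry, in file order; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def reverse_lookup(text: str, ip: str) -> Optional[str]:
    """First hostname listed for ip: what a hosts-file reverse lookup reports for it."""
    for entry_ip, names in parse_hosts(text):
        if entry_ip == ip:
            return names[0]
    return None


def comment_out(text: str, hostname: str) -> str:
    """Reproduce Shiva42's experiment: comment out every line naming hostname."""
    return "\n".join(("#" + l) if hostname in l.split() else l for l in text.splitlines())


def localhost_first(text: str) -> bool:
    """The rule from the thread: first active entry must map 127.0.0.1 to localhost."""
    entries = parse_hosts(text)
    return bool(entries) and entries[0][0] == "127.0.0.1" and "localhost" in entries[0][1]


if __name__ == "__main__":
    for label, hosts in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        print(label, reverse_lookup(hosts, "127.0.0.1"), localhost_first(hosts))
```

Run against a real hosts file (C:\windows\system32\drivers\etc\hosts on XP), `localhost_first` returning False is the condition that makes netstat show a blocklisted name for a loopback connection.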