Firefox.exe Tries to Connect to 127.0.0.1? So does jqsnotify.exe? Etc.?
Whenever I start Ffx 3.6.13, my firewall alerts me that firefox.exe is trying to connect TCP Out to 127.0.0.1:443(https). Three or 4 seconds later, alerts for jqsnotify.exe TCP out to 127.0.0.1:5152. Others, incl. AAWService.exe (Ad-Aware) (when commanded to open or update). On a Windows startup and on restart, during the login to my Admin user account, Explorer.exe tries to connect 127.0.0.1.
By FFx
All replies (13)
Please check whether those find anything
Malware Removal Links: http://www.safer-networking.org , http://www.malwarebytes.org , http://www.spywareterminator.com , http://www.microsoft.com/security/malwareremove/default.aspx
OK, Gryllida, thanks, will try. I just now updated/corrected my initial post again, FYI.
P.S. - (a) The Forum window displayed to me AFTER posting my opening, is lacking most of the info I posted there, including the Troubleshooting details with critically important things. Are you seeing all those data, or is your view restricted as mine, to a single paragraph ending with APAgent.exe? (b) Do you know how many characters are allowed, in the first text entry window under the subject question? Mozilla.org ought to post their capacities by each window.
By FFx
Stage 1 Result:
Your link to microsoft.com offered me a download of the Windows MRT which I already updated per Patch Tuesday and have run it a couple of times since then. I have been updating and running it every month for years. It hardly ever reports finding anything, and it didn't report finding nothing, and I couldn't find any results file on the system drive. Any comments?
Not really, please just try a few scans and let us know if they find anything.
Well, back to work. Windows Malicious Software Removal Tool (windows-kb890830-v3.16.exe) (February 2011) scanned the short scan and found nothing - nada. I am proceeding now to download another of your recommended scanners, and will report result.
BTW - The Forum window displayed to me AFTER posting my opening, is lacking most of the info I posted there, including the Troubleshooting details with critically important things including local system description. It is irritating, having done all that work to give a clear and complete picture of the issue - that Mozilla.org should set up a less than fully functional forum, here. Are you seeing all those data, or is your view as restricted as mine, to a single paragraph ending with "Explorer.exe tries to connect 127.0.0.1."? Please tell me, while I am working.
Your post seems to be full
We're waiting for next scans results.
127.0.0.1 is a local address (local host). Firefox uses that loopback connection to communicate with the Software Security Device.
See:
Gryllida, "seems to be full" is a bit obscure to me. One guess I could make is, you know what "full" means in terms of characters allowed, although I do not. (Each of these message balloons stretches in size to contain the words it contains - so any inflated balloon is always "full." ) How full is full? How many chars.?
By FFx
Gryllida, I ran Spybot a while ago, and it found a sizeable number of items that were invalid shortcuts, and I authorized removal of those. Haven't seen any adverse reaction yet. So, then I ran a registry-only scan, and it found three red items in Internet Explorer keys, one of those in HKLM and the other two in different userpaths in HKU. Path of each is HKLM\(user account code S-1-5-xxx)... or "HKU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe [is not] W=1". FYI, I had installed the Cumulative Security Update for IE (KB2482017) last week, after the Patch Tuesday items and then after the Silverlight update. So, I told it to correct these items.
Gryllida - So, after Spybot ran its process on those three keys, it jiggled the entries in the results window, but nothing visibly changed in the listed items, each still contains the "funny-looking" (to this untrained user) appendages following \iexplore.exe, i.e. ..."\iexplore.exe [is not] W=1"
Can you enlighten me a little, on the meaning and significance of these, what shall I call them, "parameters?"
cor-el, Thanks for that information. I had supposed that the use by HOSTS file of 127.0.0.1 to "dead-end" anything outbound toward a known malicious hostname/IP meant that this loopback would have no impact on the system software. But, you said otherwise. What does the term mean, "the Software Security Device"? It's a new term to this untrained user of Win 3.0 through XP.
By FFx
Here's a related item. Just saw a Comodo firewall alert (Comodo Internet Security Complete 2011 v5.3) saying that svchost.exe was trying to receive a connection from the Internet giving IP address (on my LAN) of my NetGear WNR2000 router, that is connected via CAT 5e, 10/100BASE-T lines between my DSL modem (ISP is AT&T) and my HP Pavilion PC, and also, my HPLJ wireless-capable printer is on the same 172.16.0.xxx network, connected through the 802.11n wireless part of this router. The same IP of the router is listed in Windows Local Area Connection Status > Support > Details for Default Gateway, DNS Server, and DHCP Server, all of these are provided Automatically in TCP/IP Properties and were not set manually. Is this safe to Allow? I have been blocking these incoming connections whenever I can. Over to you. It's past my bedtime, so, good night for tonight.
By FFx
Not sure whether the connections really matter until you find any other symptoms, specifically taken that the programs found no malware.
How to stop Firefox from making automatic connections once again can explain some but not sure whether there are any other programs making connections.
http://www.wireshark.org/ can help to get a more detailed overview of the connections your machine is making.
By Svetlana
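
An added example, not part of any poster's reply: a way to triage firewall alerts like the ones in this thread from `netstat -ano` output, by classifying each remote address as loopback, LAN or internet and, for loopback connections, finding which local PID owns the other end. The sample rows, PIDs and the 203.0.113.10 address are constructed; only port 5152 and the 172.16.0.x network come from the thread.

```python
import ipaddress
import re

# Constructed `netstat -ano` sample (IPv4 TCP rows); PIDs are made up.
SAMPLE = """\
  TCP    127.0.0.1:1045     127.0.0.1:1046     ESTABLISHED     2140
  TCP    127.0.0.1:1046     127.0.0.1:1045     ESTABLISHED     2140
  TCP    127.0.0.1:5152     0.0.0.0:0          LISTENING       1688
  TCP    127.0.0.1:1051     127.0.0.1:5152     ESTABLISHED     3012
  TCP    127.0.0.1:5152     127.0.0.1:1051     ESTABLISHED     1688
  TCP    172.16.0.5:1060    172.16.0.1:80      ESTABLISHED     1100
  TCP    172.16.0.5:1071    203.0.113.10:443   ESTABLISHED     2140
"""
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(text):
    """Turn netstat rows into dicts; lines that are not TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            rows.append({"local": (la, int(lp)), "remote": (ra, int(rp)),
                         "state": state, "pid": int(pid)})
    return rows

def scope(addr):
    """loopback never leaves the machine; lan stays behind the router."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "lan"
    return "internet"

def triage(rows):
    """Return (pid, remote, scope, peer_pid) for each established connection."""
    owner = {(r["local"], r["remote"]): r["pid"] for r in rows}
    out = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        s = scope(r["remote"][0])
        # The mirrored row of a loopback connection names the peer process.
        peer = owner.get((r["remote"], r["local"])) if s == "loopback" else None
        out.append((r["pid"], "%s:%d" % r["remote"], s, peer))
    return out

if __name__ == "__main__":
    for entry in triage(parse(SAMPLE)):
        print(entry)
```

A loopback row whose peer PID equals its own PID is a process talking to itself; a different peer PID can be looked up in Task Manager or `tasklist` to see which local program is listening.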