IE directed to random loopback port

Discussion in 'Malware Help (A Specialist Will Reply)' started by bemoosed, Feb 19, 2007.

  1. bemoosed

    bemoosed Private E-2

    Hello,

    This morning I installed the latest Windows Update for XP SP2 and rebooted. After the restart, I attempted to run IE (7.0). Zone Alarm notified me that IE was attempting for the first time to enter the trusted zone and asked me to approve the action. IE was trying to access 127.0.0.1 on port 1042 (I think it was 1042). I have Zone Alarm configured such that the loopback is in its trusted zone.

    This was new behavior. I denied it, closed IE and ran it again. Same message, but now for a higher port. Each time I try it (I deny it access each time), it chooses a higher port number by something less than 100.

    While the Zone Alarm approval/denial dialog waited, I ran netstat to see if it reported any tcp listener on that port but it didn't.

    Firefox does not display the same behavior; yet both it and IE are not configured in Zone Alarm to allow access to the trusted zone (the loopback), so apparently Firefox is not affected. However, in running a Java program (sorry, no details), it also tried one time to access 127.0.0.1 at some port over 1000.

    I have followed your instructions in READ & RUN ME FIRST as I've been able to; however, I didn't want to run IE through a possible local proxy so some steps I didn't run. I'd be glad to if you recommend it.

    So, following the instructions in R&RMF:

    0-4. Done.

    5. I couldn't run CounterSpy so I ran AVG. It only found a few tracking cookies. The log is attached.

    6A. Both BitDefender and Panda Active Scan require IE. I know that I could have run them in Safe Mode with Networking if I didn't launch Zone Alarm manually, but - as I said earlier - I didn't trust running IE, knowing it was being redirected to 127.0.0.1. (By the way, IE had the same behavior in Safe Mode with Networking.)

    6B. Done. The logs are attached.

    7-8. Done. I will attach the hijackthis log in my next post.

    Thanks MUCH in advance for any help you can kindly offer!

    Regards,
    Don

    P.S. You might notice that my hosts file was modified today. That was just me removing a line I had associating 127.0.0.1 with comscore.com.
     


  2. bemoosed

    bemoosed Private E-2

    Here's the hijackthis log.

    Don
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You don't have a malware problem.
    This first line of the HOSTS file should list the local IP address:

    127.0.0.1 localhost

    That tells the rest of the file, 127.0.0.1 is your local machine!

    You should allow it!!
     
