pds324

Disturbing entries in Firewall Status Window - Help, Please


I noticed today in my Firewall Status Window (Online Armor Free Firewall) several entries relating to Facebook.com -- there are 6 of them. Rather than list them here, I have attached a jpeg to show the entries directly.

In researching this on Google, I have been able to find out very little, other than the entries for Facebook appear to be proxies. There are no Facebook cookies on my computer, and I haven't visited the site for over a year.

What do these svchost.exe/TCP and the System/TCP associations with Facebook mean? I am concerned it is indicative of malware of some sort.

Thanks very much.


The processes in your screenshot (with the exception of one system one that doesn't have Facebook associated with its local address anyway) are not connected to any remote location. They are just listening.

Have you installed some kind of proxy tool perhaps at some point that is supposed to unblock Facebook if your school/employer has blocked it? If you untick the "Resolve addresses" box in the Firewall Status Window, what does it say in the "local address" column?


> The processes in your screenshot (with the exception of one system one that doesn't have Facebook associated with its local address anyway) are not connected to any remote location. They are just listening.
>
> Have you installed some kind of proxy tool perhaps at some point that is supposed to unblock Facebook if your school/employer has blocked it? If you untick the "Resolve addresses" box in the Firewall Status Window, what does it say in the "local address" column?

I have never (knowingly) installed any kind of proxy tool. To be honest, I don't even know what a proxy tool is. As far as Facebook, I joined a long time ago, never participated, and haven't visited their site in ages, which is why I'm so concerned that an address associated with Facebook is "listening." I work at home for myself so there's no school or employer blocking anything.

You mention a proxy tool. Hitman Pro, when I run it, says my computer contains a proxy server, but when I went through a *long* and *thorough* analysis of my computer for a proxy server with a volunteer at Bleeping Computer, no proxy server could be found.

I unticked Resolve Addresses in the Firewall Status Window, and have attached a jpeg to show you the results.

THANKS for your help -- all those Facebook entries listening really have me worried.


Can you open your Hosts file in Notepad and attach the contents here as a text file? It should be located in C:\WINDOWS\System32\drivers\etc

catprincess, I see why you're listed as a malware expert -- the first entry in my hosts file is the one I'm concerned about. Those entries in hosts got there via the hosts option in Online Armor, but I thought I was *blocking* those sites, not allowing them. Anyway, I'm confused about whether those entries in the hosts file are blocked or allowed, and await further direction from you. Thanks for getting to the heart of the problem so quickly.


> catprincess, I see why you're listed as a malware expert -- the first entry in my hosts file is the one I'm concerned about. Those entries in hosts got there via the hosts option in Online Armor, but I thought I was *blocking* those sites, not allowing them. Anyway, I'm confused about whether those entries in the hosts file are blocked or allowed, and await further direction from you. Thanks for getting to the heart of the problem so quickly.

hehe, sorry to disappoint you on this, but the "Malware expert" title is just a forum setting that corresponds to the number of posts a user has made (when you reach 100 your title becomes "Malware expert"). I'm not trained in malware removal I'm afraid, though I have great respect for those that are. There is a malware removal section on this forum here http://support.emsisoft.com/forum/6-malware-removal-help/ where you can get assistance with malware removal from "real" malware experts if you should ever need to and I would certainly be suggesting that route if anything you had posted here seemed to indicate a possible infection :)

It seems to be just a slight issue with your Hosts file though that should be easily fixed. If you add this entry to your hosts file (add it directly above the Facebook entry) and then reboot, you shouldn't see your IP address associated with the Facebook entry in the Firewall Status window anymore.

0.0.0.0       localhost


> It seems to be just a slight issue with your Hosts file though that should be easily fixed. If you add this entry to your hosts file (add it directly above the Facebook entry) and then reboot, you shouldn't see your IP address associated with the Facebook entry in the Firewall Status window anymore.
>
> 0.0.0.0       localhost

I made the change and rebooted. Unfortunately, the problem's still there -- in the Firewall Status window there are 3 associations listed between my svchost.exe and Facebook, and 1 association each for System/TCP and System/UDP and Facebook. I've attached a screen capture to show you. I've also attached the hosts file to show you the change I made per your instructions. Did I do it wrong? Should I manually delete the hosts file entries below the localhost entry?

Thanks again.


Perhaps try replacing the contents of your Hosts file with a standard Hosts file, which looks as follows:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


Hi, stapp. File sharing wasn't the issue. All is o.k. now. I went into Online Armor and deleted out the entries related to Facebook from the hosts file. I thought I was *blocking* those entries via the hosts file, but instead they were being allowed. Now, the Firewall Status window shows no connection between Facebook and svchost and System/UDP and TCP. Big thanks catprincess for pointing me in the direction of the hosts file for the source of the problem.


> I went into Online Armor and deleted out the entries related to Facebook from the hosts file. I thought I was *blocking* those entries via the hosts file, but instead they were being allowed. Now, the Firewall Status window shows no connection between Facebook and svchost and System/UDP and TCP.

The entries in your hosts file weren't actually being allowed. What it's doing is when you go to a website, your computer has to first look up its IP address, to locate the server that the website resides on. Your system does this by asking your internet service provider's DNS server, but first it checks the HOSTS file on your computer for any addresses that have been stored there. Some people (or security software) add entries to the Hosts file to prevent your computer from connecting to undesirable websites by connecting back to your own computer when a connection is attempted to one of the listed websites.

In any case, you're welcome :) If you still want to block certain websites, you might try adding them to the Websites list and setting them to Blocked. It can be easier and less messy than editing the Hosts file.


> I went into Online Armor and deleted out the entries related to Facebook from the hosts file.

Hi pds324,

What version of OA do you use?

Looks like it's a really old one...

Best regards,

Andrey.


> The entries in your hosts file weren't actually being allowed. What it's doing is when you go to a website, your computer has to first look up its IP address, to locate the server that the website resides on. Your system does this by asking your internet service provider's DNS server, but first it checks the HOSTS file on your computer for any addresses that have been stored there. Some people (or security software) add entries to the Hosts file to prevent your computer from connecting to undesirable websites by connecting back to your own computer when a connection is attempted to one of the listed websites.
>
> In any case, you're welcome :) If you still want to block certain websites, you might try adding them to the Websites list and setting them to Blocked. It can be easier and less messy than editing the Hosts file.

Thanks for the clarification on the purpose and operation of the HOSTS file. It *was* my understanding that entries in the file were blocked, but that understanding was undermined by the svchost.exe and the Facebook IP address being linked together in the Firewall Status window. I did a lot of research and couldn't figure out why svchost.exe and Facebook were linked there, especially since Facebook was in the HOSTS file. And then, when I removed the Facebook entry from HOSTS, the linkage to svchost.exe disappeared. I would think that *no* entry in HOSTS would make it more likely for a linkage between the two, so I'm still puzzled on that one.

Meanwhile, as I previously said, I had removed the Facebook HOSTS entry, and all others except the 0.0.0.0 localhost, but when I just checked it, the Facebook entry was back in the HOSTS file, so a program is putting it back in. I thought Online Armor could lock my HOSTS file, but I couldn't find the setting if it can, so I fired up a program called WinPatrol, which will monitor my HOSTS file for any changes. I don't like running WinPatrol because it's a resource hog, and if you know of any way of locking the HOSTS file, please let me know. (Can I set the attribute for the HOSTS file to "read only" without interfering with its function?)

You mention the Websites list, but it's grayed-out on my version, probably because I have the free version. I'd like to update, but there's a reason I haven't (see my response to Andrey, who posted immediately below your reply).


> Hi pds324,
>
> What version of OA do you use?
>
> Looks like it's a really old one...
>
> Best regards,
>
> Andrey.

Hello, Andrey,

Yes, my version is out of date. I have version 4.0.0.10.Free. I looked into updating to what I think is now version 4.5, but I see a requirement is Service Pack 3 with XP. I don't know if you recall this, as it's now a long time ago, but when SP3 was released there was a flurry of discussion about broken apps. I use my computer for work, and there are numerous, fairly esoteric video production applications that, if they broke upon installation of Service Pack 3, would put me in huge trouble. (I do maintain all the latest Windows Updates, though.) If you think I can upgrade to the 4.5 version on SP2, please let me know as I'd certainly like the latest release of Online Armor -- I really love it.


> Thanks for the clarification on the purpose and operation of the HOSTS file. It *was* my understanding that entries in the file were blocked, but that understanding was undermined by the svchost.exe and the Facebook IP address being linked together in the Firewall Status window. I did a lot of research and couldn't figure out why svchost.exe and Facebook were linked there, especially since Facebook was in the HOSTS file. And then, when I removed the Facebook entry from HOSTS, the linkage to svchost.exe disappeared. I would think that *no* entry in HOSTS would make it more likely for a linkage between the two, so I'm still puzzled on that one.

I think it was displayed this way because you had the first key entry missing from the Hosts file, which is normally 127.0.0.1 localhost. I guess you tried to add it from within OA, but it probably didn't work due to a bug with the display of these entries.

> Meanwhile, as I previously said, I had removed the Facebook HOSTS entry, and all others except the 0.0.0.0 localhost, but when I just checked it, the Facebook entry was back in the HOSTS file, so a program is putting it back in. I thought Online Armor could lock my HOSTS file, but I couldn't find the setting if it can, so I fired up a program called WinPatrol, which will monitor my HOSTS file for any changes. I don't like running WinPatrol because it's a resource hog, and if you know of any way of locking the HOSTS file, please let me know. (Can I set the attribute for the HOSTS file to "read only" without interfering with its function?)

This is a bug in the version of OA you are using where entries weren't being displayed when they should. Hosts has been changed a lot with the latest versions. If you have WinPatrol installed at the moment, an easy way to open your Hosts file is to go to Options and click the "View Hosts files" button. Then delete all the contents and replace it with the copy I provided earlier. Then Save the file before exiting. OA may not update to reflect this in the Hosts section due to the bug, but it will be a fresh Hosts file. OA will still alert you of any attempted changes to your Hosts file.

> You mention the Websites list, but it's grayed-out on my version, probably because I have the free version. I'd like to update, but there's a reason I haven't (see my response to Andrey, who posted immediately below your reply).

I think someone on the forum had a recent version installed on SP2. The only thing that they mentioned wasn't working as intended was that the OA feature to turn Windows Firewall on when OA is turned off wasn't working. So current versions of OA probably work okay with SP2 for the moment.
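The two explanations above (the hosts file is consulted before DNS, and a blocklist-style hosts file with no localhost line makes a listening socket show up under the first blocked name) can be modelled in a few lines. The script below is an added example for this thread, not Online Armor's code or the Windows resolver; the hosts contents are constructed, and the forward/reverse lookup functions are a simplified model of the behaviour described in the replies (first matching line wins, names compared case-insensitively).

```python
"""Added example: model of hosts-file lookup, forward (name -> IP, what a
browser hits before DNS) and reverse (IP -> name, what a firewall's
"Resolve addresses" option does for a listener's local address).
The hosts texts below are constructed for the example."""
from __future__ import annotations

# Path quoted in the thread; the example does not read the real file.
HOSTS_PATH = r"C:\WINDOWS\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs in file order.

    '#' starts a comment (whole line or trailing), an entry is an IP followed
    by one or more names, separated by whitespace.  Order is preserved because
    the first matching line wins in both lookup directions.
    """
    entries: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def forward_lookup(entries: list[tuple[str, str]], hostname: str) -> str | None:
    """Name -> IP.  A hit here means the site is answered locally, never via DNS."""
    hostname = hostname.lower()
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def reverse_lookup(entries: list[tuple[str, str]], ip: str) -> str | None:
    """IP -> name.  With no localhost line, the first blocklist entry wins,
    which is the 'Facebook is listening' symptom from the thread."""
    for entry_ip, name in entries:
        if entry_ip == ip:
            return name
    return None


# Constructed: blocklist-style file with NO localhost line, as in the thread.
BROKEN_HOSTS = """\
# entries added through the firewall's Hosts option (constructed sample)
0.0.0.0   www.facebook.com
0.0.0.0   facebook.com
0.0.0.0   ads.example.test   # trailing comment, must be ignored
"""

# Same file with the localhost line placed above the blocklist entries.
FIXED_HOSTS = "0.0.0.0   localhost\n" + BROKEN_HOSTS


def describe_listener(hosts_text: str, local_ip: str = "0.0.0.0") -> str:
    """What a status window would display for a socket listening on local_ip
    when it resolves addresses through the hosts file; falls back to the IP."""
    name = reverse_lookup(parse_hosts(hosts_text), local_ip)
    return name if name is not None else local_ip


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        entries = parse_hosts(text)
        print(f"[{label}] facebook.com resolves to: {forward_lookup(entries, 'facebook.com')}")
        print(f"[{label}] listener on 0.0.0.0 is shown as: {describe_listener(text)}")
```

Running it shows the point of the thread: facebook.com resolves to 0.0.0.0 in both files, so the block was working all along; only the display changes, from www.facebook.com to localhost, once a localhost line precedes the blocklist entries. The real Windows resolver also handles IPv6 (::1) and other details this model leaves out.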


> I think it was displayed this way because you had the first key entry missing from the Hosts file, which is normally 127.0.0.1 localhost. I guess you tried to add it from within OA, but it probably didn't work due to a bug with the display of these entries.
>
> This is a bug in the version of OA you are using where entries weren't being displayed when they should. Hosts has been changed a lot with the latest versions. If you have WinPatrol installed at the moment, an easy way to open your Hosts file is to go to Options and click the "View Hosts files" button. Then delete all the contents and replace it with the copy I provided earlier. Then Save the file before exiting. OA may not update to reflect this in the Hosts section due to the bug, but it will be a fresh Hosts file. OA will still alert you of any attempted changes to your Hosts file.
>
> I think someone on the forum had a recent version installed on SP2. The only thing that they mentioned wasn't working as intended was that the OA feature to turn Windows Firewall on when OA is turned off wasn't working. So current versions of OA probably work okay with SP2 for the moment.

I thought 127.0.0.1 was "normal" for localhost, but the 0.0.0.0 localhost you suggested is working fine. I'll keep it unless you think I should switch back to 127.0.0.1. Also, I made the HOSTS file read only and there are no further problems.

I'll bite the proverbial bullet and upgrade to the most recent version of Online Armor, in a few days, after I have run Acronis for my C drive, in case things go seriously wrong on the update. Hopefully, you won't hear back from me!

Thanks so much for your great support, catprincess.


You're welcome :)

> I thought 127.0.0.1 was "normal" for localhost, but the 0.0.0.0 localhost you suggested is working fine.

I suggested 0.0.0.0 as this seemed to be the address you were already using for the other entries in your hosts file, so I thought you had done this deliberately. Some hosts files you can download use 0.0.0.0 instead of 127.0.0.1. I don't personally use a custom Hosts file so I haven't really looked into it in great detail, but I gather that using 0.0.0.0 may allow a faster failure when visiting a blocked site than using 127.0.0.1. However, like I say, I haven't tried it :)


UPDATE:

Despite having only SP2 on XP, my update to Online Armor 4.5.1.431 went flawlessly. After the update, I elected to run the safety check wizard and everything was fine.

Meanwhile, the Facebook association with svchost.exe *still* appears in the Firewall Status window. And I now know it's not the HOSTS file, because the only entry is still just 127.0.0.1, and it's read-only for good measure. The really weird thing is, the Facebook entries (the ones shown in my first jpeg attachment at the beginning of this thread) only appear when my computer is first turned on in the morning. After a couple of minutes, they're gone and never reappear until the next day's start-up. Can anyone recommend a forum where I can take it further, as I certainly don't think it's an issue with Online Armor. I *try* to run a secure computer, as I surf in Sandboxie, use a variety of Firefox add-ons -- Adblock Plus, Roboform, BetterPrivacy (a "super cookie" safeguard), CookieKiller, Ghostery, KeyScrambler, and NoScript -- and in addition to all that use Avast for antivirus, have the full version of Malwarebytes running (realtime website blocking and other protection enabled), Zemana Antilogger in realtime, and just did a very deep search for malware using Malwarebytes (took almost 3 hours to complete -- hundreds of thousands of files), Hitman Pro, and Norton PowerEraser, none of which found a thing. I even fire up X-NetStat Professional occasionally and if I see a Facebook connection, I make a kill rule so it doesn't reappear. (X-NetStat can't help my startup problem in the morning as there's no active connection to Facebook, it's just "listening.") And I've never experienced a browser hijack.

So with all that security, and no sign of infection anywhere, I still face 6 or so Facebook entries every morning, for a few minutes at least.

Any thoughts as to what to do (including, possibly, doing nothing) would be most welcome. Thanks!


> UPDATE:
>
> Despite having only SP2 on XP, my update to Online Armor 4.5.1.431 went flawlessly. After the update, I elected to run the safety check wizard and everything was fine.
>
> Meanwhile, the Facebook association with svchost.exe *still* appears in the Firewall Status window. And I now know it's not the HOSTS file, because the only entry is still just 127.0.0.1, and it's read-only for good measure. The really weird thing is, the Facebook entries (the ones shown in my first jpeg attachment at the beginning of this thread) only appear when my computer is first turned on in the morning. After a couple of minutes, they're gone and never reappear until the next day's start-up. Can anyone recommend a forum where I can take it further, as I certainly don't think it's an issue with Online Armor. I *try* to run a secure computer, as I surf in Sandboxie, use a variety of Firefox add-ons -- Adblock Plus, Roboform, BetterPrivacy (a "super cookie" safeguard), CookieKiller, Ghostery, KeyScrambler, and NoScript -- and in addition to all that use Avast for antivirus, have the full version of Malwarebytes running (realtime website blocking and other protection enabled), Zemana Antilogger in realtime, and just did a very deep search for malware using Malwarebytes (took almost 3 hours to complete -- hundreds of thousands of files), Hitman Pro, and Norton PowerEraser, none of which found a thing. I even fire up X-NetStat Professional occasionally and if I see a Facebook connection, I make a kill rule so it doesn't reappear. (X-NetStat can't help my startup problem in the morning as there's no active connection to Facebook, it's just "listening.") And I've never experienced a browser hijack.
>
> So with all that security, and no sign of infection anywhere, I still face 6 or so Facebook entries every morning, for a few minutes at least.
>
> Any thoughts as to what to do (including, possibly, doing nothing) would be most welcome. Thanks!

P.S.: PeerBlock runs amongst all of the above, too.


> I think someone on the forum had a recent version installed on SP2. The only thing that they mentioned wasn't working as intended was that the OA feature to turn Windows Firewall on when OA is turned off wasn't working. So current versions of OA probably work okay with SP2 for the moment.

pds324, I feel your pain regarding SP3. We still don't go there and don't plan to anytime soon. In spite of this [thread] being somewhat dated, perhaps it may still be helpful to others who don't completely trust the SP3 code bloat.

I wanted to let you know that we've tested version 5.0.0.1097 with XP SP2 and again, the ONLY thing we can find that seems awry is when OA is closed, WFW is not re-enabled. We just setup simple scripts to handle this and stick 'em on the desktop & start menu for easy access.

Again, we haven't found one other snafu that we can document is a problem. Of course this may change over time but we've really tested this on numerous systems with same results. Of course don't try this version on Win2k3 Server unless you want to experience BSOD. ;) Prior version 4.5.1.431 does work on that OS with some minor caveats which are posted elsewhere in this great forum.
