Support Forum

Something calling home from Firefox.

Sir/Madame With both CF and FF after installation within a week or so something started to call home and was stopped by Malwarebytes. I contacted Malwarebytes. Below is the issue information:

Malwarebytes Pro has just started "stopping" an item from sending something outbound. I did complete scans and also scanned the folder that MB said was where the outbound message was blocked from. In both scans MB found no threats. The item originated in the Mozilla Firefox folder at C/Program Files/Mozilla Firefox (86)/Mozilla firefox exe. When I started using CF the same issue started again, this time it was identified as originating at C/Program Files/Cyberfox (86)/Cyberfox exe. I looked there and also found nothing but I don't know what to look for. The found the item "xml.ckl1031"(.com) Google found it and said that "This domain is used by the RevenueHits Ad Network and is malware/adware". I use a new, up to date PC with Win 10 pro and FF as my default browser and often use Cyberfox. I would appreciate any help as it seems to be riding along with both FF and CF. I have scanned my system with Malwarebytes, adwcleaner, HiJackThis, Hitman Pro, Housecall, rkill, and Stinger64, and none have found anything that causes this calling home. At the Malwarebytes forum, I received the listed info and I am including it to see if you all can help. It is to be found at this address, (see below). I am also sending this request for help to CyberFox, to see if they have some insight on this issue. I DO NOT believe that Firefox or Cyberfox would slip something like this into your software, as an added revenue stream. I await your reply, thank you, S Rubin

Additional System Details

Installed Plug-ins

  • Epic Privacy Browser Installer
  • Shockwave Flash 23.0 r0
  • 5.1.50709.0
  • VLC media player Web Plugin

Application

  • Firefox 49.0.1
  • User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
  • Support URL: https://support.mozilla.org/1/firefox/49.0.1/WINNT/en-US/

Extensions

  • Adblock Plus 2.7.3 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d})
  • AutoPager Fixed 0.8.0.10.1-signed.1-signed (autopagerfixed@mozilla.org)
  • AutoPagerizeTweaked 0.9.17.5 (@autopagerizetweaked)
  • Customizations for Adblock Plus 1.0.5 (customization@adblockplus.org)
  • Element Hiding Helper for Adblock Plus 1.3.9 (elemhidehelper@adblockplus.org)
  • Hover Hand 0.31.1-signed.1-signed (chikit@gmail.com)
  • HTTPS Everywhere 5.2.5 (https-everywhere@eff.org)
  • LastPass 3.3.1 (support@lastpass.com)
  • Multi-process staged rollout 1.2 (e10srollout@mozilla.org)
  • Reddit Enhancement Suite 5.0.2 (jid1-xUfzOsOFlzSOXg@jetpack)
  • Thumbnail Zoom 1.4.3.1-signed.1-signed ({E10A6337-382E-4FE6-96DE-936ADC34DD04})
  • Thumbnail Zoom Plus 4.0 (thumbnailZoom@dadler.github.com)
  • uBlock Origin 1.9.8 (uBlock0@raymondhill.net)
  • Web Compat 1.0 (webcompat@mozilla.org)
  • WOT 20151208 ({a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7})
  • Pocket 1.0.4 (firefox@getpocket.com) (Inactive)


Misc

  • User JS: No
  • Accessibility: Yes
cliffontheroad 2 solutions 57 answers

I have a variation of this problem, I think. During the course of another bug investigation, I've been using microsoft Process Explorer on Windows 7.

When I use start FF or Icedragon, I see that the TCP/IP page has dozens of connections to my Westel Modem (status Connected). This does not occur using IE browser.

Question owner

Cliff, I guess yes and no would be a better answer. I will run "Process Explorer" the next time the Malwarebytes notice pops up, to see what I can see. (although I'm not a PC pro when it comes to stuff like this). Also I use Win 10 anniversary update. I only use FF and now Cyberfox and rarely a Chrome clone, when they don't open something. My ISP is Comcast and I use my own purchased modem/router. Thank you for trying, I get no help from FF or CF, it's very frustrating....SR

christ1
  • Top 25 Contributor
2191 solutions 16025 answers
The found the item "xml.ckl1031"(.com)

Please explain in detail what that means and how xml.ckl1031 is related to Firefox.

Also see http://kb.mozillazine.org/Connections_established_on_startup_-_Firefox

Just curious, why would you trust a questionable anti-malware software over Firefox?

Modified by christ1

Question owner

christ1 Thank you. When the warning notification pops up in Malwarebytes, it informs me that MB stopped an outgoing something, from the Mozilla Firefox folder at C/Program Files/Mozilla Firefox (86)/Mozilla firefox exe. When it happens with Cyberfox running as the browser, the warning changes to C/Program Files/Cyberfox (86)/Cyberfox exe. These warnings can show up upon opening the browsers or when opening a new tab. The warnings are the same, except the originating folder given. Information is xml.clk1013.com, ip 174.137.155.139 trying to contact someone or something, and it gives the port. Googling xml.clk1013.com, reveals that this is known ad/malware, from the scum at RevenueHits Ad Network. MB recommends further scanning and sending logs if pertinent. The recommended online scanners are as listed. They are again, Malwarebytes, adwcleaner, HiJackThis, Hitman Pro, Housecall, rkill, and Stinger64; to these I've added some other recommended scanners. NONE of the scans turns up anything in the FF or the CF folders. Some turned up some minor PUPs but nothing suggestive of xml.clk1013.com or RevenueHits Ad Network. Whois for 174.137.155.139 shows more info, none of which means anything to me. This also seems to be an intermittent problem, which makes it even more frustrating. Sometimes I get the warning upon opening the browsers and sometimes it appears when a new tab is opened. Something is attempting to call home, it seems able to hide from scanners and "spoof" the folders where it originates from.

I don't understand your question, "Just curious, why would you trust a questionable anti-malware software over Firefox?". Firefox is a browser, not anti-malware software, although it may have some anti-malware facets, of that, I don't know. You terming the listed anti-malware as "questionable" is also not understandable, as these products are well known and have been around for a long time with positive reputations. This Malwarebytes Pro I use, is a paid for product, that I have used for many a year with no issues. In fact, when an issue crops up, they work hard and bend over backwards to make the issue go away. I am sure, I have misunderstood your query and I do thank you for your response. I'm sure that I'm not the only one who has bumped into this "xml.clk1013.com" or "RevenueHits Ad Network" crap and I have only contacted Mozilla Firefox and Cyberfox because it was their folders that were identified in the warning. I am very happy using FF and CF also seems well put together also. I hope I have restated the issue accurately and that someone with more IT knowledge, can find much more and "understand" the information better than I can, thanks again. S Rubin

FredMcD
  • Top 10 Contributor
4299 solutions 60388 answers

Something is calling home from my PC - General PC Help https://forums.malwarebytes.org/topic/186978-something-is-calling-home-from-my-pc/

Article says may be malware.

Web search finds no other data.


You may have ad / mal-ware. Further information can be found in the Troubleshoot Firefox issues caused by malware article.

Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.

christ1
  • Top 25 Contributor
2191 solutions 16025 answers

Chosen Solution

This site suggests some sort of Xml.clk1013.com malware is causing the requests to the xml.clk1013.com domain. http://blog.removevirusnow.org/xml-clk1013-com-removal/

The site also has manual removal instructions. That's what I'd rather try first, than installing yet another scanner/removal tool.

How the malware interacts with your Firefox and Cyberfox, I don't know. What's a little disturbing, is that none of your anti-malware scanners seem to find any trace of Xml.clk1013.com on your computer.

I don't understand your question, "Just curious, why would you trust a questionable anti-malware software over Firefox?".

What I meant to say is that I don't trust Malwarebytes and I wouldn't install their software. But that's my personal view, and you're of course entitled to your opinion. On the other hand I do trust Mozilla and the Firefox browser not to cause these kinds of requests to questionable sites. But I guess you figured that out yourself by now, that the requests are being caused by some sort of malware on your system. I have no experience with Cyberfox, so I can't comment on them.

I'd also question the filtering of outgoing traffic, but at least Malwarebytes did catch the requests to xml.clk1013.com. So maybe there is a point in doing that.
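Added example (not part of any post in this thread, and not Mozilla or Malwarebytes tooling): add-ons and preferences are stored in the browser's profile folder rather than under Program Files, so searching the profile, including inside packed .xpi add-ons, for the blocked domain is one way to look for what references it. The function names and the sample profile contents below are constructed for illustration.

```python
import os
import zipfile

# Domain reported in the Malwarebytes alert quoted in this thread.
DOMAIN = b"xml.clk1013.com"

def _hits_in_bytes(data, needle):
    """Return 1-based numbers of the lines that contain needle (case-insensitive)."""
    needle = needle.lower()
    return [n for n, line in enumerate(data.splitlines(), 1) if needle in line.lower()]

def scan_profile(profile_dir, needle=DOMAIN, max_bytes=20 * 1024 * 1024):
    """Walk a browser profile and report each file (or .xpi member) mentioning needle.

    Returns a sorted list of (location, [line numbers]) tuples.
    """
    findings = []
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, profile_dir).replace(os.sep, "/")
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip very large caches and databases
                if zipfile.is_zipfile(path):
                    # Packed add-ons (.xpi) are zip archives: search every member.
                    with zipfile.ZipFile(path) as zf:
                        for member in zf.namelist():
                            lines = _hits_in_bytes(zf.read(member), needle)
                            if lines:
                                findings.append((rel + "!" + member, lines))
                else:
                    with open(path, "rb") as fh:
                        lines = _hits_in_bytes(fh.read(), needle)
                    if lines:
                        findings.append((rel, lines))
            except (OSError, zipfile.BadZipFile):
                continue  # locked or unreadable file: skip it, keep scanning
    return sorted(findings)

def build_sample_profile(base):
    """Create a small constructed profile for the demonstration (not real data)."""
    os.makedirs(os.path.join(base, "extensions"))
    with open(os.path.join(base, "prefs.js"), "w") as fh:
        fh.write('user_pref("browser.startup.homepage", "about:home");\n')
        fh.write('user_pref("example.constructed.url", "http://xml.clk1013.com/x");\n')
    xpi = os.path.join(base, "extensions", "sample@example.invalid.xpi")
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("manifest.json", '{"name": "constructed sample"}')
        zf.writestr("background.js", '// constructed\nvar u = "http://XML.CLK1013.COM/ping";\n')
    return base

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(os.path.join(tmp, "profile"))
        for location, lines in scan_profile(profile):
            print(location, lines)
```

On a real profile, close the browser first so files are not locked. A hit inside an ad blocker's stored filter lists or in browsing history may only mean the domain is listed or was visited, so check which file each hit is in before drawing conclusions.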


Question owner

Thanks Fred McD, that was me asking the question to Malwarebytes, thanks for your interest. SR

christ1 Thanks again, I will check out your link

http://blog.removevirusnow.org/xml-clk1013-com-removal/

and post what happens if it pertains to my issue and can help others. You guys have been a great help. Now if we could get rid of these AHs who put, slip this junk into other's software. There should be a way, short of sending them a bomb........

FredMcD
  • Top 10 Contributor
4299 solutions 60388 answers

Helpful Reply

It’s very sad, but many of the software downloaders / installers will trick you into installing not only their program, but other programs as well. You have heard of the fine print in shady contracts, right? Well, some installers you need to look at the itsy bitsy teeny weeny fine print. You are thinking you are giving the installer permission to install the program you want by using the recommended option. But if you use the Manual Option Instead, you discover all kinds of stuff that you do not even know what it is or what it does. From now on, everyone needs to Use The Manual Option to put a stop to this.
