Support Forum

Firefox.exe Tries to Connect to 127.0.0.1? So does jqsnotify.exe? Etc.?

Posted

Whenever I start Ffx 3.6.13, my firewall alerts me that firefox.exe is trying to connect TCP Out to 127.0.0.1:443(https). Three or 4 seconds later, alerts for jqsnotify.exe TCP out to 127.0.0.1:5152. Others, incl. AAWService.exe (Ad-Aware) (when commanded to open or update). On a Windows startup and on restart, during the login to my Admin user account, Explorer.exe tries to connect 127.0.0.1.

Modified by FallingRock

Additional System Details

This happened

Every time Firefox opened

This started when...

Around two weeks ago, M$SE caught & removed Trojan:Win32/Dynamer!dtc, and it quarantined Win32/OpenCandy.

Installed Plug-ins

  • IE Tab Plug-in for Mozilla/Firefox
  • NPCIG 1.0.0.3
  • 1.9.0009.1
  • Foxit Reader Plug-In For Firefox and Netscape
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Default Plug-in
  • Shockwave Flash 10.2 r152
  • iTunes Detector Plug-in
  • Next Generation Java Plug-in 1.6.0_23 for Mozilla browsers
  • 4.0.60129.0
  • NPWLPG
  • Motive Plugin for Mozilla Browsers
  • npmnqmp 989898989877
  • OpenOffice.org Plug-in handles all its documents
  • Npdsplay dll
  • DRM Store Netscape Plugin
  • DRM Netscape Network Object

Application

  • User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

More Information

My LAN is simply, ISP's ADSL modem via 10/100Base-T through Router to PC, plus PC back to Router to HP printer on wireless port out of Router. Also have seen APAgent.exe, etc. N.B. - 127.0.0.1 is the Loopback address, which dead-ends each connection attempt to any host listed in my HOSTS. Am running a HOSTS file in Windows XP Pro x86 SP3. Windows is updated with Feb. Tuesday patches and the new IE8.0 comprehensive rollup. HOSTS includes merged MVPS Hosts file (last updated 12/4/2010).
AV reported yesterday, a new virus detection, W32\Virut.q. I suspect an infectious agent had injected an http command to a known malicious host into each of these major apps. I guess my Comodo Internet Security Complete 2011 v4.3 firewall cannot display the URL that was sent prior to the redirection by Windows' HOSTS file to the Loopback. I also run M$ SE update every two days and scan once or twice/week, and Ad-Aware every week or two.
Has anyone else seen similar behavior of Firefox or Java, etc.? Knowledgeable help will be appreciated.
Falling Rock
---A falling rock gathers no mas.---

Gryllida 76 solutions 892 answers

Helpful Reply

Please check whether those find anything:

Malware Removal Links: http://www.safer-networking.org , http://www.malwarebytes.org , http://www.spywareterminator.com , http://www.microsoft.com/security/malwareremove/default.aspx

Question owner

OK, Gryllida, thanks, will try. I just now updated/corrected my initial post again, FYI.

P.S. - (a) The Forum window displayed to me AFTER posting my opening, is lacking most of the info I posted there, including the Troubleshooting details with critically important things. Are you seeing all those data, or is your view restricted as mine, to a single paragraph ending with APAgent.exe? (b) Do you know how many characters are allowed, in the first text entry window under the subject question? Mozilla.org ought to post their capacities by each window.

Modified by FallingRock

Question owner

Stage 1 Result:

Your link to microsoft.com offered me a download of the Windows MRT which I already updated per Patch Tuesday and have run it a couple of times since then. I have been updating and running it every month for years. It hardly ever reports finding anything, and it didn't report finding nothing, and I couldn't find any results file on the system drive.

Any comments?

Gryllida 76 solutions 892 answers

Helpful Reply

Not really, please just try a few scans and let us know if they find anything.

Question owner

Well, back to work. Windows Malicious Software Removal Tool (windows-kb890830-v3.16.exe) (February 2011) scanned the short scan and found nothing - nada. I am proceeding now to download another of your recommended scanners, and will report result.

BTW - The Forum window displayed to me AFTER posting my opening, is lacking most of the info I posted there, including the Troubleshooting details with critically important things including local system description. It is irritating, having done all that work to give a clear and complete picture of the issue - that Mozilla.org should set up a less than fully functional forum, here. Are you seeing all those data, or is your view as restricted as mine, to a single paragraph ending with "Explorer.exe tries to connect 127.0.0.1."? Please tell me, while I am working.

Gryllida 76 solutions 892 answers

Your post seems to be full.

We're waiting for the next scan results.

cor-el
  • Top 10 Contributor
  • Moderator
10780 solutions 97024 answers

127.0.0.1 is a local address (local host). Firefox uses that loopback connection to communicate with the Software Security Device.

See:

Question owner

Gryllida, "seems to be full" is a bit obscure to me. One guess I could make is, you know what "full" means in terms of characters allowed, although I do not. (Each of these message balloons stretches in size to contain the words it contains - so any inflated balloon is always "full.") How full is full? How many chars.?

Modified by FallingRock

Question owner

Gryllida, I ran Spybot a while ago, and it found a sizeable number of items that were invalid shortcuts, and I authorized removal of those. Haven't seen any adverse reaction yet. So, then I ran a registry-only scan, and it found three red items in Internet Explorer keys, one of those in HKLM and the other two in different userpaths in HKU. Path of each is HKLM\(user account code S-1-5-xxx)... or "HKU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe [is not] W=1". FYI, I had installed the Cumulative Security Update for IE (KB2482017) last week, after the Patch Tuesday items and then after the Silverlight update. So, I told it to correct these items.

Question owner

Gryllida - So, after Spybot ran its process on those three keys, it jiggled the entries in the results window, but nothing visibly changed in the listed items, each still contains the "funny-looking" (to this untrained user) appendages following \iexplore.exe, i.e. ..."\iexplore.exe [is not] W=1"

Can you enlighten me a little, on the meaning and significance of these, what shall I call them, "parameters?"

Question owner

cor-el, Thanks for that information. I had supposed that the use by HOSTS file of 127.0.0.1 to "dead-end" anything outbound toward a known malicious hostname/IP meant that this loopback would have no impact on the system software. But, you said otherwise. What does the term mean, "the Software Security Device"? It's a new term to this untrained user of Win 3.0 through XP.

Modified by FallingRock

Question owner

Here's a related item. Just saw a Comodo firewall alert (Comodo Internet Security Complete 2011 v5.3) saying that svchost.exe was trying to receive a connection from the Internet giving IP address (on my LAN) of my NetGear WNR2000 router, that is connected via CAT 5e, 10/100BASE-T lines between my DSL modem (ISP is AT&T) and my HP Pavilion PC, and also, my HPLJ wireless-capable printer is on the same 172.16.0.xxx network, connected through the 802.11n wireless part of this router. The same IP of the router is listed in Windows Local Area Connection Status > Support > Details for Default Gateway, DNS Server, and DHCP Server, all of these are provided Automatically in TCP/IP Properties and were not set manually. Is this safe to Allow? I have been blocking these incoming connections whenever I can. Over to you. It's past my bedtime, so, good night for tonight.

Modified by FallingRock

Gryllida 76 solutions 892 answers

Not sure whether the connections really matter until you find any other symptoms, specifically taken that the programs found no malware.

How to stop Firefox from automatically making connections without my permission once again can explain some but not sure whether there are any other programs making connections.

http://www.wireshark.org/ can help to get a more detailed overview of the connections your machine is making.

Modified by Gryllida
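A way to triage the kind of firewall alerts discussed in this thread, as an added example that is not part of any post above: it sorts each alert's destination into loopback, LAN or internet, and marks loopback alerts on web ports that a HOSTS-file blocklist entry could explain. The HOSTS content, hostnames, the 172.16.0.1 and 8.8.8.8 addresses and port 1900 are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed HOSTS sample in blocklist style; every hostname is a placeholder.
SAMPLE_HOSTS = """\
127.0.0.1  localhost
127.0.0.1  ads.example.com tracker.example.net  # blocked
0.0.0.0    telemetry.example.org
10.0.0.5   intranet.example.test
"""

# Constructed alerts shaped like those in the thread: (process, destination, port).
# The 172.16.0.1 and 8.8.8.8 addresses and port 1900 are assumptions.
SAMPLE_ALERTS = [
    ("firefox.exe", "127.0.0.1", 443),
    ("jqsnotify.exe", "127.0.0.1", 5152),
    ("svchost.exe", "172.16.0.1", 1900),
    ("firefox.exe", "8.8.8.8", 443),
]

def sinkholed_names(hosts_text):
    """Hostnames that a HOSTS file maps to loopback or 0.0.0.0."""
    names = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line or comment only
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed entry
        if addr.is_loopback or addr.is_unspecified:
            names += [n.lower() for n in fields[1:] if n.lower() != "localhost"]
    return names

def classify(dest):
    """Where a destination lives: this machine, the LAN, or the internet."""
    addr = ipaddress.ip_address(dest)
    if addr.is_loopback:
        return "loopback"
    return "lan" if addr.is_private else "internet"

def triage(alerts, hosts_text):
    """Per alert: (process, scope, whether a HOSTS-blocked name could explain it)."""
    blocked = sinkholed_names(hosts_text)
    report = []
    for proc, dest, port in alerts:
        scope = classify(dest)
        # Loopback on a web port is what a request to a sinkholed name looks like
        # to the firewall; the alert alone cannot confirm which name was asked for.
        maybe_hosts = scope == "loopback" and port in (80, 443) and bool(blocked)
        report.append((proc, scope, maybe_hosts))
    return report
```

Loopback traffic never leaves the machine, so only the "internet" rows describe data going out; a packet capture such as the Wireshark one suggested above is what shows the actual hostnames involved.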