Killswitch gone mad? (Network connections fastclick/opencandy)

Hi

I tried running Killswitch on my PC today, and it seems it has gone completely mad. On nearly every single running program it shows either a connection to fastclick.net or tracking.opencandy.com.s3.amazonaws.com.

The Killswitch picture was taken when the hosts file said “127.0.0.1 fastclick.net” instead of “0.0.0.0 fastclick.net”. After changing it to 0.0.0.0, tracking.opencandy.com.s3.amazonaws.com no longer appears, but instead fastclick appears on everything else. If you take a look at the TCPView image you will notice that the only IP addresses or hosts are anything but those two.

At first this really made me paranoid, but now I just think that something somewhere is “stuck”.

[attachment deleted by admin]

I would recommend you download Process Explorer from Sysinternals and see what is inside of svchost.exe that is trying to connect. More than likely it is a service of some kind.

Good luck, and let us know how it turns out.

There are 13 instances of svchost.exe, and fastclick.net is showing as a connection in 6 of them. On one of them it is connected via UDP to a Dnscache via port 5355 (LLMNR). Are they trying to hijack my connection??? I am getting REALLY uneasy now!! I am usually a security freak; I have both NIS 2014 and Webroot SecureAnywhere running, and meanwhile I do regular scans with Comodo, Malwarebytes and others. My computer is constantly updated and all software is updated, so I don’t know what the heck is going on.

I have uploaded what it shows in Killswitch - Networking Tab

I have uploaded a logfile from Minitoolbox (Result.txt)

Just tell me if you need anything else

Malwarebytes Anti-Rootkit BETA 1.07.0.1009


Malwarebytes Anti-Rootkit BETA 1.07.0.1009 www.malwarebytes.org

Database version: v2014.03.02.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16518
SalihB :: SALIHB-PC [limited]

03-03-2014 00:07:59
mbar-log-2014-03-03 (00-07-59).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 258017
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


[attachment deleted by admin]

Does this removal guide help you to get rid of Open Candy?

Well, Malwarebytes and AdwCleaner didn’t find anything, but here you can see the log from JRT, which actually removed more usable tools than anything else :p. My PC is pretty clean, just this fastclick.net nonsense that is weird…


Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Ultimate x64
Ran by SalihB on 05-03-2014 at  2:19:33,24



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\opswat"
Successfully deleted: [Folder] "C:\Users\SalihB\AppData\Roaming\software informer"
Successfully deleted: [Folder] "C:\Program Files (x86)\opswat"



~~~ Event Viewer Logs were cleared





Scan was completed on 05-03-2014 at 2:34:31,95
End of JRT log

Open the HOSTS file with Notepad. Before you do that, remove the read-only attribute from the HOSTS file.

Then remove everything under 127.0.0.1 localhost and save it. Does that make a difference?

I kept thinking about this possibility, but really couldn’t believe something as stupid as this might actually be the correct answer to my question. This is just too weird… Why does 0.0.0.0 act like this? I’ve never seen anything like this before…

This means that you were correct. Changing everything in the hosts file to point to 127.0.0.1 instead actually fixed it, and I’ve read that using 127.0.0.1 instead of 0.0.0.0 might actually be faster as the response from 127.0.0.1 is faster than the TTL of the ICMP packet being sent to 0.0.0.0.

Thank you very much. You wouldn’t know why 0.0.0.0 would act like this would you?

TCPView = Not affected
Killswitch = Affected
Process Explorer = Affected

I have no idea…

I see… But thanks anyway, that was very helpful :).
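The open question in this thread is why a hosts file full of "0.0.0.0 <domain>" lines makes Killswitch and Process Explorer label nearly every process with fastclick.net while TCPView does not. The model below is an added example, not code from the thread or from any of the tools named in it, and it rests on an assumption the thread never states: that the affected tools reverse-resolve endpoint addresses through the hosts file (first matching line wins, as gethostbyaddr does), and that every listening socket reports the wildcard local address 0.0.0.0. Under that assumption, 0.0.0.0 resolves to the first blocked domain, while the 127.0.0.1 form resolves to "localhost" because that line comes first. Hosts files and the endpoint table are constructed.

```python
"""Model of how a hosts-file reverse lookup can mislabel listening sockets.

Added example (assumption: the socket-listing tool resolves addresses via the
hosts file and takes the first matching entry, like gethostbyaddr).
"""
import re

# Constructed hosts files, in the two forms discussed in the thread.
HOSTS_0000 = """
127.0.0.1 localhost
0.0.0.0 fastclick.net
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
"""
HOSTS_LOOPBACK = """
127.0.0.1 localhost
127.0.0.1 fastclick.net
127.0.0.1 tracking.opencandy.com.s3.amazonaws.com
"""

# Constructed endpoint table: (pid, image, local address, remote address).
# A listening socket on all interfaces reports local address 0.0.0.0.
ENDPOINTS = [
    (1120, "svchost.exe", "0.0.0.0", "*"),
    (4312, "browser.exe", "192.168.1.5", "93.184.216.34"),
    (768, "svchost.exe", "127.0.0.1", "*"),
]

def parse_hosts(text):
    """Return [(ip, [names]), ...] in file order, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        entries.append((ip, names))
    return entries

def reverse_lookup(entries, ip):
    """First hostname listed for ip (hosts-file order), or None if absent."""
    for entry_ip, names in entries:
        if entry_ip == ip and names:
            return names[0]
    return None

def label_endpoints(hosts_text, endpoints=ENDPOINTS):
    """What a resolving tool would display for each endpoint row."""
    entries = parse_hosts(hosts_text)
    return [(pid, image,
             reverse_lookup(entries, local) or local,
             reverse_lookup(entries, remote) or remote)
            for pid, image, local, remote in endpoints]
```

Run `label_endpoints(HOSTS_0000)` and the listening svchost.exe row shows fastclick.net as its local endpoint; with `HOSTS_LOOPBACK` it shows 0.0.0.0, and the 127.0.0.1 row shows localhost.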