I tried running Killswitch on my PC today, and it seems it has gone completely mad. On nearly every single running program it shows either a connection to fastclick.net or tracking.opencandy.com.s3.amazonaws.com.
The Killswitch picture was taken when the hosts file said “127.0.0.1 fastclick.net” instead of “0.0.0.0 fastclick.net”. After changing it to 0.0.0.0, tracking.opencandy.com.s3.amazonaws.com no longer appears, but instead fastclick appears on everything else. If you take a look at the TCPView image you will notice that the only IP addresses or hosts are anything but those 2.
At first this really made me paranoid, but now I just think that something somewhere is “stuck”.
I would recommend you download Process Explorer from Sysinternals and see what is inside of svchost.exe that is trying to connect. More than likely it is a service of some kind.
There are 13 instances of svchost.exe and fastclick.net is running as a connection in 6 of them. On one of them it is connected via UDP to a Dnscache via port 5355 (LLMNR). Are they trying to hijack my connection??? I am getting REALLY uneasy now!! I am usually a security freak, I have both NIS 2014 and Webroot SecureAnywhere running and meanwhile I do regular scans with Comodo, Malwarebytes and others. My computer is constantly updated and all software is updated, so I don’t know what the heck is going on.
I have uploaded what it shows in Killswitch - Networking Tab.
I have uploaded a logfile from Minitoolbox (Result.txt).
Well, Malwarebytes and AdwCleaner didn’t find anything, but here you can see the log from JRT, which actually removed more usable tools than anything else :p. My PC is pretty clean, just this fastclick.net nonsense that is weird…
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Ultimate x64
Ran by SalihB on 05-03-2014 at 2:19:33,24
I kept thinking about this possibility, but really couldn’t believe something as stupid as this might actually be the correct answer to my question. This is just too weird… Why does 0.0.0.0 act like this? I’ve never seen anything like this before…
This means that you were correct. Changing everything in the hosts file to point to 127.0.0.1 instead actually fixed it, and I’ve read that using 127.0.0.1 instead of 0.0.0.0 might actually be faster as the response from 127.0.0.1 is faster than the TTL of the ICMP packet being sent to 0.0.0.0.
Thank you very much. You wouldn’t know why 0.0.0.0 would act like this, would you?
TCPView = Not affected
Killswitch = Affected
Process Explorer = Affected