Connections to 127.0.0.1 showing up in Process Monitor

All of my hosts file entries use 0.0.0.0.

I noticed strange network activity on my PC yesterday and checked process monitor. I saw a number of connections to 1-1ads.com, despite that site being present in my hosts file and in my routers URL block list.
The connections were showing against system processes, Corsairlink.exe and openvpn.exe. When I ran firefox connections to 1-1ads.com also showed against that.

I ran malwarebytes scan and a hitmanpro scan. I checked for unwanted applications having been installed.
I cleared my browser cache and cookies and flushed my DNS cache.

Malwarebytes and HitmanPro found nothing.

Rebooted and the connections disappeared.Then today I look at process monitor to see if they were present and instead I see a bunch of connections to 127.0.0.1 despite not specifying the loop back address anywhere. Again, on system programs and running applications.

A while ago I had a similar symptom with those processes showing connections to events.gfe.nvidia.com but I didn't think much of it other then it was unusual since that address is also blocked in my hosts file and router.

But now it's getting just a little too weird.

Anyone seen similar behavior? Should I be worried about it?

127.0.0.1 IP Address Explained

@Jacee. Thanks for the link. I had already been throught that guide. There were no programs that needed to be removed, no addons in my browser. Virus programs reported no infections either.

I've since reinstalled Windows and the symptom is now that several processes are connecting to Tanya-PC instead.

@Samuria What? 0.0.0.0 is not the Internet.

What is the Difference Between 127.0.0.1 and 0.0.0.0?

Whether one uses 127.0.0.1 or 0.0.0.0 in their hosts files seems somewhat contentious. I've tried both and opted to stick with 0.0.0.0.

The question is why am I seeing several system and application processes sending and receiving data constantly on that address when the loopback address is not specified anywhere that I know of.

@Digmor Crusher. Thanks for that. I know what 127.0.0.1 is. It's just that I would not expect resource monitor to be showing a bunch of programs sending and receiving data from that address.

If you look at your systems what do you see?

127.0.0.1 address is localhost address, that is your computer, most networking programs use this address for troubleshooting purposes and for inter communication between programs, traffic with this address never goes to internet, it local to computer.

0.0.0.0 is unspecified address, which means it is a placeholder and applies to any address, now to figure out which address would that be you have to look at address of another endpoint, for example:

127.0.0.1 -> 0.0.0.0 means that local computer can connect to any remote address "inside" computer but not to internet!

on another side:

192.168.1.55 -> 0.0.0.0
Here 192.168.1.55 is an example of your interface (local IP) address that is routable to internet, this means program in question may connect (or accept connection) with/from anyone on the internet as follows:

If the request is inbound you firewall must allow connection and may prompt you to do so only first time.
Otherwise if request is outbound it is allowed by default without prior notice.

This is all getting way off topic.
Some ping examples;

Code:

Using 0.0.0.0 www.facebook.com in hosts file results in "ping request could not find www.facebook.com". 
Using 127.0.0.1 www.facebook.com in hosts results in a successful ping to www.facebook.com - to the loop back address

The 0.0.0.0 behavior of totally blocking the traffic is definitely my preferred outcome.

So all ipv4 addresses in my host file use 0.0.0.0.

But the question was "Why am I seeing system and application processes sending and receiving data on 127.0.0.1". They used to send and receive data to events.gfe.nvidia.com too. Programs that have no relationship to that site. They don't do that anymore. They all go to 127.0.0.1.

0.0.0.0 is "unspecified" address, it's not valid to use this address for any purpose.
you seem to want to block something based on an address that is "not an address".

blocking 127.0.0.1 is less insane but you'll be breaking a lot of OS and software functionalities.

But the question was "Why am I seeing system and application processes sending and receiving data on 127.0.0.1".

This address is used by programs and there is no way you can stop them except to remove these programs. (or in rare cases configure them)

if you put following into hosts file:

Code:

127.0.0.1 facebook.com

You get ping success because facebook.com is now your local machine!
I suggest you to clear hosts file completely because none of this makes sense.