Weird connection showing up in TCPView

dotHiro · 29 Aug 2022

Hello,

Lately I've been seeing some weird remote address -1-1ads.com - show up whenever I check connections in TCPView.

Here's a pic

Weird connection showing up in TCPView-tcpview.png

I've tried the following - uninstalling and reinstalling the affected software, starting Firefox in safe mode, refreshing it, manually disabling extensions and re-enabling them, followed this guide, scanned with Malwarebytes, ADWCleaner, Hitman Pro... nothing came up.

I also have the - 1-1ads.com - blocked in windows's hosts file but it still seems to show up.

As a note - whenever firefox/apple services are closed/not running, the address doesn't show up in TCPView.

Win 10, v21H1 (OS Build 19043.1021)

I'm out of ideas here and seek your wisdom.

Samuria · 29 Aug 2022

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?. Remove bonjour

dotHiro · 29 Aug 2022

Samuria said:

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?. Remove bonjour

This seems to have solved part of it.
The address doesn't show up for the rest of Apple services anymore, but it's still there for Firefox (cleared cache and cookies one more time after removing Bonjour)

Any ideas on that? Thanks for the help so far <3

Weird connection showing up in TCPView-tcpview64_pjljf1z4j5.png

Samuria · 29 Aug 2022

Look for any extension in ff you can run ff in its own safe mode(not windows safe mode) try running like that see if it stops

dotHiro · 29 Aug 2022

Unfortunately the issue persists.

I've tried even with another browser and the connection seems to persist.
I'm really curious if this address is something legit that may be tied to Apple when installing iTunes/iCloud and hooks unto everything else it can and phones home (for user experience improvement of course

) or if there's something malicious somewhere in the middle.

Thanks again for all the help so far, if there's any other ideas that I can try (besides a clean Windows reinstall) I'm open to suggestions.

Samuria · 29 Aug 2022

Contact is made via malware the actual web domain is a place were you can rent a server https://otx.alienvault.com/indicator...4c94c98f499500.

Try adaware and malwarebytes again but have the webrowser running when you scan if its only active with a browser it may not have picked it up if the browsers isnt running before running check its connecting

dotHiro · 29 Aug 2022

Still no luck

Neither Malwarebytes, ADWCleaner nor Hitman Pro have detected anything.
At this point I think I'll just have to ignore it :/
As much as I dislike this issue and it's an itch on the back of the head, I'm out of ideas.

Samuria · 29 Aug 2022

Make sure its connecting then open taskmanager click detals at the top now look for the PID numbers the tcip is using and it will tell you what apps using it

MaloK · 30 Aug 2022

If your Firefox is not using the hosts file, it may be because it is configured to use DNS over HTTPS

I just did the test and was unable to block the site via Hosts file while Firefox is using DNS over HTTPS.

As soon as I disabled it, the site became unreachable.

dotHiro · 30 Aug 2022

Sorry for the lack of updates everyone, it's been a long night struggling with this.
In the end I bit the bullet and reinstalled Windows and everything is fine now.

@MaloK - I didn't have FF set up to use DNS over HTTPS so I guess it was something else. @Samuria - thanks once again for all the help offered.

Dunno what it was but I'll keep an eye on things in case it returns (hope it doesn't tho D:)

Thanks everyone!