«

In article <COWGg.250$>, says...

>
> Why is Mozilla/Firefox opening connections to data.coremetrics.com?
> I *DON'T* have any toolbars.
> I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
> Hijackthis! and found nothing.

Maybe these can help:
http://www.spywareremove.com/removeCoreMetrics.html
http://www.scanspyware.net/info/Coremetrics.htm

HTH
--
faun.

Faun wrote:
> In article <COWGg.250$>, says...
>
>>
>> Why is Mozilla/Firefox opening connections to data.coremetrics.com?
>> I *DON'T* have any toolbars.
>> I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
>> Hijackthis! and found nothing.
>
> Maybe these can help:
> http://www.spywareremove.com/removeCoreMetrics.html
> http://www.scanspyware.net/info/Coremetrics.htm
>
> HTH

Thank you.

I tried both. Neither found coremetrics, or anything remotely related to it.

In article <SclHg.361$>, says...

> I tried both. Neither found coremetrics, or anything remotely related to it.

You could try the manual approach. I seem to recall there were some
advice on how to deal with it manually on at least one of the pages.
Probably means starting regedit and looking for some keys, or something.

The human eye is often better than the computer at detecting subtle
things.

Good luck!
--
faun.

Faun wrote:
> In article <SclHg.361$>, says...
>
>> I tried both. Neither found coremetrics, or anything remotely related to it.
>
> You could try the manual approach. I seem to recall there were some
> advice on how to deal with it manually on at least one of the pages.
> Probably means starting regedit and looking for some keys, or something.

Yep. I read the same thing but the article said that even if one edits the
registry, the scumware can rebuild itself.

>
> The human eye is often better than the computer at detecting subtle
> things.

Death to "clever" programmers!

>
> Good luck!

In article <>, says...

> Faun wrote:
> > In article <SclHg.361$>, says...
> >
> >> I tried both. Neither found coremetrics, or anything remotely related to it.
> >
> > You could try the manual approach. I seem to recall there were some
> > advice on how to deal with it manually on at least one of the pages.
> > Probably means starting regedit and looking for some keys, or something.
>
> Yep. I read the same thing but the article said that even if one edits the
> registry, the scumware can rebuild itself.

That is not possible. There must be a second app that does this. If an
application is deleted, or otherwise made defunct, e.g. by not allowing
it to run, the only thing that can restore it is another application.
Even typing HEX values into a HEX editor counts as "another
application." Seriously, though, the problem is that the
application is hidden, and there are any number of ways of doing this.

Check the Run keys in the registry, check and double check that all
calls to run in the registry are valid applications, and /or
applications you know what they're doing. If you suspect something weird
going on, export the key and delete it (you can always import it later
if you need it). Also remember to set a "system restore point" before
you do any serious work on the registry, unless you are certain about
what you delete.

Some keys to check (on XP Pro):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx

And variations on those names, e.g. Run keys under CURRENT_USER and
alike.

Also check the win.ini file, etc., in the windows directory. Stuff may
be hidden everywhere.

Or use this one:
http://www.sysinternals.com/Utilities/Autoruns.html

If that leads nowhere, you can try one or more of the following:
http://www.sysinternals.com/Utilitie...tRevealer.html
http://www.sysinternals.com/Utilitie...sExplorer.html
http://www.sysinternals.com/Utilities/Filemon.html

Read about what they do before you attempt to use them.

There are heaps of other useful little tools over at sysinternals. Have
fun.

> > The human eye is often better than the computer at detecting subtle
> > things.
>
> Death to "clever" programmers!

That would take the fun out of windows...
--
faun.

Faun wrote:
> In article <>, says...
>
>> Faun wrote:
>> > In article <SclHg.361$>, says...
>> >
>> >> I tried both. Neither found coremetrics, or anything remotely related to it.
>> >
>> > You could try the manual approach. I seem to recall there were some
>> > advice on how to deal with it manually on at least one of the pages.
>> > Probably means starting regedit and looking for some keys, or something.
>>
>> Yep. I read the same thing but the article said that even if one edits the
>> registry, the scumware can rebuild itself.
>
> That is not possible. There must be a second app that does this. If an
> application is deleted, or otherwise made defunct, e.g. by not allowing
> it to run, the only thing that can restore it is another application.
> Even typing HEX values into a HEX editor counts as "another
> application." Seriously, though, the problem is that the
> application is hidden, and there are any number of ways of doing this.
>
> Check the Run keys in the registry, check and double check that all
> calls to run in the registry are valid applications, and /or
> applications you know what they're doing. If you suspect something weird
> going on, export the key and delete it (you can always import it later
> if you need it). Also remember to set a "system restore point" before
> you do any serious work on the registry, unless you are certain about
> what you delete.

I usually backup my entire operating system partition so that no matter what
happens, I'm right back to where I started. I use Ghost 2003 and an old
version of DriveImage. DriveImage takes less than 5 minutes to backup the
entire partition.

>
> Some keys to check (on XP Pro):
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx

Good idea. I tried it and didn't find anything in any of the RunXXXX keys.

>
> And variations on those names, e.g. Run keys under CURRENT_USER and
> alike.
>
> Also check the win.ini file, etc., in the windows directory. Stuff may
> be hidden everywhere.

SysEdit revealed nothing.

>
> Or use this one:
> http://www.sysinternals.com/Utilities/Autoruns.html

I already have Autoruns and I didn't find anything there.

Interestingly enough, while I had "Active Ports" up and running, I could see
that Autoruns briefly opened up a port and talked to someone. I didn't have a
network sniffer running at that moment to see what's going. That's for a
later project.

>
> If that leads nowhere, you can try one or more of the following:
> http://www.sysinternals.com/Utilitie...tRevealer.html

I've never had any luck with RKR. I downloaded the latest version and, again,
it just locks up my system.

> http://www.sysinternals.com/Utilitie...sExplorer.html

Tried that too. I looked under FireFox and Mozilla and aside from finding the
open ports I didn't know what else to look for.
I didn't see any obviously suspicious processes running.

> http://www.sysinternals.com/Utilities/Filemon.html

I've used that one too for seeing file activity but I don't see how that's
going to help me for determining how these ports are being opened.

>
> Read about what they do before you attempt to use them.
>
> There are heaps of other useful little tools over at sysinternals. Have
> fun.
>
>> > The human eye is often better than the computer at detecting subtle
>> > things.
>>
>> Death to "clever" programmers!
>
> That would take the fun out of windows...

On the bright side of things, ActivePorts revealed the following:

mozilla.exe 2588 127.0.0.1 1029 127.0.0.1 1028 ESTABLISHED TCP D:\Program
Files\mozilla.org\Mozilla\mozilla.exe
mozilla.exe 2588 127.0.0.1 1028 127.0.0.1 1029 ESTABLISHED TCP D:\Program
Files\mozilla.org\Mozilla\mozilla.exe
firefox.exe 2988 127.0.0.1 1033 127.0.0.1 1032 ESTABLISHED TCP D:\Program
Files\firefox.exe
firefox.exe 2988 127.0.0.1 1032 127.0.0.1 1033 ESTABLISHED TCP D:\Program
Files\firefox.exe

Since I've modified data.coremetrics.com in 'hosts' to point to my own
machine, that data isn't going anywhere. While data isn't leaking out, I'm
still perplexed by how the socket is being instantiated.

Thanks for all of your suggestions.

John wrote:

>
>
>
> Thanks for all of your suggestions.

You might try Codestuff Starter :

http://members.lycos.co.uk/codestuff/

for question about Codestuff Starter :

http://codestuff.7.forumer.com/viewforum.php?f=1
--
Peter

Its not a stolen tagline, it's just "previously viewed."

In article <5UBHg.8116$n%.>,
says...

> I usually backup my entire operating system partition so that no matter what
> happens, I'm right back to where I started. I use Ghost 2003 and an old
> version of DriveImage. DriveImage takes less than 5 minutes to backup the
> entire partition.

And your backup copy also has this problem...? Else, problem solved.

> > If that leads nowhere, you can try one or more of the following:
> > http://www.sysinternals.com/Utilitie...tRevealer.html
>
> I've never had any luck with RKR. I downloaded the latest version and, again,
> it just locks up my system.

Bummer...

> > http://www.sysinternals.com/Utilitie...sExplorer.html
>
> Tried that too. I looked under FireFox and Mozilla and aside from finding the
> open ports I didn't know what else to look for.
> I didn't see any obviously suspicious processes running.

Processes can be hidden. Perhaps even from that tool.

> > http://www.sysinternals.com/Utilities/Filemon.html
>
> I've used that one too for seeing file activity but I don't see how that's
> going to help me for determining how these ports are being opened.

The app in question might be reading some file where it stores its data.
It's a far-fetched idea, I know, but in lieu of better ones...

> Since I've modified data.coremetrics.com in 'hosts' to point to my own
> machine, that data isn't going anywhere. While data isn't leaking out, I'm
> still perplexed by how the socket is being instantiated.

Another thing to try is to look through the list of services that are
started. Suspicious stuff should be checked out.

Can't understand how the damn thing was installed, though. Unless you
had a bad brain day, and hit install on some app you DL without skimming
through the licence stuff...?

BTW, is the connection made as the machine starts, or only after a
while, or when Fx starts? If you can determine when it happens, it could
narrow the search down a bit.

> Thanks for all of your suggestions.

No probs...
--
faun.

In article <ecnds2$sq7$>, boerie1_@euronet.nl says...

> You might try Codestuff Starter :
>
> http://members.lycos.co.uk/codestuff/
>
> for question about Codestuff Starter :
>
> http://codestuff.7.forumer.com/viewforum.php?f=1

Hey, that's a gem.
--
faun.

Faun wrote:
> In article <5UBHg.8116$n%.>,
> says...
>
>> I usually backup my entire operating system partition so that no matter what
>> happens, I'm right back to where I started. I use Ghost 2003 and an old
>> version of DriveImage. DriveImage takes less than 5 minutes to backup the
>> entire partition.
>
> And your backup copy also has this problem...? Else, problem solved.
>
>> > If that leads nowhere, you can try one or more of the following:
>> > http://www.sysinternals.com/Utilitie...tRevealer.html
>>
>> I've never had any luck with RKR. I downloaded the latest version and, again,
>> it just locks up my system.
>
> Bummer...

----------- TA-DAHHHH! ---------

Got RKR running. The 'Cleaning up' phase takes just about forever. It found
one thing but according to the RKR help, I don't think that it was the cause
of my problem.


>
>> > http://www.sysinternals.com/Utilitie...sExplorer.html
>>
>> Tried that too. I looked under FireFox and Mozilla and aside from finding the
>> open ports I didn't know what else to look for.
>> I didn't see any obviously suspicious processes running.
>
> Processes can be hidden. Perhaps even from that tool.
>
>> > http://www.sysinternals.com/Utilities/Filemon.html
>>
>> I've used that one too for seeing file activity but I don't see how that's
>> going to help me for determining how these ports are being opened.
>
> The app in question might be reading some file where it stores its data.
> It's a far-fetched idea, I know, but in lieu of better ones...
>
>> Since I've modified data.coremetrics.com in 'hosts' to point to my own
>> machine, that data isn't going anywhere. While data isn't leaking out, I'm
>> still perplexed by how the socket is being instantiated.
>
> Another thing to try is to look through the list of services that are
> started. Suspicious stuff should be checked out.

Been there, done it. I think I recognize all of the services. None stand out
as being overtly suspicious.

>
> Can't understand how the damn thing was installed, though. Unless you
> had a bad brain day, and hit install on some app you DL without skimming
> through the licence stuff...?

I very rarely download stuff and one else uses my computer. I'm the paranoid
type.

>
> BTW, is the connection made as the machine starts, or only after a
> while, or when Fx starts? If you can determine when it happens, it could
> narrow the search down a bit.

Connection is made/broken *ONLY* when Firefox/Mozilla starts/stops.

>
>> Thanks for all of your suggestions.
>
> No probs...