Why is Firefox/Mozilla opening a TCP connection to data.coremetrics.com?

 
 
Faun
      08-24-2006
In article <COWGg.250$(E-Mail Removed)>, (E-Mail Removed) says...

>
> Why is Mozilla/Firefox opening connections to data.coremetrics.com?
> I *DON'T* have any toolbars.
> I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
> Hijackthis! and found nothing.


Maybe these can help:
http://www.spywareremove.com/removeCoreMetrics.html
http://www.scanspyware.net/info/Coremetrics.htm

HTH
--
faun.
 
John
08-24-2006
Faun wrote:
> In article <COWGg.250$(E-Mail Removed)>, (E-Mail Removed) says...
>
>>
>> Why is Mozilla/Firefox opening connections to data.coremetrics.com?
>> I *DON'T* have any toolbars.
>> I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
>> Hijackthis! and found nothing.

>
> Maybe these can help:
> http://www.spywareremove.com/removeCoreMetrics.html
> http://www.scanspyware.net/info/Coremetrics.htm
>
> HTH


Thank you.

I tried both. Neither found coremetrics, or anything remotely related to it.
 
Faun
08-24-2006
In article <SclHg.361$(E-Mail Removed)>, (E-Mail Removed) says...

> I tried both. Neither found coremetrics, or anything remotely related to it.


You could try the manual approach. I seem to recall there was some
advice on how to deal with it manually on at least one of the pages.
Probably means starting regedit and looking for some keys, or something.

The human eye is often better than the computer at detecting subtle
things.

Good luck!
--
faun.
 
John
08-24-2006
Faun wrote:
> In article <SclHg.361$(E-Mail Removed)>, (E-Mail Removed) says...
>
>> I tried both. Neither found coremetrics, or anything remotely related to it.

>
> You could try the manual approach. I seem to recall there was some
> advice on how to deal with it manually on at least one of the pages.
> Probably means starting regedit and looking for some keys, or something.


Yep. I read the same thing but the article said that even if one edits the
registry, the scumware can rebuild itself.

>
> The human eye is often better than the computer at detecting subtle
> things.


Death to "clever" programmers!

>
> Good luck!

 
Faun
08-25-2006
In article <(E-Mail Removed)>, (E-Mail Removed) says...

> Faun wrote:
> > In article <SclHg.361$(E-Mail Removed)>, (E-Mail Removed) says...
> >
> >> I tried both. Neither found coremetrics, or anything remotely related to it.

> >
> > You could try the manual approach. I seem to recall there was some
> > advice on how to deal with it manually on at least one of the pages.
> > Probably means starting regedit and looking for some keys, or something.

>
> Yep. I read the same thing but the article said that even if one edits the
> registry, the scumware can rebuild itself.


That is not possible. There must be a second app that does this. If an
application is deleted, or otherwise made defunct, e.g. by not allowing
it to run, the only thing that can restore it is another application.
Even typing HEX values into a HEX editor counts as "another
application." Seriously, though, the problem is that the
application is hidden, and there are any number of ways of doing this.

Check the Run keys in the registry, check and double check that all
calls to run in the registry are valid applications, and/or
applications you know what they're doing. If you suspect something weird
going on, export the key and delete it (you can always import it later
if you need it). Also remember to set a "system restore point" before
you do any serious work on the registry, unless you are certain about
what you delete.

Some keys to check (on XP Pro):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

And variations on those names, e.g. Run keys under CURRENT_USER and
alike.

Also check the win.ini file, etc., in the windows directory. Stuff may
be hidden everywhere.

Or use this one:
http://www.sysinternals.com/Utilities/Autoruns.html

If that leads nowhere, you can try one or more of the following:
http://www.sysinternals.com/Utilitie...tRevealer.html
http://www.sysinternals.com/Utilitie...sExplorer.html
http://www.sysinternals.com/Utilities/Filemon.html

Read about what they do before you attempt to use them.

There are heaps of other useful little tools over at sysinternals. Have
fun.

> > The human eye is often better than the computer at detecting subtle
> > things.

>
> Death to "clever" programmers!


That would take the fun out of windows...
--
faun.
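
Added example (not part of the thread or any poster's code): a Python sketch of the manual Run-key review described in the post above. It lists every value under the three keys in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER and flags entries whose program is missing from disk or absent from a list the reviewer supplies; the function names and the KNOWN allowlist are hypothetical.

```python
import ntpath
import os
import re

# Keys named in the post above; HKCU covers the "variations" it mentions.
RUN_SUBKEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
]
_PROG = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|vbs|dll))(?=\s|$)", re.I)

def exe_from_command(command):
    """Return the program path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):              # quoted path followed by arguments
        return command[1:].split('"', 1)[0]
    match = _PROG.match(command)             # unquoted path that may hold spaces
    return match.group(1) if match else command.split(" ", 1)[0]

def flag_entry(command, known_names, exists=os.path.exists):
    """List reasons an entry needs a closer look (empty list = none found)."""
    exe = exe_from_command(command)
    reasons = []
    if ntpath.basename(exe).lower() not in known_names:
        reasons.append("not on the reviewer's known list")
    if "\\" in exe and not exists(os.path.expandvars(exe)):
        reasons.append("target file does not exist")
    return reasons

def read_run_entries():
    """Read every value under the Run keys of HKLM and HKCU (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive_name, hive in hives.items():
        for sub in RUN_SUBKEYS:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):
                        name, value, _ = winreg.EnumValue(key, i)
                        found.append((hive_name + "\\" + sub, name, str(value)))
            except OSError:                  # key absent on this system
                continue
    return found

if __name__ == "__main__" and os.name == "nt":
    KNOWN = {"ctfmon.exe"}                   # hypothetical reviewer allowlist
    for key, name, cmd in read_run_entries():
        print(key, name, cmd, flag_entry(cmd, KNOWN) or "ok")
```
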
 
John
08-25-2006
Faun wrote:
> In article <(E-Mail Removed)>, (E-Mail Removed) says...
>
>> Faun wrote:
>> > In article <SclHg.361$(E-Mail Removed)>, (E-Mail Removed) says...
>> >
>> >> I tried both. Neither found coremetrics, or anything remotely related to it.
>> >
>> > You could try the manual approach. I seem to recall there was some
>> > advice on how to deal with it manually on at least one of the pages.
>> > Probably means starting regedit and looking for some keys, or something.

>>
>> Yep. I read the same thing but the article said that even if one edits the
>> registry, the scumware can rebuild itself.

>
> That is not possible. There must be a second app that does this. If an
> application is deleted, or otherwise made defunct, e.g. by not allowing
> it to run, the only thing that can restore it is another application.
> Even typing HEX values into a HEX editor counts as "another
> application." Seriously, though, the problem is that the
> application is hidden, and there are any number of ways of doing this.
>
> Check the Run keys in the registry, check and double check that all
> calls to run in the registry are valid applications, and/or
> applications you know what they're doing. If you suspect something weird
> going on, export the key and delete it (you can always import it later
> if you need it). Also remember to set a "system restore point" before
> you do any serious work on the registry, unless you are certain about
> what you delete.


I usually back up my entire operating system partition so that no matter what
happens, I'm right back to where I started. I use Ghost 2003 and an old
version of DriveImage. DriveImage takes less than 5 minutes to back up the
entire partition.

>
> Some keys to check (on XP Pro):
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx


Good idea. I tried it and didn't find anything in any of the RunXXXX keys.

>
> And variations on those names, e.g. Run keys under CURRENT_USER and
> alike.
>
> Also check the win.ini file, etc., in the windows directory. Stuff may
> be hidden everywhere.


SysEdit revealed nothing.

>
> Or use this one:
> http://www.sysinternals.com/Utilities/Autoruns.html


I already have Autoruns and I didn't find anything there.

Interestingly enough, while I had "Active Ports" up and running, I could see
that Autoruns briefly opened up a port and talked to someone. I didn't have a
network sniffer running at that moment to see what's going on. That's for a
later project.

>
> If that leads nowhere, you can try one or more of the following:
> http://www.sysinternals.com/Utilitie...tRevealer.html


I've never had any luck with RKR. I downloaded the latest version and, again,
it just locks up my system.

> http://www.sysinternals.com/Utilitie...sExplorer.html


Tried that too. I looked under FireFox and Mozilla and aside from finding the
open ports I didn't know what else to look for.
I didn't see any obviously suspicious processes running.

> http://www.sysinternals.com/Utilities/Filemon.html


I've used that one too for seeing file activity but I don't see how that's
going to help me for determining how these ports are being opened.

>
> Read about what they do before you attempt to use them.
>
> There are heaps of other useful little tools over at sysinternals. Have
> fun.
>
>> > The human eye is often better than the computer at detecting subtle
>> > things.

>>
>> Death to "clever" programmers!

>
> That would take the fun out of windows...


On the bright side of things, ActivePorts revealed the following:

mozilla.exe 2588 127.0.0.1 1029 127.0.0.1 1028 ESTABLISHED TCP D:\Program Files\mozilla.org\Mozilla\mozilla.exe
mozilla.exe 2588 127.0.0.1 1028 127.0.0.1 1029 ESTABLISHED TCP D:\Program Files\mozilla.org\Mozilla\mozilla.exe
firefox.exe 2988 127.0.0.1 1033 127.0.0.1 1032 ESTABLISHED TCP D:\Program Files\firefox.exe
firefox.exe 2988 127.0.0.1 1032 127.0.0.1 1033 ESTABLISHED TCP D:\Program Files\firefox.exe

Since I've modified data.coremetrics.com in 'hosts' to point to my own
machine, that data isn't going anywhere. While data isn't leaking out, I'm
still perplexed by how the socket is being instantiated.

Thanks for all of your suggestions.
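
Added example (not part of the thread): a Python parser for connection rows in the layout pasted above, which labels each loopback connection by which process owns the other end. The column order is inferred from those rows, and the label strings and function names are this example's own.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "process pid laddr lport raddr rport state proto path")

# The four rows from the post, with the wrapped path lines rejoined.
SAMPLE = r"""
mozilla.exe 2588 127.0.0.1 1029 127.0.0.1 1028 ESTABLISHED TCP D:\Program Files\mozilla.org\Mozilla\mozilla.exe
mozilla.exe 2588 127.0.0.1 1028 127.0.0.1 1029 ESTABLISHED TCP D:\Program Files\mozilla.org\Mozilla\mozilla.exe
firefox.exe 2988 127.0.0.1 1033 127.0.0.1 1032 ESTABLISHED TCP D:\Program Files\firefox.exe
firefox.exe 2988 127.0.0.1 1032 127.0.0.1 1033 ESTABLISHED TCP D:\Program Files\firefox.exe
"""

def parse_rows(text):
    """Parse rows: name, PID, local addr/port, remote addr/port, state, proto, path."""
    rows = []
    for line in text.splitlines():
        f = line.split(None, 8)              # the path may contain spaces
        if len(f) < 8 or not all(f[i].isdigit() for i in (1, 3, 5)):
            continue                         # header, blank or malformed line
        path = f[8] if len(f) == 9 else ""
        rows.append(Conn(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]),
                         f[6], f[7], path))
    return rows

def classify(rows):
    """Return one label per row saying who holds the far end of the socket."""
    owner = {(r.laddr, r.lport): r.pid for r in rows}
    labels = []
    for r in rows:
        peer = owner.get((r.raddr, r.rport))
        if not r.raddr.startswith("127."):
            labels.append("remote host")
        elif peer is None:
            labels.append("loopback, peer not listed")
        elif peer == r.pid:
            labels.append("loopback, same process")
        else:
            labels.append("loopback, PID %d" % peer)
    return labels

if __name__ == "__main__":
    parsed = parse_rows(SAMPLE)
    for row, label in zip(parsed, classify(parsed)):
        print(row.process, row.pid, row.lport, "->", row.rport, label)
```

On the four rows from the post every label is "loopback, same process": each pair of rows is one process connected to one of its own ports.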
 
Peter Boerhof
08-25-2006
John wrote:

>
>
>
> Thanks for all of your suggestions.


You might try Codestuff Starter:

http://members.lycos.co.uk/codestuff/

For questions about Codestuff Starter:

http://codestuff.7.forumer.com/viewforum.php?f=1
--
Peter

It's not a stolen tagline, it's just "previously viewed."
 
Faun
08-26-2006
In article <5UBHg.8116$n%(E-Mail Removed)>,
(E-Mail Removed) says...

> I usually back up my entire operating system partition so that no matter what
> happens, I'm right back to where I started. I use Ghost 2003 and an old
> version of DriveImage. DriveImage takes less than 5 minutes to back up the
> entire partition.


And your backup copy also has this problem...? Else, problem solved.

> > If that leads nowhere, you can try one or more of the following:
> > http://www.sysinternals.com/Utilitie...tRevealer.html

>
> I've never had any luck with RKR. I downloaded the latest version and, again,
> it just locks up my system.


Bummer...

> > http://www.sysinternals.com/Utilitie...sExplorer.html

>
> Tried that too. I looked under FireFox and Mozilla and aside from finding the
> open ports I didn't know what else to look for.
> I didn't see any obviously suspicious processes running.


Processes can be hidden. Perhaps even from that tool.

> > http://www.sysinternals.com/Utilities/Filemon.html

>
> I've used that one too for seeing file activity but I don't see how that's
> going to help me for determining how these ports are being opened.


The app in question might be reading some file where it stores its data.
It's a far-fetched idea, I know, but in lieu of better ones...

> Since I've modified data.coremetrics.com in 'hosts' to point to my own
> machine, that data isn't going anywhere. While data isn't leaking out, I'm
> still perplexed by how the socket is being instantiated.


Another thing to try is to look through the list of services that are
started. Suspicious stuff should be checked out.

Can't understand how the damn thing was installed, though. Unless you
had a bad brain day, and hit install on some app you DL without skimming
through the licence stuff...?

BTW, is the connection made as the machine starts, or only after a
while, or when Fx starts? If you can determine when it happens, it could
narrow the search down a bit.

> Thanks for all of your suggestions.


No probs...
--
faun.
 
Faun
08-26-2006
In article <ecnds2$sq7$(E-Mail Removed)>, (E-Mail Removed) says...

> You might try Codestuff Starter:
>
> http://members.lycos.co.uk/codestuff/
>
> For questions about Codestuff Starter:
>
> http://codestuff.7.forumer.com/viewforum.php?f=1


Hey, that's a gem.
--
faun.
 
John
08-28-2006
Faun wrote:
> In article <5UBHg.8116$n%(E-Mail Removed)>,
> (E-Mail Removed) says...
>
>> I usually back up my entire operating system partition so that no matter what
>> happens, I'm right back to where I started. I use Ghost 2003 and an old
>> version of DriveImage. DriveImage takes less than 5 minutes to back up the
>> entire partition.

>
> And your backup copy also has this problem...? Else, problem solved.
>
>> > If that leads nowhere, you can try one or more of the following:
>> > http://www.sysinternals.com/Utilitie...tRevealer.html

>>
>> I've never had any luck with RKR. I downloaded the latest version and, again,
>> it just locks up my system.

>
> Bummer...


----------- TA-DAHHHH! ---------

Got RKR running. The 'Cleaning up' phase takes just about forever. It found
one thing but according to the RKR help, I don't think that it was the cause
of my problem.


>
>> > http://www.sysinternals.com/Utilitie...sExplorer.html

>>
>> Tried that too. I looked under FireFox and Mozilla and aside from finding the
>> open ports I didn't know what else to look for.
>> I didn't see any obviously suspicious processes running.

>
> Processes can be hidden. Perhaps even from that tool.
>
>> > http://www.sysinternals.com/Utilities/Filemon.html

>>
>> I've used that one too for seeing file activity but I don't see how that's
>> going to help me for determining how these ports are being opened.

>
> The app in question might be reading some file where it stores its data.
> It's a far-fetched idea, I know, but in lieu of better ones...
>
>> Since I've modified data.coremetrics.com in 'hosts' to point to my own
>> machine, that data isn't going anywhere. While data isn't leaking out, I'm
>> still perplexed by how the socket is being instantiated.

>
> Another thing to try is to look through the list of services that are
> started. Suspicious stuff should be checked out.


Been there, done it. I think I recognize all of the services. None stand out
as being overtly suspicious.

>
> Can't understand how the damn thing was installed, though. Unless you
> had a bad brain day, and hit install on some app you DL without skimming
> through the licence stuff...?


I very rarely download stuff and no one else uses my computer. I'm the paranoid
type.

>
> BTW, is the connection made as the machine starts, or only after a
> while, or when Fx starts? If you can determine when it happens, it could
> narrow the search down a bit.


Connection is made/broken *ONLY* when Firefox/Mozilla starts/stops.

>
>> Thanks for all of your suggestions.

>
> No probs...

 