Why is Firefox/Mozilla opening a TCP connection to data.coremetrics.com?

Discussion in 'Firefox' started by John, Aug 23, 2006.

  1. John

    John Guest

    Why is Mozilla/Firefox opening connections to data.coremetrics.com?
    I *DON'T* have any toolbars.
    I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
    Hijackthis! and found nothing.

    --------- After starting Internet Explorer

    Active Connections

    Proto Local Address Foreign Address State
    TCP myputer:epmap myputer:0 LISTENING
    TCP myputer:microsoft-ds myputer:0 LISTENING
    TCP myputer:1027 myputer:0 LISTENING
    TCP myputer:netbios-ssn myputer:0 LISTENING
    UDP myputer:microsoft-ds *:*
    UDP myputer:ntp *:*
    UDP myputer:ntp *:*
    UDP myputer:netbios-ns *:*
    UDP myputer:netbios-dgm *:*

    ---------- After starting Mozilla

    Active Connections

    Proto Local Address Foreign Address State
    TCP myputer:epmap myputer:0 LISTENING
    TCP myputer:microsoft-ds myputer:0 LISTENING
    TCP myputer:1027 myputer:0 LISTENING
    TCP myputer:1028 http://data.coremetrics.com:1029 ESTABLISHED
    TCP myputer:1029 http://data.coremetrics.com:1028 ESTABLISHED
    TCP myputer:netbios-ssn myputer:0 LISTENING
    UDP myputer:microsoft-ds *:*
    UDP myputer:1030 *:*
    UDP myputer:ntp *:*
    UDP myputer:ntp *:*
    UDP myputer:netbios-ns *:*
    UDP myputer:netbios-dgm *:*

    --------- After starting Firefox

    Active Connections

    Proto Local Address Foreign Address State
    TCP myputer:epmap myputer:0 LISTENING
    TCP myputer:microsoft-ds myputer:0 LISTENING
    TCP myputer:1027 myputer:0 LISTENING
    TCP myputer:1032 http://data.coremetrics.com:1033 ESTABLISHED
    TCP myputer:1033 http://data.coremetrics.com:1032 ESTABLISHED
    TCP myputer:netbios-ssn myputer:0 LISTENING
    UDP myputer:microsoft-ds *:*
    UDP myputer:1030 *:*
    UDP myputer:ntp *:*
    UDP myputer:ntp *:*
    UDP myputer:netbios-ns *:*
    UDP myputer:netbios-dgm *:*

    -------- After closing Firefox/Mozilla, then the connections are closed.
     
    John, Aug 23, 2006
    #1

  2. John

    gwtc Guest

    John wrote:
    >
    > Why is Mozilla/Firefox opening connections to data.coremetrics.com?
    > I *DON'T* have any toolbars.
    > I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
    > Hijackthis! and found nothing.
    >
    > --------- After starting Internet Explorer
    >
    > Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP myputer:epmap myputer:0 LISTENING
    > TCP myputer:microsoft-ds myputer:0 LISTENING
    > TCP myputer:1027 myputer:0 LISTENING
    > TCP myputer:netbios-ssn myputer:0 LISTENING
    > UDP myputer:microsoft-ds *:*
    > UDP myputer:ntp *:*
    > UDP myputer:ntp *:*
    > UDP myputer:netbios-ns *:*
    > UDP myputer:netbios-dgm *:*
    >
    > ---------- After starting Mozilla
    >
    > Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP myputer:epmap myputer:0 LISTENING
    > TCP myputer:microsoft-ds myputer:0 LISTENING
    > TCP myputer:1027 myputer:0 LISTENING
    > TCP myputer:1028 http://data.coremetrics.com:1029
    > ESTABLISHED
    > TCP myputer:1029 http://data.coremetrics.com:1028
    > ESTABLISHED
    > TCP myputer:netbios-ssn myputer:0 LISTENING
    > UDP myputer:microsoft-ds *:*
    > UDP myputer:1030 *:*
    > UDP myputer:ntp *:*
    > UDP myputer:ntp *:*
    > UDP myputer:netbios-ns *:*
    > UDP myputer:netbios-dgm *:*
    >
    > --------- After starting Firefox
    >
    > Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP myputer:epmap myputer:0 LISTENING
    > TCP myputer:microsoft-ds myputer:0 LISTENING
    > TCP myputer:1027 myputer:0 LISTENING
    > TCP myputer:1032 http://data.coremetrics.com:1033
    > ESTABLISHED
    > TCP myputer:1033 http://data.coremetrics.com:1032
    > ESTABLISHED
    > TCP myputer:netbios-ssn myputer:0 LISTENING
    > UDP myputer:microsoft-ds *:*
    > UDP myputer:1030 *:*
    > UDP myputer:ntp *:*
    > UDP myputer:ntp *:*
    > UDP myputer:netbios-ns *:*
    > UDP myputer:netbios-dgm *:*
    >
    > -------- After closing Firefox/Mozilla, then the connections are closed.
    >

    check to see what you've got listed as your home page

    --
    Files From The Not To Swift Department . . .

    My neighbor works in the operations department in the central office
    of a large bank. Employees in the field call him when they have
    problems with their computers. One night he got a call from a woman in
    one of the branch banks who had this question: "I've got smoke coming
    from the back of my terminal. Do you guys have a fire downtown?"
     
    gwtc, Aug 23, 2006
    #2

  3. John

    gwtc Guest

    gwtc wrote:
    > John wrote:
    >>
    >> Why is Mozilla/Firefox opening connections to data.coremetrics.com?
    >> I *DON'T* have any toolbars.
    >> I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
    >> Hijackthis! and found nothing.
    >>
    >> --------- After starting Internet Explorer
    >>
    >> Active Connections
    >>
    >> Proto Local Address Foreign Address State
    >> TCP myputer:epmap myputer:0 LISTENING
    >> TCP myputer:microsoft-ds myputer:0 LISTENING
    >> TCP myputer:1027 myputer:0 LISTENING
    >> TCP myputer:netbios-ssn myputer:0 LISTENING
    >> UDP myputer:microsoft-ds *:*
    >> UDP myputer:ntp *:*
    >> UDP myputer:ntp *:*
    >> UDP myputer:netbios-ns *:*
    >> UDP myputer:netbios-dgm *:*
    >>
    >> ---------- After starting Mozilla
    >>
    >> Active Connections
    >>
    >> Proto Local Address Foreign Address State
    >> TCP myputer:epmap myputer:0 LISTENING
    >> TCP myputer:microsoft-ds myputer:0 LISTENING
    >> TCP myputer:1027 myputer:0 LISTENING
    >> TCP myputer:1028 http://data.coremetrics.com:1029
    >> ESTABLISHED
    >> TCP myputer:1029 http://data.coremetrics.com:1028
    >> ESTABLISHED
    >> TCP myputer:netbios-ssn myputer:0 LISTENING
    >> UDP myputer:microsoft-ds *:*
    >> UDP myputer:1030 *:*
    >> UDP myputer:ntp *:*
    >> UDP myputer:ntp *:*
    >> UDP myputer:netbios-ns *:*
    >> UDP myputer:netbios-dgm *:*
    >>
    >> --------- After starting Firefox
    >>
    >> Active Connections
    >>
    >> Proto Local Address Foreign Address State
    >> TCP myputer:epmap myputer:0 LISTENING
    >> TCP myputer:microsoft-ds myputer:0 LISTENING
    >> TCP myputer:1027 myputer:0 LISTENING
    >> TCP myputer:1032 http://data.coremetrics.com:1033
    >> ESTABLISHED
    >> TCP myputer:1033 http://data.coremetrics.com:1032
    >> ESTABLISHED
    >> TCP myputer:netbios-ssn myputer:0 LISTENING
    >> UDP myputer:microsoft-ds *:*
    >> UDP myputer:1030 *:*
    >> UDP myputer:ntp *:*
    >> UDP myputer:ntp *:*
    >> UDP myputer:netbios-ns *:*
    >> UDP myputer:netbios-dgm *:*
    >>
    >> -------- After closing Firefox/Mozilla, then the connections are closed.
    >>

    > check to see what you've got listed as your home page
    >

    I found it. It's a roaming cookie. Try deleting the cookies and see
    if that helps.

     
    gwtc, Aug 23, 2006
    #3
  4. John

    John Guest

    gwtc wrote:
    > gwtc wrote:
    >
    >> John wrote:
    >>
    >>>
    >>> Why is Mozilla/Firefox opening connections to data.coremetrics.com?
    >>> I *DON'T* have any toolbars.
    >>> I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
    >>> Hijackthis! and found nothing.
    >>>
    >>> --------- After starting Internet Explorer
    >>>
    >>> Active Connections
    >>>
    >>> Proto Local Address Foreign Address State
    >>> TCP myputer:epmap myputer:0 LISTENING
    >>> TCP myputer:microsoft-ds myputer:0 LISTENING
    >>> TCP myputer:1027 myputer:0 LISTENING
    >>> TCP myputer:netbios-ssn myputer:0 LISTENING
    >>> UDP myputer:microsoft-ds *:*
    >>> UDP myputer:ntp *:*
    >>> UDP myputer:ntp *:*
    >>> UDP myputer:netbios-ns *:*
    >>> UDP myputer:netbios-dgm *:*
    >>>
    >>> ---------- After starting Mozilla
    >>>
    >>> Active Connections
    >>>
    >>> Proto Local Address Foreign Address State
    >>> TCP myputer:epmap myputer:0 LISTENING
    >>> TCP myputer:microsoft-ds myputer:0 LISTENING
    >>> TCP myputer:1027 myputer:0 LISTENING
    >>> TCP myputer:1028 http://data.coremetrics.com:1029
    >>> ESTABLISHED
    >>> TCP myputer:1029 http://data.coremetrics.com:1028
    >>> ESTABLISHED
    >>> TCP myputer:netbios-ssn myputer:0 LISTENING
    >>> UDP myputer:microsoft-ds *:*
    >>> UDP myputer:1030 *:*
    >>> UDP myputer:ntp *:*
    >>> UDP myputer:ntp *:*
    >>> UDP myputer:netbios-ns *:*
    >>> UDP myputer:netbios-dgm *:*
    >>>
    >>> --------- After starting Firefox
    >>>
    >>> Active Connections
    >>>
    >>> Proto Local Address Foreign Address State
    >>> TCP myputer:epmap myputer:0 LISTENING
    >>> TCP myputer:microsoft-ds myputer:0 LISTENING
    >>> TCP myputer:1027 myputer:0 LISTENING
    >>> TCP myputer:1032 http://data.coremetrics.com:1033
    >>> ESTABLISHED
    >>> TCP myputer:1033 http://data.coremetrics.com:1032
    >>> ESTABLISHED
    >>> TCP myputer:netbios-ssn myputer:0 LISTENING
    >>> UDP myputer:microsoft-ds *:*
    >>> UDP myputer:1030 *:*
    >>> UDP myputer:ntp *:*
    >>> UDP myputer:ntp *:*
    >>> UDP myputer:netbios-ns *:*
    >>> UDP myputer:netbios-dgm *:*
    >>>
    >>> -------- After closing Firefox/Mozilla, then the connections are closed.
    >>>

    >> check to see what you've got listed as your home page


    Nope, I start all browsers with a blank page.

    >>

    > I found it. It's a roaming cookie. Try deleting the cookies and see if
    > that helps.
    >


    I'm a bit reluctant to purge all of my cookies since I keep most of my banking
    sites info in cookies. I've searched everywhere for that damned cookie and I
    can't find it anywhere.

    I did put this into my hosts file:

    127.0.0.1 http://data.coremetrics.com
    127.0.0.1 https://data.coremetrics.com
    127.0.0.1 data.coremetrics.com

    but I'd still love to know how that TCP connection is being started.



    I use a few firefox extensions (noscript,adblock,fasterfox,customizegoogle).
     
    John, Aug 23, 2006
    #4
  5. John

    gwtc Guest

    John wrote:
    > gwtc wrote:
    >> gwtc wrote:
    >>
    >>> John wrote:
    >>>
    >>>>
    >>>> Why is Mozilla/Firefox opening connections to data.coremetrics.com?
    >>>> I *DON'T* have any toolbars.
    >>>> I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
    >>>> Hijackthis! and found nothing.
    >>>>
    >>>> --------- After starting Internet Explorer
    >>>>
    >>>> Active Connections
    >>>>
    >>>> Proto Local Address Foreign Address State
    >>>> TCP myputer:epmap myputer:0 LISTENING
    >>>> TCP myputer:microsoft-ds myputer:0 LISTENING
    >>>> TCP myputer:1027 myputer:0 LISTENING
    >>>> TCP myputer:netbios-ssn myputer:0 LISTENING
    >>>> UDP myputer:microsoft-ds *:*
    >>>> UDP myputer:ntp *:*
    >>>> UDP myputer:ntp *:*
    >>>> UDP myputer:netbios-ns *:*
    >>>> UDP myputer:netbios-dgm *:*
    >>>>
    >>>> ---------- After starting Mozilla
    >>>>
    >>>> Active Connections
    >>>>
    >>>> Proto Local Address Foreign Address State
    >>>> TCP myputer:epmap myputer:0 LISTENING
    >>>> TCP myputer:microsoft-ds myputer:0 LISTENING
    >>>> TCP myputer:1027 myputer:0 LISTENING
    >>>> TCP myputer:1028 http://data.coremetrics.com:1029
    >>>> ESTABLISHED
    >>>> TCP myputer:1029 http://data.coremetrics.com:1028
    >>>> ESTABLISHED
    >>>> TCP myputer:netbios-ssn myputer:0 LISTENING
    >>>> UDP myputer:microsoft-ds *:*
    >>>> UDP myputer:1030 *:*
    >>>> UDP myputer:ntp *:*
    >>>> UDP myputer:ntp *:*
    >>>> UDP myputer:netbios-ns *:*
    >>>> UDP myputer:netbios-dgm *:*
    >>>>
    >>>> --------- After starting Firefox
    >>>>
    >>>> Active Connections
    >>>>
    >>>> Proto Local Address Foreign Address State
    >>>> TCP myputer:epmap myputer:0 LISTENING
    >>>> TCP myputer:microsoft-ds myputer:0 LISTENING
    >>>> TCP myputer:1027 myputer:0 LISTENING
    >>>> TCP myputer:1032 http://data.coremetrics.com:1033
    >>>> ESTABLISHED
    >>>> TCP myputer:1033 http://data.coremetrics.com:1032
    >>>> ESTABLISHED
    >>>> TCP myputer:netbios-ssn myputer:0 LISTENING
    >>>> UDP myputer:microsoft-ds *:*
    >>>> UDP myputer:1030 *:*
    >>>> UDP myputer:ntp *:*
    >>>> UDP myputer:ntp *:*
    >>>> UDP myputer:netbios-ns *:*
    >>>> UDP myputer:netbios-dgm *:*
    >>>>
    >>>> -------- After closing Firefox/Mozilla, then the connections are
    >>>> closed.
    >>>>
    >>> check to see what you've got listed as your home page

    >
    > Nope, I start all browsers with a blank page.
    >
    >>>

    >> I found it. It's a roaming cookie. Try deleting the cookies and see
    >> if that helps.
    >>

    >
    > I'm a bit reluctant to purge all of my cookies since I keep most of my
    > banking sites info in cookies. I've searched everywhere for that damned
    > cookie and I can't find it anywhere.
    >


    just remove the data.coremetrics cookie. You don't have to remove
    them ALL


    > I did put this into my hosts file:
    >
    > 127.0.0.1 http://data.coremetrics.com
    > 127.0.0.1 https://data.coremetrics.com
    > 127.0.0.1 data.coremetrics.com
    >


    that should do it.

    > but I'd still love to know how that TCP connection is being started.
    >
    >
    >
    > I use a few firefox extensions
    > (noscript,adblock,fasterfox,customizegoogle).



     
    gwtc, Aug 23, 2006
    #5
  6. John

    John Guest

    I've searched everywhere for that
    >> damned cookie and I can't find it anywhere.
    >>

    >
    > just remove the data.coremetrics cookie. You don't have to remove them ALL


    *** As I stated, I can't find the cookie. ***
    >
    >
    >> I did put this into my hosts file:
    >>
    >> 127.0.0.1 http://data.coremetrics.com
    >> 127.0.0.1 https://data.coremetrics.com
    >> 127.0.0.1 data.coremetrics.com
    >>

    >
    > that should do it.
    >
    >> but I'd still love to know how that TCP connection is being started.
    >>
    >>
    >>


    I'm even more perplexed. I'm using Ethereal (perhaps incorrectly) and I don't
    see any TCP ports for data.coremetrics being established when I started
    Mozilla & Firefox but this is what I currently open with both Mozilla and
    Firefox running:

    TCP myputer:1504 http://data.coremetrics.com:1505 ESTABLISHED
    TCP myputer:1505 http://data.coremetrics.com:1504 ESTABLISHED
    TCP myputer:1506 http://data.coremetrics.com:1507 ESTABLISHED
    TCP myputer:1507 http://data.coremetrics.com:1506 ESTABLISHED
     
    John, Aug 23, 2006
    #6
  7. John

    NOQ Guest

    John <> wrote in
    news:eek:q2Hg.275$:

    > I've searched everywhere for that
    >>> damned cookie and I can't find it anywhere.
    >>>
    >>> I did put this into my hosts file:
    >>>
    >>> 127.0.0.1 http://data.coremetrics.com
    >>> 127.0.0.1 https://data.coremetrics.com
    >>> 127.0.0.1 data.coremetrics.com
    >>>
    >>> but I'd still love to know how that TCP connection is being
    >>> started.
    >>>

    >
    > I'm even more perplexed. I'm using Ethereal (perhaps incorrectly)
    > and I don't see any TCP ports for data.coremetrics being
    > established when I started Mozilla & Firefox but this is what I
    > currently open with both Mozilla and Firefox running:
    >
    > TCP myputer:1504 http://data.coremetrics.com:1505 ESTABLISHED
    > TCP myputer:1505 http://data.coremetrics.com:1504 ESTABLISHED
    > TCP myputer:1506 http://data.coremetrics.com:1507 ESTABLISHED
    > TCP myputer:1507 http://data.coremetrics.com:1506 ESTABLISHED
    >


    hmmm, that is showing loopback connections to your local machine -
    using the 127.0.0.1 address! Change your hosts file entries for
    coremetrics to another 127.x.x.x address and the TCP connections
    should show up as going to localhost.



    --
    Mike Buglass
     
    NOQ, Aug 23, 2006
    #7
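
The check NOQ describes in post #7 can be done mechanically. This is an added example, not part of the thread: it cross-references netstat rows with the hosts file to show which "foreign" names are only hosts-file aliases for loopback, and which ESTABLISHED rows are the two ends of one local socket pair. The sample text is constructed from lines quoted in the thread, and all function names are hypothetical.

```python
import ipaddress
from collections import namedtuple

# Constructed inputs, assembled from the hosts lines and netstat rows quoted in the thread.
HOSTS_TEXT = """\
127.0.0.1 http://data.coremetrics.com
127.0.0.1 https://data.coremetrics.com
127.0.0.1 data.coremetrics.com
"""
NETSTAT_TEXT = """\
Proto Local Address Foreign Address State
TCP myputer:epmap myputer:0 LISTENING
TCP myputer:1504 http://data.coremetrics.com:1505 ESTABLISHED
TCP myputer:1505 http://data.coremetrics.com:1504 ESTABLISHED
TCP myputer:1506 http://data.coremetrics.com:1507 ESTABLISHED
TCP myputer:1507 http://data.coremetrics.com:1506 ESTABLISHED
UDP myputer:ntp *:*
"""

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state")


def parse_hosts(text):
    """Return {name: ip} for every name in hosts-file text (comments ignored)."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names


def loopback_names(hosts):
    """Names the hosts file maps into 127.0.0.0/8 (or ::1)."""
    found = set()
    for name, ip in hosts.items():
        try:
            if ipaddress.ip_address(ip).is_loopback:
                found.add(name)
        except ValueError:
            pass  # malformed address column: ignore the entry
    return found


def url_style_names(hosts):
    """Entries written as URLs. Lookups are made for bare hostnames,
    so a name carrying a scheme can never match a forward lookup."""
    return sorted(n for n in hosts if "://" in n)


def parse_netstat(text):
    """Parse 'Proto Local Foreign [State]' rows; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue
        if ":" not in f[1] or ":" not in f[2]:
            continue
        lhost, lport = f[1].rsplit(":", 1)  # last colon separates the port
        rhost, rport = f[2].rsplit(":", 1)
        state = f[3] if len(f) > 3 else ""
        conns.append(Conn(f[0], lhost.lower(), lport, rhost.lower(), rport, state))
    return conns


def _port_key(port):
    # Numeric ports sort numerically; service names sort after them.
    return (0, int(port)) if port.isdigit() else (1, port)


def loopback_socket_pairs(conns, aliases):
    """ESTABLISHED TCP rows whose remote name is a loopback alias and whose
    mirror row (ports swapped) also exists: both ends live on this machine."""
    est = {(c.local_port, c.remote_port) for c in conns
           if c.proto == "TCP" and c.state == "ESTABLISHED"
           and c.remote_host in aliases}
    pairs = {tuple(sorted((a, b), key=_port_key)) for a, b in est if (b, a) in est}
    return sorted(pairs, key=lambda p: _port_key(p[0]))


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    aliases = loopback_names(hosts)
    print("URL-style hosts entries:", url_style_names(hosts))
    for a, b in loopback_socket_pairs(parse_netstat(NETSTAT_TEXT), aliases):
        print(f"ports {a} <-> {b}: local socket pair shown under a hosts-file alias")
```
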
  8. John

    gwtc Guest

    John wrote:
    > I've searched everywhere for that
    >>> damned cookie and I can't find it anywhere.
    >>>

    >>
    >> just remove the data.coremetrics cookie. You don't have to remove
    >> them ALL

    >
    > *** As I stated, I can't find the cookie. ***
    >>
    >>
    >>> I did put this into my hosts file:
    >>>
    >>> 127.0.0.1 http://data.coremetrics.com
    >>> 127.0.0.1 https://data.coremetrics.com
    >>> 127.0.0.1 data.coremetrics.com
    >>>

    >>
    >> that should do it.
    >>
    >>> but I'd still love to know how that TCP connection is being started.
    >>>
    >>>
    >>>

    >
    > I'm even more perplexed. I'm using Ethereal (perhaps incorrectly) and I
    > don't see any TCP ports for data.coremetrics being established when I
    > started Mozilla & Firefox but this is what I currently open with both
    > Mozilla and Firefox running:
    >
    > TCP myputer:1504 http://data.coremetrics.com:1505
    > ESTABLISHED
    > TCP myputer:1505 http://data.coremetrics.com:1504
    > ESTABLISHED
    > TCP myputer:1506 http://data.coremetrics.com:1507
    > ESTABLISHED
    > TCP myputer:1507 http://data.coremetrics.com:1506
    > ESTABLISHED

    In the address bar type in about:config and look for these entries:

    browser.startup.homepage
    startup.homepage_override_url

    If you have a start page of blank, then both of these entries should
    be blank as well. If they contain something, then double click on them
    and remove the entry.

    Also, check your bookmarks. Do you have any live bookmarks -- rss
    feeds, or something similar?

     
    gwtc, Aug 23, 2006
    #8
  9. John

    John Guest

    gwtc wrote:

    > John wrote:
    >
    >> I've searched everywhere for that
    >>
    >>>> damned cookie and I can't find it anywhere.
    >>>>
    >>>
    >>> just remove the data.coremetrics cookie. You don't have to remove
    >>> them ALL

    >>
    >>
    >> *** As I stated, I can't find the cookie. ***
    >>
    >>>
    >>>
    >>>> I did put this into my hosts file:
    >>>>
    >>>> 127.0.0.1 http://data.coremetrics.com
    >>>> 127.0.0.1 https://data.coremetrics.com
    >>>> 127.0.0.1 data.coremetrics.com
    >>>>
    >>>
    >>> that should do it.
    >>>
    >>>> but I'd still love to know how that TCP connection is being started.
    >>>>
    >>>>
    >>>>

    >>
    >> I'm even more perplexed. I'm using Ethereal (perhaps incorrectly) and
    >> I don't see any TCP ports for data.coremetrics being established when
    >> I started Mozilla & Firefox but this is what I currently open with
    >> both Mozilla and Firefox running:
    >>
    >> TCP myputer:1504 http://data.coremetrics.com:1505
    >> ESTABLISHED
    >> TCP myputer:1505 http://data.coremetrics.com:1504
    >> ESTABLISHED
    >> TCP myputer:1506 http://data.coremetrics.com:1507
    >> ESTABLISHED
    >> TCP myputer:1507 http://data.coremetrics.com:1506
    >> ESTABLISHED

    >
    > In the address bar type in about:config and look for these entries:
    >
    > browser.startup.homepage
    > startup.homepage_override_url


    In Firefox....


    This is what I had for startup.homepage_override_url:

    http://www.mozilla.org/products/firefox/releases/whatsnew/

    This is what I had for browser.startup.homepage:

    about:blank


    In Mozilla:

    Mozilla startup.homepage_override_url

    http://www.mozilla.org/start/

    Mozilla browser.startup.homepage

    www.google.com



    >
    > If you have a start page of blank, then both of these entries should be
    > blank as well. If they contain something, then double click on them and
    > remove the entry.


    Done, but it didn't help. I closed out of the browsers and restarted them and
    the damned data.coremetrics.com socket is still open (although I changed the
    address to localhost).

    >
    > Also, check your bookmarks. Do you have any live bookmarks -- rss
    > feeds, or something similar?
    >


    Nope, no live bookmarks, rss feeds or much of anything else. I have far less
    processes (about 30 total) running on my computers and far less "things"
    installed than most people. Compared to the typical computer, my XP starts up
    and runs way faster since I have so little installed.

    CPU and Networking utilization usually runs at zero percent.

    A software network sniffer shows no activity unless I explicitly do something,
    with the exception of occasional, periodic activity with my ISP or router.
     
    John, Aug 23, 2006
    #9
  10. John

    gwtc Guest

    John wrote:
    > gwtc wrote:
    >
    >> John wrote:
    >>
    >>> I've searched everywhere for that
    >>>
    >>>>> damned cookie and I can't find it anywhere.
    >>>>>
    >>>>
    >>>> just remove the data.coremetrics cookie. You don't have to remove
    >>>> them ALL
    >>>
    >>>
    >>> *** As I stated, I can't find the cookie. ***
    >>>
    >>>>
    >>>>
    >>>>> I did put this into my hosts file:
    >>>>>
    >>>>> 127.0.0.1 http://data.coremetrics.com
    >>>>> 127.0.0.1 https://data.coremetrics.com
    >>>>> 127.0.0.1 data.coremetrics.com
    >>>>>
    >>>>
    >>>> that should do it.
    >>>>
    >>>>> but I'd still love to know how that TCP connection is being started.
    >>>>>
    >>>>>
    >>>>>
    >>>
    >>> I'm even more perplexed. I'm using Ethereal (perhaps incorrectly) and
    >>> I don't see any TCP ports for data.coremetrics being established when
    >>> I started Mozilla & Firefox but this is what I currently open with
    >>> both Mozilla and Firefox running:
    >>>
    >>> TCP myputer:1504 http://data.coremetrics.com:1505
    >>> ESTABLISHED
    >>> TCP myputer:1505 http://data.coremetrics.com:1504
    >>> ESTABLISHED
    >>> TCP myputer:1506 http://data.coremetrics.com:1507
    >>> ESTABLISHED
    >>> TCP myputer:1507 http://data.coremetrics.com:1506
    >>> ESTABLISHED

    >>
    >> In the address bar type in about:config and look for these entries:
    >>
    >> browser.startup.homepage
    >> startup.homepage_override_url

    >
    > In Firefox....
    >
    >
    > This is what I had for startup.homepage_override_url:
    >
    > http://www.mozilla.org/products/firefox/releases/whatsnew/
    >
    > This is what I had for browser.startup.homepage:
    >
    > about:blank
    >
    >
    > In Mozilla:
    >
    > Mozilla startup.homepage_override_url
    >
    > http://www.mozilla.org/start/
    >
    > Mozilla browser.startup.homepage
    >
    > www.google.com
    >
    >
    >
    >>
    >> If you have a start page of blank, then both of these entries should
    >> be blank as well. If they contain something, then double click on them
    >> and remove the entry.

    >
    > Done, but it didn't help. I closed out of the browsers and restarted them
    > and the damned data.coremetrics.com socket is still open (although I
    > changed the address to localhost).
    >
    >>
    >> Also, check your bookmarks. Do you have any live bookmarks -- rss
    >> feeds, or something similar?
    >>

    >
    > Nope, no live bookmarks, rss feeds or much of anything else. I have far
    > less
    > processes (about 30 total) running on my computers and far less "things"
    > installed than most people. Compared to the typical computer, my XP
    > starts up
    > and runs way faster since I have so little installed.
    >
    > CPU and Networking utilization usually runs at zero percent.
    >
    > A software network sniffer shows no activity unless I explicitly do
    > something, with the exception of occasional, periodic activity with my
    > ISP or router.


    Close FF. Now, click on Start, Run, and enter exactly:

    firefox.exe -safe-mode

    This will start FF in Safe Mode. Does the problem continue?

     
    gwtc, Aug 24, 2006
    #10
  11. John

    Faun Guest

    Faun, Aug 24, 2006
    #11
  12. John

    John Guest

    Faun wrote:
    > In article <COWGg.250$>, says...
    >
    >>
    >> Why is Mozilla/Firefox opening connections to data.coremetrics.com?
    >> I *DON'T* have any toolbars.
    >> I *HAVE* run SpyWare/Adaware (with the latest data definitions) and
    >> Hijackthis! and found nothing.

    >
    > Maybe these can help:
    > http://www.spywareremove.com/removeCoreMetrics.html
    > http://www.scanspyware.net/info/Coremetrics.htm
    >
    > HTH


    Thank you.

    I tried both. Neither found coremetrics, or anything remotely related to it.
     
    John, Aug 24, 2006
    #12
  13. John

    Faun Guest

    In article <SclHg.361$>, says...

    > I tried both. Neither found coremetrics, or anything remotely related to it.


    You could try the manual approach. I seem to recall there was some
    advice on how to deal with it manually on at least one of the pages.
    Probably means starting regedit and looking for some keys, or something.

    The human eye is often better than the computer at detecting subtle
    things.

    Good luck!
    --
    faun.
     
    Faun, Aug 24, 2006
    #13
  14. John

    John Guest

    Faun wrote:
    > In article <SclHg.361$>, says...
    >
    >> I tried both. Neither found coremetrics, or anything remotely related to it.

    >
    > You could try the manual approach. I seem to recall there was some
    > advice on how to deal with it manually on at least one of the pages.
    > Probably means starting regedit and looking for some keys, or something.


    Yep. I read the same thing but the article said that even if one edits the
    registry, the scumware can rebuild itself.

    >
    > The human eye is often better than the computer at detecting subtle
    > things.


    Death to "clever" programmers!

    >
    > Good luck!
     
    John, Aug 24, 2006
    #14
  15. John

    Faun Guest

    In article <>, says...

    > Faun wrote:
    > > In article <SclHg.361$>, says...
    > >
    > >> I tried both. Neither found coremetrics, or anything remotely related to it.

    > >
    > > You could try the manual approach. I seem to recall there was some
    > > advice on how to deal with it manually on at least one of the pages.
    > > Probably means starting regedit and looking for some keys, or something.

    >
    > Yep. I read the same thing but the article said that even if one edits the
    > registry, the scumware can rebuild itself.


    That is not possible. There must be a second app that does this. If an
    application is deleted, or otherwise made defunct, e.g. by not allowing
    it to run, the only thing that can restore it is another application.
    Even typing HEX values into a HEX editor counts as "another
    application." ;-) Seriously, though, the problem is that the
    application is hidden, and there are any number of ways of doing this.

    Check the Run keys in the registry, check and double check that all
    calls to run in the registry are valid applications, and/or
    applications you know what they're doing. If you suspect something weird
    going on, export the key and delete it (you can always import it later
    if you need it). Also remember to set a "system restore point" before
    you do any serious work on the registry, unless you are certain about
    what you delete.

    Some keys to check (on XP Pro):
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

    And variations on those names, e.g. Run keys under CURRENT_USER and
    the like.

    Also check the win.ini file, etc., in the windows directory. Stuff may
    be hidden everywhere.

    Or use this one:
    http://www.sysinternals.com/Utilities/Autoruns.html

    If that leads nowhere, you can try one or more of the following:
    http://www.sysinternals.com/Utilities/RootkitRevealer.html
    http://www.sysinternals.com/Utilities/ProcessExplorer.html
    http://www.sysinternals.com/Utilities/Filemon.html

    Read about what they do before you attempt to use them.

    There are heaps of other useful little tools over at sysinternals. Have
    fun. :)

    > > The human eye is often better than the computer at detecting subtle
    > > things.

    >
    > Death to "clever" programmers!


    That would take the fun out of windows... ;-)
    --
    faun.
     
    Faun, Aug 25, 2006
    #15
  16. John

    John Guest

    Faun wrote:
    > In article <>, says...
    >
    >> Faun wrote:
    >> > In article <SclHg.361$>, says...
    >> >
    >> >> I tried both. Neither found coremetrics, or anything remotely related to it.
    >> >
    >> > You could try the manual approach. I seem to recall there was some
    >> > advice on how to deal with it manually on at least one of the pages.
    >> > Probably means starting regedit and looking for some keys, or something.

    >>
    >> Yep. I read the same thing but the article said that even if one edits the
    >> registry, the scumware can rebuild itself.

    >
    > That is not possible. There must be a second app that does this. If an
    > application is deleted, or otherwise made defunct, e.g. by not allowing
    > it to run, the only thing that can restore it is another application.
    > Even typing HEX values into a HEX editor counts as "another
    > application." ;-) Seriously, though, the problem is that the
    > application is hidden, and there are any number of ways of doing this.
    >
    > Check the Run keys in the registry, check and double check that all
    > calls to run in the registry are valid applications, and/or
    > applications you know what they're doing. If you suspect something weird
    > going on, export the key and delete it (you can always import it later
    > if you need it). Also remember to set a "system restore point" before
    > you do any serious work on the registry, unless you are certain about
    > what you delete.


    I usually back up my entire operating system partition so that no matter what
    happens, I'm right back to where I started. I use Ghost 2003 and an old
    version of DriveImage. DriveImage takes less than 5 minutes to back up the
    entire partition.

    >
    > Some keys to check (on XP Pro):
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx


    Good idea. I tried it and didn't find anything in any of the RunXXXX keys.

    >
    > And variations on those names, e.g. Run keys under CURRENT_USER and
    > alike.
    >
    > Also check the win.ini file, etc., in the windows directory. Stuff may
    > be hidden everywhere.


    SysEdit revealed nothing.

    >
    > Or use this one:
    > http://www.sysinternals.com/Utilities/Autoruns.html


    I already have Autoruns and I didn't find anything there.

    Interestingly enough, while I had "Active Ports" up and running, I could see
    that Autoruns briefly opened up a port and talked to someone. I didn't have a
    network sniffer running at that moment to see what's going on. That's for a
    later project.

    >
    > If that leads nowhere, you can try one or more of the following:
    > http://www.sysinternals.com/Utilities/RootkitRevealer.html


    I've never had any luck with RKR. I downloaded the latest version and, again,
    it just locks up my system.

    > http://www.sysinternals.com/Utilities/ProcessExplorer.html


    Tried that too. I looked under FireFox and Mozilla and aside from finding the
    open ports I didn't know what else to look for.
    I didn't see any obviously suspicious processes running.

    > http://www.sysinternals.com/Utilities/Filemon.html


    I've used that one too for seeing file activity but I don't see how that's
    going to help me for determining how these ports are being opened.

    >
    > Read about what they do before you attempt to use them.
    >
    > There are heaps of other useful little tools over at sysinternals. Have
    > fun. :)
    >
    >> > The human eye is often better than the computer at detecting subtle
    >> > things.

    >>
    >> Death to "clever" programmers!

    >
    > That would take the fun out of windows... ;-)


    On the bright side of things, ActivePorts revealed the following:

    mozilla.exe 2588 127.0.0.1 1029 127.0.0.1 1028 ESTABLISHED TCP D:\Program Files\mozilla.org\Mozilla\mozilla.exe
    mozilla.exe 2588 127.0.0.1 1028 127.0.0.1 1029 ESTABLISHED TCP D:\Program Files\mozilla.org\Mozilla\mozilla.exe
    firefox.exe 2988 127.0.0.1 1033 127.0.0.1 1032 ESTABLISHED TCP D:\Program Files\firefox.exe
    firefox.exe 2988 127.0.0.1 1032 127.0.0.1 1033 ESTABLISHED TCP D:\Program Files\firefox.exe

    Since I've modified data.coremetrics.com in 'hosts' to point to my own
    machine, that data isn't going anywhere. While data isn't leaking out, I'm
    still perplexed by how the socket is being instantiated.

    Thanks for all of your suggestions.
     
    John, Aug 25, 2006
    #16
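An added example, not part of any post in this thread: it reads the ActivePorts rows quoted in post #16 and reports connections where both endpoints are loopback addresses held by the same process, then lists the hosts-file names that share a loopback address and can therefore be printed for it by a tool that resolves addresses to names. Assumptions: the second column is the process ID, the hosts entry uses `127.0.0.1` (the post says only "my own machine"), and all function names are illustrative.

```python
import ipaddress
from collections import namedtuple

# Constructed input; the blocking hosts entry is ASSUMED to use 127.0.0.1.
HOSTS = """\
127.0.0.1  localhost
127.0.0.1  data.coremetrics.com  # assumed form of the blocking entry
"""
ROWS = """\
mozilla.exe 2588 127.0.0.1 1029 127.0.0.1 1028 ESTABLISHED TCP
mozilla.exe 2588 127.0.0.1 1028 127.0.0.1 1029 ESTABLISHED TCP
firefox.exe 2988 127.0.0.1 1033 127.0.0.1 1032 ESTABLISHED TCP
firefox.exe 2988 127.0.0.1 1032 127.0.0.1 1033 ESTABLISHED TCP
"""
Conn = namedtuple("Conn", "proc pid laddr lport raddr rport")

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # not an IP literal
        return False

def parse_hosts(text):
    """Map each address in a hosts file to the names listed for it."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.setdefault(fields[0], []).extend(fields[1:])
    return names

def parse_rows(text):  # rows: proc pid laddr lport raddr rport ...
    return [Conn(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]))
            for f in map(str.split, text.splitlines()) if len(f) >= 6]

def self_pairs(conns):
    """Loopback connections whose two ends are both held by the same PID."""
    ends = {(c.pid, c.laddr, c.lport, c.raddr, c.rport) for c in conns}
    return sorted({(c.proc, c.pid, min(c.lport, c.rport), max(c.lport, c.rport))
                   for c in conns
                   if is_loopback(c.laddr) and is_loopback(c.raddr)
                   and (c.pid, c.raddr, c.rport, c.laddr, c.lport) in ends})

def loopback_aliases(hosts):
    """Names a hosts-based reverse lookup of a loopback address can return."""
    return sorted(n for addr, ns in hosts.items() if is_loopback(addr) for n in ns)

if __name__ == "__main__":
    print(self_pairs(parse_rows(ROWS)), loopback_aliases(parse_hosts(HOSTS)))
```
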
  17. Peter Boerhof, Aug 25, 2006
    #17
  18. John

    Faun Guest

    In article <5UBHg.8116$n%>,
    says...

    > I usually back up my entire operating system partition so that no matter what
    > happens, I'm right back to where I started. I use Ghost 2003 and an old
    > version of DriveImage. DriveImage takes less than 5 minutes to back up the
    > entire partition.


    And your backup copy also has this problem...? Else, problem solved. :)

    > > If that leads nowhere, you can try one or more of the following:
    > > http://www.sysinternals.com/Utilities/RootkitRevealer.html

    >
    > I've never had any luck with RKR. I downloaded the latest version and, again,
    > it just locks up my system.


    Bummer...

    > > http://www.sysinternals.com/Utilities/ProcessExplorer.html

    >
    > Tried that too. I looked under FireFox and Mozilla and aside from finding the
    > open ports I didn't know what else to look for.
    > I didn't see any obviously suspicious processes running.


    Processes can be hidden. Perhaps even from that tool.

    > > http://www.sysinternals.com/Utilities/Filemon.html

    >
    > I've used that one too for seeing file activity but I don't see how that's
    > going to help me for determining how these ports are being opened.


    The app in question might be reading some file where it stores its data.
    It's a far-fetched idea, I know, but in lieu of better ones...

    > Since I've modified data.coremetrics.com in 'hosts' to point to my own
    > machine, that data isn't going anywhere. While data isn't leaking out, I'm
    > still perplexed by how the socket is being instantiated.


    Another thing to try is to look through the list of services that are
    started. Suspicious stuff should be checked out.

    Can't understand how the damn thing was installed, though. Unless you
    had a bad brain day, and hit install on some app you DL without skimming
    through the licence stuff...? ;-)

    BTW, is the connection made as the machine starts, or only after a
    while, or when Fx starts? If you can determine when it happens, it could
    narrow the search down a bit.

    > Thanks for all of your suggestions.


    No probs...
    --
    faun.
     
    Faun, Aug 27, 2006
    #18
  19. John

    Faun Guest

    Faun, Aug 27, 2006
    #19
  20. John

    John Guest

    Faun wrote:
    > In article <5UBHg.8116$n%>,
    > says...
    >
    >> I usually back up my entire operating system partition so that no matter what
    >> happens, I'm right back to where I started. I use Ghost 2003 and an old
    >> version of DriveImage. DriveImage takes less than 5 minutes to back up the
    >> entire partition.

    >
    > And your backup copy also has this problem...? Else, problem solved. :)
    >
    >> > If that leads nowhere, you can try one or more of the following:
    >> > http://www.sysinternals.com/Utilities/RootkitRevealer.html

    >>
    >> I've never had any luck with RKR. I downloaded the latest version and, again,
    >> it just locks up my system.

    >
    > Bummer...


    ----------- TA-DAHHHH! ---------

    Got RKR running. The 'Cleaning up' phase takes just about forever. It found
    one thing but according to the RKR help, I don't think that it was the cause
    of my problem.


    >
    >> > http://www.sysinternals.com/Utilities/ProcessExplorer.html

    >>
    >> Tried that too. I looked under FireFox and Mozilla and aside from finding the
    >> open ports I didn't know what else to look for.
    >> I didn't see any obviously suspicious processes running.

    >
    > Processes can be hidden. Perhaps even from that tool.
    >
    >> > http://www.sysinternals.com/Utilities/Filemon.html

    >>
    >> I've used that one too for seeing file activity but I don't see how that's
    >> going to help me for determining how these ports are being opened.

    >
    > The app in question might be reading some file where it stores its data.
    > It's a far-fetched idea, I know, but in lieu of better ones...
    >
    >> Since I've modified data.coremetrics.com in 'hosts' to point to my own
    >> machine, that data isn't going anywhere. While data isn't leaking out, I'm
    >> still perplexed by how the socket is being instantiated.

    >
    > Another thing to try is to look through the list of services that are
    > started. Suspicious stuff should be checked out.


    Been there, done it. I think I recognize all of the services. None stand out
    as being overtly suspicious.

    >
    > Can't understand how the damn thing was installed, though. Unless you
    > had a bad brain day, and hit install on some app you DL without skimming
    > through the licence stuff...? ;-)


    I very rarely download stuff and no one else uses my computer. I'm the paranoid
    type.

    >
    > BTW, is the connection made as the machine starts, or only after a
    > while, or when Fx starts? If you can determine when it happens, it could
    > narrow the search down a bit.


    Connection is made/broken *ONLY* when Firefox/Mozilla starts/stops.

    >
    >> Thanks for all of your suggestions.

    >
    > No probs...
     
    John, Aug 29, 2006
    #20