Firefox & Thunderbird try to connect to site without my permission

Does anyone know why Firefox might be trying to connect to 64.224.99.120:53? If you punch the IP address in without the port it goes to www.freeware995.com. Thunderbird also tries to connect to the same address. For both FF & TB it will try at startup or sometimes after it has been on for a while.

Any suggestions?

PS. Spybot, Ad-aware, MS Defender, Spysweeper say my system is clean of spyware, I have no virus, and HijackThis shows nothing out of the ordinary.
Maxium Asked:

war1 Commented:
Maxium,

You may need to clean out your DNS cache.  Go to Start > Run and type CMD and hit <Enter>
At the command prompt, type ipconfig /flushdns and hit <Enter>
Now test.

war1 Commented:
Greetings, Maxium !

Did you download a program from Freeware995.com?  Firefox and Thunderbird may be calling home.  Uninstall the program and then test.

I'd like to see your HijackThis log.  Post the log at http://www.hijackthis.de/ and click Analyse, Save.  Post a link to the saved list here.


Best wishes!

Maxium (Author) Commented:
I did have pdf995 installed; it is a print driver which allows you to print a pdf file instead of printing to a print device. I should note that I ran this program for 3 yrs and have read nothing about this having spyware, except that it will bring you to an advertisement when you use it.
 
war1 Commented:
Maxium,

I know about PDF995. It is not spyware.  Some software is trying to connect back to its home website.  It may not be malicious.  It may be looking for an update.

You wrote, "Does anyone know why Firefox might be trying to connect to 64.224.99.120:53."  How do you know Firefox is trying to connect?  Do you catch it with a firewall?

Maxium (Author) Commented:
Yes, I was checking a few other things and had ZoneAlarm block pdf995 from connecting to its advertising. That's when I noticed that Thunderbird and Firefox were not being allowed to connect to 64.224.99.120:53. I then started looking into why this was happening. I had found no really useful info, so I decided to post something here. I agree that it is unlikely that PDF995 is spyware, but it's the only thing I have that came from the web site that this IP belongs to.

war1 Commented:
Maxium, your HijackThis log looks clean.

Run Rootkit Revealer to see if you have any rootkit.  
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Post the log here.

Maxium (Author) Commented:
I have never used Rootkit Revealer before, but have run blbeta.exe (F-Secure rootkit detector), plus Spysweeper looks for rootkits as well and neither found anything, but I will run Rootkit Revealer if you think it's better. I should note that I did uninstall pdf995 and the problem was still there. I then removed all entries in the registry dealing with pdf995, and since then have not had any signs of FF or TB trying to connect to the above-mentioned site. But I will keep an eye on it to be sure.

war1 Commented:
>> had zonealarm block pdf995 from connecting to it's advertising,

What is likely happening is that PDF995 is trying to connect back to its homepage to find out why its advertising is not working.

war1 Commented:
No need to run Rootkit Revealer if you had run F-Secure Blacklight.  The latter is a good rootkit program.

Maxium (Author) Commented:
Well, as luck would have it, I spoke too soon: Thunderbird just tried to connect.

ZoneAlarm
Description      Your computer was prevented from connecting to a restricted site (a restricted address (64.224.99.120)).
Rating           Medium
Date / Time      2006/05/27 22:54:34-3:00 GMT
Type             Program Access
Program          thunderbird.exe
Source IP        
Destination IP   64.224.99.120:53
Direction        Outgoing (connect)
Action Taken     Blocked
Count            5
Source DNS      
Destination DNS  freeware995.com

And pdf995 is no longer installed.

scrathcyboy Commented:
No, ZoneAlarm is the problem -- uninstall it from your PC and forget it ever existed.  Then remake your home page to whatever you want, and don't use ZoneAlarm again; that will solve it.

war1 Commented:
Maxium, do you have a PDF file created by PDF995?  Maybe as an attachment?  Maybe the PDF attachment is calling home.

moorhouselondon Commented:
I think the above comments have ascertained that everyone is happy with PDF995's intentions (i.e., it is a bona fide product).  However, have you bolted down Thunderbird/Firefox?  There are loopholes in these products which need to be closed off.  See this advisory for instance:-

http://www.kb.cert.org/vuls/id/592425

Maxium (Author) Commented:
To scrathcyboy, I have had ZA for 6yrs and don't intend on getting rid of it, and my homepage has never been a problem.


Maxium (Author) Commented:
To war1: I do have PDFs made by pdf995 on my computer, but none as attachments.

Maxium (Author) Commented:
To moorhouselondon: I'm running the latest versions of Firefox and Thunderbird. JavaScript is not allowed for Thunderbird and I'm running NoScript on Firefox as well.

Maxium (Author) Commented:
The following has just happened: Thunderbird tried to connect to 66.218.79.175:53 (premium.geo.yahoo.akadns.net). This has happened twice before but I forgot about it. I have noticed that all these seem to point to DNS (port 53); could this be significant?

moorhouselondon Commented:
(1) Have you checked your HOSTS file for any redirection there?
(2) Try running Anti-Threat software in Safe Mode.  There has to be a trojan in the system.

cj_1969 Commented:
A PDF doc should not be trying to access the Internet.
A trojan is not going to go to a known site like what we are seeing.
As the PDF995 is a known program that deals with displaying advertising in your browser, the connection is going to the home site (albeit an old one) for the application, this HAS to be a throwback to the app.  Chances are the reference to the port is just a dedicated port that the company set up for its apps to communicate on to its servers.

Check your "Run" registry keys and see if there is anything referencing a pdf995 (or any 995) application ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Also check
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

See if there is anything in the AppInit_DLLs reference.

If the app is uninstalled then there is most likely a back-end application that was not uninstalled with the app that is still trying to display the advertising.
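
The checks suggested in the two comments above (HOSTS file redirection, the Run key, and AppInit_DLLs) can be gathered in one read-only pass. This PowerShell script is an added example, not part of the original thread; the HKCU Run key and the '995' search pattern are assumptions beyond what the posts name.

```powershell
# Added example: read-only triage of the locations named in this thread.
# Assumption: '995' as the search pattern (from the product name discussed above).
$pattern = '995'

# 1. HOSTS file: show every active mapping (comments and blank lines stripped).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Output "== Active HOSTS entries: $hostsPath =="
if (Test-Path $hostsPath) {
    Get-Content $hostsPath |
        ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
        Where-Object { $_ -ne '' }
}

# 2. Run keys: list every autostart value and flag those matching the pattern.
#    HKLM is the key named in the post; HKCU is added here as an assumption.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    Write-Output "== $key =="
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        $flag = if ("$name $value" -match $pattern) { '  <-- matches pattern' } else { '' }
        Write-Output ("{0} = {1}{2}" -f $name, $value, $flag)
    }
}

# 3. AppInit_DLLs: DLLs listed here are loaded into processes that load user32.dll,
#    so any non-empty value deserves a look.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
Write-Output "== AppInit_DLLs =="
if ("$appInit".Trim() -eq '') {
    Write-Output '(empty)'
} else {
    Write-Output "$appInit  <-- review each DLL listed"
}
```

The script only reads; anything it flags still has to be traced to the file on disk before deciding whether it is a leftover from an uninstalled program.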

Maxium (Author) Commented:
As of May 30, 2006, due to the lack of time I had to work on this problem and the fact that nothing tried up till May 30 had worked, I decided to format and reinstall. I then restored my documents from backups.  I prefer not to solve problems this way, but sometimes it's the fastest solution.

I would like to thank everyone who tried to help. I did learn a few new tricks to try even if it didn't help.

I would now like to close this question

Thanks


Maxium (Author) Commented:
I was just reading another post, on a different subject, and his problem wasn't solved, but he is splitting points because he learned some valuable information. I too believe I have learned some valuable information and would like to split points. If this is an allowable option I will do so.

Please advise.

Keep in mind I have only posted here once before, and still find myself new to the rules about the point system.

war1 Commented:
Maxium,

Sorry that you had to reformat. Maybe that is the fastest way to fix the problem. Splitting the points among the likely answers will be acceptable.