After installing the process hacker I noticed that in-network section most of the processes is connecting to a 3rd party software called "partitionwizard" both of the local and remote address are same and my antivirus isn't detecting any virus toohere is the image of process hacker
.What kind of virus is this?
Why the processes are connecting to 3rd party software website
anti-virusfirewallprocessSecuritytask-manager
Related Solutions
It sounds like it's been blocked by an outgoing firewall. What version of Windows is it and is there a firewall (Comodo for example) running?
You can find out if there is a firewall (and which one it is) by opening. the windows security centre Control Panel > Security Center (on XP):
You should be able to open the firewall and see a list of blocked programs.
Find World of Warcraft on that list and change it to "allowed". This is the screen for Comodo as an example:
I was trying to stop services in normal mode which didn't run in safe mode, then I have accidentally solved the problem this morning.
Here in Brazil, a lot of users complain about GBPlugin - a technology most bank companies require users to use in order to access their bank account online. This GBPlugin consumes lots of resources and requires a highly skilled approach to be removed from the OS.
I tried to remove it following this post. Somebody named "DigRam" suggested a scan with AdwCleaner which had shown two suspect services:
- 412f21e02ea37d13c378594fcbac2bd2
- scan
AdwCleaner scan result has no effect on GBPlugin at all but had these two - suspicious. But after the Windows reboot I could finally see, create, change and delete the folders which had been hidden (in normal windows mode).
I can't determine who was the troublemaker and I really don't care right now. Both were killed and the OS is OK now.
Finally:
- I couldn't remove GBPlugin yet, but that is another problem with an existing solution.
- I bought spyHunter which I regret.
Below, is the scanning result
# AdwCleaner v6.000 - Relatório criado 21/08/2016 às 09:08:22
# *Updated on 12/08/2016 by ToolsLib
# Banco de dados : 2016-08-21.1 [Servidor]
# Sistema operacional : Windows 10 Pro (X64)
# Usuário : eduar - MOBISTATION
# Executando de : C:\Users\eduar\Downloads\adwcleaner_6.000.exe
# Limpar
# Apoio : https://toolslib.net/forum
***** [ Serviços ] *****
[-] Políticas do IE excluídas412f21e02ea37d13c378594fcbac2bd2
[-] Políticas do IE excluídasscan
***** [ Pastas ] *****
[-] RestauradoC:\Users\eduar\AppData\Roaming\ParetoLogic
[-] RestauradoC:\ProgramData\ParetoLogic
[-] RestauradoC:\Program Files (x86)\xtex
[-] RestauradoC:\Users\Public\Documents\dmp
[-] RestauradoC:\Users\eduar\AppData\Local\Geckofx
***** [ Arquivos ] *****
***** [ DLL ] *****
***** [ WMI ] *****
***** [ Atalhos ] *****
***** [ Tarefas agendadas ] *****
***** [ Registro ] *****
[-] Restaurado[x64] HKLM\SOFTWARE\Classes\CLSID\{65416821-217D-44BD-9C61-F53398FB1B46}
[-] Restaurado[x64] HKLM\SOFTWARE\Classes\CLSID\{6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC}
[-] Restaurado[x64] HKLM\SOFTWARE\Classes\CLSID\{E5AFF088-92F8-41a9-8CAB-E9CDCCE967AC}
[-] Restaurado[x64] HKLM\SOFTWARE\Classes\CLSID\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
[-] Restaurado[x64] HKLM\SOFTWARE\Classes\CLSID\{94915A56-4D71-4F85-B59C-CC040F5AC6F0}
[-] Restaurado[x64] HKLM\SOFTWARE\Classes\Interface\{65416821-217D-44BD-9C61-F53398FB1B46}
[-] Restaurado[x64] HKLM\SOFTWARE\Classes\Interface\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
[-] RestauradoHKLM\SOFTWARE\Classes\Interface\{65416821-217D-44BD-9C61-F53398FB1B46}
[-] RestauradoHKLM\SOFTWARE\Classes\Interface\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
[-] RestauradoHKLM\SOFTWARE\Classes\TypeLib\{34F4FEAF-4921-4B5D-8BE5-CA384BFFC2CE}
[-] RestauradoHKLM\SOFTWARE\Classes\TypeLib\{39A37965-0A96-43A3-870E-821FE5C84B0B}
[-] Restaurado[x64] HKLM\SOFTWARE\SmartPCFixer
[-] RestauradoHKU\S-1-5-21-3215691145-4218728392-1243681445-1001\Software\IM
[-] RestauradoHKU\S-1-5-21-3215691145-4218728392-1243681445-1001\Software\ParetoLogic
[#] *Key deleted on reboot: HKCU\Software\IM
[#] *Key deleted on reboot: HKCU\Software\ParetoLogic
[-] RestauradoHKLM\SOFTWARE\ParetoLogic
[-] RestauradoHKLM\SOFTWARE\SmartPCFixer
***** [ Navegadores ] *****
[-] [br.ask.com] [Search Provider] Excluídobr.ask.com
*************************
:: Chaves "Tracing" excluídas
:: Configurações Winsock restauradas
*************************
C:\AdwCleaner\AdwCleaner[C0].txt - [2494 *Bytes] - [21/08/2016 09:08:22]
C:\AdwCleaner\AdwCleaner[S0].txt - [2676 *Bytes] - [21/08/2016 09:04:40]
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2642 *Bytes] ##########
Best Answer
The local address always has to be a local address – as in an address that's literally assigned to a network adapter on this computer. So if a strange domain name shows up as a "local address", that just means one of your own IP addresses is resolving to that strange domain name.
If you use
netstat
or disable the "Resolve network addresses" option in Process Hacker, it's almost guaranteed to show that the actual address is127.0.0.1
or::1
.(Note also that the connections that you see are very often in pairs – you see one from port A to B, and another from port B to A. This strongly implies it's a loopback connection and they're actually just two ends of the same connection.)
Most likely, you (or some "ad blocking" software) have put a ton of
127.0.0.1 partitionwizard.com
entries to the /etc/hosts file (well, C:\Windows\System32\drivers\etc\hosts), where they deliberately have priority over DNS lookups. However, entries there work both ways – the file doesn't only translate names to addresses, but also addresses to names. When the system is asked to translate 127.0.0.1 to a name, it'll use whatever domain it finds in the 'hosts' entries.(For that reason, I would recommend manually adding
127.0.0.1 localhost
and::1 localhost
at the very top of the 'hosts' file. Normally Windows doesn't need those entries, but when you have custom ones, you have to add localhost as well.)So those are loopback connections. As to why those loopback connections are made – I'm pretty sure it has to do with your antivirus software (this avp.exe, which is again very noticeably one of the endpoints for each connection) performing "web scanning", i.e. it tries to intercept every single HTTP and HTTPS connection that programs make.