jumping crab.com

[brotherboard]

Hi

Please could anyone tell me why Firefox tries to constantly connect to jumpingcrab.com?
I say tries because I have it blocked in my hosts file to have it redirected to local host.
This activity shows up when using the command line - netstat -abf 5 > activity.txt

TCP 127.0.0.1:49775 sendmsg.jumpingcrab.com:49776 ESTABLISHED
[firefox.exe]

Also Avast is doing the same

TCP 127.0.0.1:12080 sendmsg.jumpingcrab.com:50430 ESTABLISHED
[AvastSvc.exe]

 

[HammerHead]

Specs

I see you filled out your specs. Congrats to you.

I would guess you have some malware. You can start by running Malware Bytes. If you don't have it here is a link to download and install.

Malwarebytes

 

[brotherboard]

Hi

HammerHead..... thanks for the reply I ran Malwarebytes as I do about once a week anyway, and it found two trojan objects so I deleted them. They weren't there on my last scan obviously!
A scan with Kapersky TDSSkiller anti rootkit detection came up clean as did a scan with SuperAntispyware. An on line analysis of a HiJackThis scan shows no suspicious items either

Netstat still reporting

TCP 127.0.0.1:12080 sendmsg.jumpingcrab.com:50430 ESTABLISHED
[AvastSvc.exe]

and

TCP 127.0.0.1:49187 sendmsg.jumpingcrab.com:49186 ESTABLISHED
[firefox.exe]

 

[HammerHead]

More Help

We will get some more help in a little while. Some members here a are good at this. They'll be along. In the meantime, I am not familiar with fire fox but you need to check your browser addons and if you see anything suspicous disable it.

 

[HammerHead]

SpyBot

Here is a free scanner that you can use.

Download Free Spybot

 

[brotherboard]

Thanks for the replies

The following scans have all reported clean

Malwarebytes full scan
SuperAntispyware full scan
Avast Antivirus full scan
Kapersky TDSSkiller Anti-rootkit scan
HiJackthis Analysed online scan
CWS Shredder
ESET online scanner
Also Comodo CIS is not reporting this activity

Am I right to assume that by redirecting to my local host the connection is never made and I am safe for now till I can establish the culprit?

 

[HammerHead]

Browser

Have you checked your browser for addons?

Do a file search on your OS disk for "jumpingcrab" and see what you come up with.

 

[carwiz]

It appears to be a serious problem according to Norton. It's a AV redirect spoof. Could be why nothing you've loaded is finding it. You may have been downloading additional malware. You might try the Norton Power Eraser but I would download it on a different machine and save it to a thumb drive then run it from that on your machine. Pay particular attention to the warning that NPE uses "aggressive methods to detect threats" and be careful what you remove.

 

[brotherboard]

many thanks I'll get to it later. Your input is much appreciated. I do have several back ups going back many weeks if all fails.

Carwiz

Following your instructions the Norton Power eraser retuned a report of no problems found.

Thanks for your input.

 

[VistaKing]

Can you upload the HiJackThis log ? Can you open up your Ethernet properties and your wireless adapter properties and see if anything is listed under proxy .

 

[A Guy]

Oh boy, this is looking like a thread for the Security section. The host is a Chinese IP address

sendmsg.jumpingcrab.com information at DomainReverse.com

It looks like you have the new Trojan Upclicker

Trojan Upclicker malware infecting PCs via mouse input | ITProPortal.com

New Trojan Bypasses Detection with Manipulated Mouse Click - FIGHTERtools

Volatility Labs: What do Upclicker, Poison Ivy, Cuckoo, and Volatility Have in Common?

Upclicker Trojan Evades Sandbox Detection by Hiding in a Mouse Click | threatpost

I could not find any legit removal procedures at the usual security sites, but perhaps VistaKing, or others will be aware of this. A Guy

 

[Dwarf]

Thread moved, also requested assistance from one of our malware specialists (Jacee).

 

[A Guy]

Thread moved, also requested assistance from one of our malware specialists (Jacee).

As did I

 

[cottonball]

brotherboard,

While Jacee gets here, you can try the following:

This program reports if Proxy / DNS configurations are found...

Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:

Select the version that applies to your system: x64
Click the dark-blue button to download.
Save to the Desktop.

Close all windows and browsers.
Right-click and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
(Also, do not delete any entries, please.)

 

[brotherboard]

Thank you for all your replies. Having taken on board all the excellent advice, recommendations and spending a lot of time on this, I have done a full restore from original back up discs (without the bloatware !)
My Netstat scans are now showing no sign of the dreaded jumpingcrab.com connections. I'll keep a close check on things, and get back if it re-appears.
Thanks once again. Please mark as solved.

 

[Jacee]

Flush the DNS cache and restore MS's Hosts file ...

Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.
Double click on the flush.bat file to run it.Vista and Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

Then, follow cottonball's instructions.