Why my processes are connecting to 3rd party software website [duplicate]
After installing the process hacker I noticed that in-network section most of the processes is connecting to a 3rd party software called "partitionwizard" both of the local and remote address are same and my antivirus isn't detecting any virus toohere is the image of process hacker .What kind of virus is this?
Solution 1:
The local address always has to be a local address – as in an address that's literally assigned to a network adapter on this computer. So if a strange domain name shows up as a "local address", that just means one of your own IP addresses is resolving to that strange domain name.
If you use netstat
or disable the "Resolve network addresses" option in Process Hacker, it's almost guaranteed to show that the actual address is 127.0.0.1
or ::1
.
(Note also that the connections that you see are very often in pairs – you see one from port A to B, and another from port B to A. This strongly implies it's a loopback connection and they're actually just two ends of the same connection.)
Most likely, you (or some "ad blocking" software) have put a ton of 127.0.0.1 partitionwizard.com
entries to the /etc/hosts file (well, C:\Windows\System32\drivers\etc\hosts), where they deliberately have priority over DNS lookups. However, entries there work both ways – the file doesn't only translate names to addresses, but also addresses to names. When the system is asked to translate 127.0.0.1 to a name, it'll use whatever domain it finds in the 'hosts' entries.
(For that reason, I would recommend manually adding 127.0.0.1 localhost
and ::1 localhost
at the very top of the 'hosts' file. Normally Windows doesn't need those entries, but when you have custom ones, you have to add localhost as well.)
So those are loopback connections. As to why those loopback connections are made – I'm pretty sure it has to do with your antivirus software (this avp.exe, which is again very noticeably one of the endpoints for each connection) performing "web scanning", i.e. it tries to intercept every single HTTP and HTTPS connection that programs make.