My system is infected with calls to "www.r2rdownload.com" from pretty much every app on my system. The address is blocked in my hosts file.

Something I have downloaded has obviously been naughty, but I am not getting any hits from Malwarebytes, Windows, or ADWCleaner etc.

It is obviously something that each app is using to connect to the outside world. (Windows 11)

Anyone else had this?

Thanks

Natty

 

Have you added it properly to your hosts file? And are you sure no other app installed since has updated your hosts file? Sometimes a Windows update cleans out your hosts file too.

Try also adding the 127 and 0 versions to your hosts file, which should block any outgoing attempt by any app:

127.0.0.1 www.r2rdownload.com
0.0.0.0 www.r2rdownload.com

 

remove any address you have from the hostfile, it does the same thing to me. just add your blocked shit to a third party soft like portmaster. problem solved.

 

I have it in the hosts file and the call is looping back, so not going anywhere.

I was trying to get to the bottom of what is piggy backing onto everything to get rid of it.

 

No need to worry, bro. It's not what you think it is: The hosts file does the same thing a DNS does. It also acts as a reverse DNS. So whenever anything on your system calls either 127.0.0.1 or 0.0.0.0 it gets translated to one of the URLs you have put in your host file. So in your case apps on your system are not trying to call www.r2rdownload.com, they're actually calling 127.0.0.1 (localhost or in other words "your own system"). Programs like Netstat just show the association you have put in your hosts file because this is what the reverse DNS query resolves to.

 

It maps the second column to the first (but not the other way around).

Code:

127.0.0.1    example.com

means that "example.com" is resolved to 127.0.0.1.

Code:

127.0.0.1    example.com
malware.xyz  127.0.0.1

however, is probably something you don't want to have.

 

Hey Natty, are you using a firewall? Most of them have a feature that shows a list of "events', meaning they will tell you what app was trying to reach the 'r2rdownload' site you refer to and what the end point of that 'reach' was. In your case the endpoint should be right back to your own machine or 127.0.0.1. If you want to check to be certain the hosts file is working properly it's easy enough. Just open your browser, and enter the R2R url you posted. If all is working correctly on your system, it should lead to an error page and not any website. It would be good if you could determine the app that's causing this on your system, not only for your own safety, but also for the community here, since I'm sure you're probably not the only person that downloaded the problematic app that's causing this, and so the information would be beneficial to all of us.

Good luck!

 

And never map an IP address to the loopback like this:

Code:

127.0.0.1  56.19.27.13

 

That is true as far as the network address translation goes, however, in the case of a reverse DNS lookup it actually does go "the other way round" and this is why Natty is getting this "false positive". So again, because this is what's to be taken away: In your case it's all good, Natty. Nothing to worry about.

 

Guys r2rdownload.com is NOT from R2R.

There was a problem with this a few years ago and basically these were scam sites, r2r has no direct website.

If you downloaded something from one of these websites, of if you're using those sketchy websites like freevst or wtv, and your computer is doing sketchy shit now, you should reformat your PC.

I know some of the releases on sistersite a few years ago would tell you to block r2rdownload.com, but that wasn't because it was going to call home to it, it's because these were scam sites and they didn't want you going there.

Under no circumstance would any vst be calling home to r2rdownload.com, they would be calling home to the manufacturer of the VST.

Now if u gonna reformat, what I did is took an external hard drive (or USB with enough room) and slapped all my project folder, samples, and any presets/other important stuff into the external drive.

But dont go copying all your vst's in there, do a fresh install and please ONLY download from sistersite from now on.

 

Just for anyone who was curious, this isn't an issue on mac....

 

This r2rdownload.com line added to the hosts file to block access to it was a trick from the real R2R team, it is (was?) required for some of their releases when the scam site was active.

 

I know, I literally said that...
But that wasn't because r2rdownload.com was going to be calling home. It's because those websites are scams and they didn't want you going there.

EDIT: In other words, if it's calling home it's because something was download from somewhere else than sistersite.

 

Although everyone ought to be ready and able to reformat at any time (that means having recent backups of EVERYTHING you do not want to lose), it's unlikely that the OP's problem is worth doing that until other faster and easier things have been done.

For most people, telling them to reformat means days of getting things back in order.
If you use Windows stock and only use Fl Studio, well then sure, reformat at will....

 

I love me a bit of mansplaining

NOTE: I think you missed the point. They know what it is, just wondering why everything was trying to connect to it. The above posts about resolving of 127.0.0.1 from @Jack Doee and @Olaf explains it, so nothing to do with your explanation/misinformation or about preaching to only downloading from sister site etc. What's the AudioSex version of a Facebook Expert

 

Ok, I'm sorry if I'm wrong, I'm only trying to help. Can you clarify to me why something would be calling home to r2rdownload.com?

I've gotten some nasty bugs in the past from this kind of shit, and am now studying cybersecurity, so I'm genuinely curious why your vsts would be calling home to a scam site if it's not r2r.

Only trying to help.

I would also like to know why your vsts from the real r2r are calling home to a scam site. Seems to me it would be backwards for a team that spends all it's time making its releases run faster than the OG by removing several homecalling and cpu hungry key checks, that they would then have their own vsts constantly connecting to the net and calling to a website that isn't even their home.
But idk man apparently I spend too much time on FB. (I don't even have a fb)

 

Last edited: Dec 19, 2022

They are not calling www.r2rdownload.com. Read the above posts I referred to that answer you questions, namely....

...and...

So, when any app on the system tries to call homes, it searches the hosts, picks up 127.0.0.1 and translated to a URL associated with said IP in your hosts file, in this case, www.r2rdownload.com.

As an illustrative example, I interpret @Jack Doee and @Olaf posts as saying:

APP > calls 127.0.0.1 to access internet > scans hosts file > finds 127.0.0.1 in hosts file > finds 127.0.0.1 associated with an URL > translates 127.0.0.1 to the associated URL, being www.r2rdoanload.com > can't connect to 127.0.0.1 due to hosts block > displays error saying could not connect to ww.r2rdownload.com, being the URL that 127.0.0.1 has been translated to (even though in reality the app is simply trying to connect to 127.0.0.1)

 

Last edited: Dec 19, 2022

Thanks for the responses people.

Literally everything I use is calling R2R - I am not bothered about that as the loopback is working fine. X-Plane, Live, NVIDIA Experience, everything lol. I am sure it is going to be a single rogue app/dll that is piggy-backing - but why the mary can't virus/malware scans see it?

It is not causing me problems at all, and I only download from Audiosex... I am only bothered that it's a thing on my computer sitting there like a squatter lol. I am using this... https://learn.microsoft.com/en-gb/sysinternals/downloads/procmon which is a fantastic tool. I can see which app is doing the calling, and all the processes for that app, and scanned all the relative dlls to no avail.

This is just a forensic project for me now...

 

If you delete all r2rdownload entries from the host file and then all apps stop connecting to it, you know for a fact that @Bunford is right! Just make a backup before you do it.

 

Thanks for the clarification. Why would it always show up as www.r2rdownload.com? Assuming Natty has multiple plugin hosts blocked with 127.0.0.1 , wouldn't it be changing its assumption? Does it just pick the first thing you have in your hostfile?

Natty what if you tried removing www.r2rdownload.com from hostfile, and see what the calls will be saying when thats not in hostfile?