www.r2rdownload.com calls

Discussion in 'PC' started by NattyCarter, Dec 19, 2022.

  1. NattyCarter

    NattyCarter Newbie

    Joined:
    Mar 3, 2020
    Messages:
    6
    Likes Received:
    0
    My system is infected with calls to "www.r2rdownload.com" from pretty much every app on my system. The address is blocked in my hosts file.

    Something I have downloaded has obviously been naughty, but I am not getting any hits from Malwarebytes, Windows, or ADWCleaner etc.

    It is obviously something that each app is using to connect to the outside world. (Windows 11)

    Anyone else had this?

    Thanks

    Natty
     
  3. Bunford

    Bunford Audiosexual

    Joined:
    Jan 17, 2012
    Messages:
    2,529
    Likes Received:
    978
    Have you added it properly to your hosts file? And are you sure no other app installed since has updated your hosts file? Sometimes a Windows update cleans out your hosts file too.

    Try also adding the 127 and 0 versions to your hosts file, which should block any outgoing attempt by any app:

    127.0.0.1 www.r2rdownload.com
    0.0.0.0 www.r2rdownload.com
     
  4. VaricellaNelDeretano

    VaricellaNelDeretano Newbie

    Joined:
    Nov 27, 2022
    Messages:
    2
    Likes Received:
    0
    remove any address you have from the hostfile, it does the same thing to me. just add your blocked shit to a third party soft like portmaster. problem solved.
     
  5. NattyCarter

    NattyCarter Newbie

    Joined:
    Mar 3, 2020
    Messages:
    6
    Likes Received:
    0
    I have it in the hosts file and the call is looping back, so not going anywhere.

    I was trying to get to the bottom of what is piggy backing onto everything to get rid of it.
     
  6. Jack Doee

    Jack Doee Member

    Joined:
    Oct 18, 2022
    Messages:
    24
    Likes Received:
    13
    No need to worry, bro. It's not what you think it is: The hosts file does the same thing a DNS does. It also acts as a reverse DNS. So whenever anything on your system calls either 127.0.0.1 or 0.0.0.0 it gets translated to one of the URLs you have put in your host file. So in your case apps on your system are not trying to call www.r2rdownload.com, they're actually calling 127.0.0.1 (localhost or in other words "your own system"). Programs like Netstat just show the association you have put in your hosts file because this is what the reverse DNS query resolves to.
     
  7. Olaf

    Olaf Platinum Record

    Joined:
    Jun 5, 2011
    Messages:
    570
    Likes Received:
    244
    It maps the second column to the first (but not the other way around).
    Code:
    127.0.0.1    example.com
    means that "example.com" is resolved to 127.0.0.1.
    Code:
    127.0.0.1    example.com
    malware.xyz  127.0.0.1
    however, is probably something you don't want to have.
     
  8. Hey Natty, are you using a firewall? Most of them have a feature that shows a list of "events", meaning they will tell you what app was trying to reach the 'r2rdownload' site you refer to and what the end point of that 'reach' was. In your case the endpoint should be right back to your own machine or 127.0.0.1. If you want to check to be certain the hosts file is working properly it's easy enough. Just open your browser, and enter the R2R url you posted. If all is working correctly on your system, it should lead to an error page and not any website. It would be good if you could determine the app that's causing this on your system, not only for your own safety, but also for the community here, since I'm sure you're probably not the only person that downloaded the problematic app that's causing this, and so the information would be beneficial to all of us.

    Good luck!
     
  9. Haliax

    Haliax Guest

    And never map an IP address to the loopback like this:

    Code:
    127.0.0.1  56.19.27.13
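
Added example, not code from any poster in this thread: a small Python parser for hosts-file text that builds the name-to-address map described in Olaf's post, lists which names share each address, and flags the two malformed shapes quoted above (columns swapped, an IP address used as a host name). The sample file is constructed, and keeping the first entry per name is an assumption of this sketch.

```python
import ipaddress

# Constructed sample hosts file built from the entries quoted in this thread.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1    localhost
127.0.0.1    www.r2rdownload.com
0.0.0.0      www.r2rdownload.com
malware.xyz  127.0.0.1
127.0.0.1    56.19.27.13
"""

def is_ip(token):
    try:
        ipaddress.ip_address(token)   # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return False

def parse_hosts(text):
    """Return (forward, reverse, problems) for hosts-file text.

    forward:  host name -> address (first entry kept; assumption of this sketch)
    reverse:  address -> host names listed for it, in file order
    problems: (line number, reason) for lines that do not read 'address name...'
    """
    forward, reverse, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        if not is_ip(addr):
            problems.append((lineno, "first column is not an IP address"))
            continue
        if not names:
            problems.append((lineno, "address without a host name"))
            continue
        for name in names:
            if is_ip(name):
                problems.append((lineno, "IP address used as a host name"))
                continue
            forward.setdefault(name.lower(), addr)
            reverse.setdefault(addr, []).append(name.lower())
    return forward, reverse, problems

if __name__ == "__main__":
    fwd, rev, bad = parse_hosts(SAMPLE_HOSTS)
    print(fwd, rev, bad, sep="\n")
```

The `reverse` index shows at a glance every name that shares the loopback address in a given hosts file.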
    
     
  10. Jack Doee

    Jack Doee Member

    Joined:
    Oct 18, 2022
    Messages:
    24
    Likes Received:
    13
    That is true as far as the network address translation goes, however, in the case of a reverse DNS lookup it actually does go "the other way round" and this is why Natty is getting this "false positive". So again, because this is what's to be taken away: In your case it's all good, Natty. Nothing to worry about.
     
  11. Neflum

    Neflum Ultrasonic

    Joined:
    Apr 24, 2020
    Messages:
    56
    Likes Received:
    29
    Guys r2rdownload.com is NOT from R2R.

    There was a problem with this a few years ago and basically these were scam sites, r2r has no direct website.

    If you downloaded something from one of these websites, or if you're using those sketchy websites like freevst or wtv, and your computer is doing sketchy shit now, you should reformat your PC.

    I know some of the releases on sistersite a few years ago would tell you to block r2rdownload.com, but that wasn't because it was going to call home to it, it's because these were scam sites and they didn't want you going there.

    Under no circumstance would any vst be calling home to r2rdownload.com, they would be calling home to the manufacturer of the VST.

    Now if u gonna reformat, what I did is took an external hard drive (or USB with enough room) and slapped all my project folder, samples, and any presets/other important stuff into the external drive.

    But don't go copying all your vst's in there, do a fresh install and please ONLY download from sistersite from now on.
     
  12. madbuzzin

    madbuzzin Platinum Record

    Joined:
    Dec 1, 2021
    Messages:
    482
    Likes Received:
    202
    Just for anyone who was curious, this isn't an issue on mac....
     
  13. jarredou

    jarredou Guest

    This r2rdownload.com line added to the hosts file to block access to it was a trick from the real R2R team, it is (was?) required for some of their releases when the scam site was active.
     
  14. Neflum

    Neflum Ultrasonic

    Joined:
    Apr 24, 2020
    Messages:
    56
    Likes Received:
    29
    I know, I literally said that...
    But that wasn't because r2rdownload.com was going to be calling home. It's because those websites are scams and they didn't want you going there.

    EDIT: In other words, if it's calling home it's because something was downloaded from somewhere else than sistersite.
     
  15. DoubleTake

    DoubleTake Audiosexual

    Joined:
    Jul 16, 2017
    Messages:
    2,321
    Likes Received:
    1,242
    Although everyone ought to be ready and able to reformat at any time (that means having recent backups of EVERYTHING you do not want to lose), it's unlikely that the OP's problem is worth doing that until other faster and easier things have been done.

    For most people, telling them to reformat means days of getting things back in order.
    If you use Windows stock and only use FL Studio, well then sure, reformat at will....
     
  16. Bunford

    Bunford Audiosexual

    Joined:
    Jan 17, 2012
    Messages:
    2,529
    Likes Received:
    978
    I love me a bit of mansplaining :rofl:

    NOTE: I think you missed the point. They know what it is, just wondering why everything was trying to connect to it. The above posts about resolving of 127.0.0.1 from @Jack Doee and @Olaf explain it, so nothing to do with your explanation/misinformation or about preaching to only downloading from sister site etc. What's the AudioSex version of a Facebook Expert :rofl:
     
  17. Neflum

    Neflum Ultrasonic

    Joined:
    Apr 24, 2020
    Messages:
    56
    Likes Received:
    29
    Ok, I'm sorry if I'm wrong, I'm only trying to help. Can you clarify to me why something would be calling home to r2rdownload.com?

    I've gotten some nasty bugs in the past from this kind of shit, and am now studying cybersecurity, so I'm genuinely curious why your vsts would be calling home to a scam site if it's not r2r.

    Only trying to help.

    I would also like to know why your vsts from the real r2r are calling home to a scam site. Seems to me it would be backwards for a team that spends all its time making its releases run faster than the OG by removing several homecalling and cpu hungry key checks, that they would then have their own vsts constantly connecting to the net and calling to a website that isn't even their home.
    But idk man apparently I spend too much time on FB. (I don't even have a fb)
     
    Last edited: Dec 19, 2022
  18. Bunford

    Bunford Audiosexual

    Joined:
    Jan 17, 2012
    Messages:
    2,529
    Likes Received:
    978
    They are not calling www.r2rdownload.com. Read the above posts I referred to that answer your questions, namely....

    ...and...

    So, when any app on the system tries to call home, it searches the hosts, picks up 127.0.0.1 and translates it to a URL associated with said IP in your hosts file, in this case, www.r2rdownload.com.

    As an illustrative example, I interpret @Jack Doee and @Olaf posts as saying:

    APP > calls 127.0.0.1 to access internet > scans hosts file > finds 127.0.0.1 in hosts file > finds 127.0.0.1 associated with a URL > translates 127.0.0.1 to the associated URL, being www.r2rdownload.com > can't connect to 127.0.0.1 due to hosts block > displays error saying could not connect to www.r2rdownload.com, being the URL that 127.0.0.1 has been translated to (even though in reality the app is simply trying to connect to 127.0.0.1)
     
    Last edited: Dec 19, 2022
  19. NattyCarter

    NattyCarter Newbie

    Joined:
    Mar 3, 2020
    Messages:
    6
    Likes Received:
    0
    Thanks for the responses people.

    Literally everything I use is calling R2R - I am not bothered about that as the loopback is working fine. X-Plane, Live, NVIDIA Experience, everything lol. I am sure it is going to be a single rogue app/dll that is piggy-backing - but why the mary can't virus/malware scans see it?

    It is not causing me problems at all, and I only download from Audiosex... I am only bothered that it's a thing on my computer sitting there like a squatter lol. I am using this... https://learn.microsoft.com/en-gb/sysinternals/downloads/procmon which is a fantastic tool. I can see which app is doing the calling, and all the processes for that app, and scanned all the relative dlls to no avail.

    This is just a forensic project for me now... :)
     
  20. secretworld

    secretworld Producer

    Joined:
    Mar 7, 2018
    Messages:
    172
    Likes Received:
    83
    If you delete all r2rdownload entries from the host file and then all apps stop connecting to it, you know for a fact that @Bunford is right! Just make a backup before you do it.
     
  21. Neflum

    Neflum Ultrasonic

    Joined:
    Apr 24, 2020
    Messages:
    56
    Likes Received:
    29
    Thanks for the clarification. Why would it always show up as www.r2rdownload.com? Assuming Natty has multiple plugin hosts blocked with 127.0.0.1 , wouldn't it be changing its assumption? Does it just pick the first thing you have in your hostfile?

    Natty, what if you tried removing www.r2rdownload.com from hostfile, and see what the calls will be saying when that's not in hostfile?
     