www.r2rdownload.com calls

Discussion in 'PC' started by NattyCarter, Dec 19, 2022.

  1. jarredou

    jarredou Guest

    Add another random URL pointing to 127.0.0.1 before the r2rdownload.com one in your hosts file and see if it is also changing in procmon
     
  2. Bunford

    Bunford Audiosexual

    Joined:
    Jan 17, 2012
    Messages:
    2,529
    Likes Received:
    978
    I would assume that it is some arbitrary logic like this, where it is essentially searching for whatever the first hit in the lookup table, i.e. the hosts file, is.
     
  3. Jack Doee

    Jack Doee Member

    Joined:
    Oct 18, 2022
    Messages:
    24
    Likes Received:
    13
    Yes, that is actually a good idea, and this is exactly what they should do if they still have any doubts. If they removed this line from the hosts file, the reverse DNS would jump to a different association in the hosts file and that would be the ultimate proof that the phenomenon is a false positive caused only by the associations listed in this file and that it is completely harmless.
     
    • Like Like x 1
    • Interesting Interesting x 1
    • List
  4. NattyCarter

    NattyCarter Newbie

    Joined:
    Mar 3, 2020
    Messages:
    6
    Likes Received:
    0
    But I know the call to r2rdownload is a dodgy call... So removing it will cause other problems
     
  5. Strat4ever

    Strat4ever Rock Star

    Joined:
    Aug 17, 2019
    Messages:
    575
    Likes Received:
    362
    make a backup copy of the hosts file before attempting changes to it.
     
  6. DoubleTake

    DoubleTake Audiosexual

    Joined:
    Jul 16, 2017
    Messages:
    2,321
    Likes Received:
    1,242
    And maybe just use BlueLife Hosts Editor.
    You can uncheck to disable a line easily without opening hosts file, easily open hosts file from that GUI and etc.
    https://www.sordum.org/8266/bluelifehosts-editor-v1-4/
     
  7. DoubleTake

    DoubleTake Audiosexual

    Joined:
    Jul 16, 2017
    Messages:
    2,321
    Likes Received:
    1,242
    I don't know if someone else is controlling your account, but it seems you are spamming the SHIT out of these forums.
     
  8. Olaf

    Olaf Platinum Record

    Joined:
    Jun 5, 2011
    Messages:
    570
    Likes Received:
    244
    No, it's the other way round.
    Code:
    127.0.0.1    example.com
    127.0.0.1    google.com
    in the hosts file means that every call to example.com and google.com is resolved (i.e. "redirected") to 127.0.0.1. Calling 127.0.0.1 would not map it to anything else (it would be ambiguous anyway).
     
  9. NattyCarter

    NattyCarter Newbie

    Joined:
    Mar 3, 2020
    Messages:
    6
    Likes Received:
    0
    Well, I moved r2rdownload to the bottom, and the next re-direct in the hosts file started to appear, so yes, this is just all a red-herring, wild goose chase etc. almost makes me think it's in an infinite loop - a call to localhost diverts to r2rdownloads, which diverts to localhost...

    this whole has obviously got me chasing my tail. thanks for all the responses people!

    Natty out
     
  10. Amore_de_la_Vida

    Amore_de_la_Vida Rock Star

    Joined:
    Jul 23, 2021
    Messages:
    412
    Likes Received:
    367
    This kind of problem should deserves further analysis. For example:

    1. You could check the list of proggies, services and scripts that are executed at startup: there is several freewares for this purpose, Autoruns from Sysinternals being the most reputed and complete.
    This kind of tool is precious to determine if the things that are launched at startup are legitimate, or not.

    2. Is this problem happens all the times, or only when you launch your DAW / another proggie? Have you noted exactly what you or your system was doing when this alert appears? Have you took a look at your Task Scheduler => C:\Windows\System32\taskschd.msc ?

    3. If you think it could be a mal/adware of some sort, it could be worth trying a free anti-malware proggie like Spybot (there is many, many other free / almost free / paying anti-malwares on the market, just try several and pick the one you feel comfortable with).
    Anti malwares are very different from antiviruses, I found these very useful.

    The only thing you'll find perhaps annoying is that anti-malwares, particularly the "free" ones, have a sensible tendency to be bloated and a little invasive, so you can do like me: install one of them (important: only one at a time!), scan your system as extensively as you can, remove / inactivate any suspicious things it tells you, then uninstall it.

    The best could be to install AND uninstall it with Revo uninstaller, so that you are sure it doesn't let traces and files everywhere on your system.
     
    Last edited: Dec 21, 2022
  11. Neflum

    Neflum Ultrasonic

    Joined:
    Apr 24, 2020
    Messages:
    56
    Likes Received:
    29
    This is the part I am maybe not understanding tho.
    Why would you have something trying to call home to that website? None of the VSTs you downloaded that are from R2R would be calling to that website for any good reason, would they?

    From what I understood in this thread its not specifically calling to r2rdownload.com, so removing it from your host files would do nothing specific, other than if you opened those VSTs that were associated, maybe they're now in demo mode or something.

    If its R2R calling to that website to make sure its blocked, than the only thing that'll happen is the VSTs that we needed to add that line for would stop working, either you would need to uninstall em and reinstall after you add the line to host files again.

    Otherwise if something on your PC starts calling to that website when you remove it from host files, then you have a bigger problem here.
     
  12. Amore_de_la_Vida

    Amore_de_la_Vida Rock Star

    Joined:
    Jul 23, 2021
    Messages:
    412
    Likes Received:
    367
    I remember now! At the times, some R2R setups tested if you have blocked this site in your hosts file, or not. If you have this (old, disappeared) scam site effectively blocked, then the release accepted to work / install.

    It seems you have some R2R old releases remains on your system. I remember there was a *.cmd (= batch file) file included in all these releases, to write this scam address on your hosts file automatically. Let me search a little...

    Found it! I've searched in my file system, and found the name of the file: "R2R_IS_AGAINST_BUSINESS_WAREZ_170811.cmd".

    So to sum up: it looks like you have put this file in the wrong place, like your startup folder, or something like that. To verify that, you have to use SysInternal's Autoruns to find and suppress this entry in your startup listing.

    If the *.cmd file is not listed in Autoruns, then it's because one or several R2R's release(s) (plugin, or standalone) that you have installed keep on testing the address' blocking each time it is launched.

    The best to do in this case is to verity on sister site if there is newer versions of the old R2R's plugins you still use, uninstall the oldest plugins, and replace them with more recent versions. In this case, you will not have this problem anymore, considering that the scam site (+ a second one) in question have definitely disappeared since longtime.

    (I don't know if I've been perfectly clear, sorry for the long, clumsy sentences but English is not my native language, so I've done what I can...)
     
    Last edited: Dec 21, 2022
Loading...
Loading...