www.r2rdownload.com calls

Discussion in 'PC' started by NattyCarter, Dec 19, 2022.

  1. jarredou

    jarredou Producer

    Joined:
    Jan 25, 2017
    Messages:
    163
    Likes Received:
    105
    Add another random URL pointing to 127.0.0.1 before the r2rdownload.com one in your hosts file and see if it is also changing in procmon.
     
  2. Bunford

    Bunford Audiosexual

    Joined:
    Jan 17, 2012
    Messages:
    2,383
    Likes Received:
    933
    I would assume that it is some arbitrary logic like this, where it is essentially searching for whatever the first hit in the lookup table, i.e. the hosts file, is.
     
  3. Jack Doee

    Jack Doee Member

    Joined:
    Oct 18, 2022
    Messages:
    21
    Likes Received:
    12
    Yes, that is actually a good idea, and this is exactly what they should do if they still have any doubts. If they removed this line from the hosts file, the reverse DNS would jump to a different association in the hosts file and that would be the ultimate proof that the phenomenon is a false positive caused only by the associations listed in this file and that it is completely harmless.
     
  4. NattyCarter

    NattyCarter Newbie

    Joined:
    Mar 3, 2020
    Messages:
    6
    Likes Received:
    0
    But I know the call to r2rdownload is a dodgy call... So removing it will cause other problems
     
  5. Strat4ever

    Strat4ever Rock Star

    Joined:
    Aug 17, 2019
    Messages:
    522
    Likes Received:
    331
    Make a backup copy of the hosts file before attempting changes to it.
     
  6. DoubleTake

    DoubleTake Audiosexual

    Joined:
    Jul 16, 2017
    Messages:
    2,240
    Likes Received:
    1,210
    And maybe just use BlueLife Hosts Editor.
    You can uncheck a line to disable it easily without opening the hosts file, easily open the hosts file from that GUI, etc.
    https://www.sordum.org/8266/bluelifehosts-editor-v1-4/
     
  7. DoubleTake

    DoubleTake Audiosexual

    Joined:
    Jul 16, 2017
    Messages:
    2,240
    Likes Received:
    1,210
    I don't know if someone else is controlling your account, but it seems you are spamming the SHIT out of these forums.
     
  8. Olaf

    Olaf Platinum Record

    Joined:
    Jun 5, 2011
    Messages:
    558
    Likes Received:
    238
    No, it's the other way round.
    Code:
    127.0.0.1    example.com
    127.0.0.1    google.com
    in the hosts file means that every call to example.com and google.com is resolved (i.e. "redirected") to 127.0.0.1. Calling 127.0.0.1 would not map it to anything else (it would be ambiguous anyway).
     
  9. NattyCarter

    NattyCarter Newbie

    Joined:
    Mar 3, 2020
    Messages:
    6
    Likes Received:
    0
    Well, I moved r2rdownload to the bottom, and the next redirect in the hosts file started to appear, so yes, this is just all a red herring, wild goose chase etc. Almost makes me think it's in an infinite loop - a call to localhost diverts to r2rdownloads, which diverts to localhost...

    This whole thing has obviously got me chasing my tail. Thanks for all the responses, people!

    Natty out
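
Added example (not part of any post in this thread, and not code from Windows or Process Monitor): a small model of why moving a line in the hosts file changes the name shown for 127.0.0.1 while the block itself stays in place. It assumes, as the posts above suggest, that the monitoring tool labels an address with the first hosts entry mapped to it; the function names and the sample file are constructed for illustration.

```python
# Added example: a model of the behaviour discussed in the thread, not code
# from Windows, Process Monitor or any release mentioned here.

# Constructed sample hosts content (hostnames taken from the posts above).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1    r2rdownload.com
127.0.0.1    example.com    # another blocked name
127.0.0.1    google.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries

def forward_lookup(entries, hostname):
    """Name -> address: the only direction the hosts file defines."""
    wanted = hostname.lower().rstrip(".")
    return next((ip for ip, name in entries if name == wanted), None)

def reverse_label(entries, ip):
    """Address -> display name. ASSUMPTION: the tool shows the first hosts
    entry that maps to the address, as the posts above suggest."""
    return next((name for entry_ip, name in entries if entry_ip == ip), None)

def move_to_bottom(text, hostname):
    """Repeat the experiment from the thread: move the hostname's line last."""
    keep, moved = [], []
    for line in text.splitlines():
        names = [n.lower() for n in line.split("#", 1)[0].split()[1:]]
        (moved if hostname.lower() in names else keep).append(line)
    return "\n".join(keep + moved) + "\n"

if __name__ == "__main__":
    before = parse_hosts(SAMPLE_HOSTS)
    after = parse_hosts(move_to_bottom(SAMPLE_HOSTS, "r2rdownload.com"))
    print("label before:", reverse_label(before, "127.0.0.1"))
    print("label after: ", reverse_label(after, "127.0.0.1"))
    print("still blocked:", forward_lookup(after, "r2rdownload.com"))
```

The label changes with file order, but the forward lookup for the blocked name returns 127.0.0.1 in both cases, so the displayed hostname alone says nothing about where loopback traffic is going.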
     
  10. Amore_de_la_Vida

    Amore_de_la_Vida Rock Star

    Joined:
    Jul 23, 2021
    Messages:
    412
    Likes Received:
    364
    This kind of problem deserves further analysis. For example:

    1. You could check the list of proggies, services and scripts that are executed at startup: there are several freeware tools for this purpose, Autoruns from Sysinternals being the most reputed and complete.
    This kind of tool is precious to determine if the things that are launched at startup are legitimate, or not.

    2. Does this problem happen all the time, or only when you launch your DAW / another proggie? Have you noted exactly what you or your system was doing when this alert appears? Have you taken a look at your Task Scheduler => C:\Windows\System32\taskschd.msc ?

    3. If you think it could be a mal/adware of some sort, it could be worth trying a free anti-malware proggie like Spybot (there are many, many other free / almost free / paying anti-malwares on the market, just try several and pick the one you feel comfortable with).
    Anti malwares are very different from antiviruses, I found these very useful.

    The only thing you'll find perhaps annoying is that anti-malwares, particularly the "free" ones, have a sensible tendency to be bloated and a little invasive, so you can do like me: install one of them (important: only one at a time!), scan your system as extensively as you can, remove / inactivate any suspicious things it tells you, then uninstall it.

    The best could be to install AND uninstall it with Revo uninstaller, so that you are sure it doesn't leave traces and files everywhere on your system.
     
    Last edited: Dec 21, 2022
  11. Neflum

    Neflum Ultrasonic

    Joined:
    Apr 24, 2020
    Messages:
    56
    Likes Received:
    29
    This is the part I am maybe not understanding though.
    Why would you have something trying to call home to that website? None of the VSTs you downloaded that are from R2R would be calling to that website for any good reason, would they?

    From what I understood in this thread it's not specifically calling to r2rdownload.com, so removing it from your host files would do nothing specific, other than if you opened those VSTs that were associated, maybe they're now in demo mode or something.

    If it's R2R calling to that website to make sure it's blocked, then the only thing that'll happen is the VSTs that we needed to add that line for would stop working, either you would need to uninstall em and reinstall after you add the line to host files again.

    Otherwise if something on your PC starts calling to that website when you remove it from host files, then you have a bigger problem here.
     
  12. Amore_de_la_Vida

    Amore_de_la_Vida Rock Star

    Joined:
    Jul 23, 2021
    Messages:
    412
    Likes Received:
    364
    I remember now! At the time, some R2R setups tested whether or not you had blocked this site in your hosts file. If you had this (old, disappeared) scam site effectively blocked, then the release accepted to work / install.

    It seems you have remains of some old R2R releases on your system. I remember there was a *.cmd (= batch file) file included in all these releases, to write this scam address to your hosts file automatically. Let me search a little...

    Found it! I've searched in my file system, and found the name of the file: "R2R_IS_AGAINST_BUSINESS_WAREZ_170811.cmd".

    So to sum up: it looks like you have put this file in the wrong place, like your startup folder, or something like that. To verify that, you have to use Sysinternals Autoruns to find and suppress this entry in your startup listing.

    If the *.cmd file is not listed in Autoruns, then it's because one or several R2R release(s) (plugin, or standalone) that you have installed keep on testing the address's blocking each time they are launched.

    The best thing to do in this case is to verify on the sister site if there are newer versions of the old R2R plugins you still use, uninstall the oldest plugins, and replace them with more recent versions. In this case, you will not have this problem anymore, considering that the scam site (+ a second one) in question has definitely disappeared a long time ago.

    (I don't know if I've been perfectly clear, sorry for the long, clumsy sentences but English is not my native language, so I've done what I can...)
     
    Last edited: Dec 21, 2022