app57.logmein etc.

Early in 2011 I downloaded LogMeIn and signed up for an account. However, I later decided not to use LogMeIn and I uninstalled the software on January 11, 2011.

Just recently (August, 2011) I signed up for a service (OpenDNS) that, among its other features, allows me to see which domains my computer is contacting throughout the day. I was astonished to see multiple requests for logmein.com.

The actual domain names look like this:

app57.logmein.com
app59.logmein.com
app04-05.logmein.com
app04-09.logmein.com, and so on.

All these domain names seem to be legitimately associated with LogMeIn. I checked my computer quite carefully, and I'm very sure that LogMeIn was completely uninstalled. I also scanned my computer for malware with Norton Power Eraser (also Malwarebytes), finding no infections.

My first reaction was: someone is accessing my wireless network. That's quite unlikely, since my network is protected by WPA2/AES encryption, and my network password is un-crackable. (Plus, I live in the far-out suburbs.) And yet, my computer continues to attempt to contact these domains.

This leads me to two possible conclusions: despite my efforts, someone has hacked into my computer and/or into my network; or, some legitimate application is accessing logmein for a legitimate purpose.

Does this sound familiar to anyone?

Replies


Re: app57.logmein etc.


Hi,

It doesn't sound familiar but I do have a question. Are these attempts by your computer to contact logmein or are they from logmein trying to make contact with your system to tell you about updates, upgrades, new products, etc.?

If they are from your computer then the last place you might have some bits and pieces of the program is in the registry. Edit at your peril and be very sure to make a full backup of it BEFORE you start playing in that sand box.

Dick Win 10x64 current current NSBU

Re: app57.logmein etc.

OpenDNS is a public DNS server, so the domains listed are domains for which IP addresses have been requested. IOW, my computer is attempting to connect to these domains.

Unfortunately, there are no references in the registry to LogMeIn. One thing I am able to do with OpenDNS is to block my computer from accessing logmein.com. I could try that and see if it breaks something.


Re: app57.logmein etc.

Sounds like a plan to me. Let's hope nothing breaks, we just want to bend it a bit in our direction so we can see what's going on and why.

Keep us in the loop

Dick Win 10x64 current current NSBU

Re: app57.logmein etc.

Hello Bulldoggy

Perhaps the information in this link will help you. According to this site, there is something in the registry having to do with LogMeIn. If you are going to do anything with the registry, first back it up and don't do anything with it unless you know what you are doing.

You can also check the firewall and make sure that LogMeIn isn't listed under the programs allowed. If you have used system restore, you may have restored part of the program also.

http://community.logmeinrescue.com/t5/Free/MANUAL-UNINSTALL/td-p/18918

Please come back and let us know how you made out. Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: app57.logmein etc.

A progress report: No resolution yet, but I did learn that the various forms of the logmein.com domain (app59.logmein.com, app04-09.logmein.com, etc.) are simply gateway servers that LogMeIn uses for load balancing. In other words: they're all logmein.com.

Something on my network is trying to contact logmein.com. Now I need to find out what (or who) is doing it.

Using OpenDNS I blocked access to logmein.com, so hopefully that will generate error messages that might help me.


Re: app57.logmein etc.

Another update, for anyone still following:

The DNS requests are definitely coming from my computer, and not from my WLAN. (IOW, my network is not hacked.)

The DNS requests are being made even when my browsers are not open. So far I'm not able to identify which process is making the request. That's proving to be very difficult.

Two scans for rootkits (Sophos and GMER) turned up nothing.

All this is leading me to suspect that the DNS requests are not coming from malicious software, but rather from legitimate software that I installed on my computer. If I can just find a way to see which process is making the requests, I'm sure I'd have a solution.


Re: app57.logmein etc.

Hello Bulldoggy

Have you recently called any support centers like your ISP or other product support centers? Many support centers use programs like LogMeIn.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: app57.logmein etc.

Hi Bulldoggy,

Use the free TCPView from Microsoft / Sysinternals to see what processes have active internet connections.

http://technet.microsoft.com/en-us/sysinternals/bb897437


Re: app57.logmein etc.

Thanks to you both for your suggestions.

Support centers are supposed to ask before installing LogMeIn (or similar utilities); to the best of my memory no support center has installed LogMeIn and the application is not currently on my machine.

TCPView does indeed show what processes have active internet connections, but it doesn't tell me which internet connections are DNS queries. With Wireshark I can see the DNS queries, but Wireshark doesn't tell me which processes are initiating the queries.

I think the problem I'm having in identifying the culprit comes down to this: IIUC, most processes don't directly query the DNS server. Instead, they query Windows' own internal hostname resolver, and if that doesn't have a match then the resolver initiates a query to the DNS server. So there may be no easy way to identify which process is trying to reach logmein and everquest...unless I kill off processes one by one until the queries stop.

<sigh> I wish I was infected by malware...at least I'd know what hit me.
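The resolver problem described in the post above is real: on Windows the DNS Client service issues the query on behalf of the calling program, so TCPView and Wireshark only ever see svchost.exe on port 53. One defender-side way to recover the originating executable is Sysmon's DNS query event (Event ID 22), which records the image path, PID and queried name. This is an added example, not code from the thread; it assumes Sysmon 10 or later is installed with DNS query logging enabled, an elevated PowerShell prompt, and the domains from the thread as the default filter.

```powershell
# Added example: attribute DNS lookups to the process that asked for them,
# using Sysmon Event ID 22 (DnsQuery) instead of packet-level tools.
# Assumption: Sysmon >= 10 with DNS logging enabled; run elevated.
param(
    [string[]]$Domains   = @('logmein.com', 'everquest.com'),  # names from the thread
    [int]     $MaxEvents = 5000                                 # newest events to inspect
)

# Sysmon writes its events to its own operational log; Id 22 is DnsQuery.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

$hits = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data> nodes; flatten to a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $query = $data['QueryName']
    # Match the queried name (or any subdomain, e.g. app57.logmein.com) against the filter.
    if ($Domains | Where-Object { $query -like "*$_" }) {
        [pscustomobject]@{
            Time    = $data['UtcTime']
            Process = $data['Image']        # full path of the executable that asked
            Pid     = $data['ProcessId']
            Query   = $query
            Results = $data['QueryResults'] # answers returned (empty if blocked/NXDOMAIN)
        }
    }
}

# Summarise which executable asks for which name, most frequent first.
$hits | Group-Object Process, Query | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If the log is empty, confirm the Sysmon configuration actually contains a DnsQuery rule; Sysmon does not log DNS events unless the configuration enables them.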


Re: app57.logmein etc.

Alright...I've got more information, courtesy of Wireshark, that I'd like to share:

1- The DNS queries are definitely coming from my computer.

2- The source port is different every time, but always in the upper range of port numbers (50000 and up). For instance, the source ports are 58620, 62544, 56138, 54596, 52952, 57794, etc. This might be an attempt to prevent me from stopping this activity by setting a firewall rule. I would have to block every port from 50000 and up.

I still haven't identified the process that's doing this, nor can I understand why something or someone would be making literally thousands of DNS queries a day for logmein.com and patch.everquest.com.


Re: app57.logmein etc.

Hello Bulldoggy

I assume you don't play the game Ever Quest??

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: app57.logmein etc.

<lol> No, I'm no gamer. (Nothing wrong with being a gamer, though.)

Everquest, or parts of it, might have made it onto my PC in other ways, I suppose. For example, it could have arrived - without my knowledge or consent - in the software for my video card, or with some other software. I've tried searching for it on my hard drive, but no luck.

What really puzzles me is this: Why is something (or somebody) using my computer to make thousands of DNS queries every day? Doesn't make sense. DDOS attack on a DNS server? Nah...that's silly.


Re: app57.logmein etc.

Last update: Still no resolution, but I did add the affected domains to my Hosts file and pointed them to 127.0.0.1 so at least the DNS queries have stopped.


Re: app57.logmein etc.

The replies to the DNS queries should be showing as remote port 53 in TCPView. That should reveal the application making the request.