I keep getting these svchost.exe connect attempts every 10 minutes to armdl.adobe.com. I tightened up Norton's outbound firewall rules a while back to block everything except DNS, HTTP/S, WIN time servers, and FTP.
I have removed everything Adobe and Macromedia based on my PC and scrubbed the registry and everything related to those two on my HDD, yet these firewall alerts appear every 10 mins.
Any help would be greatly appreciated.
Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
2/12/2011 3:25 PM,Info,"Rule \"svchost.exe Block All TCP/UDP\" blocked (armdl.adobe.com (209.18.38.50), Port www-http(80) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities
armdl.adobe.com is the domain name for NTT-COMMUNICATIONS-2914 - NTT America, Inc.
OrgName: NTT America, Inc.
OrgId: NTTAM-1
Address: 8005 South Chester Street
Address: Suite 200
City: Centennial
StateProv: CO
Not really. The IP addresses it uses are all over the place.
I know of no reason why this should be "dialing out" every 10 minutes, especially with no Adobe software installed. It also fires up immediately at boot time and, interestingly, right before Norton's intrusion protection is enabled.
At least I had the foresight to tighten up Norton firewall outbound rules.
I have uninstalled and thoroughly cleaned all references of Adobe and Macromedia on my PC. All program files, Registry and prefetch references have been deleted. I even went through every reference of svchost.exe in the Registry trying to find a reference to armdl.adobe.com. I ran a full hard drive WIN Explorer text scan for armdl.adobe.com. ZIP - nothing found.
There are no refs in msconfig or registry run keys to it.
I have run SysInternals Process Explorer looking for anything amiss in all svchost.exe active processes. Zip. I also ran Neuber's Svchost Analyzer and do have two that were flagged as "access denied - requires admin privileges." I run as an admin. Don't know what to make of those but suspect they are related to IS 2011?
I gave up and restored with a week old image I had.
Before restoring though, I did do some more work with Process Explorer and didn't like what I saw. I observed code injected into qmgr.dll that is used by svchost.exe -netsvc. I compared image to memory and observed references to http: Adobe URLs that were not present in the image.
Web references point to two possible causes: either a busted Adobe Reader update or a keylogger. I lean toward the keylogger since this turkey was dialing out every 10 minutes to numerous different IP addresses.
After image restore, I added a block rule to svchost.exe for http://armdl.adobe.com and have not received any log entries for the block which is a relief.
Hmmm. Clicking on the link provides a 404 error. Access to the server denied. It will be interesting to see if there are any connection difficulties and with what app.
Thought I would continue this thread since the Adobe updater reared its ugly head again today and I was able to trace what was going on.
Booted today and a slew of blocked svchost.exe messages appeared in the firewall log. All are for a connect to armmf.adobe.com at 69.192.51.235. Now that IP is Akamai, which is a "safe" server farm for the most part. That is not to say it cannot be used for adware purposes and the like.
I checked running processes and, lo and behold, adobe.arm is running. So he is the culprit, maybe... When I had my previous problem, everything Adobe was uninstalled.
So why would a legit updater be using svchost.exe to connect out? Talk about giving away the store.
So what does Norton firewall do? It changes my custom rule I had set up for adobe.arm to auto and then lets it connect! Friggin' unbelievable!
Now adobe.arm's suspicious behavior is nothing new to me. I tracked it over a year ago and what I saw was all bad. Very bad.
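Tracing an alert like the ones above from svchost.exe back to the hosted Windows service and to the BITS job that actually owns the download is the check that would have shortened this thread. The script below is an added example, not code from the thread or from Adobe or Norton; it assumes Windows 8 / PowerShell 4 or later for Get-NetTCPConnection (on Windows 7 read the same PID column from "netstat -ano"), an elevated prompt, and that the updater binary is named AdobeARM.exe; the host names come from the firewall log lines quoted above.

```powershell
# Added example: map a svchost.exe firewall alert to the service behind it
# and to any BITS job whose remote URL matches the alerted host.
# Assumes PowerShell 4+ and an elevated session (-AllUsers needs admin).
Import-Module BitsTransfer

# Host names from the firewall log entries quoted in the thread.
$alertHosts = 'armdl.adobe.com', 'armmf.adobe.com'

# 1. Which services live in which svchost.exe instance (like "tasklist /svc").
$hosted = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 -and $_.PathName -like '*\svchost.exe*' } |
    Group-Object ProcessId |
    ForEach-Object { $hosted[[int]$_.Name] = ($_.Group.Name -join ', ') }

# 2. Outbound connections owned by svchost processes, with the hosted services.
#    A connection attributed to the instance hosting BITS points at a job owner,
#    not at svchost.exe itself.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object {
        $hosted.ContainsKey([int]$_.OwningProcess) -and
        $_.RemoteAddress -notin @('0.0.0.0', '127.0.0.1', '::', '::1')
    } |
    Select-Object OwningProcess, RemoteAddress, RemotePort, State,
        @{ Name = 'Services'; Expression = { $hosted[[int]$_.OwningProcess] } } |
    Format-Table -AutoSize

# 3. Every BITS job on the machine with its owner and remote URLs. Adobe ARM
#    queues its downloads through BITS (qmgr.dll inside svchost.exe), which is
#    why the firewall blames svchost.exe rather than the updater.
$jobs = Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, OwnerAccount, JobState, CreationTime,
        @{ Name = 'RemoteUrls'
           Expression = { ($_.FileList | ForEach-Object { $_.RemoteName }) -join '; ' } }
$jobs | Format-Table -AutoSize -Wrap

# 4. Flag only the jobs that talk to the alerted hosts.
$pattern = ($alertHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$suspect = $jobs | Where-Object { $_.RemoteUrls -match $pattern }
if ($suspect) {
    Write-Host "BITS jobs targeting $($alertHosts -join ', '):" -ForegroundColor Yellow
    $suspect | Format-List
}

# 5. The scheduled task that re-creates those jobs after every reboot
#    (assumed binary name AdobeARM.exe; adjust if the task is named differently).
schtasks /query /fo LIST /v | Select-String -Pattern 'AdobeARM' -Context 0, 2
```

Step 4 is the decisive one: a BITS job owned by the logged-in user whose remote URL is one of the alerted hosts is the updater, while an outbound svchost.exe connection with no matching job and no hosted service that should be talking to the internet is what warrants the deeper memory inspection described earlier in the thread.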