Mysterious repeated outgoing internet connection


7 replies to this topic

#1 kmart92

  • Members
  • 3 posts

Posted 19 May 2015 - 11:53 AM

Hi.
 
I am a new member and not really sure whether this post belongs here in the Windows 7 forum or in the Am I Infected forum.  I have a desktop PC running Windows 7 and I am using ESET Smart Security for my antivirus & firewall.  Starting within the last week or so, I have been getting firewall popups about an attempted outgoing connection.  The popups tell me the application attempting to connect is "System" and that it is always attempting to connect to the same external address (208.91.197.27) using the GRE & ESP protocol.
 
I haven't installed any new software in the last week with the exception of running Windows Update.  I tried to do some research about these protocols but all I could understand was that they are some type of tunneling protocols usually involving VPN connections.  I've also tried a few methods for monitoring/showing my internet connections to see if I could determine what is trying to make a connection but I haven't had any success.
 
Any ideas what could be causing this?  Or ideas on how I can track down the source of these attempted connections?  I know I can create a permanent rule to block these connections and then wait and see if that seems to cause any problems but I thought I might try to get a better understanding of what is behind it first.
 
Thanks.

Edit: Topic moved from Windows 7 to the more appropriate forum. ~ Animal
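
An added example, not part of the original thread: GRE and ESP are IP protocols 47 and 50 and ride directly on IP with no TCP or UDP ports, so port-based connection listings do not show them. The Python below decodes the IPv4 header of captured packets and counts GRE/ESP/AH packets per destination; the packets are constructed sample data, and 192.168.1.10 and 198.51.100.7 are assumed addresses.

```python
import socket
import struct
from collections import Counter

# IANA IP protocol numbers (the Protocol byte of the IPv4 header).
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
PORTLESS = {"GRE", "ESP", "AH"}  # carried directly over IP, no ports
HEADER = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header

def parse_ipv4(packet):
    """Decode the IPv4 header and, for TCP/UDP only, the port numbers."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = HEADER.unpack(packet[:HEADER.size])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 packet")
    info = {"proto": IP_PROTOCOLS.get(proto, str(proto)), "sport": None,
            "dport": None, "dst": socket.inet_ntoa(dst)}
    if proto in (6, 17) and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info

def summarize_tunnels(packets):
    """Count GRE/ESP/AH packets per (protocol, destination address)."""
    hits = Counter()
    for raw in packets:
        try:
            p = parse_ipv4(raw)
        except ValueError:
            continue  # skip malformed or truncated captures
        if p["proto"] in PORTLESS:
            hits[(p["proto"], p["dst"])] += 1
    return hits

def build_packet(proto, src, dst, payload=b""):
    """Build a sample IPv4 packet (checksum left at 0; test data only)."""
    return HEADER.pack(0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample capture; LAN and WEB are assumed addresses.
LAN, WEB, PARKED = "192.168.1.10", "198.51.100.7", "208.91.197.27"
SAMPLE = [build_packet(47, LAN, PARKED, b"\0" * 8),
          build_packet(50, LAN, PARKED, b"\0" * 8),
          build_packet(6, LAN, WEB, struct.pack("!HH", 49152, 443)),
          build_packet(47, LAN, PARKED, b"\0" * 8),
          b"\x45\x00"]  # last entry is deliberately truncated

if __name__ == "__main__":
    print(dict(summarize_tunnels(SAMPLE)))
```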



#2 dc3

    Bleeping Treehugger

  • Members
  • 30,714 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 19 May 2015 - 02:29 PM

That is indeed interesting.  http://whois.domaintools.com/208.91.197.27


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 zcomputerwiz

  • Members
  • 312 posts
  • Gender:Male

Posted 19 May 2015 - 02:48 PM

That IP address is the parked domain server by Confluence Networks for Network Solutions.

Whatever program it is, the domain it used to connect to has expired.

 

The folks in the 'Am I Infected' forum would probably have a good idea of where to start digging.


Have you tried turning it off and on again?


#4 dc3

Posted 19 May 2015 - 02:57 PM

Please run Malwarebytes AntiMalware
 
Please download Malwarebytes Anti-Malware.  After clicking on the link the download will start automatically.
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
 
2)  Malwarebytes will automatically open.  If this is the first time you have run this version of Malwarebytes you will see an image like the one below.
 
mbam1_zps95cc812c.png
 
Click on Update Now, after Malwarebytes is updated click on Scan.
 
If this isn't the first time you have run this version, then you will see an image like the one below.  Click on Scan
 
mbam1_zps98e7fba9.png
 
You will be prompted to update Malwarebytes, to do so click on Update Now.
 
 mbam2_zps85f38f0c.png
 
3)  The scan will automatically run now.
 
malwarerun_zps9abd4ef1.png
 
4)  When the scan is complete the results will be displayed.  Click on Delete All.
 
malwarenew_zps34b58fdc.png
 
5)  Please post the Malwarebytes log.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.
 
==========
 

Please download and install Emsisoft.
 
1.  When Emsisoft opens click on Update.
 
emsisoft6_zpsace019ac.png
 
2.  Click on Full Scan.
 
emsisoft7_zps9186dacd.png
 
3.  After the scan has completed the results will be displayed.  Make sure there is a check in the box of each item found, then click on Quarantine.
 
emsisoft9_zpsf493a30a.png
 
4.  After the items have been quarantined click on OK.
 
emsisoft10_zpscd89d5de.png
 
5.  After the quarantine has been completed click on Logs.
 
emsisoft11_zps7f976399.png
 
6.  Click on Export and save the log to a location which you will be able to find and open.  Open the log, copy and then paste the log in your topic.
 
emsisoft12_zpsb7365391.png
 
 



#5 kmart92

Posted 20 May 2015 - 12:23 PM

Hi dc3.

 

Neither of those scanners found anything.

 

Malwarebytes log:

 

Quarantined Items:
===================
===============================================================
END OF FILE

 

 

And Emsisoft wouldn't allow me to export a log since the Quarantine is empty.

 

So this brings me back to thinking it is something that got installed or changed when I ran Windows update.  I can go to my update history and then remove/uninstall each of the updates that was installed during the most recent update.  But if that does work and I don't see the attempted connections after that it is going to be a little bit of a pain to identify the specific update that is the cause because 28 updates were installed on the same day.  If this is coming from an official update it seems strange that no one else has noticed this behaviour but perhaps most people have their firewalls configured to automatically allow "System" connections?  I've temporarily modified my firewall setup to log all blocked connections so perhaps I will find more information in the logs after awhile.

 

 



#6 dc3

Posted 20 May 2015 - 12:31 PM

Please run AdwCleaner
 
Please download AdwCleaner and install it.
 
When AdwCleaner opens you will see an image like the one below.
 
adwcleaner11_zps48314883.png
 
Click on Scan to start the scan.
 
Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.  
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and then paste this log in your topic.



#7 kmart92

Posted 20 May 2015 - 01:22 PM

AdwCleaner didn't really find anything either, except a data folder that I think was left over from the installation of my printer software.

 

# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Kmart\AppData\LocalLow\HPAppData

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17801


-\\ Mozilla Firefox v37.0.2 (x86 en-US)


-\\ Google Chrome v41.0.2272.101


*************************
 



#8 dc3

Posted 20 May 2015 - 02:36 PM

I don't see anything which indicates an infection.  But there are tools which can't be run in this forum.  For this reason you will need to open another topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

 
Before posting your topic you will need to read and follow the instructions in the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.
 
The members of the Malware Response Team who respond to these topics are constantly inundated due to the high volume of requests for help in this forum.   For this reason it may take a couple of days before a Team member may be able to get to your topic.  
 
Do not add anything or bump your topic once you have posted your log.  The Malware Removal Team members look for topics which have not been addressed, if you post any additional information it will make it appear that the topic is being addressed.
 
After you have posted your new topic a Moderator will close this topic.  If it is determined that there is a software or hardware problem after cleaning the infection you can contact a Moderator to have this topic reopened.
