Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

"suspicious incoming network connections"


  • This topic is locked This topic is locked
5 replies to this topic

#1 qlarney1

qlarney1

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:19 AM

Posted 15 May 2017 - 01:26 AM

Hello,

I'm having a question regarding the "suspicious incoming network connections" that are being blocked by my McAfee firewall every minute, which are coming from the addresses such as 52.42.186.158   (ec2-52-42-186-158.us-west-2.compute.amazonaws.com) using random TCP ports such as 49797.

 

+ once in a while I got the warning from the McAfee that my web browser (firefox)  tried to connect to   someweirdsite.ru .

 

What started the issue? -  Lately, I was having a problem with the maleware, had to do the boot-time scan and run malewarebytes and McAfee to solve the issue. (These maleware programs were defined as PUP's by the McAfee) I attach the logs of scans below.

 

I would like to ask you how to resolve the issue and if it is a potential threat, how to deal with it?( Currently, McAfee and Malewarebytes nor Stinger or Anti-Rootkit can find any problems. My computer seems to be clear.) I attach as well the hijackthis.log

 

Thanks a lot

 

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,942 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:19 PM

Posted 16 May 2017 - 08:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.
=======

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs.

Wait for further instructions.

p.s.
HijackThis is no longer supported and not ready for your Operating system.
I suggest your remove via the Control panel > Programs > Programs and Features.
Use the Farbar tool from now on to report problems.
<<<>>>

#3 qlarney1

qlarney1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:19 AM

Posted 16 May 2017 - 11:11 AM

Thank you for your response. Below I attach the logs.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,942 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:19 PM

Posted 16 May 2017 - 12:58 PM

Please run the RogueKiller tool and delete these 3 entries.

[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23} -> Found
[PUP.Gen0|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A21DE3EA-10CA-4BFA-B823-AC54820141CB} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\chroomium Browser\chroomium\chrome.exe|Name=Chrome Browser|Desc=Chrome Browser| [x] -> Found
[PUP.Gen0|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A32A5FA9-ECBD-4528-A597-391472A42C35} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\chroomium Browser\chroomium\bin\browserServer.exe|Name=Chrome Server|Desc=Chrome Server| [x] -> Found

===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Wireshark 2.2.6 (64-bit) (HKLM-x32\...\Wireshark) (Version: 2.2.6 - The Wireshark developer community, hxxps://www.wireshark.org)
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-187171473-3257716872-3346859518-1001\...\Policies\Explorer: []
SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S3 mfeavfk01; \Device\mfeavfk01.sys [X]

CustomCLSID: HKU\S-1-5-21-187171473-3257716872-3346859518-1001_Classes\CLSID\{6A221957-2D85-42A7-8E19-BE33950D1DEB}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe => No File
CustomCLSID: HKU\S-1-5-21-187171473-3257716872-3346859518-1001_Classes\CLSID\{7DE1BE5C-CEBA-4F1D-ACBC-9CE11EE9A2A1}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe /Automation => No File
CustomCLSID: HKU\S-1-5-21-187171473-3257716872-3346859518-1001_Classes\CLSID\{BD0DEB94-63DB-4392-9420-6EEE05094B1F}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe /Automation => No File
Task: {775EF58D-9193-40A0-9A55-53E568E4CEA4} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
C:\Windows\AutoKMS

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on menu icon google-chrome-setting-icon.png which is located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates remove these old version(s) via the Control Panel > Programs > Programs and Features.
Java 7 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217051FF}) (Version: 7.0.510 - Oracle)
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)

Please let me know what problem persists with this computer.

#5 qlarney1

qlarney1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:19 AM

Posted 17 May 2017 - 04:27 AM

Let me start saying that after running the FRST I got a huge problem. I ran the program with copied content, computer restarted and something happened to the laptop screen. It boots but It doesn't light up any more and it remains black. You can barely see something. As if something bad happened to the display software. The only way to see anything is to use a very strong torch to light up the screen. But even thought it's hard to notice a thing. Can you relate to that? I don't know what happened.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,942 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:19 PM

Posted 17 May 2017 - 08:27 AM

We did not remove anything impacting the Video.

I suspect that you have some hardware problems.

Start the computer in safe mode.

Press the F4 key on your keyboard, to enable Safe Mode, F5 to enable Safe Mode with Networking and F6 to enable Safe Mode with Command Prompt. Windows 8 and Windows 8.1 now boot according to the setting you selected.
Read the next page in this guide for another three ways of booting into Safe Mode.

You will find addition information on this page.
http://www.digitalcitizen.life/5-ways-boot-safe-mode-windows-8-windows-81

---

This link may be a good place to start trouble shootidng the issue.
https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/black-screen-windows-81-before-login/add6ecec-b0f4-4d84-bc37-134615ff4da3

Keep me posted.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users