Infected by some unknown malware?


This topic is locked
3 replies to this topic

#1 roy7

Posted 05 December 2017 - 11:08 PM

While doing some programming on a remote site tonight, I discovered that
any time I'd access a URL in my browser, within a few minutes afterwards
another request would go there, but from Amazon and not from me. I thought
maybe it was my virus software from Trend Micro, or my Malwarebytes
software. I tried turning both off though and the behavior continued.

The remote requests to the remote server were coming from 52.27.2.86,
50.112.194.65 and maybe some others I didn't note at the time.

On my home computer, if I load a web link like:

http://zero.sjeng.org/best-network-hash

which is hosted in Germany I believe and just returns a simple text
response, Wireshark shows there are also instant connections opened to
54.209.152.144 which is also at Amazon.

I've run Trend and Malwarebytes and Microsoft Safety Scanner and they find nothing.
But it concerns me that any time I access the web, data is being sent to the
Amazon data center immediately, and that requests shortly thereafter will
go from Amazon out to the remote web sites I'm visiting, copying my URLs.

For instance, some specific URLs I loaded during my testing were, a while later,
accessed from 54.85.182.120 which is also at the Amazon data center. This IP
reverse lookups to nat-service2.aws.kontera.com.

To eliminate Trend Micro Toolbar as the cause I tried Edge, Firefox, and Chrome,
all with the same results. Instant connects to Amazon open up when I load web pages,
and at least for the limited testing I can do, URLs I go to are being downloaded
by the data center as well, within a few minutes.

I ran the FRST tool as directed by the forum instructions. I also saw someone needed
to run DDS so I'm tossing that in as well.

Edited by roy7, 05 December 2017 - 11:40 PM.
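The check the post above describes, done by hand against a server the poster controlled, automated as an added example (this is not code from the thread, from BleepingComputer, or from any product named in it): read the remote site's access log, list every request from a different address that repeats a path the poster's own IP fetched shortly before, and count which addresses do it. The log lines, the addresses (203.0.113.7 standing in for the poster's own IP, 198.51.100.23 for the follow-on fetcher) and the user agents are constructed for the example. The canary-path helper is an addition of mine: a random, unlinked path that no crawler could discover, so a second fetch of it can only mean the URL left the poster's machine.

```python
import re
import secrets
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Every IP, path and user agent here is made up for the example; the
# "ExampleLinkScanner" from 198.51.100.23 stands in for the follow-on
# fetches the poster saw arriving from Amazon-hosted addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2017:22:31:04 +0000] "GET /best-network-hash HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0"
198.51.100.23 - - [05/Dec/2017:22:33:41 +0000] "GET /best-network-hash HTTP/1.1" 200 65 "-" "Mozilla/5.0 (compatible; ExampleLinkScanner/1.0)"
203.0.113.7 - - [05/Dec/2017:22:35:10 +0000] "GET /networks/abc123.gz HTTP/1.1" 200 1048576 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0"
203.0.113.7 - - [05/Dec/2017:22:40:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0"
198.51.100.23 - - [05/Dec/2017:22:44:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleLinkScanner/1.0)"
192.0.2.55 - - [06/Dec/2017:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.55.1"
"""

# One "combined" log line: client ip, timestamp, request line, status,
# size, referer, user agent.  Lines that do not match are skipped.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield (ip, timestamp, path, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path"), m.group("ua")


def find_url_echoes(text, my_ip, window_seconds=600):
    """Return (path, follower_ip, delay_seconds, user_agent) for every request
    from an address other than my_ip that repeats a path my_ip fetched at
    most window_seconds earlier.  Requests are processed in time order."""
    my_fetches = {}  # path -> times my_ip requested it
    echoes = []
    for ip, ts, path, ua in sorted(parse_log(text), key=lambda r: r[1]):
        if ip == my_ip:
            my_fetches.setdefault(path, []).append(ts)
            continue
        for t0 in my_fetches.get(path, []):
            delay = (ts - t0).total_seconds()
            if 0 <= delay <= window_seconds:
                echoes.append((path, ip, int(delay), ua))
                break  # one echo per follow-on request is enough
    return echoes


def followers_by_ip(echoes):
    """How many of my URLs each follow-on address re-fetched."""
    return Counter(ip for _, ip, _, _ in echoes)


def make_canary_path(prefix="/canary-"):
    """Unguessable path to load exactly once from the browser under test.
    Nothing links to it, so a second fetch of it from another address
    proves the URL was exported from the client side (browser extension,
    security product, proxy), not discovered by crawling."""
    return prefix + secrets.token_urlsafe(16)


if __name__ == "__main__":
    echoes = find_url_echoes(SAMPLE_LOG, "203.0.113.7")
    for path, ip, delay, ua in echoes:
        print(f"{path} re-fetched by {ip} after {delay}s  UA={ua}")
    print("follow-on fetches per address:", dict(followers_by_ip(echoes)))
    print("load this once, then watch the log for it:", make_canary_path())
```

On the constructed log this reports two echoes, both from 198.51.100.23 (157 s and 270 s after the original requests); the curl request the next morning for /index.html falls outside the ten-minute window and is ignored. In practice the reverse lookup and whois of each follower address is the next step, which is what led the poster to Kontera and then Trend Micro.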




#2 roy7 (Topic Starter)

Posted 06 December 2017 - 09:13 AM

Same thing happened at my office. I put in support tickets to Trend Micro and Amazon. Another IP address popped up:

 

Tracing route to 2620:101:4036:321:150:70:188:171 over a maximum of 30 hops
 
  1     *      183 ms    89 ms  2002:c058:6301::1
  2    90 ms    91 ms    89 ms  ve405.core1.sjc2.he.net [2001:470:0:1e1::1]
  3    91 ms    91 ms    90 ms  eqix-sjc-a.trendmicro.com [2001:504:0:1:0:1:6880:1]
  4    95 ms    93 ms   105 ms  2620:101:4036:1:150:70:176:76b
  5    90 ms    91 ms    91 ms  2620:101:4036:321:150:70:188:171
 
Trace complete.
 
Which I think solves the issue. It's actually Trend Micro doing this. I guess as part of their SafeSearch or whatever, they pull copies of each URL I go to, and scan them for viruses and store them in their database. So that was weird and unexpected, but at least it isn't malware after all.

Edited by roy7, 06 December 2017 - 09:13 AM.


#3 Oh My! (Malware Response Instructor)

Posted 06 December 2017 - 02:26 PM

Thank you for letting us know.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My! (Malware Response Instructor)

Posted 06 December 2017 - 02:27 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
