Chrome keeps trying to connect to 216.21.13.14/216.21.13.15


Malwarebytes Premium keeps detecting an outbound connection to one of those two IP addresses, which is basically a server that hosts a lot of malware. I tried blocking the ports on both incoming and outgoing via the hosts file and via firewall, but it still keeps trying, so that connection blocked alert is constantly popping up. I added a block via Port 443 (which is the one blocked) by adding UDP and TCP, and adding Chrome as the target. However, it still doesn't help.

I use Auslogics Disk Defragmenter (which keeps popping up as malware despite making sure not to install anything else and avoiding all of those other optional garbage), but that comes up as malware. Also, some of my extensions are not from the Google store, or some are probably detected as malware by accident. I am not sure which registry files to specifically delete and which ones not to.

 

This is the scan from AdwCleaner, and the two Malwarebytes files are logs from the blocked reports. I didn't do anything yet after the AdwCleaner scan for now. What should be deleted and what shouldn't be?

AdwCleaner[S00].txt malwarebytes blocked connection.txt malwarebytes blocked connection2.txt

Link to post
Share on other sites
Hello Pepega02 and welcome to Malwarebytes....

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

or,

https://downloads.malwarebytes.com/file/mb4_offline

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
    Export to Txt - if selected, you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply

     
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

I have Malwarebytes, and AdwCleaner is where the detections pop up. Also, both Malwarebytes and AdwCleaner detect Auslogics Disk Defrag as malware, so if I quarantine them, then it will quarantine all of the registry keys related to the programs and even the uninstaller and executables, rendering it impossible to uninstall or run them. The AdwCleaner files I sent you are from the AdwCleaner scan, which I used to scan the computer. Also, some of my third party Chrome extensions get removed when I do a scan, despite them being legitimate (they are like the User Agent Switcher etc., which is actually from the Google Chrome web store by the way, and I use it for changing my User Agent on websites).

Malwarebytes doesn't detect anything, but all detections came from AdwCleaner. Due to false positives like EA Origin being deleted by Malwarebytes and some of my old visual novels like School Days, Fate/Stay Night, or some others (I would like to not name some) being constantly detected as viruses, I would like to know what to manually, not just randomly quarantine anything and get errors from all of my software. I know some personally like GlobalUpdate and KuaiZip as I personally had problems with these for years, but the problem is that I cannot sort what stuff is actually malware or not, as some are related to Auslogics, while some are just malware.

Anyway, here are the requested documents. I quarantined the GlobalUpdate and KuaiZip, as those are known.

Malwarebytes scan July 20-2020.txt FRST.txt Addition.txt

Link to post
Share on other sites
Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply...

Thank you,

Kevin....

fixlist.txt

Link to post
Share on other sites

Will I lose my Chrome extension files and other files like EA Origin, uTorrent, and some of my software and other files that keep coming up as false positives if I do the scan and cleanup?

Link to post
Share on other sites

Hello pepega02

If you are still concerned with losing Chrome user data then you can also manually back up all settings:

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

For your Passwords go here: https://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

For your Chrome extensions:

Select the Windows Key and R Key together, in the "Run" box type or copy/paste the following:

%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\extensions

Select Ok, then copy the contents of that folder (except for Temp) to a newly created folder on your Desktop or somewhere else of your choice. Those entries can be copied back to the Extensions folder if required later...

If for any reason you lose any of the above and Chrome Sync does not reinstate them or Sync is turned off, then you have all important user data backed up manually...
 
Thank you,
 
Kevin
Link to post
Share on other sites

I have done the scan, but my laptop cannot connect to the internet anymore. No network is found, despite it being connected to a WiFi point. It says No Internet, Secured.

It shows that I don't even have any active networks running, despite my laptop being connected to the WiFi point. Usually, it shows that a WiFi is active, even if it's not connected to the internet. This happened after I left the scan on and came back to my house, and found my laptop unable to connect to the internet.

Link to post
Share on other sites

Hello Pepega02,

Can you right click on the internet icon on Taskbar, then select "Troubleshoot" problems. Does windows fix the issue..?

Thank you,

Kevin..

Link to post
Share on other sites

I tried that already, and it doesn't work. It keeps saying either a driver issue or something, and refuses to fix, saying it failed. I don't really use system restore, so I am currently downloading a copy of Windows 10 iso on my mobile to copy to my computer and do a repair upgrade.

Link to post
Share on other sites

FRST fix turned System Restore on and created a new restore point, you can use that to restore system to pre FRST fix.

The following entries are listed as INCA Internet Co Ltd. A Google search indicates they are malicious; also, as you can see, the FRST scan marked them up for attention. Are those known to you and trusted...?

S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsAvM; C:\WINDOWS\SysWOW64\TKFsAv64.sys [198808 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsFtM; C:\WINDOWS\system32\TKFsFt64.sys [28824 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
R1 TKFWFV; C:\WINDOWS\system32\TKFWFV64.sys [34400 2018-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
R1 TKFWFV; C:\Windows\SysWOW64\TKFWFV64.sys [34400 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFWVT; C:\WINDOWS\SysWOW64\TKFWVT64.sys [199856 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.) <==== ATTENTION
S3 TkIdsVt; C:\WINDOWS\SysWOW64\TkIdsVt64.sys [118904 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\system32\TKPcFtCb64.sys [54504 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgAc; C:\WINDOWS\SysWOW64\TKRgAc2k64.sys [115760 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgFt; C:\WINDOWS\system32\TKRgFtXp64.sys [68968 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
C:\WINDOWS\SysWOW64\TKCtrl2k64.sys
C:\WINDOWS\SysWOW64\TKFsAv64.sys
C:\WINDOWS\system32\TKFsFt64.sys
C:\Windows\SysWOW64\TKFWFV64.sys
C:\WINDOWS\SysWOW64\TKFWVT64.sys
C:\WINDOWS\system32\TKPcFtCb64.sys
C:\WINDOWS\SysWOW64\TKRgAc2k64.sys
C:\WINDOWS\system32\TKRgFtXp64.sys

Link to post
Share on other sites
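The driver listing quoted in the post above can be triaged mechanically. This is an added example, not part of the thread and not FRST's own code: it parses four of those lines, lists flagged drivers with running ones first, and collects every image path seen per service name. Reading the leading letter as running/stopped and the digit as the Windows service start type is an assumption about FRST's notation; `parse` and `review_queue` are hypothetical names.

```python
import re
from collections import defaultdict

# Four lines copied from the FRST output quoted in the post above.
SAMPLE = r"""
S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
R1 TKFWFV; C:\WINDOWS\system32\TKFWFV64.sys [34400 2018-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
R1 TKFWFV; C:\Windows\SysWOW64\TKFWFV64.sys [34400 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\system32\TKPcFtCb64.sys [54504 2019-05-22] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
"""

# <state><start> <service>; <path> [<size> <date>] (<signer> -> <company>) [flag]
LINE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<signer>.*?)\s+->\s+(?P<company>.*?)\)"
    r"(?P<flag>\s+<==== ATTENTION)?\s*$"
)
# Assumption: the digit maps to the Windows service Start value.
START = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

def parse(text):
    """Turn driver lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["running"] = row.pop("state") == "R"
        row["start"] = START.get(row["start"], "unknown")
        row["flagged"] = bool(row.pop("flag"))
        row["size"] = int(row["size"])
        rows.append(row)
    return rows

def review_queue(rows):
    """Flagged services, running first, with all image paths seen per name."""
    paths = defaultdict(set)
    for r in rows:
        if r["flagged"]:
            paths[r["name"]].add(r["path"].lower())  # Windows paths: ignore case
    out = []
    for name, seen in paths.items():
        running = any(r["running"] for r in rows if r["name"] == name)
        out.append({"name": name, "running": running, "paths": sorted(seen)})
    return sorted(out, key=lambda e: (not e["running"], e["name"]))

if __name__ == "__main__":
    for entry in review_queue(parse(SAMPLE)):
        print(entry)
```

A service name that shows up with more than one image path, as TKFWFV does here, is worth checking on the machine itself before deciding what a fix should remove.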

Not those. I usually try not to update my computer due to bugs from new releases. Also, there is nothing from system restore, so I think I will try a repair install. It says there is no system restore point.

Link to post
Share on other sites

Can you transfer the attached "fixlist.txt" to the sick PC and run it...

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.


The fix will force a reboot, does the connection now work...?

fixlist.txt

Link to post
Share on other sites

Hiya Pepega02,

Thanks for the update information and log from Sophos. What is the current status of your system now, any issues or concerns?

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".

Thank you,

Kevin...

 

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites
This topic is now closed to further replies.