Jump to content

IP Addresses downloading from my pc


Recommended Posts

 

Hi Folks

 

Reaching out to see if I could get some assistance trying to trace out this issue as it is driving me crazy !

Below is an email I sent to Microsoft abuse in re to finding IP Addresses downloading off my Pro 10 pc !

I have researched off the web and found one issue with Akamai but I don't know how to resolve it whether it is a program or some sort of virus / malicious code etc. 

I have moved my critical data over to an external drive in order to keep an eye on My Data and away from my pc .

Scanned yesterday and found some viruses listed below

https://blog.malwarebytes.com/detections/malware-heuristic/  ( parser_REV80B3.RAR )

I removed quite a few of these off my external drive as I was shocked as I run scans almost every day as I have been shutting my external down a lot and yesterday did a HUGE all day scan and found 22 of these parser_REV80B3.RAR downloads on it !

Due to isolating this external drive , I did not do any scans recently due to being protected ( Or I thought so )  Are there any tools that I could use to further check ? I did a re install about 6 months ago and thought with Malwarebytes I would be ok but not sure how these got on here !

Any help would be greatly appreciated as I see my network trace fill up with traffic being sent out !

I also have another trace with much more detail in it as well . 

Letter to Microsoft abuse email and awaiting reply 

Good Morning , 

After having issues on my pc , I performed a network trace and found Microsoft downloading info off my pc !

IP Addresses :

Microsoft Azure 13.64.90.137

Microsoft Azure 52.179.224.221

Akamai 104.73.8.115

VERY Concerned that someone is downloading info via these IP Addresses belonging to Microsoft !

Trace if the event included – Too large to post – 75.6 meg pls give a site to download if you need to review as I would be happy to share !!

Could You please tell me why this is occurring as I have no services for Microsoft Akamai or any other cloud  services depending on Microsoft Akamai or any other platform .

A TLS session opened and numerous packets downloading to the above IP Addrress known as Azure and Akamai

Not knowing what exactly is downloaded , the trace shows a tls session Hello starting  ( 52.179.224.221 ) then proceeds to download to the above mentioned addresses clearly showing Microsoft and Akamai !

Why is this occurring ? 

I have a network trace but It is too large tio send as it is not able to email ! 75.5 meg …

No one should be downloading without my permission especially Microsoft or Akamai as are you downloading all of my personal information ? This concerns me very much to think Microsoft is using this data without my permission !!

 

I await a reply !

 

Internet issues.zip

Link to post
Share on other sites

  • Root Admin

Hello @maxum02062

We'll take a look at cleaning your computer but don't offer forensic examination as to how or why something go onto the computer.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

Spoiler
 
 
 
 

 

Spoiler

 

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

image.png

image.png

image.png

 

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

Link to post
Share on other sites

Good Morning

 

Thx for reaching out !

 

I will get on this asap on Monday as I will be busy the weekend .  I appreciate you answering as this is driving me nuts . 

I ran a complete Malwarebytes custom scan twice this week as it took for both C D and K drives over 7 hours to complete .

I let it run overnight but the quick scan set to run at 2 AM stopped the complete scan 

I thinnk it completed but not sure so I will run it again today or Tomorrow whereby I can see it complete .. 

I was amazed that it took so long as the quick scan takes about 15 minutes ? , somewhere around that time frame . 

I will follow your instructions and reply back when complete . 

Again Thank You for the reply !

 

Regards


Rich 

Link to post
Share on other sites

 

Good Morning 

 

Per your instructions , I am running my scans Adware cleaner etc. and will be completed ion an hour or so .

But I  came across something very strange .

My resource monitor is showing network traffic to multiple sites ( See screen shot )

I am amazed at how many chrome sites have IP Addresses or domain names showing downloading etc.  

This machine is running a 3CX telephone system hence 3cx networking etc. 

 

Any idea as to how to stop these ? 

Looking around now for info to see if I can find out whats going on and how to stop these as well 

image.thumb.png.9ef8ab8a955a6e2a4262bac4772a5fbb.png

Link to post
Share on other sites

  • Root Admin

Hello @maxum02062

The log detections from before are machine learning detections and often are false positive.

Please go into Control Panel, Programs, Programs and Features and uninstall the following

Bonjour
 

Bonjour is a discovery tool from Apple but is probably the worst, most noisy, and talkative program out there. If you have an Apple TV connected to a PC you might need it beyond that most Windows users do not need it period.

 

Did you install PostgreSQL? I see errors for it in the Event Logs but I don't see an entry in your logs showing that you installed it

The following are not malware related but you might want to review and see if you can correct, fix the issues.

System errors:
=============

Error: (04/28/2021 11:55:20 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Audio Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (04/28/2021 11:55:20 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The 3CXQueueManager01 service depends on the 3CXPhoneSystem01 service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (04/28/2021 11:55:20 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The 3CXPhoneSystemMC01 service depends on the 3CXCfgServ01 service which failed to start because of the following error:
The operation completed successfully.

 

Trying to keep Microsoft from talking with your computer is a bit paranoid overall. I see you already modify your hosts file to block telemetry but you'd need a firewall to block some of the Microsoft network talk but one can easily break Windows by doing so.
It is your computer so you can do as you wish, just saying I too don't like snooping, but at some point, you have to realize that Windows and most applications today need some level of network talk to function and update properly so my advice would be to not go overboard with it.

 

Please temporarily disable your Norton Antivirus and run the following scan for me.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Link to post
Share on other sites

Good Morning and Thank You for the answers !

The scanner came back negative and nothing was found . I downloaded a copy of the scanner report 

I also removed Bonjour per your recommendation and thx for the tip . 

That said , I will continue to search on why I am downloading to different iup addresses like Akamai etc. 

Looks like all is well for now and I'll post if and when I can find a solution for the ip addresses etc. 

 

Thank You again

Regards


Rich

OnlineScannerLog.txt

Link to post
Share on other sites

Thx for the help !

I have a few traces that captured the download to Akamai but I am not sure of what is running as I have checked just about eve3rything I can think of , add remove , processes services and more .  Help about this is sketchy as it is acknowledged as an issue to some but no solution on how to stop it . 

 

I'll start there and download TCPView 

Link to post
Share on other sites

  • Root Admin

This is a very old article so not sure it applies to you or not but you could try

https://answers.microsoft.com/en-us/ie/forum/ie8-windows_vista/stop-akamai-technologies-from-downloading/71c2fb35-3fce-4a1a-89fb-0a4764d0fe6f

Here is a general explanation of Content Delivery Networks and why they're used

https://www.globaldots.com/resources/blog/content-delivery-network-explained/

 

Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.