
Blocked outbound connections from msedge.exe, but cannot find infection


Solved by AdvancedSetup


Two outbound connections from msedge.exe on 443 to known bad rep/compromised IPs (164.90.152.6, 68.183.20.102) (files blocked_outbound.txt and blocked_outbound2.txt).

Only occurs when using msedge.exe (something I regret since I usually use firefox with no script, ublock, etc., or chrome, but my dumb ass clicked on one of the headlines in windows 11... ).

Have result of mbam full scan with rootkit detection with nothing found (mbam_full_scan.txt).

Have run msert twice with no detections (msert.log)

Have run FRST, maybe I missed something, but I see nothing malicious? (addition.txt and FRST.txt)

Have run adwcleaner as well, no detections.

Also windows defender full scan, no detections.

Thank you for your help, I am at wits end... spent many hours trying to figure out if this is something to worry about or what to do next. I haven't manually looked at regedit, or used one of the registry specialized tools. If you have any recommendations I'd greatly appreciate it.

If you are wondering why the dates are old, it's because I spent all night yesterday trying to figure out the problem.

Attachments: blocked_outbound.txt, blocked_outbound2.txt, mbam_full_scan.txt, msert.log, Addition.txt, FRST.txt


  • Root Admin

Hello @TwoShoty2009

The logs do not indicate an obvious infection.

I would uninstall the following though as no service should be running from any TEMP folders.

R3 ALSysIO; C:\Users\Uragtur\AppData\Local\Temp\ALSysIO64.sys [43528 2023-02-06] (Microsoft Windows Hardware Compatibility Publisher -> Arthur Liberman) <==== ATTENTION


Then run the following, please. Very late for me so I'll probably check back on you again some time tomorrow.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", then reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt


Thank you
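The point made above (no driver or service should load from a TEMP folder) is the kind of thing worth checking mechanically in an FRST log. As an added example that is not part of the thread or of FRST itself, this Python script parses FRST-style driver/service lines and flags any whose binary lives under AppData\Local\Temp or Windows\Temp, or that FRST already tagged with ATTENTION. The sample input is constructed: only the ALSysIO line is the one quoted above, the other entries are made up.

```python
import re
from pathlib import PureWindowsPath

# FRST "Drivers"/"Services" line, e.g.
#   R3 ALSysIO; C:\...\Temp\ALSysIO64.sys [43528 2023-02-06] (Signer -> Company) <==== ATTENTION
FRST_LINE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<signer>[^)]*)\)(?P<rest>.*)$"
)

# Constructed sample input: only the ALSysIO line is the one quoted in the thread,
# the other three are made-up entries for contrast.
SAMPLE_FRST_LINES = r"""
R3 ALSysIO; C:\Users\Uragtur\AppData\Local\Temp\ALSysIO64.sys [43528 2023-02-06] (Microsoft Windows Hardware Compatibility Publisher -> Arthur Liberman) <==== ATTENTION
R0 ExampleDrv; C:\Windows\System32\drivers\exampledrv.sys [20480 2023-01-10] (Example Publisher -> Example Vendor)
S3 ExampleSvc; C:\Windows\Temp\example_svc.exe [12345 2023-02-01] (Example Vendor -> Example Vendor)
R2 GoodSvc; C:\Program Files\Good\goodsvc.exe [65536 2022-12-01] (Good Co -> Good Co)
"""

def is_temp_path(path: str) -> bool:
    """True if the image lives under AppData\\Local\\Temp, Windows\\Temp, or a %TEMP%/%TMP% reference."""
    lowered = path.lower()
    if "%temp%" in lowered or "%tmp%" in lowered:
        return True
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(parts[i] == "temp" and parts[i - 1] in ("local", "windows")
               for i in range(1, len(parts)))

def find_temp_services(frst_text: str) -> list:
    """Return drivers/services whose binary runs from a temp folder, plus any line FRST tagged ATTENTION."""
    findings = []
    for line in frst_text.splitlines():
        m = FRST_LINE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        reasons = []
        if is_temp_path(m["path"]):
            reasons.append("temp-folder")
        if "ATTENTION" in m["rest"]:
            reasons.append("frst-attention")
        if reasons:
            findings.append({"state": m["state"], "name": m["name"], "path": m["path"],
                             "signer": m["signer"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_temp_services(SAMPLE_FRST_LINES):
        print(f"{f['state']} {f['name']}: {f['path']} ({', '.join(f['reasons'])})")
```

Feed it the Drivers and Services sections of a real FRST.txt to list every entry that loads from a temp location; a hit is a reason to look closer, not proof of infection (the ALSysIO driver here turned out to be Core Temp's).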

I removed ALSysIO64.sys as instructed; it was the driver component of Core Temp. For safety's sake I also uploaded it to VirusTotal with no detections, but to comply I removed everything with the installer and made sure to check that the file was gone after manual deletion and restart.

The securitycheck also seems to be clean. Additionally I ran KVRT with no detection:

<Report>
    <Metadata Version="1" PCID="{9EDFE32B-4382-BF09-7DA3-9FBAEDDC18C7}" LastModification="2023.02.14 23:56:12.388" />
    <EventBlocks>
        <Block0 Type="Scan" Processed="1645729" Found="0" Neutralized="0">
            <Event0 Action="Scan" Time="133209159664451632" Object="" Info="Started" />
            <Event1 Action="Scan" Time="133209198567141116" Object="" Info="Finished" />
        </Block0>
    </EventBlocks>
</Report>

Attachment: SecurityCheck.txt


  • Root Admin

You can have it installed, just choose a folder, not the %TEMP% folder 😃

Please update the following programs.

Then let's go ahead and run the following antivirus scanner.
Please run the following ESET Online Scanner and perform a Full Scan

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen, choose whether you want to send anonymous data and whether you want to provide feedback, then click Continue.
  • When prompted for scan type, click on the Full Scan button.
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience. The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".
  • Enable "Delete application data on closing". You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Please attach the ESET scan log you saved at the end to your next reply.

Some important context for the results: the binary was never executed (it's an ancient installer), transferred from an old computer with files (old CCleaner installation bundled with adware from like 7 years ago).

Still have no idea what caused the outbound connections.

I am thinking now that I am probably not infected, but it was just XSS/malicious javascript so it was only living in memory, because I have stopped using msedge and haven't gotten a single blocked connection since.


  • Root Admin
10 hours ago, TwoShoty2009 said:

I am thinking now that I am probably not infected, but it was just XSS/malicious javascript so it was only living in memory, because I have stopped using msedge and haven't gotten a single blocked connection since.

 

Yes, I'm betting that it was just a single instance as well and not an onboard continuing issue. @TwoShoty2009

 

Let me have you run the following please.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", then reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Thank you

I don't understand the requirement. It is quite common to have multiple versions of python for different virtual environments.... one of the most commonly used is 3.7.5. That having been said I did that anyway to continue whatever we have going on here. i.e. installed 3.11.x and removed the old one.

Since we don't seem to be making any progress could you please recommend a good personal firewall for windows like the old symantec one that used to be free? Then I can mark that as a solution and we can both go on our merry ways.

Sorry if I am being impatient and rude, but I am on-call and am not used to dealing with these Windows problems, since I am usually on macOS/Linux for work and never have to deal with crap like this.

Thank you again for your help, the tools you provided will definitely come in handy at a later time if the need arises. If anything this will hopefully be the last time I ever purchase a laptop with windows again... even if it is on sale, or maybe I will just nuke the drive, install mint/ubuntu and forego the warranty.

🤐

Attachment: SecurityCheck.txt


  • Root Admin
  • Solution

The Security Check log looks good.

How is the computer running now?

Are there still any signs of an infection or alerts?

If you want a better firewall then set up pfSense on another device and use that. That would give you much better control over what comes in or out, as it would be external to the computer.

But that said, a firewall alone will not fully stop all malware, and though you may not have come across it yourself, even Linux is hit with rootkits and malware these days. The market share of Linux is less than 3%, so not exactly a big target for malware authors.


  • Root Admin

As long as no other signs of an infection

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
This topic is now closed to further replies.