Suspicious tmp file firewall access requests

[GeoffTheGeoffTheGeoff]

I have recently noticed suspicious outbound firewall requests from .tmp files that originate from folder locations that do not exist. I noticed these requests in Windows Firewall Control. I block them. I go looking for the files that they originate from but the locations don't exist. I have scanned with premium Malwarebytes and found nothing. I have use Windows utility to clean up the C drive, including system files. I have gone through a few iterations of Windows Updates. Nothing seems to stand out in task manager. 

This all seems very suspicious to me but I don't know how to investigate this further. I have attached some screenshots from Windows Firewall Control. 

Please help me. 

[JSntgRvr]

:Welcome:  
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

• Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
• First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
• Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
• Please read ALL instructions carefully and perform the steps fully and in the order they are written.
• If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
• Continue to read and follow my instructions until I tell you that your machine is clean.
• If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
• Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.  

Let's begin... 

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Please rename FRST.EXE or FRST64.EXE to FRSTEnglish.exe
• After renaming the file right-click over FRSTEnglish.exe and select "Run as administrator"
• When the tool opens click Yes to the disclaimer if this is the first time using the tool
• Make sure there is a check mark in the Addition.txt check box
• Press the Scan button.
• It will make a log FRST.txt and Addition.txt in the same directory the tool is run from. Please attach both logs to your next reply.

[GeoffTheGeoffTheGeoff]

Hey mate,

I ran the tool and have attached the requested files. 
What are we looking for in the files?

I noticed that Addition.txt thinks I have Kaspersky installed and active but to the best of my knowledge it has been removed.

Is this info in these files at all sensitive info to upload?

Thanks

FRST.txt Addition.txt

[JSntgRvr]

There is no evident malware in the logs. Open Chrome Settings and manually remove Kasperski extensions.

This Fix will empty the following folders:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

FRST64 is saved as C:\Users\Super\Desktop\FRSTEnglish.exe

• Download the enclosed file Fixlist.txt
• Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
• Start FRST (FRST64) with Administrator privileges 
• This time around Press the Fix button and wait
• When finished, a log file (Fixlog.txt) will pop up and saved in the same location the tool was ran from.

Please attach this file in your next reply. If too large, use an online upload service and post the link. ww.wetransfer.com is a good site.

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, please do so

• The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
• Close all open applications and locate the downloaded file and double-click to run it
• The program will take a moment to launch and bring up the License and Update screen
• Place a check mark to agree to the terms and then click on the Continue button
• Click the underlined link Select objects for scanning
• On the top left click the Scanning objects that should automatically check all objects
• Click the small wrench and make sure there is a check on Automatically apply actions to threats
• Then click the large button on bottom right Start scanning
• Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
• The log is saved in the folder named Doctor Web in the top of your user profile folders
• Please attach that log on your next reply

Scan with SecurityCheck by glax24

The following tool named SecurityCheck is a utility for quickly checking for the presence of possibly vulnerable applications and the status of other security settings

• Temporarily disable Microsoft SmartScreen only if it blocks the download of the software. The program is safe
• Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• If SmartScreen blocks the file from running click on More info and Run anyway
• This tool is safe.   Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow it to run
• Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck,  C:\SecurityCheck\SecurityCheck.txt

 

 

 

 

Items checked:

The following items are scanned by the SecurityCheck tool

• User Account Control (UAC).
• Service pack.
• IE version.
• Automatic OS update. Sets of critical KB patches when updating is disabled.
• Antivirus, firewall, other security utilities.
• Versions of Java, Oracle Virtualbox.
• Version of Adobe Flash Player, Adobe AIR.
• Versions of Adobe Reader, Acrobat Reader DC, Foxit Reader.
• Versions of media players (iTunes, AIMP, foobar2000).
• Versions of messengers (Skype, Pidgin).
• Versions of installed browsers (Chrome, Opera, Firefox, Yandex, SeaMonkey).
• Versions of mail programs (The Bat, Thunderbird).
• Checking running processes and security program services
• Searching for installed Adware programs and optimizer programs (More than 5000).