4 Replies Latest reply: Mar 12, 2012 10:32 AM by newjack RSS

    Net Guard blocked connections

    fred123

      Hello,

       

      I got an alert that Net Guard had blocked a connection yesterday (see Attachment 1) and noticed that it had blocked one 6 days earlier at almost the exact same time, although I didn't see that alert (maybe a fullscreen program blocked it?).

       

      I scanned my computer with Mcafee, Avira and Malwarebytes and none of them discovered anything, except Avira came up with a load of warnings, mostly that access was denied to folders that don't exist, but no detections were made.

       

      I then used Syetem Restore to restore to the earliest point I could, and scanned again with those three programs and with Windows Defender, Stinger (it just said Number of clean files: 704212, so I assume that means it's all clear) and none of them discovered anything again, except for the same Avira warnings.

       

      I gave GetSusp a go and it said there were 23 suspicious and 4 unknown files, but I can account for all of them. I can post them here if it might help though.

       

      All scans were run in safe mode.

       

      I noticed that there are a couple of similar threads, so other people seem to be having something similar happen to them too:

       

      https://community.mcafee.com/thread/41928

       

      https://community.mcafee.com/thread/43432

       

      Looking at the second thread, its creator seemed to have the connection associated with a particular trojan. If you have a look at my Attachment 2, I had a similar incoming event just before the 10 March blocked connection, which might be connected. I had another after I had system restored (Attachment 3).

       

      Now, I would have just left it and assumed that it was some same software phoning home, but

      a) Other people seem to be having the same problem, and the creater of the first thread reported that they found a virus.

      b) One of the IPs is located in the Seychelles, which seems a bit odd.

       

      Now either the System Restore worked, or it was an unknown legitimate program all along, or I still have a virus. Given the possibility that it could be option 3, what further steps could I take? Would HijackThis be the next step? If so, which forum would you recommend to pursue it on?

       

      In addition, as you can see from Attachments 2 and 3, there are a very large number of 'Incoming Events' - dozens every minute at times. Is this unusual?

       

      Thank you for your time.

       

      (Just to add, I did a scan with Kaspersky TDSSKiller and it flagged up gdrv.sys as an 'Unsigned file'.

       

      I assume it is just a motherboard driver and just a false positive though.)

       

      on 11/03/12 23:17:25 GMT
        • 1. Re: Net Guard blocked connections
          Hayton

          I can't answer all the questions you have, but I can supply a little information to help you decide what to do next.

           

          The Incoming Events are failed (blocked) attempts to connect to your PC. Successful ones don't, I think, get logged. Maybe they should be. So the attempt by 91.217.178.74 to access your PC did not succeed. You should look for failed attempts by the other IP address, 91.205.41.53, about a week earlier.

           

          I've never had a Netguard alert, so I may be corrected on this, but that looks like two outgoing requests which were blocked by Netguard - presumably it looks up the IP addresses somewhere before deciding what to do. Now that I would be worried about, especially as it was your SYSTEM process attempting to make the connection.

           

          I checked the location of the addresses and one is in the Seychelles, the other apparently in the middle of desolate moorland north of Skipton, about 30 miles from me. I know that area, and there's nothing much there. Conceivably someone has installed a server farm in a barn on an upland farm, but ....

           

          The location is less important than the reputation of the owner/user of the IP addresses. These two are web hosting providers :

           

          91.217.178.74 is associated with Business Dialogue Ltd (Seychelles), and they have a poor reputation - but that may be because they are an ISP, not a website owner.

          http://webdetail.org/ip/91.217.178.214 :

          "There is no website hosted on this IP address."

           

          So it could be a mail server; which appears to be borne out by the TrustedSource report for that IP address -

          91.217.178.214 - IP - McAfee Labs Threat Center.png

           

           

          91.205.41.53 belongs to Dragonara Alliance Ltd and there are allegations in various places that they are involved in distributing spam and engaging in forum spamming, as well as operating in dubious business areas connected with web-finance.

          http://www.webhostingtalk.com/archive/index.php/t-1009543.html

           

          What made me REALLY freak the F... out is the fact that I stumbled upon some reviews (after doing wire transaction) of how dragonara is involved in some shady business such as scamming and blackmailing.

          Link here (http://www.webhostingtalk.com/archive/index.php/t-734739.html) and here (http://www.moneymakergroup.com/Huge-Scammers-Network-Rev-t260737.html)

           

          I personally cannot comment on the truth or otherwise of any such allegations. As far as TrustedSource is concerned the IP address is (or is not) regarded as unsafe because of problems with mailing (which usually means spam).

           

          91.205.41.53 - IP - McAfee Labs Threat Center headers.png

          91.205.41.53 - IP - McAfee Labs Threat Center.png

          91.205.41.53 - IP - McAfee Labs Threat Center overview.png

           

          So the question is whether your PC was trying to contact these addresses and if so, why?

           

          If you've run a McAfee scan and one with Malwarebytes but you still want to be sure I suggest running the Microsoft scan available from HERE.


           

          Message was edited by: Hayton on 12/03/12 02:23:41 GMT
          • 2. Re: Net Guard blocked connections
            fred123

            Thank you for your reply.

             

            I'm afraid I can't check back a week as the Mcafee logs don't go back that far - the 100s of incoming attempts a day seem to have pushed anything past a few days ago off the list.

             

            I am certainly concerned about my computer trying to connect to these IPs, and that is the main thing to worry about I agree.

             

            I ran that Microsoft scan as you suggested, but it came up clean also.

            • 3. Re: Net Guard blocked connections
              newjack

              Hi Fred, Pretty interesting that we both have similar Issue with same Antivirus vendor.As you can see here.I would go post a log as Ex_brit suggeted to me.

              This is Obviously a problem that has not been Handled yet by McAfee.Not sure about your Internet habits.But I think Mine are pretty safe.Also always Updated to Latest patches with Secunia & windows.2 of the biggest ways your system can be compromised.My system is also trying to connect to Ip In that Area.Hmm

              https://community.mcafee.com/thread/43432  Wonder how many others have this problem & don`t know?

              • 4. Re: Net Guard blocked connections
                newjack

                Also Fred,Open McAfee & on top right click Navigation.Scroll to bottom & open your Traffic monitor.See If Mcshost is taking up all of your traffic.As seen here.If so I would go post at one of the forums mentioned in above link.None of my scans came back with anything either.

                 

                Mc service host.JPG