Hayton (Reliable Contributor), Message 21 of 27

Re: Risky connection blocked

The Stinger results were less helpful than I hoped they would be. Neither the Artemis numbers nor the MD5 hash give any other hits when I search for them. The Stinger run itself only lasted 20 seconds, which doesn't seem long enough. I'll do a comparative scan to see whether any of the settings need to be changed.

Re: Risky connection blocked

I do have solid state drives, so it is much faster.

On opening a new tab in Google I get this now:

[screenshot: Googlenew.png]

Normally this shows sites I use, but most of these I have never visited. Google, Canal World, Vidblaster and Newport Baptist are sites I use. All the rest I have not visited; hovering the mouse over them, it states "active".

Also when I shut down the computer I see another screen view behind the Desktop flash on/off.

I think I will have to just reinstall windows and all programs.

David

Hayton (Reliable Contributor), Message 23 of 27

Re: Risky connection blocked


olwdave wrote:

    Normally this shows sites I use, but most of these I have never visited. Google, Canal World, Vidblaster and Newport Baptist are sites I use. All the rest I have not visited; hovering the mouse over them, it states "active".

    Also when I shut down the computer I see another screen view behind the Desktop flash on/off.


What you see at shutdown is possibly - or probably - a pop-under window. A hidden pop-up. That could be advertising.

The sites in the screenshot: gaming, advertising (Taboola), possible Facebook app/advertising (Carscritic). There's more adware to get rid of, I think. And this one is the most likely cause of a connection to a server in the Far East or China: stat[dot]gmonitor[dot]aliimg[dot]com. See the VirusTotal report for that domain at

https://www.virustotal.com/en-gb/domain/stat.gmonitor.aliimg.com/information/

It's on an AlibabaOnline server in Hangzhou, China. It's devoted to online shopping. And it's the sort of thing that resident adware might connect to.

So, the next thing to do is run a program that will root out any third-party programs that Malwarebytes might have missed. Try AdwCleaner, which you can get from the BleepingComputer site (where you will also find a review and instructions for how to use it) - http://www.bleepingcomputer.com/download/adwcleaner/

Re: Risky connection blocked

Thanks Haydon,

I ran TCPView and stat[dot]gmonitor[dot]aliimg[dot]com was loading many times. The strange thing was that TCPView only ran for about a minute and then closed, and TCPView.exe had been deleted from Downloads, so I had to download it again.

I will try AdwCleaner.

David
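The post above describes seeing the domain in TCPView but not which local process owns those connections, which is the thing you need in order to know what to quarantine. The following is an added example, not code from the thread or from any of the tools named in it. It correlates the text output of two built-in Windows commands, `netstat -ano` and `tasklist /fo csv /nh`, so each connection to a suspect address is attributed to a process image. The two sample outputs are constructed for the example, the process names in them are invented, and 203.0.113.10 and 198.51.100.5 are documentation-range placeholders, not the real addresses behind any domain mentioned in the thread; the addresses to feed in would come from resolving the domain seen in TCPView (for instance with `nslookup`).

```python
"""
Attribute outbound connections to a suspect IP to their owning process.

Added example, not from the forum thread. Parses the text of `netstat -ano`
and `tasklist /fo csv /nh` as produced on Windows. The sample outputs below
are constructed; 203.0.113.10 / 198.51.100.5 are placeholder addresses.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49801     203.0.113.10:80        ESTABLISHED     4120
  TCP    192.168.1.20:49802     203.0.113.10:443       TIME_WAIT       0
  TCP    192.168.1.20:49810     198.51.100.5:443       ESTABLISHED     3344
  TCP    192.168.1.20:49815     203.0.113.10:80        ESTABLISHED     4120
  TCP    192.168.1.20:49820     203.0.113.10:80        SYN_SENT        5008
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    3344
"""

# Constructed sample of `tasklist /fo csv /nh` output (image name, PID, ...).
SAMPLE_TASKLIST = """\
"svchost.exe","912","Services","0","9,812 K"
"chrome.exe","3344","Console","1","181,204 K"
"updater.exe","4120","Console","1","22,110 K"
"helper.exe","5008","Console","1","4,312 K"
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row of `netstat -ano`; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rhost, _, rport = remote.rpartition(":")  # keeps IPv4 and "*:*" forms intact
        rows.append({"proto": proto, "local": local, "remote_ip": rhost,
                     "remote_port": rport, "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh`."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def suspicious_processes(netstat_text, tasklist_text, bad_ips):
    """Group connections to any address in `bad_ips` by owning process.

    Returns {(pid, image_name): [(remote_ip:port, state), ...]}.  PID 0 rows
    (e.g. TIME_WAIT sockets no live process owns) are ignored: they cannot be
    attributed and would only add noise.
    """
    names = parse_tasklist(tasklist_text)
    hits = defaultdict(list)
    for c in parse_netstat(netstat_text):
        if c["remote_ip"] in bad_ips and c["pid"] != 0:
            key = (c["pid"], names.get(c["pid"], "<unknown>"))
            hits[key].append((f'{c["remote_ip"]}:{c["remote_port"]}', c["state"]))
    return dict(hits)


if __name__ == "__main__":
    # In practice: resolve the domain first, then pass the returned addresses.
    hits = suspicious_processes(SAMPLE_NETSTAT, SAMPLE_TASKLIST, {"203.0.113.10"})
    for (pid, name), conns in sorted(hits.items()):
        print(f"PID {pid} ({name}): {len(conns)} connection(s)")
        for remote, state in conns:
            print(f"    -> {remote} {state}")
```

Run it once with real output (`netstat -ano > net.txt` and `tasklist /fo csv /nh > tasks.txt`, then read those files in place of the samples) from an elevated prompt, since non-administrator sessions may not see PIDs for every socket. Capturing to files first also matters here: the thread reports TCPView closing and being deleted, and a saved listing survives the tool being killed. Repeated connections from one PID, as with 4120 above, are what you would expect from a resident component beaconing; a process that only appears once in SYN_SENT may simply have been blocked.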

Re: Risky connection blocked

I have run AdwCleaner and it has deleted a lot of folders/files, but it does not seem to have sorted the problem: the pop-under window is still there on shutdown, and Internet Explorer is very slow to load; Google states "waiting". I have not yet had a "blocked connection" though; I will wait and see. McAfee came up twice while AdwCleaner was running to say it had found a threat (Artemis!5FB25CFDCDC1 (Trojan)) and quarantined it.

Thanks for your help, David

exbrit (Reliable Contributor), Message 26 of 27

Re: Risky connection blocked

I'd say this is a simple case of severe malware infection.

Did you follow the advice I offered on page 2 post #14?

We are not really equipped here for that job and don't have the manpower to deal with it, but the procedure I suggested allows experienced malware specialists to deal with it.

That's all they are there for.

It's Hayton by the way, not Haydon.

Hayton (Reliable Contributor), Message 27 of 27

Re: Risky connection blocked

You could be right. If Stinger keeps coming up with Artemis detections they're being re-introduced from somewhere.

And as I said earlier, it's not so helpful to us to know that something was found and deleted as it would be if we knew exactly what was being found. That would give a clue as to the possible source of infection.

By the way, if olwdave is using P2P I would advise that it be disabled.