18 Replies. Latest reply on Sep 5, 2012 6:09 AM by Peter M

    Unwanted outgoing connection

      McAfee Total Protection Firewall blocked an outgoing connection to an IP address 90.84.59.147 saying that this site was suspect.

       

      Clearly the instruction to connect has been installed on my computer by malware.  Where will this instruction be so that I can delete it?

        • 1. Re: Unwanted outgoing connection
          Peter M

          Moved this provisionally to Malware Discussion > Home User Assistance.

           

          That IP belongs to France Telecom, do you have anything installed that would 'dial home' to France?

           

          Look in the last link in my signature below for some tools from McAfee and 3rd parties which you could run as a precaution.

           

          Remember this was blocked so you should be OK.   Where were you reading this blocked message by the way?

          1 of 1 people found this helpful
          • 2. Re: Unwanted outgoing connection

            I checked the IP address here and found that the ISP for the address is France.

             

            I checked here (Neighbouring IP addresses) and saw that it was assessed as HIGH RISK by way of WEB REPUTATION

             

            The blocked message notification came up on my screen.  It was posted by my McAfee Total Protection Firewall Net Guard which I have running.  It was an alert to tell me that McAfee had blocked access.

             

            Out of curiosity I then posted the IP address in the IE address bar and got this warning

             

            Screenshot.jpg

             

            I appreciate that the connection is blocked but what I wondered is where on my computer would be the command to make this connection to this IP address.  I could then delete it.

            • 3. Re: Unwanted outgoing connection
              Peter M

              Not sure but as a precaution I would run some scans with say Stinger & Malwarebytes Free - both listed in the last link in my signature below.

               

              One place you could look which may give a clue is in SecurityCenter click navigation at top right

              Scroll down to Traffic Monitor

              In the drop-down menu near the top select Active Programs

              Expand each one in the list below to see if that IP crops up there.

               

              Another way that may work, may not, is to search for that IP number by keying in the number into a registry search.

               

              Go to Start/Run and enter regedit and click OK - also OK any UAC prompts you may get (Vista and above).
              A page should open with the top left hand corner looking something like this:

               

              https://community.mcafee.com/servlet/JiveServlet/downloadImage/2-145517-8112/285-187/Regedit.jpg


              If for some reason the trees are expanded, collapse them and then highlight My Computer.
              Go to File tab and click "Export" and send the registry to your desktop. This is in case something goes wrong. It can then be rebuilt by simply right-clicking that desktop item and selecting merge.
              Now click the Edit tab and then "Find". Enter "90.84.59.147" (minus the "") then click "Find next" (or hit the enter key).
              Whatever is found, right-click and delete if so desired.
              Hit your F3 key for the next instance and keep going until all entries are gone.
              If one says it can't be deleted this is where it gets complicated. You have to then find which key on the left column pertains to it and right-click/Properties/Permissions and give yourself permission.
              If all is successful those entries could not possibly remain and you can then delete the registry backup.

              Message was edited by: Ex_Brit on 03/09/12 9:44:51 EDT AM
              1 of 1 people found this helpful
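
A read-only version of the two checks suggested in the reply above (which program talks to the address, and whether the address is stored in the registry), as an added PowerShell example that is not part of the original thread. The sample count and interval are assumptions.

```powershell
# Added example (not from the thread): read-only triage for the blocked address.
$ip       = '90.84.59.147'  # address quoted in the original post
$polls    = 30              # assumption: number of samples to take
$interval = 2               # assumption: seconds between samples

# 1. Which process opens a socket to that address?
#    A firewalled attempt is short-lived, so sample netstat repeatedly.
#    TCP rows from `netstat -ano` read: Proto  Local  Foreign  State  PID
$seen = @{}
for ($i = 0; $i -lt $polls; $i++) {
    foreach ($row in (netstat -ano | Select-String -SimpleMatch $ip)) {
        $f = $row.Line.Trim() -split '\s+'
        # Keep only rows whose remote endpoint is exactly this address.
        if ($f.Count -lt 5 -or -not $f[2].StartsWith("${ip}:")) { continue }
        $procId = [int]$f[4]
        if ($seen.ContainsKey($procId)) { continue }
        $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $seen[$procId] = [pscustomobject]@{
            Remote = $f[2]; State = $f[3]; ProcessId = $procId
            Name = $p.Name; Path = $p.Path
        }
    }
    Start-Sleep -Seconds $interval
}
$seen.Values | Format-Table -AutoSize

# 2. Is the address stored anywhere in the registry?
#    reg.exe query with /f and /s walks key names, value names and data
#    without changing anything; review each hit before deciding on deletion.
foreach ($hive in 'HKLM', 'HKCU') {
    Write-Host "Searching $hive for $ip ..."
    reg.exe query $hive /f $ip /s
}
```

Run it from an elevated prompt so that process paths resolve. An empty table only means no socket to the address was open while sampling.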
              • 4. Re: Unwanted outgoing connection

                This is proving interesting.

                 

                The IP address we agree was provided by an ISP in France was allocated to AKAMAI Technologies.

                 

                When I put AKAMAI into START>SEARCH then it produces a number of PHISHING emails which I reported to reports@banksafeonline.org.uk

                 

                The original IP address which was blocked does not appear in the Traffic Monitor but another with a similar IP address did appear.  I checked it here  and also here  which would suggest that (as it is high risk for emails) that this would tie in with the phishing emails.

                 

                However, I checked AKAMAI on RIPE Net and found this

                 

                I also Googled it and found that there is a legit company by that name but also some people were reporting concerns years ago for example here and here

                 

                I cannot find AKAMAI in the delete programme search or in msconfig.

                 

                Some people have said that ADOBE genuinely uses AKAMAI but what I find interesting is that when I got the UKASH trojan (see my post here) I believe I got it through a fake ADOBE update!

                 

                I must do some investigating!

                • 5. Re: Unwanted outgoing connection
                  Peter M

                  AKAMAI download managers are commonly used to install certain types of software.  Have you installed anything new lately?

                   

                  Look at the last link in my signature and go down near the end.  Post a Hijackthis or DDS log as instructed there on one of those specialist forums for analysis.

                  1 of 1 people found this helpful
                  • 6. Re: Unwanted outgoing connection

                    I have not installed anything recently.

                     

                    I can see that AKAMAI has a genuine role but looking at the results of the check of the IP addresses in McAfee would suggest that others have reported problems.  Interesting that the search of my computer brought up the phishing emails I reported.

                    • 7. Re: Unwanted outgoing connection
                      Peter M

                      Best post a Hijackthis or DDS log as I suggested and have them look into the possibility that something amiss is still going on in your machine.

                      • 8. Re: Unwanted outgoing connection
                        Hayton

                        makfai wrote:

                            "I have not installed anything recently."

                        I think you have installed something, although unintentionally.

                            "when I got the UKASH trojan (see my post here) I believe I got it through a fake ADOBE update"

                         

                        The Trojan has probably downloaded other malware and you are seeing the result.

                         

                        The IP address (90.84.59.147) shows as High Risk in TrustedSource because the server has been compromised and is hosting malware.

                        See http://malwaresurvival.net/2012/07/30/funky-internet-payment-site-dishing-out-malware/

                         

                        If you have not already done so you should run Stinger in case you have a rootkit on your system.

                        • 9. Re: Unwanted outgoing connection

                          I have run Stinger and McAfee's Rootkit Remover but no sign of anything.

                           

                          Have also now installed Malwarebytes.
