Jump to content

Malware? As.eu.angsrvr.com

Antonh

By Antonh
in Malware Finding and Cleaning

 Share

Recommended Posts

Antonh

Antonh 0

Posted
Posted

Hi all,

Whenever I start IE on Windows 10 I keep getting an eset popup that IE is setting up an outgoing, non-certified connection to as.eu.angsrvr.com.

I scanned the notebook with ESET Internet Security and Malwarebytes  and they both tell me the computer isn't infected with anything.

I tried to google the domain, but unfortunately I can't find a thrustworthy source which tells what the connection is about and how to remove it (if harmfull).

Is this a virus or malware? If yes, does anyone know how to remove it?

Thank you in advance.

Anton

 

 

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,071

Posted
  • Administrators
Posted

Are you getting the pop-up only when launching IE or other browsers as well?

Please provide me with logs collected by ELC to start off.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Appears to be an Amazon backbone server located in Ireland per Robtex:
 

Quote

ANALYSIS

As.eu.angsrvr.com is a CNAME to lb-adselect-1417292246.eu-west-1.elb.amazonaws.com. Lb-adselect-1417292246.eu-west-1.elb.amazonaws.com has eight IP numbers.

IP numbers

The IP numbers are 52.48.23.77, 52.48.187.226, 52.48.224.106, 52.49.106.168, 52.212.137.240, 52.214.89.34, 54.77.167.116 and 54.171.53.34. The PTRs of the IP numbers are ec2-52-48-23-77.eu-west-1.compute.amazonaws.com, ec2-52-48-187-226.eu-west-1.compute.amazonaws.com, ec2-52-48-224-106.eu-west-1.compute.amazonaws.com, ec2-52-49-106-168.eu-west-1.compute.amazonaws.com, ec2-52-212-137-240.eu-west-1.compute.amazonaws.com, ec2-52-214-89-34.eu-west-1.compute.amazonaws.com, ec2-54-77-167-116.eu-west-1.compute.amazonaws.com and ec2-54-171-53-34.eu-west-1.compute.amazonaws.com. The IP numbers are in Dublin, Ireland. They are hosted by Amazon EC2 DUB prefix.

Results found

Angsrvr.com.

If you are running the Eset firewall in Interactive mode, this connection is probably Microsoft dial-out activity from IE for "God only knows" what pupose; most likely telemetry.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
1 hour ago, Antonh said:

But if it is Microsoft dial-out activity everyone should get it, right?

Please clarify what you mean. Are you referring to the fact that IE generates the outbound connection but other browsers do not?

Link to comment
Share on other sites
Antonh

Antonh 0

Posted
  • Author
Posted

I thought you meant the dial-out activity was common behaviour of microsoft. But I guess its not. How do i get rid of it? And is it harmfull? 

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
4 hours ago, Antonh said:

thought you meant the dial-out activity was common behaviour of microsoft. But I guess its not. How do i get rid of it? And is it harmfull? 

Let's start all over again.

Do you have the Eset firewall set to default settings? That is all outbound communication is allowed.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
5 hours ago, Antonh said:

Yes, I use the default settings

The Eset firewall by default allows all outbound connections. However, Eset monitors for connections to malicious domains and also that the certificates used by a domain name are valid.

Next time you receive the Eset popup upon starting IE, take a screen shot of it and post it. This way we can positively id what is going on.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...