Antonh, Posted April 18, 2018

Hi all,

Whenever I start IE on Windows 10 I keep getting an ESET popup that IE is setting up an outgoing, non-certified connection to as.eu.angsrvr.com. I scanned the notebook with ESET Internet Security and Malwarebytes and they both tell me the computer isn't infected with anything. I tried to google the domain, but unfortunately I can't find a trustworthy source which tells what the connection is about and how to remove it (if harmful).

Is this a virus or malware? If yes, does anyone know how to remove it?

Thank you in advance.

Anton

Marcos (Administrators), Posted April 18, 2018

Are you getting the pop-up only when launching IE or other browsers as well? Please provide me with logs collected by ELC to start off.

Antonh (Author), Posted April 18, 2018

Yes, I only get it when I use IE. Attached the generated file by ELC.

eis_logs.zip

itman, Posted April 18, 2018

Appears to be an Amazon backbone server located in Ireland per Robtex:

Quote

ANALYSIS
As.eu.angsrvr.com is a CNAME to lb-adselect-1417292246.eu-west-1.elb.amazonaws.com. Lb-adselect-1417292246.eu-west-1.elb.amazonaws.com has eight IP numbers.

IP numbers
The IP numbers are 52.48.23.77, 52.48.187.226, 52.48.224.106, 52.49.106.168, 52.212.137.240, 52.214.89.34, 54.77.167.116 and 54.171.53.34. The PTRs of the IP numbers are ec2-52-48-23-77.eu-west-1.compute.amazonaws.com, ec2-52-48-187-226.eu-west-1.compute.amazonaws.com, ec2-52-48-224-106.eu-west-1.compute.amazonaws.com, ec2-52-49-106-168.eu-west-1.compute.amazonaws.com, ec2-52-212-137-240.eu-west-1.compute.amazonaws.com, ec2-52-214-89-34.eu-west-1.compute.amazonaws.com, ec2-54-77-167-116.eu-west-1.compute.amazonaws.com and ec2-54-171-53-34.eu-west-1.compute.amazonaws.com. The IP numbers are in Dublin, Ireland. They are hosted by Amazon EC2 DUB prefix.

Results found
Angsrvr.com.

If you are running the Eset firewall in Interactive mode, this connection is probably Microsoft dial-out activity from IE for "God only knows" what purpose; most likely telemetry.

Edited April 18, 2018 by itman

Antonh (Author), Posted April 19, 2018

But if it is Microsoft dial-out activity everyone should get it, right?

itman, Posted April 19, 2018

1 hour ago, Antonh said:
But if it is Microsoft dial-out activity everyone should get it, right?

Please clarify what you mean. Are you referring to the fact that IE generates the outbound connection but other browsers do not?

Antonh (Author), Posted April 19, 2018

I thought you meant the dial-out activity was common behaviour of Microsoft. But I guess it's not. How do I get rid of it? And is it harmful?

itman, Posted April 19, 2018

4 hours ago, Antonh said:
I thought you meant the dial-out activity was common behaviour of Microsoft. But I guess it's not. How do I get rid of it? And is it harmful?

Let's start all over again. Do you have the Eset firewall set to default settings? That is, all outbound communication is allowed.

Antonh (Author), Posted April 21, 2018

Yes, I use the default settings.

itman, Posted April 21, 2018

5 hours ago, Antonh said:
Yes, I use the default settings

The Eset firewall by default allows all outbound connections. However, Eset monitors for connections to malicious domains and also that the certificates used by a domain name are valid.

Next time you receive the Eset popup upon starting IE, take a screen shot of it and post it. This way we can positively id what is going on.