Antonh

Malware? As.eu.angsrvr.com


Hi all,

Whenever I start IE on Windows 10 I keep getting an ESET popup that IE is setting up an outgoing, non-certified connection to as.eu.angsrvr.com.

I scanned the notebook with ESET Internet Security and Malwarebytes and they both tell me the computer isn't infected with anything.

I tried to google the domain, but unfortunately I can't find a trustworthy source which tells what the connection is about and how to remove it (if harmful).

Is this a virus or malware? If yes, does anyone know how to remove it?

Thank you in advance.

Anton

 

 


Are you getting the pop-up only when launching IE or other browsers as well?

Please provide me with logs collected by ELC to start off.


Yes, I only get it when I use IE. Attached the generated file by ELC.

eis_logs.zip


Appears to be an Amazon backbone server located in Ireland per Robtex:
 

Quote

ANALYSIS

As.eu.angsrvr.com is a CNAME to lb-adselect-1417292246.eu-west-1.elb.amazonaws.com. Lb-adselect-1417292246.eu-west-1.elb.amazonaws.com has eight IP numbers.

IP numbers

The IP numbers are 52.48.23.77, 52.48.187.226, 52.48.224.106, 52.49.106.168, 52.212.137.240, 52.214.89.34, 54.77.167.116 and 54.171.53.34. The PTRs of the IP numbers are ec2-52-48-23-77.eu-west-1.compute.amazonaws.com, ec2-52-48-187-226.eu-west-1.compute.amazonaws.com, ec2-52-48-224-106.eu-west-1.compute.amazonaws.com, ec2-52-49-106-168.eu-west-1.compute.amazonaws.com, ec2-52-212-137-240.eu-west-1.compute.amazonaws.com, ec2-52-214-89-34.eu-west-1.compute.amazonaws.com, ec2-54-77-167-116.eu-west-1.compute.amazonaws.com and ec2-54-171-53-34.eu-west-1.compute.amazonaws.com. The IP numbers are in Dublin, Ireland. They are hosted by Amazon EC2 DUB prefix.

Results found

Angsrvr.com.

If you are running the Eset firewall in Interactive mode, this connection is probably Microsoft dial-out activity from IE for "God only knows" what purpose; most likely telemetry.

Edited by itman
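
An added example, not part of the original posts: a Python check over the DNS records in the Robtex quote above, confirming that the CNAME target is an AWS load-balancer name in eu-west-1 and that every PTR embeds its own IP address and the same region. The function names and regular expressions are assumptions of this example; the record values are copied from the quote.

```python
import ipaddress
import re

# Records copied from the Robtex analysis quoted in the post above.
CNAME_TARGET = "lb-adselect-1417292246.eu-west-1.elb.amazonaws.com"
PTRS = {
    "52.48.23.77": "ec2-52-48-23-77.eu-west-1.compute.amazonaws.com",
    "52.48.187.226": "ec2-52-48-187-226.eu-west-1.compute.amazonaws.com",
    "52.48.224.106": "ec2-52-48-224-106.eu-west-1.compute.amazonaws.com",
    "52.49.106.168": "ec2-52-49-106-168.eu-west-1.compute.amazonaws.com",
    "52.212.137.240": "ec2-52-212-137-240.eu-west-1.compute.amazonaws.com",
    "52.214.89.34": "ec2-52-214-89-34.eu-west-1.compute.amazonaws.com",
    "54.77.167.116": "ec2-54-77-167-116.eu-west-1.compute.amazonaws.com",
    "54.171.53.34": "ec2-54-171-53-34.eu-west-1.compute.amazonaws.com",
}

# Assumed name shapes for this example: <lb>.<region>.elb.amazonaws.com and
# ec2-<a>-<b>-<c>-<d>.<region>.compute.amazonaws.com (as seen in the quote).
REGION = r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
ELB_RE = re.compile(r"^[a-z0-9-]+\." + REGION + r"\.elb\.amazonaws\.com\.?$")
PTR_RE = re.compile(r"^ec2-(?P<ip>\d+-\d+-\d+-\d+)\." + REGION
                    + r"\.compute\.amazonaws\.com\.?$")

def elb_region(name):
    """Region encoded in a load-balancer DNS name, or None if it is not one."""
    m = ELB_RE.match(name.lower())
    return m.group("region") if m else None

def ptr_claim(ptr):
    """(ip, region) encoded in an EC2 PTR name, or None if it does not parse."""
    m = PTR_RE.match(ptr.lower())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip").replace("-", "."))
    except ValueError:
        return None
    return str(ip), m.group("region")

def summarize(cname_target, ptrs):
    """List addresses whose PTR disagrees with the address or the ELB region."""
    region = elb_region(cname_target)
    mismatched = [ip for ip, ptr in ptrs.items() if ptr_claim(ptr) != (ip, region)]
    # A clean result shows where the endpoint is hosted (shared cloud
    # infrastructure); it does not by itself say who operates the service.
    return {"elb_region": region, "addresses": len(ptrs), "mismatched": mismatched}

if __name__ == "__main__":
    print(summarize(CNAME_TARGET, PTRS))
```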


But if it is Microsoft dial-out activity everyone should get it, right?

1 hour ago, Antonh said:

But if it is Microsoft dial-out activity everyone should get it, right?

Please clarify what you mean. Are you referring to the fact that IE generates the outbound connection but other browsers do not?


I thought you meant the dial-out activity was common behaviour of Microsoft. But I guess it's not. How do I get rid of it? And is it harmful?

4 hours ago, Antonh said:

I thought you meant the dial-out activity was common behaviour of Microsoft. But I guess it's not. How do I get rid of it? And is it harmful?

Let's start all over again.

Do you have the Eset firewall set to default settings? That is, all outbound communication is allowed.


Yes, I use the default settings

5 hours ago, Antonh said:

Yes, I use the default settings

The Eset firewall by default allows all outbound connections. However, Eset monitors for connections to malicious domains and also that the certificates used by a domain name are valid.

Next time you receive the Eset popup upon starting IE, take a screenshot of it and post it. This way we can positively ID what is going on.

