
This topic is now archived and is closed to further replies.

ENDSP1EL

runtnc issue


I'd suggest temporarily removing the following apps:

Discord
Killer Ethernet Performance Driver Suite UWD

Then you have also a couple of games installed, however, I assume you didn't use any cracks.

Also make sure that browser extensions are completely removed, not just disabled. According to the ELC logs you provided, access to the URL was blocked twice and only Chrome attempted to access it.

22. 4. 2019 16:40:53    hxxps://amanda.runtnc.net    Blocked by PUA blacklist    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    18.210.42.94   
22. 4. 2019 16:33:49    hxxps://amanda.runtnc.net    Blocked by PUA blacklist    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    35.169.145.234   
15. 4. 2019 19:58:20   hxxs://www.maxonclick.com  Blocked by PUA blacklist    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    35.190.68.123   

You could try uninstalling Chrome, making sure that the folder "C:\Users\zeman\AppData\Local\Google\Chrome\User Data"  doesn't exist and then install Chrome from scratch.

Also you could try resetting your router to factory settings and use Google DNS 8.8.8.8 and 8.8.4.4, just in case.

 

 


I've tried multiple solutions you both have provided. Also reinstalled Chrome just again, plus yes, all my games are from Steam :)

On 5/11/2019 at 10:37 PM, itman said:

Since you already did a Win 10 reset install and the issue still persists, do the following. At least, this will stop the Eset alerts for the time being and allow for hopefully, identifying which process is performing this activity.

1. Go to your Eset Filtered Web Sites log and search for all log entries related to amanda.runtnc.net. Make a note of all IP addresses associated with the log entries. Hopefully, they are all the same IP Address or only a few.

2. Create an Eset firewall rule to block; i.e. "Deny", "TCP and UDP protocol", and  Direction set to "Out." Name your rule something meaningful.

  • Set Logging Severity to "Warning." Do not checkmark the Notify user option, since this will keep giving you alerts.
  • Click on the Remote tab. Navigate to the window labeled IP. Enter each previously noted IP address.  If entering multiple IP addresses, enter a comma after the end of the address, a space, and then the next IP address. Do not enter a comma after the last IP address entered. 

Click on the "OK" tab and every "OK" tab thereafter to save your newly created firewall rule.

Once a few Eset Network log entries have been created from this firewall, copy those entries and post them into your next forum reply. Hopefully, this will point us to what process is performing this activity.

Where exactly can I find these entries?

16 minutes ago, ENDSP1EL said:

Where exactly can I find these entries?

As noted in step 1), the original Eset detections should be shown in the Eset Filtered Web Sites log.

If you performed the instructions given in step 2), any resultant detections will be shown in entries contained in the Eset Network protection log.


Čas;Udalosť;Akcia;Zdroj;Cieľ;Protokol;Názov pravidla/červa;Aplikácia;Používateľ
12.05.2019 19:24:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50830;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
12.05.2019 19:24:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50831;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
12.05.2019 19:24:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50832;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
12.05.2019 19:25:47;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50842;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
12.05.2019 19:25:47;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50843;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
12.05.2019 19:25:47;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50844;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
15.05.2019 12:20:10;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:55933;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
15.05.2019 12:20:10;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:55934;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
15.05.2019 12:20:10;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:55935;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
15.05.2019 12:32:18;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:56214;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
15.05.2019 12:32:18;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:56215;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
15.05.2019 12:32:18;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:56216;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
22.05.2019 17:32:33;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:62965;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
22.05.2019 17:32:33;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:62966;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
22.05.2019 17:32:33;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:62967;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
22.05.2019 17:33:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:62984;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
22.05.2019 17:33:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:62985;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
22.05.2019 17:33:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:62986;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
23.05.2019 16:59:28;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:52601;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
23.05.2019 16:59:28;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:52602;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
23.05.2019 16:59:28;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:52603;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
23.05.2019 16:59:29;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:52604;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
23.05.2019 16:59:29;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:52605;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
23.05.2019 16:59:29;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:52606;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
25.05.2019 17:07:17;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50341;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
25.05.2019 17:07:17;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50342;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
25.05.2019 17:07:17;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50343;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
25.05.2019 17:07:20;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50344;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
25.05.2019 17:07:20;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50345;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
25.05.2019 17:07:20;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50346;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
30.05.2019 16:38:50;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:58004;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
30.05.2019 16:38:50;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:58005;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
30.05.2019 16:38:50;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:58006;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
30.05.2019 16:39:42;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:58029;18.210.42.94:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
30.05.2019 16:39:42;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:58030;54.85.168.127:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
30.05.2019 16:39:42;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:58031;35.169.145.234:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;DESKTOP-G3PJ9UN\matik
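
An added example (not part of the original thread and not ESET tooling): Python that reads a Network protection log exported in the semicolon-delimited layout posted above, reports which application tripped the rule, and builds the comma-and-space address list the firewall rule's IP field expects. The sample rows are constructed with documentation-range addresses, and the function names are hypothetical.

```python
import csv, io, ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the column layout of the exported log (header is localized).
SAMPLE = r"""Čas;Udalosť;Akcia;Zdroj;Cieľ;Protokol;Názov pravidla/červa;Aplikácia;Používateľ
12.05.2019 19:24:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50830;203.0.113.10:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;PC\user
12.05.2019 19:24:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50831;198.51.100.20:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;PC\user
12.05.2019 19:24:21;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:50832;192.0.2.30:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;PC\user
15.05.2019 12:20:10;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:55933;203.0.113.10:443;TCP;Amanda runtnc;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;PC\user
15.05.2019 12:20:11;Komunikácia zamietnutá pravidlom;Blokované;192.168.1.112:55940;192.0.2.99:53;UDP;Other rule;C:\Windows\System32\svchost.exe;PC\user
12.05.2019 19:24:21;truncated line
"""

def parse_network_log(text):
    """Yield (time, remote_ip, remote_port, rule, application) for each well-formed row."""
    rows = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    next(rows, None)  # header names depend on the UI language, so read columns by position
    for row in rows:
        if len(row) != 9:
            continue  # blank or truncated line
        host, _, port = row[4].rpartition(":")
        try:
            when = datetime.strptime(row[0], "%d.%m.%Y %H:%M:%S")
            ip = str(ipaddress.ip_address(host.strip("[]")))
            yield when, ip, int(port), row[6], row[7]
        except ValueError:
            continue  # unparseable timestamp, address or port

def summarize(text, rule_name):
    """Per application: remote IPs hit, blocked attempts, and distinct minutes with activity."""
    out = defaultdict(lambda: {"ips": set(), "hits": 0, "bursts": set()})
    for when, ip, _port, rule, app in parse_network_log(text):
        if rule == rule_name:
            entry = out[app]
            entry["ips"].add(ip)
            entry["hits"] += 1
            entry["bursts"].add(when.replace(second=0))
    return dict(out)

def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version, int(ip)

def rule_ip_field(ips):
    """Comma and a space between addresses, nothing after the last one."""
    return ", ".join(sorted(set(ips), key=_sort_key))

def update_rule(existing_field, seen_ips):
    """Merge newly observed addresses into the rule's current IP field text."""
    current = [p.strip() for p in existing_field.split(",") if p.strip()]
    return rule_ip_field(current + list(seen_ips))

if __name__ == "__main__":
    for app, info in summarize(SAMPLE, "Amanda runtnc").items():
        print(app, info["hits"], "blocked,", len(info["bursts"]), "bursts")
        print("IP field:", rule_ip_field(info["ips"]))
```
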
 


You can try uninstalling Chrome and installing it from scratch so that your user profile is created from scratch as well. After installation, make sure that synchronization is disabled. Is the url still blocked then?


Try another browser for a while; IE11, Edge, or Firefox.

If there are no Eset log entries generated for Amanda runtnc, then this confirms the issue is most likely a malicious Chrome extension or the like. Uninstall Chrome and do as @Marcos just posted recently.

-EDIT- Also reviewing your prior posting, I assume you reinstalled Chrome after you performed the Win 10 reset option.

When a Win 10 reset is performed, all existing user accounts and their related files and registry entries are left intact. If you now get blocked Amanda runtnc activity when using other browsers than Chrome, we can assume the source is related to your local admin account directories or registry entries given that is how you log on to Win 10. Before proposing more radical solutions, I would give both Malwarebytes anti-malware and AdwCleaner a shot to see if they can remove this. Make sure to disable Malwarebytes realtime scanning so it doesn't conflict with Eset's like protection. Then run a scan with both to see if they can find and remove this Amanda runtnc baloney.

Also have you run an "in-depth" scan with Eset to see if it detects and removes this? This should have run automatically after Eset was reinstalled after you performed the Win 10 reset.

15 hours ago, itman said:

Try another browser for a while; IE11, Edge, or Firefox.

If there are no Eset log entries generated for Amanda runtnc, then this confirms the issue is most likely a malicious Chrome extension or the like. Uninstall Chrome and do as @Marcos just posted recently.

-EDIT- Also reviewing your prior posting, I assume you reinstalled Chrome after you performed the Win 10 reset option.

When a Win 10 reset is performed, all existing user accounts and their related files and registry entries are left intact. If you now get blocked Amanda runtnc activity when using other browsers than Chrome, we can assume the source is related to your local admin account directories or registry entries given that is how you log on to Win 10. Before proposing more radical solutions, I would give both Malwarebytes anti-malware and AdwCleaner a shot to see if they can remove this. Make sure to disable Malwarebytes realtime scanning so it doesn't conflict with Eset's like protection. Then run a scan with both to see if they can find and remove this Amanda runtnc baloney.

Also have you run an "in-depth" scan with Eset to see if it detects and removes this? This should have run automatically after Eset was reinstalled after you performed the Win 10 reset.

 

18 hours ago, Marcos said:

You can try uninstalling Chrome and installing it from scratch so that your user profile is created from scratch as well. After installation, make sure that synchronization is disabled. Is the url still blocked then?

 

I have already tried multiple apps and also the ESET scan. I have a strong feeling that this thing has something to do with a game forum I usually visit. But I doubt that, because it is not some crack, hack or these things type of forum.  Link


Referring back to your log entries, they all appear to be redirects to Amazon servers in the U.S. associated with Massachusetts Institute of Technology. For example, selecting the first two entries yields this from Robtex site lookup:

Quote

We investigated two host names that point to 35.169.145.234. Example: sandra.runtnc.net and amanda.runtnc.net.

We investigated three host names that point to 18.210.42.94. Example: runtnc.net, sandra.runtnc.net and amanda.runtnc.net.

M.I.T. is one of the premier technical universities in the world. It also does a lot of computer research and does like activities for the U.S. government.

If the Eset alerts for this only occur on certain web sites, I would stay away from those sites.


Here's another possibility: your router has been hacked with DNSChanger malware.

Go to this website: http://www.dcwg.org/detect/ and click on any of the links shown. I didn't see anything posted for Slovak. So you will have to use an English-based site or perhaps German, if you're fluent in that language.

Actually, just use this site for a check: http://www.dns-ok.us/


Kaspersky forum also has a posting on this: https://forum.kaspersky.com/index.php?/topic/398092-sarahruntc-blocked/&do=findComment&comment=2815790 .

You really have to do a thorough "house cleaning" on your PC; especially in regards to any programs you have installed in the last few months from questionable sources and that you really don't need. Then proceed to doing likewise for temp directories and browser add-on and extensions.

Whatever this bugger is, it appears to "fly under the detection radar" of most security software.

On 6/1/2019 at 1:00 AM, itman said:

Kaspersky forum also has a posting on this: https://forum.kaspersky.com/index.php?/topic/398092-sarahruntc-blocked/&do=findComment&comment=2815790 .

You really have to do a thorough "house cleaning" on your PC; especially in regards to any programs you have installed in the last few months from questionable sources and that you really don't need. Then proceed to doing likewise for temp directories and browser add-on and extensions.

Whatever this bugger is, it appears to "fly under the detection radar" of most security software.

Tried that DNS scan. Everything looks good, I do only run three add ons, Gmail check, ad blocker and password manager from Google. Plus I do not have any apps from suspicious sources etc so I am kinda clueless :D

28 minutes ago, ENDSP1EL said:

I do only run three add ons, Gmail check, ad blocker and password manager from Google

Do this.

Temporarily, disable all the add-ons in Chrome. If you no longer receive any blocked Eset Network log entries related  to runtnc.net, you have found the source. Then one by one enable each add-on monitoring for any blocked Network log entries until you find the exact source of the activity.

48 minutes ago, itman said:

Do this.

Temporarily, disable all the add-ons in Chrome. If you no longer receive any blocked Eset Network log entries related  to runtnc.net, you have found the source. Then one by one enable each add-on monitoring for any blocked Network log entries until you find the exact source of the activity.

Okay, disabled em all. I will update you soon


Seems like after I disabled them ESET stopped showing any logs. It's been clear since 2.6.2019 so should I turn them on one by one now?

44 minutes ago, ENDSP1EL said:

Seems like after I disabled them ESET stopped showing any logs. It's been clear since 2.6.2019 so should I turn them on one by one now?

Yes, since it appears the alerts are being generated by one of those add-ons.

19 hours ago, itman said:

Interesting. That was my number one suspect initially.

How come? It is from Google and their official store. Plus it had not been happening before I started this topic here

6 minutes ago, ENDSP1EL said:

How come? It is from Google and their official store. Plus it had not been happening before I started this topic here

"My take" on this runtc.net issue is that it is some type of redirect tracker interception. Who is "infamous" for tracking activities - Google.

24 minutes ago, itman said:

"My take" on this runtc.net issue is that it is some type of redirect tracker interception. Who is "infamous" for tracking activities - Google.

Should I disable it then? And is like random because as I said, I had not had this issue before

2 hours ago, ENDSP1EL said:

Should I disable it then? And is like random because as I said, I had not had this issue before

Here's your choices:

1. Keep adding IP addresses to block with your existing Eset firewall rule whenever an Eset popup alert appears with a new IP address.

2. "Live with" the existing Eset alerts.

3. Remove the Chrome extension.

47 minutes ago, itman said:

Here's your choices:

1. Keep adding IP addresses to block with your existing Eset firewall rule whenever an Eset popup alert appears with a new IP address.

2. "Live with" the existing Eset alerts.

3. Remove the Chrome extension.

I've removed it


Unlucky here, I have noticed it has come back. Should I try again to disable my add ons?

 
