Marcos (Administrators), posted May 12, 2019:
I'd suggest temporarily removing the following apps:
- Discord
- Killer Ethernet Performance Driver Suite UWD
Then you also have a couple of games installed; however, I assume you didn't use any cracks. Also make sure that browser extensions are completely removed, not just disabled. According to the ELC logs you provided, access to the URL was blocked twice and only Chrome attempted to access it.
22. 4. 2019 16:40:53 hxxps://amanda.runtnc.net Blocked by PUA blacklist C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 18.210.42.94
22. 4. 2019 16:33:49 hxxps://amanda.runtnc.net Blocked by PUA blacklist C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 35.169.145.234
15. 4. 2019 19:58:20 hxxs://www.maxonclick.com Blocked by PUA blacklist C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 35.190.68.123
You could try uninstalling Chrome, making sure that the folder "C:\Users\zeman\AppData\Local\Google\Chrome\User Data" doesn't exist and then install Chrome from scratch. Also you could try resetting your router to factory settings and use Google DNS 8.8.8.8 and 8.8.4.4, just in case.

ENDSP1EL (Author), posted May 12, 2019:
I've tried multiple solutions you both have provided. Also reinstalled Chrome just again, plus yes, all my games are from Steam.

ENDSP1EL (Author), posted May 30, 2019:
> On 5/11/2019 at 10:37 PM, itman said:
> Since you already did a Win 10 reset install and the issue still persists, do the following. At least, this will stop the Eset alerts for the time being and allow for hopefully, identifying which process is performing this activity.
> 1. Go to your Eset Filtered Web Sites log and search for all log entries related to amanda.runtnc. Make a note of all IP addresses associated with the log entries. Hopefully, they are all the same IP address or only a few.
> 2. Create an Eset firewall rule to block; i.e. "Deny", "TCP and UDP protocol", and Direction set to "Out." Name your rule something meaningful. Set Logging Severity to "Warning." Do not checkmark the Notify user option, since this will keep giving you alerts. Click on the Remote tab. Navigate to the window labeled IP. Enter each previously noted IP address. If entering multiple IP addresses, enter a comma after the end of the address, a space, and then the next IP address. Do not enter a comma after the last IP address entered. Click on the "OK" tab and every "OK" tab thereafter to save your newly created firewall rule.
> Once a few Eset Network log entries have been created from this firewall, copy those entries and post them into your next forum reply. Hopefully, this will point us to what process is performing this activity.
Where exactly can I find these entries?

itman, posted May 30, 2019:
> 16 minutes ago, ENDSP1EL said:
> Where exactly I can find these entries?
As noted in step 1), the original Eset detections should be shown in the Eset Filtered Web Sites log. If you performed the instructions given in step 2), any resultant detections will be shown in entries contained in the Eset Network protection log.

ENDSP1EL (Author), posted May 30, 2019:
[ESET Network protection log export]

ENDSP1EL (Author), posted May 30, 2019 (edited May 30, 2019):
Dunno if you wanted this @itman

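A way to triage such a Network protection log export offline, added here as an example and not part of any forum post or of ESET's tooling: it filters the rows produced by the named firewall rule, counts remote IPs per application, and emits the comma-and-space list that step 2 of the procedure asks for in the rule's Remote IP field. It assumes a semicolon-delimited export with the Slovak column header seen in this thread; the sample rows are constructed (documentation IP ranges, made-up host and user), and all function names are hypothetical.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Column header as it appears in the Slovak-language export posted in this thread.
HEADER = "Čas;Udalosť;Akcia;Zdroj;Cieľ;Protokol;Názov pravidla/červa;Aplikácia;Používateľ"
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"


def _row(ts, target, rule="Amanda runtnc", app=CHROME, proto="TCP"):
    # Builds one CONSTRUCTED sample row; addresses come from documentation ranges.
    return ";".join([ts, "Komunikácia zamietnutá pravidlom", "Blokované",
                     "192.168.1.10:50000", target, proto, rule, app, r"PC\user"])


SAMPLE = "\n".join([
    HEADER,
    _row("12.05.2019 19:24:21", "203.0.113.10:443"),
    _row("12.05.2019 19:24:21", "203.0.113.20:443"),
    _row("12.05.2019 19:24:21", "198.51.100.7:443"),
    _row("15.05.2019 12:20:10", "203.0.113.10:443"),
    _row("15.05.2019 12:20:10", "198.51.100.7:443"),
    _row("15.05.2019 12:20:10", "203.0.113.20:443"),
    # Unrelated rule and process: must not show up in the summary.
    _row("15.05.2019 12:21:02", "192.0.2.99:53", rule="Other rule",
         app=r"C:\Windows\System32\svchost.exe", proto="UDP"),
])


def parse_rows(text, rule_name):
    """Yield (timestamp, remote_ip, remote_port, application) for rows blocked by rule_name."""
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        if (row.get("Názov pravidla/červa") or "") != rule_name:
            continue
        if (row.get("Akcia") or "") != "Blokované":  # "Blocked"
            continue
        ip, _, port = row["Cieľ"].rpartition(":")  # "Cieľ" = target, as ip:port
        ts = datetime.strptime(row["Čas"], "%d.%m.%Y %H:%M:%S")
        yield ts, ip, int(port), row["Aplikácia"]


def summarise(text, rule_name):
    per_app = defaultdict(Counter)  # application path -> Counter of remote IPs
    bursts = defaultdict(set)       # timestamp -> remote IPs contacted in that second
    for ts, ip, _port, app in parse_rows(text, rule_name):
        per_app[app][ip] += 1
        bursts[ts].add(ip)
    all_ips = sorted({ip for counts in per_app.values() for ip in counts})
    # A burst that touches every known address in the same second is consistent
    # with one hostname that resolves to several addresses.
    full = sum(1 for ips in bursts.values() if ips == set(all_ips))
    return {
        "apps": {app: dict(counts) for app, counts in per_app.items()},
        "remote_field": ", ".join(all_ips),  # no comma after the last address
        "bursts": len(bursts),
        "full_bursts": full,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE, "Amanda runtnc"))
```

If a single application accounts for every blocked row, the process is identified; which component inside it makes the requests (here, a browser extension) still has to be isolated by disabling candidates one at a time.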
Marcos (Administrators), posted May 30, 2019:
You can try uninstalling Chrome and installing it from scratch so that your user profile is created from scratch as well. After installation, make sure that synchronization is disabled. Is the URL still blocked then?

itman, posted May 30, 2019 (edited May 30, 2019):
Try another browser for a while; IE11, Edge, or Firefox. If there are no Eset log entries generated for Amanda runtnc, then this confirms the issue is most likely a malicious Chrome extension or the like. Uninstall Chrome and do as @Marcos just posted recently.
-EDIT- Also reviewing your prior posting, I assume you reinstalled Chrome after you performed the Win 10 reset option. When a Win 10 reset is performed, all existing user accounts and their related files and registry entries are left intact. If you now get blocked Amanda runtnc activity when using other browsers than Chrome, we can assume the source is related to your local admin account directories or registry entries given that is how you log on to Win 10.
Before proposing more radical solutions, I would give both Malwarebytes anti-malware and AdwCleaner a shot to see if they can remove this. Make sure to disable Malwarebytes realtime scanning so it doesn't conflict with Eset's like protection. Then run a scan with both to see if they can find and remove this Amanda runtnc baloney.
Also have you run an "in-depth" scan with Eset to see if it detects and removes this? This should have run automatically after Eset was reinstalled after you performed the Win 10 reset.

ENDSP1EL (Author), posted May 31, 2019:
> 15 hours ago, itman said:
> Try another browser for a while; IE11, Edge, or Firefox. If there are no Eset log entries generated for Amanda runtnc, then this confirms the issue is most likely a malicious Chrome extension or the like. Uninstall Chrome and do as @Marcos just posted recently.
> -EDIT- Also reviewing your prior posting, I assume you reinstalled Chrome after you performed the Win 10 reset option. When a Win 10 reset is performed, all existing user accounts and their related files and registry entries are left intact. If you now get blocked Amanda runtnc activity when using other browsers than Chrome, we can assume the source is related to your local admin account directories or registry entries given that is how you log on to Win 10.
> Before proposing more radical solutions, I would give both Malwarebytes anti-malware and AdwCleaner a shot to see if they can remove this. Make sure to disable Malwarebytes realtime scanning so it doesn't conflict with Eset's like protection. Then run a scan with both to see if they can find and remove this Amanda runtnc baloney.
> Also have you run an "in-depth" scan with Eset to see if it detects and removes this? This should have run automatically after Eset was reinstalled after you performed the Win 10 reset.

> 18 hours ago, Marcos said:
> You can try uninstalling Chrome and installing it from scratch so that your user profile is created from scratch as well. After installation, make sure that synchronization is disabled. Is the URL still blocked then?

I have already tried multiple apps and also the ESET scan. I have a strong feeling that this thing has something to do with a game forum I usually visit. But I doubt that, because it is not some crack, hack or these things type of forum. Link

itman, posted May 31, 2019 (edited May 31, 2019):
Referring back to your log entries, they all appear to be redirects to Amazon servers in the U.S. associated with Massachusetts Institute of Technology. For example, selecting the first two entries yields this from Robtex site lookup:
> We investigated two host names that point to 35.169.145.234. Example: sandra.runtnc.net and amanda.runtnc.net.
> We investigated three host names that point to 18.210.42.94. Example: runtnc.net, sandra.runtnc.net and amanda.runtnc.net.
M.I.T. is one of the premier technical universities in the world. It also does a lot of computer research and does like activities for the U.S. government.
If the Eset alerts for this only occur on certain web sites, I would stay away from those sites.

itman, posted May 31, 2019 (edited May 31, 2019):
Here's another possibility: your router has been hacked with DNSChanger malware. Go to this website: http://www.dcwg.org/detect/ and click on any of the links shown. I didn't see anything posted for Slovak. So you will have to use an English-based site or perhaps German, if you're fluent in that language.
Actually, just use this site for a check: http://www.dns-ok.us/

itman, posted May 31, 2019:
Kaspersky forum also has a posting on this: https://forum.kaspersky.com/index.php?/topic/398092-sarahruntc-blocked/&do=findComment&comment=2815790 .
You really have to do a thorough "house cleaning" on your PC; especially in regards to any programs you have installed in the last few months from questionable sources and that you really don't need. Then proceed to doing likewise for temp directories and browser add-ons and extensions. Whatever this bugger is, it appears to "fly under the detection radar" of most security software.

ENDSP1EL (Author), posted June 2, 2019:
> On 6/1/2019 at 1:00 AM, itman said:
> Kaspersky forum also has a posting on this: https://forum.kaspersky.com/index.php?/topic/398092-sarahruntc-blocked/&do=findComment&comment=2815790 .
> You really have to do a thorough "house cleaning" on your PC; especially in regards to any programs you have installed in the last few months from questionable sources and that you really don't need. Then proceed to doing likewise for temp directories and browser add-ons and extensions. Whatever this bugger is, it appears to "fly under the detection radar" of most security software.
Tried that DNS scan. Everything looks good. I do only run three add-ons: Gmail check, ad blocker and password manager from Google. Plus I do not have any apps from suspicious sources etc., so I am kinda clueless.

itman, posted June 2, 2019:
> 28 minutes ago, ENDSP1EL said:
> I do only run three add ons, Gmail check, ad blocker and password manager from Google
Do this. Temporarily disable all the add-ons in Chrome. If you no longer receive any blocked Eset Network log entries related to runtnc.net, you have found the source. Then one by one enable each add-on, monitoring for any blocked Network log entries until you find the exact source of the activity.

ENDSP1EL (Author), posted June 2, 2019:
> 48 minutes ago, itman said:
> Do this. Temporarily disable all the add-ons in Chrome. If you no longer receive any blocked Eset Network log entries related to runtnc.net, you have found the source. Then one by one enable each add-on, monitoring for any blocked Network log entries until you find the exact source of the activity.
Okay, disabled 'em all. I will update you soon.

ENDSP1EL (Author), posted June 5, 2019:
Seems like after I disabled them ESET stopped showing any logs. It's been clear since 2.6.2019, so should I turn them on one by one now?

itman, posted June 5, 2019:
> 44 minutes ago, ENDSP1EL said:
> Seems like after I disabled them ESET stopped showing any logs. Its been clear since 2.6.2019 so should I turn them on one by one now?
Yes, since it appears the alerts are being generated by one of those add-ons.

ENDSP1EL (Author), posted June 6, 2019:
> On 6/5/2019 at 3:57 PM, itman said:
> Yes, since it appears the alerts are being generated by one of those add-ons.
Enabled the Gmail check https://chrome.google.com/webstore/detail/google-mail-checker/mihcahmgecmbnbcchbopgniflfhgnkff and boom, a few logs already there.

itman, posted June 6, 2019:
> 15 minutes ago, ENDSP1EL said:
> Enabled the gmail check https://chrome.google.com/webstore/detail/google-mail-checker/mihcahmgecmbnbcchbopgniflfhgnkff and boom few logs already there
Interesting. That was my number one suspect initially.

ENDSP1EL (Author), posted June 7, 2019:
> 19 hours ago, itman said:
> Interesting. That was my number one suspect initially.
How come? It is from Google and their official store. Plus it had not been happening before I started this topic here.

itman, posted June 7, 2019:
> 6 minutes ago, ENDSP1EL said:
> How come? It is from Google and their official store. Plus it had not been happening before I started this topic here
"My take" on this runtnc.net issue is that it is some type of redirect tracker interception. Who is "infamous" for tracking activities - Google.

ENDSP1EL (Author), posted June 7, 2019:
> 24 minutes ago, itman said:
> "My take" on this runtnc.net issue is that it is some type of redirect tracker interception. Who is "infamous" for tracking activities - Google.
Should I disable it then? And it is like random because, as I said, I had not had this issue before.

itman, posted June 7, 2019:
> 2 hours ago, ENDSP1EL said:
> Should I disable it then? And is like random because as I said, I had not had this issue before
Here are your choices:
1. Keep adding IP addresses to block with your existing Eset firewall rule whenever an Eset popup alert appears with a new IP address.
2. "Live with" the existing Eset alerts.
3. Remove the Chrome extension.

ENDSP1EL (Author), posted June 7, 2019:
> 47 minutes ago, itman said:
> Here are your choices:
> 1. Keep adding IP addresses to block with your existing Eset firewall rule whenever an Eset popup alert appears with a new IP address.
> 2. "Live with" the existing Eset alerts.
> 3. Remove the Chrome extension.
I've removed it.

ENDSP1EL (Author), posted June 11, 2019:
Unlucky here, I have noticed it has come back. Should I try again to disable my add-ons?