Guided Posted June 22, 2021 Hi, KMS Connection Broker (which appears to be a safe file) wants to connect to IP 10.3.0.20 (which is a private IP). Generally I want to know: if a legitimate program wants to connect to the internet, should we check the site or IP it wants to connect to? Or since it's a legitimate program, can we trust it freely? Thanks
itman Posted June 22, 2021 Do you have any cracked software installed? The legit KMS Connection Broker process, i.e. SppExtComObj.exe, is located in C:\Windows\System32 and is used for license validation processing of Microsoft products. As such, it should only be connecting to IP addresses associated with Microsoft license validation support servers. Edited June 22, 2021 by itman
Guided Posted June 22, 2021 Thanks itman, I don't think so, my Windows 10 is original. Does the existence of this process point to cracked software on the system, or does its request to connect to the internet?
itman Posted June 22, 2021 Are you using a VPN? If so, this IP address assignment might be related to that.
Guided Posted June 22, 2021 When I get this outbound request my VPN is off. It says the reputation is OK and it was discovered 2 weeks ago. But does that mean it confirms 10.3.0.20 (remote computer) is OK too?
itman Posted June 22, 2021 32 minutes ago, Guided said: "But does that mean it confirms 10.3.0.20 (remote computer) is ok too?" To begin, IP addresses in the 10.0.0.0 to 10.255.255.255 range are private IP addresses. Private IP addresses are not routable; i.e. they cannot be used on the Internet. Therefore, IP address 10.3.0.20 is not a remote computer. Open a command prompt window and enter this command: ipconfig /all Are IPv4 addresses shown in this range, 10.0.0.0 to 10.255.255.255? If so, IP address 10.3.0.20 is an IP address on your local subnet network. Edited June 22, 2021 by itman
Guided Posted June 22, 2021 None of the items in the list I got mentions IPv4, except the last one, which is my Wi-Fi IP address. The only addresses I see are physical addresses. What did I do wrong?
itman Posted June 22, 2021 15 minutes ago, Guided said: "None of the items in the list I got mentions ipv4, except last one which is my wifi ip address." Is that address in the 10.0.0.0 to 10.255.255.255 range? Also, are you using a static IPv4 DNS address provided by your ISP? In this case, the router's DHCPv4 server is not used to assign a DNS server IP address from your locally allocated subnet address range.
Guided Posted June 22, 2021 No, it's not in that range. I don't understand your last 2 lines completely, but maybe I can find it out by going to the router's settings? A few weeks ago I assigned a static IP address to one of my devices on my router network to control its bandwidth usage. All other devices, I think, have dynamic IPs.
itman Posted June 22, 2021 14 minutes ago, Guided said: "but maybe I can find it out by going to router's settings?" That would be a good starting point. Another possibility of what's going on is that some type of local hidden proxy activity is occurring on your device. In a local proxy scenario, your outbound Internet traffic would be directed to, for example, IP address 10.3.0.20, and then from there to the actual destination IP address. Hidden local proxies are used for man-in-the-middle interception and/or redirection activities. You might want to check your Windows localhost file for any modifications.
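The triage the two posts above describe, written out as an added example in Python (this is not itman's or the forum's code): classify the destination an alert reports against the private ranges and against the host's own subnets parsed from ipconfig /all output, and flag hosts-file entries that map a name to a private address, the pattern a local interception proxy relies on. The adapter addresses, the hosts entries and the name activation.example.com are constructed samples, not values from the thread.

```python
import ipaddress
import re

# Constructed excerpt of `ipconfig /all` output; real output has more fields.
IPCONFIG_SAMPLE = """\
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IPv4 Address. . . . . . . . . . . : 192.168.1.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Constructed hosts file: a normal loopback entry plus one that points a
# public-looking name at a private address, as a local interception proxy would.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.3.0.20       activation.example.com
"""

IPV4_LINE = re.compile(r"IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)")
MASK_LINE = re.compile(r"Subnet Mask[ .]*: (\d+\.\d+\.\d+\.\d+)")

def local_subnets(ipconfig_text):
    """IPv4 networks this host is directly attached to, per ipconfig output."""
    addrs = IPV4_LINE.findall(ipconfig_text)
    masks = MASK_LINE.findall(ipconfig_text)
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in zip(addrs, masks)]

def classify_destination(dest, ipconfig_text):
    """Return 'public', 'local-subnet' or 'private-not-local' for a destination."""
    ip = ipaddress.ip_address(dest)
    if not ip.is_private:
        return "public"
    if any(ip in net for net in local_subnets(ipconfig_text)):
        return "local-subnet"
    return "private-not-local"  # no interface here can reach it directly

def suspicious_hosts_entries(hosts_text):
    """Names the hosts file maps to a non-loopback private address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        ip = ipaddress.ip_address(addr)
        if ip.is_private and not ip.is_loopback:
            hits.extend(names)
    return hits
```

With the sample above, 10.3.0.20 classifies as private-not-local, which matches the thread: a private address that no local adapter can reach directly points at a local proxy or emulated server rather than at a real remote host.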
itman Posted June 22, 2021 Also, since you reside in Iran, I assume all your Internet traffic is being monitored at the state level. This in itself is man-in-the-middle proxy activity and might be what is happening here.
itman Posted June 22, 2021 I also again ask if KMSpico: http://www.kmsauto.info/kmspico or a similar hacktool is installed on your device. The behavior described is indicative that it is indeed installed. Quoting https://www.adlice.com/kms-activators-analysis/: "Key Management Service (KMS) is used to activate Microsoft products on clients using generic keys against a Volume Activation Service, hosted on a remote server. Legally owned volume licenses are installed on the server and activation is required typically every 180 days to keep the products activated on client machines. For more information, please refer to the Understanding KMS article by Microsoft. Hacktools using KMS activation emulate a fake KMS server on the local computer and trick Microsoft products to activate against it. Products activated this way have a temporarily valid license, and when installing such hacktools, a task is often created to automatically renew it every 60 days." Edited June 22, 2021 by itman
Guided Posted June 23, 2021 11 hours ago, itman said: "I also again ask if KMSpico: hxxp://www.kmsauto.info/kmspico or like hacktool is installed on your device. The behavior described is indicative that it is indeed installed." I went to the adlice site and installed its RogueKiller scanner. It found a few things, including Hotspot Shield (really a virus?), Babylon and an AutoKMS folder containing 2 ini and log files. What should I do now? I think Eset itself didn't detect these because I disabled "potentially unwanted applications".
itman Posted June 23, 2021 Whom did you acquire your PC from? There have been multiple past postings from individuals in the Middle East purchasing their PC from a local computer shop or the like, only to find later that a KMS cracker and/or other software crackers were installed. Your only recourse at this point is to confront whomever you purchased your PC from and demand a legit Windows license. Good luck on that one. As far as Babylon, etc. adware and the like, enable Eset potentially unwanted and unsafe application plus suspicious settings. Then set protection and reporting levels to aggressive for all. Finally, run an Eset On-demand scan as Administrator. Note: you will probably have to set an Eset detection exclusion for any KMS cracking software detected unless you intend to purchase a Windows and/or MS Office license, or you receive one from the source you purchased your device from.
itman Posted June 23, 2021 A final comment in regards to anyone residing in Iran, quoting https://www.microsoft.com/en-us/exporting/overview.aspx: "Without limitation, parties acquiring software from Microsoft are responsible for obtaining all licenses or other approvals necessary for downloading or transfer of the software or use of the service. A party may not transfer the software or services without U.S. Government permission to (a) anyone on the U.S. Treasury Department's lists of Specially Designated Nationals (including the Government of Iran, Government of Cuba, prohibited members of the Cuban Communist Party), or on the U.S. Commerce Department's Denied Persons List, Entity List, or Unverified List, or on the U.S. State Department's Debarred List or Nonproliferation List (see Commerce Lists to Check); or (b) for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles to deliver them." As such, this is one possible reason why a KMS cracker is installed on your device. Additionally, and in regards to the above, Eset is not officially sold or supported to Iranian concerns. Edited June 23, 2021 by itman
Guided Posted June 23, 2021 Thanks itman, Many years ago I purchased the brand new PC with Windows 7 pre-installed, then upgraded to Windows 10 (for free), so Windows is original. The only thing I doubt is that I lent it to my friend for a week, and he might have installed something like Office on it, which must have been uninstalled after, because now there is no Office on it. I will scan it as you suggested; meanwhile I can disallow any suspicious request like KMS Connection Broker in the firewall. Isn't that effective? Or is it possible it can do its activity without my notice? 1 hour ago, itman said: "enable Eset potentially unwanted and unsafe application plus suspicious settings" Please let me know what "suspicious settings" is. Thanks
itman Posted June 23, 2021 I would then uninstall KMSAuto since it appears you have no need for it. Uninstalling KMSAuto should also remove the local proxy server it is using. Note I said "should remove" it. With KMSAuto uninstalled, I see no reason why the KMS Connection Broker process, i.e. SppExtComObj.exe, would run. Hence your outbound IP address 10.3.0.20 traffic should stop. Edited June 23, 2021 by itman
Guided Posted June 24, 2021 Is there a way to remove the local proxy server myself if it didn't remove it, or to check if it exists?
Nightowl (Most Valued Member) Posted June 24, 2021 KMS speaks to itself because the crack modified it to do so. Scanning your computer with PUA (Potentially Unwanted Applications) and Unsafe Applications settings enabled should pick up the crack for you and clear it. Quote: "KMSPico replaces the original key with the volume licensed key and creates an emulated instance of KMS server locally, avoiding online activation. So your Windows system can't connect to the online server and continues to work with that replaced license key, thinking it is the original key." (Jun 4, 2018) Edited June 24, 2021 by Nightowl
Guided Posted June 24, 2021 Thank you.
Guided Posted June 24, 2021 20 hours ago, itman said: "I would then uninstall KMSAuto" There is no uninstall for it; it should be done with a virus scan (if it detects it). Thanks
itman Posted June 24, 2021 4 hours ago, Guided said: "There is no uninstall for it, It should be done with virus scan (if it detects it)." Again, enable all Eset PUA and suspicious settings in real-time protection. Set them to "Aggressive" mode. Perform an On-Demand scan of your entire device as "Administrator." -EDIT- Also, you should be able to uninstall the KMS activator. Look for KMSpico in Win 10 installed programs per this article: https://kmspicopro.com/how-to-uninstall-kmspico/ . If not found there, assume you had a malware version of it installed. Edited June 24, 2021 by itman