Status
Not open for further replies.

"Norton has detected suspicious amount of outbound traffic"

#1 ·
Hey all! So every once in a while I get this pop up:

So I run NPE and the results are always the same.... "Nothing found". After about the 5th time of this happening, I decided to go into the firewall settings to see if I can find anything. I found that a LOT of programs/apps had inbound and outbound access. I went through and blocked everything I was positive didn't need internet access, and everything else I changed to "Inbound only". This seemed to work for a while, then I got another pop up. I went back into firewall settings, and the programs I switched to "Inbound only" now have an "In/Out" rule listed below the "Inbound only" rule and both boxes in front are checked. Anyone have any ideas or suggestions? Are these 2 separate issues? Or are they related? Thanks.

My O/S is Windows 8. I have both Malwarebytes and SUPERAntiSpyware on my machine, and run one or the other every night and both come up empty. (SAS comes up with cookies but that's it. Nothing major)
 

#28 ·
Yeah, so I really do kind of understand what we've been doing and why.... But like I said, I don't really understand how blocking a program that is not running on my computer is supposed to help, but whatever.... you're the tech guy so... Here's the latest log:
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=fa0b0b00e93bc54ea638ea6203fd1ae1
# end=init
# utc_time=2016-05-02 07:04:59
# local_time=2016-05-02 03:04:59 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.2.9200 NT
Update Init
Update Download
Update Finalize
Updated modules version: 29344
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=fa0b0b00e93bc54ea638ea6203fd1ae1
# end=updated
# utc_time=2016-05-02 07:12:32
# local_time=2016-05-02 03:12:32 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.2.9200 NT
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=fa0b0b00e93bc54ea638ea6203fd1ae1
# engine=29344
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2016-05-02 08:31:00
# local_time=2016-05-02 04:31:00 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 17860607 109031081 0 0
# scanned=179192
# found=2
# cleaned=0
# scan_time=4707
sh=1FCEBB2A25802376D0E31F6D1D394A54E6A2AC7B ft=1 fh=e583751185f1d3f1 vn="Win32/FusionCore.D potentially unwanted application" ac=I fn="C:\Temp\Apps\GOMPLAYERENSETUP.EXE"
sh=647DBADBD515855A774AF3F26761E258EFF99074 ft=1 fh=764965207efe06f8 vn="a variant of Win32/AdkDLLWrapper.A potentially unwanted application" ac=I fn="C:\Users\Joel\AppData\Roaming\uTorrent\updates\3.3.2_30303.exe"
 
#29 ·
Can you tell me why you have uTorrent installed, what is its purpose, what do you use it for?.... If you have Malwarebytes Premium installed, or Malwarebytes trial version installed with realtime protection active, then open uTorrent but do not use it to d/l files, Malwarebytes will constantly block it trying to make an outbound connection.
I'm looking for a reason to tell us the answer to an issue that your Firewall is not blocking. One common cause is P2P software....
 
#30 ·
Again, not to be a jerk, but I'm sure you know what uTorrent is, and what it's used for. I personally use it to d.l. ebooks and other books. I've used it for this purpose for years now - at least 10 or more, along with having Malwarebytes (no realtime protection active) installed during that time and have not had any problems until just recently. The only "thing" new to the mix would be NIS, which I've only had for about 2 years now. And again, I've only had the "suspicious outbound activity" warning pop-up within the last month or so. I'm kind of aware of how P2P software works basically. I haven't allowed any of my files or folders to be shared with any program, and only use uTorrent to d.l. files and not seed.
I'm leaning towards getting rid of NIS as you suggested earlier, as I only used it at first because it was free to use during the promotional period of my internet connection. Unfortunately, I have since purchased a year subscription as it seemed to be doing a decent job, up until recently. I still have 6 months left on my subscription and would prefer not to throw that money away, but if that's going to solve this issue, then so be it
 
#31 ·
You're definitely not being a jerk, maybe that ball was in my court asking a question regarding P2P... The problem we have is a Norton popup warning of excessive outbound network activity, yet a bigger problem is finding the root cause..

You have more or less trimmed back to bone outbound connections and yet NIS still gives the warning. Does a definite problem exist or is Norton giving a false alarm. Even using NPE as advised no definite cause is found... Maybe it is worthwhile contacting your ISP and asking them the question..

I have asked for usual logs from typical scanners looking for the root cause, again they are clean with no definite cause....

You could try "CurrPorts" and monitor what is happening yourself, it is a portable tool no installation necessary. Download from the following link and unzip the contents to your Desktop. http://www.nirsoft.net/utils/cports.html
Read the contained instructions for a basic understanding, it is very easy to use..... Right click on the tool and select "Run as Administrator"

When opened you will see your network activity. The easiest way to check what is happening is to "Right click" direct anywhere in the field and select "HTML report - All Items"
That will open the report in an easier to read format, have a look at the connections check the "Established" entries, are any suspicious and not known or recognized by yourself.
Make a note of any unusual or suspicious IP addresses, you can send in reply for me to check or check them yourself at the following link:

http://whois.domaintools.com/

Does that help, is anything obvious found with currports....

Thank you,

Kevin....
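
The check described in the post above (review the "Established" entries and note remote addresses you do not recognise) can also be scripted. This is an added example, not part of the original thread: it reads the output of Windows' built-in `netstat -ano` rather than CurrPorts, the sample listing with its addresses and PIDs is constructed, and `external_established` is a hypothetical helper name.

```python
import ipaddress
from collections import defaultdict

# Ranges that never leave the local machine or LAN; anything else is "external".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample in the layout of Windows `netstat -ano`.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    127.0.0.1:49670        127.0.0.1:5354         ESTABLISHED     2104
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4312
  TCP    192.168.1.20:49713     203.0.113.10:443       ESTABLISHED     4312
  TCP    192.168.1.20:49800     198.51.100.7:6881      ESTABLISHED     5120
  TCP    192.168.1.20:49801     192.168.1.1:80         ESTABLISHED     4312
  TCP    [fe80::1c2%12]:49900   [fe80::1%12]:445       ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1820
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def external_established(netstat_text):
    """Map PID -> sorted list of (remote_ip, remote_port) for ESTABLISHED
    TCP connections whose remote end is outside the local ranges."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        cols = line.split()
        # Headers, UDP rows (no State column) and non-established rows are skipped.
        if len(cols) != 5 or cols[0] != "TCP" or cols[3] != "ESTABLISHED":
            continue
        remote_ip, remote_port = split_endpoint(cols[2])
        if any(remote_ip in net for net in LOCAL_NETS):
            continue
        by_pid[int(cols[4])].add((str(remote_ip), remote_port))
    return {pid: sorted(peers) for pid, peers in by_pid.items()}

if __name__ == "__main__":
    for pid, peers in external_established(SAMPLE).items():
        print(pid, peers)
```

Each PID in the result can be matched to a process name in Task Manager's Details tab, and the remaining remote addresses are the ones to look up with the whois link above.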
 
#32 ·
I'll try the CurrPorts tool for a while and get back to you if I notice anything. That's one of the reasons I used to use ZoneAlarm or something like that. You were able to monitor in/out connections quite closely. I think they stopped developing that firewall. Anyways, thanks for the help
 