
Background:

I have what I believe is a serious malware problem, but virtually all scanning tools won't detect anything, or if they do, they rarely do so consistently. I believe the malware (in some way/shape/form) sets up a VM on my computer and links to the main install with network/sharing manipulation. Just a couple of days ago, I decided to encrypt a partition on an external drive and either the OS partition where my Windows 10 install is or another, but I don't really remember thanks to a distraction. I never received the confirmation and reboot phase when encrypting the OS partition, so it was probably my storage partition I had previously created.
The machine is now behaving almost normally, with the exception of a few things. I was having issues with a couple of websites I was trying to get downloads from and decided to see what netstat listed for connections to my PC. There are several established entries to the same name as my PC, all with connections to ports in the range of 44,000-51,000 over TCP, and then there are a few with regular IP addresses over https. When trying to look up the addresses using WHOIS IP, it is telling me that several are Microsoft, one Verizon (this one is puzzling because I don't have Verizon service), and the others return an error saying there is no "A" records. Please see the netstat output below along with the resolved info for the questionable connections.

Questions:

  1. What does the error 'there is no "A" records' mean?

  2. How do I know the other MS connections are legitimate, and if not, how do I find out more about the owner or connection so I can do something about it other than trying to block that IP address?

source:  whois.arin.net
IP Address:  13.89.187.212
Name:  MSFT
Handle:  NET-13-64-0-0-1
Registration Date:  3/26/15
Range:  13.64.0.0-13.107.255.255
Org:  Microsoft Corporation
Org Handle:  MSFT
Address:  One Microsoft Way
City:  Redmond
State/Province:  WA
Postal Code:  98052
Country:  United States
Name Servers:

Source:  whois.arin.net
IP Address:  72.21.81.200
Name:  EDGECAST-NETBLK-01
Handle:  NET-72-21-80-0-1
Registration Date:  4/23/07
Range:  72.21.80.0-72.21.95.255
Org:  MCI Communications Services, Inc. d/b/a Verizon Business
Org Handle:  MCICS
Address:  22001 Loudoun County Pkwy
City:  Ashburn
State/Province:  VA
Postal Code:  20147
Country:  United States
Name Servers:

Source:  whois.arin.net
IP Address:  204.79.197.222
Name:  ECN-NETWORK
Handle:  NET-204-79-195-0-1
Registration Date:  12/15/94
Range:  204.79.195.0-204.79.197.255
Org:  Microsoft Corporation
Org Handle:  MSFT
Address:  One Microsoft Way
City:  Redmond
State/Province:  WA
Postal Code:  98052
Country:  United States
Name Servers:

Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    127.0.0.1:44117        DESKTOP-5A27A3L:50311      ESTABLISHED
  TCP    127.0.0.1:50277        DESKTOP-5A27A3L:50278      ESTABLISHED
  TCP    127.0.0.1:50278        DESKTOP-5A27A3L:50277      ESTABLISHED
  TCP    127.0.0.1:50279        DESKTOP-5A27A3L:50280      ESTABLISHED
  TCP    127.0.0.1:50280        DESKTOP-5A27A3L:50279      ESTABLISHED
  TCP    127.0.0.1:50281        DESKTOP-5A27A3L:50282      ESTABLISHED
  TCP    127.0.0.1:50282        DESKTOP-5A27A3L:50281      ESTABLISHED
  TCP    127.0.0.1:50286        DESKTOP-5A27A3L:50287      ESTABLISHED
  TCP    127.0.0.1:50287        DESKTOP-5A27A3L:50286      ESTABLISHED
  TCP    127.0.0.1:50311        DESKTOP-5A27A3L:44117      ESTABLISHED
  TCP    127.0.0.1:50452        DESKTOP-5A27A3L:50453      ESTABLISHED
  TCP    127.0.0.1:50453        DESKTOP-5A27A3L:50452      ESTABLISHED
  TCP    192.168.0.100:49677    13.89.187.212:https        ESTABLISHED
  TCP    192.168.0.100:50003    a172-226-208-13:http       CLOSE_WAIT
  TCP    192.168.0.100:50006    a172-226-180-31:https      CLOSE_WAIT
  TCP    192.168.0.100:50007    52.165.171.165:https       ESTABLISHED
  TCP    192.168.0.100:50025    ec2-52-51-170-189:https    ESTABLISHED
  TCP    192.168.0.100:50293    ec2-54-213-168-194:https   ESTABLISHED
  TCP    192.168.0.100:50300    104.16.249.249:https       ESTABLISHED
  TCP    192.168.0.100:50363    52.96.10.82:https          ESTABLISHED
  TCP    192.168.0.100:50378    52.96.10.82:https          ESTABLISHED
  TCP    192.168.0.100:50382    52.96.10.82:https          ESTABLISHED
  TCP    192.168.0.100:50387    52.96.10.82:https          ESTABLISHED
  TCP    192.168.0.100:50522    ec2-52-11-249-239:https    TIME_WAIT
  TCP    192.168.0.100:50528    91.216.218.226:https       TIME_WAIT
  TCP    192.168.0.100:50537    a104-99-238-51:http        TIME_WAIT
  TCP    192.168.0.100:50538    a-0001:https               ESTABLISHED
  TCP    192.168.0.100:50539    72.21.81.200:https         ESTABLISHED
  TCP    192.168.0.100:50540    ec2-52-54-93-130:http      ESTABLISHED
  TCP    192.168.0.100:50541    13.107.136.254:https       ESTABLISHED
  TCP    192.168.0.100:50542    13.107.246.254:https       ESTABLISHED
  TCP    192.168.0.100:50543    204.79.197.222:https       ESTABLISHED
blackpine
  • Welcome. Nothing in the output looks out of the ordinary. Verizon is a major backbone provider and a CDN service, so everyone in America will likely connect to a Verizon network. The problem here is that there is no security issue or concern. What you are needing is first to understand the output of the commands and the underlying technologies, and that's not really what we do here. The results are not "questionable", you just have questions about them. – schroeder Mar 13 '19 at 11:19
  • @schroeder Maybe you can give me advice on what I should do, or which direction I would be best in taking to phrase the question to meet everyone’s needs, or what other indicators to look for that would make a security issue stand out well enough not to be mistaken for anything that would be taken to be normal, because from my end, there is a serious security issue. – blackpine Mar 14 '19 at 19:39
  • @schroeder Without getting into the details of that, what I have been trying to do is to figure out how to remove or stop the malware, and every direction I've taken to date has failed, which is why I am now starting to turn my focus towards the possibility that it isn't resident on my machines and learn more about malware attack vectors from a networking aspect. – blackpine Mar 14 '19 at 19:39
  • @schroeder I don't have many local resources and Stack Exchange is one of few websites I have been able to get answers to questions from people who know what they are talking about. Knowing myself that there is a very real problem, I have difficulties providing what other people need to see for evidence there is a problem, which is due mainly to the lack of their physical presence and to my inexperience. – blackpine Mar 14 '19 at 19:40
  • Sure, I get it, you are in a very frustrating place. But you are trying to take shots in the dark and hoping someone here can tell you if you hit something. That's simply not something that we are set up for. Plus, you are admittedly trying to start an investigation in an area that you know nothing about. We cannot help you understand the concepts that you need to understand so that the investigation makes sense. – schroeder Mar 14 '19 at 19:46
  • @schroeder I appreciate the honesty. Do you know where I can find the help I'm looking for not including a university to get a CS or IT degree? – blackpine Mar 14 '19 at 19:56
  • You kind of said it yourself. You need a qualified person to look at your machine. – schroeder Mar 14 '19 at 20:04
  • @schroeder Thanks for your input; I will retract the question. – blackpine Mar 14 '19 at 20:10

1 Answer


This is probably nothing. Run netstat -aon and see what processes are involved with the network connections.

Why do you believe there is a VM involved? That's quite specific?

SeeYouInDisneyland
JoeBlow
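As an added example (not part of the question or the answer above), the script below parses `netstat -aon` output in the way the answer suggests, on constructed rows modeled on the question's output with made-up PIDs: it collapses the loopback entries, which are two local processes talking to each other through 127.0.0.1 and therefore appear once per direction, and groups the connections that actually leave the host by owning PID, so each PID can then be identified with `tasklist /FI "PID eq <n>"`.

```python
from collections import defaultdict, namedtuple

# Constructed sample in the shape of `netstat -aon` on Windows; the addresses
# echo the question's output, the PIDs are made up for illustration.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:44117        127.0.0.1:50311        ESTABLISHED     4120
  TCP    127.0.0.1:50311        127.0.0.1:44117        ESTABLISHED     4120
  TCP    127.0.0.1:50277        127.0.0.1:50278        ESTABLISHED     3388
  TCP    127.0.0.1:50278        127.0.0.1:50277        ESTABLISHED     3388
  TCP    192.168.0.100:49677    13.89.187.212:443      ESTABLISHED     7212
  TCP    192.168.0.100:50539    72.21.81.200:443       ESTABLISHED     7212
  TCP    192.168.0.100:50543    204.79.197.222:443     ESTABLISHED     9004
  TCP    192.168.0.100:50522    52.11.249.239:443      TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1260
"""

Conn = namedtuple("Conn", "proto local lport foreign fport state pid")

def _split_addr(addr):
    # '192.168.0.100:49677' -> ('192.168.0.100', 49677); '*:*' -> ('*', 0)
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0

def _is_loopback(host):
    return host.startswith("127.") or host == "::1"

def parse_netstat(text):
    """Parse the TCP/UDP rows of `netstat -aon`; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""   # UDP rows carry no state column
        (lhost, lport), (fhost, fport) = _split_addr(parts[1]), _split_addr(parts[2])
        conns.append(Conn(parts[0], lhost, lport, fhost, fport, state, int(parts[-1])))
    return conns

def loopback_pairs(conns):
    """Each local-only TCP session is listed twice (once per direction); collapse to port pairs."""
    return {frozenset((c.lport, c.fport)) for c in conns
            if c.proto == "TCP" and _is_loopback(c.local)}

def outbound_by_pid(conns, states=("ESTABLISHED",)):
    """Group the connections that really leave the host by owning PID, keeping only `states`."""
    out = defaultdict(list)
    for c in conns:
        if c.state in states and not _is_loopback(c.local) and c.foreign != "*":
            out[c.pid].append(f"{c.foreign}:{c.fport}")
    return {pid: sorted(peers) for pid, peers in out.items()}
```

On a real machine, feed the script the saved output of `netstat -aon` instead of `SAMPLE`; a PID that owns unexpected outbound sessions is then the thing to look up, rather than the remote address alone.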