dragokas / hijackthis

A free utility that finds malware, adware and other security threats

Home Page: http://hjt.sf.net

Troubles with a lot network connections

Freezer-tech opened this issue · comments

Welcome!
Thank you for joining the VIRUSNET association support section.


BEFORE ASKING FOR HELP, READ THIS INSTRUCTION CAREFULLY:


Step 1: Show us the required logs (for PC cure only):

Step 2: Describe your problem in detail:

  1. What did you do before the problem occurred: I scanned the system with an antivirus and checked with Sysinternals tools whether I have something unknown installed. I saw with Wireshark that I'm connected to many hosts.
  2. What programs (browsers) are affected by the problem: I cannot tell if it is a real problem; I would like to limit the outgoing connections.
  3. Steps to reproduce: Open Wireshark and see a ton of connections.
  4. Expected behavior: Completely eliminate all unnecessary connections.
  5. If applicable, add screenshots to help explain your problem.
    CollectionLog-2023.07.25-11.24.zip

Hi,
please also include a screenshot of the Wireshark window, the part where you think the illegal connections appear.
We'll return to you as soon as possible.


Please note that only members of VIRUSNET-Association are allowed to respond to PC cure topics.
Ignore any recommendations given by other users, including PM !!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form or you can leave feedback in Guestbook.

Where did you download AutoLogger from?
The CheckBrowserLNK tool in its archive is really outdated. I'm unsure how such an old version got there.

Can you upload AutoLogger.zip file to somewhere and provide us a link, please?

Hi,
below you find a screenshot of Wireshark; would it be useful to attach a log file? I downloaded the file from here:

https://www.safezone.cc/resources/autologger-regist-drongo.59/
http://dragokas.com/php/Autologger/AutoLogger.zip

image

I've selected the wrong interface, I'm sorry, this is the VMware loopback. I've stopped the running services but it's still going on.

These are broadcast packets (destination == *.*.*.255) over your local network (172.18.* and 172.19.* belong to a local network, likely your VPN service or, yeah, VMware machine traffic). Usually it is designed that way to let other applications discover the service and announce their own state.

Hello,
Please uninstall PUP

Bonjour

It comes along with Apple software, but it is needed only for Apple TV and sometimes causes problems on Windows systems.
After that:
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Please rename file FRST64.exe -> FRSTEnglish.exe

  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce logs called FRST.txt and Addition.txt in the same directory the tool is run from.
  • Please attach the logs back here.

this is the VMware loopback

OK, then show us the same with VM switched off.

Thank You :-) I exported the Wireshark logging as logging.csv and attached FRST.txt and Addition.txt. I've already uninstalled the Bonjour service by typing in cmd: winget uninstall Bonjour

FRST.txt
Addition.txt
logging.csv

Let's do some small "housekeeping" things (no obvious signs of infection were found).

Temporarily turn off any antivirus.
Highlight following code:

Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
HKU\S-1-5-21-2304713397-1698732955-1042293715-1001\...\MountPoints2: {2770e6b5-7efb-11ec-8269-2c56dc391060} - "K:\autorun.exe" 
HKU\S-1-5-21-2304713397-1698732955-1042293715-1001\...\MountPoints2: {461ba1af-6244-11ec-825b-2c56dc391060} - "L:\vs_professional.exe" 
HKU\S-1-5-21-2304713397-1698732955-1042293715-1001\...\MountPoints2: {77ae1eda-8223-11ec-826d-2c56dc391060} - "M:\setup.exe" 
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
ProxyServer: [S-1-5-21-2304713397-1698732955-1042293715-1001] => http=127.0.0.1:21218;https=127.0.0.1:21218
EmptyTemp:
Reboot:
End::

Copy highlighted text (right click - Copy).
Run FRSTEnglish.exe as Administrator.
Press Fix button once and wait. Program will create (Fixlog.txt). Attach it to the next post.

PC will reboot.

Fixlog attached.

Fixlog.txt

Well, we don't have a centralized service to make a batch analysis of IP addresses. If only a specific one, it's possible.
Attached is the list of unique IPs/hosts your PC is connected to; however, it requires manual research we can't provide.
My only suggestion is to install a firewall such as NetLimiter or some free alternative to be able to track which application makes a connection and to have the ability to selectively block it if you are still suspicious. Be aware that a system like Windows 10/11 makes a lot of legitimate (or almost legitimate) connections itself, such as telemetry; however, blocking them may break specific Windows features. To minimize such activity the following projects may be interesting for you (however, do not take this as an official recommendation); the tools below are used only at your own risk, and backups and restore points are strongly suggested before using them:
https://github.com/adolfintel/Windows10-Privacy
https://github.com/TheWorldOfPC/Windows11-Debloat-Privacy-Guide

srv.txt
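As an added example (not part of this thread or of the HiJackThis project), the following Python script performs the first-pass triage described in the replies above on a Wireshark CSV export such as logging.csv: it separates broadcast and private-network packets (the *.*.*.255 and 172.18.*/172.19.* traffic explained earlier) from connections to external hosts and lists the unique external destinations that would still need manual research. The column names follow Wireshark's default "Export Packet Dissections -> As CSV" layout; the sample rows and addresses are constructed for the example.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows in Wireshark's default CSV export layout.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","172.18.0.1","172.18.255.255","UDP","86","5353 -> 5353 Len=44"
"2","0.004120","172.19.0.5","172.19.255.255","NBNS","92","Name query NB WORKGROUP<1d>"
"3","0.010000","192.168.1.10","255.255.255.255","DHCP","342","DHCP Discover"
"4","0.020000","192.168.1.10","93.184.216.34","TCP","66","51000 -> 443 [SYN]"
"5","0.030000","192.168.1.10","93.184.216.34","TLSv1.3","583","Client Hello"
"6","0.040000","192.168.1.10","192.168.1.1","DNS","74","Standard query A example.com"
"7","0.050000","192.168.1.10","13.107.4.50","TCP","66","51001 -> 80 [SYN]"
"""


def classify(dst: str) -> str:
    """Sort a destination address into a triage bucket."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return "non-ip"  # hostname (name resolution enabled) or empty field
    # Limited broadcast, plus the /24-style "x.x.x.255" heuristic used in the thread.
    if ip == ipaddress.ip_address("255.255.255.255") or dst.endswith(".255"):
        return "broadcast"
    if ip.is_multicast or ip.is_link_local or ip.is_loopback:
        return "local-scope"  # mDNS/SSDP, APIPA, localhost: never leaves the host/LAN
    if ip.is_private:
        return "private"  # RFC 1918, including 172.16.0.0/12 used by VMware/VPN adapters
    return "external"


def triage(csv_text: str):
    """Return per-bucket packet counts and a Counter of unique external destinations."""
    buckets = Counter()
    external = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row["Destination"])
        buckets[kind] += 1
        if kind == "external":
            external[row["Destination"]] += 1
    return buckets, external


if __name__ == "__main__":
    buckets, external = triage(SAMPLE_CSV)
    print("packets by bucket:", dict(buckets))
    print("external hosts to research manually:", dict(external))
```

Point `triage()` at the contents of a real logging.csv to get the same breakdown; only the "external" list is worth the manual lookup the helpers describe.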