
Whenever an internet connection is established on my PC, I am repeatedly getting warnings from QuickHeal like this:

[image: QuickHeal warning dialog]

I am getting such warnings repeatedly with different IP addresses. In the above image one of them is shown. These warnings appear even just after startup when no apps are open except the ones that start at startup.

I decided to investigate and here are some of my observations:

A reverse DNS lookup of the IP addresses revealed that the domain name for most of them is of the form `torNN.quintex.com`, where NN is a number like 48 or 90 (different for different IP addresses against which warnings were received).

I tried to track the process which established the connection using the `netstat -ano` command and found their PIDs. Then I tried to kill the processes with the PID, but it showed that the process doesn't exist. On observing a bit more, I noticed that the processes making the connections were terminating instantaneously. My guess is that some other process is spawning these processes that are sending the request and terminating. So I tried to find the parent PIDs using `netstat -ano && wmic process get ProcessID,ParentProcessID`, but even then, the PIDs found by the first command didn't show up in the second one, probably because the processes terminated before their PPIDs could be captured by the second command.

The behavior of these processes and the presence of "tor" in the domain name and URL path led me to the conclusion that this might be because of some malware, and I am quite worried about it. I also saw a high fraud risk score here. But I don't know how to get rid of it and am still unable to find the process that is spawning the other instantaneously terminating processes.

Can someone please guide me on how to find the cause and get rid of it?

Platform: Windows 11

DevRish
  • Does this answer your question? [Help! My home PC has been infected by a virus! What do I do now?](https://security.stackexchange.com/questions/138606/help-my-home-pc-has-been-infected-by-a-virus-what-do-i-do-now) – mentallurg Nov 26 '22 at 05:42
  • Could you be using a TOR web browser? – Artem S. Tashkinov Nov 27 '22 at 07:16

0 Answers
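The problem the question runs into, processes that exit before `netstat`/`wmic` polling can pair a PID with its parent, is best solved by recording the parent at process-creation time rather than polling afterwards. The following is an added example, not code from the question or from any answer on this page. It subscribes to `Win32_ProcessStartTrace` events (which fire for every new process, however short-lived) and logs PID, name, PPID and parent name to a CSV, then joins live TCP connections to the flagged addresses against that log. It assumes an elevated PowerShell session on Windows, an arbitrary log path under `$env:TEMP`, and that the caller passes in the IP addresses shown in the AV dialogs (the addresses in the usage comment are RFC 5737 documentation placeholders, not values from the page).

```powershell
# Added example (not from the question or any answer). Attribute short-lived
# outbound connections to the process that spawned them.
# Assumptions: elevated PowerShell 5.1+ on Windows; log path is arbitrary;
# the remote IPs are whatever the AV dialogs reported.

$script:TracePath = Join-Path $env:TEMP 'process-start-trace.csv'   # assumed path

# (1) Log every process start as it happens. Win32_ProcessStartTrace fires at
# creation, so a process that exits within milliseconds is still recorded with
# its parent. The -Action block runs in its own runspace, so the log path is
# handed over via -MessageData rather than a script-scope variable.
Register-CimIndicationEvent -ClassName 'Win32_ProcessStartTrace' `
    -SourceIdentifier 'ProcStart' -MessageData $script:TracePath -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # The parent may itself have exited already; tolerate a failed lookup.
        $parent = Get-CimInstance Win32_Process `
                      -Filter "ProcessId = $($e.ParentProcessID)" -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }
        [pscustomobject]@{
            Time        = (Get-Date).ToString('o')
            PID         = [int]$e.ProcessID
            ProcessName = $e.ProcessName
            PPID        = [int]$e.ParentProcessID
            ParentName  = $parentName
        } | Export-Csv -Path $Event.MessageData -Append -NoTypeInformation
    } | Out-Null

# (2) Join current TCP connections to the flagged addresses against the log.
function Get-ConnectionOwner {
    param(
        [Parameter(Mandatory)] [string[]] $RemoteAddress,   # IPs from the AV popups
        [string] $TracePath = $script:TracePath
    )
    # Index log rows by PID; later rows overwrite earlier ones, so a reused PID
    # resolves to the most recently started process with that number.
    $byPid = @{}
    if (Test-Path $TracePath) {
        foreach ($row in Import-Csv $TracePath) { $byPid[[int]$row.PID] = $row }
    }
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $RemoteAddress -contains $_.RemoteAddress } |
        ForEach-Object {
            $owner = [int]$_.OwningProcess
            $row   = $byPid[$owner]
            $live  = Get-Process -Id $owner -ErrorAction SilentlyContinue
            $name  = if ($row) { $row.ProcessName } elseif ($live) { $live.ProcessName } else { '<exited>' }
            $ppid  = if ($row) { [int]$row.PPID } else { $null }
            $pname = if ($row) { $row.ParentName } else { '<not captured>' }
            [pscustomobject]@{
                Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State       = $_.State
                PID         = $owner
                ProcessName = $name
                PPID        = $ppid
                ParentName  = $pname
            }
        }
}

# (3) Once the child process name is known, see which parents keep spawning it.
function Get-SpawnSummary {
    param([Parameter(Mandatory)] [string] $ChildName,
          [string] $TracePath = $script:TracePath)
    if (-not (Test-Path $TracePath)) { return }
    Import-Csv $TracePath |
        Where-Object { $_.ProcessName -eq $ChildName } |
        Group-Object ParentName, PPID |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage, after letting the subscription run across a few of the AV warnings
# (203.0.113.10/11 are placeholder addresses, not values from the question):
#   Get-ConnectionOwner -RemoteAddress '203.0.113.10','203.0.113.11' | Format-Table
#   Get-SpawnSummary -ChildName 'example.exe'     # placeholder child name
#   Unregister-Event -SourceIdentifier 'ProcStart'  # stop logging when done
```

Because the log is written at creation time, the join in step 2 works even when the connecting process is already gone by the time the TCP table is read; step 3 then answers the question actually being asked, which parent is responsible. The same parent/child correlation is available from Sysmon (event ID 1 for process creation with parent image and command line, event ID 3 for network connections) if a persistent, tamper-resistant record is preferred over an ad-hoc WMI subscription, and the parent that the summary surfaces can then be checked against the machine's startup entries with Sysinternals Autoruns.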