
5.61.45.152 / 195.22.26.231



I do not know if these are false positives or not:
IP 1: 5.61.45.152
IP 2: 195.22.26.231
 
The PC is running Windows 7 x64. Windows updates through Nov. 2013 are installed. Active protection is AVG, Malwarebytes, Spybot, and ZoneAlarm. It is encrypted.
 
I was downloading Linux Mint 16 Cinnamon via a mirror from the official Linux Mint website in Maryland, USA at the time when Malwarebytes blocked the first IP. I was also copying data to some flash drives and SD cards that had not been connected to any other PC at the time. Malwarebytes had updated minutes before. The attempt to connect to a malicious IP by SVCHost.exe is the only symptom of a possible infection. No new software has been added.
 
The PC initially tried to connect to the first IP. I let the download complete and disconnected from the network. I scanned the PC with Malwarebytes, Spybot, and AVG. Nothing was found during any of the scans except for a leftover folder from a Conduit Toolbar infection a couple months ago.
 
I reconnected to the same network and the problem persisted. Over the next week I scanned the PC with Malwarebytes, Spybot, AVG, Avira, Avast, Comodo, Bitdefender, Dr. Web Cure It, Junkware Removal, MBAR, RKBuster, TDSSKiller, Root Kit Revealer, BKit, VBA32 Anti-Rootkit, Avast Antirootkit, FARBAR, SpyHunter, Rogue Killer, ADW Cleaner, CWShredder, and ComboFix. No malicious items were detected. I used process explorer to find what programs were using SVCHost.exe and it appeared that only Windows and antimalware programs had access to it during this time.
 
Once I reconnected, the PC continued to attempt to connect to the first IP. I researched the IP and found it was once used to distribute a virus associated with the RIPE network that was prominent about six years ago, but nothing recently. A scan with VirusTotal showed no malicious activity. I also found that it connected to a server in Frankfurt, Germany. I removed Dexpot and Ashampoo (German software) and the problem continued.
 
At this point, the PC attempted to contact the second blocked IP, but not as often as the first. The server the new IP is associated with is in Lisbon, Portugal. VirusTotal showed some malicious activity associated with it. A post on Reddit suggests this IP is a command and control server for CryptoLocker. Also, the frequency of attempts to connect picked up to every 3-5 minutes.
 
I backed up a few documents to an external HDD. The PC was wiped with DBAN. I restored the PC from a clean backup image from July 2013. The PC was scanned with several antivirus rescue discs before booting into Windows. I re-installed MS Office, a few open source chemistry programs, and performed offline updates for the antimalware programs. I connected to a network at another house and used FileHippo and Ninite to update other programs, such as iTunes. The PC was online for 2.5 hours.
 
I disconnected from the network and restored data from my external drive. The next day, I connected to the original network. Within five minutes the PC was again trying to connect to both IPs.
 
I let a friend who works in IT take a look. He scanned it with F-Secure, verified the MD5 hashes of the system files were correct, and found nothing obviously malicious in OTL and HijackThis logs.
 
I realize that the malware (if that is what it is) may have re-infected the PC after the wipe and restore via my external HDD or the LAN; however, I have connected the flash drives that I used on that PC to another and it shows no signs of infection.
 
Before I do anything else, I would like to make sure this is not a false positive. Thank you for your help. I am sorry for lack of brevity. I try not to ask for help unless I am sure I need it.
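One defender-side check for the svchost.exe question above, added here as an example and not taken from the poster or the forum: on Windows 7, `netstat -ano` reports the PID behind every connection and `tasklist /svc` lists which services each svchost.exe instance hosts, so joining the two narrows "svchost.exe" down to a short list of candidate services to investigate. The sample outputs below are constructed for illustration, not captures from the poster's PC, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# The two blocked addresses from the post.
WATCH_IPS = {"5.61.45.152", "195.22.26.231"}

# Constructed sample of `netstat -ano` output (Windows 7 layout), not a real capture.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49210      5.61.45.152:80         SYN_SENT        1080
  TCP    192.168.1.5:49211      195.22.26.231:443      ESTABLISHED     1080
  TCP    192.168.1.5:49215      74.125.224.72:443      ESTABLISHED     2412
"""

# Constructed sample of `tasklist /svc` output; long service lists wrap onto
# indented continuation lines, which the parser joins back to their PID.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    880 RpcEptMapper, RpcSs
svchost.exe                   1080 AeLookupSvc, BITS, CertPropSvc, gpsvc,
                                   iphlpsvc, LanmanServer, Schedule, wuauserv
firefox.exe                   2412 N/A
"""

def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, hosted services) from `tasklist /svc` output."""
    table: Dict[int, Tuple[str, List[str]]] = {}
    last_pid = None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)  # "image  PID  services"
        if m:
            last_pid = int(m.group(2))
            table[last_pid] = (m.group(1), [])
            line = m.group(3)
        elif not (line.startswith(" ") and last_pid is not None):
            continue  # header, separator or blank line
        names = [s.strip() for s in line.split(",") if s.strip() not in ("", "N/A")]
        table[last_pid][1].extend(names)
    return table

def find_suspect_connections(netstat_text: str, tasklist_text: str, watch_ips) -> List[dict]:
    """Return each connection to a watched IP with the owning PID, image and services."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""  # UDP rows have no state column
        ip, _, port = parts[2].rpartition(":")
        if ip in watch_ips:
            image, services = procs.get(int(parts[-1]), ("<unknown>", []))
            hits.append({"proto": parts[0], "ip": ip, "port": int(port), "state": state,
                         "pid": int(parts[-1]), "image": image, "services": services})
    return hits
```

On the affected machine, feed the real `netstat -ano` and `tasklist /svc` output to `find_suspect_connections` instead of the samples; a hit whose service list is only Windows Update or BITS reads very differently from one hosted by an unfamiliar service.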
