Jump to content

Getting spammed with zero-day malware from a botnet.


mysli

Recommended Posts

So I've been getting connections from strange IP's for a long time and Malwarebytes has always notified me of it and classified the attempts as malware. These attempts would usually happen around 4-5 times a week for the past 5 months or so and Malwarebytes Premium would show no additional information on the attempts apart from IP & Port.

Recently though these attempts have been much more frequent (3-9 times a day) and coming from different IP's and sometimes even showing domains which also are different from each other. Instead of saying it was an attempt to infect my PM with malware it now says it was a Trojan instead. I've scanned my PC with Malwarebytes Premium, Adwcleaner and Avast with no results each time. Just recently I've been looking into the IP's with different online tools:

https://exchange.xforce.ibmcloud.com/

https://www.virustotal.com/#/home/url

 

These would show that most of the IP's that Malwarebytes would inform me as Trojan infect attempts are trying to infect me with the Zero-day malware. 

One of the recent IP's I had checked was this and it seems to be a spam bot (from a botnet most likely) trying to infect PC's with the Zero-day malware.

 

 

https://exchange.xforce.ibmcloud.com/ip/81.18.134.18

 

 

Most frightening is the fact that after after using a VPN or even double proxies they still manage to connect to me. I'm using NordVPN and even then I am getting spammed. Majority of the attempts only show the type of the malware and the IP. Not domain or the file it was coming from (assuming I have something on my PC that lets them connect to me through changing my IP address.

 

So is my PC, information and files in danger with how things are now, or am I safe?

 

 

 Sorry the text on the image is in Finnish. Also not sure if the topic is in a wrong category, move it if it is.

asd.thumb.JPG.4648cfa6198c78ec090c2e9cbc5b5c42.JPG

 

 

 

 

 

 

 

 asd.thumb.JPG.4648cfa6198c78ec090c2e9cbc5b5c42.JPG

Edited by AdvancedSetup
Removed live hyperlinks
Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions
===

Let me know also if you are Syncing this computer with other devices.
Using Chrome, IE or other browsers.

Link to post
Share on other sites

A bit late reply but here.

 

Also I've had a pretty interesting experience happen with my computer twice now. It might be absolutely irrelevant to the problem with the spambots but my computer has frozen twice in the past 2 months now. I don't mean like slowing down or anything of sorts. Just absolutely frozen screen, power doesn't turn off even when forcibly pressing down the power button on multiple occasions even for minutes at times. I've had to pull the cord from the wall to actually close the computer. Luckily so far I've notice no damage happen from it.

FRST.txt

Addition.txt

Link to post
Share on other sites

On 12/30/2018 at 4:29 PM, nasdaq said:

Sorry for this long delay.

Let me know if you still nee help.

 

It seems it seems that the botnet is alternating between IP's and is trying connect to my computer and Malwarebytes is blocking these attempts. 

 

I just would like to know if there is a possibility of one of those attempts to go unnoticed and if so what precautions would there be to avoid that. Since using proxies doesn't seem to make any difference for some reason...

Link to post
Share on other sites

If the problem persists it could be a Syncing issue.
You are probably Syncing Chrome with other devices?
To remove it reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

Link to post
Share on other sites

3 hours ago, nasdaq said:

If the problem persists it could be a Syncing issue.
You are probably Syncing Chrome with other devices?
To remove it reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

There is only an option to enable sync so I don't think I have it enabled.

Also at first when when the problem started I was only using one device using google.

Link to post
Share on other sites


Hi,

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

After the restart if the problem persists run this fix.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.

Let me know if the problem persists.


 

fixlist.txt

Edited by nasdaq
Link to post
Share on other sites

  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.