mysli Posted December 21, 2018 ID:1288545 (edited)

So I've been getting connections from strange IPs for a long time, and Malwarebytes has always notified me of it and classified the attempts as malware. These attempts would usually happen around 4-5 times a week for the past 5 months or so, and Malwarebytes Premium would show no additional information on the attempts apart from IP and port. Recently, though, these attempts have been much more frequent (3-9 times a day) and coming from different IPs, sometimes even showing domains, which are also different from each other. Instead of saying it was an attempt to infect my PC with malware, it now says it was a Trojan instead. I've scanned my PC with Malwarebytes Premium, AdwCleaner and Avast with no results each time.

Just recently I've been looking into the IPs with different online tools:
https://exchange.xforce.ibmcloud.com/
https://www.virustotal.com/#/home/url

These would show that most of the IPs that Malwarebytes reports as Trojan infection attempts are trying to infect me with "Zero-day" malware. One of the recent IPs I checked was this one, and it seems to be a spam bot (from a botnet, most likely) trying to infect PCs with the Zero-day malware:
https://exchange.xforce.ibmcloud.com/ip/81.18.134.18

Most frightening is the fact that even after using a VPN, or even double proxies, they still manage to connect to me. I'm using NordVPN and even then I am getting spammed. The majority of the attempts only show the type of the malware and the IP, not the domain or the file it was coming from (assuming I have something on my PC that lets them connect to me even after changing my IP address).

So is my PC, information and files in danger with how things are now, or am I safe? Sorry, the text in the image is in Finnish. Also not sure if the topic is in the wrong category; move it if it is.

Edited December 26, 2018 by AdvancedSetup (removed live hyperlinks)
nasdaq Posted December 22, 2018 ID:1288653

Hello, welcome to Malwarebytes. I'm nasdaq and will be helping you. If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Download the version of this tool for your operating system: Farbar Recovery Scan Tool (64 bit) or Farbar Recovery Scan Tool (32 bit), and save it to a folder on your computer's Desktop.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
- In the Reply section at the bottom of the topic, click the "More reply options" button.
- Attach the file: select "Choose a File", navigate to the location of the file, click the file you wish to attach, and click "Attach this file".
- Click the "Add reply" button.

===

Please post the logs for my review. Wait for further instructions.

===

Let me know also if you are syncing this computer with other devices, and whether you are using Chrome, IE or other browsers.
mysli Posted December 23, 2018 Author ID:1288706

A bit of a late reply, but here. Also, I've had a pretty interesting experience happen with my computer twice now. It might be absolutely irrelevant to the problem with the spambots, but my computer has frozen twice in the past 2 months. I don't mean slowing down or anything of the sort: just an absolutely frozen screen, and the power doesn't turn off even when forcibly pressing down the power button on multiple occasions, even for minutes at a time. I've had to pull the cord from the wall to actually shut the computer down. Luckily, so far I've noticed no damage from it.

Attachments: FRST.txt, Addition.txt

mysli Posted December 23, 2018 Author ID:1288708

Using Chrome 99% of the time.
nasdaq Posted December 30, 2018 ID:1289712

Sorry for this long delay. Let me know if you still need help.

mysli Posted January 2, 2019 Author ID:1290125

On 12/30/2018 at 4:29 PM, nasdaq said: Sorry for this long delay. Let me know if you still need help.

It seems that the botnet is alternating between IPs and trying to connect to my computer, and Malwarebytes is blocking these attempts. I just would like to know if there is a possibility of one of those attempts going unnoticed and, if so, what precautions there would be to avoid that. Since using proxies doesn't seem to make any difference for some reason...
nasdaq Posted January 2, 2019 ID:1290149

If the problem persists, it could be a syncing issue. You are probably syncing Chrome with other devices? To remove it, reset the sync in Chrome. Read this article and proceed:

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

mysli Posted January 2, 2019 Author ID:1290181

3 hours ago, nasdaq said: If the problem persists, it could be a syncing issue. You are probably syncing Chrome with other devices? To remove it, reset the sync in Chrome. Read this article and proceed: Chrome Secure Preferences detection always comes back https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

There is only an option to enable sync, so I don't think I have it enabled. Also, when the problem first started I was only using one device with Google.
nasdaq Posted January 3, 2019 ID:1290421 (edited)

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted. Run FRST, click Fix only once, and wait. The tool will create a log (Fixlog.txt); please post it in your reply.

===

After the restart, if the problem persists, run this fix. Launch Notepad and copy/paste all the instructions below into it.
Save in: Desktop
File name: fixme.reg
Save as type: All files
Click: Save

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

(Each "[-KEY]" line deletes that ZoneMap key and its contents; the matching "[KEY]" line that follows it recreates the key empty.)

Then, disconnect from the Internet!

Next, back on the Desktop, double-click on the fixme.reg file you just saved and click Yes when asked to merge the information.

Optional, if the following programs are on your computer: note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you have to re-install IE-SpyAd if installed.

Restart the computer normally. Let me know if the problem persists.

Attachment: fixlist.txt

Edited January 3, 2019 by nasdaq
nasdaq Posted January 7, 2019 ID:1291142

Are you still with me?

AdvancedSetup (Root Admin) Posted January 29, 2019 ID:1295297

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance, please start your own topic in a new thread.

Thanks