Ongoing IP block



I have a similar problem, but not with such frequency.

Website blocked due to Trojan 

Domain: N/A

Type: Inbound Connection 

IP Address: 185.244.25.108

Port: 8088

Such an alert periodically pops up, usually once a day, from one IP address.

The last time, for some reason, the report indicated svchost.exe in System32, where it should be; I checked, and it is not a virus but a Windows file.

 


  • Root Admin

Hello @Alpharius and :welcome:

I moved your topic out of the other topic as you have a different issue going on. This IP is known to be attacking routers known to have exploit issues. Typically a factory reset will get you control of the router back, but if there is a known exploit then an attacker can come back again and try to take it over again.

I would highly recommend you visit the manufacturer website for support on the router you're using and see if there is a firmware update or known issue.

Thank you

Ron

 


6 hours ago, AdvancedSetup said:

Hello @Alpharius and :welcome:

I moved your topic out of the other topic as you have a different issue going on. This IP is known to be attacking routers known to have exploit issues. Typically a factory reset will get you control of the router back, but if there is a known exploit then an attacker can come back again and try to take it over again.

I would highly recommend you visit the manufacturer website for support on the router you're using and see if there is a firmware update or known issue.

Thank you

Ron

 

I don't quite understand what kind of router we are talking about, because I have a cable connection. Can I get an explanation, if it's not difficult for you?

I just did not encounter a similar problem before, so I don't know what actions I should take.


And I looked more closely at the logs and found that there was not only this IP address but also the following:

1)

Website blocked due to Trojan

Domain: N/A

Type: Inbound Connection

IP Address: 220.194.237.43

Port: 6379

File: None 

First encountered.

2)

Website blocked due to Trojan 

Domain: N/A

Type: Inbound Connection

IP Address: 185.244.25.107

Port: 8088

File: None

Encountered afterwards; I think this is the same person or team as 185.244.25.108.

Sorry for not pointing this out right away, I hope this helps to better understand the problem.

  • Root Admin

When you trace your cable from the wall, what does it go to? Please find the manufacturer name and model number and post back.

Then see if there is another Ethernet cable that goes to another device or not and let us know.

Example of a common modem/switch from an ISP and a switch/router

15 hours ago, AdvancedSetup said:

Hello @Alpharius and :welcome:

I moved your topic out of the other topic as you have a different issue going on. This IP is known to be attacking routers known to have exploit issues. Typically a factory reset will get you control of the router back, but if there is a known exploit then an attacker can come back again and try to take it over again.

I would highly recommend you visit the manufacturer website for support on the router you're using and see if there is a firmware update or known issue.

Thank you

Ron

 

I have 2 embedded WiFi adapters; maybe turning them off will solve the problem?

  • Root Admin

No, that is not the issue. We can scan your system for potential malware which you may have. But the block is coming from a known threat that attempts to take over routers.

Let's go ahead and check your computer too.

 

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


1 minute ago, AdvancedSetup said:

When you trace your Cable from the wall. What does it go to? Please find the Manufacturer Name and Model number and post back.

Then see if there is another Ethernet cable that goes to another device or not and let us know.

Example of a common modem/switch from an ISP and a switch/router

As far as I know, they go to the server, or whatever, of my provider, which only personnel can access; I can try to contact them and find out the necessary information.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/4/19
Scan Time: 1:35 AM
Log File: dd4c831e-9de2-11e9-8131-705ab6d3ac11.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11394
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Windows

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 256434
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 22 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

I just copy-pasted the text log, if you don't mind.

# -------------------------------
# Malwarebytes AdwCleaner 7.3.0.0
# -------------------------------
# Build:    04-04-2019
# Database: 2019-06-28.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    07-04-2019
# Duration: 00:00:26
# OS:       Windows 7 Ultimate
# Cleaned:  17
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\Program Files (x86)\adbanner
Deleted       C:\ProgramData\IOBIT\Driver Booster
Deleted       C:\ProgramData\uBar
Deleted       C:\Users\Windows\AppData\LocalLow\IObit\Advanced SystemCare
Deleted       C:\Users\Windows\AppData\LocalLow\Zynga
Deleted       C:\Users\Windows\AppData\Local\Hostinstaller
Deleted       C:\Users\Windows\AppData\Roaming\IOBIT\Driver Booster
Deleted       C:\Users\Windows\AppData\Roaming\IObit\Advanced SystemCare V8
Deleted       C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\IObit\Advanced SystemCare
Deleted       C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\Advanced SystemCare
Deleted       HKLM\Software\UBar
Deleted       HKLM\Software\Wow6432Node\IObit\Driver Booster
Deleted       HKLM\Software\Wow6432Node\IObit\RealTimeProtector
Deleted       HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}

***** [ Chromium (and derivatives) ] *****

Deleted       Домашняя страница Mail.Ru
Deleted       Домашняя страница Mail.Ru

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [2675 octets] - [04/07/2019 02:42:14]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########


And additional information: in the pop-up messages there are at least 5 different IP addresses, not only the one that attacks routers.

-Website Data-
Category: Trojan
Domain: 
IP Address: 202.97.174.207
Port: [1433]
Type: Inbound
File: 

-Website Data-
Category: Trojan
Domain: 
IP Address: 222.186.174.95
Port: [60001]
Type: Inbound
File: 

-Website Data-
Category: Trojan
Domain: 
IP Address: 185.244.25.140
Port: [5353]
Type: Inbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

-Website Data-
Category: Trojan
Domain: 
IP Address: 185.244.25.140
Port: [123]
Type: Inbound
File: 

-Website Data-
Category: Trojan
Domain: 
IP Address: 185.244.25.140
Port: [389]
Type: Inbound
File: 

 

 

 

 

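As an added example (not code from the thread or from Malwarebytes), the "-Website Data-" alert blocks above can be parsed and grouped by source /24, which shows at a glance whether several addresses belong to one range and which local ports they target; the sample text is constructed from values quoted in this thread, and the /24 grouping is a triage heuristic, not something the alerts themselves state.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in the "-Website Data-" layout quoted in the thread.
SAMPLE_ALERTS = """\
-Website Data-
Category: Trojan
Domain:
IP Address: 185.244.25.140
Port: [5353]
Type: Inbound
File: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe
-Website Data-
Category: Trojan
Domain:
IP Address: 185.244.25.107
Port: [8088]
Type: Inbound
File:
"""

def parse_alerts(text):
    """Return one dict (ip, port, type, file) per '-Website Data-' block."""
    alerts = []
    for block in re.split(r"^-Website Data-[ \t]*$", text, flags=re.M):
        fields = dict(re.findall(r"^([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", block, flags=re.M))
        if "IP Address" not in fields:
            continue  # chunk before the first header, or junk
        port = re.search(r"\d+", fields.get("Port", ""))  # "[8088]" -> 8088
        alerts.append({"ip": fields["IP Address"], "port": int(port.group()) if port else None,
                       "type": fields.get("Type", ""), "file": fields.get("File", "")})
    return alerts

def summarize_by_prefix(alerts, prefixlen=24):
    """Group inbound blocks by source /24: a triage heuristic, since adjacent
    addresses (.107, .108, .140 in the thread) are likely one operator."""
    summary = defaultdict(lambda: {"hits": 0, "ports": set(), "local_files": set()})
    for a in alerts:
        if a["type"].lower() != "inbound":
            continue
        net = str(ip_network(f"{a['ip']}/{prefixlen}", strict=False))
        summary[net]["hits"] += 1
        summary[net]["ports"].add(a["port"])
        if a["file"]:  # local program the alert associated with the socket
            summary[net]["local_files"].add(a["file"])
    return dict(summary)
```

Paste the real pop-up text into `SAMPLE_ALERTS` (or read it from a file) to get the same per-range summary for your own alerts.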

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/4/19
Scan Time: 4:41 PM
Log File: 77551cff-9e61-11e9-a6e4-705ab6d3ac11.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11404
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Windows

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 256558
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 25 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.Agent, C:\WINDOWS\SYSWOW64\USERINIT.EXE, Replaced, [442], [704424],0.0.0

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)



Can this be the cause of these attacks, or did protection just not work this time?

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/4/19
Scan Time: 10:02 PM
Log File: 4ee4f668-9e8e-11e9-86b3-705ab6d3ac11.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11408
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Windows

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 256603
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 22 min, 17 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


 


  • Root Admin

Please post the FRST logs as requested. Please DO NOT copy/paste. Please attach them. The forum software does not always translate logs properly.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 


 

Thanks

Ron

 
