
219.139.81.6 started being blocked last 2 days


gun86


Hi,

For the last two days the Malwarebytes application has been blocking the same IP (also when not using a web browser), with different ports. This never happened before, except once. The problem then disappeared after a couple of updates of Malwarebytes had been installed (after a couple of days).

I don't know which application this IP belongs to, and I have performed a full scan with Malwarebytes. No infected file was found.

Could you please check whether this report of the IP 219.139.81.6 is a false positive? Could you also please determine which application it belongs to? And how can I solve this problem?

IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 64359, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 50761, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 58328, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 49314, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 59206, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 63119, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 64773, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 59334, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 56655, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 50066, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 57342, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 60577, Process: svchost.exe)
IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 53895, Process: svchost.exe)


Hello gun86:

At this point not enough information is available to tell which process is calling one of your many probable instances of svchost.exe, but the IP address does go to a location in Mainland China.

This indication leads to the conclusion that your system may be infected. Here are the steps needed to get your computer cleaned:

Please read the following so that you can begin the cleaning process:

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start your own topic in the Malware Removal - HijackThis Logs subforum so a qualified expert can help you fix any malware related problems/infections you may have.

  • Please read and CAREFULLY follow the , skipping any steps you are unable to complete. Then post a .

  • After posting your new post, make sure under options you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.

  • One of the there will give you one-on-one assistance when one becomes available.

  • Please refrain from making any further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

NOTE:
Please DO NOT post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count, and helpers are looking for topics with zero replies. If you reply to your own post, helpers may think that you're already being helped and thus overlook your post.

    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.

      Or

    • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer, you can contact the help desk at or .

OPTION 3

If you would like to use our Malwarebytes Premium Services (comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups), go to our support site.

Please be patient, someone will assist you as soon as it is possible.

PS: Please use the Add-Reply.png button instead of other ones when you start replying. :)


This IP is associated with a trojan that downloads additional malware from URLs such as:

219.139.81.6/nba/image.jpg

As mentioned, please follow the instructions to have your machine checked and cleaned.

You can identify the offending process using netstat (Start > Run > type cmd, right-click cmd.exe in the list and select "Run as administrator"):

netstat -ovbna

The ovb switches are the only ones needed, but na will give additional info.

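To illustrate the netstat check suggested above, here is an added example that is not from the thread or from Malwarebytes: a small Python script that parses Malwarebytes IP-BLOCK lines and successive `netstat -ano` snapshots, then reports which PID was talking to 219.139.81.6 on a local port that Malwarebytes also logged. The log lines and netstat output below are constructed sample data; on a live machine each snapshot would be the output of running netstat, and several snapshots are examined because the connection is short-lived and a single run can easily miss it.

```python
import re

WATCHED_IP = "219.139.81.6"  # the address reported in the thread

# One Malwarebytes IP-BLOCK line, in the format quoted in the first post.
BLOCK_RE = re.compile(r"IP-BLOCK (\S+) \(Type: (\w+), Port: (\d+), Process: ([^)]+)\)")
# One 'netstat -ano' row: proto, local ip:port, remote ip:port, optional state, PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Constructed sample data (not real captures): two IP-BLOCK lines and two
# netstat snapshots, the first taken while the connection was not active.
BLOCK_LOG = [
    "IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 64359, Process: svchost.exe)",
    "IP-BLOCK 219.139.81.6 (Type: outgoing, Port: 50761, Process: svchost.exe)",
]
SNAP_QUIET = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1324"""
SNAP_HIT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:64359     219.139.81.6:80        SYN_SENT        1324
  TCP    192.168.1.10:49700     10.0.0.5:443           ESTABLISHED     4012"""

def parse_block_ports(log_lines, watched_ip=WATCHED_IP):
    """Local ports Malwarebytes reported for watched_ip."""
    return {int(m.group(3)) for m in map(BLOCK_RE.search, log_lines)
            if m and m.group(1) == watched_ip}

def parse_netstat(snapshot):
    """Yield (local_port, remote_ip, pid) for each data row of a netstat snapshot."""
    for line in snapshot.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            yield int(m.group(3)), m.group(4), int(m.group(7))

def find_owner_pids(snapshots, watched_ip=WATCHED_IP):
    """Accumulate {pid: sorted local ports} seen talking to watched_ip across snapshots.
    A single snapshot often shows nothing because the connection is transient."""
    owners = {}
    for snap in snapshots:
        for lport, rip, pid in parse_netstat(snap):
            if rip == watched_ip:
                owners.setdefault(pid, set()).add(lport)
    return {pid: sorted(ports) for pid, ports in owners.items()}

def corroborated_pids(owners, block_ports):
    """PIDs whose local port matches a port Malwarebytes logged for the block."""
    return {pid for pid, ports in owners.items() if block_ports & set(ports)}

if __name__ == "__main__":
    owners = find_owner_pids([SNAP_QUIET, SNAP_HIT])
    print(owners, corroborated_pids(owners, parse_block_ports(BLOCK_LOG)))
```

The PID returned can then be looked up with netstat -b or Task Manager to see which svchost.exe instance (and which services it hosts) made the connection.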

Hello 1PW and MysteryFCM,

The IP 219.139.81.6 is not listed in the results of the command "netstat -ovbna".

1PW says, "enough information is not available" and MysteryFCM says "This IP is associated with a trojan". MysteryFCM, are you sure that this IP is associated with a trojan? If yes, what harm can this trojan do? And why didn't the Malwarebytes scanner and other virus/malware scanners find any infected files/applications?

I am a paying customer of Malwarebytes; should I then use Option 2? In the past I have requested support via email, and they all redirected me to this False Positives forum, because they said it has to do with IP addresses and they couldn't do anything about it. So what should I do? How can I fix this?


Hello gun86:

When I said enough information was not available, I meant that we didn't know exactly which system process was calling svchost.exe, which is attempting to send data packets to IP 219.139.81.6, and that's still true.

MysteryFCM has many years' experience in this area and is quite an authoritative expert in these matters. If he suspects a Trojan, I would heed his advice. New malware is released to the wild at the rate of perhaps one every few minutes. You may wish to do a full scan of your system in Normal (not Safe) mode with the latest MBAM definitions. Repeat with your anti-virus application.

Here is an authoritative description of Trojan Horse malware.

All three resolution paths are still open to you. As to your past experiences with email support, all cases have different facts, and you may wish to cite this forum thread to whoever you choose to help.

HTH :)


Hello 1PW and MysteryFCM,

The IP 219.139.81.6 is not listed in the results of the command "netstat -ovbna".

1PW says, "enough information is not available" and MysteryFCM says "This IP is associated with a trojan". MysteryFCM, are you sure that this IP is associated with a trojan? If yes, what harm can this trojan do? And why didn't the Malwarebytes scanner and other virus/malware scanners find any infected files/applications?

If the IP isn't listed, it's likely there are no current connections (these never connect constantly). You'd need to monitor it and check when you got the IP block, or run Wireshark and check that when the block occurred.

It most definitely is associated with a trojan, yes. As to what harm it can do, these typically send back, for example, stolen login credentials, credit card and other payment details (e.g. when you enter them into your bank's website form). Without knowing what variant you have, it's impossible to say (the original identification of this IP was way back in 2009, and there have been many variations since).

In the case of this IP, it was used to download additional malware, so most connections only occurred once (additional connections were only attempted if the first was unsuccessful).
