
Botnet infection?


This topic is locked. 27 replies to this topic.

#1 Leeonardo

Posted 10 June 2017 - 07:41 AM

Welcome,

I'm listed on 2 DNSBL lists: cbl.abuseat.org and dyna.spamrats.com.
I tried to remove my IP address from cbl.abuseat (I can't do it on dyna.spamrats), but about 24 hours later I was listed again.
I also noticed that the svchost.exe process sometimes connects to a strange IP address: 93.184.220.29.
This IP has very bad opinions on this site:
https://www.abuseipdb.com/check/93.184.220.29.
They report web spam, exploited host, etc.
I scanned my computer with HitmanPro, Malwarebytes Anti-Rootkit, Kaspersky TDSSKiller, Microsoft's Malicious Software Removal Tool, and Comodo Antivirus, and nothing was found.
My operating system is Windows 7 64-bit; for security I use Comodo Internet Security Premium 10. Can someone check my logs and confirm it's all clear? I disabled Comodo while making the logs.
Why am I listed on cbl.abuseat again, and what is the address 93.184.220.29?
I'm sorry, but it looks like the logs are in my native language. I don't know how to change it.
One more question, if you do not mind. Are svchost.exe connections to 255.255.255.255:67 normal?
Regards
T.


#2 Sintharius

Posted 12 June 2017 - 04:16 PM

Welcome to Bleeping Computer's Malware Removal Logs area. My name is Sintharius. I will assist you with your problem.

Below are some rules that you will need to follow while receiving my assistance:
  • I am currently in training, so my responses might be delayed. I will generally reply within 48 hours - if this is not possible, I will let you know.
  • Please do not seek assistance elsewhere without letting me know.
  • Please do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • If you wish to do other interventions, please let me know. I will assist you if possible.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the Follow this topic button, and make sure a tick is in the receive notifications and is set to Instantly. Any replies should be made in this topic by clicking the Reply to this topic button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. Please inform me if you need more time.
  • Please stay with me until I have confirmed that you are clean. Absence of symptoms does not mean that the computer is clean.
  • If you do not agree with any of the above, please let me know so I can have this topic closed.
===

Please allow me some time to review your logs and I will be back with instructions.

#3 Leeonardo

Posted 12 June 2017 - 05:12 PM

Thank you very much for the reply.
The rules are clear to me.
Of course I will wait until you check the logs.



#4 Sintharius

Posted 14 June 2017 - 04:50 PM

Hello Leeonardo,

Which ISP are you using? There is a possibility that your ISP is blacklisted and you are assigned dynamic IPs, so when one of your IPs got whitelisted you get assigned another one.

#5 Leeonardo

Posted 14 June 2017 - 05:25 PM

Hello,

I'm using internet from a local provider. I checked my IP on this site https://www.tcpiputils.com and there I found it's from TK Telekom? I think it's a part of Netia, but I'm not sure, I'm sorry.
I have a static IP. Everywhere I check, my IP is always the same. Are my logs clean? If I'm not part of a botnet, maybe I should call my ISP and ask for another IP?
Really sorry for my quite bad English.


Edited by Leeonardo, 14 June 2017 - 06:08 PM.


#6 Sintharius

Posted 16 June 2017 - 03:35 PM

Hello again,

Is it possible for you to ask someone using the same ISP to check the website to see if they are blacklisted?

#7 Leeonardo

Posted 16 June 2017 - 03:45 PM

Hello,

Unfortunately I don't know anyone who uses this ISP. So I'm not infected and this may be my ISP's fault?


Edited by Leeonardo, 16 June 2017 - 03:45 PM.


#8 Sintharius

Posted 18 June 2017 - 05:09 PM

Hello Leeonardo,

As your log does not show signs of infection, I suspect that the problem might lie with your ISP.

Can you ask your ISP for a new static IP address, then check again to see if you are still blacklisted?

#9 Leeonardo

Posted 18 June 2017 - 06:02 PM

Hello,

I will call my ISP tomorrow and ask for a new IP.
I haven't noticed any problems with browsing sites or sending e-mails. When I saw I was listed on a DNSBL and svchost.exe sometimes connecting to this strange IP, I thought this was an infection.
Thank you for checking the logs and for the advice. I'll let you know how it looks when I get a new IP.



#10 Leeonardo

Posted 20 June 2017 - 06:03 AM

Hello,

I called my ISP yesterday, and they told me they can't change my IP because being on only two lists is not a good reason.
What is interesting: I removed my IP from cbl.abuseat after I called (yesterday in the morning), and yesterday evening it was still clear.
I checked the DNSBL a moment ago and I'm listed again. The CBL website says when I was last detected.
According to them it was last detected at 2017-06-20 08:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.

It's funny because I wasn't home at the time. I returned about 20 minutes ago.
On the CBL website it is written that they are listing my IP because it HELOs as 10.x.3x.2xx (I deliberately replaced part of the IP with x. I have never seen that IP before. If you don't mind, I'll send you the full IP), and this is a violation of RFC2821/5321 section 4.1.1.1, and it's even more frequently a sign of infection, but you said I'm not infected, so that's not it.
I don't know what's going on. As you said, it might be my ISP's fault. Most important is that I'm not infected and I'm not part of a botnet.
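As an added illustration (mine, not from the thread or from the CBL), the two mechanisms the post above mentions can be reproduced in Python: the reversed-octet name a DNSBL lookup resolves, and the RFC 5321 section 4.1.1.1 rule on what a HELO argument may be. The FQDN regex and the 10.5.33.200 sample HELO are assumptions I constructed; 93.184.220.29 is the address named in the thread, and dnsbl_lookup is the only part that needs network access.

```python
import ipaddress
import re
import socket
from typing import Optional

# Constructed sample values for illustration: the address named in the thread
# and a private HELO of the "10.x.3x.2xx" shape the CBL reported.
SAMPLE_IP = "93.184.220.29"
SAMPLE_PRIVATE_HELO = "10.5.33.200"
CBL_ZONE = "cbl.abuseat.org"

def dnsbl_query_name(ip: str, zone: str = CBL_ZONE) -> str:
    """DNSBLs are queried by reversing the IPv4 octets under the zone name."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 zones only")
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_listed(answer: Optional[str]) -> bool:
    """A DNSBL answers with a 127.0.0.0/8 address when listed; NXDOMAIN (None) means clean."""
    return answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def dnsbl_lookup(ip: str, zone: str = CBL_ZONE) -> bool:
    """Live check (needs network): resolve the query name; NXDOMAIN means not listed."""
    try:
        return dnsbl_listed(socket.gethostbyname(dnsbl_query_name(ip, zone)))
    except socket.gaierror:
        return False

# RFC 5321 4.1.1.1: the HELO/EHLO argument must be an FQDN or a bracketed address literal.
_FQDN = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def classify_helo(helo: str) -> str:
    """Explain why a HELO string would or would not satisfy RFC 5321 4.1.1.1.
    A private (RFC 1918) address such as 10.x.x.x is never a valid public identity,
    which is the symptom the CBL flagged in this thread."""
    if _FQDN.match(helo):
        return "fqdn"
    bracketed = helo.startswith("[") and helo.endswith("]")
    try:
        addr = ipaddress.ip_address(helo[1:-1] if bracketed else helo)
    except ValueError:
        return "not-a-hostname-or-address"
    if addr.is_private:
        return "private-address"
    return "address-literal" if bracketed else "bare-ip"
```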



#11 Sintharius

Posted 22 June 2017 - 04:43 AM

Hello Leeonardo,

What is the make and model of your router? It is possible that your router may be infected.

#12 Leeonardo

Posted 22 June 2017 - 12:42 PM

Hello,

To be honest, I don't know what model it is. I have one here on my desk, it's a Tenda 831N, but I'm using it only for Wi-Fi and I reset it to factory settings before I started this topic. And one is mounted on my house. I don't even have a login and password for it.
I checked in Wireless Network Watcher and as the network adapter company it shows Routerboard.com.
Is there any way to check the model, excluding climbing on my house?
If my router were infected, wouldn't I see any signs of it?
My internet works fine; I never saw any redirections, ads, etc.



#13 Sintharius

Posted 23 June 2017 - 02:57 PM

Hello again,

Is it possible for you to ask someone else with login information to reset the router?

#14 Leeonardo

Posted 23 June 2017 - 04:44 PM

Hello,

I will call my ISP again and ask for the login information for my router. If they don't want to give it, I will ask them to come and reset my router themselves.
If my router is infected, a reset should help and the infection shouldn't come back?
What is a router infection? Is it something with DNS, or can it be something else?
What about my passwords? Every day I log in to Gmail and there are no other logins; the IP is always my IP and the hours always match my last login.



#15 Leeonardo

Posted 24 June 2017 - 09:26 AM

Hello,

I called my ISP. This time I got a nice person; I described the situation, he checked my router and said there are no signs of attacks or other suspicious behavior, but he changed my DNS and told me to call if the situation with the DNSBL repeats. If this happens they will change my IP. Well, we will see how it goes.





