How can I block hacker's IP?

Closed
Original poster: Member, 18 posts, registered Friday June 2, 2017, last seen June 5, 2017
Moderator: 47367 posts, registered Monday February 1, 2010, last seen September 1, 2021
I was scammed. I thought those scammers were really from Microsoft, so I let them connect remotely to my computer. I don't know what they installed on it.

After I realized that it was a scam, I reset my computer, cleaned all the drives and reinstalled Windows 10. I thought whatever virus I had should have gone away.

But I typed in “netstat -ano” in command prompt, and I still see this:

Proto Local Address Foreign Address State PID
TCP 192.168.1.9:49792 111.221.29.253:443 ESTABLISHED 6752
TCP 192.168.1.9:49793 111.221.29.254:443 ESTABLISHED 6752

I looked up the PID in Task Manager; it is the DiagTrack service, which is like a key logger, right? And the IP that's connected to it, 111.221.29.254, has been reported 8 times on AbuseIpDb.com.

I don’t know why after I totally reset my computer, this IP is still connected to me.

I thought about blocking this IP by modifying the hosts file.

I used “nslookup 111.221.29.254” but couldn’t find the hostname for this ip.

Server: NF4V.Home
Address: 192.168.1.1

*** NF4V.Home can't find 111.221.29.254: Non-existent domain


Is there any way I can block this IP from connecting to my computer?

Is there any way I can block this IP from my router?

18 replies
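The two practical questions in the original post (which service owns the connection, and how to block a remote address) are not actually answered anywhere in the thread. The following PowerShell is an example added here by the editor; it is not part of any post. It runs in an elevated prompt on Windows 10, uses the address quoted above, and the rule name and the choice of Windows Defender Firewall for the block are the editor's assumptions.

```powershell
# Added example (not from the thread). Run as Administrator on Windows 10.
# Maps an established TCP connection to its owning process and the services
# hosted in that process, then blocks the remote address with a firewall rule.
$RemoteIp = '111.221.29.254'   # address quoted in the thread; replace as needed

# 1. Who owns the connection? (PowerShell equivalent of netstat -ano + Task Manager)
$conns = Get-NetTCPConnection -RemoteAddress $RemoteIp -State Established -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    # svchost.exe hosts many services; list the ones running inside this PID
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
            Select-Object -ExpandProperty Name
    $line = '{0}:{1} -> {2}:{3}  PID {4} ({5})  services: {6}' -f @(
        $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort,
        $c.OwningProcess, $proc.ProcessName, ($svcs -join ', ')
    )
    Write-Output $line
}

# 2. Block traffic to and from that address (rule name is an assumption).
$ruleName = "Block $RemoteIp"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -RemoteAddress $RemoteIp -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$ruleName (inbound)" -Direction Inbound -Action Block `
        -RemoteAddress $RemoteIp -Profile Any | Out-Null
}

# 3. Verify the rules exist, then re-check for connections to the address.
Get-NetFirewallRule -DisplayName "$ruleName*" | Select-Object DisplayName, Direction, Action, Enabled
Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue
```

Two caveats a practitioner would add. The hosts file maps names to addresses, so it cannot block a connection to a bare IP; a firewall rule on the machine (or on the router) is the right tool for that. And an svchost.exe PID hosting DiagTrack talking to TCP 443 is exactly what Windows telemetry looks like, so map the PID to its services and check who owns the address before treating the connection as an intrusion; a small number of user-submitted abuse reports is not on its own evidence of compromise.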

Moderator:
Hello

The attack came from Hong Kong and they faked a Microsoft address. Mean and smart, isn't it?

I would suggest that you do the following:

1. Turn off your internet connection.

2. Completely reset your router connection, like a new connection installation.

3. Reconnect to internet

4. Go to the command prompt, type ipconfig /release and press Enter.

5. Still in the command prompt, type ipconfig /renew and press Enter.

If you can still find the fake, let me know and we shall make a deeper analysis.

Good luck
Original poster:
Thanks for the reply. I will try what you suggested to reset the IP and let you know the result soon. :)

So like I said in the original post, I got scammed and I let the scammers connect remotely to my PC.

But I realized that it was a scam right after and what I've done was: I changed to a brand new router, I completely reset all 3 of my computers at home.

Since everything was reset, I thought the problem should have been solved. No matter what they installed on my PC, it has all vanished now.

But now I still see those malicious IPs connected to my computers.

What could be the reason that the hacking was not stopped by all the reset?
Moderator:
Yes, please let me know after you have tried what I suggested before.
Original poster:
Ok I'll try it first thing in the morning.

In the morning all my devices would be off. So what you mean in Step 2, "Completely reset your router connection, like a new connection installation", is that I should do a factory reset of the router, is that right? I think I need to do the factory reset while the router's power is on, right?
Moderator:
I would think that you did step 2 when you installed the new router.
Original poster:
You mean I can start from step 4 now and go to the command prompt and type in the ipconfig commands now? Can I do that from any one of the computers in my house?
Moderator:
Good question! I had forgotten about the other units. Ensure that the other computers are off. Start with the main computer and tell me if the ip has changed.
Original poster:
Yes I can do that in the morning.

Actually the new router is not brand new by now. I installed it 4 days ago. Do you think it's better to do a factory reset since it's 4 days old or do you still consider it as new and I can go ahead with the ipconfig commands in the morning without doing factory reset?
Moderator:
Reset is the safest.
Original poster:
I've just tried it. After I typed "ipconfig /release" the internet disconnected. Then after I typed "ipconfig /renew" the internet was reconnected. So this is the normal process?

But after I'd done all that, the IP didn't change.

My ISP told me that what I have is dynamic ip, if I turn off modem for more than 6 hours it will change to another ip. But I tried turning off the modem for up to 10 hours and the ip still didn't change.

What can I do now?

BTW, you said that the hacker faked a Microsoft address, but someone told me that "hackers can't change the global registration databases of who owns what IPs". Is that true?

But that IP 111.221.29.254 and also 111.221.29.253 have both been reported more than once on AbuseIpDb.com.
Moderator:
Your ISP is right, but explained it wrong. Go to the command prompt, type ipconfig /release, then turn off your modem and wait 6 hours.

Yes, hackers are very savvy when it comes to making trouble.

What they wanted was access to your personal data, like online banking, or use your machine to commit crime.

Let me know about the above, if your ip has not changed, let me know and we will try something else.

You should also release the ip on all computers.
Original poster:
Do I need to type "ipconfig /release" on all computers? Or can I turn all the devices off, leaving only one main computer on, and release the IP on that main computer?

So what I need to do, is type "ipconfig /release" and then turn off both computer and the modem. Wait for 6 hours. And then turn on the modem and the computer, and then type "ipconfig /renew". Is that the right process?

Some people keep telling me that 111.221.29.254 and also 111.221.29.253 are not malicious IPs because they belong to Microsoft. But they have been reported on AbuseIpDb.com. Do you think they are malicious?
Moderator:
Read again my previous reply carefully, especially my last sentence.

You will not need to type ipconfig/renew, a new ip will be assigned to you when you connect to internet.

You should not have a Microsoft ip on any computer unless you are connected to the Microsoft network because you work for Microsoft.
Original poster:
Yes I will follow what you said and try it tomorrow before I go to sleep.

Actually my IP changed to a new one on the same day I received my new modem from my ISP. I was happy about that. But that night before I went to sleep I turned off the modem and thought that I might just get another new random IP the next morning. But the next morning I turned on the modem and found out that the IP had just changed back to the old one again. I was very worried and I did the same thing the next evening before I went to sleep, which is turn off the modem again. But the next morning the IP stayed the same.

I didn't do any "ipconfig" for ip to change from the new ip back to the old one.

It seemed like the change of ip had nothing to do with me turning off the modem. I don't know what was going on with my ISP.

After the scam I logged into my router and checked the system log, I don't really understand the information in the system log but I can see lots of words like "alert", "intrusion" in it.

The good thing is I logged into my new router this morning and checked the system log again and didn't see those horrifying words anymore. So I guess the new router is safe?

So the DiagTrack service is basically sending the information of this pc back to Microsoft for them to analyze user data, is that right? So could that be the reason why the DiagTrack service was connected to a Microsoft address?

But that ip has been reported for all kinds of bad activities so it's still very questionable...
Moderator:
Hi

IP addresses have nothing to do with the router. But it's best to turn it off so that your computer is really off internet after you release the ip. Six hours later a new one will be assigned to you.

Microsoft never seeks or asks for information.

Tell you what, before you get to the ip change, do this:

1. Open this link and download ZHPDiag :
https://nicolascoolman.eu
(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download. If you get a warning message, ignore it.) Click on the download button.

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, right-click to ensure you execute with admin rights.)

4. Double click on the ZHPDiag shortcut on your Desktop.

5. Click on Scan.
Wait for the tool to finish (it may take a long time).

6. Close ZHPDiag.

7. To transmit the report, click on this link :

http://www.tinyupload.com/index.php

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

9. Copy the url link obtained from tinyupload and paste it here in your reply.

Ambucias
CCM Moderator and Virus/Security Contributor
Original poster:
Oh I actually found a link with the English version of ZHPDiag right here on CCM:

https://ccm.net/download/download-23176-zhpdiag

Should I do the diagnose for all 3 Windows computers in my house?
Moderator:
Just the main one for now.
Original poster:
Here is the URL for the zhpdiag.txt:

http://s000.tinyupload.com/index.php?file_id=08877362512473410921

BTW, I see there are more software like ZHPCleaner. Is that a good one to use?
Moderator:
It all depends, if you have a problem related to what Cleaner is for. In your case no, but if you need it, I will certainly tell you.

I am missing some info, the version of ZHP Diag you have used is not up-to-date. Please use the one I referred you to.

This is the main computer isn't it? What are the others for?

By the way, before you run the most recent ZHP Diag, do run Cleaner; it should get rid of two unwanted programmes: WebPlat and DealsFactor.

When you have time, I am curious to know what this software installed on your machine is: 网易闪电邮2.4正式版 (NetEase Flashmail 2.4, release version) - (.网易互动娱乐有限公司.) (NetEase Interactive Entertainment Co., Ltd.) [HKLM][64Bits] -- 网易闪电邮

Logging off till the morning; you are on the opposite side of the globe. It's 1800 hrs here, Eastern Advanced Time.

Looking forward to hear from you.

Cheerio, chin-up, have fun and see you in Tipperary.
Original poster:
I'm not sure whether the DiagTrack service was turned off when I did the scan just now. But I did another scan while the DiagTrack service was running. See if there's any difference?

http://s000.tinyupload.com/index.php?file_id=00112572662023687460

Thanks..
Original poster:
I ran the ZHPCleaner, in the end it showed there are 63 Files in red.

And then I clicked on "Repair", here is the URL for the ZHPCleaner Report:

http://s000.tinyupload.com/index.php?file_id=89480198894110140865

So how did the report look? What was wrong with those 63 files? Was it serious?

After the ZHPCleaner I ran the ZHPDiag 2017, here is the report URL:

http://s000.tinyupload.com/index.php?file_id=28850609364266539906

This is the main desktop computer. I have another HP laptop, and my son has his own desktop computer.

The Chinese software, Flashmail, is actually an email program that my mom uses for her emails. We've been using it for a long time; it's a popular email program in China.

I'm in New Zealand. Where are you situated?
Original poster:
After I'd done ZHPCleaner and ZHPDiag I saw the malicious IP 111.221.29.254 still connected to the DiagTrack service.

And I do see one ip that's in the same range 111.221.29.96 connected to Windows Push Notification System Service. This ip has not been reported. But it's in the same range and shows also Microsoft Singapore and located in Hong Kong.
Moderator:
Hi, I have looked up the IPs. Some locate them to the Microsoft Asian Data Centre in Singapore and others locate them in Hong Kong.

They look legitimate.

Most of the files that were deleted were superfluous files which had no use.

I have not seen a malicious ip in your most recent ZHP Diag and your computer seems to be as clean as a whistle.

Cheers from Canada
Original poster:
Oh it's great to know that there's no malicious ip shown in ZHP Diag.

My only concern is that the IP 111.221.29.254, which is connected to the DiagTrack service, has been reported for DDoS Attack, Port Scan, Web App Attack, Bad Web Bot, Open Proxy and Hacking on AbuseIpDb.com.

Could that be a serious concern?
Moderator:
Hi

It's not because someone reported the IP that you can consider it to be malicious; some people have fun making false reports. There are only 8 reports. If it were malicious you would have tons of reports and antivirus software designers would issue updates.

Anyway, did you or did you not release your IP and wait 6 hours (without turning on your computer)? If not, I suggest you do. Best to do it on all machines.