How can I block hacker's IP?Closed

Question

I was scammed and I thought those scammers were really from Microsoft so I let them remotely connected to my computer. I don’t know what they installed on it. 
 
After I realized that it was a scam, I reset my computer, cleaned all the drives and reinstalled Windows 10. I thought whatever virus I had should have gone away.
 
But I typed in “netstat -ano” in command prompt, and I still see this:
 
Proto       Local Address          Foreign Address             State           PID
TCP    192.168.1.9:49792      111.221.29.253:443     ESTABLISHED     6752
TCP    192.168.1.9:49793      111.221.29.254:443     ESTABLISHED     6752
 
I looked up the PID in Task Manager, it is DiagTrack service which is like a key logger right? And the IP that’s connected to it: 111.221.29.254  has been reported 8 times in AbuseIpDb.com.
 
I don’t know why after I totally reset my computer, this IP is still connected to me.
 
I thought about blocking this IP by modifying host file. 
 
I used “nslookup 111.221.29.254” but couldn’t find the hostname for this ip.
 
Server:  NF4V.Home
Address:  192.168.1.1

 NF4V.Home can't find 111.221.29.254: Non-existent domain
 
Is there anyway I can block this IP from connecting to my computer?
 
Is there anyway I can block this IP from my router?

Ambucias · Answer

Hello

The attack came from Hong-Kong and they faked a Microsoft address. Mean and smart isn't it?

I would suggest that you do the following:

1. Turn off your internet connection.

2. Completely reset your router connection, like a new connection installation.

3. Reconnect to internet

4. Go to command prompt and type ipconfig /release press enter

5. Still in command prompt type ipconfig /renew press enter.

If you still can find the fake, let me know and we shall make a deeper analysis.

Good luck

kekehuang · Answer

Thanks for the reply. I will try what you suggested to reset ip and let you know the result soon. :) 

So like I said in the original post, I got scammed and I let the scammers remotely connected to my pc. 

But I realized that it was a scam right after and what I've done was: I changed to a brand new router, I completely reset all 3 of my computers at home. 

Since everything was reset, I thought the problem should have been solved. No matter what they installed on my pc they are all vanished now. 

But now I still see those malicious ip connected to my computers. 

What could be the reason that the hacking was not stopped by all the reset?

Ambucias · Answer

Yes, please let me know after you have tried what I suggested before.

kekehuang · Answer

Ok I'll try it first thing in the morning.

In the morning all my devices would be off. So what you mean in Step 2 "Completely reset your router connection, like a new connection installation" means that I should do a factory reset for the router, is that what you mean? I think I need to do the factory reset when the power is on for the router right?

kekehuang · Answer

You mean I can start from step 4 now and go to the command prompt and type in the ipconfig commands now? Can I do that from any one of the computers in my house?

kekehuang · Answer

Yes I can do that in the morning.

Actually the new router is not brand new by now. I installed it 4 days ago. Do you think it's better to do a factory reset since it's 4 days old or do you still consider it as new and I can go ahead with the ipconfig commands in the morning without doing factory reset?

kekehuang · Answer

I've just tried it. After I typed "ipconfig /release" the internet disconnected. Then after I typed "ipconfig /renew" the internet was reconnected. So these are normal process?

But after I've done all that, the ip didn't change.

My ISP told me that what I have is dynamic ip, if I turn off modem for more than 6 hours it will change to another ip. But I tried turning off the modem for up to 10 hours and the ip still didn't change.

What can I do now?

BTW, you said that the hacker faked a Microsoft address, but someone told me that "hackers can't change the global registration databases of who owns what IPs". Is that true?

But that ip 111.221.29.254 and also 111.221.29.253 are both been reported more than once in AbuseIpDb.com.

Ambucias · Answer

You isp is right, but explained wrong. Go to command prompt, type ipconfig/release then turn off your modem and wait 6 hours.

Yes hackers are very savy when is comes to making trouble.

What they wanted was access to your personal data, like online banking, or use your machine to commit crime.

Let me know about the above, if your ip has not changed, let me know and we will try something else.

You should also release the ip on all computers.

kekehuang · Answer

Do I need to type "ipconfig /release" on all computers? Or can I turn all the devices off just remain one main computer on, and release ip on that main computer?

So what I need to do, is type "ipconfig /release" and then turn off both computer and the modem. Wait for 6 hours. And then turn on the modem and the computer, and then type "ipconfig /renew". Is that the right process?

Some people keep telling me that 111.221.29.254 and also 111.221.29.253 are not malicious ip because they belong to Microsoft. But they are been reported in AbuseIpDb.com. Do you think they are malicious?

kekehuang · Answer

Yes I will follow what you said and try it tomorrow before I go to sleep.

Actually my ip changed to a new one on the same day I received my new modem from my ISP. I was happy about that. But that night before I go to sleep I turned off the modem and thought that I might just get another new random ip the next morning. But the next morning I turned on the modem and found out that the ip just changed back to the old one again. I was very worried and I did the same thing the next evening before I go to sleep which is turn off the modem again. But next morning the ip stayed the same. 

I didn't do any "ipconfig" for ip to change from the new ip back to the old one. 

It seemed like the change of ip had nothing to do with me turning off the modem. I don't know what was going on with my ISP. 

After the scam I logged into my router and checked the system log, I don't really understand the information in the system log but I can see lots of words like "alert", "intrusion" in it.

The good thing is I logged into my new router this morning and checked the system log again and don't see those horrifying words anymore. So I guess the new router is safe?

So the DiagTrack service is basically sending the information of this pc back to Microsoft for them to analyze user data, is that right? So could that be the reason why the DiagTrack service was connected to a Microsoft address?

But that ip has been reported for all kinds of bad activities so it's still very questionable...

Ambucias · Answer

Hi

IP addresses have nothing to do with the router.  But it's best to turn it off so that your computer is really off internet after you release the ip.  Six hours later a new one will be assigned to you.

Microsoft never seeks or ask for information.

Tell you what, before you get to the ip change, do this:

1. Open this link and download ZHPDiag : 
https://nicolascoolman.eu
(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message, ignore it.)  Click on the download button

2. Save the file on your Desktop. 

3. Double click on ZHPDiag.exe and follow the installation instructions. 

(For Vista, Win 7 and 8 users, click right to ensure you execute with admin right) 

4. Double click on the short cut ZHPDiag on your Destktop. 

5 Click on scan
Wait for the tool to finished (maybe a long time) 

6. Close ZHPDiag. 

7. To transmit the report, click on this link : 

http://www.tinyupload.com/index.php 

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

9. Copy the url link obtained from tinyupload and paste it here in your reply.

Ambucias
CCM Moderator and Virus/Security Contributor

kekehuang · Answer

Oh I actually found a link with the English version of ZHPDiag right here on CCM:

https://ccm.net/download/download-23176-zhpdiag

Should I do the diagnose for all 3 Windows computers in my house?

kekehuang · Answer

Here is the URL for the zhpdiag.txt:

http://s000.tinyupload.com/index.php?file_id=08877362512473410921

BTW, I see there are more software like ZHPCleaner. Is that a good one to use?

kekehuang · Answer

I'm not sure if DiagTrack service was turned off when I did the scan just now or not. But did another scan while the DiagTrack service is running. See if there's any difference?

http://s000.tinyupload.com/index.php?file_id=00112572662023687460

Thanks..

kekehuang · Answer

I ran the ZHPCleaner, in the end it showed there are 63 Files in red.

And then I clicked on "Repair", here is the URL for the ZHPCleaner Report:

http://s000.tinyupload.com/index.php?file_id=89480198894110140865

So how did the report look? What was wrong with those 63 files? Was it serious?

After the ZHPCleaner I ran the ZHPDiag 2017, here is the report URL:

http://s000.tinyupload.com/index.php?file_id=28850609364266539906

This is the main desktop computer. I have another HP laptop, and my son has his own desktop computer.

The Chinese software is Flashmail is actually a mail software that my mom uses for her emails. We've been using it for a long time, it's a popular email software in China.

I'm in New Zealand. Where are you situated?

kekehuang · Answer

After I've done ZHPCleaner and ZHPDiag I saw the malicious ip 111.221.29.254 is still connected to the DiagTrack service. 

And I do see one ip that's in the same range 111.221.29.96 connected to Windows Push Notification System Service. This ip has not been reported. But it's in the same range and shows also Microsoft Singapore and located in Hong Kong.

Ambucias · Answer

Hi I have looked for the ip's.  Some locate it to the Microsoft Asian Data Centre located in Singapore and others locate it in Hong Kong. 

They look legitimate.

Most of the files that were deleted were superfluous files which had not use.

I have not seen a malicious ip in your most recent ZHP Diag and your computer seems to be as clean as a whistle.

Cheers from Canada

kekehuang · Answer

Oh it's great to know that there's no malicious ip shown in ZHP Diag.

My only concern is, the ip 111.221.29.254 which is connected to DiagTrack service, is been reported for DDoS Attack, Port Scan, Web App Attack, Bad Web Bot, Open Proxy, Hacking by AbuseIpDb.com.

Could that be a serious concern?

How can I block hacker's IP?

18 responses

Similar discussions

Subscribe To Our Newsletter!