How can I block hacker's IP?

I was scammed and I thought those scammers were really from Microsoft, so I let them remotely connect to my computer. I don't know what they installed on it.

After I realized that it was a scam, I reset my computer, cleaned all the drives and reinstalled Windows 10. I thought whatever virus I had should have gone away.

But I typed in “netstat -ano” in command prompt, and I still see this:

TCP 192.168.1.9:49793 111.221.29.254:443 ESTABLISHED 6752

I looked up the PID in Task Manager; it is the DiagTrack service, which is like a key logger, right? And the IP that's connected to it, 111.221.29.254, has been reported 8 times on AbuseIPDB.com.

I don’t know why after I totally reset my computer, this IP is still connected to me.

I thought about blocking this IP by modifying the hosts file.

I used "nslookup 111.221.29.254" but couldn't find the hostname for this IP.

Server: NF4V.Home

Address: 192.168.1.1

*** NF4V.Home can't find 111.221.29.254: Non-existent domain

Is there any way I can block this IP from connecting to my computer?

Is there any way I can block this IP from my router?
 
% Information related to '111.221.29.0 - 111.221.29.255'

inetnum: 111.221.29.0 - 111.221.29.255
netname: Microsoft
descr: Microsoft
descr: Microsoft Corp, Singapore
country: SG
admin-c: MP234-AP
tech-c: SC1001-AP
status: ALLOCATED PORTABLE
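The question above asks how to tie the netstat line to a process and how to block the remote address. The script below is an added example and is not from any poster in this thread: it maps an established connection to its owning process and the services hosted in that process (the manual Task Manager lookup in the question, automated), tries a reverse DNS lookup, and then adds Windows Defender Firewall block rules for the address. The rule names and the `$Remote` variable are my own choices. Note the caveat the thread itself raises: the WHOIS above places this address in a Microsoft allocation, and telemetry endpoints change, so a single-address block is mainly useful as a test, not as a cleanup.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell.
# $Remote is the address quoted in the question; change it as needed.
$Remote = '111.221.29.254'

# 1. Which process, and which service(s) inside it, own the connection?
#    svchost.exe hosts many services, so the PID alone is not enough.
Get-NetTCPConnection -RemoteAddress $Remote -State Established |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)" |
                Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Local    = "$($_.LocalAddress):$($_.LocalPort)"
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            PID      = $_.OwningProcess
            Process  = $proc.ProcessName
            Path     = $proc.Path
            Services = ($svcs -join ', ')
        }
    } | Format-List

# 2. Reverse DNS. nslookup in the question found nothing; many cloud ranges
#    simply have no PTR record, which is not evidence of anything by itself.
try   { [System.Net.Dns]::GetHostEntry($Remote).HostName }
catch { "no PTR record for $Remote" }

# 3. Block the address in both directions (rule names are my own).
New-NetFirewallRule -DisplayName "Block $Remote outbound" -Direction Outbound `
    -RemoteAddress $Remote -Action Block -Profile Any
New-NetFirewallRule -DisplayName "Block $Remote inbound" -Direction Inbound `
    -RemoteAddress $Remote -Action Block -Profile Any

# 4. Confirm the rules exist, and how to undo them.
Get-NetFirewallRule -DisplayName "Block $Remote*" | Select-Object DisplayName, Direction, Action, Enabled
# Remove-NetFirewallRule -DisplayName "Block $Remote outbound", "Block $Remote inbound"
```

After step 3, re-run step 1: the ESTABLISHED entry should disappear once the existing connection times out or is re-attempted. If the owning process is svchost.exe and the service list shows only DiagTrack (Connected User Experiences and Telemetry), that matches what the later replies in this thread say about the address.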

Login as ADMIN
look at your services via SERVICES.MSC
double-click on the heading STATUS which will bring all active to the top of the list

First suspects are services Started but showing Startup Type as Manual. There are some that naturally show up like this, so don't get paranoid.

Unconditionally set these to MANUAL start:
  • Remote Access Auto Config
  • Remote Access Connection Mgr
  • Remote Desktop Configuration
  • Remote Desktop Services
  • Remote Desktop Services UserMode
  • Remote Registry
  • Routing & Remote Access (set to DISABLE)
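The services.msc procedure in the reply above, as an added example script that is not from any poster in this thread. It sets the listed services to Manual (or Disabled for Routing and Remote Access) and then lists the "first suspects" the reply describes: services that are running but have a Manual start type. The mapping from the display names in the reply to Win32 service short names is my own; run this from an elevated PowerShell.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell.
# Short names are my mapping of the display names listed in the reply above.
$ToManual = @(
    'RasAuto',        # Remote Access Auto Connection Manager
    'RasMan',         # Remote Access Connection Manager
    'SessionEnv',     # Remote Desktop Configuration
    'TermService',    # Remote Desktop Services
    'UmRdpService',   # Remote Desktop Services UserMode Port Redirector
    'RemoteRegistry'  # Remote Registry
)
$ToDisabled = @('RemoteAccess')   # Routing and Remote Access

# Show the current state before changing anything.
Get-Service -Name ($ToManual + $ToDisabled) -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

function Set-ServiceStartup {
    param([string[]]$Names, [string]$StartupType)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }          # not present on this edition/build
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        Set-Service -Name $name -StartupType $StartupType
    }
}
Set-ServiceStartup -Names $ToManual   -StartupType Manual
Set-ServiceStartup -Names $ToDisabled -StartupType Disabled

# The "first suspects": running services whose start type is Manual.
# Compare PathName against what you expect; services under C:\Windows\System32
# and signed by Microsoft are the normal case, as the reply notes.
Get-CimInstance Win32_Service -Filter "State = 'Running' AND StartMode = 'Manual'" |
    Select-Object Name, DisplayName, StartName, PathName |
    Sort-Object Name | Format-Table -AutoSize -Wrap
```

For each suspect, the binary path is the thing to check: an executable outside the Windows directory, or one whose Authenticode signature does not verify, is worth a closer look, whereas the many Microsoft-signed svchost entries are exactly the "naturally show up like this" cases the reply mentions.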
 

Thanks for the advice.

I opened up the "Services" window, and I can see that:

  • Remote Access Auto Config
  • Remote Access Connection Mgr
  • Remote Desktop Configuration
  • Remote Desktop Services
  • Remote Desktop Services UserMode
The ones above are all not running and are already set to "Manual".

  • Remote Registry
  • Routing & Remote Access (set to DISABLE)
The two above are already Disabled.

And there are many services that are running and "Manual"; I'm not sure how to pick out the suspicious ones...
 
BTW: If you access bank accounts online - - STOP. You could easily have a KEY LOGGER and the passwords would be captured.
 

How can I find out if there is a key logger on my computer or not? How do I get rid of it? I already completely reset and reinstalled my computer, but I can still see that malicious IP connected to the DiagTrack service.
 
That address is NOT Malicious.
 
Why do you think 111.221.29.254 is not a malicious IP? If you put this IP into AbuseIPDB.com you can see that it's been reported 8 times for DDoS Attack, Port Scan, SSH, Web App Attack, Exploited Host, Bad Web Bot, Open Proxy and Hacking.
 
WHOIS reports this address belongs to Microsoft:
inetnum: 111.221.29.0 - 111.221.29.255
netname: Microsoft
descr: Microsoft
descr: Microsoft Corp, Singapore
country: SG
admin-c: MP234-AP
tech-c: SC1001-AP
status: ALLOCATED PORTABLE
remarks: --------------------------------------------------------
remarks: To report network abuse, please contact mnt-irt
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: Report invalid contact via www.apnic.net/invalidcontact
remarks: --------------------------------------------------------
mnt-irt: IRT-MICROSOFT-APNIC-SG
changed: hm-changed@apnic.net 20090714
mnt-by: APNIC-HM
mnt-lower: MAINT-AP-MICROSOFT
source: APNIC

I've never heard of AbuseIPDB.com in 37 years. Yes, I see the 8 reports; likely false positives from those that don't know any better.

The Diag Service runs WdiServiceHost which will connect to the IP in question

What is the Diagnostic Service Host?
The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function.
 
The WHOIS is an authenticated Internet Protocol to map IP <--> Domain names.

You can get a free copy here.
 