Troubleshoot IP Prob


Deleted member 2913

Thread author
My IP usually starts with 210.x.x.x
Sometimes IP is assigned as 195.195.x.x. When this IP is assigned ports 80, 443 are open & rest closed. This happens with both direct connection (without router) & with router.
If I restart the system the usual IP is assigned 210.x.x.x & no probs.

Today when I started system IP was assigned as 195.195.x.x.
When I tried to browse, I got the captcha page. Attached is the screenshot.
I restarted the system & the usual IP was assigned 210.x.x.x & no probs.

Don't know why sometimes 195.195.x.x is assigned?
As you can see above, it seems dangerous as ports 80 & 443 are open. And today I got the captcha page.

Any info?
Is something fishy/malicious here?

Win 7 64
 


hjlbx

Thread author
The info I posted was for IP 203.115.71.150... from the IPVoid website. It is black-listed by Spamhaus.

It isn't your router as it happens whether or not you are going through a router...

IP 195.195.1.XX is owned by JNT Association located in Lewisham, Great Britain. It is an "association of public authorities and an educational institution" - all connected via JANET.

If this doesn't immediately bring anything to mind, then it's time for detective work...

Something is calling home using 80 and 443. Did you clean out your temp files as I suggested? Have you checked AppData folders for anything fishy... and reviewed firewall logs?

What security soft are you running at this moment?
 

Deleted member 2913

Thread author
I have 3 snapshots with Rollback Rx Home.

1. Bd free + Windows FW
2. Comodo FW
3. Avast free + Windows FW

Win 7 64

I connect to the internet 2 ways

1. Direct connection (without router) - I have a dialer from the ISP on the desktop that requires a username & password to connect to the internet. It's a PPPoE connection.
2. With router, i.e. sometimes I use a wired router connection & sometimes wifi.
 

hjlbx

Thread author
Whatever you have on your system connecting to 195.195.1.XX - once you rollback - it may be gone.

Just in case it remains I would rollback to Comodo FW. That's just me...
 

Deleted member 2913

Thread author
Sometimes this IP 195.195.x.x is there.
If I am on direct connection then disconnecting my net through the ISP dialer & reconnecting or restarting the system changes the IP.
If I am on the router then restarting the system or restoring to snapshots doesn't change the IP, only a router restart changes the IP.

If this IP is assigned then I will restore to the Comodo snapshot.
What do you want me to do after that?
 

hjlbx

Thread author
Without logs/more info it is very difficult to say what is happening on your system.

You might have router infection... or it could be your ISP. Since it only occurs with router connection I'd say it's the router... or at least that is part of it. The address it is connecting to is a very odd address - if it doesn't involve any softs installed on your part.

Remember, just because system scan returns no malware detection does not mean your system is actually clean.

You might want to post thread in Malware Removal sub-forum regarding your problem.
 

Deleted member 2913

Thread author
It happens with both router & direct connection.

And 203.115.71.150, previously I mentioned it's my ISP gateway. But it's the gateway mentioned in the router.
When I connect directly, i.e. no router, i.e. direct connection with the ISP dialer, then ipconfig /all for my ISP dialer & adapter (Local Area Connection) shows the gateway blank, i.e. nothing.

My router is old. I purchased the router when I had an XP system. I don't remember now, but I think Win 7 & upward was not mentioned on the router box, i.e. compatible with XP. Now I have Win 7 64 & the router installed on it. Could this be the prob anyway, i.e. a malfunctioning router, that's why the IP prob? I don't have any prob with internet with the router.

I will post on malware removal thread here.

Format & Reinstall OS will solve the prob?
 

hjlbx

Thread author
Format & Reinstall OS will solve the prob?

Clean install OS is always best solution when infected or even if only suspect infection - in my opinion - if you do not mind the hassle.

You have to be prepared though - what if you perform clean install and your IP issue does not go away??

It is ultimately your decision... but I suggest you get advice from malware removal expert - as it could be something completely simple and harmless - or - it can be an infection of some sort.

That your ISP gateway is black-listed - even by only SpamHaus - as part of a botnet is a very serious issue. However, it may have absolutely nothing to do with your issue and be just a coincidence. Router infections are fairly common. Plus, you install a lot of softs - so it can be the result of a wide range of things...

Better check it out with Argus or Twin Headed Eagle...
 

Deleted member 2913

Thread author
I have posted in the malware removal assistance thread.
Let's see what happens.
Otherwise will try reinstall.

Thanxx a lot all of you guys for your support & time.
 

Deleted member 2913

Thread author
hjlbx,

I had posted on malware removal assistance & system was found clean.

Today I started the system & IP 195.195.x.x is assigned in the router.

I am on Comodo FW snapshot with Rollback.

Would you like me to check things with Comodo FW in any way? I haven't restarted the router yet & that IP is there in WAN IP.

I checked the router with this F-Secure online service & all was found well.
http://malwaretips.com/threads/f-secure-router-checker-checks-for-dns-hijacking.47147/
 

hjlbx

Thread author
I am not a network guru, but at the same time, just because your physical system has been determined to be clean does not necessarily mean that your WAN is clean. Also, the online F-Secure router scanner can miss things too... Now, I am not saying you have an infection. I just think it very odd that your router keeps connecting to those IP addresses... However, in the end, it could all be a legitimate, safe affair.

If it were me I would get a list of the 195.195.X.XX IP addresses and do a lookup at IP Void or equivalent. I would watch network activity via Comodo network monitor. That's a start...
 
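Added example, not part of the original thread or any poster's code: one way to carry out the "watch network activity" step suggested above is to parse `netstat -ano` output and list which process IDs hold TCP connections on ports 80/443 to the 195.195.x.x range named in the thread. The sample output, the PIDs, and the names `WATCH_NET`, `web_connections` and `by_pid_in_watch_net` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.10:49231     195.195.1.20:443       ESTABLISHED     2244
  TCP    192.168.1.10:49232     195.195.1.20:80        TIME_WAIT       0
  TCP    192.168.1.10:49240     203.0.113.5:443        ESTABLISHED     3100
  TCP    192.168.1.10:49245     195.195.7.9:80         ESTABLISHED     2244
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1234
"""

WATCH_NET = ipaddress.ip_network("195.195.0.0/16")  # range named in the thread
WEB_PORTS = {80, 443}


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)


def web_connections(netstat_text):
    """Yield (pid, remote_ip, remote_port, state) for TCP connections to 80/443."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers, blank lines, UDP rows (no state column) and listeners.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        _, _, remote, state, pid = fields
        try:
            ip, port = split_endpoint(remote)
        except ValueError:
            continue  # unparseable endpoint such as '*:*'
        if port in WEB_PORTS:
            yield int(pid), ip, port, state


def by_pid_in_watch_net(netstat_text, net=WATCH_NET):
    """Map PID -> sorted remote 'ip:port' strings inside the watched range."""
    hits = defaultdict(set)
    for pid, ip, port, _state in web_connections(netstat_text):
        if ip in net:
            hits[pid].add(f"{ip}:{port}")
    return {pid: sorted(eps) for pid, eps in hits.items()}
```

On a live system the text would come from running `netstat -ano` instead of `SAMPLE`, and a PID of interest can be matched to a program with `tasklist /FI "PID eq <pid>"`. PID 0 rows are closed connections in TIME_WAIT that no longer belong to a process.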
