Hello Avast,
After purchasing your protection upgrade to remove a DNS hijack, I found out 2 things.
Your software detected the DNS hijack when you wanted me to pay you, but after paying and upgrading, it says there’s nothing wrong.
Your support is offline. On a Tuesday afternoon in the Eastern US.
I know I have a DNS hijack on this computer because other computers on my network can get to the website I'd really like to get to (so I can do my job), and if I use the IP address found through an nslookup it comes back as a European pharmacy.
185.94.192.216 is the IP address… you can check for yourself.
I get this when I try to get to sprout.letsplantseeds.com which works from my phone while I’m connected to WIFI.
Please help me solve this or tell me how to get my money back.
Pondus
October 1, 2019, 5:34pm
Please help me solve this or tell me how to get my money back.
There is free malware removal help here in the forum; you should have tried that first.
If you want help, read and follow the instructions here: https://forum.avast.com/index.php?topic=194892.0
If you want a refund: https://support.avast.com/en-ww/article/Order-Renew-Refund-FAQ
Pondus
October 1, 2019, 6:00pm
I get this when I try to get to sprout.letsplantseeds.com which works from my phone while I'm connected to WIFI.
The problem may be the website?
This website does not load here on my computer, and I get redirected to easyapotheke.de, which also does not load.
See attached screenshot.
See here: https://urlscan.io/result/199f0c7b-4997-4272-b367-7c3d419de97b
See: https://urlscan.io/result/199f0c7b-4997-4272-b367-7c3d419de97b/content/
See supertool outcome: https://mxtoolbox.com/SuperTool.aspx?action=mx%3A ip-92-222-83.eu&run=toolpage#
The redirect is intentional: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=c3B9XXV0Lmx7dHNwbHxudHN7eyNzLl5dbQ%3D%3D~enc
Redirect takes us here: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lnt8c3l8cF10aHtrey4jew%3D%3D~enc
→ https://censys.io/ipv4/54.37.201.0 → https://censys.io/ipv4/54.37.201.0/raw#http
Indicators of compromise (IoCs)
This is a term in the security industry to describe indicators around an attack. This includes IPs, hashes, domains, etc.
- sprout.letsplantseeds.com
- www.easyapotheke.de
- 185.94.192.216
- 54.37.201.0
- e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Also consider the findings here: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.easyapotheke.de+
see: https://www.virustotal.com/gui/ip-address/54.37.201.0/relations
Also see the DOM-XSS issue results from scanning URL: https://js.kctag.net/kias-easyapotheke.js
Number of sources found: 19
Number of sinks found: 15
See results from scanning URL: http://sprout.letsplantseeds.com
Number of sources found: 14
Number of sinks found: 279
Opening up to: https://js.kctag.net/kias-easyapotheke.js
Number of sources found: 33
Number of sinks found: 8
& https://js.kctag.net/kias-easyapotheke.js
Number of sources found: 19
Number of sinks found: 15
& https://js.kctag.net/kias-easyapotheke.js
Number of sources found: 14
Number of sinks found: 279
& results from scanning URL: https://js.kctag.net/kias-easyapotheke.js
Number of sources found: 14
Number of sinks found: 279
That is all we know,
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
In this thread I give this just as I stumbled upon this,
More info from an older cloud dump file, just one report given:
https://intelx.io/?s=https://www.easyapotheke.de
"dehashed info via Расшифровка (Russian: decoding) DFB.de", as they say there.
Also consider: https://intelx.io/?s=kctag.net (with tags like tucows, advertising, onion.hosts)
So that redirect may not be completely "kosher", to put it mildly.
polonus