This topic is now archived and is closed to further replies.

Modey

scrlink.cool

Hey guys,
I have a problem here: ESET Internet Security keeps on showing this message in large numbers, up to 100 and more.
Does anyone know what this is and what this link in the message is?

virus.png


Is the website blocked in any browser and even if you don't open other websites but this forum's page? Have you tried disabling all installed browser extensions to see if the block stops?

1 minute ago, Marcos said:

Is the website blocked in any browser and even if you don't open other websites but this forum's page? Have you tried disabling all installed browser extensions to see if the block stops?

I tried opening Internet Explorer and the message didn't show up; it only shows up on Chrome, and the extensions I have were installed a long time ago, before the message started showing up. This message shows up every time I try to open any website using Chrome. I did read on some website that this is some kind of virus.


Appears Chrome has an issue with Cloudflare and everything else for that matter.

Per Robtex:

Quote

ANALYSIS

This section shows a quick analysis of the given host name or ip number.

Scrlink.cool has two name servers and four IP numbers.

Cloudflare name servers

The name servers are elinore.ns.cloudflare.com and hugh.ns.cloudflare.com.

What's the story behind the names of CloudFlare's name servers?

IP numbers

The IP numbers are 2606:4700:e0::ac40:6613, 2606:4700:e0::ac40:6713, 172.64.102.19 and 172.64.103.19. The IP numbers are in San Francisco, United States.

We investigated one host name that cnames to scrlink.cool.

Results found

Scrlink.com, clinksr.com, clrskin.com, crinkls.com, crlinks.com, crslink.com, csrlink.com, linkcsr.com, linkscr.com, linksrc.com, lrnicks.com and lskrinc.com.

43 minutes ago, itman said:

Appears Chrome has an issue with Cloudflare and everything else for that matter.

Per Robtex:

I don't know what you mean, but the messages that show up for me have an IP address 93.190.140.94.
So how can I stop these messages, and do I have a virus on my computer or what exactly?

1 minute ago, itman said:

Interestingly, URLVoid scan of scrlink.cool shows the reverse DNS to customer.worldstream.nl in the Netherlands: https://www.urlvoid.com/scan/scrlink.cool/ . It is 100% clean.

Then why do I keep getting this message on opening any website, even the ESET website?

10 minutes ago, Modey said:

but the messages that show up for me have an IP address 93.190.140.94

That IP address also resolves to customer.worldstream.nl per IPVoid and is 100% clean: http://www.ipvoid.com/ip-blacklist-check/ .

18 minutes ago, Modey said:

Then why do I keep getting this message on opening any website, even the ESET website?

I don't have an answer for you. It is possible your Internet traffic is being monitored, etc. It has happened previously in Egypt: https://en.wikipedia.org/wiki/Internet_censorship_and_surveillance_by_country .

5 minutes ago, itman said:

I don't have an answer for you. It is possible your Internet traffic is being monitored, etc. It has happened previously in Egypt: https://en.wikipedia.org/wiki/Internet_censorship_and_surveillance_by_country .

If this is right, could it just happen suddenly like this? It just started after I used a VPN for an online game, and it happens only when I open any site with Chrome. I tried opening the same site with Internet Explorer and everything was fine.

33 minutes ago, itman said:

Go here: https://thebestvpn.com/chrome-extension-vpn-dns-leaks/ and click on "take test here link." Report back with test result.

The VPN I used was a program called SoftEther VPN, and I deleted it after the message started showing up.
I clicked on the link and took the test, but with no VPN open, and I pressed clear host cache and tried to open Facebook, and the message still shows up.


Since you are no longer using a VPN, go here: https://dnsleaktest.com/ and click on the Standard test. All the IP addresses shown should be associated with your ISP, assuming you're using your ISP's DNS servers. My ISP is AT&T and here are my results:

Query round   Progress...   Servers found
1             ......        6

IP                Hostname   ISP                      Country
12.121.118.19     none       AT&T Services            United States
12.121.118.22     none       AT&T Services            United States
151.164.110.241   none       AT&T Internet Services   United States
12.121.118.58     none       AT&T Services            United States
151.164.110.238   none       AT&T Internet Services   United States
12.121.118.51     none       AT&T Services            United States


Another thing you can do is open an admin command prompt window. Then enter "tracert scrlink.cool" as shown in the below screen shot. As shown, I see a connection to one of my ISP servers that forwards the connection to a relay server in Amsterdam. This in turn routes the connection to its final destination, customer.worldstream.nl.

Eset_tracert.thumb.png.cd399c5eb4f195e91a3157e96a814cc7.png

Of note is URLVoid does show one malware detection for customer.worldstream.nl: https://www.urlvoid.com/scan/customer.worldstream.nl/. However, it is from WOT which leads me to believe the site is OK. However, it appears this is a "hosting" server with other sub-domains associated with it; at least hundreds per Robtex. So it may be that Eset is detecting one or more of the sub-domains as malicious?


BTW - scrlink.cool is also blocked in IE11:

Eset_IE11.thumb.png.421ccfaba991199dd1f2c9f43af7fcf6.png


Since you have received no response to this issue in the Malwarebytes forum where you also posted, it appears you have a malicious Chrome extension installed that is connecting to this domain. You will have to remove each extension one by one until you find the one that is performing the attempted connection. My guess is it is the extension associated with the game you mentioned.

You can also at your own peril and definitely not recommended, add an exclusion for scrlink.cool for malware scanning within Eset Web Access protection as shown in the below screen shot:

Eset_Excluded.thumb.png.a8d735f2253fd216c5ecc963683b02d7.png
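
An added example, not part of the original thread or any poster's code: before removing extensions one by one as suggested above, the files of the installed extensions can be searched for the blocked domain. It assumes Chrome's default Windows profile path and the `<id>/<version>/manifest.json` layout; the function names are illustrative.

```python
import json
import os
import tempfile
from pathlib import Path

TEXT_SUFFIXES = {".js", ".json", ".html", ".htm", ".css"}  # binary assets are skipped

def default_extensions_dir():
    """Assumption: default Chrome profile on Windows; other profiles differ."""
    base = os.environ.get("LOCALAPPDATA", "")
    return Path(base) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"

def find_domain_in_extensions(ext_root, domain):
    """Return sorted (extension_id, version, name, file) tuples that mention `domain`."""
    needle, hits, ext_root = domain.lower().encode(), [], Path(ext_root)
    if not ext_root.is_dir():
        return hits
    # Assumed layout: <Extensions>/<extension id>/<version>/manifest.json
    for manifest in ext_root.glob("*/*/manifest.json"):
        version_dir = manifest.parent
        try:
            name = json.loads(manifest.read_text(encoding="utf-8-sig")).get("name", "?")
        except (OSError, ValueError, AttributeError):
            name = "?"  # unreadable or malformed manifest; its files are still scanned
        for path in version_dir.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            try:
                data = path.read_bytes().lower()
            except OSError:
                continue
            if needle in data:  # case-insensitive byte match
                hits.append((version_dir.parent.name, version_dir.name, name,
                             path.relative_to(version_dir).as_posix()))
    return sorted(hits)

def demo():
    """Scan a constructed two-extension tree (sample data, not real extensions)."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, body in (("aaaa", "fetch('https://example.test/x')"),
                             ("bbbb", "var u = 'http://SCRLINK.cool/t.js';")):
            d = Path(tmp) / ext_id / "1.0_0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"name": "Sample " + ext_id}))
            (d / "background.js").write_text(body)
        return find_domain_in_extensions(tmp, "scrlink.cool")

if __name__ == "__main__":
    print(*find_domain_in_extensions(default_extensions_dir(), "scrlink.cool"), sep="\n")
```

A hit names the extension to remove first. No hits does not clear the extensions, since a domain can be fetched at run time or stored in encoded form, so the one-by-one removal still applies.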
