Local Area Connection And Wrong Ip Address

7 replies to this topic

#1 computernoviceAB

  • Members
  • 5 posts

Posted 04 January 2008 - 03:17 PM

Hi,
I noticed an odd IP range in the "trusted list" in McAfee (the box was not checked, but the addresses were there). After I deleted the IP range and added the IP range to the not permitted list, I noticed that my computer was still trying to connect to an address in that range before connecting to my ISP (the range has also "reappeared" after I deleted it before). Today, after restarting the computer and unlocking the firewall, the Local Area connection attempted to connect to a different IP (not in the same range) before connecting to my regular ISP. As both addresses etc. are from the "Blackhole" server, not my ISP, I figured something was wrong. I've scanned with Panda, BitDefender, Windows Live, with 2 diff. rootkit programs, as well as with McAfee (online and reg.). I'm running XP.

Any Ideas? It doesn't seem like the connection stays once my ISP connects, but I would like to know how to stop the attempts or determine if someone is getting around my firewall or if I'm infected etc.

Thanks.


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,962 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 11 January 2008 - 01:27 PM

I would try both AVG Anti-Spyware Free and SuperAntiSpyware Free in Safe Mode.

AVG Anti-Spyware 7.5
Download AVG AntiSpyware 7.5 (formerly Ewido) found here: http://www.ewido.net/en/download/
Directions for use in both normal and safe modes are provided here by our own quietman7:
http://www.castlecops.com/t137442-CCSP_Ewi...structions.html
You will also find the directions to disable the real-time scanning which I would advise doing right away as it is only available for the paid version which the free version is like for the first 30 days. I would suggest doing the scan in safe mode after setting up the proper scanning selections.
---
Here is a brief summary for installation and set-up. If scanning in safe-mode, set-up in Normal mode first, then reboot into safe-mode:
Double click the avg-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, AVG A-S will open.

Updating AVG Anti-Spyware:

* By default AVG A-S is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following: Click the Update icon at the top and under "Manual Update" - click the Start update button.
* Either AVG A-S will update or inform you that no update was available.

Disabling the Resident Shield:
* By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
(When the PC has been cleaned you can activate the shield again, if you wish.)
* Click the Shield icon at the top and under "Resident shield is..." - click active.
* This should now change to inactive.

Changing Recommended Actions
* Click the Scanner icon at the top and then click the Settings Tab.
* Under "How to act?" click Recommended actions and select "Quarantine" from the menu.

And for scanning:
Ensure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.

* If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
* Click "Complete System Scan"
* While the scan is in progress the PC should be left otherwise idle.
* When the scan has completed, any threats that AVG A-S has detected will be displayed.
* Click the Apply all actions button at the bottom.
* When AVG A-S has finished, it will display the message "All actions have been applied".

Saving a report:
* Click the Save Report button at the bottom left and the "Reports" window will open.
* The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
* You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.

Close AVG Anti-Spyware.


+++++++++++++++++++
Next:
Download and install SUPERAntiSpyware free found here: http://www.superantispyware.com/superantis...efreevspro.html

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.
+++++++++++++

Post both logs in your next reply and let us know how your computer is running.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 computernoviceAB
  • Topic Starter

  • Members
  • 5 posts

Posted 14 January 2008 - 04:09 PM

I've posted both logs. AVG didn't find anything; SuperAntiSpy found one cookie and called the games installed by Dell (with the computer) Malware. I've followed your directions and placed them in Quarantine. The same programs were listed as Malware by SpyBot (or Ad-Aware) before, but I've also read that they are ok.

The IP still shows up when I start the computer with the firewall locked but, as before, disappears when the ISP is connected (after unlocking the firewall). Other than that, the computer seems to be running normally (no errors, popups, odd programs running etc).
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:52:37 PM 1/11/2008

+ Scan result:



Nothing found.


::Report end

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/11/2008 at 05:15 PM

Application Version : 3.9.1008

Core Rules Database Version : 3378
Trace Rules Database Version: 1372

Scan type : Complete Scan
Total Scan Time : 01:17:26

Memory items scanned : 627
Memory threats detected : 0
Registry items scanned : 5961
Registry threats detected : 0
File items scanned : 68041
File threats detected : 21

Adware.Tracking Cookie
C:\Documents and Settings\Allen\Cookies\allen@server.iad.liveperson[1].txt

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH BEJEWELED 2 DELUXE.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH BLACKHAWK STRIKER 2.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH BLASTERBALL 2.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH CHUZZLE DELUXE.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH DINER DASH.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH FATE.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH POLAR BOWLER.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH POLAR GOLFER.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH SCRABBLE.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH TRADEWINDS.LNK

#4 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,962 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 14 January 2008 - 04:44 PM

Hmm. Can you copy down the IP numbers, or the IP range in question? Does your firewall log indicate what program or process is trying to connect to those IP addresses? If so, can you include that in your next response, or if it doesn't let us know that too.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

#5 computernoviceAB
  • Topic Starter

  • Members
  • 5 posts

Posted 14 January 2008 - 05:14 PM

When I first noticed this issue, the following range was listed in the "trusted" IP list (but not selected)

192.168.0.0 to 192.168.255.255. I did not select to trust it, but it just appeared. I deleted it, but it reappeared again, so I deleted it again and added it to the banned IP addresses (it has not reappeared). All scans (online virus etc) have come back clean.

About a week or so ago, it was listed when my Local Area connection was locked/not connected, but has not appeared lately.

Instead, the following 2 IPs have appeared (and one appeared this morning) in the Local Area Connection when I turn on the computer (firewall locked at restart/locked on startup). The Icon notes: limited or no connectivity.

When I unlock the firewall, the LAC seems to restart (disappears from the task bar) and then re-appears when I'm connected to my ISP. When I'm able to see the LAC trying to authenticate it usually says something like invalid IP address before it restarts.

As the IPs are "banned," I do not see a program trying to contact them, but they do occasionally show up in the firewall log, but are not listed in the running/connected process list. I'll have to restart to see if the IP is connecting to something when I'm not connected to the ISP.

Right before I first posted this issue, Windows Defender stopped the following from occurring:

Advice:

Permit this detected item only if you trust the program or the software publisher.

Resources:
firewallport:
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP

Category:
Not Yet Classified

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
firewallport:
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP

Category:
Not Yet Classified

I denied the action and the file was listed as unknown. The history has been cleared, unfortunately, so this is all I know about this one. It hasn't happened again.

I hope this helps. If I need to clarify anything or add more details, please let me know.
Thanks.

#6 computernoviceAB
  • Topic Starter

  • Members
  • 5 posts

Posted 14 January 2008 - 05:32 PM

Oops, I forgot to add the IPs that currently appear in the LAC before the ISP:

169.254.243.167 and 169.254.95.90.

#7 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,962 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 14 January 2008 - 05:51 PM

Good evening computernoviceAB:

When I first noticed this issue, the following range was listed in the "trusted" IP list (but not selected)

192.168.0.0 to 192.168.255.255.


I just researched these numbers, and these are all private network numbers. Is your computer part of a private network, or is it a stand-alone computer? An example of a private network would be a group of computers at a business or a library that communicate with each other but not necessarily with any others. If it is a stand-alone computer, it should not be trying to connect to any of those numbers to the best of my knowledge.

Instead, the following 2 IPs have appeared (and one appeared this morning) in the Local Area Connection when I turn on the computer (firewall locked at restart/locked on startup). The Icon notes: limited or no connectivity.


What are the numbers?

Just caught your added post. I cannot find any information on those IP addresses.

169.254.243.167 and 169.254.95.90

I think it is time for our experts to take a deeper look at what is going on.

NOTE: If quietman7 or one of our other malware experts (moderator, HJT Team Coach, HJT Team, or Admin.) provides other instructions before you have done the following, please follow their directions rather than mine.

Please follow the directions in this guide. I know that you have already done some of that, but it won't hurt to do it again. Then create an HJT log, you will find the directions in the guide.

Create a new topic in this forum, not here and give it a good descriptive title. Briefly summarize what the problems are, what you have done to try to solve it, and what worked and didn't work, any changes, and paste in your HJT log. I would also include the link to this thread. Just so those reading this thread know that you have posted an HJT log, please add a response to this thread telling us so and include the link.

After you post your log, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.
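The two questions raised in posts #5 and #7 (what kind of addresses 192.168.0.0–192.168.255.255 and 169.254.x.x are, and what the two GloballyOpenPorts entries Windows Defender flagged refer to) can be answered mechanically with the address classes defined in RFC 1918 and RFC 3927. The script below is an added example, not code posted in this thread or by BleepingComputer: it feeds the exact values quoted above (constructed list) through Python's standard `ipaddress` module and a small lookup of the two well-known port assignments. The 192.168.0.0/16 block is the private LAN range most home routers hand out; a 169.254.0.0/16 address is the link-local (APIPA) address Windows assigns itself when no DHCP lease is obtained, which is exactly the situation behind the "limited or no connectivity" icon the poster describes; 1900/UDP and 2869/TCP are the ports Windows XP's UPnP framework opens. None of these, by themselves, indicate an infection, which is what a defender would want to establish before chasing them further.

```python
import ipaddress

# Constructed inputs: the addresses and the Windows Defender "Resources"
# strings quoted in posts #5, #6 and #7 above.
ADDRESSES_FROM_THREAD = [
    "192.168.0.0", "192.168.255.255", "169.254.243.167", "169.254.95.90",
]
DEFENDER_RESOURCES = [
    r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP",
    r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP",
]

# Well-known assignments for the two ports that appear in the thread.
KNOWN_PORTS = {
    (1900, "UDP"): "SSDP, the UPnP discovery protocol",
    (2869, "TCP"): "UPnP device host / event notification on Windows XP",
}


def classify(addr):
    """Return a short label describing what kind of address this is."""
    # Tolerate the stray space in "169.254.243. 167" as it was typed in the thread.
    ip = ipaddress.ip_address(addr.replace(" ", ""))
    if ip.is_loopback:
        return "loopback"
    # 169.254.0.0/16 is also covered by is_private in the ipaddress module,
    # so the link-local test must come first.
    if ip.is_link_local:
        return "link-local (APIPA, RFC 3927): self-assigned when no DHCP lease was obtained"
    if ip.is_private:
        return "private (RFC 1918): home/office LAN range, not routable on the Internet"
    if ip.is_multicast:
        return "multicast"
    return "public"


def parse_open_port(resource):
    """Split a GloballyOpenPorts value name into (port, protocol, description)."""
    leaf = resource.rstrip("\\").rsplit("\\", 1)[-1]  # e.g. "1900:UDP"
    port_str, proto = leaf.split(":")
    key = (int(port_str), proto.upper())
    return key[0], key[1], KNOWN_PORTS.get(key, "not a well-known assignment")


def report(addresses=ADDRESSES_FROM_THREAD, resources=DEFENDER_RESOURCES):
    """One line per address and per firewall entry, ready to paste into a reply."""
    lines = [f"{a:18} -> {classify(a)}" for a in addresses]
    lines += [f"{port}/{proto:3} -> {desc}"
              for port, proto, desc in map(parse_open_port, resources)]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it prints one line per value; the useful check for a thread like this one is that every address the firewall complained about falls into the private or link-local class and that each opened port maps to a service the owner knows is installed (here UPnP, which post #8 says has since been turned off).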

#8 computernoviceAB
  • Topic Starter

  • Members
  • 5 posts

Posted 14 January 2008 - 05:58 PM

Thanks for your reply. I'll add the HJT log to the appropriate forum once I've written the new description of the problem etc.

I'm not connected (or shouldn't be) to a private network. My computer is stand-alone, file sharing deactivated, no Univ. plug'n'play, remote help disabled.

Thanks for your help.
