Ip address redirected


  • This topic is locked
5 replies to this topic

#1 Geneva


Posted 26 May 2009 - 03:25 PM

Whenever my wireless computer is abruptly shut down, such as by a power outage or an auto shutdown after a scan, on reboot the IP address is pointed to a black hole domain (I ran a Netstat -an and a whois) instead of to my router's IP address. I have blocked the outbound port to that IP address when I discovered it was trying to export my netuser.dat file.
In order to reconnect to the net, I must do a repair, which usually then points the ipconfig to the correct router address and gateway.

My computer had been hacked, but now scans show no malware or virus.

After the computer was hacked it was formatted, but my Documents and Settings had been saved and then restored to the computer.

Do I have a leftover DLL, OCX or script that came back from the Documents and Settings folders?
If so, how do I find and delete it?

If not, can anyone explain what is happening?
Thanks
P.S. The rogue IP appears on UDP port 135, which is normally the wake up call to the router and then the loopback to open the TCP ports.

Edited by Geneva, 26 May 2009 - 03:29 PM.



#2 Geneva


Posted 27 May 2009 - 11:17 AM

bump

#3 Linio Alan


Posted 27 May 2009 - 01:58 PM

Do a scan with MalwareBytes Antimalware first. After the scan, make sure your firewall is correctly configured. Try this.

#4 Geneva


Posted 27 May 2009 - 07:15 PM

I can do a scan, but infection is not the problem. The black hole is IANA.org, which assigns the port numbers up to about 50K.
UDP and TCP port 123 is end point mapping controlled by SCVHOST. I don't understand why, when I have a sudden shutdown, Windows Netuser.dat points to something other than my normal IP. I have SSDP disabled.
My firewall blocks export... no problem.

#5 Geneva


Posted 02 June 2009 - 08:53 PM

bump
Keeps happening and I have to do a repair. Before the repair, netstat points to UDP port 123 to an unknown address instead of my router gateway. It is like having a rat in the attic trying to call his mother on my line at startup, and my firewall is blocking him.

#6 Orange Blossom

  • Moderator

Posted 04 June 2009 - 08:32 PM

This issue is being discussed here: http://www.bleepingcomputer.com/forums/t/231406/ip-problemmoved/ . Closed to avoid confusion.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



