
Unusual ip address on home network ARP


14 replies to this topic

#1 bobbis1972

bobbis1972

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 16 March 2012 - 10:07 AM

Hi,
For a very long time, even after multiple formats and reinstallations, I keep getting the message, when I want to listen to media on some websites, that "Http through a proxy server is not allowed". I have made sure NO proxy is checked in Firefox and have set registry entries to disable proxy settings.
I still get the message though. Today I saw my cursor move to another part of the screen while the mouse was still, so I shut down the PC and rebooted, immediately starting Wireshark on reboot, and managed to get it running before the network came live. I caught this entry:




[screenshot of the Wireshark capture, not available]


The 192.168.5.1-6 addresses are my home LAN; the other address, the 10.x.x.x one, I have no idea what it is. Can someone tell me please?


(apologies for the smeary bleary)

Edited by hamluis, 29 March 2012 - 06:14 AM.
Moved from Networking to Am I Infected.




#2 Nate15329

Nate15329

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Male
  • Location:WI, USA
  • Local time:08:42 AM

Posted 22 March 2012 - 01:20 PM

It might be a NIC (network interface card) with a static IP address trying to find its non-existent gateway on a non-existent network.
Were any of your devices set up somewhere else with a static IP (most likely) for a different network, or is there a device with a long DHCP lease time (less likely)?

#3 jhayz

jhayz

  • BC Advisor
  • 6,922 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 PM

Posted 23 March 2012 - 02:32 AM

Can you follow the suggestion in the first pinned topic posted by a BC Advisor, for a clearer view?

Tekken
 


#4 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,111 posts
  • OFFLINE
  • Gender:Male
  • Location:Ohio
  • Local time:10:42 AM

Posted 25 March 2012 - 01:58 AM

As posted above, please see my topic at the top of the Networking forum, located at LINK TO NETWORKING PLEASE READ THREAD. This information will likely tell us what we need to know. Your next post should answer this; however, do you have any virtual machine software installed? Is Remote Assistance enabled?

Edited by Sneakycyber, 25 March 2012 - 02:36 AM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#5 bobbis1972

bobbis1972
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 27 March 2012 - 05:14 AM

I appreciate the pointer, sorry for not putting it in the right place. I'm building my thread over there, thank you...

#6 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,111 posts
  • OFFLINE
  • Gender:Male
  • Location:Ohio
  • Local time:10:42 AM

Posted 27 March 2012 - 05:56 AM

You're in the right place, we just need you to answer those questions. :)

Edited by Sneakycyber, 27 March 2012 - 05:56 AM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#7 bobbis1972

bobbis1972
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 27 March 2012 - 06:07 AM

Hi. For some time I had been seeing unusual activity from time to time. I'm beginning to understand the process of events that is involved in what I see happening, but I am a lowly n00b in need of some direction in how to determine what it is I am seeing.
I keep seeing recurring addresses in my ARP cache; one of these is an address I have no idea of, the other is my Internet-side IP address.

My PC is a box I built myself. It contains: Gigabyte ep-41 ud3l rev 1 motherboard with latest BIOS installed.
Q8400 1st gen Intel quad core at 2.66 GHz
4 GB unmatched RAM, though it works fine.
ATI 5770 GPU
2x 64 GB SSDs
550 W PSU
320 GB Mag H/D
DVD R/W
Peripherals attached are: Microsoft iType Curve keyboard, RAT3, n52te gamepad, Razer Piranha headphones.


MiniToolBox:


MiniToolBox by Farbar Version: 18-01-2012
Ran by anova (administrator) on 27-03-2012 at 11:26:13
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================

127.0.0.1 199.212.0.48
127.0.0.1 192.168.5.2
127.0.0.1 192.168.5.3
127.0.0.1 192.168.5.4
127.0.0.1 192.168.5.6
127.0.0.1 169.254.72.30
127.0.0.1 10.89.28.215
127.0.0.1 199.212.0.48

========================= IP Configuration: ================================



# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Local Area Connection" nexthop=192.168.5.1 publish=Yes
add address name="Local Area Connection" address=192.168.5.5 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : anova-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : 6C-F0-49-08-3A-98
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.5.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: resolver1.opendns.com
Address: 208.67.222.222

Name: google.com
Addresses: 173.194.34.64
173.194.34.65
173.194.34.73
173.194.34.71
173.194.34.72
173.194.34.68
173.194.34.69
173.194.34.66
173.194.34.67
173.194.34.78
173.194.34.70


Pinging google.com [173.194.34.70] with 32 bytes of data:
Reply from 173.194.34.70: bytes=32 time=33ms TTL=55
Reply from 173.194.34.70: bytes=32 time=31ms TTL=55

Ping statistics for 173.194.34.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 33ms, Average = 32ms
Server: resolver1.opendns.com
Address: 208.67.222.222

Name: yahoo.com
Addresses: 72.30.38.140
98.139.183.24
209.191.122.70


Pinging yahoo.com [72.30.38.140] with 32 bytes of data:
General failure.
General failure.

Ping statistics for 72.30.38.140:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Server: resolver1.opendns.com
Address: 208.67.222.222

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
10...6c f0 49 08 3a 98 ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.5.1 192.168.5.5 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.5.0 255.255.255.0 On-link 192.168.5.5 276
192.168.5.5 255.255.255.255 On-link 192.168.5.5 276
192.168.5.255 255.255.255.255 On-link 192.168.5.5 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.5.5 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.5.5 276
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.5.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/26/2012 11:36:51 AM) (Source: COM+) (User: )
Description: (DtcGetTransactionManagerEx(): hr = 0x8004d01b)

Error: (03/26/2012 11:03:10 AM) (Source: COM+) (User: )
Description: (DtcGetTransactionManagerEx(): hr = 0x8004d01b)

Error: (03/24/2012 07:56:57 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/22/2012 05:49:09 PM) (Source: Application Error) (User: )
Description: Faulting application name: vlc.exe, version: 2.0.0.0, time stamp: 0x4f3e9873
Faulting module name: vlc.exe, version: 2.0.0.0, time stamp: 0x4f3e9873
Exception code: 0xc0000005
Fault offset: 0x00001805
Faulting process id: 0x4b0
Faulting application start time: 0xvlc.exe0
Faulting application path: vlc.exe1
Faulting module path: vlc.exe2
Report Id: vlc.exe3

Error: (03/21/2012 09:10:09 PM) (Source: Application Error) (User: )
Description: Faulting application name: Origin.exe, version: 8.5.0.4554, time stamp: 0x4f5154c2
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x0002e3be
Faulting process id: 0x99c
Faulting application start time: 0xOrigin.exe0
Faulting application path: Origin.exe1
Faulting module path: Origin.exe2
Report Id: Origin.exe3

Error: (03/19/2012 03:37:55 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/18/2012 11:53:07 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/16/2012 09:04:16 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (03/16/2012 04:37:39 PM) (Source: Application Error) (User: )
Description: Faulting application name: PnkBstrA.exe, version: 0.0.0.0, time stamp: 0x4f144d4e
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x6c316c9c
Faulting process id: 0x544
Faulting application start time: 0xPnkBstrA.exe0
Faulting application path: PnkBstrA.exe1
Faulting module path: PnkBstrA.exe2
Report Id: PnkBstrA.exe3

Error: (03/16/2012 04:37:39 PM) (Source: Application Error) (User: )
Description: Faulting application name: mscorsvw.exe, version: 4.0.30319.1, time stamp: 0x4ba1da21
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x6c316c9c
Faulting process id: 0x5b8
Faulting application start time: 0xmscorsvw.exe0
Faulting application path: mscorsvw.exe1
Faulting module path: mscorsvw.exe2
Report Id: mscorsvw.exe3


System errors:
=============
Error: (03/27/2012 11:03:05 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058

Error: (03/27/2012 11:03:04 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058

Error: (03/27/2012 10:22:07 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058

Error: (03/27/2012 10:22:07 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058

Error: (03/27/2012 10:22:07 AM) (Source: DCOM) (User: )
Description: 1068netprofm{A47979D2-C419-11D9-A5B4-001185AD2B89}

Error: (03/27/2012 10:22:01 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058

Error: (03/27/2012 10:21:57 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058

Error: (03/27/2012 10:21:56 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058

Error: (03/27/2012 10:21:56 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058

Error: (03/27/2012 10:21:55 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1058


Microsoft Office Sessions:
=========================
Error: (03/26/2012 11:36:51 AM) (Source: COM+)(User: )
Description: (DtcGetTransactionManagerEx(): hr = 0x8004d01b)

Error: (03/26/2012 11:03:10 AM) (Source: COM+)(User: )
Description: (DtcGetTransactionManagerEx(): hr = 0x8004d01b)

Error: (03/24/2012 07:56:57 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\ATI\CIM\Bin64\SetACL64.exe

Error: (03/22/2012 05:49:09 PM) (Source: Application Error)(User: )
Description: vlc.exe2.0.0.04f3e9873vlc.exe2.0.0.04f3e9873c0000005000018054b001cd0846eb50f297D:\VLC\vlc.exeD:\VLC\vlc.exef185e696-743e-11e1-b92f-91520ced30ba

Error: (03/21/2012 09:10:09 PM) (Source: Application Error)(User: )
Description: Origin.exe8.5.0.45544f5154c2ntdll.dll6.1.7601.177254ec49b8fc00000050002e3be99c01cd079e99dfb620C:\Program Files (x86)\Origin\Origin.exeC:\Windows\SysWOW64\ntdll.dlldb6cded3-7391-11e1-8cf4-6cf049083a98

Error: (03/19/2012 03:37:55 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\ATI\CIM\Bin64\SetACL64.exe

Error: (03/18/2012 11:53:07 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\ATI\CIM\Bin64\SetACL64.exe

Error: (03/16/2012 09:04:16 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestD:\bleepStore\esetsmartinstaller_enu.exe

Error: (03/16/2012 04:37:39 PM) (Source: Application Error)(User: )
Description: PnkBstrA.exe0.0.0.04f144d4eunknown0.0.0.000000000c00000056c316c9c54401cd038077529bf5C:\Windows\SysWOW64\PnkBstrA.exeunknownf5f2518a-6f7d-11e1-85dd-6cf049083a98

Error: (03/16/2012 04:37:39 PM) (Source: Application Error)(User: )
Description: mscorsvw.exe4.0.30319.14ba1da21unknown0.0.0.000000000c00000056c316c9c5b801cd0389be173c46C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeunknownf5c6d417-6f7d-11e1-85dd-6cf049083a98


========================= Memory info: ===================================

Percentage of memory in use: 27%
Total physical RAM: 4094.49 MB
Available physical RAM: 2974.27 MB
Total Pagefile: 22515.69 MB
Available Pagefile: 21204.91 MB
Total Virtual: 4095.88 MB
Available Virtual: 3965.6 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:59.53 GB) (Free:31.78 GB) NTFS
3 Drive d: () (Fixed) (Total:59.62 GB) (Free:46.55 GB) NTFS
4 Drive e: () (Fixed) (Total:298.09 GB) (Free:117.26 GB) NTFS

========================= Users: ========================================

User accounts for \\

Administrator anova Guest


**** End of log ****






****************************************
Log created by WinPatrol [FREE Edition] version 24.5.2012.0:24.5.2012.0
Scan saved at 11:10:06 AM, on 3/27/2012
Platform: Windows 7 Home Edition Service Pack 1 (Build 7601)
MSIE: Internet Explorer (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\PROGRAM FILES (X86)\n52te\n52teHid.exe
C:\PROGRAM FILES (X86)\XArp\xarp.exe
C:\PROGRAM FILES (X86)\n52te\n52teTra.exe
D:\Firefox\firefox.exe
C:\PROGRAM FILES (X86)\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES (X86)\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\BitComet\tools\BitCometBHO_1.5.4.11.dll
O4 - HKLM\..\Run: [RtHDVCpl]C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
O4 - HKLM\..\Run: [COMODO Internet Security]C:\Program Files\COMODO\COMODO Internet Security\cfp.exe -h
O4 - HKLM\..\Run: [ProfilerU]C:\Program Files\SmartTechnology\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd]C:\Program Files\SmartTechnology\Software\SaiMfd.exe
O4 - HKCU\..\Run: [AtiTrayTools]C:\Program Files (x86)\Ray Adams\ATI Tray Tools\atitray.exe
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES]C:\Windows\System32\StikyNot.exe
O4 - HKCU\..\Run: [NetAgent]C:\Program Files (x86)\Flexbyte S
O4 - HKU\..\Run: [Jomantha]C:\Program Files (x86)\n52te\n52teHid.exe
O4 - HKU\..\Run: [StartCCC]C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun
O4 - HKU\..\Run: [XArp]C:\Program Files (x86)\XArp\xarp.exe hide
O4 - HKU\..\Run: [WinPatrol [FREE Edition]]C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\BitComet\tools\BitCometBHO_1.5.4.11.dll/206
O11 - Options group: [] -
O23 - Service: AMD External Events Utility - AMD - C:\WINDOWS\SYSTEM32\ATIESRXX.EXE
O23 - Service: BitComet Disk Boost Service - www.BitComet.com - E:\BitComet\tools\BITCOMETSERVICE.EXE
O23 - Service: COMODO Internet Security Helper Service - COMODO - C:\PROGRAM FILES\COMODO\COMODO INTERNET SECURITY\cmdagent.exe
O23 - Service: PnkBstrA - - C:\Windows\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - CACE Technologies, Inc. - C:\PROGRAM FILES (X86)\WinPcap\rpcapd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\PROGRAM FILES (X86)\COMMON FILES\Steam\STEAMSERVICE.EXE
O23 - Service: Windows Defender - - C:\PROGRAM FILES (X86)\WINDOWS DEFENDER\MPSVC.DLL
O23 - Service: Windows Media Player Network Sharing Service - - C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPNETWK.EXE

--- Additional WinPatrol Info ---
Default Browser: Windows® Internet Explorer - Internet Explorer version 8.00.7600.16385
MSIE: Internet Explorer (8.00.7600.16385)
Firefox 10.0.1 installed in D:\Firefox.
0 IE Cookies in Folder: C:\Users\anova\AppData\Roaming\Microsoft\Windows\Cookies\
477 Mozilla Cookies in Folder: C:\Users\anova\AppData\Roaming\Mozilla\FireFox\Profiles\9pbm7wxb.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS2: BootExecute = autocheck autochk *
WP01 - HKLM\CS1: PendingFileRenameOperations = \??\C:\Users\anova\AppData\Local\Temp\Tsu-05E4.dll
WP01 - HKLM\CCS: PendingFileRenameOperations = \??\C:\Users\anova\AppData\Local\Temp\Tsu-05E4.dll
WP02 - HKLM\CCS: Command = C:\Windows\system32\cmd.exe


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://


WP16 - ActiveX: {7AEFE841-DCA1-4A95-80CB-BE935D017400} [ESNLaunchAx Control] C:\PROGRAM FILES (X86)\BATTLELOG WEB PLUGINS\1.116.0\ESNLAUNCHAX.OCX 1.0.0.1
WP16 - ActiveX: {EBA7A1E6-E69D-4BA5-B291-95782A004604} [SonarAx Control] C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\SonarAx.ocx 0,70,4
WP16 - ActiveX: {05589fa1-c356-11ce-bf01-00aa0055595a} [ActiveMovieControl Object] C:\Windows\SysWOW64\wmpdxm.dll 12.0.7601.17514
WP16 - ActiveX: {52A2AAAE-085D-4187-97EA-8C30DB990436} [HHCtrl Object] C:\Windows\System32\hhctrl.ocx 6.1.7600.16385
WP16 - ActiveX: {54CE37E0-9834-41ae-9896-4DAB69DC022B} [Microsoft RDP Client Control (redistributable) - version 5a] C:\Windows\System32\mstscax.dll 6.1.7601.17514
WP16 - ActiveX: {6A6F4B83-45C5-4ca9-BDD9-0D81C12295E4} [Microsoft RDP Client Control (redistributable) - version 4a] C:\Windows\System32\mstscax.dll 6.1.7601.17514
WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\Windows\SysWOW64\ieframe.dll 8.00.7600.16385
WP16 - ActiveX: {971127BB-259F-48c2-BD75-5F97A3331551} [Microsoft RDP Client Control (redistributable) - version 3a] C:\Windows\System32\mstscax.dll 6.1.7601.17514
WP16 - ActiveX: {AE24FDAE-03C6-11D1-8B76-0080C744F389} [Microsoft Scriptlet Component] C:\Windows\SysWOW64\mshtml.dll 8.00.7600.16385

WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\Windows\WindowsShell.Manifest
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-security-lsalookup-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-security-sddl-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-service-core-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-service-management-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-service-management-l2-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-service-winsvc-l1-1-0.dll

WP33 - File Type .AVI: [Video Clip]C:\Program Files (x86)\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [Windows Batch File]%1 %*
WP33 - File Type .CAB: [Cabinet File]C:\Windows\Explorer.exe /idlist,%I,%L
WP33 - File Type .CAT: [Security Catalog]C:\Windows\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\Windows\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows Command Script]%1 %*
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\Windows\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [MIDI Sequence]C:\Program Files (x86)\Windows Media Player\wmplayer.exe /Open %L
WP33 - File Type .MP3: [MP3 Format Sound]C:\Program Files (x86)\Windows Media Player\wmplayer.exe /prefetch:6 /Open %L
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [VLC media file (.ram)]D:\VLC\vlc.exe --started-from-file %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Document]C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE %1
WP33 - File Type .SCR: [Screen saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Windows host process (Rundll32)]C:\Windows\System32\rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\Windows\System32\WScript.exe %1 %*

Memory currently in use: 25%
Physical Memory Free: 3,109,752 KB
Paging File Free: 4,194,303 KB
Virtual Memory Free: 1,957,660 KB


--
End of file


I know you are going to say something about BitComet being there. Firstly, I don't d/l illegal torrents; it was the only way to get the USKF official artist release. BitComet is set as an isolated application within HIPS (Comodo) and in the firewall (denied), unless I need it, and then it is allowed for as long as it takes to get the file, then isolated/denied again.

Those Office session errors are news to me; I don't use Office. Or do they mean programs that are regarded as "Office" programs?


I am with Virgin Media on a 50 Mb/s fibre optic connection. I do not use wireless, but I do use a Lenovo DLAN highspeed ethernet 11 to use the house electrical wiring as a carrier to and from the router.
There are 3 other PCs connected using this setup. I know what their MAC addresses and IPs are, and they do not appear in my ARP cache. There are NO network shares, or a network to speak of, other than independent routes to and from the router over the same wiring.
All PCs are set up with PeerBlock, which has a deny rule for all other IPs on the LAN except for their own and the router's.
The router is set up with MAC addressing and static IPs; only five addresses are available, one for each PC and a Google TV box.



I have been using XArp to monitor what is going on. It tells me that when I switch on my PC there is a packet coming IN that has the SAME MAC address as my PC. I see this multiple times, after reboots or re-enabling the adapter, and it regards this as an ARP attack.


What interfaces I have running:
The main IPv4-addressed gigabit LAN on the motherboard has IPv6 disabled and a static IPv4 route with DNS set.
The WAN Miniport has
SSTP
L2TP
PPTP
PPPOE
IPV6
set as disabled, with no MAC addressing available.
The RAS Async adapter is functioning with a MAC address I do not recognise.

As all I do is game with this PC and surf the web, I have the vast majority of services set to disabled as they are not required. If I put my PC to sleep after boot it releases around 350-370 MB RAM and runs very stably, with no running issues, on around 430-450 MB RAM and 33-35 processes.

I appreciate the help.
thank you.

PS: just capped this for posting.
Posted Image

Also, no virtual machines of any sort, and virtualisation is set to disabled on the motherboard.
And a full virus scan came back entirely clean.

After seeing two addresses being resolved to IP blocks in China, I have uninstalled BitComet as I don't trust it.

I also have a 6000-packet network capture from this afternoon with some interesting stuff in it, I think.

Edited by bobbis1972, 27 March 2012 - 04:00 PM.

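The XArp alarm described in the post above (an inbound ARP frame carrying the PC's own MAC) can be reproduced with a small frame-level check. The following is an added example, not code from the thread or from XArp: it decodes Ethernet II/ARP frames and, over a constructed set of frames, flags (a) inbound frames whose sender MAC is our own, (b) another MAC claiming our IP, (c) gratuitous ARP announcements, and (d) an IP whose MAC changes mid-capture, the classic ARP-spoofing signature. All MACs, the "in"/"out" direction tags and the ROGUE_MAC host are invented for the example; only the 192.168.5.x addressing follows the thread.

```python
"""Added example (not from the thread): decode ARP frames and flag the conditions
an ARP watcher alarms on. Sample frames and all MAC addresses are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(p, 16) for p in text.replace(":", "-").split("-"))


def ip_bytes(text: str) -> bytes:
    return bytes(int(p) for p in text.split("."))


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode Ethernet II + ARP (IPv4 over Ethernet). Returns None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_dst: str = "ff-ff-ff-ff-ff-ff") -> bytes:
    """Build a minimum-size (60 byte) ARP frame; used here only to construct sample traffic."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return (eth + arp).ljust(60, b"\x00")


def analyse(frames: List[Tuple[str, bytes]], local_mac: str, local_ip: str) -> List[str]:
    """frames: (direction, raw) pairs, direction being 'in' or 'out' as reported by the
    capture driver. Returns one alert string per suspicious frame, in capture order."""
    alerts: List[str] = []
    ip_to_mac: Dict[str, str] = {}
    for idx, (direction, raw) in enumerate(frames):
        a = parse_arp(raw)
        if a is None:
            continue
        if direction == "in" and local_mac in (a["sha"], a["eth_src"]):
            alerts.append(f"frame {idx}: inbound ARP carries our own MAC {local_mac} "
                          f"(sender IP {a['spa']}); another host or a bridge is using our address")
        if direction == "in" and a["spa"] == local_ip and a["sha"] != local_mac:
            alerts.append(f"frame {idx}: {a['sha']} claims our IP {local_ip}")
        if a["spa"] == a["tpa"]:
            alerts.append(f"frame {idx}: gratuitous ARP for {a['spa']} from {a['sha']}")
        prev = ip_to_mac.setdefault(a["spa"], a["sha"])
        if prev != a["sha"]:
            alerts.append(f"frame {idx}: {a['spa']} moved from {prev} to {a['sha']}")
            ip_to_mac[a["spa"]] = a["sha"]
    return alerts


# Invented addresses for the sample capture (only the subnet follows the thread).
LOCAL_MAC, LOCAL_IP = "00-11-22-33-44-55", "192.168.5.5"
ROUTER_MAC, ROUTER_IP = "aa-bb-cc-dd-ee-01", "192.168.5.1"
ROGUE_MAC = "de-ad-be-ef-00-01"

SAMPLE_FRAMES = [
    ("out", build_arp(ARP_REQUEST, LOCAL_MAC, LOCAL_IP, "00-00-00-00-00-00", ROUTER_IP)),
    ("in", build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, LOCAL_MAC, LOCAL_IP, eth_dst=LOCAL_MAC)),
    # our own broadcast reflected back to us, sender MAC = our MAC
    ("in", build_arp(ARP_REQUEST, LOCAL_MAC, LOCAL_IP, "00-00-00-00-00-00", ROUTER_IP)),
    # a third host answering for the router's IP with a different MAC
    ("in", build_arp(ARP_REPLY, ROGUE_MAC, ROUTER_IP, LOCAL_MAC, LOCAL_IP, eth_dst=LOCAL_MAC)),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_FRAMES, LOCAL_MAC, LOCAL_IP):
        print(line)
```

The direction tag matters: a capture taken on the PC's own NIC also contains the PC's own outbound ARP requests, so "our MAC appears as sender" is only meaningful for frames the driver marks as received. A powerline bridge or a switch that reflects a station's own broadcasts back to it produces condition (a) with no attacker involved; condition (d), an IP silently changing MAC, is the one that indicates someone else is answering for that address.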

#8 bobbis1972

bobbis1972
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 27 March 2012 - 07:23 AM

You're in the right place; we just need you to answer those questions. :)

For some reason I thought I had posted in the wrong thread and opened another thread in "Networking". I apologise, I'm not very bright today, getting old I think, a "senior moment" 20 years too soon....
Could you merge these posts with the other topic I started in "Networking"? I'm going to go and beat myself stupid, which is a step forwards from where I am now. :crazy:

http://www.bleepingcomputer.com/forums/topic447756.html

Edited by bobbis1972, 27 March 2012 - 08:06 AM.


#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,946 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:42 AM

Posted 27 March 2012 - 05:41 PM

I merged the topics for you. The new topic now appears one above your most recent post. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#10 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,111 posts
  • OFFLINE
  • Gender:Male
  • Location:Ohio
  • Local time:10:42 AM

Posted 28 March 2012 - 10:49 PM

Edit: Just re-read the end of your post. Don't worry, I won't flame you for having torrent software. Contrary to what I have said in the past, the software is perfectly fine; it's what you do with it that draws a line in the sand. In this case your hosts file and ARP table are suspicious, so I am recommending this topic be taken over by our malware experts. You are in great hands. My expertise lies in the delivery of the Internet, not what it brings with it. When they clear your computer of corruption I will be more than happy to answer any questions you may have. At this time I would keep this machine away from an Internet connection when it's not needed and avoid sending personal data. The malware experts will advise you on the level of security risk, if any, this is.


Edit 2: This thread will be Moved to the Am I infected forum where it will be reviewed by the Malware Team.

Edited by Sneakycyber, 28 March 2012 - 10:58 PM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#11 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:42 PM

Posted 29 March 2012 - 08:24 AM

Can you please perform the following task:

Open up a command prompt via Start > All Programs > Accessories > Command Prompt

Type in the following

arp -a >> c:\arp.txt

Then do

start c:\arp.txt

Use the Edit menu in Notepad to copy, then paste the results in your next post.

This will reveal your ARP cache; the Wireshark capture in your post above is showing the DHCP process starting.

What is your router's default IP?
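Once the arp -a output is in hand it can be checked mechanically rather than read by eye. The block below is an added example, not part of cryptodan's reply or of any tool named in the thread: it parses the Windows arp -a format into per-interface tables and audits them for entries outside the interface's subnet, a gateway whose MAC differs from the expected one, and one MAC answering for several unicast IPs. The sample table is constructed for the example (the router line reuses the arp -a output posted in this thread; the other MACs are invented), and the /29 prefix and the expected gateway MAC are assumptions supplied by the caller, since arp -a does not print the netmask.

```python
"""Added example (not from the thread): parse Windows `arp -a` output and audit it.
The sample table is constructed; the /29 prefix and gateway MAC are caller assumptions."""
import ipaddress
import re
from typing import Dict, List, Tuple

IFACE_RE = re.compile(r"^Interface:\s+(\S+)\s+---\s+(0x[0-9a-f]+)", re.I)
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.I)

Entry = Tuple[str, str, str]  # (ip, mac, type)


def parse_arp_a(text: str) -> Dict[str, List[Entry]]:
    """Return {interface_ip: [(ip, mac, 'static'|'dynamic'), ...]} for each Interface block."""
    tables: Dict[str, List[Entry]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            tables[current].append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return tables


def audit(tables: Dict[str, List[Entry]], prefix: str,
          gateway_ip: str, gateway_mac: str) -> List[str]:
    """Flag neighbour entries a single-subnet home LAN should not have."""
    net = ipaddress.ip_network(prefix, strict=False)
    findings: List[str] = []
    for iface, entries in tables.items():
        mac_owners: Dict[str, List[str]] = {}
        for ip, mac, _kind in entries:
            addr = ipaddress.ip_address(ip)
            # Windows always lists broadcast and multicast helper entries; they are expected.
            if addr.is_multicast or mac == "ff-ff-ff-ff-ff-ff" or addr == net.broadcast_address:
                continue
            if addr not in net:
                findings.append(f"{iface}: {ip} is outside {net} but has a neighbour entry ({mac})")
            if ip == gateway_ip and mac != gateway_mac.lower():
                findings.append(f"{iface}: gateway {ip} resolves to {mac}, expected {gateway_mac}")
            mac_owners.setdefault(mac, []).append(ip)
        for mac, ips in mac_owners.items():
            if len(ips) > 1:
                findings.append(f"{iface}: MAC {mac} answers for several IPs: {', '.join(ips)}")
    return findings


# Constructed sample in the exact layout `arp -a` prints on Windows 7.
SAMPLE_ARP_A = """\
Interface: 192.168.5.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.5.1           a0-21-b7-1c-b5-a7     dynamic
  192.168.5.3           00-1b-44-11-3a-b7     dynamic
  192.168.5.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  10.20.30.40           00-1b-44-11-3a-b7     dynamic
"""

if __name__ == "__main__":
    tables = parse_arp_a(SAMPLE_ARP_A)
    # Assumed LAN prefix and known-good router MAC; adjust to the real network.
    for finding in audit(tables, "192.168.5.0/29", "192.168.5.1", "a0-21-b7-1c-b5-a7"):
        print(finding)
```

The two findings the sample produces (a 10.x neighbour on a 192.168.5.x interface, and one MAC owning two IPs) are exactly the cases that cannot be judged from a one-line cache like the one posted, which is why the whole table, not a screenshot of it, is worth having.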

#12 bobbis1972

bobbis1972
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 30 March 2012 - 09:38 AM

Interface: 192.168.5.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.5.1           a0-21-b7-1c-b5-a7     dynamic

My router's default IP is 192.168.5.1.

Also, I had to do a clean install; my motherboard blew, so I changed it and got rid of a magnetic hard drive I could not format as thoroughly as I would like. I also had concerns of a lasting BIOS virus on the old board; I'm glad it has gone.
So far I haven't been remotely logged off my machine.

Less than 24 hrs after a clean install, after using HDDErase, a DoD cleansing tool that performs a total format, even of any HPA they may have, using Enhanced Secure Erase, I am seeing exactly the same activity. I only have the two SSDs now; I like them because doing a firmware write, either up or down a revision, completely erases any information on them whatsoever. I am 100% sure I do not have any virus whatsoever, and something else is going on. I have seen the same address from ChinaNet in Wireshark DNS requests. I also get "Wireshark was forced to close after it was accessed in an unfamiliar way", something to do with the C++ runtime libraries; this is not the first time I have seen this happen.


I have been into the registry to write a key to disable any automatic proxy through IE or Firefox, as "Use automatic settings" was ticked, though not by me.
IPv6 is disabled. I have used the HIPS to place MSTSC, p2pcollab, aaclient.dll and some other stuff into "blocked" status; these have appeared in the HIPS log as being blocked when something tried to access them.

MSE does not find anything at all. I have SP1 on the machine.

My feeling is I am up against a script running on a server somewhere that is attacking me the moment I come online.

This has been going on for quite some time.
I ran my IP address through Spamhaus and a few other spam blacklist databases, and it is there.
I feel thoroughly pi**ed off, and I appreciate the help.

Latest ip tables

Posted Image

Edited by bobbis1972, 30 March 2012 - 09:44 AM.


#13 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Location:Catonsville, Md
  • Local time:02:42 PM

Posted 30 March 2012 - 12:22 PM

Do you know what the purpose and function of Spamhaus is? It is a blacklisting service for email and email alone, and that is that.

Secondly, for anyone to attack you the instant you get online there would need to be a bot on your computer, and you said you did a clean installation. That would take care of any instance of malware. You also said you had a BIOS virus; those types of viruses are extremely rare and hard to come by. Most of the malware out there is oriented to the rootkit variety.


That image you posted is your routing table.

Here is my routing table:

===========================================================================
Interface List
 13...00 27 10 13 92 6d ......Microsoft Virtual WiFi Miniport Adapter #2
 12...00 27 10 13 92 6d ......Microsoft Virtual WiFi Miniport Adapter
 11...00 27 10 13 92 6c ......Intel(R) Centrino(R) Advanced-N 6200 AGN
 10...00 26 b9 eb 51 5f ......Realtek PCIe GBE Family Controller
 20...08 00 27 00 70 04 ......VirtualBox Host-Only Ethernet Adapter
  1...........................Software Loopback Interface 1
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 22...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.15     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.15    281
     192.168.1.15  255.255.255.255         On-link      192.168.1.15    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.15    281
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link      192.168.1.15    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    276
  255.255.255.255  255.255.255.255         On-link      192.168.1.15    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 20    276 fe80::/64                On-link
 20    276 fe80::6149:521f:1f76:b02b/128
                                    On-link
  1    306 ff00::/8                 On-link
 20    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\cryptodan>

The IPs in yours match the IPs in mine.

You are being a bit too paranoid at this time.

But just to do some things:

Hello,

And welcome to BleepingComputer.com, before we can assist you with your question of: Am I infected? You will need to perform the following tasks and post the logs of each if you can. If you have performed any of the scans below post the logs for those scans, and then perform the ones you have not done.

Please download and run Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Malwarebytes Anti-Malware

NOTE: Malwarebytes is now offering a free trial of their program. If you want to accept it you will need to enter some billing information, so that at the end of the trial you would be charged the cost of the product. Please decline this offer if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are unchecked (leave all others checked):
    • Ignore files larger than 4 MB
    • Ignore non-executable files

    Now Perform the scan with SUPERAntiSpyware as follows:
    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

SAS Portable
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


All scans above should be performed in regular boot mode, and if that is not possible then I will post instructions in a follow up reply on how to get into Safe Mode to perform the scans. Also all scans should be COMPLETE and not quick unless specifically instructed to do so.
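To make the "the IPs in yours match the IPs in mine" comparison earlier in this reply checkable rather than eyeballed, here is an added example, not from the thread or from any of the tools listed above, that parses the IPv4 section of Windows route print output and reports only what deviates from a plain home setup: a default route whose gateway is not the expected router, routes to specific networks that go through a gateway, and gateways that are not on any directly connected network. The sample is constructed: the On-link rows follow the layout of the routing table shown above, and the two extra gateway routes are invented to show what a finding looks like.

```python
"""Added example (not from the thread): parse the IPv4 'Active Routes' table from
`route print` and flag routes a home PC does not normally carry. Sample is constructed."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(On-link|\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


class Route(NamedTuple):
    dest: str
    mask: str
    gateway: Optional[str]  # None means the row said On-link
    iface: str
    metric: int

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.dest}/{self.mask}", strict=False)


def parse_route_print(text: str) -> List[Route]:
    """Collect rows between 'IPv4 Route Table' and 'IPv6 Route Table'."""
    routes: List[Route] = []
    in_v4 = False
    for line in text.splitlines():
        if line.startswith("IPv4 Route Table"):
            in_v4 = True
            continue
        if line.startswith("IPv6 Route Table"):
            break
        m = ROUTE_RE.match(line) if in_v4 else None
        if m:
            gw = None if m.group(3) == "On-link" else m.group(3)
            routes.append(Route(m.group(1), m.group(2), gw, m.group(4), int(m.group(5))))
    return routes


def audit_routes(routes: List[Route], expected_gateway: str) -> List[str]:
    """One finding per route that needs an explanation on a single-router home LAN."""
    # Networks reachable without a gateway, minus the loopback/multicast/broadcast helpers.
    connected = [r.network for r in routes
                 if r.gateway is None
                 and not (r.network.is_loopback or r.network.is_multicast
                          or str(r.network.network_address) == "255.255.255.255")]
    findings: List[str] = []
    for r in routes:
        if r.gateway is None:
            continue
        if r.dest == "0.0.0.0" and r.mask == "0.0.0.0":
            if r.gateway != expected_gateway:
                findings.append(f"default route goes via {r.gateway}, expected {expected_gateway}")
        else:
            findings.append(f"specific route {r.network} via {r.gateway} "
                            f"(VPN client, manual static route, or tampering)")
        gw = ipaddress.ip_address(r.gateway)
        if not any(gw in n for n in connected):
            findings.append(f"gateway {r.gateway} is not on any connected network")
    return findings


# Constructed sample; the two gateway rows after the default route are invented.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.15     25
         10.0.0.0        255.0.0.0    192.168.1.254     192.168.1.15     11
       172.16.0.0      255.255.0.0         10.9.9.9     192.168.1.15     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.15    281
     192.168.1.15  255.255.255.255         On-link      192.168.1.15    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.15    281
        224.0.0.0        240.0.0.0         On-link      192.168.1.15    281
  255.255.255.255  255.255.255.255         On-link      192.168.1.15    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
"""

if __name__ == "__main__":
    for finding in audit_routes(parse_route_print(SAMPLE_ROUTE_PRINT), "192.168.1.1"):
        print(finding)
```

Run against a real machine with route print > routes.txt and the router's LAN address as the expected gateway; a clean home PC should produce no findings at all, and the On-link, loopback and multicast rows that look alarming in a screenshot are deliberately treated as normal.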

#14 bobbis1972

bobbis1972
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 30 March 2012 - 03:22 PM

Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Dr.Web anti-virus for Windows 7.0
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

WinPatrol winpatrol.exe
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
BillP Studios WinPatrol WinPatrol.exe
``````````End of Log````````````


Also, Malwarebytes is available as redundancy, and Microsoft Security Essentials is installed BUT TURNED OFF.

No point running GMER as it is a 64-bit machine.
And I already have Malwarebytes installed and updated.

The IP table was posted as I had just completed a clean install and thought it would be wise to post it, as I had been asked to provide it earlier.
As for being a little paranoid, well, maybe I am, but after spending literally months with unexplained activity, even after complete reups, it leaves you a little grizzled.
I thank you for your diagnosis.

Edited by bobbis1972, 30 March 2012 - 03:27 PM.


#15 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:42 PM

Posted 30 March 2012 - 03:27 PM

Malwarebytes and Microsoft Security Essentials are two totally different classes of software; one is anti-virus, one is anti-malware, two totally different tools.

Also, I would highly recommend not having more than 1 anti-virus installed.

Please run GMER anyway.

Please scan with Malwarebytes and post the logs. I would recommend removing Comodo and using Windows Firewall as well; it's just as good and uses less system resources.



