
Missing ARP Cache


3 replies to this topic

#1 phunkey

phunkey

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:19 AM

Posted 15 October 2014 - 10:38 AM

Please see the following link to the secondary post re. virus/malware: http://www.bleepingcomputer.com/forums/t/549888/unidentified-infection-playing-havoc-with-registry-missing-docs-bitcoin-id/page-2#entry3503180

 

Subject moved to networking after it was established I can `ping` my IP address and also 127.0.0.1, but not others.

 

May be an attempt to compromise Bitcoin miners/steal coins.

 

At the time of the incident I was running a Zeus Hurricane x6 hashminer via Raspberry Pi plus 2 x Antminers on a Windows 7 based network.

 

My computer was self-built, based on a Gigabyte motherboard and AMD +3 CPU.

 

All connections are wired. I stopped the miners running before I lost the internet connection.

 

I have a standard Plusnet Technicolor router with a BT fibre modem and Western Digital My Way port extension.

 

I was asked to run MiniToolBox on the last forum and will post the results below.


 


MiniToolBox by Farbar  Version: 21-07-2014
Ran by Cybad4d4 (administrator) on 11-10-2014 at 11:15:33
Running from "C:\Users\Cybad4d4\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
 
127.0.0.1    localhost
 
There are 15473 more lines starting with "127.0.0.1"
 
========================= IP Configuration: ================================
 
The following command was not found: int ip dump.
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : DESKTOP
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host google.com. Please check the name and try again.
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host yahoo.com. Please check the name and try again.
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (10/11/2014 10:49:13 AM) (Source: Application Error) (User: )
Description: Faulting application name: pcee4.exe, version: 7.2.7000.7, time stamp: 0x4de6773b
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x5315a05a
Exception code: 0xe0434f4d
Fault offset: 0x000000000000940d
Faulting process id: 0x%9
Faulting application start time: 0xpcee4.exe0
Faulting application path: pcee4.exe1
Faulting module path: pcee4.exe2
Report Id: pcee4.exe3
 
Error: (10/11/2014 10:48:32 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/11/2014 10:40:35 AM) (Source: Application Error) (User: )
Description: Faulting application name: pcee4.exe, version: 7.2.7000.7, time stamp: 0x4de6773b
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x5315a05a
Exception code: 0xe0434f4d
Fault offset: 0x000000000000940d
Faulting process id: 0x%9
Faulting application start time: 0xpcee4.exe0
Faulting application path: pcee4.exe1
Faulting module path: pcee4.exe2
Report Id: pcee4.exe3
 
Error: (10/11/2014 10:40:21 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/11/2014 10:30:51 AM) (Source: Application Error) (User: )
Description: Faulting application name: pcee4.exe, version: 7.2.7000.7, time stamp: 0x4de6773b
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x5315a05a
Exception code: 0xe0434f4d
Fault offset: 0x000000000000940d
Faulting process id: 0x%9
Faulting application start time: 0xpcee4.exe0
Faulting application path: pcee4.exe1
Faulting module path: pcee4.exe2
Report Id: pcee4.exe3
 
Error: (10/11/2014 10:30:24 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/09/2014 09:41:45 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (10/09/2014 09:15:26 PM) (Source: Application Error) (User: )
Description: Faulting application name: pcee4.exe, version: 7.2.7000.7, time stamp: 0x4de6773b
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x5315a05a
Exception code: 0xe0434f4d
Fault offset: 0x000000000000940d
Faulting process id: 0x%9
Faulting application start time: 0xpcee4.exe0
Faulting application path: pcee4.exe1
Faulting module path: pcee4.exe2
Report Id: pcee4.exe3
 
Error: (10/09/2014 09:11:19 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/07/2014 07:40:36 AM) (Source: Application Error) (User: )
Description: Faulting application name: pcee4.exe, version: 7.2.7000.7, time stamp: 0x4de6773b
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x5315a05a
Exception code: 0xe0434f4d
Fault offset: 0x000000000000940d
Faulting process id: 0x%9
Faulting application start time: 0xpcee4.exe0
Faulting application path: pcee4.exe1
Faulting module path: pcee4.exe2
Report Id: pcee4.exe3
 
 
System errors:
=============
Error: (10/11/2014 10:48:24 AM) (Source: Service Control Manager) (User: )
Description: The TurboPC EX DiskCache Control Service service terminated with service-specific error %%1.
 
Error: (10/11/2014 10:48:24 AM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
 
Error: (10/11/2014 10:47:51 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 10:44:14 on ‎11/‎10/‎2014 was unexpected.
 
Error: (10/11/2014 10:40:02 AM) (Source: Service Control Manager) (User: )
Description: The TurboPC EX DiskCache Control Service service terminated with service-specific error %%1.
 
Error: (10/11/2014 10:40:01 AM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
 
Error: (10/11/2014 10:34:28 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Visual C++ 2010 Redistributable Package (KB2467173).
 
Error: (10/11/2014 10:31:49 AM) (Source: DCOM) (User: )
Description: {06622D85-6856-4460-8DE1-A81921B41C4B}
 
Error: (10/11/2014 10:30:16 AM) (Source: Service Control Manager) (User: )
Description: The TurboPC EX DiskCache Control Service service terminated with service-specific error %%1.
 
Error: (10/11/2014 10:30:16 AM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
 
Error: (10/09/2014 10:01:00 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Visual C++ 2010 Redistributable Package (KB2467173).
 
 
Microsoft Office Sessions:
=========================
Error: (10/11/2014 10:49:13 AM) (Source: Application Error)(User: )
Description: pcee4.exe7.2.7000.74de6773bKERNELBASE.dll6.1.7601.184095315a05ae0434f4d000000000000940d
 
Error: (10/11/2014 10:48:32 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/11/2014 10:40:35 AM) (Source: Application Error)(User: )
Description: pcee4.exe7.2.7000.74de6773bKERNELBASE.dll6.1.7601.184095315a05ae0434f4d000000000000940d
 
Error: (10/11/2014 10:40:21 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/11/2014 10:30:51 AM) (Source: Application Error)(User: )
Description: pcee4.exe7.2.7000.74de6773bKERNELBASE.dll6.1.7601.184095315a05ae0434f4d000000000000940d
 
Error: (10/11/2014 10:30:24 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/09/2014 09:41:45 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestc:\ESET\eset online scanner\ESETSmartInstaller.exe
 
Error: (10/09/2014 09:15:26 PM) (Source: Application Error)(User: )
Description: pcee4.exe7.2.7000.74de6773bKERNELBASE.dll6.1.7601.184095315a05ae0434f4d000000000000940d
 
Error: (10/09/2014 09:11:19 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/07/2014 07:40:36 AM) (Source: Application Error)(User: )
Description: pcee4.exe7.2.7000.74de6773bKERNELBASE.dll6.1.7601.184095315a05ae0434f4d000000000000940d
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-10-04 16:00:55.825
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-10-04 16:00:55.778
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-07 07:35:50.474
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume7\Repairs\PortMon\PORTMSYS.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-07 07:35:50.424
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume7\Repairs\PortMon\PORTMSYS.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-06 14:30:57.755
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume7\Repairs\PortMon\PORTMSYS.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-06 14:30:57.711
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume7\Repairs\PortMon\PORTMSYS.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-06 14:30:42.278
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume7\Repairs\PortMon\PORTMSYS.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-06 14:30:42.234
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume7\Repairs\PortMon\PORTMSYS.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-06 14:30:37.599
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume7\Repairs\PortMon\PORTMSYS.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-06 14:30:37.554
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume7\Repairs\PortMon\PORTMSYS.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
**** End of log ****





#2 CaveDweller2

CaveDweller2

  • Members
  • 2,629 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:19 AM

Posted 15 October 2014 - 11:42 AM

I don't see an Ethernet connection. Matter of fact, I don't see any real connection.


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#3 phunkey

phunkey
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:19 AM

Posted 16 October 2014 - 06:32 AM

Thanks for spotting that, CaveDweller. I'm a real noob at internet security and networking, so please bear with me. My main Windows 7 desktop no longer connects, but the Raspberry Pi, Linux laptop and Android device all connect OK.

 

The first indications I noticed were that Windows Update, Malwarebytes Anti-Malware & Emsisoft all failed, but not my connection. That disappeared later. While there was still a connection, Windows security apps appeared effective, with daily updates providing a false sense of security. Whenever I power down I still have to wait for another update to be downloaded!

 

I believe either an attempt was made to hijack different mining equipment on my network, or, without getting too paranoid, I'm also a political activist and just feel this is all very slick, i.e. not your standard malware attack.

 

Anyway, prolly just paranoia. Back to MiniToolBox. I'll run it again, take a look at the router configuration and post results back, & see if anything else catches anyone's eye.

 

Nice one, CaveDweller - talk soon maybe?


Edited by phunkey, 16 October 2014 - 07:19 AM.


#4 phunkey

phunkey
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:19 AM

Posted 20 October 2014 - 08:10 AM

Anyone have any suggestions as to the whereabouts of my ARP cache and what I might do to sort myself out?
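A small triage script for the MiniToolBox output posted above, added here as an example and not part of the original thread or of MiniToolBox: it parses the "Interface List" and "IPv4 Route Table" sections and reports that only the loopback and Teredo interfaces are bound (neither resolves neighbours with ARP, which is why there is no ARP cache to find) and that no default route exists. The healthy comparison log, with its Realtek adapter name, MAC and 192.168.1.x addresses, is constructed for contrast.

```python
"""Flag a missing network adapter in a MiniToolBox 'IP Configuration' dump.
Added example for this thread; not part of the original posts or MiniToolBox."""
import re

# Sample input: 'Interface List' and 'IPv4 Route Table' lines excerpted from
# the MiniToolBox log in the first post of this thread.
SAMPLE_LOG = """\
Interface List
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
Persistent Routes:
"""

# Constructed healthy counterpart (adapter name, MAC and addresses made up).
HEALTHY_LOG = """\
Interface List
 11...00 1a 2b 3c 4d 5e ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
IPv4 Route Table
          0.0.0.0          0.0.0.0      192.168.1.254     192.168.1.10     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
"""

# " 14...00 00 00 00 00 00 00 e0 Teredo ..." or "  1........Software Loopback ..."
IFACE_RE = re.compile(
    r"^\s*(\d+)\.{3}((?:[0-9a-f]{2} )+[0-9a-f]{2})?\s*\.*\s*(.+?)\s*$", re.I)
# "0.0.0.0  0.0.0.0  192.168.1.254  192.168.1.10  10"
ROUTE_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# Software-only interfaces; none of them resolves neighbours with ARP.
VIRTUAL_WORDS = ("loopback", "teredo", "isatap", "6to4", "tunnel", "pseudo")


def triage(log):
    interfaces, default_gw, state = [], None, None
    for line in log.splitlines():
        if line.startswith("Interface List"):
            state = "ifaces"
        elif line.startswith("IPv4 Route Table"):
            state = "routes"
        elif line.startswith(("Persistent Routes", "IPv6 Route Table")):
            state = None
        elif state == "ifaces" and (m := IFACE_RE.match(line)):
            interfaces.append({"index": int(m.group(1)),
                               "mac": m.group(2), "name": m.group(3)})
        elif state == "routes" and (m := ROUTE_RE.match(line)):
            if m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
                default_gw = m.group(3)  # gateway column of the default route
    physical = [i["name"] for i in interfaces
                if not any(w in i["name"].lower() for w in VIRTUAL_WORDS)]
    findings = []
    if not physical:
        findings.append("no Ethernet/Wi-Fi adapter is bound to TCP/IP; loopback "
                        "and Teredo never use ARP, so 'arp -a' has nothing to show")
    if default_gw is None:
        findings.append("no default route (0.0.0.0/0); only 127.0.0.1 and the "
                        "host's own address can answer ping")
    return {"interfaces": interfaces, "physical": physical,
            "default_gateway": default_gw, "findings": findings}
```

Running `triage(SAMPLE_LOG)` on the thread's log yields both findings, which matches the symptoms reported (ping to 127.0.0.1 works, everything else fails); the healthy log yields none.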





