Author Topic: How to stop illegal internet sharing?  (Read 9138 times)
pirt
« on: September 10, 2011, 04:53:57 AM »

Someone is trying to share my internet. I have reformatted my C drive several times and scanned with ESET, KIS and Malwarebytes, but these programs didn't find the hacker's virus. The ESET firewall 5 repeatedly blocked ms.homenet 192.168 IP by reason of ARP cache and DNS cache attack, but it also didn't stop the attack, so I uninstalled ESET and installed Comodo Firewall and NOD AV.

Normally my Local Area Connection uses the IP 169.254 and my PC connected to the internet without any problem by using the IP 169. But in the last few days the local IP has been switching from 169 to 192 automatically, and after this the suspicious shared connection appears on my PC. I use broadband internet and I installed Windows XP.

And Comodo detected that the System process with local port microsoft-ds was trying to receive a connection from the internet when I disconnected my internet. Is it normal?

I can't look at the process properties of some system processes in the TCP View program because of the error "unable to query properties for system", despite having reformatted my PC several times. Their status is "listening" and maybe they're viruses? I can't terminate these processes by using the "end" command. The hacker knows my IP and uses it for hacking. How do I find the hacker's virus and stop the hacking?


Edit by EricJH: I made a paragraph structure for an easier read
« Last Edit: September 10, 2011, 06:26:52 AM by EricJH »

EricJH
Global Moderator
« Reply #1 on: September 10, 2011, 06:55:57 AM »

Quote
Someone is trying to share my internet. I have reformatted my C drive several times and scanned with ESET, KIS and Malwarebytes, but these programs didn't find the hacker's virus. The ESET firewall 5 repeatedly blocked ms.homenet 192.168 IP by reason of ARP cache and DNS cache attack, but it also didn't stop the attack, so I uninstalled ESET and installed Comodo Firewall and NOD AV.
What was the full IP address that you mentioned here? Can you see if that IP address is of your router?

I am not familiar with Eset. But if it said it blocked, then it blocked and did what it needed to do. Without having seen the full descriptions of that log and knowing more about what Eset exactly monitors, it is hard to comment on these events. For example, if you are sharing your connection and somebody connects wirelessly, then we can expect ARP traffic.

Quote
Normally my Local Area Connection uses the IP 169.254 and my PC connected to the internet without any problem by using the IP 169. But in the last few days the local IP has been switching from 169 to 192 automatically, and after this the suspicious shared connection appears on my PC. I use broadband internet and I installed Windows XP.
Being behind a router I would expect an IP address in the 192.168 or 10 range. Not in the 169 range.

Can you tell what your network setup is? What type of connection, what router? Are there other users sharing the connection? Are you and the others connecting wired or wireless?

Quote
And Comodo detected that the System process with local port microsoft-ds was trying to receive a connection from the internet when I disconnected my internet. Is it normal?
In the Firewall, System is the instance that deals with sharing files and folders over the local network. It is normal that it is listening at port 445 as well as others. System is a pseudo process; it covers various functions in one instance.

Quote
I can't look at the process properties of some system processes in the TCP View program because of the error "unable to query properties for system", despite having reformatted my PC several times.
That happens here too. Nothing to worry about. Remember, System is a pseudo process.

Quote
Their status is "listening" and maybe they're viruses?
A process listening is in itself not an abnormal thing. It is no proof of being compromised.

Quote
I can't terminate these processes by using the "end" command.
What processes are you referring to? Notice that System in Task Manager cannot be ended. That is not a sign of being compromised.

Quote
The hacker knows my IP and uses it for hacking. How do I find the hacker's virus and stop the hacking?

Edit by EricJH: I made a paragraph structure for an easier read
How do you know it is used for hacking? What proof do you have?

I am not convinced yet you are hacked.

pirt
« Reply #2 on: September 10, 2011, 10:59:14 AM »

This was the default IP for the broadband connection: 192.168.0.1. Here is the ESET log:

- <COLUMN NAME="Time">
<DATE>9/8/2011</DATE>
<TIME>4:32:14 PM</TIME>
</COLUMN>
<COLUMN NAME="Event">Detected DNS cache poisoning attack</COLUMN>
<COLUMN NAME="Source">192.168.0.1:53</COLUMN>
<COLUMN NAME="Target">192.168.0.37:3586</COLUMN>
<COLUMN NAME="Protocol">UDP</COLUMN>
<COLUMN NAME="Rule/worm name" />
<COLUMN NAME="Application" />
<COLUMN NAME="User" />
</RECORD>
- <RECORD>
- <COLUMN NAME="Time">
<DATE>9/8/2011</DATE>
<TIME>4:31:59 PM</TIME>
</COLUMN>
<COLUMN NAME="Event">Detected DNS cache poisoning attack</COLUMN>
<COLUMN NAME="Source">192.168.0.1:53</COLUMN>
<COLUMN NAME="Target">192.168.0.37:3586</COLUMN>
<COLUMN NAME="Protocol">UDP</COLUMN>
<COLUMN NAME="Rule/worm name" />
<COLUMN NAME="Application" />
<COLUMN NAME="User" />
</RECORD>
- <RECORD>
- <COLUMN NAME="Time">
<DATE>9/8/2011</DATE>
<TIME>4:29:14 PM</TIME>
</COLUMN>
<COLUMN NAME="Event">Detected DNS cache poisoning attack</COLUMN>
<COLUMN NAME="Source">192.168.0.1:53</COLUMN>
<COLUMN NAME="Target">192.168.0.37:3586</COLUMN>
<COLUMN NAME="Protocol">UDP</COLUMN>
<COLUMN NAME="Rule/worm name" />
<COLUMN NAME="Application" />
<COLUMN NAME="User" />
</RECORD>
- <RECORD>
- <COLUMN NAME="Time">
<DATE>9/8/2011</DATE>
<TIME>4:24:47 PM</TIME>
</COLUMN>
<COLUMN NAME="Event">Detected DNS cache poisoning attack</COLUMN>
<COLUMN NAME="Source">192.168.0.1:53</COLUMN>
<COLUMN NAME="Target">192.168.0.37:3586</COLUMN>
<COLUMN NAME="Protocol">UDP</COLUMN>
<COLUMN NAME="Rule/worm name" />
<COLUMN NAME="Application" />
<COLUMN NAME="User" />
</RECORD>
</LOG>
</ESET>

It's my home wired broadband internet with one PC and I don't use a router in my home.

By the system processes I mean the processes whose process properties I can't look at because of the error "unable to query properties for system". Maybe they're normal processes.

But sometimes a secondary internet connection appears in my Control Panel/Network Connections and I can't disable it; this sharing connection is using some Internet gateway. Also, when the secondary connection has appeared I can connect to the internet and view webpages without using my ISP connection window.

I'm interested in how he enters my PC so many times and so quickly despite my reformatting the C drive several times: by using a virus or by using some program trick?


Edit by EricJH: I made a paragraph structure to facilitate an easier read
« Last Edit: September 10, 2011, 09:07:44 PM by EricJH »

EricJH
Global Moderator
« Reply #3 on: September 10, 2011, 09:21:29 PM »

Quote
This was the default IP for the broadband connection: 192.168.0.1. Here is the ESET log:
<COLUMN NAME="Event">Detected DNS cache poisoning attack</COLUMN>
<COLUMN NAME="Source">192.168.0.1:53</COLUMN>
<COLUMN NAME="Target">192.168.0.37:3586</COLUMN>
<COLUMN NAME="Protocol">UDP</COLUMN>
<COLUMN NAME="Rule/worm name" />
<COLUMN NAME="Application" />
<COLUMN NAME="User" />
</RECORD>
</LOG>
</ESET>

It's my home wired broadband internet with one PC and I don't use a router in my home.
Are you on an ADSL or cable connection? What modem are you using?

Can you run the following command from the command prompt: ipconfig /all ? Then tell me what it says for default gateway.

From what I see in the logs there is most likely a router built in with your modem. This is a typical practice for ADSL connections but I think cable is starting to follow that practice.

Quote
By the system processes I mean the processes whose process properties I can't look at because of the error "unable to query properties for system". Maybe they're normal processes.
They are normal processes and their properties cannot be asked. The same thing happens with me.

Quote
But sometimes a secondary internet connection appears in my Control Panel/Network Connections and I can't disable it; this sharing connection is using some Internet gateway. Also, when the secondary connection has appeared I can connect to the internet and view webpages without using my ISP connection window.
Can you show screenshots of the two situations?

I think you are seeing the modem being detected by Windows. It will show up as Gateway device. See attached image. Depending on Firewall settings it may not always show up.

Quote
I'm interested in how he enters my PC so many times and so quickly despite my reformatting the C drive several times: by using a virus or by using some program trick?
Until further notice I am not convinced you are hacked, but rather misunderstanding alerts. And until further notice I will ask all the questions until I fully understand what your situation is.


* Gateway.png (33.26 KB, 696x374 - viewed 9 times.)
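
Added example, not part of any post in this thread: a Python script that groups the alerts in an ESET-style log, labels each address as link-local (169.254/16), private or public, and checks whether the alert source is the default gateway answering from DNS port 53. The sample records are constructed from the column layout posted above and wrapped in a `<LOG>` root; the names `scope` and `triage` are hypothetical, and the gateway value is the one reported in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two records in the column layout of the ESET log posted
# in this thread, wrapped in a <LOG> root so the fragment parses on its own.
RECORD = """<RECORD>
<COLUMN NAME="Time"><DATE>9/8/2011</DATE><TIME>{time}</TIME></COLUMN>
<COLUMN NAME="Event">Detected DNS cache poisoning attack</COLUMN>
<COLUMN NAME="Source">192.168.0.1:53</COLUMN>
<COLUMN NAME="Target">192.168.0.37:3586</COLUMN>
<COLUMN NAME="Protocol">UDP</COLUMN>
<COLUMN NAME="Application" />
</RECORD>"""
SAMPLE_LOG = ("<LOG>" + RECORD.format(time="4:32:14 PM")
              + RECORD.format(time="4:31:59 PM") + "</LOG>")

def scope(ip):
    """Label an IPv4 address as link-local (169.254/16), private, or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_link_local:      # tested first: link-local also counts as private
        return "link-local"
    return "private" if addr.is_private else "public"

def triage(xml_text, gateway):
    """Group identical alerts and describe where each one came from."""
    counts = Counter()
    for rec in ET.fromstring(xml_text).iter("RECORD"):
        col = {c.get("NAME"): (c.text or "").strip() for c in rec.iter("COLUMN")}
        counts[(col["Event"], col["Source"], col["Target"])] += 1
    findings = []
    for (event, source, target), n in counts.items():
        src_ip, src_port = source.rsplit(":", 1)
        findings.append({
            "event": event,
            "count": n,
            "source_scope": scope(src_ip),
            "source_is_gateway": src_ip == gateway,  # gateway from ipconfig /all
            "from_dns_port": src_port == "53",
            "target_scope": scope(target.rsplit(":", 1)[0]),
        })
    return findings

if __name__ == "__main__":
    # Gateway value is the one reported in the thread (192.168.0.1).
    for finding in triage(SAMPLE_LOG, gateway="192.168.0.1"):
        print(finding)
```

A finding whose source is private, is the default gateway and comes from port 53 describes DNS replies from a device on the local network, which is the reading given in the reply above.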

pirt
« Reply #4 on: September 11, 2011, 04:42:08 AM »

I'm on cable internet, not ADSL, and I don't use any modem in my home. My ISP provides only cable broadband internet and maybe the ISP uses a modem in their office. I don't know about it.

It's the screenshot of the secondary connection before I installed Comodo, and the name of the secondary connection is always changing: Internet on-PC and various user names with "-on PC". Sometimes it uses my ISP name. I can't disable this connection because I keep getting the error message "the shared connection will be disabled only in the computer which originated the sharing connection".

The default gateway is 192.168.0.1:

Since the shared connection appeared I can't connect to the internet many times, with error 691.

« Last Edit: September 11, 2011, 09:40:45 AM by pirt »

HeffeD
Global Moderator
« Reply #5 on: September 11, 2011, 04:57:44 AM »

Quote
I'm on cable internet, not ADSL, and I don't use any modem in my home. My ISP provides only cable broadband internet and maybe the ISP uses a modem in their office. I don't know about it.

The box that plugs into your computer and the cable line is your modem. What brand/model # is it?

pirt
« Reply #6 on: September 11, 2011, 05:30:34 AM »

My PC just uses a cable line; as for the cable model, I don't know anything. It must be a simple local network cable. The default gateway is always changing from 169.154 to 192.168 and from 192.168 to 169.154. I've asked other users of my ISP about the shared connection, and their internet connections are normal.
« Last Edit: September 11, 2011, 09:45:43 AM by pirt »

EricJH
Global Moderator
« Reply #7 on: September 11, 2011, 05:08:05 PM »

Can you show me a screenshot of the Firewall logs (View Firewall Events) when using the Gateway in the 192.168 range and the Global Rules?

In the meantime please try the suggestions in No network connection after using Stealth Ports Wizard (DHCP Broken).

pirt
« Reply #8 on: September 12, 2011, 09:03:18 AM »

Today I reformatted the C partition again and installed Comodo before connecting to the internet (unplugged the internet cable, then plugged the cable in while the computer was restarting) and restarted my computer. But just a few seconds later the secondary connection appeared again, before I had created my default internet connection in Control Panel?
Comodo is giving an alert on the IP 192.168, like the ESET firewall. The Comodo alert information:
Protocol 192.168 -UDP
ms-ds 445
Port: nbd gram 138

And I checked DHCP in the command prompt; DHCP is enabled. Here are the screenshots of the firewall log and the Global Rules. It is a long list, so I divided it into several parts.







« Last Edit: September 12, 2011, 09:11:17 AM by pirt »

pirt
« Reply #9 on: September 12, 2011, 09:06:59 AM »


pirt
« Reply #10 on: September 12, 2011, 09:16:49 AM »

The Global Rule screenshot:

EricJH
Global Moderator
« Reply #11 on: September 12, 2011, 11:37:02 AM »

Quote
Today I reformatted the C partition again and installed Comodo before connecting to the internet (unplugged the internet cable, then plugged the cable in while the computer was restarting) and restarted my computer. But just a few seconds later the secondary connection appeared again, before I had created my default internet connection in Control Panel?
Comodo is giving an alert on the IP 192.168, like the ESET firewall. The Comodo alert information:
Protocol 192.168 -UDP
ms-ds 445
Port: nbd gram 138

And I checked DHCP in the command prompt; DHCP is enabled. Here are the screenshots of the firewall log and the Global Rules. It is a long list, so I divided it into several parts.
Thanks for the screenshots.

Traffic on ports 2869, 138 (NETBIOS) and 445 (Microsoft DS) is normal traffic on a local network. Also the showing up of a Gateway device is part of normal operation of Windows as I have shown with an image of my own system.

The Global Rules you are showing should not give the alerts you got for svchost.exe and System. Did you change the Global Rules after you installed CIS to how they are now?

Can you check the firewall logs now and see if you still see traffic reported on ports 138 and 2869?

pirt
« Reply #12 on: September 12, 2011, 12:31:25 PM »

No, I didn't change the Global Rules. For now the default gateway is 192.168 and I see traffic on the destination ports 2869 and 138.

pirt
« Reply #13 on: September 12, 2011, 01:41:40 PM »

I'm wondering why I can view webpages normally after disconnecting the internet connection, why the name on the Internet Gateway is always changing, why I'm getting error message 691 for invalid username or password, and why other users' internet connections are normal as before. Can you tell me what an alive connection session is? Is this connection vulnerable to illegal internet sharing? Maybe I need to change my ISP.
« Last Edit: September 12, 2011, 01:47:22 PM by pirt »

EricJH
Global Moderator
« Reply #14 on: September 12, 2011, 03:15:00 PM »

Quote
I'm wondering why I can view webpages normally after disconnecting the internet connection,
How do you disconnect? Can you describe?
Quote
why the name on the Internet Gateway is always changing,
That is surely interesting; not something I have come across before.
Quote
why I'm getting error message 691 for invalid username or password
When do you get that message? Can you post a screenshot?
Quote
and why other users' internet connections are normal as before.
Are they with the same provider? What is the provider's name? Are they living in the same neighbourhood?
Quote
Can you tell me what an alive connection session is?
Where does this term show up? In a log? Is it a screen that pops up? Do you have a screenshot of it?

The first thing I think about is a so-called connection keep alive utility. The utility connects to the web every x minutes to be sure the connection does not get closed down. It is something that gets used with dial up connections. Do you have a phone modem in your computer and did you install drivers for it from a CD? Maybe that installed a connection keep alive utility.

Quote
Is this connection vulnerable to illegal internet sharing? Maybe I need to change my ISP.
I am not sure what is going on. It is not something I have come across before.

Can you run the following command from the command prompt: ipconfig /all ? And copy/paste the results of your ethernet connection here?