How to stop illegal internet sharing?

Someone is trying to share my internet. I have reformatted my C drive several times and scanned with ESET, KIS and Malwarebytes but these programs didn’t find the hacker’s virus. The ESET firewall 5 repeatedly blocked ms.homenet 192.168 IP by reason of ARP cache and DNS cache attack but it also didn’t stop the attack, so I uninstalled ESET and installed Comodo Firewall and NOD AV.

Normally my Local Area Connection uses the IP 169.254 and my PC connected to the internet without any problem by using the IP 169. But for the last few days the local IP has been switching from 169 to 192 automatically and after this the suspicious shared connection appears on my PC. I use broadband internet and I installed Windows XP.

And Comodo detected that the system process with Local Port microsoft-ds is trying to receive a connection from the internet when I have disconnected my internet. Is it normal?

I can’t look at the process properties of some system processes in the TCP View program because of the error “unable to query properties for system”, despite having reformatted my PC several times. Their status is “listening” and maybe they’re viruses? I can’t terminate these processes by using the “end” command. The hacker knows my IP and uses it for hacking. How to find the hacker’s virus and stop hacking?

Edit by EricJH: I made a paragraph structure for an easier read

What was the full IP address that you mentioned here? Can you see if that IP address is of your router?

I am not familiar with Eset. But if it said it blocked then it blocked and did what it needed to do. Without having seen the full descriptions of that log and knowing more about what Eset exactly monitors it is hard to comment on these events. For example, if you are sharing your connection and somebody connects wirelessly then we can expect ARP traffic.

Normally my Local Area Connection uses the IP 169.254 and my PC connected to the internet without any problem by using the IP 169. But for the last few days the local IP has been switching from 169 to 192 automatically and after this the suspicious shared connection appears on my PC. I use broadband internet and I installed Windows XP.
Being behind a router I would expect an IP address in the 192.168 or 10 range. Not in the 169 range.

Can you tell what your network setup is? What type of connection, what router, are there other users sharing the connection? Are you and others connecting wired or wireless?

And Comodo detected that the system process with Local Port microsoft-ds is trying to receive a connection from the internet when I have disconnected my internet. Is it normal?
In the Firewall, System is the instance that deals with sharing files and folders over the local network. It is normal that it is listening at port 445 as well as others. System is a pseudo process; it covers various functions in one instance.
I can't look at the process properties of some system processes in the TCP View program because of the error "unable to query properties for system", despite having reformatted my PC several times.
That happens here too. Nothing to worry about. Remember, System is a pseudo process.
Their status is "listening" and maybe they're viruses?
A process listening is in itself not an abnormal thing. It is no proof of being compromised.
I can't terminate these processes by using the "end" command.
What processes are you referring to? Notice that System in Task Manager cannot be ended. That is not a sign of being compromised.
The hacker knows my IP and uses it for hacking. How to find the hacker's virus and stop hacking?

Edit by EricJH: I made a paragraph structure for an easier read

How do you know it is used for hacking? What proof do you have?

I am not convinced yet you are hacked.

This was the default IP for the broadband connection: 192.168.0.1. Here is the ESET log:

9/8/2011 4:32:14 PM  Detected DNS cache poisoning attack  192.168.0.1:53  192.168.0.37:3586  UDP
9/8/2011 4:31:59 PM  Detected DNS cache poisoning attack  192.168.0.1:53  192.168.0.37:3586  UDP
9/8/2011 4:29:14 PM  Detected DNS cache poisoning attack  192.168.0.1:53  192.168.0.37:3586  UDP
9/8/2011 4:24:47 PM  Detected DNS cache poisoning attack  192.168.0.1:53  192.168.0.37:3586  UDP

It’s my home wired broadband internet with one PC and I don’t use a router in my home.

For the system processes, I mean those processes whose process properties I can’t look at because of the error “unable to query properties for system”. Maybe they’re normal processes.

But sometimes a secondary internet connection appears in my Control Panel/Network Connections and I can’t disable it; this sharing connection uses some Internet gateway. Also, when the secondary connection has appeared I can connect to the internet and watch webpages without using my ISP connection window.

I’m interested in how he enters my PC so many times and so fast despite my reformatting the C drive several times: by using a virus or by using some program trick?

Edit by EricJH: I made a paragraph structure to facilitate an easier read

Are you on an ADSL or cable connection? What modem are you using?

Can you run the following command from the command prompt: ipconfig /all ? Then tell me what it says for default gateway.

From what I see in the logs there is most likely a router built in with your modem. This is a typical practice for ADSL connections but I think cable is starting to follow that practice.

For the system processes, I mean those processes whose process properties I can't look at because of the error "unable to query properties for system". Maybe they're normal processes.
They are normal processes and their properties cannot be asked for. The same thing happens with me.
But sometimes a secondary internet connection appears in my Control Panel/Network Connections and I can't disable it; this sharing connection uses some Internet gateway. Also, when the secondary connection has appeared I can connect to the internet and watch webpages without using my ISP connection window.
Can you show screenshots of the two situations?

I think you are seeing the modem being detected by Windows. It will show up as Gateway device. See attached image. Depending on Firewall settings it may not always show up.

I'm interested in how he enters my PC so many times and so fast despite my reformatting the C drive several times: by using a virus or by using some program trick?
Until further notice I am not convinced you are hacked, but rather misunderstanding alerts. And until further notice I will ask all the questions until I fully understand what your situation is.

[attachment deleted by admin]

I’m on cable internet and not ADSL and I don’t use any modem in my home. My ISP provides only cable broadband internet and maybe the ISP uses a modem in their office. I don’t know about it.

It’s the screenshot of the secondary connection before I installed Comodo, and the name of the secondary connection is always changing: Internet on-PC and various user names with “-on PC”. Sometimes it uses my ISP name. I can’t disable this connection because I keep getting the error message “the shared connection will be disabled only in the computer which originated the sharing connection”.

http://i53.tinypic.com/255jaq1.jpg

The default gateway is 192.168.0.1:

Since the shared connection appeared I can’t connect to the internet many times because of error 691.

The box that plugs into your computer and the cable line is your modem. What brand/model # is it?

My PC just uses a cable line; about the cable model I don’t know anything. It must be a simple local network cable. The default gateway is always changing from 169.154 to 192.168 and from 192.168 to 169.154. I’ve asked other users of my ISP about the shared connection and their internet connections are normal.

Can you show me a screenshot of the Firewall logs (View Firewall Events) when using the Gateway in the 192.168 range and the Global Rules?

In the meanwhile please try the suggestions in No network connection after using Stealth Ports Wizard (DHCP Broken).

Today I reformatted the C partition again and installed Comodo before connecting to the internet (unplugged the internet cable, then plugged the cable in while the computer was restarting) and restarted my computer. But after just a few seconds the secondary connection appeared again, before I had created my default internet connection in Control Panel?
Comodo is giving an alert on the IP 192.168 like the ESET firewall. The Comodo alert information:
Protocol 192.168 -UDP
ms-ds 445
Port: nbd gram 138

And I checked DHCP in the command prompt; DHCP is enabled. Here are the screenshots of the firewall log and the Global Rules; this is a long list, so I divided it into several parts.

http://i51.tinypic.com/2rr0yn5.jpg

http://i51.tinypic.com/xlfbdc.jpg

http://i51.tinypic.com/6en8mw.jpg

The Global Rule screenshot:

http://i51.tinypic.com/2921i4p.jpg

Thanks for the screenshots.

Traffic on ports 2869, 138 (NETBIOS) and 445 (Microsoft DS) is normal traffic on a local network. Also the showing up of a Gateway device is part of normal operation of Windows as I have shown with an image of my own system.

The Global Rules you are showing should not give the alerts you got for svchost.exe and System. Did you change the Global Rules after you installed CIS to how they are now?

Can you check the firewall logs now and see if you still see traffic reported on ports 138 and 2869?

No, I didn’t change the Global Rules. For now the default gateway is 192.168 and I see traffic on the destination ports 2869 and 138.

I’m wondering why I can watch webpages normally after disconnecting the internet connection, why the name on the Internet Gateway is always changing, why I’m getting an error message 691 for invalid username or password and why other users internet connections are normally before. Can you tell me what is alive connection session? Is this connection vulnerable in illegal internet sharing? Maybe I need to change my ISP.

How do you disconnect? Can you describe?

why the name on the Internet Gateway is always changing,
That is surely interesting; not something I have come across before.
why I’m getting an error message 691 for invalid username or password
When do you get that message? Can you post a screenshot?
and why other users internet connections are normally before.
Are they with the same provider? What is the provider’s name? Are they living in the same neighbourhood?
Can you tell me what is alive connection session?
Where does this term show up? In a log? Is it a screen that pops up? Do you have a screenshot of it?

The first thing I think about is a so-called connection keep-alive utility. The utility connects to the web every x minutes to be sure the connection does not get closed down. It is something that gets used with dial-up connections. Do you have a phone modem in your computer and did you install drivers for it from a CD? Maybe that installed a connection keep-alive utility.

Is this connection vulnerable in illegal internet sharing? Maybe I need to change my ISP.
I am not sure what is going on. It is not something I have come across before.

Can you run the following command from the command prompt: ipconfig /all ? And copy/paste the results of your ethernet connection here?

I called my ISP and blocked the computer in the network switch. For the port nbd gram 138 your answer is wrong: https://forums.comodo.com/empty-t21670.0.html;msg150328. I read this thread 2 days ago.

The CIS didn’t stop the hacker, it just failed in a real-life harsh test. Thanks.

what hacker?
you simply have to install a fresh operating system, install a firewall, plug in the internet, and you get hacked?

and we all had no idea until today.
thank you too.
i unplug mine now. maybe already too late…

If this is a home computer, you go into your router through your browser; usually by default you can type in 192.168.0.1 and it will take you there. Once there, set up a user name and password. Then on your PC you’ll have to put in the same name and password; just check the remember box and you won’t have to every time you log in. Also block the IP from your router.

Apart from making a password for the router, what are you talking about?

If he would be hacked if he doesn’t block this IP, blocking a single IP would make no sense because EVERY IP could be malicious for this router then.

It would appear there’s a PC somewhere running Internet Connection Sharing; it’s this PC acting as the gateway and providing your PC with an IP address in the 192.168.0.x range.
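
Added example, not part of any post in this thread: a Python sketch that reads `ipconfig /all` output (the command requested earlier in the thread) and reports whether an adapter holds a self-assigned 169.254.x.x address or a lease handed out by a host on the LAN, the two states the thread keeps switching between. The sample output is constructed in Windows XP's layout, and the `mshome.net` check assumes the gateway is a Windows Internet Connection Sharing host, which gives that DNS suffix to its clients.

```python
import ipaddress
import re

# Constructed Windows XP `ipconfig /all` excerpts (not taken from the thread);
# 192.168.0.37 and 192.168.0.1 are the addresses seen in the posted ESET log.
LEASED = """
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : mshome.net
        IP Address. . . . . . . . . . . . : 192.168.0.37
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
"""
SELF_ASSIGNED = """
Ethernet adapter Local Area Connection:
        Autoconfiguration IP Address. . . : 169.254.10.20
        Default Gateway . . . . . . . . . :
"""
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")
APIPA = ipaddress.ip_network("169.254.0.0/16")

def parse_adapters(text):
    """Return {adapter heading: {lower-cased field: value}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip(" :"), {})
        elif current is not None and (m := FIELD.match(line)):
            current[m[1].lower()] = m[2].strip()
    return adapters

def classify(fields):
    """Return (origin, notes): where the IPv4 address came from, plus hints."""
    addr = fields.get("ip address") or fields.get("autoconfiguration ip address")
    if not addr:
        return "no-address", []
    if ipaddress.ip_address(addr) in APIPA:
        return "apipa", ["self-assigned: no DHCP server answered on this link"]
    notes, dhcp = [], fields.get("dhcp server")
    if dhcp and dhcp == fields.get("default gateway"):
        notes.append(f"{dhcp} is DHCP server and gateway: a router or ICS host")
    if fields.get("connection-specific dns suffix", "").lower() == "mshome.net":
        notes.append("suffix mshome.net is what Windows ICS gives its clients")
    return ("dhcp-lease" if dhcp else "static-or-unknown"), notes

def report(text):
    """Classify every adapter found in one `ipconfig /all` capture."""
    return {name: classify(f) for name, f in parse_adapters(text).items()}

if __name__ == "__main__":
    print(report(LEASED), report(SELF_ASSIGNED))
```

An `apipa` result means the PC reached no DHCP server at all, while a `dhcp-lease` result whose server is also the gateway points at a device on the wire that is routing and handing out addresses.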