#3761006 - 04/01/13 08:12 PM
Re: Comcast says i have a bot [Re: Stormtrooper]
DetCord (Member, Joined: Nov 2010, Posts: 790, Fort Riley, Kansas)
Stormtrooper, can you copy and paste the email alert please?
Ex-pat Kiwi currently serving in the U.S. Army
#3761024 - 04/01/13 08:36 PM
Re: Comcast says i have a bot [Re: SkateZilla]
Bill_Grant (Hotshot, Joined: Jun 2001, Posts: 5,864, Dallas, TX)
Monitor the sniffer while running only 1 machine at a time for about 30 minutes/1 hour etc.
Whichever system is on when the packets start going is the one that's infected. I concur as well. Run 1 PC at a time until you find your broadcaster...
~Bill
In my defense, I was left unsupervised...
#3761031 - 04/01/13 08:51 PM
Re: Comcast says i have a bot [Re: Stormtrooper]
Stormtrooper (Lifer, Joined: Jul 2002, Posts: 20,834)
Nothing came up for netstat. I'll try doing one computer at a time. Should I install this packet sniffer on all computers then, when I do it one at a time? The program I'm using is Wireshark ( http://www.wireshark.org/ ), freeware version. I blocked port 25 on my router too. Not sure if that'll help, but it says most bots send out email.
#3761032 - 04/01/13 08:54 PM
Re: Comcast says i have a bot [Re: Stormtrooper]
SkateZilla (Skate Zilla Graphics, Veteran, Joined: Nov 2004, Posts: 17,632, Virginia Beach, VA)
Which PC is used in "Unsafe Iternetz"... That's usually the culprit.
HAF922, Corsair RM850, ASRock Fata1ity 990FX Pro, Modified Corsair H100, AMD FX8350 @ 5.31GHz, 16GB G.SKILL@DDR2133, 2x R7970 Lightnings, +1 HD7950 @ 1.1/6.0GHz, Creative XFi Fata1ity Platinum Champ., 3x ASUS VS248HP + Hanns·G HZ201HPB + Acer AL2002 (5760x1080+1600x900+1680x1050), Oculus Rift CV CH Fighterstick, Pro Throt., Pro Pedals, TM Warthog & MFDs, Fanatec CSR Wheel/Shifter, Elite Pedals Intensity Pro 10-Bit, TrackIR 4 Pro, WD Black 1.5TB, WD Black 640GB, Samsung 850 500GB, My Book 4TB
#3761038 - 04/01/13 09:01 PM
Re: Comcast says i have a bot [Re: Stormtrooper]
SkateZilla (Skate Zilla Graphics, Veteran, Joined: Nov 2004, Posts: 17,632, Virginia Beach, VA)
Browser redirects are usually a hijack virus.
Some are simply easy to remove, while others aren't.
The Google Hijack virus took me a week to clean off my office PC (mainly cuz I didn't have admin permission).
I usually scan with: MS SE, TrendMicro, SpyBot, MalwareBYTES Anti-Malware, and a few others.
ComboFix as well in extreme cases.
HAF922, Corsair RM850, ASRock Fata1ity 990FX Pro, Modified Corsair H100, AMD FX8350 @ 5.31GHz, 16GB G.SKILL@DDR2133, 2x R7970 Lightnings, +1 HD7950 @ 1.1/6.0GHz, Creative XFi Fata1ity Platinum Champ., 3x ASUS VS248HP + Hanns·G HZ201HPB + Acer AL2002 (5760x1080+1600x900+1680x1050), Oculus Rift CV CH Fighterstick, Pro Throt., Pro Pedals, TM Warthog & MFDs, Fanatec CSR Wheel/Shifter, Elite Pedals Intensity Pro 10-Bit, TrackIR 4 Pro, WD Black 1.5TB, WD Black 640GB, Samsung 850 500GB, My Book 4TB
#3761043 - 04/01/13 09:07 PM
Re: Comcast says i have a bot [Re: Stormtrooper]
Vertigo1 (Veteran, Joined: Feb 2001, Posts: 11,752, Zeta Aquilae System)
> Nothing came up for netstat. I'll try doing one computer at a time. Should I install this packet sniffer on all computers then, when I do it one at a time? The program I'm using is Wireshark ( http://www.wireshark.org/ ), freeware version. I blocked port 25 on my router too. Not sure if that'll help, but it says most bots send out email.

If you only want to view IP traffic between local and remote machines, use the following capture filter on the interface in Wireshark:

ip and not (src and dst net 192.168.1.0/24)

You can set it under the manage interfaces settings. It's a capture filter, not a display filter. This will help you keep a lot of junk out of your capture.
"Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong remedies." - Groucho Marx
“One of the great mistakes is to judge policies and programs by their intentions rather than their results.” -Milton Friedman
Quem Deus vult perdere, prius dementat
#3761057 - 04/01/13 09:44 PM
Re: Comcast says i have a bot [Re: Stormtrooper]
DetCord (Member, Joined: Nov 2010, Posts: 790, Fort Riley, Kansas)
> Sent By: "Comcast Online Communications" <online.communications@alerts.comcast.net>
> Constant Guard Alert
> Dear XFINITY Customer,
> XFINITY identified one or more of your computers may be infected with a bot. You might have already seen an Alert from XFINITY informing you about bot activity.
> We strongly recommend you take action to remove malicious software from your computers.
> We appreciate your prompt attention to this important security notice.
> Sincerely, Constant Guard from XFINITY

What did CCSA and/or their CS have to say on the matter? FYI, Xfinity has been known to utilize this method in an attempt to get a customer to purchase further "protection" via the subsidiaries they utilize. However, looking at the previous screen you posted, it's kinda hard to tell. I'm assuming SpyBot gave you positives and false-positives?
Ex-pat Kiwi currently serving in the U.S. Army
#3761089 - 04/01/13 10:40 PM
Re: Comcast says i have a bot [Re: Stormtrooper]
Raw Kryptonite (Beat the Kobayashi Maru, Veteran, Joined: Apr 2008, Posts: 19,581, MS)
They'll tell you that if you send out a fair amount of email with multiple recipients. My dad got that for sending out monthly HOA newsletters. Nothing came of it though. I'd do some thorough scanning, make sure scanners are running ok and up to date: Malwarebytes, Adaware, CCleaner (back up if you clean the registry... save this as a last resort, don't want to mess with the registry if you don't have to).
·Steam: Raw Kryptonite ·MWO & Elite Dangerous: Defcon Won ·Meager youtube channel·Intel i5-9600K ·EVGA GTX1070 FTW 8GB ·EVGA CLC 120 Cooler ·16 GB Patriot Memory VIPER 4 3000MHz ·GIGABYTE Z390 AORUS PRO WiFi Mobo · CORSAIR CARBIDE AIR 540 case ·BenQ BL3200PT monitor
#3763873 - 04/07/13 04:58 AM
Re: Comcast says i have a bot [Re: Stormtrooper]
SnoWolf (Junior Member, Joined: Apr 2013, Posts: 1)
I had the same problem, but I was able to track it down and fix it. Do you have Spybot S&D 2 installed by any chance? I don't use it as a malware scanner, but it has a pretty cool "Immunize" feature that creates a dynamic loopback hosts file containing over 100,000 active malicious server IPs and domains. Anyway, here's why I ask:
After a routine XP SP3 clean rebuild yesterday, including Spybot S&D's v2.0.12.0, I too noticed odd outbound beacon-like network traffic on the connected NIC icon in the systray. I ran a Wireshark capture to see what it was and discovered that my system was also sending a continuous flood of high-port UDP packets (at least 1-2 packets every second) to one of the reserved Internet Multicast addresses, 226.178.217.5. If left alone, the flood continues indefinitely. I tracked this packet storm source down to Spybot S&D's scanner service; however, trying to stop the activity permanently has proved more difficult.
Stopping and disabling the service in Services AND in SB's Settings tab only works temporarily, because as soon as you open the SB Start Center - Settings tab again, it automatically sets bits to reactivate the malware scanner service at Startup. Now I'd have hated to create a hosts file loopback against an actual SB service - the comedy practically writes itself - but that's what I eventually had to do for now. I would have simply uninstalled the product, but as I said, the hosts file it maintains adds a nice layer of security. I reported the finding on Spybot's forum. Others who pay attention to their outbound traffic have reported the same condition and source as well. SB's response was that it is part of their software's client-count feature and that they are "working" on lengthening the packet interval for v2.1. Not sure I'm buying that, but that's their story and they're stickin' to it.
Anyway, I found your post while researching the issue and decided to add my two cents because your machine is exhibiting the exact same symptom as mine was. If I were you I would explore your issue to conclusion, but in the interim, and to keep you in good graces with Comcast, I suggest you add a loopback hosts file entry for 226.178.217.5 to eliminate the outbound flood for now until you find the culprit. Below is a sample hosts file mod that includes the multicast destination IP. Hope that helps... Cheers.
***************************************************************************
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1       226.178.217.5
***********************************************************************
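The two technical suggestions in this thread are (a) Vertigo1's capture filter, which drops traffic that stays inside the LAN, and (b) Bill_Grant's and SnoWolf's method of watching what is left until the "broadcaster" shows itself, in SnoWolf's case a steady 1-2 packets/second of UDP to 226.178.217.5. The script below is an added example, not code from the thread or from any of the tools mentioned; it applies the same filter to a list of packet records and then flags flows whose packets arrive at a near-constant interval, which is the signature of a timer-driven beacon rather than a person browsing. The LAN range (192.168.1.0/24, taken from the capture filter), the record format ("<seconds> <src> <dst> <proto> <dport>", as one might export from tshark -T fields) and all sample packets are assumptions constructed for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumptions (not from the thread): the LAN is 192.168.1.0/24, as in the
# capture filter Vertigo1 suggested, and records come in as
# "<seconds> <src> <dst> <proto> <dport>" (e.g. from tshark -T fields).
LAN = ipaddress.ip_network("192.168.1.0/24")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def parse_record(line):
    """Parse one constructed capture record into a dict."""
    t, src, dst, proto, dport = line.split()
    return {"t": float(t), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport)}


def leaves_lan(rec):
    """Same test as the capture filter 'ip and not (src and dst net LAN)':
    keep a packet unless both endpoints are inside the LAN."""
    return not (rec["src"] in LAN and rec["dst"] in LAN)


def flows_by_source(records):
    """Group timestamps of LAN-leaving packets by (src, dst, proto, dport)."""
    flows = defaultdict(list)
    for r in records:
        if leaves_lan(r):
            flows[(str(r["src"]), str(r["dst"]), r["proto"], r["dport"])].append(r["t"])
    return flows


def beacon_score(times):
    """Return (packets per second, coefficient of variation of the gaps).
    A low CV means the packets are evenly spaced, i.e. timer-driven."""
    if len(times) < 3:
        return 0.0, None
    times = sorted(times)
    span = times[-1] - times[0]
    if span == 0:                      # burst in a single instant, not a beacon
        return float("inf"), None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len(gaps) / span, statistics.pstdev(gaps) / statistics.mean(gaps)


def find_broadcasters(lines, min_packets=10, max_cv=0.2):
    """Flag flows with at least min_packets packets whose spacing varies by
    no more than max_cv; these are the 'broadcaster' candidates."""
    found = []
    for (src, dst, proto, dport), times in flows_by_source(map(parse_record, lines)).items():
        pps, cv = beacon_score(times)
        if len(times) >= min_packets and cv is not None and cv <= max_cv:
            found.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                          "packets": len(times), "pps": round(pps, 2),
                          "multicast": ipaddress.ip_address(dst) in MULTICAST})
    return sorted(found, key=lambda f: -f["packets"])


# Constructed sample capture: 192.168.1.20 sends UDP to 226.178.217.5 every
# 0.7 s (the symptom described in the thread), 192.168.1.10 does a little
# ordinary HTTPS browsing to documentation-range addresses, and .10 <-> .30
# exchange LAN-only SMB traffic that the filter should drop.
SAMPLE = (
    [f"{i * 0.7:.2f} 192.168.1.20 226.178.217.5 UDP 54321" for i in range(20)]
    + ["0.30 192.168.1.10 198.51.100.5 TCP 443",
       "2.10 192.168.1.10 198.51.100.5 TCP 443",
       "9.50 192.168.1.10 203.0.113.9 TCP 443"]
    + [f"{i * 0.5:.2f} 192.168.1.10 192.168.1.30 TCP 445" for i in range(30)]
)

if __name__ == "__main__":
    for flow in find_broadcasters(SAMPLE):
        print(flow)
```

Running it on the constructed sample reports only the 192.168.1.20 flow to 226.178.217.5 (20 packets, about 1.43 pps, multicast destination); the browsing flows are too sparse and irregular, and the LAN-only SMB traffic never passes the filter. Once the sending host is known, the next step is the one SnoWolf took: tie the flow to a process on that host and deal with the process. A hosts-file entry only affects name lookups, so a program that addresses 226.178.217.5 directly is not stopped by it; a firewall rule on the host or router that blocks that destination is the reliable interim control.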
#3767644 - 04/15/13 12:37 AM
Re: Comcast says i have a bot [Re: Stormtrooper]
Vertigo1 (Veteran, Joined: Feb 2001, Posts: 11,752, Zeta Aquilae System)
Heh.
Well, either it was a false positive, or you have a particularly nasty rootkit.
"Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong remedies." - Groucho Marx
“One of the great mistakes is to judge policies and programs by their intentions rather than their results.” -Milton Friedman
Quem Deus vult perdere, prius dementat