#3761006 - 04/01/13 08:12 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Nov 2010
Posts: 790
DetCord Offline
Member
Fort Riley, Kansas
Stormtrooper, can you copy and paste the email alert please?


Ex-pat Kiwi currently serving in the U.S. Army

#3761015 - 04/01/13 08:17 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Jul 2002
Posts: 20,834
Stormtrooper Offline
Lifer
Sent By:
"Comcast Online Communications" <online.communications@alerts.comcast.net>


Constant Guard Alert
Dear XFINITY Customer,

XFINITY identified one or more of your computers may be infected with a bot. You might have already seen an Alert from XFINITY informing you about bot activity.

We strongly recommend you take action to remove malicious software from your computers.

We appreciate your prompt attention to this important security notice.

Sincerely,
Constant Guard from XFINITY

#3761024 - 04/01/13 08:36 PM Re: Comcast says i have a bot [Re: SkateZilla]  
Joined: Jun 2001
Posts: 5,864
Bill_Grant Offline
Hotshot
Dallas, TX
Originally Posted By: SkateZilla
Monitor the sniffer while running only 1 machine at a time for about 30 minutes/1 hour etc.

Whichever system is on when the packets start going is the one that's infected.



I concur as well. Run 1 PC at a time until you find your broadcaster...


~Bill

In my defense, I was left unsupervised...
#3761031 - 04/01/13 08:51 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Jul 2002
Posts: 20,834
Stormtrooper Offline
Lifer
Nothing came up for netstat.

I'll try doing one computer at a time. Should I install this packet sniffer on all computers then when I do it one at a time?
The program I'm using is Wireshark ( http://www.wireshark.org/ ) freeware version

I blocked port 25 on my router too. Not sure if that'll help, but it says most bots send out email.

#3761032 - 04/01/13 08:54 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Nov 2004
Posts: 17,632
SkateZilla Offline
Skate Zilla Graphics
Veteran
Virginia Beach, VA
which PC is used in "Unsafe Internetz"... That's usually the culprit


HAF922, Corsair RM850, ASRock Fata1ity 990FX Pro,
Modified Corsair H100, AMD FX8350 @ 5.31GHz, 16GB G.SKILL@DDR2133,
2x R7970 Lightnings, +1 HD7950 @ 1.1/6.0GHz, Creative XFi Fata1ity Platinum Champ.,
3x ASUS VS248HP + Hanns·G HZ201HPB + Acer AL2002 (5760x1080+1600x900+1680x1050), Oculus Rift CV
CH Fighterstick, Pro Throt., Pro Pedals, TM Warthog & MFDs, Fanatec CSR Wheel/Shifter, Elite Pedals
Intensity Pro 10-Bit, TrackIR 4 Pro, WD Black 1.5TB, WD Black 640GB, Samsung 850 500GB, My Book 4TB
#3761033 - 04/01/13 08:55 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Jul 2002
Posts: 20,834
Stormtrooper Offline
Lifer
Not sure I get that lol. I downloaded a program awhile back for FSX vLSO and my Alienware started acting up with browser redirects etc.

May or may not be that computer.

#3761038 - 04/01/13 09:01 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Nov 2004
Posts: 17,632
SkateZilla Offline
Skate Zilla Graphics
Veteran
Virginia Beach, VA
browser re-directs are usually a hijack virus.

some are simply easy to remove, while others aren't.

the Google Hijack virus took me a week to clean off my office PC (mainly cuz I didn't have admin permission).

I usually Scan with:
MS SE, TrendMicro, SpyBot, Malwarebytes Anti-Malware, and a few others.

ComboFix as well in extreme cases.


#3761039 - 04/01/13 09:04 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Jul 2002
Posts: 20,834
Stormtrooper Offline
Lifer
I'll give those a shot too. Thanks SZ. Gotta run to a baseball game so if I don't answer any questions today I'll be back tomorrow.

#3761043 - 04/01/13 09:07 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Feb 2001
Posts: 11,752
Vertigo1 Offline
Veteran
Zeta Aquilae System
Originally Posted By: Stormtrooper
Nothing came up for netstat.

I'll try doing one computer at a time. Should I install this packet sniffer on all computers then when I do it one at a time?
The program I'm using is Wireshark ( http://www.wireshark.org/ ) freeware version

I blocked port 25 on my router too. Not sure if that'll help, but it says most bots send out email.


if you only want to view ip traffic between local and remote machines, use the following capture filter on the interface in wireshark:

ip and not (src and dst net 192.168.1.0/24)

you can set it under the manage interfaces settings. it's a capture filter, not a display filter.

this will help you keep a lot of junk out of your capture.


"Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong remedies." - Groucho Marx

“One of the great mistakes is to judge policies and programs by their intentions rather than their results.” -Milton Friedman

Quem Deus vult perdere, prius dementat
#3761057 - 04/01/13 09:44 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Nov 2010
Posts: 790
DetCord Offline
Member
Fort Riley, Kansas
Originally Posted By: Stormtrooper
Sent By:
"Comcast Online Communications" <online.communications@alerts.comcast.net>


Constant Guard Alert
Dear XFINITY Customer,

XFINITY identified one or more of your computers may be infected with a bot. You might have already seen an Alert from XFINITY informing you about bot activity.

We strongly recommend you take action to remove malicious software from your computers.

We appreciate your prompt attention to this important security notice.

Sincerely,
Constant Guard from XFINITY


What did CCSA and/or their CS have to say on the matter?

FYI, Xfinity has been known to utilize this method in an attempt to get a customer to purchase further "protection" via the subsidiaries they utilize.

However, looking at the previous screen you posted, it's kinda hard to tell. I'm assuming SpyBot gave you positives and false-positives?


#3761066 - 04/01/13 09:58 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Jan 2001
Posts: 25,138
RSColonel_131st Offline
Lifer
Vienna, 2nd rock left.
Tricky problem. Shutting down all programs (even system tray) will deactivate most, but maybe not all legitimate traffic to the internet. The remaining stuff should be visible in Wireshark as a connection to an external IP that will resolve on WHOIS as something you've never heard about...

No clever automatic way to get this, besides - depending on your router - maybe check the router logs. If they are detailed enough it will be easier to see the traffic there.

#3761089 - 04/01/13 10:40 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Apr 2008
Posts: 19,581
Raw Kryptonite Offline
Beat the Kobayashi Maru
Veteran
MS
They'll tell you that if you send out a fair amount of email with multiple recipients. My dad got that for sending out monthly HOA newsletters. Nothing came of it though.
I'd do some thorough scanning, make sure scanners are running ok and up to date.
Malwarebytes
Adaware
Ccleaner (back up if you clean the registry...save this as a last resort, don't want to mess with the registry if you don't have to)


·Steam: Raw Kryptonite ·MWO & Elite Dangerous: Defcon Won ·Meager youtube channel
·Intel i5-9600K ·EVGA GTX1070 FTW 8GB ·EVGA CLC 120 Cooler
·16 GB Patriot Memory VIPER 4 3000MHz ·GIGABYTE Z390 AORUS PRO WiFi Mobo
· CORSAIR CARBIDE AIR 540 case ·BenQ BL3200PT monitor
#3761378 - 04/02/13 03:31 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Oct 2009
Posts: 290
Wizard43 Offline
Member
Canada
There's a lot of good advice here already. The only thing I might add is about malware scanning. I've had more success with offline scanning infected machines. I've been successful with combinations of Microsoft Defender Offline and AVG and Kaspersky rescue CD's/bootable USB drives. Sometimes a machine will not boot with one or another of the above solutions, so I'll use one of the others. I generally try to scan with at least two of the above.

Wizard

#3761714 - 04/03/13 03:34 AM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Aug 2004
Posts: 109
Executed Offline
Member
CT, USA
If your concern is the NBNS Broadcast traffic seen in the packet capture, try shutting down Network Discovery and then rerun the capture to see if the computer still sends broadcasts. KB below is for Vista, but Win7 has the same menu.

http://windows.microsoft.com/en-US/windows-vista/Enable-or-disable-network-discovery

#3762794 - 04/04/13 10:34 PM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Feb 2001
Posts: 11,752
Vertigo1 Offline
Veteran
Zeta Aquilae System
Any update on this?


#3763560 - 04/06/13 11:52 AM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Jul 2002
Posts: 20,834
Stormtrooper Offline
Lifer
Short on time so what I did a couple of days ago was pull the Alienware offline (pulled out Ethernet cable)

Every 5 days Comcast sent me an alert....tomorrow is day 5 so I'll let you know then.

#3763873 - 04/07/13 04:58 AM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Apr 2013
Posts: 1
SnoWolf Offline
Junior Member
I had the same problem, but I was able to track it down and fix it. Do you have Spybot S&D 2 installed by any chance? I don't use it as a malware scanner, but it has a pretty cool "Immunize" feature that creates a dynamic loopback hosts file containing over 100,000 active malicious server IPs and domains. Anyway, here's why I ask:

After a routine XP SP3 clean rebuild yesterday, including Spybot S&D's v2.0.12.0, I too noticed odd outbound beacon-like network traffic on the connected NIC icon in the systray. I ran a Wireshark capture to see what it was and discovered that my system was also sending a continuous flood of high-port UDP packets (at least 1-2 packets every second) to one of the reserved Internet Multicast addresses, 226.178.217.5. If left alone, the flood continues indefinitely. I tracked this packet storm source down to Spybot S&D's scanner service; however, trying to stop the activity permanently has proved more difficult.

Stopping and disabling the service in Services AND in SB's Settings tab only works temporarily because as soon as you open the SB Start Center - Settings tab again, it automatically sets bits to reactivate the malware scanner service at Startup. Now I'd hated to create a hosts file loopback against an actual SB service - the comedy practically writes itself - but that's what I eventually had to do for now. I would have simply uninstalled the product, but as I said, the hosts file it maintains adds a nice layer of security. I reported the finding on Spybot's forum. Others who pay attention to their outbound traffic have reported the same condition and source as well. SB's response was that it is part of their software's client-count feature and that they are "working" on lengthening the packet interval for v2.1. Not sure I'm buying that, but that's their story and they're stickin' to it.

Anyway I found your post while researching the issue and decided to add my two cents because your machine is exhibiting the exact same symptom as mine was. If I were you I would explore your issue to conclusion, but in the interim, and to keep you in good graces with Comcast, I suggest you add a loopback hosts file entry for 226.178.217.5 to eliminate the outbound flood for now until you find the culprit. Below is a sample hosts file mod that includes the multicast destination IP. Hope that helps... Cheers.

***************************************************************************

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 226.178.217.5

***********************************************************************
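
Added example, not part of any post in this thread: a Python script that automates the check the replies describe by hand. It applies the same test as the capture filter quoted above (drop packets whose source and destination are both in 192.168.1.0/24) and then reports any flow that keeps sending without a pause, such as the 1-2 packets per second to 226.178.217.5 described above. The record layout, the host addresses 192.168.1.20 and 192.168.1.10, port 50000 and the thresholds are assumptions, and the sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Subnet taken from the capture filter quoted in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")

def leaves_lan(src, dst):
    """Same test as `not (src and dst net 192.168.1.0/24)`: keep a packet
    unless both endpoints sit inside the LAN."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not (a in LAN and b in LAN)

def steady_flows(records, min_packets=30, max_gap=2.0):
    """Group packets by (src, dst, proto, dport) and return flows that leave
    the LAN and keep sending with no pause longer than max_gap seconds."""
    times = defaultdict(list)
    for ts, src, dst, proto, dport in records:
        if leaves_lan(src, dst):
            times[(src, dst, proto, dport)].append(ts)
    found = []
    for key, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < max(min_packets, 2) or max(gaps) > max_gap:
            continue
        src, dst, proto, dport = key
        span = stamps[-1] - stamps[0]
        found.append({
            "src": src, "dst": dst, "proto": proto, "dport": dport,
            "packets": len(stamps),
            "pps": round((len(stamps) - 1) / span, 2) if span else None,
            "multicast": ipaddress.ip_address(dst).is_multicast,
        })
    return sorted(found, key=lambda f: f["packets"], reverse=True)

def sample_records():
    """Constructed data: one LAN host sending a steady UDP stream to the
    multicast address named in the thread, plus ordinary traffic."""
    recs = [(i * 0.7, "192.168.1.20", "226.178.217.5", "udp", 50000) for i in range(90)]
    # NBNS broadcasts stay inside the LAN, so the filter test drops them.
    recs += [(i * 1.5, "192.168.1.20", "192.168.1.255", "udp", 137) for i in range(40)]
    # Bursty web traffic from another host (203.0.113.10 is a documentation address).
    recs += [(t, "192.168.1.10", "203.0.113.10", "tcp", 443) for t in (1, 1.1, 1.2, 30, 30.1, 58)]
    return recs

if __name__ == "__main__":
    for flow in steady_flows(sample_records()):
        print(flow)
```
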

#3765887 - 04/11/13 12:22 AM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Jul 2002
Posts: 20,834
Stormtrooper Offline
Lifer
After all this I go to

https://amibotted.comcast.net/

and it says I'm clean....wtf

#3767644 - 04/15/13 12:37 AM Re: Comcast says i have a bot [Re: Stormtrooper]  
Joined: Feb 2001
Posts: 11,752
Vertigo1 Offline
Veteran
Zeta Aquilae System
heh.

well, either it was a false positive, or you have a particularly nasty rootkit.

