Momadice

Cannot stop - unauthorized network activity? Rootkit? Infection? ISP?


I do not know what exactly is happening here except that I have unknown devices hooked up to my network that come and go. My ISP helped me change my password, and gave me some tools to use to complement my Emsisoft AV. As things seem to be out of my control on this network, even after a delete, format, clean install of Windows 10, I am not sure of what I am dealing with here. However, after the password for connection was changed, the symptoms reappeared. Will you help me to figure out what is happening? Do I have something happening at a deeper level than a clean install?

 

I do not know why FARBAR produced three different results of each scan.  I did not run the program more than once.

 

1FRST.txt

 

2Addition.txt

 

3FRST.txt

 

4Addition.txt

 

5FRST.txt

 

6Addition.txt

 

EEK scan_160330-141110.txt

 


 

sofoscan results.txt

 


What unknown devices are you talking about?

The unknown hidden files are fairly common and look to be normal activity on your system.


I had started having troubles with Chrome no longer being my default browser (my choices being ignored or reverted), my Windows updates were not taking effect and being reverted, and my Emsisoft choices/settings being changed. While doing a little diagnosis on my network I discovered a D-Link device that was unfamiliar. Sometimes it is present and sometimes it disappears quite quickly. I managed to get a screen shot of it and called my ISP to see if this was normal to be on the network. It wasn't mine (I know which is mine), so they showed me how to check the MAC address as that was the only usable information caught in the screen shot. It is in the screen shot I attached. It's Taiwan, China, and that's all the info I have.

 

I changed the password to the network, but that didn't stop it from showing up again. I expect to have my network hacked from time to time; that seems to be normal these days. When Sophos highlighted some issues (which is what my ISP suggested in their guides) I thought I'd better check in with Emsisoft. I do realize that Emsisoft cannot "do it all" and that I may have a problem that simply cannot be fixed. In an effort to try and see what is running in the task manager (which I really do not like because they all have the same name it seems) I also seem to have a virtual machine monitoring running on a port. That seems odd to me, but maybe it is normal.

 

Perhaps I cannot have a default browser of choice anymore because of some windows 'thing', but I did have it for some time.  Maybe it is normal to have devices show up on my network map that I do not recognize.  I may be missing some settings in my av which is why they revert back.

 

Windows update wants to revert back any changes but I do not know why the updates won't take. I am currently following the update troubleshooter on Microsoft, hopefully that will help.

 

What I do know is that if an expert looks at my logs I will simply write these issues into the "I don't understand them, but all is well" file, and forget about them. Generally speaking, these symptoms are often highlighted as red flags in your and Bleeping's blogs and tutorials.

 

If all looks good to you, then thank you.  Not all problems are malware related and I realize this.  I rely on emsisoft to alert me when needed, and I like it.


Hello,

Since Kevin is away, I'll assist you further with this issue.

 

I've reviewed the relevant logs and screenshots and it doesn't look like you're a victim of a hijacked network.

The two devices identified are both routers from D-Link and fairly similar, which makes me think it might just be an issue with the router being identified incorrectly:

http://www.dlink.com/ro/ro/support/product/dir-615-wireless-n-300-router

http://www.dlink.com/uk/en/support/product/dir-605l-wireless-n-300-home-cloud-router

 

Can you confirm which one you do own/use on your network to connect?


 

Very good.  Thank you.  I managed to use the windows update tool:   Microsoft Easy Fix 20179 dot mini do diagcab  :thumbs:

 

It was a little strange at first as it went about installing Windows 10 exactly the same in manner as when I first upgraded the OS from 8.1. Windows 10 is up to date with the latest updates, confirmed by visiting the Windows 10 update page and reviewing the ones sent out against the ones in my update history.

 

When it comes to the router the one I have is:  Cisco DPC3825  :thumbs:

 

This is the unit I can use to go into the settings by putting the 192.168.0.1 into my browser and modifying to change password etc.

 

:ph34r:  The dlink.com me cloud router I do not have.  I have actually never even seen one that looks like it.   :ph34r:  The second one the ss-n-300-router is also unknown to me.  I have never seen that one either.

 

Although I rarely check my network (maybe once or twice in the past year), it was while investigating (or trying to) what was running on my computer that I discovered the other two devices. So consistently I have the Cisco DPC3825 which is okay; the other two are sometimes there together, sometimes not there at all, and/or one of them is present. As I write this to you the Cisco DPC3825 is the only device listed.

 

Since yesterday I have gone over the information from my ISP provider.  They just sent me the manual via email.  When they installed the unit I was told to just leave it, do nothing with it, and that is what I did.  I did not have any manuals etc.  

 

Last evening I used the MAC filter section (screen shot attached) and put the MAC address of the one unit into the settings to block. I also changed the user name and password as well as the password to get onto the internet service to use wifi (for my phone and tablet). The other router I have not seen in two days. The screen shots of the routers that I originally sent were of the units I do not have or use. Which means that when I had the screen up of the devices on my network there were three: mine and the other two I didn't recognize.

 

My bigger problem is that after my ISP provider worked over the phone with me, and he changed the passkeys for access to my internet, the other units were in fact still using my system. They disappeared, then came back, but not at the same time. Yet I had to change my tablet to get wifi and my phone to get wifi because of the new password. This is what set off some alarms for me, because these units were still accessing my system shortly after my ISP provider changed my password. If I had to manually enter in a new password for wifi for my own phone and tablet to get access, how did any other units get the same password? The only logical explanation in my mind is that something is happening from within my laptop that I could not seem to diagnose. I had literally done three clean, delete, format re-installs of my OS, and the only program I installed was Emsisoft. After the second clean install of the Win 10 OS, Emsisoft would not install properly and gave me a warning to contact support. I was denied access to Chrome through Edge to install that browser as well. Windows 10 would not update and kept reverting backwards. And thus the troubleshooting began...

 

This is the router I have:  This is the router I have.txt

 

Is there a good utility or a setting I should be aware of on my emsisoft to aid in network security?

 

I really do try to do my homework before engaging anyone's assistance. Prior to deciding to do a clean install I consistently had adware and JRT highlighting the same issues over and over again. As soon as my PC was powered up all the same problems appeared and all the same troubleshooting was done and nothing worked to permanently resolve the issue. Although I have wiped the drive, I remember the Ask and AOL browser kept getting caught by adware, but kept returning; the WOT extension on Chrome was being deleted; Chrome even reinstalled itself all on its own right in front of me! Emsisoft settings were continually being set to report only instead of quarantine and notify. You can see where my frustration is, and it is even more frustrating when the logs show up malware free. I can't even imagine how frustrating this would be to a tech on the other end of this topic. I also understand that these problems may be beyond the assistance you can offer.

 

 

I suppose I should mention that even after all this reinstall business, there are many, many errors and warnings in my event viewer. I do not understand how to interpret them properly, and do not understand the different sources (different desktop names and computer names) that are associated with the event viewer errors and warnings.
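The post above works from the router's device list and a MAC filter. The script below is an added example (not from this thread or from Emsisoft) of the same triage done from the PC side: it parses Windows `arp -a` output, normalises the MAC format, flags any device not on an owner-maintained allowlist, and attaches a vendor hint from the OUI prefix. The ARP rows, the allowlist and the OUI table are constructed sample data, not real devices or real IEEE assignments.

```python
import re

# Constructed vendor-prefix table keyed by the first three octets (placeholder OUIs).
OUI_TABLE = {"00-11-22": "Example Cable Modem Co.", "AA-BB-CC": "Example Router Co."}
# MACs the owner recognises: the ISP gateway and their own tablet (constructed values).
ALLOWLIST = {"00-11-22-33-44-55", "DE-AD-BE-EF-00-01"}

MAC_RE = re.compile(r"([0-9A-Fa-f]{2})[:-]" * 5 + r"([0-9A-Fa-f]{2})")
# A data row of Windows `arp -a`: IP address, physical address, then dynamic/static.
ROW_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(dynamic|static)", re.I)


def normalize_mac(mac: str) -> str:
    """Upper-case, dash-separated form so Windows (dash) and Unix (colon) styles compare equal."""
    m = MAC_RE.search(mac)
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(g.upper() for g in m.groups())


def vendor(mac: str) -> str:
    """Vendor hint from the OUI prefix, or 'unknown vendor' if the prefix is not in the table."""
    return OUI_TABLE.get(normalize_mac(mac)[:8], "unknown vendor")


def parse_arp(text: str) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs from `arp -a` output, skipping the broadcast entry."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if mac == "FF-FF-FF-FF-FF-FF":
            continue
        entries.append((ip, mac))
    return entries


def unknown_devices(text: str) -> list[dict]:
    """Rows whose MAC is not on the allowlist, with a vendor hint for triage."""
    return [{"ip": ip, "mac": mac, "vendor": vendor(mac)}
            for ip, mac in parse_arp(text) if mac not in ALLOWLIST]


SAMPLE_ARP = """\
Interface: 192.168.0.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.23          aa-bb-cc-01-02-03     dynamic
  192.168.0.42          de-ad-be-ef-00-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
```

A MAC filter is only a convenience control, since the address is set by the client; the stronger fix in this thread is the changed WPA passphrase and router admin password, and this listing is for noticing when something new appears.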

When it comes to the router the one I have is:  Cisco DPC3825  

 

Is it possible that your wireless network adapter picks up a neighbor's router or so?

 

It really is not strange to see a bunch of errors in the event viewer, especially not after a reinstall. What happens is that a bunch of drivers, updates and whatnot have to be installed. Sometimes Windows attempts to load devices before drivers are properly installed, sometimes updates fail because other updates first have to be installed, and so on and so forth. All this will show up in the event viewer.

 

Aside from all this, what actual problems does your computer have right now (for example, running slow, errors, problems when browsing, just to name a few)?


 

I live in an apartment building, surrounded by a few other apartment buildings and commercial stores. There are many, many networks I am surrounded by.

 

Since replying to you last, the windows update is continuing to be successful.

My emsisoft has been working very nicely with no change in my preferred options.

I have two network devices on my network, one is mine and the other is one that is on here periodically (meaning sometimes yes and sometimes no, but I have only been looking the last few days). I will look at the MAC address and add it into the block section of my router setup.

 

My most important thing is my emsisoft working again.  It is.  I think I should be all good.  I did try and run adware (just to see if things were okay) from Bleeping but emsisoft stopped it because it was doing something bad, so I just left it alone.  I have not run any other scans with any other diagnostic tools, as I do not think I need to anymore.  I will continue to learn about network security, as this may have been a significant issue I have only learned to address now.

 

For the first time in a long time my internet speed is significantly faster.  I mean fast.  I can hardly believe it.

 

As I have shown you some other screen shots, here is the one I took right after reading your last post, and again my Cisco one is constant and the other is unknown to me. It is also in my MAC filter already on my Cisco page, so I am not sure why I am seeing it. If I know it's supposed to be there but not misbehaving, that is okay. I just do not know why it is there, but it does seem blocked now.

 

All the issues that brought me to making this post have been nullified, except for the one device, at this time. Updates are now working; Emsisoft is greatly working; and internet has gotten much better. Except "Google Chrome is unresponsive" is an error I am getting at this time, once or twice. And the DIR-605L. None of this is malware though.

 

Here is a screen shot of what is okay:

 

This is my PC and my tablet. You can see the MAC addresses are different. I think I am all good now.


I'm glad to hear everything is working now. :) It is strange those devices showed up, but I really wouldn't call it malicious and since you blocked the MAC addresses anyway, you should be safe.

 

Since this issue appears to be resolved, I'll close this topic.
