Very concerned... apparently I have a rooted/ infected machine?

September 26, 2012 6:04:10 AM

I tried to vote for something on a website, and it prevented me from doing it because it told me I was listed on DroneBL. Apparently what DroneBL (http://dronebl.org/docs/what) does is track abusable IPs and keep a database of abusable / rooted machines. This worries me a lot of course.

Doing research apparently the best thing I can do is reinstall my OS? (http://serverfault.com/questions/6190/reinstall-after-a...)

This makes me scared, so does this mean I've been hacked/rooted/infected this whole time without knowing and someone could be viewing my private information?

Also, another thing that's strange is that when I go to hotmail.com, instead of allowing me to sign up with an @hotmail.com email address I have to get an @hotmail.co.uk one (even though it says Microsoft Corporation (US) in the address bar for Firefox). Why is this?
September 26, 2012 6:41:11 AM


Hello and welcome to Tom's Hardware Forums.

Last things first - Microsoft would associate you with your IP address, which would show up as UK and give you the appropriate e-mail address, so nothing sinister there. I think you can force a .com address if you really want it but Hotmail is not a good address in any event because of their reputation for being easy to hack and used by the spamming idiots.

As to having to reinstall Windows, I doubt it's that likely yet. Use some specialist utilities and keep us posted on the results and someone will guide you through. Start off by clearing out the clutter so the scans can run more quickly.

Go to http://www.piriform.com and download CCleaner then to http://www.atribune.org for ATF Cleaner. Each will find and delete unnecessary files the other doesn't. After running both open CCleaner first and run the Registry scan, accept the offer to back it up before altering the Registry and let CCleaner remove everything it finds. It's quite safe.

Go to http://www.malwarebytes.com and download MalwareBytes - also called MBAM. Install and update it then restart into Safe Mode with Networking by tapping Function 8 when you power up the machine. Update again then run a full scan - at the end, click Show Results then tick everything and click Remove Selected. You're using a trial version so every item has to be individually ticked - it's a way of persuading you to buy the full programme.

Restart back into Normal Mode and go to http://www.bleepingcomputer.com, find and download ComboFix and thoroughly read the instructions before using it.

When it's finished - and be patient here even if it looks as though nothing is happening - post the log back here along with the MBAM log which you find under its Logs tab.


September 26, 2012 10:35:54 AM

I don't live in the UK... so you're telling me my ISP gave me a UK IP -_-? Also I use a broadband connection so I think I have two IPs? How do you change/reset an IP on a broadband connection? I've done it before when I had a regular modem but it doesn't seem to work anymore.

CC is pretty much useless, it doesn't clear much more than the Clear Recent History tool from Firefox.

Alright so I installed and ran Malwarebytes. Here is the log:

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.26.04

Windows XP Service Pack 3 x86 NTFS (Safe Mode)
Internet Explorer


Protection: Disabled

9/26/2012 1:04:17 AM
mbam-log-2012-09-26 (01-39-54).txt

Scan type: Full scan (A:\|B:\|C:\|D:\|G:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 384062
Time elapsed: 35 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\<Snip>\Desktop\MINECRAFT\AMIDST.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{326DC35B-5AE8-4E88-9A58-CCDFC9F92A11}\RP616\A0299987.exe (Trojan.Agent.H) -> No action taken.

(end)


I removed them & then restarted exiting safe mode via msconfig.

AMIDST is software I downloaded forever ago for minecraft, I'm wondering what is a way to make sure something doesn't contain a virus before you download it?

Also I forgot to mention that I've been using Norton 360 for awhile now.
September 26, 2012 1:10:34 PM

Being on a black list doesn't necessarily mean you have a problem. Someone could have had that IP address before you. They could have been infected and put on the black list. In the meantime, your ISP's DHCP server may have reassigned that IP address to your computer, but the address was never removed from the black list. If you go to the black list's web site, there should be a way for you to have them remove the IP address from their list.
September 26, 2012 6:10:03 PM

Quote:
CC is pretty much useless, it doesn't clear much more than the Clear Recent History tool from Firefox.



Pardon me - I had no idea you were so well informed. The CCleaner I use removes exactly what I want it to.

The confusion over IP addresses could be malware related but I can't see the MBAM log so I don't know what to suggest next. I assume you didn't bother with ComboFix - are you using any rootkit removers?


September 27, 2012 1:32:44 AM

Quote:
Being on a black list doesn't necessarily mean you have a problem. Someone could have had that IP address before you. They could have been infected and put on the black list. In the meantime, your ISP's DHCP server may have reassigned that IP address to your computer, but the address was never removed from the black list. If you go to the black list's web site, there should be a way for you to have them remove the IP address from their list.


I can remove it from there but I'd rather reset/change my IP. Something I used to do periodically, but since getting broadband I think it gives me two IPs and makes it so I can't do it anymore.

Quote:
Pardon me - I had no idea you were so well informed. The CCleaner I use removes exactly what I want it to.

The confusion over IP addresses could be malware related but I can't see the MBAM log so I don't know what to suggest next. I assume you didn't bother with ComboFix - are you using any rootkit removers?


Well I downloaded and ran it because you wanted me to but it barely removed anything. I'd rather use disk defrag but that takes forever.

I didn't touch ComboFix because it told me I shouldn't use it unless I have a professional watching me. No, I don't have any rootkit removers; which one would you recommend?

Also the log is right there in the spoiler just click it and it should reveal it.

Also I really want to know how to "reset" my IP on a broadband connection using cmd / ipconfig. Another thing are there any free proxy or paid ones you'd recommend? I used free ones before but they wouldn't last very long.
September 27, 2012 7:09:39 AM



I use Kaspersky's TDSS Killer as a first choice. You're right to be cautious about ComboFix but many people do have success with it if they carefully follow the instructions.

As to resetting the IP in command line, ipconfig can only operate on your internal IP - the one DHCP gives each individual PC. The IP which has you in the wrong country is your external IP. Try Googling for it and find out where the batch it's in is handled.




September 27, 2012 12:11:06 PM

You can't set your WAN IP address. That is assigned to you via DHCP from your ISP, and most ISPs use pretty long DHCP leases, so the odds of you rebooting your modem and getting a different IP address are almost none. I think my WAN IP changes like once a year if even.
September 27, 2012 12:50:26 PM

I know why you are telling me I can't change a dynamic / WAN IP using cmd when I used to do it all the time to bypass things that store your IP information. But I figured out I have a static IP and apparently changing that is much harder and I'm wondering if you guys had an easier way or should I just change it to dynamic so I can change it... and yes you can change it like I said I did it all the time, it would change my IP by like 1 digit but it still changed it.
Quote:

The IP which has you in the wrong country is your external IP. Try Googling for it and find out where the batch it's in is handled.


I don't get this. Google what and look for what? Could I just phone up my ISP and tell them to change my external IP to that of my region and not the UK (so this means I DO have a UK IP address? But most websites detect that I'm in Canada, it doesn't make sense. Can you go to hotmail.com and sign up and see if it's .co.uk for you?).

Also where do I download that kaspersky thing, not sure if http://support.kaspersky.com is trustable or not, don't want to risk it. Should I run the .exe in safe mode?
September 27, 2012 12:58:51 PM

thetechnoobguy said:
I know why you are telling me I can't change a dynamic / WAN IP using cmd when I used to do it all the time to bypass things that store your IP information.


The only IP address you can change from a cmd is the PC's address. Your WAN IP is on the router/modem, which is not accessible from cmd. You need to log in to your router or modem to do anything with it.

Also, dynamic means the IP address changes automatically. Static means it remains constant unless someone changes it. Unless your ISP (which you haven't mentioned) has short DHCP leases, your WAN IP won't change anytime soon.
September 27, 2012 3:03:52 PM

So there's the PC's address IP, and an internal / external IP? Urgh I thought there was only one :/ . So how do I change my PC address since I'm static and no longer dynamic. My ISP is shaw.

Why are you telling me I have a WAN Ip I thought WAN = dynamic, or is there now four types of IPs (or more)?
September 27, 2012 4:42:53 PM

WAN = Wide Area Network, or in this case the Internet. LAN = Local Area Network, or in this case your home PCs and devices. And yes, your PCs have IP addresses that are different from your router's/modem's WAN address.

WAN and LAN addresses can be static or dynamic. If you have Windows set up to "obtain an IP address automatically" then it's using a dynamic address as it can change at any time. Setting Windows to use the same IP address all the time, like 192.168.2.10, is static since it will never change unless you change it.

The IP address settings in Windows have nothing to do with the IP address your ISP assigns to your router/modem. Your modem just acts as a bridge between your LAN and a WAN (the Internet in this case).

If you want to see your WAN address check out this link.

http://www.whatismyip.com/

Notice, it probably looks nothing like the IP address on your PC.
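The two points made in the replies above - that a blacklist entry can belong to whoever held the address before you, and that only the WAN address is ever visible to a website - can be checked mechanically. The Python below is an added example written for this page; it is not code from the thread or from DroneBL. It assumes DroneBL's published lookup zone name dnsbl.dronebl.org (from the project's own documentation, not from the thread), and the sample addresses are constructed: a typical home LAN address and a well-known public address used only to show how a query name is built. A DNSBL is queried by reversing the octets of the address, appending the zone, and asking for an A record; a 127.0.0.x answer means "listed" (the list operator documents what each code means) and NXDOMAIN means "not listed". A LAN address is rejected up front, because it is never what any blacklist records.

```python
import ipaddress
import socket

# DroneBL's published DNSBL zone (assumption: taken from dronebl.org's docs,
# not from the thread).
DRONEBL_ZONE = "dnsbl.dronebl.org"

# Constructed sample addresses: a typical home LAN address and a well-known
# public address used only to show how a query name is built.
LAN_SAMPLE = "192.168.0.10"
WAN_SAMPLE = "8.8.8.8"


def is_lan_address(ip: str) -> bool:
    """True for addresses that never reach a website: RFC 1918 ranges,
    loopback, link-local and other non-global space. Such an address can
    never be the one a blacklist lists."""
    return not ipaddress.ip_address(ip).is_global


def dnsbl_query_name(ip: str, zone: str = DRONEBL_ZONE) -> str:
    """Build the hostname a DNSBL expects: octets reversed, zone appended
    (1.2.3.4 -> 4.3.2.1.<zone>)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this lookup handles IPv4 only")
    if is_lan_address(ip):
        raise ValueError(f"{ip} is a LAN/non-global address; look up the WAN address instead")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_lookup(ip: str, zone: str = DRONEBL_ZONE, resolver=socket.gethostbyname_ex):
    """Return the 127.0.0.x answer(s) if the address is listed, [] if not.
    The resolver is injectable so the logic can be exercised offline; the
    meaning of each 127.0.0.x code is documented by the list operator."""
    name = dnsbl_query_name(ip, zone)
    try:
        _, _, answers = resolver(name)
    except socket.gaierror:
        return []  # NXDOMAIN: the address is not on the list
    return [a for a in answers if a.startswith("127.")]


if __name__ == "__main__":
    print(LAN_SAMPLE, "is a LAN address:", is_lan_address(LAN_SAMPLE))
    print("query name for", WAN_SAMPLE, "->", dnsbl_query_name(WAN_SAMPLE))
    # Live lookup; needs DNS access.
    print("listed:", dnsbl_lookup(WAN_SAMPLE))
```

Run it with the WAN address from whatismyip.com substituted for WAN_SAMPLE. If the address is listed, the practical next step is the one already given in this thread: ask the list operator to remove it, since renumbering a long-lease ISP address is not in the subscriber's hands.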
September 27, 2012 6:42:17 PM



When I suggested that the external IP confusion could be malware related, perhaps I should have asked you to check in Control Panel>Internet Options>Connection tab>LAN button to see if there are any ticks in the Proxy section. If there are, remove them and tick "Automatically detect settings", then Apply and OK your way out.

If there are ticks in Proxy, it would certainly explain a thing or two.


September 28, 2012 12:52:59 AM

Ok so how do I change my internal IP then on a broadband connection. The one I used to be able to change all the time. The one that is used to connect to websites and may be recorded.

Nope nothing is ticked at all. Should I still tick Automatically detect settings?

This is getting annoying I want to get to the bottom of this, I need to know where to download that kaspersky thing.
September 28, 2012 1:05:54 AM

Wait.. what the hell...
I checked my email junk folder and found this:


Why is it UK and Ireland forums?! I never used them, and do they even exist? This is making me very frustrated and I want to get to the bottom of this ASAP...
September 28, 2012 1:27:21 AM



This link is quite safe.
http://support.kaspersky.com/faq/?qid=208283363

This is still a bit of a mystery but we'll soon have you back in Canada - I hope. :D  This thread has been on the .co.uk site since it started but it's probably also visible on the .com site.


September 28, 2012 5:16:50 AM

I ran the exe (not in safe mode) and it didn't find anything.

My new computer is going to be using Windows 7, and so when I install it on this hard drive it completely wipes it so that any possible virus or anything is removed, correct? But it wouldn't fix this whole UK thing, would it?

It's just so weird because most website detect that I'm in Canada, but then you have things thinking I'm in UK? I've been using tomshardware.com since forever so why would it still post my thread in the UK... This is so strange!

I'm going to phone up my ISP and ask them why it's doing this. Also I'm going to ask them how to change my internal IP.
September 28, 2012 7:34:22 AM



Changing your internal IP is easy enough but it's the external one - the one they supply you with - that's making you appear to be here rather than where you really are.

In the Properties pages of your network connections - wired and wireless - is the facility under TCP/IP Properties to fix an IP address for each computer. In a network with the Default gateway of 192.168.0.1 for example, each computer can have an individually assigned fixed IP of anywhere between 192.168.0.2 and 192.168.0.254. There are hardly any good reasons for wishing to do that and it's better to allow DHCP to allocate those numbers on a first come, first served basis.

However, as I've said, it's a matter for Shaw to assign you a fixed one but as Hawkeye said above, that's unlikely to have changed in a year or more even if you turn your router off every night.

When you went to Whatsmyip.com, the address you saw was the external one from Shaw and nothing like the one you have indoors. I suggested you put that into a Google search to check that it goes back to Shaw as one of the batches they're allocated.

For the same reason, I asked you to check your system for use of a Proxy - an IP address specifically designed to fake a location - but the settings were OK.




September 28, 2012 7:37:20 AM



On the malware issue, your TDSS scan makes it look as though you're in the clear but turn System Restore off and restart the system to clear out the old files it's carefully saving in case you want them back. With those in there, as MBAM noted - they can still pose a risk.


September 28, 2012 11:44:55 AM

Quote:
In the Properties pages of your network connections - wired and wireless - is the facility under TCP/IP Properties to fix an IP address for each computer.


Is this a question..?

Shaw to assign me a fixed what? Internal or external IP? I used to do the ipconfig /release, ipconfig /renew technique for my internal IP all the time when it was dynamic, but it doesn't work anymore; it gives me the exact same IP I had before and it's very frustrating, and this is what I've been telling you and you still haven't told me how to change it. I will be phoning Shaw tomorrow regarding my external IP but as for my internal one I don't understand why you can't just tell me how to do it if you know how to.

Ok I turned off system restore and restarted. Even though system restore doesn't even work in the first place. Also I should mention that Automatic Updates doesn't work; I reinstalled it so there have to be some sort of files missing from my OS. I'd reinstall XP if I had the disc but it doesn't matter because I'm getting Windows 7 and someone else will be using this PC.
September 28, 2012 12:27:13 PM

thetechnoobguy said:
I used to do the ipconfig /release, ipconfig /renew technique for my internal IP all the time when it was dynamic, but it doesn't work anymore; it gives me the exact same IP I had before and it's very frustrating, and this is what I've been telling you and you still haven't told me how to change it.


Your router is most likely set up with long DHCP leases. If you want to change your computer's address via ipconfig, you will first have to log in to your router and shorten the DHCP lease time to something like 30 minutes. Even this may not work depending on how many other computers/devices are in your house. If the computer is all you have, DHCP may just continue to assign you the same IP address.

Besides that, changing your internal IP address will accomplish nothing. It's your WAN IP that the rest of the world can see. Only your home network can see the IP address on your PC.
September 28, 2012 12:43:31 PM

I am officially 100% confused.

The Ip that websites track and keep record of is the internal IP is it not. The IP Address / Subnet Mask / Default Gateway. This is what I change (or, used to be able to change) with cmd, this is what allows me to bypass websites. I've done it before and it has worked, stop trying to confuse me :( .

I don't really use a router, I use a broadband modem which has a built-in router. I only have one computer. So once I shorten the DHCP lease time I will be able to change my ip via cmd?

Please be as simple as possible because so many terms and information is being tossed around and it's hard to keep up.
September 28, 2012 12:52:19 PM

thetechnoobguy said:
I am officially 100% confused.

The Ip that websites track and keep record of is the internal IP is it not. The IP Address / Subnet Mask / Default Gateway. This is what I change (or, used to be able to change) with cmd, this is what allows me to bypass websites. I've done it before and it has worked, stop trying to confuse me :( .


It's apparent that you do not understand networking. The terms are as simple as they get. There is no other way to explain it. It's your lack of knowledge that is confusing you.

thetechnoobguy said:
I don't really use a router, I use a broadband modem which has a built-in router. I only have one computer. So once I shorten the DHCP lease time I will be able to change my ip via cmd?


This was already answered in my last post. I'm afraid that with your lack of understanding I will not be able to help you. Changing your internal IP address will not allow you to "bypass" websites, whatever that means. You either go to a web site or you don't. Bypass? Something else was coming into play before.

I'm not trying to belittle you. Everyone starts out as a techNOOBguy. You just need to study up on networking and how DHCP works.
September 28, 2012 3:24:24 PM

Unless everything I knew about networking was a lie, I thought that certain websites tracked / stored information regarding your IP address, which they could use against you, i.e. file sharing websites giving you a time limit - resetting the IP (like I did in cmd) would allow me to bypass this so that I could do unlimited downloading, or if I got IP banned from something I could "bypass" it. So you're telling me that's all a lie and I simply imagined myself "bypassing" websites?

You don't understand, I don't have the time for learning and there's five hundred billion terms and things flying around; just because you fully understand networking doesn't mean it's simple to everyone else. I just want to get to the bottom of my problem and everyone is beating around the bush and confusing me! How do I change my IP address etc. in cmd like I used to be able to, and how do I fix the UK problem? That's it! That's all I want to know!

Also sometimes I tend to ask questions that seem rhetorical or stupid but this is just to "double check" so that I know for sure. I do this all the time on the forums but it's just to clarify things, it doesn't mean I don't understand something. Also your argument of "you don't understand networking therefore I can't help you" makes NO sense, isn't that what this whole forum is for? So that I can learn and so that you can teach me? Why do you even have a networking badge if you won't help people understand it? :(
September 28, 2012 3:36:10 PM

You are talking about cookies. They can track certain information. Simply clearing your cookies from your web browser should have sufficed. no need to change your IP address.

We have told you several times that DHCP is controlling your WAN IP address. We also told you sites check your WAN IP address to determine geographic location. Until that WAN address changes, sites on the Internet will think you are in the U.K. We've also explained that your ISP controls your WAN IP address. There is nothing more that can be said that hasn't already been said.
September 28, 2012 3:41:49 PM

I am not talking about cookies.............................

Yes! Finally! Very simple straight forward explanation, thank you!

My WAN IP address (if your website is correct) is in Canada, it is correct.
September 30, 2012 1:01:16 PM

Alright, since this thread was abandoned by you guys I decided to call up my ISP and we found out that the whole UK thing is browser related. If I use Internet Explorer (which I hate using) I can see @hotmail.com addresses display correctly. So for whatever reason Mozilla Firefox / and apparently Google Chrome will set my default location as the UK and think that I'm in the UK.

They didn't have a clue how to change my internet IP Address, but I figured out how to change my Default Gateway successfully. Not sure if this is anything like changing the IP Address.

First person to tell me how to change my IP Address gets cookies & best answer.
September 30, 2012 2:15:29 PM



I thought I'd told you - set it as an Alternative in TCP/IP. Right click the Local Area (ethernet) connection in Control Panel>Network Connections and go to Properties. Under the General tab, click the Properties button then in the centre pane, scroll to Internet Protocol (TCP/IP). Highlight that line and click Properties then select the "Use the following..." radio button and enter an IP address of your choice but within the range of the Default Gateway plus a maximum of 253.

The subnet will set itself - put the gateway in where it belongs and also in the DNS in the next box. Click Apply and OK your way out.

You say you changed your Default Gateway - are you still connected to the Net? That's the address of your MODEM/router, without which you can't connect or see its settings.




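The manual TCP/IP setting described in the reply above has three parts that must agree with each other: the address must sit inside the subnet the gateway lives in, it must not be the network, broadcast or gateway address, and the DNS entry must be a valid address. The Python below is an added example, not code from the thread; it checks those constraints for a proposed configuration before it is typed into Windows. The gateway and mask are constructed to mirror the layout discussed here (a /24 with the modem/router at .1); the thread never shows the real addresses. Note what the check cannot see: whether the modem reserves the address in its DHCP pool, whether another device already uses it, or whether the modem filters hosts it did not assign. A configuration that passes here but still cannot connect needs ipconfig /all and a ping of the gateway on the PC itself.

```python
import ipaddress

# Constructed values mirroring the thread's layout: a /24 with the
# modem/router at .1. The real addresses were not posted.
GATEWAY = "192.168.0.1"
MASK = "255.255.255.0"


def usable_host_range(gateway: str, mask: str) -> tuple:
    """First and last host addresses of the subnet the gateway lives in.
    (The gateway itself is one of them, so it must be avoided separately.)"""
    net = ipaddress.ip_interface(f"{gateway}/{mask}").network
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def check_static_config(ip: str, mask: str, gateway: str, dns: str) -> list:
    """Return the problems found in a proposed manual TCP/IP setting;
    an empty list means the addresses are at least self-consistent."""
    problems = []
    try:
        host = ipaddress.ip_interface(f"{ip}/{mask}")
        gw = ipaddress.ip_address(gateway)
        ipaddress.ip_address(dns)
    except ValueError as err:
        return [f"malformed address: {err}"]
    net = host.network
    if gw not in net:
        problems.append(f"gateway {gateway} is not in {net}; the PC cannot reach it")
    if host.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if host.ip == gw:
        problems.append(f"{ip} is the gateway's own address")
    return problems


if __name__ == "__main__":
    print("usable hosts:", usable_host_range(GATEWAY, MASK))
    # The layout from the thread: last octet 205, gateway .1, DNS = gateway.
    print(".205:", check_static_config("192.168.0.205", MASK, GATEWAY, GATEWAY) or "ok")
    # A common mistake: the right last octet on the wrong subnet.
    print("wrong subnet:", check_static_config("192.168.1.205", MASK, GATEWAY, GATEWAY))
```

The "ends in 1, not sure if that's in range of 205" doubt from the earlier post is what the first check answers: with a 255.255.255.0 mask, .1 and .205 are both inside 192.168.0.0/24, so that part of the configuration was fine.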
September 30, 2012 2:56:14 PM

Ah okay. What I did was I went into my router modem and under LAN Setup > Local IP Address I changed that by a digit, and in TCP/IP it turns out it was my Default Gateway that was changed, and yes I connected to the internet fine. I changed it back to its original just now.

Ok I did as you said but here's what I did in more detail:
Ip Address: I left the first three numbers the same and the last one as 205
Subnet Mask: Left the same. (filled in automatically)
Default Gateway: Left the same (ends in 1 not sure if that's in range of 205)
Preferred DNS Server: Same as Default Gateway

Couldn't connect to the internet.
September 30, 2012 7:07:55 PM



That's odd because 205 is in the range from 1 to 254 and is therefore a perfectly valid address. Change it back to automatic and let DHCP allocate a number for you. It was never going to make a difference to the confusion over the country because it's only your internal IP anyway.

As to that issue, I can't see how different browsers can cause that. The Internet Options in Control Panel control all browsers. My best shot at that is that two browsers have stored Cookies that IE doesn't have but I thought the suggestion was made earlier to delete all Cookies.



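The thread leaves the browser-dependent region unexplained. One thing that does differ per browser on the same PC, and that many sites consult, is the Accept-Language request header: a browser whose language pack is en-GB sends en-GB first, one using a Canadian locale sends en-CA, independent of the IP address and of cookies. Whether Hotmail did this in 2012 is not established here, so treat it as an assumption. The Python below is an added example, not code from the page; it models that assumed site policy (use the region from the language header when present, otherwise fall back to IP geolocation) so the effect can be seen next to the IP-based answer. The requests are constructed. The practitioner's check for this is simply to compare the Accept-Language header the two browsers send, for example with a page that echoes request headers.

```python
def parse_accept_language(header: str) -> list:
    """Parse an Accept-Language header such as 'en-GB,en;q=0.5' into
    [('en-GB', 1.0), ('en', 0.5)], highest preference first."""
    prefs = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        pieces = [p.strip() for p in part.split(";")]
        tag, q = pieces[0], 1.0
        for param in pieces[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if q > 0:  # q=0 means "not acceptable"
            prefs.append((tag, q))
    prefs.sort(key=lambda t: t[1], reverse=True)  # stable: ties keep header order
    return prefs


def region_for_request(headers: dict, ip_country: str) -> str:
    """Model a site that uses the browser's language region when the header
    carries one and falls back to IP geolocation otherwise (assumed policy,
    not taken from the thread)."""
    for tag, _ in parse_accept_language(headers.get("Accept-Language", "")):
        sub = tag.split("-")
        if len(sub) >= 2 and len(sub[-1]) == 2 and sub[-1].isalpha():
            return sub[-1].upper()
    return ip_country


# Constructed requests: same WAN address (geolocated to Canada), three browsers.
SAMPLE_REQUESTS = {
    "firefox_en-GB_build": {"Accept-Language": "en-GB,en;q=0.5"},
    "browser_with_CA_locale": {"Accept-Language": "en-CA,en;q=0.5"},
    "no_region_in_header": {"Accept-Language": "en"},
}


def regions_seen(ip_country: str = "CA") -> dict:
    """Region each sample browser would be assigned under the modelled policy."""
    return {name: region_for_request(h, ip_country) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, region in regions_seen().items():
        print(f"{name:24s} -> {region}")
```

If the two browsers on the PC really do send different Accept-Language values, clearing cookies, changing the LAN address or reinstalling the browser will not change the result; the language setting inside the browser will.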
October 1, 2012 12:40:06 PM

Saga Lout said:


That's odd because 205 is in the range from 1 to 254 and is therefore a perfectly valid address. Change it back to automatic and let DHCP allocate a number for you. It was never going to make a difference to the confusion over the country because it's only your internal IP anyway.

As to that issue, I can't see how different browsers can cause that. The Internet Options in Control Panel control all browsers. My best shot at that is that two browsers have stored Cookies that IE doesn't have but I thought the suggestion was made earlier to delete all Cookies.



Yes, I told the OP to clear his cookies like 5 posts above. I don't see how a browser can cause this issue either. As for his ISP not knowing how to change an IP address... either he was lying or he was at too low a level of technical support and needed upgrading to a higher level of support, maybe someone in network engineering.
October 2, 2012 3:56:55 AM

And I told you I cleared them already; in fact I clear them via Mozilla all the time. They had the exact same thing happen to them on their end so it must be a glitch for Mozilla for my network or something.

The guy told me nobody there was trained to deal with IP's so nobody knew anything and could help me regarding that. Which I thought was really strange and dumb.
October 2, 2012 5:55:05 AM



What they were probably saying is they didn't see how the IP address they allocate to you could possibly show up anywhere other than being in Canada.

My last shot at this is reluctant but so long as you're careful, you shouldn't go far wrong. Open Firefox and in the URL box type about:config then press Enter. Accept the "Here be dragons" warning but remember how serious it was because you can seriously screw the browser in there.

Scroll down to intl.hyphenation-alias. and if the value is UK, post back.

A safer alternative to this would be to uninstall Firefox and get a fresh download. If clearing Cookies didn't help, there must be something embedded in Firefox's memory.



October 2, 2012 6:20:49 AM

As I've said my WAN IP address is in Canada and they had no clue how to change my IP address; they mentioned going into TCP/IP like you did and asked me to do basically what you asked me and it didn't do anything.

Uhm, there's like 20+ intl.hyphenation-alias entries, e.g. intl.hyphenation-alias.en has value en.us, the uk one has value uk.

I'd have to save all my bookmarks and everything. Well I'm making a new computer in like 5 days so when I install Chrome or Mozilla and I'm still experiencing the problem I'll post back. I might just use IE when I have to make a Hotmail or whatever, but that would suck.