Possible connection to my PC. Tried as much as I know.


  1. Posts : 5
    windows 7 pro 64
       #1



    I was on last night and had Skype running in the background and Malwarebytes notified me out of nowhere..




    Then I turned off all connections to the internet like browser etc.. restarted to do a netstat.. it showed established on 1 only.. to foreign address and IP address:server. Also the mouse started being a bit unusual.

    I ran malwarebytes.. all ok except 2 cookies.
    I ran CCleaner all ok
    I ran AVG Pro... all ok
    I ran Kaspersky rootkit killer.. all ok

    I can run dds.scr and give logs if that's what ye do on here.

    When I ran netstat this morning, the established connection now does not show from last night,

    there are some established but to my IP I think? Example connection 127.0.0.1:65400, a port on my PC.. I'm not sure, I can screenshot if needed.. also there are a few time_waits..

    I've also started using Firefox and not IE explorer.. but I tried to uninstall IE and it won't show up in CCleaner to uninstall or in remove programs.

    let me know if you look at logs.. .. any help would be great...


  2. Posts : 1,449
    Windows 7 ultimate 64-bit
       #2

    From the sounds of it, it sounds like someone (hacker maybe?) was trying to access your system remotely (well, obviously). I would turn off all "remote" connections that allow other people to access your PC remotely, as that is a big security loophole in Windows unfortunately, and I don't believe Microsoft has ever found a way to completely secure remote connections. So if you ever have to use it, once you're done, disable the connections. I don't recall exactly where it is right now, but there is a check box in the system control panel somewhere that will allow you to disable remote connections.


  3. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #3

    Hi there.

    If you are on a HOME connection with a Router then a hugely valuable piece of information is to look at the router logs. Usually accessible via 192.168.0.1 or 192.168.1.1 and you get the router's control panel.

    I think also Virgin UK customers can get at this sort of stuff too. Check the documentation to get access to the router's / TiVo / cable box's control panel.

    The router should be able to STOP anything incoming before it even GETS to your PC.

    I'm not sure though if you are on a CABLE connection whether you can get the same sort of info. -- Sometimes the older slower stuff provides more assistance than the One-click setup of all modern gear.

    The other thing is to ensure your INCOMING firewall blocks all ports other than those you specifically need.

    Cheers
    jimbo


  4. Posts : 5
    windows 7 pro 64
    Thread Starter
       #4

    Ok, @matts6887, I went to remote desktop and did the opposite of what is in settings here...


    @jimbo45

    Based in Ireland.. but I'm logged in to router now.
    Logs show all from January 1st, a lot of info, the next date is May 7th with lots of info, which was this morning when it happened?

    I'm unsure what the logs mean.. it's listed from 4:58 this morning up until 5 minutes ago, here are the 1st logs since January 1st...

    45 May 7 04:58:09 INFO set time to 2014/5/7/ 4:58:9
    46 May 7 04:58:12 INFO Internet up, PPPoE LLC, 8/35, IP=(EDITED OUT IP COS DNO IF SHOULD POST IT)
    47 May 7 04:58:16 INFO Periodic inform fail
    48 May 7 04:58:22 INFO Periodic inform success
    49 May 7 04:58:54 INFO received INFORM
    50 May 7 05:09:01 INFO received INFORM
    51 May 7 05:13:35 INFO received INFORM
    52 May 7 05:15:16 INFO received REQUEST
    53 May 7 05:15:16 INFO sending ACK to 192.168.1.1

    If the connection was established last night on netstat then possibly he has access and will connect later, these logs go up from 53 to 356 so far? Is this normal?


  5. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #5

    Here's what I get Googling the IP shown, but may not be correct.
    89.28.98.167 | IPLocationTools.com

    I pinged 89.28.98.167 and I got the same MBAM warning too but I didn't see it in time to note what app it was from. A second ping did nothing.


  6. Posts : 17,322
    Win 10 Pro x64
       #6

    peader99 said:

    ... but I tried to uninstall IE and it won't show up in CCleaner to uninstall or in remove programs.

    IE is part of Windows so you can't actually uninstall it, you can disable it,

    Windows Features - Turn On or Off

    While newer versions can be uninstalled from Windows Update, there will always be a version of IE on your system.


  7. Posts : 26
    Windows 8.1 x64
       #7

    Skype is a Peer-to-Peer (P2P) application. This means that it connects to a wide variety of IP addresses dynamically in order to establish a connection from one point to another.
    Because of this, Skype may sometimes connect to IP addresses that are also known for hosting malicious content such as malware. For this reason, Malwarebytes Anti-Malware may block such connections, though this should not affect your usage of Skype or the quality of communication through Skype itself.




    In MBAM 2.0


    Clicking the Add Process button allows you to exclude a process which would otherwise be blocked from accessing an internet address. Please note that this option is only functional on Windows Vista Service Pack 2, Windows 7, and Windows 8.x. This is typically of value to users who need to access filesharing and/or peer-to-peer applications. On occasion, IP addresses used by these applications may be blacklisted, so that Malwarebytes Website Protection blocks access to the website as a whole. Excluding the IP address makes the user more vulnerable, as would exclusion of the domain (if the website uses a domain name). Excluding the process — providing that the process is not an internet browser — would allow the P2P application to function without increasing risk.
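
Added example (not part of any post in this thread): one way to check the explanation above is to tie each ESTABLISHED row of `netstat -ano` to its owning process, setting aside loopback and LAN peers such as the 127.0.0.1:65400 entry from post #1. The netstat sample, the PID-to-process map and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    127.0.0.1:65400        127.0.0.1:65401        ESTABLISHED     2140
  TCP    127.0.0.1:65401        127.0.0.1:65400        ESTABLISHED     2140
  TCP    192.168.1.20:49170     203.0.113.45:443       ESTABLISHED     3312
  TCP    192.168.1.20:49171     198.51.100.7:40012     ESTABLISHED     3312
  TCP    192.168.1.20:49180     192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1184
"""
# Constructed PID-to-image map, as `tasklist /fi "PID eq <pid>"` would report.
SAMPLE_PROCESSES = {2140: "firefox.exe", 3312: "Skype.exe"}
# Private ranges treated as "your own network" (RFC 1918 plus IPv6 unique-local).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def classify(host):
    """Return 'loopback', 'lan' or 'external' for a netstat address."""
    ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
    if ip.is_loopback:
        return "loopback"   # the PC talking to itself, e.g. 127.0.0.1
    if ip.is_link_local or any(ip in net for net in LAN_NETS):
        return "lan"        # router or another device on the home network
    return "external"

def parse_netstat(text):
    """Yield (local, foreign_host, foreign_port, state, pid) for TCP rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue        # header, blank lines, UDP rows (no State column)
        _, local, foreign, state, pid = parts
        host, port = foreign.rsplit(":", 1)
        yield local, host, int(port), state, int(pid)

def external_established(text, processes):
    """Group ESTABLISHED connections to external peers by owning process."""
    owners = defaultdict(list)
    for _, host, port, state, pid in parse_netstat(text):
        if state == "ESTABLISHED" and classify(host) == "external":
            owners[(pid, processes.get(pid, "unknown"))].append(f"{host}:{port}")
    return dict(owners)
```

On a real machine, feed the function the text of `netstat -ano` from an elevated prompt; any external peer whose owner comes back as "unknown" or as an unexpected program is the entry worth investigating further.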


  8. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #8

    IP Information for 89.28.98.167

    IP Location: Moldova, Republic Of Balti Starnet S.r.l
    ASN: AS31252 STARNET-AS StarNet Moldova,MD (registered Mar 31, 2004)
    Resolve Host: 89-28-98-167.starnet.md
    IP Address: 89.28.98.167
    Whois Server: whois.ripe.net



 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd