Unknown IP address accessing Email



katyz's Avatar
katyz katyz is offline
Member with 2 posts.
THREAD STARTER
 
Join Date: Aug 2012
01-Aug-2012, 06:41 AM #1
Unknown IP address accessing Email
I hope you can help me. I got an alert from Yahoo saying that there was suspicious login activity detected on my account & directing me to check my Recent Login Activity. Everything looked OK except that times seemed to be consistently off by 2 hours and IP location said CO, US instead of WV, US. IP address was listed as 184.20.22.179 (I had never checked my Login Activity before so I have no idea if this has changed recently). It shows the same IP address whether I access it from my laptop or my desktop.

This is what my computer shows for my IP Configuration on my laptop which is what I use mostly:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Kathryn>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Kate
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR5006EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-16-E3-6B-B3-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 184.63.128.68
184.63.128.69
Lease Obtained. . . . . . . . . . : Wednesday, August 01, 2012 3:22:53 AM
Lease Expires . . . . . . . . . . : Thursday, August 02, 2012 3:22:53 AM


Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-A0-D1-4C-1B-A4

Since the IP address that is accessing my Email doesn't match anything that is showing up here I am wondering if this is a sign that someone else has taken over my machine. I do have my firewall turned on but in the past my virus protection has been spotty because I was on dial-up and updates just would not download on such a narrow bandwidth. Also a few of my friends have received Emails which appeared to be from me but which I didn't send that had nothing in the subject line and just some link.

I recently (1 month ago) switched from dial-up internet to Satellite based internet - Wildblue which is a ViaSat company. This includes anti-virus protection in the package. I ran an online virus scanning program (Microsoft) and it did find 1 malware which it removed and said it had affected 10 files. It occurred to me that maybe my Email access was being routed through a Wildblue server and that was the strange IP address but when I called tech support at Wildblue the guy assured me that it didn't have anything to do with them and suggested that it might be my wireless router's IP. When I looked online to find out how to look up my router's IP I found out that 192.168.1.100 is the default IP for Linksys routers which is my Default Gateway.

So now I'm just confused! I still have no idea where this strange IP is coming from. I'm afraid to use my computer for any financial activity until I can be sure it is safe. I had to deactivate my Webaccess to my financial institutions until I can get this sorted out.

Can you tell me what is going on here? What should I do next? I am a real neophyte when it comes to this technical stuff but if you speak slowly and use small words I can usually follow directions. Thanks for your help and patience.
1002richards's Avatar
Computer Specs
Trusted Advisor with 5,222 posts.
 
Join Date: Jan 2006
Location: Sussex, UK
Experience: Intermediate
01-Aug-2012, 07:42 AM #2
Hi and Welcome,
Some basics 'til someone more knowledgeable chips in -

I had a similar warning on my Google Mail account some months ago. I changed my Google Mail password and security question and answer - that was reassuring 'cos I was able to & no one had messed with those.
I then changed my banking passwords & security questions & answers.

I then kept an eye on my recent login activity and saw nothing untoward - and still haven't.

As I said, some basics to have a think about.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 97,750 posts.
 
Join Date: Aug 2003
01-Aug-2012, 09:15 AM #3
Every time you visit a web site your IP address is logged. It doesn't mean it's being routed through that IP address. The IP address 184.20.22.179 indeed belongs to WildBlue and if you enter that into the box at this link you will see that it resolves to WildBlue in Englewood, Colorado, which is probably where they are routing from:

http://www.all-nettools.com/toolbox/smart-whois.php

The same applies for the IP addresses in your IP config log where it shows:

DNS Servers . . . . . . . . . . . : 184.63.128.68 - 184.63.128.69

If you enter those into the SmartWhoIs tool you will see that they are WildBlue ranges as well.

Having said that, IP addresses can be spoofed. It would be important to know what malware was detected. Please check the logs and report back what the findings were.
__________________
Microsoft MVP - Consumer Security
lunarlander's Avatar
Computer Specs
Member with 5,639 posts.
 
Join Date: Sep 2007
01-Aug-2012, 05:41 PM #4
First, I think you need to understand routers. Your router's IP address is 192.168.1.1 on the inside. And PCs in your network get assigned IP addresses beginning probably with 192.168.1.100. However, on the Outside, your ISP has a router too, and hands out IP addresses to customers' routers. To find out what IP address your ISP handed out to your router, visit http://www.whatsmyip.org/ . As for the difference between Inside IP addresses and Outside IP addresses, you just have to know that the IP that the ISP gave your router can be routed through the internet, while the inside IP address which your router hands out isn't recognized on the internet. When any of your PCs sends traffic out to the internet and it passes thru your router, your router modifies the 'sender address' with the Outside IP. And when the internet responds to your PC's queries, it sends it back to your router (your Outside address) and the router figures out which of your PCs sent the request. It keeps a table of who sent what to where.

Last edited by lunarlander; 01-Aug-2012 at 05:51 PM..
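
Added example (not part of the original thread or any poster's code): a toy Python model of the address rewriting described in post #4, showing why a site's login log lists one Outside address for every PC behind the router and never the 192.168.1.x address from ipconfig. It assumes 184.20.22.179 is the Outside address, a hypothetical desktop at 192.168.1.101, and a placeholder site address.

```python
import ipaddress

class NatRouter:
    """Toy port-translating router: one Outside IP shared by all Inside PCs."""

    def __init__(self, outside_ip, inside_net, first_port=40000):
        self.outside_ip = ipaddress.ip_address(outside_ip)
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        self.table = {}  # outside port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the sender address of a packet leaving the home network."""
        src = ipaddress.ip_address(src_ip)
        if src not in self.inside_net:
            raise ValueError(f"{src} is not an Inside address")
        for port, owner in self.table.items():
            if owner == (src, src_port):
                break  # this PC/port pair already has a table entry
        else:
            port = self.next_port
            self.next_port += 1
            self.table[port] = (src, src_port)
        return (str(self.outside_ip), port, dst_ip, dst_port)

    def inbound(self, dst_port):
        """Look up which Inside PC a reply sent to the Outside IP belongs to."""
        owner = self.table.get(dst_port)
        if owner is None:
            return None  # no matching request in the table
        return (str(owner[0]), owner[1])

def address_logged_by_site(router, pc_ip, pc_port, site_ip):
    """Source address a web site records for an HTTPS request from pc_ip."""
    return router.outbound(pc_ip, pc_port, site_ip, 443)[0]

def is_private(ip):
    """True for addresses that are not routed on the internet."""
    return ipaddress.ip_address(ip).is_private

# Constructed scenario. Assumption: the address shown in the login log is
# the Outside address; the desktop address is hypothetical.
ROUTER = NatRouter("184.20.22.179", "192.168.1.0/24")
SITE = "203.0.113.10"  # placeholder from a documentation range
LAPTOP_SEEN_AS = address_logged_by_site(ROUTER, "192.168.1.100", 1025, SITE)
DESKTOP_SEEN_AS = address_logged_by_site(ROUTER, "192.168.1.101", 1025, SITE)
```
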
katyz's Avatar
katyz katyz is offline
Member with 2 posts.
THREAD STARTER
 
Join Date: Aug 2012
08-Aug-2012, 09:54 PM #5
CookieGal - Thank you for your help. So it sounds like I don't really have anything to worry about since the IP address resolves back to my internet provider... right? I don't really know how to check the logs to find out what malware was detected. It was an online virus scanner from Microsoft and all I remember is that it said it had detected 1 malware and had removed it.

lunarlander - Thank you for your explanation - I think I understand - at least a little more than I did before.

Katyz
Elvandil's Avatar
Computer Specs
Moderator with 51,993 posts.
 
Join Date: Aug 2003
Location: Vermont
Experience: "Been through the mill."
08-Aug-2012, 10:33 PM #6
Unless you have a static IP, your own IP address can change from one login to another, too. You may have had a different IP address at some previous time when you went to Yahoo.

It doesn't look like anything is wrong or that anyone else is involved.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 97,750 posts.
 
Join Date: Aug 2003
09-Aug-2012, 06:10 PM #7
I agree that it looks like everything is fine but without knowing what "malware" was found and deleted, it's difficult to say all is completely well. If you want to, we can run a few scans to check to see if anything shows up. Let me know if you would like to do that.
aka Brett's Avatar
Account Disabled with 16,918 posts.
 
Join Date: Nov 2008
13-Aug-2012, 03:56 PM #8
Something to add here as well...With wildblue your ip can change quite often if you are using their optimizer which essentially sends you through their proxy.
Personally I don't use it much as it can cause an occasional issue with sites.