Author Topic: Can't get a ARP Spoofer off my PC  (Read 389 times)


Offline David979

  • Newbie
  • *
  • Posts: 2
Can't get a ARP Spoofer off my PC
« on: September 10, 2024, 07:48:32 PM »
I got ARP spoofed by an unknown person trying to get into my PC. I turned on my PC, which was slow and having internet connection problems. Avast antivirus tells me it is an “ARP spoofing attempt from XX.XX.16 to take my data transmitted to and from my PC”. I clicked the “disconnect and disable the connection” option. A few worked but other windows said “Sorry, we cannot execute this action.” Then, several Avast windows popped up showing more, from: XX.XX.10, XX.XX.17, XX.XX.22, XX.XX.27, XX.XX.44, XX.XX.236, XX.XX.252. Then from IP "169.254.174.164" several times. I think I accidentally pressed the X (close window) on the "XX.XX.27." The rest I just left there because my PC wasn't working amid the flurry of Avast pop-up alerts.

I restarted my PC 2 times and got more Avast ARP spoofing detections, this time with the same name as my WIFI except for a number 2 at the end. Another with a 3, 4, and 5! I restarted my PC for a 4th time and Avast doesn't detect the ARP spoofing anymore. My internet works again and my PC is not slow anymore. I can't find the fake WIFI names in my WIFI connections.

However, using XArp, the IP "XX.XX.27" is still there. I scanned using Avast, Malwarebytes, AdwCleaner and nothing pops up. I enabled Packet Filtering and static ARP entry. Did a network reset. Downloaded and used the Microsoft Safety Scanner on full scan and it detected 9 infected items and removed them. But the "XX.XX.27" is still there, so I did the scan again and now it detects 8 infected items. But after the scan, it says no files were infected. Did the scan again and 11 infected items were detected, but after the scan it says no files were infected. I cleared the ARP cache on CMD but the same address still pops up. Avast no longer notifies me when "XX.XX.27" is on my computer because I think I pressed the close button amid the panic when this attack started. Lastly, I went into the "connected devices" in my router and saw the "XX.XX.27" device and cut its connection to my router, but "XX.XX.27" is still detected through XArp and CMD. How can I remove the "XX.XX.27" ARP spoofer from my PC?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: Can't get a ARP Spoofer off my PC
« Reply #1 on: September 10, 2024, 09:48:58 PM »
Hi David979,

Important Note: 169.254.174.164 is a private IP address and is only used in internal network environments. Any abusive activity you see coming from an internal IP is either coming from within your network itself or is the result of an error or misconfiguration.

Suggested Steps to Remove the ARP Spoofer

Reconfirm the Device on the Network:
Since you are still detecting "XX.XX.27" through XArp and CMD, double-check your router's admin page. Look for any devices that do not belong, and if needed, change your Wi-Fi password to prevent unauthorised access.

Static ARP Entries:
You mentioned you enabled static ARP entries. Make sure these are set correctly. You should have entries that only include your legitimate devices. Remove any suspicious static entries related to "XX.XX.27".

Network Isolation:
If feasible, isolate your network. Disconnect all devices except your primary PC. This can help you determine whether the issue persists even in a limited environment.

Complete Scan and Removal:
Since you've scanned with multiple tools (Avast, Malwarebytes, etc.), consider using additional security tools like ESET Online Scanner or RKill to ensure there are no hidden threats.

Reset Network Settings:
You mentioned doing a network reset. If that hasn't cleared the ARP cache, try manually flushing the ARP table again by running:
CopyReplit
arp -d *
After that, restart your PC to see if the entries persist.

Update and Secure Router Firmware:
Ensure that your router's firmware is up to date. Some routers may have vulnerabilities that allow unauthorised users to spoof ARP requests. After updating, change your router's admin password.

Consider Hardening Your Network:
To prevent future spoofing attempts, consider implementing security measures such as MAC address filtering or setting up a guest network for untrusted devices.

Monitor Your Network:
Keep monitoring your network using tools like XArp to see if the device keeps reappearing, even after you’ve taken the previous steps.

polonus (volunteer 3rd-party cold recon website-security-analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
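
For the static-entry and monitoring steps in the reply above, an added example (not part of polonus's post, and not Avast or XArp code): it reads the text printed by `arp -a`, lists the static entries that were set by hand, and flags any MAC address claimed by more than one IP, the pattern ARP spoofing leaves in the cache. The sample table is constructed, and the parser assumes English-language Windows output.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (documentation addresses).
SAMPLE = """
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             02-00-00-aa-bb-27     dynamic
  192.0.2.27            02-00-00-aa-bb-27     dynamic
  192.0.2.44            02-00-00-aa-bb-44     static
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})"
                 r"\s+(static|dynamic)\s*$", re.IGNORECASE)

def parse_arp_table(text):
    """Return (ip, mac, type) tuples for every entry row in the output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((ipaddress.ip_address(m.group(1)),
                         m.group(2).lower(), m.group(3).lower()))
    return rows

def is_unicast(ip, mac):
    # Broadcast and multicast MACs have the lowest bit of the first octet set;
    # Windows adds those entries itself and marks them "static".
    return not (int(mac[:2], 16) & 1) and not ip.is_multicast

def shared_macs(rows):
    """MACs that answer for more than one unicast IP address."""
    by_mac = defaultdict(list)
    for ip, mac, _kind in rows:
        if is_unicast(ip, mac):
            by_mac[mac].append(str(ip))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def manual_static_entries(rows):
    """Static unicast entries; each can be removed with `arp -d <ip>`."""
    return [str(ip) for ip, mac, kind in rows
            if kind == "static" and is_unicast(ip, mac)]

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE)
    print("shared MACs:", shared_macs(table))
    print("manual static entries:", manual_static_entries(table))
```

A Wi-Fi range extender that relays its clients under its own MAC address can produce the same shared-MAC pattern, so a flagged address should be matched against the router's device list before it is treated as hostile.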

Offline David979

  • Newbie
  • *
  • Posts: 2
Re: Can't get a ARP Spoofer off my PC
« Reply #2 on: September 15, 2024, 10:28:22 AM »
Hi polonus,

Much appreciation for your help.

I changed the password of my router and WIFI. When reconnecting to my WIFI, an Avast pop-up window appears with “connection to new network” where my WIFI name had a strange EXT2 and then an EXT3 on a 2nd reconnection. On a 3rd reconnection, Avast doesn’t give me those fake connection names anymore but instead my regular WIFI name without the EXT2 or EXT3. Can I trust this connection is truly mine and the ARP Spoofer is out?

I disconnected a device with the “XX.XX.27” in my router, which left my WIFI Extender not working. So I enabled it again and my WIFI Extender works again. Therefore, I assume that IP number is my WIFI range extender. When I check XArp, the “XX.XX.27” and the other numbers have a green checkmark on them. If I reconnect, the results sometimes are the same, but other times are different with the same numbers with a red X. XArp sometimes gives my router IP and my laptop IP a red X. Sometimes a green checkmark. Oddly, the only consistent green checkmark is the “XX.XX.27”.

XArp pop-up windows say "Corrupt Filter: ethernet sender mac does not match arp sender mac" and another says "MacFilter: incoming packet but sender mac set to our own mac address". Not sure what these two descriptions mean.

I scanned using ESET Online Scanner and Rkill and no detections pop up. Using the Microsoft Safety Scanner still shows 8 virus detections but once the scan finishes, it says no infections.

I did a network reset again. Using the CopyReplit on CMD doesn't work. But the arp -d * does work but after a restart the entries persist. I don't know how to remove suspicious static ARP entries.

I am confused if the ARP Spoofer is still on my PC or not. Changing the password on my WIFI has changed my "XX.XX.27" from being a consistent red X to a consistent green checkmark. I don't know why Microsoft Safety Scanner keeps on detecting viruses but after the scan, it says no detection.
« Last Edit: September 15, 2024, 10:43:42 AM by David979 »
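
The two XArp messages quoted in the post above name two consistency checks on a received ARP frame. An added example (not part of the thread and not XArp's own code) that applies those checks as the message wording describes them; the MAC addresses, IP addresses and frames are constructed samples.

```python
import socket
import struct

ARP_ETHERTYPE = 0x0806

def fmt(mac):
    return "-".join(f"{b:02x}" for b in mac)

def build_frame(eth_src, arp_sender_mac, sender_ip, target_ip):
    """Construct a 42-byte Ethernet + ARP reply frame for the samples below."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, eth_src, ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      arp_sender_mac, socket.inet_aton(sender_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp

def check_received_arp(frame, own_mac):
    """Return the anomalies in one received frame (frames we sent are excluded)."""
    if len(frame) < 42:
        return ["truncated frame"]
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        return []                      # not an ARP frame, nothing to check
    sender_mac = frame[22:28]          # ARP "sender hardware address" field
    findings = []
    # The Ethernet header and the ARP payload should name the same sender.
    if eth_src != sender_mac:
        findings.append(f"ethernet sender mac {fmt(eth_src)} does not match "
                        f"arp sender mac {fmt(sender_mac)}")
    # Nobody else on the LAN should be sending with this machine's MAC.
    if own_mac in (eth_src, sender_mac):
        findings.append("incoming packet but sender mac set to our own mac address")
    return findings

# Constructed sample data (locally administered MACs, documentation IPs).
OWN, ROUTER, OTHER = (bytes.fromhex(h) for h in
                      ("020000000010", "020000000001", "020000000027"))
CLEAN = build_frame(ROUTER, ROUTER, "192.0.2.1", "192.0.2.10")
MISMATCH = build_frame(OTHER, ROUTER, "192.0.2.1", "192.0.2.10")
OWN_MAC_SEEN = build_frame(OWN, OWN, "192.0.2.27", "192.0.2.10")

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN), ("mismatch", MISMATCH),
                        ("own mac", OWN_MAC_SEEN)):
        print(name, check_received_arp(frame, OWN))
```

Either finding means the sender a frame claims is inconsistent with the hardware that delivered it. Devices that bridge or relay traffic can trigger these checks as well as a spoofer, so a finding identifies a frame to investigate rather than a culprit.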

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: Can't get a ARP Spoofer off my PC
« Reply #3 on: September 15, 2024, 10:16:02 PM »
Hi David979,

To check whether the ARP-Spoofer has really been cleansed from your computer, you could ask a qualified remover. We did have such qualified removers in the past, but today I would advise you to go to the Malwarebytes forum and ask for assistance.

Mind you that the instructions given are just for your individual case and cannot be taken as a general cleansing method.

I hope your OS is now clean or soon will be,

polonus