Confused after attacks

Discussion in 'Malware Help (A Specialist Will Reply)' started by And21ob, May 23, 2007.

  1. And21ob

    And21ob Private E-2

    I wasn’t sure where to post this, but as I have attached some scans and my main concern is the vulnerability of my computer, I thought this best, although it may cross over into Networking.

    I have a 3com OfficeConnect 11g Firewall Wireless Router off which I connect a desktop and laptop, both running XP.

    At around the same time most evenings the desktop disconnects from the network with the message “limited or no connectivity” and will stay like this for anything between 15-90 minutes. However the laptop will still connect OK.

    When I check the router log I see entries such as:
    2007.05.22 17:19:02**SYN Flood to Host**192.168.1.2,1145->>207.36.239.153, 80 (from ATM1 Outbound)
    2007.05.21 22:12:28**Smurf**169.254.255.255->>169.254.43.130, Type3,Code3 (from ATM1 Outbound)

    Which makes me think I’m part of some sort of ‘smurf’ attack. A back trace on one of the IPs shows its address as IANA (Internet Assigned Numbers Authority) with a couple of hops beforehand and the eventual originator shown only as Private.

    I’m running Sygate firewall and this shows no security events in its log, so I guess that the routers firewall is doing its job and blocking anything getting through to my machine, but the loss of connection is really annoying.

    I can’t think I’m the target, as from what I’ve read this would appear to be IANA, but the fact is it would appear to be sending my connection down. I also don’t think my machine is pingable, so would hope not to be contributing to anybody else’s problem.

    Is there some way to stop this happening? Is it something I should take up with my ISP (it must be clogging their pipes)? Should I report it to some Internet monitor? Why does it only affect the desktop, because the laptop still connects OK? Am I correct in my assumptions? Any suggestions or more information would be gratefully received.

    As only the desktop is affected, this makes me think there may be something lurking on my machine, which I’m not picking up. I’ve got AVG Free, Spywareblaster, Spybot S&D, AdAware, Sygate Firewall, I’ve also run Counterspy trial version.

    I’ve run the scans on the “RUN ME & READ ME”, if someone can check them to make sure nothing is going on that I can’t spot I’d REALLY appreciate it.

    Cheers
     

    Attached Files:
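    The two router entries quoted above are the only hard evidence in this post, so the following is an added triage script (not code from the poster or from 3Com) that parses lines in that exact layout and tags each one. It assumes, from the two samples alone, that the line format is `date time**event**src[,port]->>dst[, port-or-ICMP-type] (from iface direction)` and that "Outbound" means the traffic originated on the LAN side. It uses two facts from the address ranges themselves: 169.254.0.0/16 is the link-local range a Windows host self-assigns when it gets no DHCP lease (the condition XP reports as "limited or no connectivity"), and 192.168.0.0/16 is RFC 1918 private space. The third log line is constructed for the example and is not from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two lines quoted in the post, plus one made-up
# inbound line in the same layout (203.0.113.0/24 is the RFC 5737 documentation
# range, chosen so that no real host is named).
SAMPLE_LOG = """\
2007.05.22 17:19:02**SYN Flood to Host**192.168.1.2,1145->>207.36.239.153, 80 (from ATM1 Outbound)
2007.05.21 22:12:28**Smurf**169.254.255.255->>169.254.43.130, Type3,Code3 (from ATM1 Outbound)
2007.05.23 01:02:03**SYN Flood to Host**203.0.113.9,40000->>192.168.1.2, 445 (from ATM1 Inbound)
"""

# Assumed line layout, inferred only from the two entries in the post.
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+)\*\*(?P<event>.+?)\*\*"
    r"(?P<src>[0-9.]+)(?:,(?P<sport>\d+))?->>"
    r"(?P<dst>[0-9.]+)(?:, ?(?P<detail>\S+))?\s*"
    r"\(from (?P<iface>\S+) (?P<direction>\S+)\)$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Event:
    date: str
    event: str
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    detail: Optional[str]   # destination port, or "TypeN,CodeM" for ICMP
    iface: str
    direction: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one router log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Event(
        date=g["date"], event=g["event"],
        src=ipaddress.IPv4Address(g["src"]),
        sport=int(g["sport"]) if g["sport"] else None,
        dst=ipaddress.IPv4Address(g["dst"]),
        detail=g["detail"], iface=g["iface"], direction=g["direction"],
    )


def is_lan(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def describe(addr: ipaddress.IPv4Address) -> str:
    """Human-readable class of an address, for the triage table."""
    if addr.is_link_local:          # 169.254.0.0/16, self-assigned without DHCP
        return "link-local/APIPA"
    if is_lan(addr):
        return "LAN (RFC 1918)"
    if addr.is_global:
        return "Internet"
    return "reserved/other"


def assess(ev: Event) -> str:
    """Tag an event with the defender's next step."""
    if ev.src.is_link_local or ev.dst.is_link_local:
        # Traffic to/from 169.254.x.x means a host on this LAN had no DHCP
        # lease at that moment; look at the DHCP/wireless association first.
        return "dhcp-failure-traffic"
    if ev.direction == "Outbound" and is_lan(ev.src) and "SYN Flood" in ev.event:
        # The router attributes the burst to a LAN host: inspect that host.
        return f"inspect-lan-host:{ev.src}"
    if ev.direction == "Inbound" and is_lan(ev.dst):
        # Unsolicited inbound traffic the router reported; nothing to do on the host.
        return f"blocked-inbound-from:{ev.src}"
    return "unclassified"


def triage(log_text: str) -> List[Tuple[str, str, str, str, str, str, str]]:
    rows = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rows.append((ev.date, ev.event, str(ev.src), describe(ev.src),
                     str(ev.dst), describe(ev.dst), assess(ev)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(" | ".join(row))
```

Run against the sample, the first line is tagged as a LAN host the router blames for the outbound SYN burst, the second as traffic involving a self-assigned link-local address, and the constructed inbound line as something the router already dealt with; the poster's desktop is 192.168.1.2 in the first entry, which is why the script points at it rather than at the remote address.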

  2. And21ob

    And21ob Private E-2

    Here are the rest of the scans
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs do not show any malware issues. I have a few things below for you to do but they are not malware issues nor should they have anything to do with your problem.
    Do both PCs connect via wireless? If not, how does each of them connect?
    Are you sure you do not have any kind of scans, defrags, etc. set to run at this time of day on the PC in question?
    When the problem occurs, do you see anything out of the ordinary in your process list? What about CPU usage at the time (is anything using a lot of CPU time)?

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software(2)
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software(2)
    C:\Program Files\Sunbelt Software

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    Make sure you reboot after uninstalling the above!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    After clicking Fix, exit HJT.
    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
  4. And21ob

    And21ob Private E-2

    Thanks for taking a look Chaslang

    Attached are the new logs.

    Both computers are wireless and there is nothing out of the ordinary running at the time the problem occurs, in fact it hasn't happened for a few days now and it would only appear I've had a few flood attacks blocked.

    If it happens again I'll check out processes and CPU.

    Cheers
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
