Page 1 of 3 123 LastLast
Results 1 to 10 of 26

Thread: Packets in are 10x packets out

  1. #1

    Packets in are 10x packets out

    Hello all:

    I am extremely new to both computers and security. unfortunately, the web doesnt wait for one to become familiar with things before getting hit... I am running Microsoft XP, and surf the web with Internet Explorer.

    I was surfing the web a few days ago, and one of the pages that came up was a trojan. i caught it (i thought) before it got into my comp, and I thought I deleted it. But now my packets out are 10 times my packets in, in my network connection status.

    I have AVG, and have run it 3 times, once in safe mode. I have ad aware and spybot, and have run those as well. Finally, I have kerio firewall, and have always had that running.

    I checked my Kerio intrusions, and have found several things:

    BACKDOOR trojan active trojancow
    trojan probe orifice
    trojan backdoor construction
    DDOS shaft synflood incoming

    a bunch of SCAN things, from nmap to webtrends

    a plethora of BACKDOOR trojans, from yetanother to Voodoo to portalofdoom.
    finally, there were severa attempts to remote activation bind.

    in the vast majority of things, the reference URL was www.whitehats.com/info/ID####
    the other common reference URL was www.cve.mitre.org
    there were several 4 digit numbers used.

    Aside from the incoming packet thing, my comp has no problems. I did not have the latest updates from Microsoft, but I have them now.

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    updating was a very good start. You may want to try housecall.trendmicro.com It is one of the best virus scanners I know of. Also download stinger (just google it, it is a mcafee product that has saved me tons of time and agrovation in the past) both are free and both are awesome. Make sure all your anti malware software is up to date and run thoe two scanners. run stinger in safe mode and re run adaware and spybot in safe mode also. After all that is done, if the problem still continues download hijackthis and post the log here and some of us can help you out with what to delete.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    As long as the intrusions have been logged by Kerio, you have nothing to worry about - it's the ones that Kerio didn't detect you should worry about

    The reference URL is just a link to more information on the attack.

    In your case, what I would do first is delete all Kerio rules, and start all over. Any time something requests a connection, look it up or ask for advice (look at what it's trying to connect to - look up the IP address). In addition to that, follow XTC46's advice

    And run a trojan scanner (http://www.agnitum.com/tauscan for example).

  4. #4
    Senior Member
    Join Date
    Mar 2005
    Posts
    175

    Use Firefox

    ...surf the web with Internet Explorer...
    Hi RamsestheGreat, have u checked out Firefox at http://********firefox.com or somebody recommended you using IE

    Use firefox and get rid of most of spyware/malware problems.
    \"And life is what we make it. Always has been, always will be.\"

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Yes, it certainly sounds as if "ET is phoning home"

    Get Ewido, and the Microsoft anti-spyware beta.

    Update everything then re-boot into safe mode and run them.

    Be warned, AVG, in common with a lot of AVs is not very good at detecting spyware and trojans. Hence the need to run specialist products in safe mode.

    Good luck

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    If your machine is compromised you need to reinstall it and restore carefully from backups.

    If you don't have a hardware firewall, be sure to install the updates before connecting to the internet; this is tricky if you have to connect to the internet to obtain them - ask a friend (who has not had their machine compromised) to burn the SP2 and latest updates on to a CD for you, so you can install them after you reinstall but before you connect to the internet (of course, run Windows Update too, once connected, to get any more recent ones).

    Slarty

  7. #7
    Junior Member
    Join Date
    Apr 2005
    Posts
    4
    <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en&Hash=FP4FH6C">M$Antispyware Beta</a> - the only free one that stays running in the task bar
    $p33k L337?

  8. #8
    OK, SO here's an update.

    I did all of the above suggestions. The only thing found was something that dealtwith Internet Explorer. I fixed that, but the problem persists.

    I guess I will download the hackerlog and see if that provides any illumination...

    Thanks for the advice, everyone. It was very appreciated.

  9. #9
    OK, I got hijackthis, and here's the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:08:45 PM, on 4/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\SmackyMc\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: eurekster Toolbar - {7380543E-F530-42EF-BDB0-D03BCCFA7185} - C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &eurekster Toolbar search - res://C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: eurekster Toolbar - {B9510087-D944-4309-9823-38D3D544D15B} - C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll
    O9 - Extra 'Tools' menuitem: eurekster Toolbar - {B9510087-D944-4309-9823-38D3D544D15B} - C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
    O16 - DPF: {7380543E-F530-42EF-BDB0-D03BCCFA7185} (eurekster Toolbar) - http://home.eurekster.com/toolbar/eurekster.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  10. #10
    Greeting's

    you hijackthis log looks clean to me except 1 entry

    Extra context menu item: &eurekster Toolbar search - res://C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll/SEARCH.HTML

    This search bar has been identified as nasty. Anyway looking at your hijackthis log it looks good except this i would advise you too creat new rules for your firewall something what negative said.

    I have saved analysis of your log at
    http://www.hijackthis.de/logfiles/fb...05792fd01.html
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •