Virus Assistance Please...

Discussion in 'General Chat' started by wendydettmer, Mar 13, 2005.

  1. #1
    Ok, I'm getting ready to throw my computer out the window. Here is what's going on... If anyone has any ideas, it would be great. We have a home network with several computers on it, all behind a router. The only firewall running is that on the router.

    I chat on IRC on occasion; recently, every time I make a connection, even if only for a few seconds, we get 100's of 'attacks' from a certain IP address. From what I can tell, nothing is being downloaded to my computer during this. I have run every spyware/virus software/virus removal program I can think of. I have done searches for IRC trojans and worms, and I've run removal programs for all of them. They found nothing.

    Also, my computer is sending out probes to port 139 on my hubby's computer every 13 minutes, and I have no idea why....

    I'm close to reformatting the whole stupid computer, but that won't stop this from happening again.
     
    wendydettmer, Mar 13, 2005 IP
  2. anthonycea

    #2
    Wendy, I had a Sygate firewall on my box and it was showing attacks on ports from many different sources.

    You are telling us it is your computer that is being used as a Zombie by some malware program :confused:

    Have you saved all your files off of your hard drive yet before you reformat the hard drive :confused:

    You have the original CD to reload the OS after you do this, right :confused:

    ps: We have a member here named DarkSat who is an expert at this sort of thing, pull his profile and find the link to his Tech Forum, join and ask the question over there, he is really good at this sort of thing and can guide you :)
     
    anthonycea, Mar 13, 2005 IP
  3. TheWebJunkie

    #3
    I'm not sure if I am right, but port 139 is something to do with a NetBIOS exploit; some hackers could be running a scanning app on IP ranges to find exploitable machines.
     
    TheWebJunkie, Mar 13, 2005 IP
  4. J.D.

    #4
    What do you call an attack? Just a connection attempt or you see some other evidence (e.g. malformed packets, etc). Are you on a cable or a DSL?

    What's the OS and how do you know that it does this? Are you running a network sniffer? In general, port 139 is used by Windows for accessing shares. Does either of your computers have shares that the other one is trying to access?

    If it's a configuration issue, reformatting your hard drive won't do much good. Find the reason first and then decide how to deal with it.

    J.D.
     
    J.D., Mar 13, 2005 IP
  5. anthonycea

    #5
    Exactly JD, I would have her discuss it with you or DarkSat before she does anything drastic :) :cool:
     
    anthonycea, Mar 13, 2005 IP
  6. wendydettmer

    #6
    The attack is a connection attempt. He is running a firewall and it notifies him of this; he has blocked my IP now, because we aren't trying to share anything. We're on cable modem and I'm running XP.

    I'll look up DarkSat, thanks :)
     
    wendydettmer, Mar 13, 2005 IP
  7. J.D.

    #7
    Most likely then this is not an attack, but some idiot who's running an unprotected PC on the same network segment as you are. I'm getting about 5-10 such attempts per second. If you are on a DSL, your IP address changes every time you connect, but it's common for cable subscribers to retain the IP address between connections. Most likely this is why you are getting the same guy trying to connect to you again and again.

    You can easily verify if this is the case. Create a temporary account (so that your name wouldn't be logged) and run this command from the command prompt:

    net view \\<ip-address>

    If you get a list of shares or an "Access Denied" message, then this poor guy/girl is indeed sitting on a shared segment and broadcasting his/her info all over the web.

    J.D.
     
    J.D., Mar 13, 2005 IP
  8. anthonycea

    #8
    JD, important question, I had an automatic update from M$ that installed their firewall by default and enabled it.

    Then it screwed up my dial up connection after reboot.

    I called Bell South and they told me to take down the M$ firewall and don't use it, M$ blamed it on Bell South as they claimed they did not patch their software.

    What is a good free firewall for XP pro, I used Sygate on my last box (XP home), can you comment?

    I am not running any firewall right now at all, I do have the best AV running, NOD 32 though :cool:
     
    anthonycea, Mar 13, 2005 IP
  9. J.D.

    #9
    AV is not a replacement for a firewall. I would recommend you to invest $50 into a standalone router/firewall (e.g. http://www.amazon.com/exec/obidos/t..._6/104-8044148-8250360?v=glance&s=pc&n=507846).
    Obviously, you need to check if it is compatible with your ISP, but in general most routers support a variety of ISP connection mechanisms.

    External firewalls are simple to configure and provide a good level of protection. Some of them also can even help you to fool evil ISPs if they do not allow you to have more than one machine on their connection (the router will pretend that it's a single machine).

    Don't connect to the network without a firewall. It takes only a few seconds for a scanner to pick you up. You can check your connection here: www.grc.com. Follow the Shields Up link a couple of times (it's way down the page on the second page). The website generates a report which ports are open and which shares can be accessed by the outside world.

    J.D.
     
    J.D., Mar 13, 2005 IP
  10. anthonycea

    #10
    What about just enabling the M$ firewall again, do you think it would screw up the dial up connection again :confused:
     
    anthonycea, Mar 13, 2005 IP
  11. J.D.

    #11
    What happens to your connection when you enable MS' firewall?
     
    J.D., Mar 13, 2005 IP
  12. anthonycea

    #12
    I don't know JD, I never enabled it after the update after it screwed up my dial up settings, Bell South told me to turn it off as it does not do much good by what they said :confused: :cool:

    I should just go back to Sygate and get their free firewall, last time I had it it worked for a while and then we had some problems with it and removed it because of a conflict with other programs.

    I really need to get a MAC and get away from Windows to be honest about it, I hate Windows OS :eek:
     
    anthonycea, Mar 13, 2005 IP
  13. J.D.

    #13
    Well, they lied. Never trust what the first-level support tells you. They don't know squat. Try turning it on and see if it connects. You may be able to work out the problem, if you have any, if you right-mouse click on My Network Places > Properties > your-connection-name > Advanced > Windows Firewall Settings. These dialogs are made for non-techies and you should be able to click around.

    Don't assume that it's all easy and safe. I used Mac and I hated their help - for most advanced items it was "talk to your administrator" and I had to search for a lot of things on Apple's website. That was some time ago, though, maybe they improved.

    J.D.
     
    J.D., Mar 13, 2005 IP
  14. anthonycea

    #14
    I turned the M$ firewall in XP pro back on and it did dial up JD.

    The download and automatic enable of the Windows Update was the problem and that changed the dial up connection.

    We will see what happens, but I still do not trust M$ or their firewall or anti-spyware software, there have been reports that it is eating hard drives, the good news is the M$ will give users $5.00 for their screwed up drives as they mention in the anti-spyware EULA :p :p

    JD, my next box will be on MAC or Linux, can't keep up with being a security expert to run windows and am tired of all the flawed patches and the flawed OS/IE Windows platform :eek:
     
    anthonycea, Mar 13, 2005 IP
  15. J.D.

    #15
    So, I take it that you were able to connect with the firewall on. Right?

    Ok, I *do not* want to start a discussion on this topic - just practical advice. Don't assume that all alternative platforms are much, much better. They have flaws as well and not as few as many believe. Invest into a hardware firewall and disable firewall on all of your machines (unless you have kids, but that would be a whole different thread :)).

    J.D.
     
    J.D., Mar 13, 2005 IP
  16. anthonycea

    #16
    Yes JD, it got through after the M$ firewall was enabled, but it is not showing the icon on the bottom of the screen as the old XP home OS showed.

    A software/hardware firewall, explain the differences to the forum, a hardware firewall is a little black box :confused:
     
    anthonycea, Mar 13, 2005 IP
  17. J.D.

    #17
    Go to your connection properties and you will see a checkbox at the bottom "show icon in notification area when connected". This should get you your icon back.

    You might want to go to the site I mentioned to double-check that you are safe (all of your shares must not be visible and all of your ports must be marked as Stealth). If you see any shares, go to firewall's properties and disable them.

    Just to remind everybody, a firewall is software (running on your machine or on a dedicated device) that inspects every packet of data that you send or receive from the network and either forwards inspected packets to their final destination or drops them. Most consumer routers do have built-in firewalls and may be configured in a number of ways (e.g. if you play online, you may need to open certain ports, etc). Typical wiring goes like this:

    wall socket (cable, DSL, etc) > ISP modem > router/firewall > N computers

    This way you are able to connect more than one machine to the Internet and because you will be able to uninstall your dial-up software, you may even receive quite a bit of a boost on transfer speeds (I saw software provided by ISPs to throttle 150KBps connections to about 30KBps).

    The big advantage of this setup is that your machines (N computers) will be able to communicate between each other without any firewall, so that you will see all of your shares, but the outside world will not be able to see them. With a software firewall, you will have to manage multiple exceptions and access lists, which is not what you want to do.

    J.D.
     
    J.D., Mar 13, 2005 IP
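
The forward-or-drop decision and the wiring described in post #17, modelled as an added example (not code from any poster or router vendor). The LAN range, the documentation addresses and the class and function names are assumptions, and NAT is left out so the addresses stay readable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed home LAN range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class RouterFirewall:
    """Default-deny inbound filter with connection tracking (NAT left out)."""

    def __init__(self, lan=LAN):
        self.lan = lan
        self.flows = set()  # outbound flows started from inside the LAN

    def decide(self, p):
        src_in = ip_address(p.src) in self.lan
        dst_in = ip_address(p.dst) in self.lan
        if src_in and dst_in:
            return "local"    # switched inside the LAN, never reaches the filter
        if src_in:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "forward"  # outbound: allow and remember the flow
        if dst_in and (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "forward"  # reply to a connection a LAN host opened
        return "drop"         # unsolicited inbound: silently discarded

# Constructed traffic: .10 and .11 are LAN PCs, 203.0.113.7 stands in for an
# IRC server, 198.51.100.23 for an Internet scanner (documentation addresses).
SAMPLE = [
    Packet("192.168.1.10", 1050, "203.0.113.7", 6667),   # PC opens IRC session
    Packet("203.0.113.7", 6667, "192.168.1.10", 1050),   # server reply
    Packet("198.51.100.23", 4000, "192.168.1.10", 139),  # outside probe of 139
    Packet("203.0.113.7", 6667, "192.168.1.10", 139),    # known host, new port
    Packet("192.168.1.10", 1051, "192.168.1.11", 139),   # LAN PC to LAN PC
]

def run(packets=SAMPLE):
    """Return the verdict for each packet, in order."""
    fw = RouterFirewall()
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The last packet comes back as `local`: traffic between two machines behind the same router does not pass through the router's filter, so only a firewall on the receiving PC will see it.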
  18. anthonycea

    #18
    Thanks for the help JD, but you must also understand that most folks are not security experts and do not want to become one just to compute and go online.

    This is why M$ is investing in anti-spyware technology and AV also.

    They do understand that consumers are tired of this BS of malware spyware and IE problems in addition to major problems with the Windows OS.
     
    anthonycea, Mar 13, 2005 IP
  19. J.D.

    #19
    You don't need to be one in order to set up a hardware firewall. If I'm still around by the time you get one, PM me and I will help you out to configure it.

    J.D.
     
    J.D., Mar 13, 2005 IP
  20. wendydettmer

    #20

    The house network is sitting behind a router, so my computer is as well. It shows as my computer attempting to connect to my husband's.
     
    wendydettmer, Mar 13, 2005 IP
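
For the symptom reported in this thread (one LAN host connecting to port 139 on another at a fixed interval), the following added example, not written by any poster, shows how a firewall log can be checked for timer-driven connections. The log layout, addresses and function names are constructed for illustration and do not match any particular firewall product.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in a made-up "date time src dst:port action" layout.
SAMPLE_LOG = """\
2005-03-13 10:00:05 192.168.1.10 192.168.1.11:139 BLOCK
2005-03-13 10:04:41 198.51.100.23 192.168.1.11:445 BLOCK
2005-03-13 10:13:04 192.168.1.10 192.168.1.11:139 BLOCK
2005-03-13 10:26:06 192.168.1.10 192.168.1.11:139 BLOCK
2005-03-13 10:31:17 198.51.100.23 192.168.1.11:139 BLOCK
2005-03-13 10:39:05 192.168.1.10 192.168.1.11:139 BLOCK
2005-03-13 10:52:04 192.168.1.10 192.168.1.11:139 BLOCK
"""

def parse(line):
    """Split one log line into (timestamp, (src, dst, port))."""
    date, clock, src, target, _action = line.split()
    dst, port = target.rsplit(":", 1)
    when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return when, (src, dst, int(port))

def periodic_flows(log_text, min_events=4, max_jitter=0.05):
    """Return {flow: mean interval in seconds} for flows that recur on a timer."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, flow = parse(line)
            seen[flow].append(when)
    result = {}
    for flow, times in seen.items():
        if len(times) < min_events:
            continue  # too few events to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean gap points at a scheduled task or
        # service rather than a person or a random scanner.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            result[flow] = round(avg)
    return result

if __name__ == "__main__":
    for (src, dst, port), secs in periodic_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} every ~{secs / 60:.0f} min")
```

A flow flagged this way tells you which source host to examine for a service or scheduled task with a matching interval.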