Norton Blocking "MS ASN1 Integer Overflow" Intrusion
   
confusedchris
Hi,

I am using Windows XP Home edition, with Service Pack 3.

I am running Norton Antivirus 2005. I regularly receive the following message from Norton:
_______

Details: Attempted Intrusion "MS ASN1 Integer Overflow TCP" against your machine was detected and blocked.
Intruder: 84.183.235.235(3660).
Risk Level: High.
Protocol: TCP.
Attacked IP: CHRISGRAY(84.115.134.94).
Attacked Port: netbios-ssn(139).
_______

I have looked on the Microsoft security updates page, but the available patches for this 'Integer Overflow' problem are not relevant to me, since I already have Service Pack 3 installed.

What does this Norton message mean? Should I be worried? How can I fix this?

Thanks very much for your help.

regards
Chris
-David-
Hi Chris

Your best bet is to take a read here first:
http://www.symantec.com/avcenter/attack_sigs/s20421.html

David
confusedchris
Thanks David...but I have already looked at this. The linked Microsoft Security bulletin seems to suggest that only Service Pack 1 should be affected (they provide a patch for this - doesn't help me though!)

any other input gratefully received...!

Thnx
-David-
"I am using Windows XP Home edition, with Service Pack 3."

Are you sure about this? There is no XP service pack 3. There is an Office SP3, and a Windows 2000 SP3.
Can you confirm what the actual service pack for Windows is?

David
confusedchris
yeah - sorry! I have Windows XP with service pack 2 (not 3!)

regards
Chris
-David-
Does this ring any bells at all:

DTAG Global IP-Addressing
Deutsche Telekom AG
D-90492 Nuernberg
Germany
+49 180 5334332
+49 180 5334252
ripe.dtip@telekom.de


Do you live anywhere near there, or use DTAG Global IP-Addressing?

David
confusedchris
I live in Austria, which borders Germany, so yeah not so far away.

I don't know what "DTAG Global IP-Addressing" is. Where did you get this info?!

Chris
-David-
Well, the IP that is trying to infiltrate your computer is rooted to that address. You can use a program called SmartWhoIs to determine the roots of IP addresses.
Give me a bit and I'll research and see what I can find. One additional question - is your Norton up to date? If not then please update it now.

David
-David-
Basically, this message is generated because a remote computer is trying to get into your computer (which is bad as you can understand).
Norton is doing its job and has blocked that attack.
After updating Norton let me know what happens.
David
confusedchris
Hi David,

Ok, I've updated Norton (and there were a few new things to install). However, Norton has stopped informing me regularly about this attack since at some point I clicked on 'don't notify me about this problem again'. Perhaps this was foolish of me? I was getting really distracted from work by the constant messages popping up!

Is it likely that the attempt by the remote computer is a deliberate act by someone at the source IP address? Should I / can I take any further action to prevent this?

Thanks very much for your support

Chris
-David-
I think that Norton is just doing its job and blocking the intrusion. It happened to me a while back, I just used my firewall to block (Kerio) and asked the firewall to stop notifying me. After about a week I turned the notifications back on and nothing came up. I'm in no way an expert at this sort of thing, but I imagine this intrusion was not directed solely at you. As long as Norton is updated and enabled you should be safe.

One thing that may be happening is that you may have some sort of file on your computer that is calling this IP to access your computer. It's a long shot but by no means impossible. What I suggest is that I ask for a Hijackthis log from you. I can then get you transferred to a security expert who can generally see if you are clean and perhaps offer further insight to the problem. What do you think?

David
confusedchris
Sounds good! I think first it would be a good idea for me to run Ad-Aware to make sure I'm as clean as possible, then I'll run Hijackthis and post the log on this thread. Could you tell me a couple of things:

1. How do I reactivate the notification from Norton?
2. How do I run Hijackthis? (I did it a couple of years ago, but can't remember the drill!)

Thanks
Chris
-David-
I need to look up how to reactivate that message. In the meantime I recommend you follow the HijackThis preparation guide which can be found here. It is important that you follow the guide closely. A number of scans will be run which may well fix your problem. You may find you have some of the programs already - like Ad-Aware as you said.

As the guide says, after you have completed the scans that are recommended, please post your "HijackThis" log in a new topic in the forum found here. Please add your system information and also what problems you are having. Please be patient, and a HJT team member will help you to clean up your system.

David

p.s. also give a link back to this topic.
confusedchris
Hi,

I've run through this suggested procedure and posted my hijackthis log here:

http://www.bleepingcomputer.com/forums/topic47125.html


No reply yet...but I know you guys are busy! Hope someone can help.

Thanks for all the support David.

Regards,
Chris
-David-
Excellent Chris --> you've got lots of detail there.
At the moment the HJT forum is getting snowed under - don't bump the topic as it will put you to the back of the queue. At the moment there are logs dating back to the 13th which haven't been answered.
Nevertheless you will definitely get an answer, but it may not be for a few days now.
Good Luck, and if you have any extra questions, ask here.
David
confusedchris
Hi David,

ok, I'll be patient! Just want to say a big thanks for your help - it's really much appreciated.

Take it easy!
Chris
-David-
Thanks Chris. I wish you the best of luck.
David