Port scans and attacks to my IP-address


12 replies to this topic

#1 Nielsvds

Posted 14 March 2005 - 02:58 PM

Please help me, I don't know what to do. First I will give you guys some info: I use (the Dutch version) Panda Platinum Internet Security 8.05.02. These are my PC specs: Win XP Home Edition (5.1, build 2600) with SP 2 installed. I think that's the info you need, or do you also need further specs? I have an ADSL connection from Skynet, my internet provider. This is the information: Diva ADSL, 1000 ADSL LP and SMC EZ SWITCH 10/100. The IP address that attacks my computer is the following network address: 192.168.1.4. I've tried to check whether that address is from my father's computer, but I wasn't able to see it: when I type ipconfig (he uses Win 98 SE) the screen disappears, so I can't read his IP address. When I tried scanning with a-squared personal, the PC crashed.

Hopefully it's understandable what I've written.
Thanks in advance
Niels

#2 Grinler

Lawrence Abrams, Admin

Posted 16 March 2005 - 05:10 PM

What ports is it scanning and how does it say it's attacking?

#3 Nielsvds

Posted 17 March 2005 - 02:19 PM

> What ports is it scanning and how does it say it's attacking?

The problem is that the message that Panda gives is not so clear; the only information it gives is "port scan" and that it (Panda) blocked the IP address for 10 minutes. I found the attacking IP address in the Panda log (of all incidents). I get this message every day, but it doesn't happen at the same time every day. The port scans and attacks on my IP address started on 3 March (03-03-05).

#4 Grinler

Posted 17 March 2005 - 07:49 PM

On your father's machine click on Start, Run, and type winipcfg and press Enter. That will bring up a window that will show his IP address info. Change the adapter to his Ethernet card and see if it's that. If it is, then your father's computer is probably infected with something.

#5 Nielsvds

Posted 18 March 2005 - 11:47 AM

> On your father's machine click on Start, Run, and type winipcfg and press Enter. That will bring up a window that will show his IP address info. Change the adapter to his Ethernet card and see if it's that. If it is, then your father's computer is probably infected with something.

@Grinler: thanks again, I will try what you suggested. :thumbsup:

#6 Nielsvds

Posted 19 March 2005 - 07:31 AM

@Grinler: I've done what you suggested, and it is the IP address of the Ethernet card in my father's PC that is attacking my PC. What should I do now? If I try to scan (on my father's PC) with a-squared personal, it crashes (PC and program).

#7 Grinler

Posted 19 March 2005 - 02:37 PM

Get an HJT log from your father's machine and post it here.

Create a directory on your hard drive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers, Malware, & Spyware

#8 Nielsvds

Posted 19 March 2005 - 04:38 PM

@Grinler Here is the HijackThis log from my father's PC:

Logfile of HijackThis v1.99.1
Scan saved at 22:42:38, on 19-3-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINMEI01\SYSTEM\KERNEL32.DLL
C:\WINMEI01\SYSTEM\MSGSRV32.EXE
C:\WINMEI01\SYSTEM\MPREXE.EXE
C:\WINMEI01\SYSTEM\mmtask.tsk
C:\WINMEI01\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINMEI01\SYSTEM\DDHELP.EXE
C:\WINMEI01\EXPLORER.EXE
C:\WINMEI01\PTSNOOP.EXE
C:\WINMEI01\TASKMON.EXE
C:\WINMEI01\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINMEI01\SYSTEM\QTTASK.EXE
C:\WINMEI01\SYSTEM\WMIEXE.EXE
C:\WINMEI01\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\PROMOTIONS\HPPROMO.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\THE CLEANER\TCA.EXE
C:\PROGRAM FILES\THE CLEANER\TCM.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\WINMEI01\RunDLL.exe
C:\PROGRAM FILES\WEBROOT\WASHER\WWDISP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINMEI01\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINMEI01\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.skynet.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINMEI01\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINMEI01\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINMEI01\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINMEI01\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Trust Ami Mouse\Amoumain.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINMEI01\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\PROGRAM FILES\HP\DIGITAL IMAGING\PROMOTIONS\HPPROMO.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINMEI01\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab

#9 Grinler

Posted 20 March 2005 - 01:50 AM

Looks fine. You can fix this:

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

but that won't be causing the port scan. I am wondering if it's a false positive. Does your father's machine print to your machine or access files on your computer?
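Added example, not part of the original thread or of Grinler's reply: a small Python parser for a HijackThis log like the one posted above, which groups entries by section code and lists the autostart commands (F1 and O4 entries) that are given without a full path. The function names are chosen for this example, and the embedded sample is an excerpt of the posted log.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # a section code, " - ", then the entry text
AUTOSTART = ("F1", "O4")   # F1: win.ini/system.ini load lines, O4: Run keys and Startup folder

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE = r"""Running processes:
C:\WINMEI01\EXPLORER.EXE
C:\WINMEI01\PTSNOOP.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be
F1 - win.ini: load=ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
"""

def parse(log):
    """Return (running process paths, {section code: [entry text, ...]})."""
    running, entries, in_procs = [], defaultdict(list), False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.append(line)
    return running, dict(entries)

def autostart_commands(entries):
    """Command of each F1/O4 entry: the text after 'load=', '] ' or ' = '."""
    return [re.split(r"load=|\] | = ", text, maxsplit=1)[-1]
            for code in AUTOSTART for text in entries.get(code, [])]

def bare_name_autostarts(entries):
    """Autostart commands with no drive path. Windows finds these through its
    search path, so a reviewer has to confirm which file on disk really runs."""
    return [c for c in autostart_commands(entries)
            if not re.match(r'"?[A-Za-z]:\\', c)]

if __name__ == "__main__":
    running, entries = parse(SAMPLE)
    print({code: len(items) for code, items in entries.items()})
    print(bare_name_autostarts(entries))
```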

#10 Nielsvds

Posted 20 March 2005 - 05:32 AM

@Grinler My father doesn't use my printer and he never accesses files on my PC. I have used Panda Platinum Internet Security 8.05.02 since Christmas, and our computers were already in a network then, and I never got that message until 3 March. Could it be a network virus on his PC? I've scanned my PC for spyware, viruses and trojans, but my PC was clean. His PC is also very slow; when he wants to download something, his download speed is also very slow. He uses Norton 2004 as antivirus and doesn't have a firewall on his PC.

#11 Grinler

Posted 20 March 2005 - 12:03 PM

I just don't see anything there at all. I would disable Norton while you do the following:

Download, install, and update Kaspersky antivirus and test to see if that finds anything.

#12 Nielsvds

Posted 20 March 2005 - 12:50 PM

@Grinler: The problem is that my father doesn't allow me to install another antivirus. But I shall try an online virus scan.

#13 Grinler

Posted 20 March 2005 - 07:17 PM

Time to explain to your father that Norton is just not that great.



