Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Router showing UDP Flood from WAN Inbound


  • This topic is locked This topic is locked
2 replies to this topic

#1 ttcole1254

ttcole1254

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 15 June 2010 - 11:01 AM

My Belkin Wireless N Router has been recently showing UDP Floods constantly coming from random IPs and random ports, and targeting only one of my computers. Here is the log from the router so far:

Firewall Log
06/15/2010 10:36:15 **UDP Flood to Host** 77.83.225.60, 35168->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:21 **UDP flood** 221.64.21.205, 11407->> 24.110.44.8, 9424 (from WAN Inbound)
06/15/2010 09:23:21 **UDP Flood Stop** (from WAN Inbound)
06/15/2010 09:23:21 **UDP flood** 123.192.210.21, 8080->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:21 **UDP flood** 72.189.117.247, 22887->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:21 **UDP flood** 112.118.146.203, 16707->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:21 **UDP flood** 24.185.249.57, 22303->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:20 **UDP flood** 94.96.170.111, 19505->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:20 **UDP flood** 86.11.91.87, 10772->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:20 **UDP flood** 111.224.3.108, 32768->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:20 **UDP flood** 121.117.85.41, 15072->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:20 **UDP flood** 81.227.130.18, 33006->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:19 **UDP flood** 113.4.196.166, 1483->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:19 **UDP flood** 70.107.204.101, 50048->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 220.213.183.29, 9554->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 218.186.199.163, 26122->> 24.110.44.8, 9568 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 117.205.49.59, 11619->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 85.23.12.58, 7871->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 119.40.181.61, 7311->> 24.110.44.8, 9616 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 123.201.121.65, 24662->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 119.40.181.61, 7311->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 79.177.184.241, 16278->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 88.81.43.14, 20980->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:18 **UDP flood** 117.94.13.86, 21094->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:17 **UDP flood** 114.86.45.96, 4041->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:17 **UDP flood** 62.198.222.146, 53242->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:17 **UDP flood** 24.57.132.234, 9649->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:17 **UDP flood** 125.168.96.117, 20224->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:16 **UDP flood** 78.58.81.173, 18677->> 24.110.44.8, 9313 (from WAN Inbound)
06/15/2010 09:23:16 **UDP flood** 110.55.80.30, 23520->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:16 **UDP flood** 221.178.8.64, 9156->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:16 **UDP flood** 94.59.217.51, 22203->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:15 **UDP flood** 119.40.181.61, 7311->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:15 **UDP flood** 85.137.114.123, 21517->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:15 **UDP flood** 88.236.27.63, 40705->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:15 **UDP flood** 87.126.41.20, 11870->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:15 **UDP flood** 114.45.11.80, 16001->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:15 **UDP flood** 94.138.1.189, 13579->> 24.110.44.8, 9462 (from WAN Inbound)
06/15/2010 09:23:15 **UDP flood** 80.48.30.189, 8677->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:15 **UDP flood** 114.41.199.8, 63205->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:14 **UDP flood** 212.40.231.122, 22283->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:14 **UDP flood** 123.222.101.136, 11436->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:14 **UDP flood** 126.114.248.57, 52196->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:14 **UDP flood** 221.217.242.110, 22221->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:14 **UDP flood** 71.144.68.46, 22449->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:14 **UDP flood** 78.183.225.90, 14086->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:13 **UDP flood** 70.48.120.154, 13725->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:13 **UDP flood** 195.211.188.98, 24879->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 09:23:13 **UDP flood** 212.118.142.230, 58897->> 192.168.2.2, 9305 (from WAN Inbound)


Avast! Free Antivirus shows the computer is clean, but I'm not completely sure. I ran HiJackThis and here is the log for that:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:26:19 AM, on 6/15/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Users\Tyler\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tyler\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tyler\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tyler\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tyler\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tyler\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Google Update] "C:\Users\Tyler\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: OfficeSAS.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware workstation\vsocklib.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SAS Core Service (SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9661 bytes





Recently before that I was getting other firewall warnings but now the UDP Floods have replaced them. I have three wired computers attached to the router. Two of them run Windows 7 Ultimate 64-Bit, while the third one runs the Openfiler OS that is my NAS. The NAS contains my iTunes library and random files that I've needed to transfer from computer to computer. Both Windows 7 computers list the NAS as a Network Location, and they are connected to the NAS 24/7 if that makes any difference. The Internet on both computers has been recently slow and even stops as some points for more than 5 minutes, with page could not be found errors. I am running Google Chrome as the browser on both machines. If you would like me to post the log for the other computer, please let me know. I just thought this PC had something in it tying up the router which would make the other PC slow down as well.


EDIT: I cleared the Firewall Log and waited a few minutes and it showed up again, this time showing a Smurf attack.

Firewall Log
06/15/2010 11:56:10 **UDP Flood (per Min)** 83.10.12.198, 14655->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:10 **UDP flood** 83.10.12.198, 14655->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:10 **UDP Flood (per Min) Stop** (from WAN Inbound)
06/15/2010 11:56:10 **UDP Flood Stop** (from WAN Inbound)
06/15/2010 11:56:10 **UDP Flood (per Min)** 217.9.226.66, 26383->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:10 **UDP flood** 217.9.226.66, 26383->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:10 **UDP Flood (per Min)** 60.56.70.254, 15408->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:10 **UDP flood** 60.56.70.254, 15408->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:09 **UDP Flood (per Min)** 74.15.186.80, 1206->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:09 **UDP flood** 74.15.186.80, 1206->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:09 **UDP Flood (per Min)** 124.121.138.7, 12458->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:09 **UDP flood** 124.121.138.7, 12458->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:06 **UDP Flood (per Min)** 113.22.159.225, 17254->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:06 **UDP flood** 113.22.159.225, 17254->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:02 **UDP Flood (per Min)** 122.123.185.245, 7645->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:02 **UDP flood** 122.123.185.245, 7645->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:01 **UDP Flood (per Min)** 116.65.152.186, 15277->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:01 **UDP flood** 116.65.152.186, 15277->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:56:00 **UDP Flood (per Min)** 113.22.159.225, 17254->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:55:58 **UDP Flood (per Min)** 192.168.2.2, 9305->> 216.17.246.251, 44007 (from WAN Outbound)
06/15/2010 11:55:57 **UDP Flood (per Min)** 75.22.75.29, 61909->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:55:57 **UDP Flood (per Min)** 113.22.159.225, 17254->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:55:56 **UDP Flood (per Min)** 188.4.76.124, 43999->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:55:56 **UDP Flood (per Min)** 83.45.44.70, 65535->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:55:56 **UDP Flood (per Min)** 165.246.172.9, 54997->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:55:56 **UDP Flood (per Min)** 61.238.218.65, 55181->> 192.168.2.2, 9305 (from WAN Inbound)
06/15/2010 11:55:32 **Smurf** 202.152.79.0, 42825->> 192.168.2.2, 9305 (from WAN Inbound)


EDIT 2:
Okay, I found out that when I turned off BitComet on my wireless computer, it stopped showing these UDP Floods. That's great and all but what I don't understand is that the IP of the BitComet computer is 192.168.2.3, not 2.2. That is the kitchen wired computer, which doesn't have any torrent client installed. The BitComet computer also had one infection of a trojan that was removed immediately, but other than that there were no infections on the network. I'll try downloading a RedHat Linux distro and see what my log starts doing and I'll post back. Thanks. Oh I also heard from a lot of places that BitComet is a "dirty" torrent downloader and that some trackers do not like it. Should I switch to uTorrent? I also checked the HiJackThis log myself and didn't see anything out of the ordinary, so I don't think it's an infection causing it.

Thanks

Edited by ttcole1254, 16 June 2010 - 07:05 AM.


BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:30 AM

Posted 21 June 2010 - 02:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:30 AM

Posted 24 June 2010 - 10:49 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users