Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Parents PC sluggish and Router is being attacked from Chinese ip


  • Please log in to reply
18 replies to this topic

#1 azdownhiller

azdownhiller

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 09 July 2011 - 06:17 PM

Just as the title says, My parents PC feels sluggish and is not very responsive. On our routers security log we are getting hammered from Chinese ip addresses. Is their PC infected? and can whatever it is spread to my pc over our network?

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:11 AM

Posted 09 July 2011 - 10:32 PM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 azdownhiller

azdownhiller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 July 2011 - 09:07 AM

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9.4.5
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````


MiniToolBox by Farbar
Ran by Lydia (administrator) on 10-07-2011 at 07:01:04
Windows 7 Home Premium (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : family-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Belkin

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 90-E6-BA-F4-FA-EE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:446d:913c:1234:b929:346c:2088:db65(Preferred)
Temporary IPv6 Address. . . . . . : 2002:446d:913c:1234:21f5:42ab:be12:6640(Preferred)
Link-local IPv6 Address . . . . . : fe80::b929:346c:2088:db65%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, July 09, 2011 1:46:55 PM
Lease Expires . . . . . . . . . . : Tuesday, July 07, 2020 5:02:29 AM
Default Gateway . . . . . . . . . : fe80::222:75ff:fefc:40f0%11
192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 234890776
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-A0-73-CE-90-E6-BA-F4-FA-EE
DNS Servers . . . . . . . . . . . : 192.168.2.1
192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.Belkin:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1493:3274:bb92:6ec3(Preferred)
Link-local IPv6 Address . . . . . : fe80::1493:3274:bb92:6ec3%13(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: WL.ph.cox.net
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.115.147
74.125.115.99
74.125.115.103
74.125.115.104
74.125.115.105
74.125.115.106


Pinging google.com [74.125.115.106] with 32 bytes of data:
Reply from 74.125.115.106: bytes=32 time=88ms TTL=54
Reply from 74.125.115.106: bytes=32 time=90ms TTL=54

Ping statistics for 74.125.115.106:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 88ms, Maximum = 90ms, Average = 89ms
Server: WL.ph.cox.net
Address: 192.168.2.1

Name: yahoo.com
Addresses: 67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56
209.191.122.70


Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=44ms TTL=56
Reply from 209.191.122.70: bytes=32 time=44ms TTL=56

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 44ms, Average = 44ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...90 e6 ba f4 fa ee ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.2 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.2 266
192.168.2.2 255.255.255.255 On-link 192.168.2.2 266
192.168.2.255 255.255.255.255 On-link 192.168.2.2 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.2 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.2 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
11 266 ::/0 fe80::222:75ff:fefc:40f0
1 306 ::1/128 On-link
13 58 2001::/32 On-link
13 306 2001:0:4137:9e76:1493:3274:bb92:6ec3/128
On-link
11 18 2002:446d:913c:1234::/64 On-link
11 266 2002:446d:913c:1234:21f5:42ab:be12:6640/128
On-link
11 266 2002:446d:913c:1234:b929:346c:2088:db65/128
On-link
11 266 fe80::/64 On-link
13 306 fe80::/64 On-link
13 306 fe80::1493:3274:bb92:6ec3/128
On-link
11 266 fe80::b929:346c:2088:db65/128
On-link
1 306 ff00::/8 On-link
13 306 ff00::/8 On-link
11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/10/2011 01:02:57 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/10/2011 01:02:47 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (07/09/2011 10:54:17 PM) (Source: Application Error) (User: )
Description: Faulting application name: splwow64.exe, version: 6.1.7600.16385, time stamp: 0x4a5bd3ca
Faulting module name: hpz3rw71.dll, version: 0.3.7071.0, time stamp: 0x4a5bdf2f
Exception code: 0xc0000005
Fault offset: 0x000000000004296b
Faulting process id: 0x178c
Faulting application start time: 0xsplwow64.exe0
Faulting application path: splwow64.exe1
Faulting module path: splwow64.exe2
Report Id: splwow64.exe3

Error: (07/09/2011 04:25:54 PM) (Source: Application Hang) (User: )
Description: The program OTL.exe version 3.2.26.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: b14

Start Time: 01cc3e8ebf8cb47b

Termination Time: 0

Application Path: C:\Users\Lydia\Desktop\OTL.exe

Report Id:

Error: (07/09/2011 04:14:02 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/09/2011 04:12:09 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (07/09/2011 05:52:57 AM) (Source: WPDMTPDriver) (User: )
Description: MTP WPD Driver0x80070002

Error: (07/09/2011 03:19:52 AM) (Source: WPDMTPDriver) (User: )
Description: MTP WPD Driver0x80070002

Error: (07/08/2011 00:32:03 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/08/2011 00:31:11 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.


System errors:
=============
Error: (07/09/2011 04:45:33 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR9.

Error: (07/09/2011 04:45:33 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR9.

Error: (07/09/2011 04:45:32 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR9.

Error: (07/09/2011 04:39:33 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR8.

Error: (07/09/2011 04:39:32 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR8.

Error: (07/09/2011 04:39:31 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR8.

Error: (07/09/2011 04:19:50 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR7.

Error: (07/09/2011 04:19:49 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR7.

Error: (07/09/2011 04:19:48 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR7.

Error: (07/09/2011 03:52:11 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR6.


Microsoft Office Sessions:
=========================
Error: (03/14/2010 02:07:33 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 3999 seconds with 300 seconds of active time. This session ended with a crash.

Error: (02/22/2010 11:14:32 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 63 seconds with 0 seconds of active time. This session ended with a crash.


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 21%
Total physical RAM: 8191.23 MB
Available physical RAM: 6406.21 MB
Total Pagefile: 16380.6 MB
Available Pagefile: 14099.2 MB
Total Virtual: 4095.88 MB
Available Virtual: 3980.77 MB

======================= Partitions: =======================================

1 Drive c: (HP) (Fixed) (Total:686.46 GB) (Free:598.07 GB) NTFS
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:12.08 GB) (Free:2.19 GB) NTFS

================= Users: ==================================================

User accounts for \\FAMILY-PC

-------------------------------------------------------------------------------
Administrator Alex Dan
Guest Leah Lydia
The command completed successfully.

================= End of Users ============================================

#4 azdownhiller

azdownhiller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 July 2011 - 09:08 AM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7062

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

7/10/2011 7:07:01 AM
mbam-log-2011-07-10 (07-07-01).txt

Scan type: Quick scan
Objects scanned: 218228
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 azdownhiller

azdownhiller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 July 2011 - 09:33 AM

GMER, Did not pick up anything.

#6 azdownhiller

azdownhiller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 July 2011 - 10:34 AM

This is a very small chunk of what the security log on our router is picking up-

=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 06:08:57 2011
=>Found attack from 58.218.199.227.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 06:08:57 2011
=>Found attack from 58.218.199.227.
Source port is 12200 and destination port is 73 which use the TCP protocol.
Sun Jul 10 06:28:49 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 8090 which use the TCP protocol.
Sun Jul 10 06:28:49 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 1080 which use the TCP protocol.
Sun Jul 10 06:28:49 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 8000 which use the TCP protocol.
Sun Jul 10 06:30:52 2011
=>Found attack from 60.173.26.185.
Source port is 6000 and destination port is 9415 which use the TCP protocol.
Sun Jul 10 06:35:00 2011
=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 06:36:01 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 9090 which use the TCP protocol.
Sun Jul 10 06:36:01 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 3128 which use the TCP protocol.
Sun Jul 10 06:52:01 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 06:52:01 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 9090 which use the TCP protocol.
Sun Jul 10 06:52:01 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 9000 which use the TCP protocol.
Sun Jul 10 06:56:08 2011
=>Found attack from 80.89.191.39.
Source port is 62287 and destination port is 4899 which use the TCP protocol.
Sun Jul 10 07:06:27 2011
=>Found attack from 221.194.46.176.
Source port is 12200 and destination port is 8085 which use the TCP protocol.
Sun Jul 10 07:06:27 2011
=>Found attack from 221.194.46.176.
Source port is 12200 and destination port is 9415 which use the TCP protocol.
Sun Jul 10 07:06:27 2011
=>Found attack from 221.194.46.176.
Source port is 12200 and destination port is 2479 which use the TCP protocol.
Sun Jul 10 07:17:17 2011
=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 07:22:26 2011
=>Found attack from 121.142.232.182.
Source port is 3110 and destination port is 23 which use the TCP protocol.
Sun Jul 10 07:29:39 2011
=>Found attack from 58.218.199.227.
Source port is 12200 and destination port is 9000 which use the TCP protocol.
Sun Jul 10 07:29:39 2011
=>Found attack from 58.218.199.227.
Source port is 12200 and destination port is 8080 which use the TCP protocol.
Sun Jul 10 07:39:28 2011
=>Found attack from 216.157.195.166.
Source port is 5481 and destination port is 110 which use the TCP protocol.
Sun Jul 10 07:44:37 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 9000 which use the TCP protocol.
Sun Jul 10 07:44:37 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 3128 which use the TCP protocol.
Sun Jul 10 07:44:37 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 8008 which use the TCP protocol.
Sun Jul 10 07:59:35 2011
=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 08:00:36 2011
=>Found attack from 60.173.10.27.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 08:21:46 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 8085 which use the TCP protocol.
Sun Jul 10 08:21:46 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 2479 which use the TCP protocol.
Sun Jul 10 08:21:46 2011
=>Found attack from 58.218.199.250.
Source port is 12200 and destination port is 3128 which use the TCP protocol.
Sun Jul 10 08:22:47 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 27977 which use the TCP protocol.

Sun Jul 10 08:22:47 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 3128 which use the TCP protocol.

Sun Jul 10 08:22:47 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 8088 which use the TCP protocol.

Edited by azdownhiller, 10 July 2011 - 10:38 AM.


#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:11 AM

Posted 10 July 2011 - 10:53 AM

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:
Posted Image

On completion of the scan click "Save log", save it to your desktop and post in your next reply:
Posted Image

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#8 azdownhiller

azdownhiller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 July 2011 - 01:39 PM

aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-10 09:55:08
-----------------------------
09:55:08.004 OS Version: Windows x64 6.1.7600
09:55:08.004 Number of processors: 4 586 0x170A
09:55:08.004 ComputerName: FAMILY-PC UserName: Lydia
09:55:13.105 Initialize success
09:55:42.272 AVAST engine defs: 11071000
09:55:49.744 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:55:49.744 Disk 0 Vendor: ST375052 HP34 Size: 715404MB BusType: 8
09:55:49.760 Disk 0 MBR read successfully
09:55:49.760 Disk 0 MBR scan
09:55:49.760 Disk 0 unknown MBR code
09:55:49.776 Service scanning
09:55:50.540 Disk 0 trace - called modules:
09:55:50.540 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
09:55:50.540 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80098c6060]
09:55:50.540 3 CLASSPNP.SYS[fffff88001af743f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8008620050]
09:55:57.014 AVAST engine scan C:\Windows
10:16:05.002 File: C:\Windows\System32\drivers\en-US\bfe.dll.mui **SUSPICIOUS**
10:16:05.548 File: C:\Windows\System32\drivers\en-US\ndiscap.sys.mui **SUSPICIOUS**
10:16:06.172 File: C:\Windows\System32\drivers\en-US\pacer.sys.mui **SUSPICIOUS**
10:16:06.312 File: C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui **SUSPICIOUS**
10:16:06.390 File: C:\Windows\System32\drivers\en-US\scfilter.sys.mui **SUSPICIOUS**
10:16:06.515 File: C:\Windows\System32\drivers\en-US\tcpip.sys.mui **SUSPICIOUS**
10:16:14.440 File: C:\Windows\System32\drivers\wimmount.sys **SUSPICIOUS**
10:43:21.461 AVAST engine scan C:\Users\Lydia
10:46:36.414 AVAST engine scan C:\ProgramData
11:02:46.627 Scan finished successfully
11:36:24.303 Disk 0 MBR has been saved successfully to "C:\Users\Lydia\Desktop\MBR.dat"
11:36:24.350 The log file has been saved successfully to "C:\Users\Lydia\Desktop\aswMBR2.txt"

Edited by azdownhiller, 10 July 2011 - 01:39 PM.


#9 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:11 AM

Posted 10 July 2011 - 01:52 PM

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#10 azdownhiller

azdownhiller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 July 2011 - 02:11 PM

It said no infections were found. Maybe im overexagerating abit about how sluggish it really is, But its still not as fast and snappy as it was when they bought it. But what concerns me is the constant attacks on our router.

#11 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:11 AM

Posted 10 July 2011 - 02:13 PM

Go ahead with my previous reply.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#12 azdownhiller

azdownhiller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 July 2011 - 03:29 PM

I did and it said no infections were found.

#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:11 AM

Posted 10 July 2011 - 03:48 PM

Let's try to reset your router....

Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
NOTE. Simple router disconnecting from a power source will NOT do.
Restart computer and check for redirections.

NOTE. You may need to re-check your router security settings, as described HERE

Let me know if you have more reports in your router log.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#14 azdownhiller

azdownhiller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 July 2011 - 08:00 PM

I did as you said, these two did not work.

net stop "dns client"
net start "dns client"

I reset the router changed passwords, ssid and psk. I made sure the security features were enabled as well, however it appears there still attacking the router. This is what the security log came up with in about 5 minutes.

System log:
Send Discover Packet => Sat Jan 1 00:00:22 2000

Send Discover Packet => Sat Jan 1 00:00:22 2000

Send Discover Packet => Sat Jan 1 00:00:22 2000

Send Discover Packet => Sat Jan 1 00:00:44 2000

Send Discover Packet => Sat Jan 1 00:00:44 2000

Get DHCP OFFER Packet => Sat Jan 1 00:00:44 2000

Send Request Packet => Sat Jan 1 00:00:44 2000

Get DHCP ACK Packet => Sat Jan 1 00:00:44 2000

Internet connection fail => Sat Jan 1 00:00:49 2000

Get IP Address 68.109.145.60 From DHCP Server => Sat Jan 1 00:00:47 2000

User Login From 192.168.2.2 => Sun Jul 10 17:40:40 2011


Security log:
Sun Jul 10 17:45:47 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 17:45:47 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 9090 which use the TCP protocol.
Sun Jul 10 17:45:47 2011
=>Found attack from 221.192.199.49.
Source port is 12200 and destination port is 9000 which use the TCP protocol.
Sun Jul 10 17:46:17 2011
=>Found attack from 125.69.133.218.
Use the ICMP protocol.
Sun Jul 10 17:50:23 2011
=>Found attack from 216.245.196.122.
Source port is 12200 and destination port is 27977 which use the TCP protocol.
Sun Jul 10 17:57:35 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 2479 which use the TCP protocol.

Sun Jul 10 17:57:35 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 27977 which use the TCP protocol.

Sun Jul 10 17:57:35 2011
=>Found attack from 58.218.199.147.
Source port is 12200 and destination port is 8090 which use the TCP protocol.

#15 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:11 AM

Posted 10 July 2011 - 08:20 PM

According to discussion here: http://www.dslreports.com/forum/r22587692-There-are-a-TON-of-found-attack-from-on-my-security-log you have no reason to be concerned.

is your computer experiencing any current issues?

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users