Attack from possibly spoofed address


7 replies to this topic

#1 JamesPeters (Members, 13 posts)

Posted 28 April 2014 - 07:44 AM

I've been notified by Kaspersky that my computer is being attacked by DoS.Generic.SYNFlood:TCP from a changing address.  It appears the attack is being continuously repeated every three seconds from a new IP address and being continuously blocked.  The notice says the address may be spoofed.  This has been going on for over an hour.  Should I be concerned?  Is the attack likely to go on indefinitely?

 





#2 noknojon (Banned, 10,871 posts)

Posted 28 April 2014 - 11:08 PM

Hello -

EDIT - Click on Follow This Topic at the Top Right Side and you will be notified when you get a reply -

 

Download all programs to Desktop, Copy and Paste any logs and Temporarily Disable Your Anti-virus if required.

Please tell me if any of these links are not current, as some programs often change their location.

 

 

Please read about and install the program below. Post me back any decent/constant results that you get from it -

 

TCPView - TCPView is the real workhorse for detecting if you have been hacked.

This program will list all the programs on your computer that are connected to a remote computer or are waiting for a connection.

The program will also list all the IP addresses that are connected and even perform reverse DNS on them so that you can get useful information on who is connected.

 

We can run a quick clean-up of anything already there.

 

First -

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.
 

 

Next -

Please download and run RKill by Grinler.
A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

Please post the small log back here

 

Important: Do not reboot your computer until you complete the next step.

 

Now: Please download AdwCleaner by Xplode and save to your Desktop.
* NOTE : Please close or save all work, as the computer will be Rebooted
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button. (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review. 
* If you see any which you do not want removed, remove the check mark next to it. 
* Next: Click on the Clean button (only once) to remove the selected items. 
* You will receive a message telling you that all programs will be closed so that the infections can be removed. 
* Click on OK, and then OK again to confirm the reboot.
When cleaning process is complete a log (AdwCleaner[S0].txt ) of what was removed will be on your desktop. 
Please copy and paste this log in your next post.

A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

 

Next -

Please download Junkware Removal Tool by thisisu to your desktop.
* Shut down your protection software now to avoid potential conflicts.(see above).
* Run the tool by double-clicking it -
* If you are using Windows Vista, 7, or 8; right-mouse click JRT.exe and select "Run as Administrator".
* The tool will open and start scanning your system.
* Please be patient as this can take a while to complete depending on your system's specifications.
* On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

* Post the contents of JRT.txt into your next message.

 

Next -

Please run a scan with Malwarebytes Anti-Malware

If you have the New Version 2.0.1 installed, ignore the first section .............

•• Remove Old Versions of Malwarebytes Anti-Malware
• Please download mbam-clean.exe from Here to your desktop and save it.
• Please close all open applications and Temporarily Disable Your Anti-virus to avoid any conflicts when running the tool.
* Note : It will reboot your computer to complete the removal process (Very Important)


• Download new Malwarebytes Anti-Malware Free V2.0.1 and save it to your desktop
• Double click the desktop icon, click Run, then OK
• Click Next
• Select I accept the agreement then continue to click Next then finally click Install
• Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
• If you are notified the Database is out of date click Update Now
• Click Scan Now >>
----------

• Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
• Click Start (Start, Search, All files and folders for Windows XP) then type mbam
• Double click one of the four following files (if one does not work try the next one, and so on) - A black command window will open.
mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com

Follow those instructions until the Malwarebytes program starts the scan

----------

• When completed click the down arrow on Export Log and select Text file (*.txt)
• Save the file to your desktop as MBAM
• Click Apply Actions then restart your computer if requested
• Copy and paste the contents of MBAM.txt in your reply

 

 

Take your time, and read each item first, and only post them once you are OK with them.

Please include any details from TCPView that may help (constant IP links).

Also - Security Check.txt

RKill.txt

AdwCleaner.txt

JRT.txt

Malwarebytes Results

Add any information that you think may help (how is computer running etc.)


Edited by noknojon, 28 April 2014 - 11:11 PM.


#3 JamesPeters (Topic Starter, 13 posts)

Posted 29 April 2014 - 06:16 AM

Was the above a reply?  If so, I recently went through a nightmare doing one of these recommended cleaning processes.  Things always go wrong for me.  So I still want to ask the question:  Should I be worried?  The attack yesterday apparently ended eventually, but the same has come back the same way today, being handled by Kaspersky. 



#4 noknojon (Banned, 10,871 posts)

Posted 29 April 2014 - 05:39 PM

I've been notified by Kaspersky that my computer is being attacked by DoS.Generic.SYNFlood:TCP from a changing address.  It appears the attack is being continuously repeated every three seconds from a new IP address and being continuously blocked.  The notice says the address may be spoofed.  This has been going on for over an hour.  Should I be concerned?  Is the attack likely to go on indefinitely?

The TCPView program is one of the First programs directed at any suspected hacking.

 

As for the other programs, we were going to clean up any minor intrusions / infections -

 

If Kaspersky is handling this, then why did you post this here ??



#5 JamesPeters (Topic Starter, 13 posts)

Posted 30 April 2014 - 11:26 AM

I don't understand anything, so I need to ask questions.  Yes, my anti-virus is Kaspersky, and it is currently actively blocking a continuous repeated attack.  It says it is blocking the port, but not the attacking computer whose address may be spoofed.  The window shows the IP changing every three seconds.  This has now been going on almost continuously, and if the little window disappears, it comes back every time I boot up. Should I be concerned?  Is Kaspersky handling this, or is it failing? 

 

Yes, I am cautious of running a lot of these programs, as I have had a lot of undesirable consequences in the past.  I certainly don't dare disable Kaspersky while it is blocking an attack.  I did, however, follow your suggestions, ran the programs, except AdwCleaner didn't show me any list to scan or to uncheck before scan, so I couldn't run it. Previously ran Spybot S&D and removed what they suggested.  Already ran Kaspersky scan before posting here. 

 

Here are the logs.  In the first one, the references to Internet Explorer and Google Chrome concern me because I don't want or need them on my computer. Can I get rid of them? :

 

 

 Results of screen317's Security Check version 0.99.82  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Kaspersky PURE 3.0   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 51  
 Java version out of Date!
  Adobe Flash Player 12.0.0.77 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox (28.0)
 Google Chrome 34.0.1847.116  
 Google Chrome 34.0.1847.131  
````````Process Check: objlist.exe by Laurent````````  
 Spybot Teatimer.exe is disabled!
 Kaspersky Lab Kaspersky PURE 3.0 avp.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 

 

 Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/30/2014 11:37:26 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\ce-user\Desktop\SecurityCheck.exe (PID: 6508) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.
 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by ce-user on Wed 04/30/2014 at 11:39:11.33
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\ce-user\AppData\Roaming\mozilla\firefox\profiles\lgt3hmmn.default\minidumps [9 files]



~~~ Event Viewer Logs were cleared
 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.04.30.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
ce-user :: CEUSER-PC [administrator]

4/30/2014 11:47:37 AM
mbam-log-2014-04-30 (11-47-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 266089
Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)
 



#6 JamesPeters (Topic Starter, 13 posts)

Posted 30 April 2014 - 11:44 AM

I need to add that the first apparent consequence of running those programs is that the small icon for a small folder of hidden icons at the right end of the bottom toolbar has disappeared.  Had about 9 icons, including Kaspersky. 



#7 JamesPeters (Topic Starter, 13 posts)

Posted 01 May 2014 - 11:00 AM

I did updates indicated.  The attack is still ongoing.  What next?  What do the reports show? 



#8 noknojon (Banned, 10,871 posts)

Posted 01 May 2014 - 07:57 PM

What do the reports show? << There was no information in any reports (as yet)

 

Sorry but I posted "If Kaspersky is handling this, then why did you post this here ??" as this was your only reply at the time.

 

My first reply included TCPView, and this is the main tool used for tracing hackers for several reasons.

1/ It has nothing to do with this forum, but it is recognised as a main tool to find hackers, since the suspect IP will be repeated quite often.

2/ You can relate your "regular" IP's (Antivirus updates etc) against the listed IP's.

 

Now if you cannot find AdwCleaner from AdwCleaner, what is the page it links you to ?? (This is our onsite link)

Malwarebytes Anti-Malware 1.75.0.1300 is the Old Version as 1.75 was outed for 2.01 a month or 2 back

 

Please run an Updated Full System Scan with Malwarebytes Anti-Malware 2.01
Note that this is a link for the New Version, and it will not look the same as the last version.
If you wish to uninstall the old version see below (from Malwarebytes Links).

• If not existing, please download Malwarebytes Anti-Malware to your desktop.
• Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
* Launch Malwarebytes Anti-Malware
* A 14 day trial of the Premium features is pre-selected.
* You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
• Click Finish.

• Removal Only
• Please download mbam-clean.exe from Here to your desktop and save it.
• Please close all open applications and Temporarily Disable Your Anti-virus to avoid any conflicts when running the tool.

 

* Threat scan + Rootkit scan
* Click the Settings tab >> Detection and Protection >> Detection Options, tick the box 'Scan for rootkits'.
* Click on the Scan tab,

* Click on Scan Now
* A Threat/Rootkit Scan will begin.
* With some infections, you may see this message box.
'Could not load DDA driver'
* Click 'Yes' to this message, to allow the driver to load after a restart.
* Allow the computer to restart. Continue with the rest of these instructions.
* When the scan is complete, click Apply Actions.
* Wait for the prompt to restart the computer to appear, then click on Yes.
(Copy to clipboard for pasting into forum replies)
* After the restart once you are back at your desktop, open MBAM once more.
* Click on the History tab >> Application Logs.

* Double click on the scan log which shows the Date and time of the scan just performed.
* Click 'Copy to Clipboard'

* Paste the contents of the clipboard into your reply.

 

 

Is there any log that Kaspersky Pure displays that shows this invasion, or is it just "implied" ?
All extra information is needed to help you -

 

 

Please post a snapshot with Speccy for more system details -
How to Publish a snapshot with Speccy <<-- Full Directions Here (only post the link)


Edited by noknojon, 01 May 2014 - 07:59 PM.
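The two points noknojon makes about TCPView (a real attacker's IP repeats, while a SYN flood that claims "the address may be spoofed" shows a different source every few seconds; and you can set your "regular" peers such as update servers against the suspect list) can be checked offline from a plain `netstat -ano` dump, which prints the same connection table TCPView shows. The script below is an added example written for this page; it is not code from the thread, from Kaspersky or from the TCPView/Sysinternals project. It assumes the reader has pasted `netstat -ano` output into `SAMPLE_NETSTAT` (the rows there are constructed; the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges stand in for public addresses). Function names, the bogon list and the thresholds are this example's own choices. Half-open sockets (`SYN_RECEIVED`) are the footprint of a SYN flood; sources in non-routable space, or a large set of sources each seen exactly once, are the classic signs that the source addresses are forged, which is also why a per-IP block cannot stop it and why the flood never appears among `ESTABLISHED` peers.

```python
"""Triage a suspected SYN flood from `netstat -ano` output (Windows).

Added example for this thread, not code from Kaspersky or TCPView.
Assumes the reader pastes real `netstat -ano` output into SAMPLE_NETSTAT.
"""
import ipaddress
from collections import Counter, defaultdict

# Ranges that are never legitimate source addresses on the public Internet.
# A SYN from one of these arriving on an Internet-facing interface is either
# spoofed or from the local LAN. (Common bogon subset, not an exhaustive list.)
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample in the column layout `netstat -ano` prints on Windows.
# 198.51.100.x / 203.0.113.x are documentation ranges standing in for public hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    192.168.1.10:49201     198.51.100.20:443      ESTABLISHED     2212
  TCP    192.168.1.10:49202     198.51.100.20:443      ESTABLISHED     2212
  TCP    192.168.1.10:49210     203.0.113.9:80         ESTABLISHED     3180
  TCP    192.168.1.10:445       203.0.113.77:51001     SYN_RECEIVED    4
  TCP    192.168.1.10:445       203.0.113.78:51002     SYN_RECEIVED    4
  TCP    192.168.1.10:445       10.77.1.5:51003        SYN_RECEIVED    4
  TCP    192.168.1.10:445       172.31.200.9:51004     SYN_RECEIVED    4
  TCP    192.168.1.10:445       203.0.113.79:51005     SYN_RECEIVED    4
  TCP    192.168.1.10:445       203.0.113.80:51006     SYN_RECEIVED    4
"""


def is_bogon(ip_text):
    """True if an IPv4 address falls in a reserved / non-routable range."""
    addr = ipaddress.ip_address(ip_text)
    return addr.version == 4 and any(addr in net for net in BOGON_NETWORKS)


def split_endpoint(endpoint):
    """'203.0.113.77:51001' -> ('203.0.113.77', 51001); also handles '[::1]:135'."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Parse the TCP rows of `netstat -ano` output into dicts; skips headers and UDP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        lip, lport = split_endpoint(parts[1])
        rip, rport = split_endpoint(parts[2])
        pid = int(parts[4]) if len(parts) > 4 else None
        rows.append({"lip": lip, "lport": lport, "rip": rip, "rport": rport,
                     "state": parts[3], "pid": pid})
    return rows


def half_open_report(rows):
    """Summarise SYN_RECEIVED (half-open) sockets: the footprint of a SYN flood."""
    half_open = [r for r in rows if r["state"] == "SYN_RECEIVED"]
    by_src = Counter(r["rip"] for r in half_open)
    return {
        "half_open": len(half_open),
        "by_local_port": dict(Counter(r["lport"] for r in half_open)),
        "unique_sources": len(by_src),
        "single_hit_sources": sum(1 for n in by_src.values() if n == 1),
        "bogon_sources": sorted(ip for ip in by_src if is_bogon(ip)),
    }


def spoof_indicators(report):
    """Heuristics behind 'the address may be spoofed'. Thresholds are assumptions."""
    reasons = []
    if report["bogon_sources"]:
        reasons.append("half-open connections from reserved/non-routable source space")
    if (report["unique_sources"] >= 5
            and report["single_hit_sources"] == report["unique_sources"]):
        reasons.append("every source seen exactly once (randomised source addresses)")
    return reasons


def established_by_remote(rows):
    """TCPView-style view: remote hosts with a completed handshake and the PIDs owning them.
    Spoofed SYNs never appear here, because a forged source cannot finish the handshake."""
    table = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            table[r["rip"]].add(r["pid"])
    return {ip: sorted(p for p in pids if p is not None) for ip, pids in table.items()}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    report = half_open_report(rows)
    print("half-open sockets:", report["half_open"], "on local ports", report["by_local_port"])
    print("spoof indicators:", spoof_indicators(report) or ["none"])
    print("real peers (ESTABLISHED):", established_by_remote(rows))
```

To use it on the affected machine, run `netstat -ano > conns.txt` from a command prompt while the Kaspersky alert is showing, paste the file contents into `SAMPLE_NETSTAT`, and compare the `ESTABLISHED` peers (your antivirus update servers, browser sessions and so on, with the owning PID) against the `SYN_RECEIVED` sources; a flood whose sources are all distinct or sit in reserved space is spoofed traffic hitting the port, not a compromise of the host, whereas a source that keeps recurring with a completed handshake is the one worth looking up. The parser is written in Python rather than PowerShell so that the analysis runs offline against a saved dump on any machine.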




