[timthepoolman]

Hope someone can help a newbie?
I have a new system (3 weeks) P4, 3.0 GHz runing XP SP2, all updated. With the system came Norton Internet Security, loaded & updated. I then joined a new ISP who supplied a ADSL router (iconnect Access621)
The router has a hardware firewall enabled, NIS firewall is on and I have tried with XP firewall on or off.
PROBLEM: I noticed the icon in notification area flashing activity even though I had no browser or email open. Double clicked it, the Activity - sent was running wild; current figures are: sent-1,359,939,568(!!); receieved-202,004,344.
I cannot imagine what has been sent, I have not loaded much data on this machine yet.
I ran Norton "check security" it advised that I was "exposed to hackers". More info showed ports open:
ICMP Ping
23 Telnet
113 Ident/Authentication
The solution proposed: Instal a personal firewall eg NIS (!!!)

I have been advised to close these ports: Neither Norton, system supplier or my ISP can tell me how to do this!!
Please Help, I believe that I am under attack even though I have done all the right things.
Thanks
Timthepoolman

 

[Resolution]

Calm down. You're not under attack. I doubt you have the Telnet service running, so there is no way someone can access that port. ICMP Ping is nothing to worry about. Port 113 isn't anything to worry about either, and you can read about that here.

You can do an online scan of your system with Shields Up, however, your router and your local firewall should take care of most of the filtering.

 

[timthepoolman]

Thanks for the reply, Resolution. Just to allay the fears of a non tech user, can you suggest an explanation of the 1.3GB outward data?
Cheers
Tim
ps I have looked at the links you sent and am currently running the "shields up" scan

 

[timthepoolman]

Sorry I should have waited for shields up to run before replying: It has returned the same results as before, with the same advice that I should URGENTLY attend to these issues and close these ports.
Please, how do I do this??

 

[Resolution]

Sorry I should have waited for shields up to run before replying: It has returned the same results as before, with the same advice that I should URGENTLY attend to these issues and close these ports.
Please, how do I do this??

Set a rule on your firewall to block incoming TCP/UDP traffic to the open ports. If you are confused, read your firewall's documentation on setting rules. There really isn't much need to worry from what I can tell.

As for your packet activity, that's the number of packets you have sent and received since you first came online. The longer you stay online and the more network-based programs you run (p2p, instant messengers, spyware removal programs, software updates, etc.), the higher the send/recieve count will be. You should see an icon of two little computer monitors on your taskbar. If you doubleclick it, then it will give you the duration of how long you have been online. What does the duration say?

 

[timthepoolman]

Do I do that to the router firewall or NIS or XP firewall?
NIS help has been useless so far, it tells me to fix it but doesnt say how!!

Duration approx 3 hours ie current session.
The activity appears to be cumulative, ie it doesnt reset with each logon.

I dont use P2P, messenger or spyware programs. Just XP & NIS updates. I do use Skype, but during a conversation the in & outgoing would surely be similar?

Tim

 

[Resolution]

In My Network Places, Disable and then Enable your connection to reset the count (alternatively, you can just restart your computer), and try to see if your send and receive increases dramatically. If it does, then you may have a few malicious programs running on your system.

Edit:
The number can also increase when you are downloading, or if XP downloaded a large number of security updates through Automatic Updates, however, I doubt it would increase that much within 3 hours. In fact, I doubt you could get numbers that high with 3 days of normal usage.

 

[timthepoolman]

Disabling/reenabling connection, restarting computer does not reset the counts. Have been cumulative since first connection...

The other odd thing I should have mentioned is that since I first mentioned this problem last night (on email) the activity has stopped... no longer flashing while not in use, and count no longer increasing rapidly.

I am not doing anything different, is the scum hacker hiding while I investigate?

 

[Resolution]

It's uncertain if you are infected with anything. Your count should have reset itself, and i'm not sure why it didn't. You may want to submit a HijackThis log to the HijackThis forum to see if others can spot anything suspicious running on your PC. Download HijackThis here.

 

[timthepoolman]

"It's uncertain if you are infected with anything. Your count should have reset itself, and i'm not sure why it didn't. "

OK I tried something different which I hadnt done since first connecting: I unplugged the router from the power.
This has now reset the activity counters.
As I watch, doing Nothing the Sent has already gone over 1 MB, about 5 times the received. On my old dialup connection, the ratio was always about 10:1 the other way!!

 

[Resolution]

And that is unusual if you said you are not downloading anything. Please follow the advice I gave you in my previous post.

 

[timthepoolman]

OK I downloaded & ran HJT. Log follows.
Is there a way to move this topic to the other forum so they can see what we have already discussed? (Newbie ;-)

THANKS for your help so far...

Logfile of HijackThis v1.99.1
Scan saved at 3:27:20 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wascc.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.IPrimus.com.au;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127323873649
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127899934343
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://dolalol.landonline.com.au/iws/panairama/ecwplugins/ncs.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

[Resolution]

No, I meant submit the log to Tech Support Forums' HijackThis Forum so that the analysts there can comb through it and see if there is anything unusual. Just explain to them your situation with the send and receive packets.

And your welcome.

 

[timthepoolman]

OK I have taken this to the HJT forum: "I thank I am being hacked?"

http://www.techsupportforum.com/showthread.php?p=366746#post366746

 

[Zerk.Antihacker]

I want to make the port ICMP PING stealth... I have been connected to mIRC for long amounts of time (2 - 5 days in a row) the last weeks... and during that time I have had to attacks at my computer. I am using Norton Antivirus. I made that "Shields Up" scan and all ports were stealth execpt the ICMP PING port! I have been on internet for about 3 days searching for someone that can tell me how to stealth that port. So I found this and you might be able to help me. So please help me.

Well by the way do you know some site that I can post "hackers" ip adresses to? That should be great! I really want to get those evil hackers!

 

[ukric]

the sent and recieved rates are prolly down to skype. it uses your pc as a hub to route otehr calls even if your not making a call.. try disabling it and see if that affects your counts

 

[Zerk.Antihacker]

Can anyone help me with my problem`?? that should be really nice of you ;D

 

[Resolution]

Instead of hijacking this thread, start a new thread with your question and i'm sure someone will answer you.

 

[Zerk.Antihacker]

Ok then I will start a new thread ;D