Solved

PC is pinging out of control.

Posted on 2004-10-22
639 Views
Last Modified: 2012-06-21
Uugh...I can't believe this has happened to me, but it has. I've got a laptop that I use at a bunch of different client sites. I'm always doing security scans and virus removal, spyware removal, etc. Anyway, I'm back in my office and working on an IDS system (SNORT) and was trying to ssh to it, but for whatever reason was getting a network connection error. So, I go to my Checkpoint firewall log and look to see where I'm being stopped. And what do you know...my machine is pinging IP addresses sequentially. Luckily, Checkpoint is blocking this traffic, but what the heck? I have updated virus software (Symantec Enterprise) and the...this is going to sound stupid...only virus it has found is iishack.exe. I was using this to test vulnerabilities on a host system at a client site. Of course, I couldn't figure it out as it was my first time using it...so I just updated all the security patches for the NT box and went about my business, but I kept the file to mess with it later. Could this be the cause? Is there a way to stop it? Thanks.

Steve
0
Question by:slaroche
    10 Comments
     
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Sounds like you have a virus that came out last August - can't remember the name, I'll try to look it up.  In the meantime, I'd suggest doing a virus scan.
    0
     
    LVL 95

    Expert Comment

    by:Lee W, MVP
    This is the one I'm thinking you might have:
    http://www.cit.cornell.edu/computer/security/alerts/blaster.html

    Make sure Symantec is up to date
    0
     
    LVL 4

    Expert Comment

    by:tmcguiness
    I'm not too sure it's an iishack problem; Norton should've cleared that up. But you can look to see if the process exploit.win32.iishack.exe is running. If it is, stop it. Then search for and remove the file exploit.win32.iishack.exe. That should be all you need to do.

    Let me know what happens.
    0
     

    Author Comment

    by:slaroche
    Would NCX.EXE have these characteristics?  It was part of the IISHACK.EXE package.  I've found a few viruses in a folder that I used to back up some client data, but it was the w32.beagle virus and does not do ICMP actions.  It was not active either...just found it.  
    0
     

    Author Comment

    by:slaroche
    Also, ncx99.exe was in there.
    0
     

    Expert Comment

    by:askdavid

    Seems your PC is infected!!

    Try scanning in safe mode with the tool below:
    http://securityresponse.symantec.com/avcenter/FxNimdaE.com

    Download the above tool and put it on desktop

    David
    0
     

    Author Comment

    by:slaroche
    I scanned in safe mode with the fxnimdae.com and symantec's scan engine.  Neither came up with any viruses.  Symantec is current as of 10/20.  My PC is still pinging sequentially...there are no random services running and there is nothing strange in CurrentVersion\Run.  Is there a way to find out what process is running the ping command?
    0
     
    LVL 4

    Accepted Solution

    by:
    http://www.diamondcs.com.au/openports/

    There are several others
    0
     

    Author Comment

    by:slaroche
    That is a sweet tool.  Thanks.  I'm not sure how to decipher it, though.  The Checkpoint log is showing the source port of the ping packets to be on port 1043 and the only service I can see in this list using port 1043 is NSCTOP.EXE which is a Symantec service that looks for available symantec servers.  I doubt this is the cause because everyone at the office is running the same Symantec version and configuration.  Checkpoint also indicates that the service is UDP 38293 that is part of this process.  I'm going to uninstall Symantec and see if the problem stops.  Again...sweet tool.

    SYSTEM [0]
      TCP  127.0.0.1:3041         127.0.0.1:3247         TIME_WAIT
      TCP  127.0.0.1:3041         127.0.0.1:3251         TIME_WAIT
      TCP  192.168.85.211:3250    63.240.76.10:110       TIME_WAIT
      TCP  192.168.85.211:3252    209.217.36.160:110     TIME_WAIT
      TCP  127.0.0.1:3041         127.0.0.1:3249         TIME_WAIT
    SYSTEM [4]
      TCP  192.168.85.211:3016    192.168.85.14:445      ESTABLISHED
      TCP  0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP  192.168.85.211:139     0.0.0.0:0              LISTENING
      TCP  0.0.0.0:3016           0.0.0.0:0              LISTENING
      TCP  0.0.0.0:1047           0.0.0.0:0              LISTENING
      UDP  192.168.85.211:137     0.0.0.0:0              LISTENING
      UDP  192.168.85.211:138     0.0.0.0:0              LISTENING
      UDP  0.0.0.0:445            0.0.0.0:0              LISTENING
    alg.exe [556]
      TCP  127.0.0.1:3001         0.0.0.0:0              LISTENING
    MsgSys.EXE [676]
      TCP  0.0.0.0:38292          0.0.0.0:0              LISTENING
      UDP  0.0.0.0:38037          0.0.0.0:0              LISTENING
    pds.exe [748]
      UDP  0.0.0.0:38293          0.0.0.0:0              LISTENING
    xfr.exe [976]
      TCP  0.0.0.0:12174          0.0.0.0:0              LISTENING
      TCP  127.0.0.1:1049         0.0.0.0:0              LISTENING
    NSCTOP.EXE [1048]
      UDP  0.0.0.0:1043           0.0.0.0:0              LISTENING
      UDP  0.0.0.0:1042           0.0.0.0:0              LISTENING
    winlogon.exe [1272]
      UDP  0.0.0.0:3008           0.0.0.0:0              LISTENING
    lsass.exe [1328]
      UDP  0.0.0.0:500            0.0.0.0:0              LISTENING
      UDP  0.0.0.0:1028           0.0.0.0:0              LISTENING
    CcmExec.exe [1444]
      UDP  0.0.0.0:3029           0.0.0.0:0              LISTENING
    svchost.exe [1544]
      TCP  0.0.0.0:135            0.0.0.0:0              LISTENING
    svchost.exe [1636]
      TCP  127.0.0.1:3002         0.0.0.0:0              LISTENING
      TCP  127.0.0.1:3003         0.0.0.0:0              LISTENING
      TCP  0.0.0.0:1025           0.0.0.0:0              LISTENING
      UDP  127.0.0.1:123          0.0.0.0:0              LISTENING
      UDP  192.168.85.211:123     0.0.0.0:0              LISTENING
    svchost.exe [1840]
      UDP  0.0.0.0:1027           0.0.0.0:0              LISTENING
      UDP  0.0.0.0:1026           0.0.0.0:0              LISTENING
    svchost.exe [1872]
      TCP  0.0.0.0:5000           0.0.0.0:0              LISTENING
      UDP  192.168.85.211:1900    0.0.0.0:0              LISTENING
      UDP  127.0.0.1:1900         0.0.0.0:0              LISTENING
    Wuser32.exe [1932]
      TCP  0.0.0.0:2701           0.0.0.0:0              LISTENING
      TCP  0.0.0.0:2702           0.0.0.0:0              LISTENING
    iexplore.exe [2628]
      UDP  127.0.0.1:3134         0.0.0.0:0              LISTENING
    NLNOTES.EXE [3272]
      TCP  192.168.85.211:3125    192.168.85.11:1352     ESTABLISHED
      TCP  0.0.0.0:3125           0.0.0.0:0              LISTENING
    ccApp.exe [3700]
      TCP  127.0.0.1:3041         0.0.0.0:0              LISTENING
    msmsgs.exe [3776]
      TCP  192.168.85.211:3058    207.46.106.136:1863    ESTABLISHED
      TCP  0.0.0.0:3058           0.0.0.0:0              LISTENING
      TCP  192.168.85.211:6922    0.0.0.0:0              LISTENING
      UDP  127.0.0.1:3061         0.0.0.0:0              LISTENING
      UDP  192.168.85.211:7325    0.0.0.0:0              LISTENING
      UDP  192.168.85.211:6291    0.0.0.0:0              LISTENING
      UDP  0.0.0.0:3046           0.0.0.0:0              LISTENING
    CPlgv.exe [3812]
      TCP  192.168.85.211:3132    192.168.85.12:18190    ESTABLISHED
      TCP  127.0.0.1:3130         127.0.0.1:3131         ESTABLISHED
      TCP  127.0.0.1:3129         127.0.0.1:3128         ESTABLISHED
      TCP  127.0.0.1:3131         127.0.0.1:3130         ESTABLISHED
      TCP  127.0.0.1:3128         127.0.0.1:3129         ESTABLISHED
      TCP  0.0.0.0:3131           0.0.0.0:0              LISTENING
      TCP  0.0.0.0:3128           0.0.0.0:0              LISTENING
      TCP  0.0.0.0:3132           0.0.0.0:0              LISTENING
      TCP  0.0.0.0:3129           0.0.0.0:0              LISTENING
      TCP  0.0.0.0:3130           0.0.0.0:0              LISTENING
    aim.exe [3824]
      TCP  127.0.0.1:5180         0.0.0.0:0              LISTENING
      UDP  127.0.0.1:3079         0.0.0.0:0              LISTENING
    Weather.exe [3960]
      UDP  127.0.0.1:3059         0.0.0.0:0              LISTENING
    ypager.exe [4036]
      TCP  192.168.85.211:3047    216.155.193.180:5050   ESTABLISHED
      TCP  0.0.0.0:5101           0.0.0.0:0              LISTENING
      TCP  0.0.0.0:3047           0.0.0.0:0              LISTENING
      UDP  127.0.0.1:3053         0.0.0.0:0              LISTENING

    C:\unzipped\openports>
    0
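    The lookup done by eye in the comment above, as an added example that is not part of the original thread: parse an OpenPorts-style listing and return the process bound to the protocol and port a firewall log reports. The function names are hypothetical, and the sample is a short excerpt of the listing posted above.

```python
import re
from collections import defaultdict

# Excerpt of the OpenPorts listing posted in the thread (not the full dump).
SAMPLE = """\
SYSTEM [4]
  TCP  0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP  192.168.85.211:137     0.0.0.0:0              LISTENING
pds.exe [748]
  UDP  0.0.0.0:38293          0.0.0.0:0              LISTENING
NSCTOP.EXE [1048]
  UDP  0.0.0.0:1043           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1042           0.0.0.0:0              LISTENING
msmsgs.exe [3776]
  TCP  192.168.85.211:3058    207.46.106.136:1863    ESTABLISHED
"""

# "name [pid]" header lines and "PROTO local remote STATE" socket lines.
PROC_RE = re.compile(r"^(?P<name>.+?)\s+\[(?P<pid>\d+)\]$")
SOCK_RE = re.compile(r"^(?P<proto>TCP|UDP)\s+(?P<lip>[\d.]+):(?P<lport>\d+)"
                     r"\s+[\d.]+:\d+\s+(?P<state>\S+)$")

def parse_openports(text):
    """Return {(proto, local_port): [(name, pid, local_ip, state), ...]}."""
    owners = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()          # tolerate any indentation from copy/paste
        sock = SOCK_RE.match(line)
        if sock and current:
            key = (sock["proto"], int(sock["lport"]))
            owners[key].append((*current, sock["lip"], sock["state"]))
            continue
        proc = PROC_RE.match(line)
        if proc:
            current = (proc["name"], int(proc["pid"]))
    return owners

def who_owns(owners, proto, port, src_ip=None):
    """Processes bound to proto/port; a 0.0.0.0 bind matches any source IP."""
    hits = owners.get((proto.upper(), port), [])
    return [(name, pid) for name, pid, lip, _ in hits
            if src_ip is None or lip in ("0.0.0.0", src_ip)]

if __name__ == "__main__":
    table = parse_openports(SAMPLE)
    # Protocol/port pairs taken from the firewall log described in the post.
    for proto, port in (("UDP", 1043), ("UDP", 38293)):
        print(proto, port, who_owns(table, proto, port, "192.168.85.211"))
```
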
     

    Author Comment

    by:slaroche
    Symantec somehow got corrupted and was trying to find its "group."  I had to use a removal tool to get rid of all of the processes because uninstalling it wouldn't stop the NSCTOP.EXE process from running.  Thanks for your help and that sweet tool.
    0
