Solved

PC is pinging out of control.

Posted on 2004-10-22
Last Modified: 2012-06-21
Uugh...I can't believe this has happened to me, but it has.  I've got a laptop that I use at a bunch of different client sites.  I'm always doing security scans and virus removal, spyware removal, etc.  Anyway, I'm back in my office and working on an IDS system (SNORT) and was trying to ssh to it, but for whatever reason was getting a network connection error.  So, I go to my Checkpoint firewall log and look to see where I'm being stopped.  And what do you know...my machine is pinging IP addresses sequentially.  Luckily, Checkpoint is blocking this traffic, but what the heck?  I have updated virus software (Symantec Enterprise) and the...this is going to sound stupid...only virus it has found is iishack.exe.  I was using this to test vulnerabilities on a host system at a client site.  Of course, I couldn't figure it out as it was my first time using it...so I just updated all the security patches for the NT box and went about my business, but I kept the file to mess with it later.  Could this be the cause?  Is there a way to stop it?  Thanks.

Steve
Question by:slaroche
10 Comments
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 12381392
Sounds like you have a virus that came out last August - can't remember the name, I'll try to look it up.  In the meantime, I'd suggest doing a virus scan.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 12381407
This is the one I'm thinking you might have:
http://www.cit.cornell.edu/computer/security/alerts/blaster.html

Make sure Symantec is up to date
LVL 4

Expert Comment

by:tmcguiness
ID: 12381482
I'm not too sure it's an iishack problem; Norton should've cleared that up. But you can look to see if the process exploit.win32.iishack.exe is running. If it is, stop it. Then search for and remove the file exploit.win32.iishack.exe. That should be all you need to do.

Let me know what happens.

Author Comment

by:slaroche
ID: 12381647
Would NCX.EXE have these characteristics?  It was part of the IISHACK.EXE package.  I've found a few viruses in a folder that I used to back up some client data, but it was the w32.beagle virus and does not do ICMP actions.  It was not active either...just found it.  

Author Comment

by:slaroche
ID: 12381657
also ncx99.exe was in there.

Expert Comment

by:askdavid
ID: 12381792
Seems your PC is infected!!

Try scanning in safe mode with the tool below:
http://securityresponse.symantec.com/avcenter/FxNimdaE.com

Download the above tool and put it on desktop

David

Author Comment

by:slaroche
ID: 12383102
I scanned in safe mode with the fxnimdae.com and Symantec's scan engine.  Neither came up with any viruses.  Symantec is current as of 10/20.  My PC is still pinging sequentially...there are no random services running and there is nothing strange in CurrentVersion\Run.  Is there a way to find out what process is running the ping command?
LVL 4

Accepted Solution

by:tmcguiness (earned 2000 total points)
ID: 12383267
http://www.diamondcs.com.au/openports/

There are several others

Author Comment

by:slaroche
ID: 12383429
That is a sweet tool.  Thanks.  I'm not sure how to decipher it, though.  The Checkpoint log is showing the source port of the ping packets to be on port 1043 and the only service I can see in this list using port 1043 is NSCTOP.EXE which is a Symantec service that looks for available Symantec servers.  I doubt this is the cause because everyone at the office is running the same Symantec version and configuration.  Checkpoint also indicates that the service is UDP 38293 that is part of this process.  I'm going to uninstall Symantec and see if the problem stops.  Again...sweet tool.

SYSTEM [0]
  TCP  127.0.0.1:3041         127.0.0.1:3247         TIME_WAIT
  TCP  127.0.0.1:3041         127.0.0.1:3251         TIME_WAIT
  TCP  192.168.85.211:3250    63.240.76.10:110       TIME_WAIT
  TCP  192.168.85.211:3252    209.217.36.160:110     TIME_WAIT
  TCP  127.0.0.1:3041         127.0.0.1:3249         TIME_WAIT
SYSTEM [4]
  TCP  192.168.85.211:3016    192.168.85.14:445      ESTABLISHED
  TCP  0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP  192.168.85.211:139     0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3016           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:1047           0.0.0.0:0              LISTENING
  UDP  192.168.85.211:137     0.0.0.0:0              LISTENING
  UDP  192.168.85.211:138     0.0.0.0:0              LISTENING
  UDP  0.0.0.0:445            0.0.0.0:0              LISTENING
alg.exe [556]
  TCP  127.0.0.1:3001         0.0.0.0:0              LISTENING
MsgSys.EXE [676]
  TCP  0.0.0.0:38292          0.0.0.0:0              LISTENING
  UDP  0.0.0.0:38037          0.0.0.0:0              LISTENING
pds.exe [748]
  UDP  0.0.0.0:38293          0.0.0.0:0              LISTENING
xfr.exe [976]
  TCP  0.0.0.0:12174          0.0.0.0:0              LISTENING
  TCP  127.0.0.1:1049         0.0.0.0:0              LISTENING
NSCTOP.EXE [1048]
  UDP  0.0.0.0:1043           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1042           0.0.0.0:0              LISTENING
winlogon.exe [1272]
  UDP  0.0.0.0:3008           0.0.0.0:0              LISTENING
lsass.exe [1328]
  UDP  0.0.0.0:500            0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1028           0.0.0.0:0              LISTENING
CcmExec.exe [1444]
  UDP  0.0.0.0:3029           0.0.0.0:0              LISTENING
svchost.exe [1544]
  TCP  0.0.0.0:135            0.0.0.0:0              LISTENING
svchost.exe [1636]
  TCP  127.0.0.1:3002         0.0.0.0:0              LISTENING
  TCP  127.0.0.1:3003         0.0.0.0:0              LISTENING
  TCP  0.0.0.0:1025           0.0.0.0:0              LISTENING
  UDP  127.0.0.1:123          0.0.0.0:0              LISTENING
  UDP  192.168.85.211:123     0.0.0.0:0              LISTENING
svchost.exe [1840]
  UDP  0.0.0.0:1027           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1026           0.0.0.0:0              LISTENING
svchost.exe [1872]
  TCP  0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP  192.168.85.211:1900    0.0.0.0:0              LISTENING
  UDP  127.0.0.1:1900         0.0.0.0:0              LISTENING
Wuser32.exe [1932]
  TCP  0.0.0.0:2701           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:2702           0.0.0.0:0              LISTENING
iexplore.exe [2628]
  UDP  127.0.0.1:3134         0.0.0.0:0              LISTENING
NLNOTES.EXE [3272]
  TCP  192.168.85.211:3125    192.168.85.11:1352     ESTABLISHED
  TCP  0.0.0.0:3125           0.0.0.0:0              LISTENING
ccApp.exe [3700]
  TCP  127.0.0.1:3041         0.0.0.0:0              LISTENING
msmsgs.exe [3776]
  TCP  192.168.85.211:3058    207.46.106.136:1863    ESTABLISHED
  TCP  0.0.0.0:3058           0.0.0.0:0              LISTENING
  TCP  192.168.85.211:6922    0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3061         0.0.0.0:0              LISTENING
  UDP  192.168.85.211:7325    0.0.0.0:0              LISTENING
  UDP  192.168.85.211:6291    0.0.0.0:0              LISTENING
  UDP  0.0.0.0:3046           0.0.0.0:0              LISTENING
CPlgv.exe [3812]
  TCP  192.168.85.211:3132    192.168.85.12:18190    ESTABLISHED
  TCP  127.0.0.1:3130         127.0.0.1:3131         ESTABLISHED
  TCP  127.0.0.1:3129         127.0.0.1:3128         ESTABLISHED
  TCP  127.0.0.1:3131         127.0.0.1:3130         ESTABLISHED
  TCP  127.0.0.1:3128         127.0.0.1:3129         ESTABLISHED
  TCP  0.0.0.0:3131           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3132           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3129           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3130           0.0.0.0:0              LISTENING
aim.exe [3824]
  TCP  127.0.0.1:5180         0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3079         0.0.0.0:0              LISTENING
Weather.exe [3960]
  UDP  127.0.0.1:3059         0.0.0.0:0              LISTENING
ypager.exe [4036]
  TCP  192.168.85.211:3047    216.155.193.180:5050   ESTABLISHED
  TCP  0.0.0.0:5101           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3047           0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3053         0.0.0.0:0              LISTENING

C:\unzipped\openports>
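The step the asker did by hand above (read the source port off the firewall log, then find which process in the OpenPorts listing is bound to that port) can be automated. The following is an added example written for this thread; it is not code from the thread, from DiamondCS OpenPorts, or from Check Point. It embeds a trimmed copy of the OpenPorts output posted above and a constructed firewall log whose key=value layout is an assumption, not Check Point's real export format (the addresses, ports and process names mirror what the thread reports). It first detects "sweep" flows, one source port walking up through several destination hosts, and then joins each sweep's source port to the owning process and PID.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt of the OpenPorts listing posted in the thread, trimmed to the
# processes that matter for the question.
OPENPORTS_LISTING = """\
SYSTEM [4]
  TCP  0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP  192.168.85.211:137     0.0.0.0:0              LISTENING
MsgSys.EXE [676]
  TCP  0.0.0.0:38292          0.0.0.0:0              LISTENING
  UDP  0.0.0.0:38037          0.0.0.0:0              LISTENING
pds.exe [748]
  UDP  0.0.0.0:38293          0.0.0.0:0              LISTENING
NSCTOP.EXE [1048]
  UDP  0.0.0.0:1043           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1042           0.0.0.0:0              LISTENING
svchost.exe [1636]
  UDP  127.0.0.1:123          0.0.0.0:0              LISTENING
  UDP  192.168.85.211:123     0.0.0.0:0              LISTENING
"""

# Constructed firewall log export (the key=value fields are an assumption,
# not Check Point's real format); the values mirror what the thread reports.
FIREWALL_LOG = """\
22Oct2004 09:14:01 drop proto=udp src=192.168.85.211 s_port=1043 dst=192.168.86.1 service=38293
22Oct2004 09:14:01 drop proto=udp src=192.168.85.211 s_port=1043 dst=192.168.86.2 service=38293
22Oct2004 09:14:01 drop proto=udp src=192.168.85.211 s_port=1043 dst=192.168.86.3 service=38293
22Oct2004 09:14:02 drop proto=udp src=192.168.85.211 s_port=1043 dst=192.168.86.4 service=38293
22Oct2004 09:14:05 accept proto=tcp src=192.168.85.211 s_port=3250 dst=63.240.76.10 service=110
"""

PROC_RE = re.compile(r"^(\S.*?) \[(\d+)\]\s*$")
SOCK_RE = re.compile(r"^\s+(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
LOG_RE = re.compile(r"proto=(\w+) src=(\S+) s_port=(\d+) dst=(\S+) service=(\d+)")


def parse_openports(text):
    """Turn the per-process OpenPorts listing into flat socket records."""
    rows, proc, pid = [], None, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:                      # "name.exe [pid]" header starts a new group
            proc, pid = m.group(1), int(m.group(2))
            continue
        m = SOCK_RE.match(line)
        if m and proc is not None:
            rows.append({"process": proc, "pid": pid, "proto": m.group(1),
                         "local_addr": m.group(2), "local_port": int(m.group(3)),
                         "state": m.group(6)})
    return rows


def owners_of_port(rows, proto, port):
    """Processes bound to a local port; a 0.0.0.0 bind covers every interface."""
    return sorted({(r["process"], r["pid"]) for r in rows
                   if r["proto"] == proto.upper() and r["local_port"] == port})


def is_ascending(ips):
    """True when the destination addresses climb monotonically (a host sweep)."""
    nums = [int(ipaddress.ip_address(ip)) for ip in ips]
    return all(b > a for a, b in zip(nums, nums[1:]))


def find_sweeps(log_text, min_targets=3):
    """Flows from one (proto, src, s_port, service) that walk up through
    min_targets or more distinct destinations: the 'sequential pinging'
    pattern the asker saw in the firewall log."""
    by_flow = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        proto, src, sport, dst, svc = m.groups()
        by_flow[(proto.upper(), src, int(sport), int(svc))].append(dst)
    sweeps = []
    for (proto, src, sport, svc), dsts in by_flow.items():
        uniq = list(dict.fromkeys(dsts))          # de-duplicate, keep order
        if len(uniq) >= min_targets and is_ascending(uniq):
            sweeps.append({"proto": proto, "src": src, "s_port": sport,
                           "service": svc, "targets": len(uniq),
                           "first": uniq[0], "last": uniq[-1]})
    return sweeps


def attribute_sweeps(log_text, openports_text):
    """Join each sweep's source port to the process(es) holding that port."""
    rows = parse_openports(openports_text)
    return [dict(s, owners=owners_of_port(rows, s["proto"], s["s_port"]))
            for s in find_sweeps(log_text)]


if __name__ == "__main__":
    for s in attribute_sweeps(FIREWALL_LOG, OPENPORTS_LISTING):
        print(f"{s['proto']} sport {s['s_port']} -> service {s['service']}: "
              f"{s['targets']} hosts {s['first']}..{s['last']}, owner(s) {s['owners']}")
```

On the sample data the only sweep is UDP source port 1043 to service 38293, and the port join resolves it to NSCTOP.EXE (PID 1048), which is the same conclusion the asker reached by reading the list. One detail worth noticing in the thread: ICMP echo ("ping") has no ports at all, so a firewall entry that shows a source port and a UDP service is describing UDP datagrams, not pings; that is consistent with the later finding that it was Symantec's discovery traffic rather than a scanning worm. The port join only works against a listing taken while the traffic is still flowing, since ephemeral ports are reassigned once the socket closes.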

Author Comment

by:slaroche
ID: 12383858
Symantec somehow got corrupted and was trying to find its "group."  I had to use a removal tool to get rid of all of the processes because uninstalling it wouldn't stop the NSCTOP.EXE process from running.  Thanks for your help and that sweet tool.