PC is pinging out of control.

Uugh...I can't believe this has happened to me, but it has. I've got a laptop that I use at a bunch of different client sites. I'm always doing security scans and virus removal, spyware removal, etc. Anyway, I'm back in my office and working on an IDS system (SNORT) and was trying to ssh to it, but for whatever reason was getting a network connection error. So, I go to my Checkpoint firewall log and look to see where I'm being stopped. And what do you know...my machine is pinging IP addresses sequentially. Luckily, Checkpoint is blocking this traffic, but what the heck? I have updated virus software (Symantec enterprise) and the...this is going to sound stupid...only virus it has found is iishack.exe. I was using this to test vulnerabilities on a host system at a client site. Of course, I couldn't figure it out as it was my first time using it...so I just updated all the security patches for the NT box and went about my business, but I kept the file to mess with it later. Could this be the cause? Is there a way to stop it? Thanks.

Steve
slaroche Asked:

Lee W, MVP, Technology and Business Process Advisor Commented:
Sounds like you have a virus that came out last August - can't remember the name, I'll try to look it up. In the meantime, I'd suggest doing a virus scan.
0
Lee W, MVP, Technology and Business Process Advisor Commented:
This is the one I'm thinking you might have:
http://www.cit.cornell.edu/computer/security/alerts/blaster.html

Make sure Symantec is up to date
0
tmcguiness Commented:
I'm not too sure it's an iishack problem; Norton should've cleared that up. But you can look to see if the process exploit.win32.iishack.exe is running. If it is, stop it. Then search for and remove the file exploit.win32.iishack.exe. That should be all you need to do.

Let me know what happens.
0
slaroche (Author) Commented:
Would NCX.EXE have these characteristics?  It was part of the IISHACK.EXE package.  I've found a few viruses in a folder that I used to back up some client data, but it was the w32.beagle virus and does not do ICMP actions.  It was not active either...just found it.  
0
slaroche (Author) Commented:
Also, ncx99.exe was in there.
0
askdavid Commented:

Seems your PC is infected!!

Try scanning in safe mode with the tool below:
http://securityresponse.symantec.com/avcenter/FxNimdaE.com

Download the above tool and put it on desktop

David
0
slaroche (Author) Commented:
I scanned in safe mode with the fxnimdae.com and Symantec's scan engine. Neither came up with any viruses. Symantec is current as of 10/20. My PC is still pinging sequentially...there are no random services running and there is nothing strange in CurrentVersion\Run. Is there a way to find out what process is running the ping command?
0
tmcguiness Commented:
http://www.diamondcs.com.au/openports/

There are several others
0
slaroche (Author) Commented:
That is a sweet tool. Thanks. I'm not sure how to decipher it, though. The Checkpoint log is showing the source port of the ping packets to be on port 1043 and the only service I can see in this list using port 1043 is NSCTOP.EXE, which is a Symantec service that looks for available Symantec servers. I doubt this is the cause because everyone at the office is running the same Symantec version and configuration. Checkpoint also indicates that the service is UDP 38293 that is part of this process. I'm going to uninstall Symantec and see if the problem stops. Again...sweet tool.

SYSTEM [0]
  TCP  127.0.0.1:3041         127.0.0.1:3247         TIME_WAIT
  TCP  127.0.0.1:3041         127.0.0.1:3251         TIME_WAIT
  TCP  192.168.85.211:3250    63.240.76.10:110       TIME_WAIT
  TCP  192.168.85.211:3252    209.217.36.160:110     TIME_WAIT
  TCP  127.0.0.1:3041         127.0.0.1:3249         TIME_WAIT
SYSTEM [4]
  TCP  192.168.85.211:3016    192.168.85.14:445      ESTABLISHED
  TCP  0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP  192.168.85.211:139     0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3016           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:1047           0.0.0.0:0              LISTENING
  UDP  192.168.85.211:137     0.0.0.0:0              LISTENING
  UDP  192.168.85.211:138     0.0.0.0:0              LISTENING
  UDP  0.0.0.0:445            0.0.0.0:0              LISTENING
alg.exe [556]
  TCP  127.0.0.1:3001         0.0.0.0:0              LISTENING
MsgSys.EXE [676]
  TCP  0.0.0.0:38292          0.0.0.0:0              LISTENING
  UDP  0.0.0.0:38037          0.0.0.0:0              LISTENING
pds.exe [748]
  UDP  0.0.0.0:38293          0.0.0.0:0              LISTENING
xfr.exe [976]
  TCP  0.0.0.0:12174          0.0.0.0:0              LISTENING
  TCP  127.0.0.1:1049         0.0.0.0:0              LISTENING
NSCTOP.EXE [1048]
  UDP  0.0.0.0:1043           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1042           0.0.0.0:0              LISTENING
winlogon.exe [1272]
  UDP  0.0.0.0:3008           0.0.0.0:0              LISTENING
lsass.exe [1328]
  UDP  0.0.0.0:500            0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1028           0.0.0.0:0              LISTENING
CcmExec.exe [1444]
  UDP  0.0.0.0:3029           0.0.0.0:0              LISTENING
svchost.exe [1544]
  TCP  0.0.0.0:135            0.0.0.0:0              LISTENING
svchost.exe [1636]
  TCP  127.0.0.1:3002         0.0.0.0:0              LISTENING
  TCP  127.0.0.1:3003         0.0.0.0:0              LISTENING
  TCP  0.0.0.0:1025           0.0.0.0:0              LISTENING
  UDP  127.0.0.1:123          0.0.0.0:0              LISTENING
  UDP  192.168.85.211:123     0.0.0.0:0              LISTENING
svchost.exe [1840]
  UDP  0.0.0.0:1027           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1026           0.0.0.0:0              LISTENING
svchost.exe [1872]
  TCP  0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP  192.168.85.211:1900    0.0.0.0:0              LISTENING
  UDP  127.0.0.1:1900         0.0.0.0:0              LISTENING
Wuser32.exe [1932]
  TCP  0.0.0.0:2701           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:2702           0.0.0.0:0              LISTENING
iexplore.exe [2628]
  UDP  127.0.0.1:3134         0.0.0.0:0              LISTENING
NLNOTES.EXE [3272]
  TCP  192.168.85.211:3125    192.168.85.11:1352     ESTABLISHED
  TCP  0.0.0.0:3125           0.0.0.0:0              LISTENING
ccApp.exe [3700]
  TCP  127.0.0.1:3041         0.0.0.0:0              LISTENING
msmsgs.exe [3776]
  TCP  192.168.85.211:3058    207.46.106.136:1863    ESTABLISHED
  TCP  0.0.0.0:3058           0.0.0.0:0              LISTENING
  TCP  192.168.85.211:6922    0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3061         0.0.0.0:0              LISTENING
  UDP  192.168.85.211:7325    0.0.0.0:0              LISTENING
  UDP  192.168.85.211:6291    0.0.0.0:0              LISTENING
  UDP  0.0.0.0:3046           0.0.0.0:0              LISTENING
CPlgv.exe [3812]
  TCP  192.168.85.211:3132    192.168.85.12:18190    ESTABLISHED
  TCP  127.0.0.1:3130         127.0.0.1:3131         ESTABLISHED
  TCP  127.0.0.1:3129         127.0.0.1:3128         ESTABLISHED
  TCP  127.0.0.1:3131         127.0.0.1:3130         ESTABLISHED
  TCP  127.0.0.1:3128         127.0.0.1:3129         ESTABLISHED
  TCP  0.0.0.0:3131           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3132           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3129           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3130           0.0.0.0:0              LISTENING
aim.exe [3824]
  TCP  127.0.0.1:5180         0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3079         0.0.0.0:0              LISTENING
Weather.exe [3960]
  UDP  127.0.0.1:3059         0.0.0.0:0              LISTENING
ypager.exe [4036]
  TCP  192.168.85.211:3047    216.155.193.180:5050   ESTABLISHED
  TCP  0.0.0.0:5101           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3047           0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3053         0.0.0.0:0              LISTENING

C:\unzipped\openports>
0
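Added example, not part of the original thread: a small Python parser for the OpenPorts listing format pasted in the post above, which maps a protocol and local port taken from a firewall log back to the owning process and PID. The function names are illustrative, and the sample is an excerpt of rows from that listing.

```python
import re

# Excerpt of the OpenPorts listing from the post above: a "name [pid]"
# header line followed by indented socket rows for that process.
SAMPLE = """\
MsgSys.EXE [676]
  TCP  0.0.0.0:38292          0.0.0.0:0              LISTENING
  UDP  0.0.0.0:38037          0.0.0.0:0              LISTENING
pds.exe [748]
  UDP  0.0.0.0:38293          0.0.0.0:0              LISTENING
NSCTOP.EXE [1048]
  UDP  0.0.0.0:1043           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1042           0.0.0.0:0              LISTENING
svchost.exe [1544]
  TCP  0.0.0.0:135            0.0.0.0:0              LISTENING
"""

HEADER = re.compile(r"^(\S.*?)\s+\[(\d+)\]\s*$")
ROW = re.compile(r"^\s+(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_openports(text):
    """Return a list of socket dicts, each tagged with its owning process."""
    sockets, owner = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            owner = (m.group(1), int(m.group(2)))
            continue
        m = ROW.match(line)
        if m and owner:  # ignore rows that appear before any process header
            proto, laddr, lport, raddr, rport, state = m.groups()
            sockets.append({"process": owner[0], "pid": owner[1], "proto": proto,
                            "local": (laddr, int(lport)),
                            "remote": (raddr, int(rport)), "state": state})
    return sockets

def owners_of(sockets, proto, port):
    """Processes holding a local socket on proto/port, as sorted (name, pid) pairs."""
    return sorted({(s["process"], s["pid"]) for s in sockets
                   if s["proto"] == proto.upper() and s["local"][1] == port})

def triage(text, flows):
    """Map each (proto, port) seen in a firewall log to its owning processes."""
    sockets = parse_openports(text)
    return {(p.upper(), n): owners_of(sockets, p, n) for p, n in flows}

if __name__ == "__main__":
    for flow, procs in triage(SAMPLE, [("udp", 1043), ("udp", 38293), ("tcp", 4444)]).items():
        print(flow, procs or "no owning process listed")
```

A port with no owner in the listing comes back as an empty list, which is itself worth following up because the socket may have closed between the firewall log entry and the snapshot.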
slaroche (Author) Commented:
Symantec somehow got corrupted and was trying to find its "group." I had to use a removal tool to get rid of all of the processes because uninstalling it wouldn't stop the NSCTOP.EXE process from running. Thanks for your help and that sweet tool.
0