PC is pinging out of control.

Uugh...I can't believe this has happened to me, but it has.  I've got a laptop that I use at a bunch of different client sites.  I'm always doing security scans and virus removal, spyware removal, etc.  Anyway, I'm back in my office and working on an IDS system (SNORT) and was trying to ssh to it, but for whatever reason was getting a network connection error.  So, I go to my checkpoint firewall log and look to see where I'm being stopped.  And what do you know...my machine is pinging ip addresses sequentially.  Luckily, checkpoint is blocking this traffic, but what the heck?  I have updated virus software (symantec enterprise) and the...this is going to sound stupid...only virus it has found is iishack.exe.  I was using this to test vulnerabilities on a host system at a client site.  Of course, I couldn't figure it out as it was my first time using it...so I just updated all the security patches for the NT box and went about my business, but I kept the file to mess with it later.  Could this be the cause?  Is there a way to stop it?  Thanks.

Steve
1 Solution
 
Lee W, MVP, Technology and Business Process Advisor commented:
Sounds like you have a virus that came out last august - can't remember the name, I'll try to look it up.  In the mean time, I'd suggest doing a virus scan.
0
 
Lee W, MVP, Technology and Business Process Advisor commented:
This is the one I'm thinking you might have:
http://www.cit.cornell.edu/computer/security/alerts/blaster.html

Make sure Symantec is up to date
0
 
tmcguiness commented:
I'm not too sure it's an iishack problem; Norton should've cleared that up. But you can look to see if the process exploit.win32.iishack.exe is running. If it is, stop it. Then search for and remove the file exploit.win32.iishack.exe. That should be all you need to do.

Let me know what happens.
0
 
slaroche (Author) commented:
Would NCX.EXE have these characteristics?  It was part of the IISHACK.EXE package.  I've found a few viruses in a folder that I used to back up some client data, but it was the w32.beagle virus and does not do ICMP actions.  It was not active either...just found it.  
0
 
slaroche (Author) commented:
also ncx99.exe was in there.
0
 
askdavid commented:

Seems your PC is infected!!

Try scanning in safe mode with the tool below:
http://securityresponse.symantec.com/avcenter/FxNimdaE.com

Download the above tool and put it on desktop

David
0
 
slaroche (Author) commented:
I scanned in safe mode with the fxnimdae.com and symantec's scan engine.  Neither came up with any viruses.  Symantec is current as of 10/20.  My PC is still pinging sequentially...there are no random services running and there is nothing strange in CurrentVersion\Run.  Is there a way to find out what process is running the ping command?
0
 
tmcguiness commented:
http://www.diamondcs.com.au/openports/

There are several others
0
 
slaroche (Author) commented:
That is a sweet tool.  Thanks.  I'm not sure how to decipher it, though.  The Checkpoint log is showing the source port of the ping packets to be on port 1043 and the only service I can see in this list using port 1043 is NSCTOP.EXE which is a Symantec service that looks for available symantec servers.  I doubt this is the cause because everyone at the office is running the same Symantec version and configuration.  Checkpoint also indicates that the service is UDP 38293 that is part of this process.  I'm going to uninstall Symantec and see if the problem stops.  Again...sweet tool.

SYSTEM [0]
  TCP  127.0.0.1:3041         127.0.0.1:3247         TIME_WAIT
  TCP  127.0.0.1:3041         127.0.0.1:3251         TIME_WAIT
  TCP  192.168.85.211:3250    63.240.76.10:110       TIME_WAIT
  TCP  192.168.85.211:3252    209.217.36.160:110     TIME_WAIT
  TCP  127.0.0.1:3041         127.0.0.1:3249         TIME_WAIT
SYSTEM [4]
  TCP  192.168.85.211:3016    192.168.85.14:445      ESTABLISHED
  TCP  0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP  192.168.85.211:139     0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3016           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:1047           0.0.0.0:0              LISTENING
  UDP  192.168.85.211:137     0.0.0.0:0              LISTENING
  UDP  192.168.85.211:138     0.0.0.0:0              LISTENING
  UDP  0.0.0.0:445            0.0.0.0:0              LISTENING
alg.exe [556]
  TCP  127.0.0.1:3001         0.0.0.0:0              LISTENING
MsgSys.EXE [676]
  TCP  0.0.0.0:38292          0.0.0.0:0              LISTENING
  UDP  0.0.0.0:38037          0.0.0.0:0              LISTENING
pds.exe [748]
  UDP  0.0.0.0:38293          0.0.0.0:0              LISTENING
xfr.exe [976]
  TCP  0.0.0.0:12174          0.0.0.0:0              LISTENING
  TCP  127.0.0.1:1049         0.0.0.0:0              LISTENING
NSCTOP.EXE [1048]
  UDP  0.0.0.0:1043           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1042           0.0.0.0:0              LISTENING
winlogon.exe [1272]
  UDP  0.0.0.0:3008           0.0.0.0:0              LISTENING
lsass.exe [1328]
  UDP  0.0.0.0:500            0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1028           0.0.0.0:0              LISTENING
CcmExec.exe [1444]
  UDP  0.0.0.0:3029           0.0.0.0:0              LISTENING
svchost.exe [1544]
  TCP  0.0.0.0:135            0.0.0.0:0              LISTENING
svchost.exe [1636]
  TCP  127.0.0.1:3002         0.0.0.0:0              LISTENING
  TCP  127.0.0.1:3003         0.0.0.0:0              LISTENING
  TCP  0.0.0.0:1025           0.0.0.0:0              LISTENING
  UDP  127.0.0.1:123          0.0.0.0:0              LISTENING
  UDP  192.168.85.211:123     0.0.0.0:0              LISTENING
svchost.exe [1840]
  UDP  0.0.0.0:1027           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1026           0.0.0.0:0              LISTENING
svchost.exe [1872]
  TCP  0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP  192.168.85.211:1900    0.0.0.0:0              LISTENING
  UDP  127.0.0.1:1900         0.0.0.0:0              LISTENING
Wuser32.exe [1932]
  TCP  0.0.0.0:2701           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:2702           0.0.0.0:0              LISTENING
iexplore.exe [2628]
  UDP  127.0.0.1:3134         0.0.0.0:0              LISTENING
NLNOTES.EXE [3272]
  TCP  192.168.85.211:3125    192.168.85.11:1352     ESTABLISHED
  TCP  0.0.0.0:3125           0.0.0.0:0              LISTENING
ccApp.exe [3700]
  TCP  127.0.0.1:3041         0.0.0.0:0              LISTENING
msmsgs.exe [3776]
  TCP  192.168.85.211:3058    207.46.106.136:1863    ESTABLISHED
  TCP  0.0.0.0:3058           0.0.0.0:0              LISTENING
  TCP  192.168.85.211:6922    0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3061         0.0.0.0:0              LISTENING
  UDP  192.168.85.211:7325    0.0.0.0:0              LISTENING
  UDP  192.168.85.211:6291    0.0.0.0:0              LISTENING
  UDP  0.0.0.0:3046           0.0.0.0:0              LISTENING
CPlgv.exe [3812]
  TCP  192.168.85.211:3132    192.168.85.12:18190    ESTABLISHED
  TCP  127.0.0.1:3130         127.0.0.1:3131         ESTABLISHED
  TCP  127.0.0.1:3129         127.0.0.1:3128         ESTABLISHED
  TCP  127.0.0.1:3131         127.0.0.1:3130         ESTABLISHED
  TCP  127.0.0.1:3128         127.0.0.1:3129         ESTABLISHED
  TCP  0.0.0.0:3131           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3132           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3129           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3130           0.0.0.0:0              LISTENING
aim.exe [3824]
  TCP  127.0.0.1:5180         0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3079         0.0.0.0:0              LISTENING
Weather.exe [3960]
  UDP  127.0.0.1:3059         0.0.0.0:0              LISTENING
ypager.exe [4036]
  TCP  192.168.85.211:3047    216.155.193.180:5050   ESTABLISHED
  TCP  0.0.0.0:5101           0.0.0.0:0              LISTENING
  TCP  0.0.0.0:3047           0.0.0.0:0              LISTENING
  UDP  127.0.0.1:3053         0.0.0.0:0              LISTENING

C:\unzipped\openports>
0
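The question two posts up was how to find out which process is sending the packets, and the answer above was a listing that maps sockets to processes. One thing worth knowing when reading the firewall log against that listing: an ICMP echo ("ping") has no port at all, so a log entry with source port 1043 is UDP or TCP traffic, which is exactly why it can be matched to a listening socket. The following is an added example (not from the thread, and not code from the OpenPorts tool) that parses a listing in the format posted above and joins it against firewall-log source ports. The excerpt of the listing is taken from the post; the firewall records are constructed stand-ins for the Checkpoint entries the poster described, and all field names are my own.

```python
"""Attribute firewall-log source ports to local processes using an
OpenPorts-style socket listing (the text format shown in the thread).
Added example; not part of the original thread or the OpenPorts tool."""
import re

# Excerpt of the listing posted in the thread, in the same format.  Only the
# processes needed for the lookups below are reproduced.
OPENPORTS_LISTING = """\
MsgSys.EXE [676]
  TCP  0.0.0.0:38292          0.0.0.0:0              LISTENING
  UDP  0.0.0.0:38037          0.0.0.0:0              LISTENING
pds.exe [748]
  UDP  0.0.0.0:38293          0.0.0.0:0              LISTENING
NSCTOP.EXE [1048]
  UDP  0.0.0.0:1043           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:1042           0.0.0.0:0              LISTENING
svchost.exe [1636]
  TCP  0.0.0.0:1025           0.0.0.0:0              LISTENING
  UDP  192.168.85.211:123     0.0.0.0:0              LISTENING
"""

# Constructed firewall events standing in for the Checkpoint entries the
# poster described (source port 1043, UDP 38293).  Not real log lines; the
# destination addresses are placeholders.
FIREWALL_EVENTS = [
    {"proto": "udp", "src": "192.168.85.211", "sport": 1043,  "dst": "10.0.0.7",  "action": "drop"},
    {"proto": "udp", "src": "192.168.85.211", "sport": 38293, "dst": "10.0.0.8",  "action": "drop"},
    {"proto": "tcp", "src": "192.168.85.211", "sport": 1025,  "dst": "10.0.0.9",  "action": "drop"},
    {"proto": "udp", "src": "192.168.85.211", "sport": 50000, "dst": "10.0.0.10", "action": "drop"},
]

# "name.exe [pid]" header line that starts each process block.
PROCESS_RE = re.compile(r"^(?P<name>\S+) \[(?P<pid>\d+)\]\s*$")
# Indented socket row: proto, local addr:port, remote addr:port, state.
SOCKET_RE = re.compile(
    r"^\s+(?P<proto>TCP|UDP)\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_openports(text):
    """Return one dict per socket row, tagged with the owning process and pid."""
    sockets = []
    current = None  # (process name, pid) of the block being read
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = (m.group("name"), int(m.group("pid")))
            continue
        m = SOCKET_RE.match(line)
        if m and current is not None:
            sockets.append({
                "process": current[0], "pid": current[1],
                "proto": m.group("proto").lower(),
                "laddr": m.group("laddr"), "lport": int(m.group("lport")),
                "raddr": m.group("raddr"), "rport": int(m.group("rport")),
                "state": m.group("state"),
            })
    return sockets


def owners_of(sockets, proto, port):
    """All (process, pid) pairs holding a local socket on proto/port."""
    return sorted({(s["process"], s["pid"]) for s in sockets
                   if s["proto"] == proto and s["lport"] == port})


def correlate(events, sockets):
    """Copy each firewall event with an 'owner' field: the process bound to the
    event's source port at snapshot time, or None when nothing was bound."""
    result = []
    for ev in events:
        owners = owners_of(sockets, ev["proto"], ev["sport"])
        result.append({**ev, "owner": owners[0] if owners else None})
    return result


def unattributed(correlated):
    """Events whose source port matched no socket in the snapshot; these are
    the ones that need a fresh listing taken while the traffic is flowing."""
    return [ev for ev in correlated if ev["owner"] is None]


if __name__ == "__main__":
    snapshot = parse_openports(OPENPORTS_LISTING)
    for ev in correlate(FIREWALL_EVENTS, snapshot):
        print(f'{ev["proto"]}/{ev["sport"]:<5} -> {ev["owner"]}')
```

The listing is a point-in-time snapshot, so a source port that matches nothing (the last constructed event) is not evidence of a hidden process; ephemeral ports are reused, and the socket may simply have been closed by the time the listing was taken. Re-run the port listing while the firewall is still logging drops and compare again before drawing a conclusion.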
 
slaroche (Author) commented:
Symantec somehow got corrupted and was trying to find its "group."  I had to use a removal tool to get rid of all of the processes because uninstalling it wouldn't stop the NSCTOP.EXE process from running.  Thanks for your help and that sweet tool.  
0
