?
Solved

Spyware Broadcast Storm

Posted on 2008-06-12
6
Medium Priority
?
365 Views
Last Modified: 2013-12-04
We had a computer come into our shop infected with WinAntivirus and some other spyware/virus crap. After disinfecting the machine no signs of the spyware showed up with one glaring exception: Whenever the machine was plugged into our network it hammered the lan with 255.255.255.255 broadcasts. It was so bad that it would shut down our cable router within a minute and it needed to be rebooted. We ran stuff like Winsockfix, LSPfix, etc. but no luck. The solution was to re-format the machine, which worked, but I would like to know what else could have been done without re-formatting. Any thoughts?
0
Comment
Question by:landymas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 7

Expert Comment

by:manu4u
ID: 21767809
You have to Disable system restore, first.
Then, boot in safemode and do all your antispam things.

You could have installed a Personal Firewall ( comodo etc, its free ) and see which application makes the traffic.

CDs like HIRONS BOOT CD would be a good choice as well, which you can boot your PC with the CD and do a complete scan, google for it , it's free as well.

0
 

Author Comment

by:landymas
ID: 21767889
We did the safemode thing and even removed the drive from the computer and scanned it while it was attached to another unit but it came up clean. Did the Hiern's boot CD too. I ran a packet sniffer on it and it was broadcasting TCP packets to 255.255.255.255 and going port by port, apparently looking to "phone home."
0
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 21768602
Try using TCPView on the infected machine to map the Broadcast / ARP traffic to a ceertain application.
Also Please try posting a hijack this log .
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21773043
It's more likely to be an attack from another computer or the infected PC was hacked by a server file "Trojan"...
The Trojan could use that subnet to send the packets from the infected pc back to the destination computer "attacker", maybe you can ask the user of the PC if he has any weird issues like losing control of the mouse, keyboard or pc shutsdown automatically.

You could have scanned the pc by using some dos commands before formatting it.

http://crack2hackzone.blogspot.com/2008/01/check-ur-pc-infected-or-not-using-dos.html
0
 

Author Comment

by:landymas
ID: 22024852
Gave up and re-formatted. Problem solved.
0
 

Accepted Solution

by:
landymas earned 0 total points
ID: 23147379
We have had a few more come in like this and used Combofix to disinfect them. The problem seems to be a rootkit.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question