  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 378

Spyware Broadcast Storm

We had a computer come into our shop infected with WinAntivirus and some other spyware/virus crap. After disinfecting the machine, no signs of the spyware showed up, with one glaring exception: whenever the machine was plugged into our network it hammered the LAN with 255.255.255.255 broadcasts. It was so bad that it would shut down our cable router within a minute, and it needed to be rebooted. We ran stuff like WinsockFix, LSPFix, etc., but no luck. The solution was to re-format the machine, which worked, but I would like to know what else could have been done without re-formatting. Any thoughts?
Asked by: landymas
1 Solution
manu4u commented:
You have to disable System Restore first.
Then boot in safe mode and do all your antispam things.

You could have installed a personal firewall (Comodo etc., it's free) and seen which application makes the traffic.

CDs like Hiren's BootCD would be a good choice as well: you boot your PC with the CD and do a complete scan. Google for it, it's free as well.

landymas (CEO, author) commented:
We did the safe mode thing and even removed the drive from the computer and scanned it while it was attached to another unit, but it came up clean. Did the Hiren's BootCD too. I ran a packet sniffer on it and it was broadcasting TCP packets to 255.255.255.255 and going port by port, apparently looking to "phone home."
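The sniffer observation in the comment above (a flood of packets to 255.255.255.255 that walks destination ports one by one) is the kind of thing a defender wants to catch automatically, before a router falls over. The Python script below is an added example, not code from this thread or from any of the tools it names. It assumes a constructed, simplified one-record-per-line sniffer export (`<epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>`) and constructed sample records; the rate and port-spread thresholds are assumptions to be tuned to the LAN's normal broadcast level. It flags any source host whose broadcast rate or destination-port spread crosses those thresholds, which separates a storming host from ordinary spaced-out DHCP or NetBIOS broadcasts.

```python
"""Flag broadcast-storm / port-sweep behaviour in packet-sniffer output.

Added example, not code from the thread or from any tool it names.
It assumes a constructed, simplified one-record-per-line sniffer export:
    <epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>
A real export (tcpdump text, Wireshark CSV, ...) needs its own parser.
"""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "255.255.255.255"


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


def parse_records(text: str) -> list[Packet]:
    """Parse the assumed five-column export; lines starting with '#' are comments."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        pkts.append(Packet(float(ts), src, dst, proto, int(dport)))
    return pkts


def peak_rate(timestamps: list[float], window_s: float) -> int:
    """Largest number of packets seen in any window_s-second interval (sliding window)."""
    ts = sorted(timestamps)
    peak = j = 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window_s:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def broadcast_offenders(pkts, window_s=1.0, rate_threshold=50, sweep_threshold=20):
    """Return {src_ip: report} for hosts whose 255.255.255.255 traffic looks like
    a storm (peak packets per window above rate_threshold) and/or a port sweep
    (distinct destination ports at or above sweep_threshold).
    The thresholds are assumptions; tune them to what the LAN normally broadcasts."""
    by_src = defaultdict(list)
    for p in pkts:
        if p.dst == BROADCAST:
            by_src[p.src].append(p)
    reports = {}
    for src, plist in by_src.items():
        peak = peak_rate([p.ts for p in plist], window_s)
        ports = sorted({p.dport for p in plist})
        storm = peak > rate_threshold
        sweep = len(ports) >= sweep_threshold
        if storm or sweep:
            reports[src] = {
                "peak_pps": peak,
                "distinct_ports": len(ports),
                "port_range": (ports[0], ports[-1]),
                "storm": storm,
                "sweep": sweep,
            }
    return reports


def build_sample_capture() -> str:
    """Constructed sample: one host walking ports 1..100 in half a second,
    one host doing normal spaced-out DHCP discovers, and some ordinary unicast."""
    lines = ["# ts src dst proto dport"]
    for t in (5.0, 6.5, 8.0):                        # benign, widely spaced broadcasts
        lines.append(f"{t:.3f} 192.168.1.10 {BROADCAST} UDP 67")
    for i in range(100):                             # constructed storm + port walk
        lines.append(f"{10.0 + i * 0.005:.3f} 192.168.1.50 {BROADCAST} TCP {i + 1}")
    lines.append("10.100 192.168.1.10 192.168.1.1 TCP 443")  # ordinary unicast, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    for src, rep in broadcast_offenders(parse_records(build_sample_capture())).items():
        print(src, rep)
```

Run it as-is to see the constructed storming host reported with its peak rate and the 1..100 port range while the DHCP host stays quiet; on a real capture, once the host is identified this way, the process behind the traffic is the next thing to pin down (the TCPView suggestion further down the thread is the usual way to do that on the machine itself).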
Mohamed Osama (Senior IT Consultant) commented:
Try using TCPView on the infected machine to map the broadcast / ARP traffic to a certain application.
Also, please try posting a HijackThis log.
Mohammed Hamada (Senior IT Consultant) commented:
It's more likely to be an attack from another computer, or the infected PC was hacked by a server file "Trojan"...
The Trojan could use that subnet to send the packets from the infected PC back to the destination computer ("attacker"). Maybe you can ask the user of the PC if he has any weird issues, like losing control of the mouse or keyboard, or the PC shutting down automatically.

You could have scanned the PC using some DOS commands before formatting it.

http://crack2hackzone.blogspot.com/2008/01/check-ur-pc-infected-or-not-using-dos.html
landymas (CEO, author) commented:
Gave up and re-formatted. Problem solved.
landymas (CEO, author) commented:
We have had a few more come in like this and used ComboFix to disinfect them. The problem seems to be a rootkit.