Computer attack!

Ken Ibold

Help! My son's computer has started getting bombarded by an attack that slows it down to a crawl when it's connected to the internet, either by wireless or ethernet. When we disable the wireless card or unplug the LAN, it's fine. Attached is the warning Norton gives me. I'll get this every minute or two.

How can I fix this?
 

Attachment: attack.JPG
Help! My son's computer has started getting bombarded by an attack that slows it down to a crawl when it's connected to the internet, either by wireless or ethernet. When we disable the wireless card or unplug the LAN, it's fine. Attached is the warning Norton gives me. I'll get this every minute or two.

How can I fix this?

Unless his computer is set up as a server, chances are it's not an external "attack" per se, but rather some malware that's running on his computer reaching out to the network. I would think that your malware protection should be able to detect and remove the offender. Also there's a good chance that the executable identified by Norton in the message you posted is only part of the problem.
 
Unless his computer is set up as a server, chances are it's not an external "attack" per se, but rather some malware that's running on his computer reaching out to the network. I would think that your malware protection should be able to detect and remove the offender. Also there's a good chance that the executable identified by Norton in the message you posted is only part of the problem.
I've run every malware finder (defender, spybot, norton and mcafee) I have on that machine a couple of times, to no avail. Any suggestions for other software?
 
Help! My son's computer has started getting bombarded by an attack that slows it down to a crawl when it's connected to the internet, either by wireless or ethernet. When we disable the wireless card or unplug the LAN, it's fine. Attached is the warning Norton gives me. I'll get this every minute or two.

How can I fix this?

This site has helped me get rid of malware a couple of times:

http://www.greyknight17.com/spyware.php

After you follow the steps in the tutorial, you can post on his forum and the guy will help you fix any remaining problems, or let you know if you have a clean bill of health.
 
The IP is out of Latvia, which is enough to get me suspicious. Can you block it at the router? That would at least spare Norton from having to block every attempt and brag about it to you.

Also, does your son use any file-sharing software?

-Rich
 
I've run every malware finder (defender, spybot, norton and mcafee) I have on that machine a couple of times, to no avail. Any suggestions for other software?

Have you downloaded Ccleaner? It's freeware and has worked for me in the past.

There is a special place in hell for people who write/disseminate malware. I suspect it is near the accounting department.
 
On another machine, go to:
http://www.malwarebytes.org/ and download the free version. Copy it to the infected machine and run it (mem stick should not go back to uninfected machine) while disconnected from the internet.

One thing you might do if none of your antivirus finds it, to see if things speed up, is tell Norton to stop notifying you.

Also, you might try going back to a restore point if you have that set.
Good luck with it
 
The IP is out of Latvia, which is enough to get me suspicious. Can you block it at the router? That would at least spare Norton from having to block every attempt and brag about it to you.

Also, does your son use any file-sharing software?

-Rich
No file sharing software that I'm aware of. He mostly just goes to facebook and gaming sites, plus the homework stuff.

How would I block it at the router? I'm not a computer neophyte, but I'm not an expert either.
 
I'll second Malwarebytes - worked for me a few times when AVG, Norton, and corporate IT couldn't get something clean.

good luck,
Mike
 
No file sharing software that I'm aware of. He mostly just goes to facebook and gaming sites, plus the homework stuff.

How would I block it at the router? I'm not a computer neophyte, but I'm not an expert either.

Some routers have the ability to deny all connections from specific IP addresses or ranges, usually somewhere in the "Firewall" settings. I sometimes block addresses or netranges that are consistent sources of annoyance.

You would find this functionality, if your router has it, in its Web-based administration interface, generally found by entering the router's local IP address in a Web browser.

-Rich
 
No file sharing software that I'm aware of. He mostly just goes to facebook and gaming sites, plus the homework stuff.

There's the original source, most likely.

I would guess that it's one of the many pieces of malware that sets up a mail server on the computer when you're not looking and turns you into a spam-bot. So, please keep the network disconnected until it's fixed, lest you spread it around to thousands of others...

... And, yes I'm still glad I own a Mac. :yes:
 
You ought to ask how the attacking server in Latvia is getting through your firewall. No firewall should let that come in from the outside world. If it can reach SVCHOST it can do a lot of un-good things like accessing your shared files.
 
In addition to the other advice, you should boot into safe mode before scanning for malware. Haven't had to do it in a while, but many of these viruses/malware/etc will attempt to crash av and/or anti-spyware software, interfere with the scan, or many times "respawn" while being deleted/cleaned if not in safe mode.
 
You ought to ask how the attacking server in Latvia is getting through your firewall.

It's probably not. The suggestion that malware is using his computer as a server is correct - he's talking to Latvia, not the converse.

One day I'm going to get my hands around the throat of one of the ##########s that write these things. :incazzato:
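
The question raised above (an outside server reaching in, or software on the PC calling out) can be checked from the machine's own connection table. As an added example, not part of any poster's reply, this Python sketch reads `netstat -ano` output and labels each established TCP connection by direction; the sample output, addresses and PIDs are constructed.

```python
# Constructed sample of Windows `netstat -ano` output (documentation-range IPs).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.20:49211     203.0.113.45:80        ESTABLISHED     1432
  TCP    192.168.1.20:25        198.51.100.7:51544     ESTABLISHED     1432
  TCP    [::1]:49305            [::1]:135              ESTABLISHED     2210
  UDP    0.0.0.0:500            *:*                                    2100
"""

def parse_netstat(text):
    """Return TCP rows as dicts; headers, UDP and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        # rsplit keeps bracketed IPv6 hosts such as [::1] intact
        lport = int(local.rsplit(":", 1)[1])
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"lport": lport, "remote": rhost, "rport": int(rport),
                     "state": state, "pid": int(pid)})
    return rows

def classify(rows):
    """Label ESTABLISHED connections as inbound or outbound.

    Heuristic: if the local port is one the machine is LISTENING on, the
    remote side opened the connection (inbound); otherwise this machine
    dialled out from an ephemeral port (outbound).
    """
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    result = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        direction = "inbound" if r["lport"] in listening else "outbound"
        result.append((direction, r["pid"], r["remote"], r["rport"]))
    return result

if __name__ == "__main__":
    for direction, pid, remote, rport in classify(parse_netstat(SAMPLE)):
        print(f"{direction:8} PID {pid:<5} remote {remote}:{rport}")
```

The PID column is what identifies the responsible program; when it belongs to svchost.exe, `tasklist /svc /fi "PID eq <pid>"` lists the services hosted inside that process.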
 
Sometimes I just slave the drive to a Linux box and scan it in Linux.

-Rich
 
Did you get this fixed? Let us know.
I finally got around to dealing with it. I downloaded Malwarebytes on a different computer and ran it. It found six issues that were not found by the other software I tried. Fired up the machine, connected it to the internet and let it run. Got another "message." Ran the malwarebytes update (the one on the web site was a couple months old) and ran the program again, and it found 4 more issues. It's been on for a day and a half now and no more "messages." The performance issues are gone as well.

So I am now a believer in malwarebytes!!
 
Cool!
Oh, be sure to check mem stick or other transfer media
 
I've run every malware finder (defender, spybot, norton and mcafee) I have on that machine a couple of times, to no avail. Any suggestions for other software?

Yes. I FINALLY had to buy a Mac.

One thing I like is the quality of the build of the machine, as well as not having to worry as much about a crummy virus. I think Microsoft actually fosters these viruses. They sell a lot of software that way.

When I reinstalled my last system, Office 2007 would not accept the registration code. There is no way around it. You can't call for less than $100 and there is NO way to get tech support on line....NONE!!

I would have laughed at myself a short time ago. But, every minute that goes by, I like the Mac better and better.
 