Advice needed


OsirisEU
October 25th, 2003, 07:53 AM
Greetings,

Recently my firewall (agnitum) detected a nuke attack, after I got a lot of icmp and netbios traffic. Then I pulled the plug and checked the pc with the latest antivir, anti-trojan, find and destroy. Nothing...

So I applied gibson applet to block access to the potentially dangerous raw sockets. After I went back online. Netbios was blocked, ICMP not.

I restarted my pc again, this time waiting for the firewall to kick in before switching the cable modem on. This time both icmp and outbound netbios traffic were blocked by the firewall.

These are the connections that get blocked every time I go online:

Application n/a remote host all-routers.mcast.net type 10/0 outbond

Blocked netbios traffic ip x.x.x.225 (looks like it belongs to my internet provider network :))) Netbios -dgm Outbond UDP

Netbios - NS Outbond UDP

And then I get a lot of icmp echo type traffic from the provider network.

Plus there is a netbios connection listening and the firewall doesn't block it at all.

On top of all I can't use IE to access the internet, even ping doesn't work. The firewall is blocking legit traffic somehow.

I did try to use internet without internet for a few sec, worked fine.

However afterwards I saw there were three more ports open in my system.

The ports that are open are: 135, 445, 1025, 3001, 3002, 3003 and few more ports.

Any ideas why it's happening?

Your,

OsirisEU.

Pilli
October 25th, 2003, 11:53 AM
Hi OsirisEU, go here: www.diamondcs.com.au and download the trial version of Port Explorer; this will show what is doing what with your ports.

Also available from DCS is the useful & free Autostart Viewer which will allow you to see if there are any unknown (to you) processes running. You can save the Asviewer info to text & post it here if you are unsure of the results.

HTH Pilli

OsirisEU
October 26th, 2003, 10:37 AM
Thanks Pilli,

I'll try it, and post results here.

Yours,

OsirisEU.

OsirisEU
October 27th, 2003, 10:51 AM
I did use asviewer; it looks more or less ok, however there are a few suspicious entries:

HKCR\vbsfile\shell\open\command
C:\Windows\System32\WScipt.exe "%1" %*

HKCR\vbefile\shell\open\command
C:\Windows\System32\WScipt.exe "%1" %*

HKCR\jsfile\shell\open\command
C:\Windows\System32\WScipt.exe "%1" %*

HKCR\jsefile\shell\open\command
C:\Windows\System32\WScipt.exe "%1" %*

HKCR\wshfile\shell\open\command
C:\Windows\System32\WScipt.exe "%1" %*

HKCR\wsffile\shell\open\command
C:\Windows\System32\WScipt.exe "%1" %*

HKLM\System\CurrentControlSet\Session Manager\BootExecute autocheck autochk*

When I used regedit in HKCR\Batfile\shell\open\....

there was the following entry: multi reg - SZ 2ABSA
S reg - SZ 3G@:<962AS
Sys reg - SZ sysv

Plus when using hijackthis there were a few entries, one restricting access to options and a second making changes in the Windows hosts file: 203.161.127.141 desresearch.com. I removed them both just in case :)

However I still can't figure out why outpost is blocking all my traffic. It was perfectly ok before the nuke attack :) Maybe it is because ICMP traffic is blocked and the DHCP server gets no alive response?

Maybe I should reinstall it?


Thanks in advance,

OsirisEU.

DolfTraanberg
October 27th, 2003, 11:24 AM
The entry in your hosts file (203.161.127.141) was made by TDS to redirect you to the current TDS forum.
The registry entries Wscript you can delete if you are not using VBS.
Dolf
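The two artefacts discussed in this thread, a non-loopback hosts-file entry and the HKCR\&lt;ext&gt;file\shell\open\command handlers for script files, are both things a defender can audit mechanically rather than by eye. The script below is an added example written for this thread, not a tool from the forum or from DiamondCS; it works on constructed inline data (a sample hosts file mirroring the desresearch.com line above, and constructed handler values, one of them deliberately wrong) so it runs offline on any platform. The expected handler location (the Windows Script Host under C:\Windows\System32) is an assumption about a default install, and the real registry and hosts file are not read here.

```python
"""Audit hosts-file overrides and Windows script-file handler commands.
All inputs are constructed samples so the script runs offline anywhere."""
import re
from pathlib import PureWindowsPath

# Constructed sample hosts file: the localhost lines are the Windows defaults,
# the desresearch.com line mirrors the one reported in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.161.127.141 desresearch.com
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name))
    return entries


def hosts_overrides(text):
    """Hosts entries that send a name somewhere other than loopback.
    Each one silently overrides DNS for that name, so every hit should be
    one the machine's owner can account for (a tool may add one, as the
    thread notes; so may malware)."""
    return [(ip, name) for ip, name in parse_hosts(text) if ip not in LOOPBACK]


# Constructed handler values for the HKCR\<ext>file\shell\open\command keys
# the thread lists. The expected handler is the Windows Script Host in
# System32 (assumption: default install); the last entry is a deliberately
# wrong sample pointing into a temp directory.
SAMPLE_HANDLERS = {
    r"HKCR\vbsfile\shell\open\command": r'C:\Windows\System32\WScript.exe "%1" %*',
    r"HKCR\jsfile\shell\open\command": r'C:\Windows\System32\WScript.exe "%1" %*',
    r"HKCR\wsffile\shell\open\command": r'C:\Users\Public\Temp\x.exe "%1" %*',
}

# First token of a command value: either a quoted path or a bare one.
_CMD_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def handler_executable(command):
    """Executable path from a shell\\open\\command value, quotes removed."""
    m = _CMD_RE.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def unexpected_handlers(handlers, expected_dir=r"C:\Windows\System32",
                        expected_names=("wscript.exe", "cscript.exe")):
    """Keys whose handler is not the script host under the expected directory."""
    bad = []
    for key, cmd in handlers.items():
        exe = PureWindowsPath(handler_executable(cmd))
        if (exe.name.lower() not in expected_names
                or str(exe.parent).lower() != expected_dir.lower()):
            bad.append(key)
    return bad


if __name__ == "__main__":
    for ip, name in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    for key in unexpected_handlers(SAMPLE_HANDLERS):
        print(f"unexpected script handler: {key} = {SAMPLE_HANDLERS[key]}")
```

On a real machine the same two functions would be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and the command values read from the registry; the point of the check is only to list what differs from the default so the owner can decide, as Dolf did here, whether each difference is explained.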