Advice needed

Discussion in 'other security issues & news' started by OsirisEU, Oct 25, 2003.

Thread Status:
Not open for further replies.
  1. OsirisEU

    OsirisEU Guest


    Recently my firewall (Agnitum) detected a nuke attack, after I got a lot of ICMP and NetBIOS traffic. Then I pulled the plug, checked the PC with the latest antivir, anti-trojan, find and destroy. Nothing...

    So I applied the Gibson applet to block access to the potentially dangerous raw sockets. After that I went back online. NetBIOS was blocked, ICMP not.

    I restarted my PC again, this time waiting for the firewall to kick in before switching the cable modem on. This time both ICMP and outbound NetBIOS traffic were blocked by the firewall.

    These are the connections that get blocked every time I go online:

    Application n/a remote host type 10/0 outbond

    Blocked netbios traffic ip x.x.x.225 Looks like it belongs to my internet provider's network :))) Netbios -dgm Outbond UDP

    Netbios - NS Outbond UDP

    And then I get a lot of ICMP echo type traffic from the provider network.

    Plus there is a NetBIOS connection listening and the firewall doesn't block it at all.

    On top of all that I can't use IE to access the internet, even ping doesn't work. The firewall is blocking legit traffic somehow.

    I did try to use internet without internet for a few sec, worked fine.

    However afterwards I saw there were three more ports open in my system.

    The ports that are open are: 135, 445, 1025, 3001, 3002, 3003 and a few more ports.

    Any ideas why it's happening?


  2. Pilli

    Pilli Registered Member

    Feb 13, 2002
    Hampshire UK
    Hi OsirisEU, go here: and download the trial version of Port Explorer; this will show what is doing what with your ports.

    Also available from DCS is the useful & free Autostart Viewer, which will allow you to see if there are any unknown (to you) processes running. You can save the Asviewer info to text & post it here if you are unsure of the results.

    HTH Pilli
  3. OsirisEU

    OsirisEU Guest

    Thanks Pilli,

    I'll try it, and post results here.


  4. OsirisEU

    OsirisEU Guest

    I did use Asviewer, it looks more or less OK, however there are a few suspicious entries:

    C:\Windows\System32\WScipt.exe "%1" %*

    C:\Windows\System32\WScipt.exe "%1" %*

    C:\Windows\System32\WScipt.exe "%1" %*

    C:\Windows\System32\WScipt.exe "%1" %*

    C:\Windows\System32\WScipt.exe "%1" %*

    C:\Windows\System32\WScipt.exe "%1" %*

    HKLM\System\CurrentControlSet\Session Manager\BootExecute autocheck autochk*

    When I used regedit in HKCR\Batfile\shell\open\.... there was the following entry:

    multi reg - SZ 2ABSA
    S reg - SZ 3G@:<962AS
    Sys reg - SZ sysv

    Plus when using HijackThis there were a few entries, one restricting access to options and a second making changes in the Windows hosts file. I removed them both just in case :)

    However I still can't figure out why Outpost is blocking all my traffic. It was perfectly OK before the nuke attack :) Maybe it is because ICMP traffic is blocked and the DHCP server gets no alive response?

    Maybe I should reinstall it?

    Thanks in advance,
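    As an added example (not from the thread or from the tools mentioned in it), here is a PowerShell script that does what Pilli's two suggestions and the registry look-up in this post are aiming at: it maps listening TCP ports, including the 135/445/1025/3001-3003 set listed above, to their owning processes, and reports the shell\open\command values for batch and script file types that do not match the normal Windows forms. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; the port list and the expected command patterns are the example's own assumptions.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later
# (Get-NetTCPConnection); on the 2003-era hosts in the thread, "netstat -ano"
# gives the same port-to-PID mapping. Run from an elevated prompt.

# Ports the original poster saw open. 135 (RPC) and 445 (SMB) are normal Windows
# listeners; 1025 and 3001-3003 are the ones worth tying to a process.
$PortsOfInterest = 135, 445, 1025, 3001, 3002, 3003

function Get-ListenerReport {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalPort = $_.LocalPort
                PID       = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path      = if ($proc) { $proc.Path } else { '' }
                Flagged   = $PortsOfInterest -contains $_.LocalPort
            }
        }
}

# File types whose shell\open\command, if tampered with, makes every .bat/.vbs
# launch pass through a foreign binary. The expected forms are the direct
# "%1" %* (batfile, cmdfile, exefile) or the Windows Script Host under System32
# (VBSFile, JSFile, ...). Anything else is reported as CHECK for a closer look.
function Test-ShellOpenCommands {
    $types = 'batfile', 'cmdfile', 'exefile', 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile'
    foreach ($type in $types) {
        $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $status = 'CHECK'
        if ($null -eq $cmd) { $status = 'MISSING' }
        elseif ($cmd -eq '"%1" %*') { $status = 'ok' }
        elseif ($cmd -match '^"?([^"]+\\[WC]Script\.exe)"?\s+"%1"\s+%\*$' -and
                $Matches[1] -like "$env:SystemRoot\System32\*") { $status = 'ok' }
        [PSCustomObject]@{ Type = $type; Status = $status; Command = $cmd }
    }
}

Get-ListenerReport | Format-Table -AutoSize
Test-ShellOpenCommands | Format-Table -AutoSize
```

    A port in the Flagged column owned by a process outside the Windows directory, or a CHECK row in the second table, is the kind of entry the thread's Autostart Viewer and Port Explorer advice is meant to surface.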

  5. DolfTraanberg

    DolfTraanberg Registered Member

    Nov 20, 2002
    The entry in your hosts file ( ) was made by TDS to redirect you to the current TDS forum.
    The Wscript registry entries you can delete if you are not using VBS.