My computer is under attack

Discussion in 'other firewalls' started by IManovice, Mar 6, 2004.

Thread Status:
Not open for further replies.
  1. IManovice

    IManovice Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    28
    Location:
    Pennsylvania
    Hi:

    I have Windows XP and Sygate Firewall and AVG Antivirus along with Spybot S&D, Ad-Aware, SpywareBlaster, SpywareGuard and MRU-Blaster. For the past 12 hours the Sygate Firewall has been giving this message to me:

    Denial of Service "Code Red" attack detected.
    Description:
    A Code Red attack from outside is detected, it is a very dangerous virus that will deface your webpages, perform a denial-of-service attack, and even crash your system.

    I don't know what to do. Please help! I have tried to register at the forums at Sygate twice now and now my email is locked up for security reasons. So if Sygate sent me the url to activate my account, I won't be able to get it. Wonder what I've done wrong!!!!!!!!o_Oo_O :oops: :'(
     
  2. IManovice

    IManovice Registered Member

    Hi again,
    Ok, I got my email back. But could someone help me out on what further information you might need to help me?
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hello IManovice,

    One question first - are you running a webserver on your PC? Meaning, do you have your own webpages that people access by connecting directly into your system and browsing there? (Most people don't, and most ISPs don't allow it anyway. So, I'm guessing you don't run one either since you are getting firewall alerts about blocked events.)

    That message is merely informational... The firewall is seeing connection attempts against TCP port 80 on your system coming in from outside somewhere. Because it has some intrusion analysis capability, it knows those attempts are of the type used by "Code Red", which basically spreads automatically from infected "webservers" looking for other "webservers" to infect.

    For those of us not running webservers on our systems, these attacks are totally meaningless. If there isn't a webserver to infect, no harm can be done. Further, the fact that your firewall is seeing it means it blocked it anyway, so again no harm can be done.

    A lot of people question the value of very chatty and verbose firewall alerts. If a system does not have a port open (in this case, is not running a webserver), what good does it do to constantly alert the PC user about harmless attempts to connect?
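
Added example, not part of the original thread or any poster's words: a Python sketch of the triage described in the post above, where an inbound alert only matters if something on the PC is listening on the targeted port. The `netstat -an` sample and the alert lines are constructed, and the CSV alert layout is hypothetical, not Sygate's log format.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      198.51.100.7:80        ESTABLISHED
"""

# Constructed alert lines in a hypothetical CSV layout:
# time,direction,action,protocol,source_ip,local_port,signature
ALERTS = """\
2004-03-06 01:12:09,in,blocked,TCP,203.0.113.5,80,Code Red
2004-03-06 01:12:41,in,blocked,TCP,203.0.113.5,80,Code Red
2004-03-06 02:30:17,in,blocked,TCP,203.0.113.77,80,Code Red
2004-03-06 03:05:50,in,blocked,TCP,198.51.100.23,445,port scan
"""

def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def triage(alert_text, listening):
    """Group inbound TCP alerts by (port, signature) and label each group."""
    groups = Counter()
    for line in alert_text.splitlines():
        _time, direction, _action, proto, _src, port, sig = line.split(",")
        if direction == "in" and proto == "TCP":
            groups[(int(port), sig)] += 1
    report = {}
    for (port, sig), count in groups.items():
        # With no listener on the port, nothing on this host can receive the probe.
        label = "review" if port in listening else "informational"
        report[(port, sig)] = (label, count)
    return report

if __name__ == "__main__":
    for key, value in triage(ALERTS, listening_tcp_ports(NETSTAT)).items():
        print(key, value)
```

Grouping repeated probes into one line per port and signature also addresses the chattiness point: three port 80 alerts collapse into a single informational entry.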
     
  4. IManovice

    IManovice Registered Member

    Hello LowWaterMark,
    Thank you for putting my mind at ease. No webpages like you describe here. Couple of different things going on here and just got paranoid.

    I guess Sygate isn't into helping people too easily. I still haven't gotten the email to activate my account so I could get on their forum. So hoping you could answer one more question for me.

    I purchased NetTurbo, MemTurbo and ClipTrakker. NetTurbo is supposed to make the computer more efficient after letting it know what kind of connection you have. MemTurbo defrags physical memory and recaptures RAM. ClipTrakker captures everything that goes on the clipboard and you can use it for quite a few things. I did a search and couldn't find anything negative about any of these things. However, after getting this firewall, I noticed something about the NetTurbo. Here is a copy of what the firewall told me:
    My question is, would this indicate to you that NetTurbo is reporting back to the people at MemTurbo information about my computer?
     
  5. IManovice

    IManovice Registered Member

    The attachment didn't work, sorry. Maybe I have it this time. :)
     


  6. IManovice

    IManovice Registered Member

    Sorry, I don't know what I am doing wrong. Oh well, here is what the message was:

    NetTurbo MFC Application (NetTurbo.exe) is trying to connect to www.memturbo.com (66.216.126.170) using remote port 80 (HTTP-World Wide Web). Do you want to allow this program to access the network?

    Thanks again, :)
     
  7. ShotgunGirl

    ShotgunGirl Guest

    The following was clipped from a third-party website; whether it is true or false is unknown to me.

    "ABetterInternet.E, also called "NetTurbo", shows according to the EULA advertisements based on the web pages you view and the web sites you visit. ABetterInternet.E may update itself without any input or user interaction, install third party software and add links to your desktop. It will also hijack the browser's error page.

    From the developer: During the process of accepting this Agreement, downloading and/or using the Software, you may be offered the opportunity by BetterInternet to download software ("Third Party Software") from third party software vendors ("Third Party Vendors") pursuant to the terms of sublicense agreements or other arrangements between BetterInternet and yourself or between the Third Party Vendors and yourself ("Third Party Software Agreements"). To enable BetterInternet to provide its Software, BetterInternet collects certain types of non-personally identifiable information about individuals who are served ads by the Software.
    By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to BetterInternet; display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; automatically update the Software and install added features or functionality conveniently without your input or interaction; and install desktop icons and installation files and third-party software. Source

    Classification
    Adware

    LWM is best to advise you. No, it would not be allowed out in my case.
     
  8. ShotgunGirl

    ShotgunGirl Guest

    After reading this you may want to discuss the subject at the proper forum here, which one of the members can direct you to.


    "Transponder/Host is distributed by stop-popup-ads-now.com under the pretence that it is a pop-up advertisement killer. But Transponder/Host and Transponder/BI are installed by ActiveX drive-by download on pop-up adverts under a variety of names, eg. 'Internet Accelerator', 'NetTurbo', 'Clean Get-away'.
     
  9. IManovice

    IManovice Registered Member

    Hi ShotgunGirl,

    Thank you for the info. But my question is: Is Sygate trying to tell me that NetTurbo is gathering info from my computer to report to www.memturbo.com?

    I didn't realise that NetTurbo would be connecting to anyone on the internet. But I guess it's people like me that spyware people just love.


    But to add, I tried to remove the NetTurbo from my system and I am going to have a hard time doing it. The file is being used so have to close first. Another thing I don't know what to do. Would I have to just delete the Shareware files from my program files? Would that be how to close the file? (shareware is the file that the NetTurbo is in)

    I ran my AVG and found 427 files infected with the I-Worm/Bagle.K. It was able to remove the infection from 426 of these files. The only one it couldn't was C:\WINDOWS\SYSTEM32\WINSYS.EXE. I also couldn't remove it to the vault. I have no idea of what to do next. Can anyone help me?

    Please tell me if I am off topic. AND which forum I should be in.
    If this gets moved, could you let me know where so I can keep up to date?

    Thanks
     
  10. IManovice

    IManovice Registered Member

    ShotgunGirl again please,

    I don't have problems with pop-ups at all. Extra desktop items have not appeared. But I don't know about the rest you are talking about. I bought those 3 items through www.memturbo.com. All 3 items are found on www.sharewareonline.com along with ArmorIE, which I now find hard to trust this company anymore. But thanks again for what you submitted.
     
  11. ShotgunGirl

    ShotgunGirl Guest

    Sygate is simply doing its job as a firewall by advising you that an outbound connection attempt is being made. It's up to you to know if the connection is one you trust or some other. If you saw someone going out the backdoor of your house carrying your TV you may be concerned, huh...
    Do not get yourself upset. The people here at the forum will no doubt come to your aid, hopefully. They seem very nice.
    For the moment download the programs: Ad-Aware, Spybot Search & Destroy, and SpywareBlaster. All freeware that can be located at the Wilders free tools. These programs should get most of the spyware trash but am not certain if they will remove all.
    You really need to make another topic asking for help with the virus removal. The virus needs to be entirely removed.
    This is not as complicated as it may appear. Until you have your computer cleaned be careful not to spread the virus by email or to give out your personal information such as credit card number.
    Did not notice which operating system you have? That information is needed. Win95 is not WinXP and cleaning varies.
    You may have to use DOS to clean. Hopefully not.
    Install and run the programs listed and see what results. For sure running the programs won't do any harm. Since my status here is that of a guest am rather hesitant to give any further instructions.
     
  12. ShotgunGirl

    ShotgunGirl Guest

    You mention not understanding all that was posted so the following URL may better inform you of the nasty involved.

    http://www.spy-bot.net/Transponder.asp


    This is just for information purposes and may help others here to help you remove the bug. Do not try any of the removal instructions by yourself. WAIT FOR ADVICE FROM MEMBERS HERE!
     
  13. ShotgunGirl

    ShotgunGirl Guest

    Got ahead of myself. You DID mention your OS and the programs that were suggested.
    Sorry, didn't notice... my head hurts after a long night out.

    Am rather concerned that you not be comfortable removing that nasty if the registry is involved. So, some other means you can consider are: System Restore to a previous time before you installed the nasty... first run Ad-Aware, Spybot and SpywareBlaster... otherwise System Restore may "see" the nasty as an installed program and not remove anything.
    After doing the Restore run Ad-Aware, etc., again. If this works, it's an easy way out; if it does not work, you have not lost anything.
    And if you tremble at the thought of playing in the registry or using DOS you can consider a reformat as a last resort. If you have a CD burner download the programs you use and burn them onto a CD. Your anti-virus, firewall, etc. After the reformat you can install the programs directly from the CD, saving time. And just get the needed updates afterwards. This is a last resort and only if others cannot help you or you fear the removal of the nasty.
    Most likely this will be my last post so good luck. Normally forums are not my thing for lack of time with school and work.
     
  14. beetlejuice

    beetlejuice Registered Member

    Joined:
    Oct 12, 2002
    Posts:
    8,523
    Hi IManovice. Why don't you run Hijackthis, you can get it here https://www.wilderssecurity.com/showthread.php?t=12516

    Post the log for the experts to look at. It will provide much needed information. DO NOT TRY TO FIX ANYTHING!!! Wait for the experts to look at the log. I'm sure someone will be able to help you. Good luck.
     
  15. IManovice

    IManovice Registered Member

    ShotgunGirl,
    Sorry if I came off in a negative way. Didn't mean to. :oops: I know the people here are nice and helpful, too. I've seen that in many posts. :)

    I have kept all of the spyware tools updated, and have run them every day for the past few days. It looks as though Spybot S&D has captured the one that the AVG couldn't take care of. But how do I know for sure? I ran the AVG again and it still says "Virus Infection Detected", and it looks like all was healed. But why was it detected again?

    No, I am not afraid of the registry as long as I have guidance. I've never burned a cd but I think I can learn to. I am hoping to avoid reformatting.

    I appreciate you taking your time to help me. TYVM :)
     
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  17. IManovice

    IManovice Registered Member

    CrazyM,

    Thank you very much. :)
     
  18. ShotgunGirl

    ShotgunGirl Guest

    Decided to make a special visit back here to see how you are doing with your problem. Am very tired so won't say much.
    Came upon this program that may be right for the job. Have never used it. Never needed to. So read everything carefully before trying it.

    http://www.spysweeper.com/betterinternet-uninstall.html
     
  19. IManovice

    IManovice Registered Member

    Hi ShotgunGirl,

    Thanks for the program. I sure will give it a shot if nothing else will take care of it. Don't want that nasty getting my sensitive information. I will get rid of it one way or another. :)
     
  20. ShotgunGirl

    ShotgunGirl Guest

    WONDERFUL!! Noticed in the other post that your problems were solved. THAT'S GREAT!!

    Best Wishes and Safe Surfing
     
  21. IManovice

    IManovice Registered Member

    Hi ShotgunGirl,

    Yes, thank goodness, the virus is gone. But still have that Nasty, NetTurbo. Looks like I may try your suggestion. :) Thanks again
     
  22. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi IManovice:
    Try running the virus program in safe mode, and turning off the system restore before. If the infection is saved in the temp file it will just reinstall itself when you reboot. Won't hurt to try it at least. Then make sure you turn the system restore back on once it is cleaned.
    :)
     