Question on 3 Items

3 detected NTFS Data Streams:

_restore.mln/{1e5795f9-77ea-40b9-871c-9b6921aa9686}\rp91\a0021203.mln

_restore/{1e5795f9-77ea-40b9-871c-9b6921aa9686}\rp91\a0021207.ink

_restore/{1e5795f9-77ea-40b9-871c-9b6921aa9686}\rp91\a0021213.mnc

Should I delete these 3 keys?

MZ Exe: Unknown on all 3
Name: :a

Another question concerning ports, in reference to 32656:

Could someone please advise me what problems/trouble occur from this port it has been under attack very often, here lately.

Thanks

 

Hi Mike20041

... and welcome to Wilders

http://isc.incidents.org/port_details.php?port=32656

If it is related to Kazaa Lite and your firewall is blocking it, nothing to worry about. If your IP is dynamic try changing it and see if that helps in reducing those log entries.

Regards,

CrazyM

 

Thx for the update on this info

The strange thing is I don't use Kazaa at all, never have...

My PC has been under attack by the following ports for 6 hours 26 minutes and still is under attack.

It goes like this:

32656 many times
80 ICMP Echo request
137 once, then it loops

I have been monitoring it and anything that has wait or established I close the socket on immediately.

I have another question you might be able to answer...

GRC.com always shows a TAG "certain computer name & location linked to the PC" on my pc, how would I stealth this? It worries me because whoever can see this knows that its a active PC.

 

If your IP is dynamic, you may have inherited one that was previously being used by someone who does use Kazaa. It is not unusual to see this happen with dynamic IP's.

This type of traffic being blocked by a firewall is not really an attack, and nothing to worry about. As suggested, if your IP is dynamic try doing an ipconfig /release and then ipconfig /renew at the commond prompt to get a new IP and see if that helps.

Just where is it you are seeing/dealing with these wait/established connections?
Any of these this port 32656 you are concerned about?

Are you refering to the part about "The text below might uniquely identify you on the Internet"?
If so, and it is something that never changes, then it something you would want to know about. If it changes along with your IP, then no real need to worry. Your IP and reverse DNS provided by your ISP is not something you can stealth or hide unless you go through an anonymous proxy service.

Regards,

CrazyM

 

Hello there and welcome!

About the NTFS streams, they are in system restore so if you disable system restore, reboot and enable it again all former restore points are deleted and you make a new restore point manually.
How large/small are they?
If TDS alarms on them, since they are probably .exe files, Gavin might be interested in them, is it possible to submit them from the alerts console before you delete them via the restore tric i just described?

For the "kazaa attack" i think somebody just kept trying, but your firewall stopped it, like CrazyM described.
In general try not to backtrace attackers.

With Port Explorer you can do some more investigation on the attackers, who/what is trying to connect to you/which application, hidden and suspicious connections, so if there would be any application or trojan be responsible (those in system restore i doubt that those could be active from there but i might be wrong) you see it in your Port Explorer screen immediately.
I just checked and no scans on that port here, to give an example.

 

The IP refresh did the trick, the second thing I noticed, sorry bout this... the unique ID is tied into the IP. Thanks for the assistance with this

TDS-3 Netstat Remote/Established/Above 5000

Right clicking on that enabled me to shut it down.

I will submit them before I shutdown system restore, I never use system restore since I do a full format and reinstall.

I will also report back on the file size.

Thanks for the assistance

 

Stream 1 is 497kb
Stream 2 is 497kb
Stream 3 is 521kb

I have no option submitting in the alert area Left click or right click

I am submitting under help

I had to choose dump stream to file

TAGS as sent

stream1.exe
stream2.exe
stream3.exe

 

Hi there, thanks for submitting them. I forgot to ask to zip them preferably if you sent them that way. These are big guys and definitely worth an investigation. Let's wait for Gavin's confirmation of receipt before deleting them definetely.

Second important thought (maybe): if something is in system restore, i suppose there is or has been an original on the system.
After being in system restore i guess such files have no original date and time when they entered your system anymore i guess? Such details might be interesting to look if there were maybe other things going wrong and your firewall logs and windows find/search for new files that day/time might give information around that same time, etc.
Did you recently find any infections or suspicious files anywhere else?
You might have been very lucky of the thing(s) possibly not having been able to execute, or they might be part of the other ports knock problem.
So if that kind of behavior is still going on, it's most certainly wordt to look with Port Explorer if anything unwanted is going on (connecting, trying to connect, blocked by the firewall in- and outgoing traffic, etc)
Fingers crossed the TDS Exec Protection blocked any execution if those are nasties!

 

I already sent them, but they were not zipped if you like I can zip and resend...

I will check back in an hour or two

I started using Port Explorer about one hour ago and I like it.. Big Grin

I am uncertain where to find this information...

I did about two days ago, but I simply deleted them. [8] thumbs.db files appeared under the alert panel (mainly within my documents user accounts and various other folders)

 

I did about two days ago, but I simply deleted them. [8] thumbs.db files appeared under the alert panel (mainly within my documents user accounts and various other folders)

Hi Mike20041, Thumbs.db is a genuine windows file and is used for the collation of image files.
You can set your data streams to ignore any streams less than about 128bytes as there is unlikely to be any harm in such a small file, most are 88 bytes and are generated by windows.

HTH Pilli