Topic: Suspected DDoS attack (Read 1013 times)
Datasys
« on: July 09, 2009, 04:50:43 PM »

Not sure if this is the right place for this post. I am experiencing what I think is a DDoS attack on my XP SP3 box. I just recently did a fresh install on the PC, and everything was running fine for about a month. Now, when the machine is booted up, network traffic increases exponentially, and there are over 600 outbound connections. Programs involved were Skype (now uninstalled) and something called 4E, a game from MSN Games (also uninstalled). Traffic for the programs was counted in multiple GBs (7 digits). I have also done a system restore to day one of the O/S, but the "DDoS" remains and I don't know what to do from here. Also, Defense+ is malfunctioning per a warning from CIS 3.09. I ran Spybot and it found 99 "problems" and fixed them; a good portion of the errors were registry changes.

My questions are:

1. How do I find what is causing this?

2. Should I just start over with a new "clean install" of XP sans SP3 and IE 8? (The user of this machine refuses to use Firefox.)

3. If I go with the clean install, how can I prevent reinfection?

Either I have not configured CIS properly (likely), or it is not sufficient. What other tools/software would be recommended?

System specs:
O/S: Windows XP Pro SP3
Intel P4 2.66 GHz
2 GB RAM
200 GB HDD (x2)
256 MB ATI Radeon 9600

As you can see, not a screamer; this PC is just for browsing the internet and email etc.

Thank you for your time and assistance.

Datasys ~
EricJH
Global Moderator
« Reply #1 on: July 09, 2009, 07:17:03 PM »

Start with What to do if you're infected - eXPerience Rev.3 and keep us posted.

Triple boot: XP SP3, Vista Ultimate 32 SP2 and Win7 RTM (default) , Always the latest CIS or CIS Beta (too lazy to update my sig) Athlon XP 2600 1 GB RAM. Opera Browser always using the latest snapshots; Opera 10.10 as of now
Datasys
« Reply #2 on: July 10, 2009, 05:43:12 PM »

Thank you for the reply. I am also having problems with the router; I just bought a new one and will be installing it on Saturday. Perhaps the router is proliferating this whatever it is; it has crippled the third PC in the house, which is exhibiting symptoms of Sasser/Blaster or something. I just learned that the owner of that PC has NOT been doing his updates! His is running XP Pro as well. A correlation? I think so. This brings another question, a bit out of the scope of this thread: how can I isolate his PC from the other 2 on the network?

Thanks,

Datasys ~
EricJH
« Reply #3 on: July 11, 2009, 10:57:03 AM »

You can try by giving the infected PC a fixed internal IP address and then make that IP address part of the My Blocked Network Zones (Firewall --> Common Tasks) on the other computers.
Datasys
« Reply #4 on: July 12, 2009, 05:40:37 PM »

Update... new router installed, and I am currently running the scans as per the thread. I have only found the "normal tracking cookies" so far. I have more information on the mystery bandwidth monster. It looks like it is alg.exe that is responsible for the large amount of bandwidth on IPs that start with the first octet as 0.X.X.X. Interestingly, the IP address changes with each boot, but it has always started with the 0; the other octets are different after each boot. I have told CIS to block alg.exe but it looks like it hasn't done that. Once I get the HijackThis log, do you think it will be safe to email it to myself so I can post it here?
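The observation above (a process holding connections to remote addresses in 0.X.X.X, a reserved range that is never a legitimate destination) can be checked mechanically. The following is an added example, not code from the thread or from Comodo: it parses Windows `netstat -ano` output, maps each PID to an image name as `tasklist` would report it, and flags connections whose remote host falls in 0.0.0.0/8. The netstat lines and the PID mapping are constructed samples.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (Windows format); not captured
# from any real machine. Remote hosts in 0.0.0.0/8 mirror the thread's symptom.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1035      0.45.12.7:80           SYN_SENT        1044
  TCP    192.168.1.10:1036      0.201.9.33:80          SYN_SENT        1044
  TCP    192.168.1.10:1040      64.233.169.99:80       ESTABLISHED     1320
  UDP    192.168.1.10:1900      *:*                                    1044
"""

# Constructed PID -> image name mapping (what `tasklist` would show).
SAMPLE_TASKLIST = {1044: "alg.exe", 1320: "firefox.exe"}

# 0.0.0.0/8 is "this network" (RFC 1122); it is never a valid remote address.
SUSPECT_NET = ipaddress.ip_network("0.0.0.0/8")

# Proto, local, remote, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; skips header/blank lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def flag_bogon_connections(netstat_text, pid_to_image):
    """Map image name -> list of remote endpoints whose host lies in 0.0.0.0/8."""
    hits = {}
    for _, _, remote, _, pid in parse_netstat(netstat_text):
        host = remote.rpartition(":")[0]  # strip the port
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # "*" wildcard or a hostname; nothing to classify
        if addr in SUSPECT_NET:
            image = pid_to_image.get(pid, f"pid {pid}")
            hits.setdefault(image, []).append(remote)
    return hits


if __name__ == "__main__":
    for image, remotes in flag_bogon_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"{image}: {len(remotes)} connection(s) to 0.0.0.0/8 -> {remotes}")
```

On a live box the same check is fed by `netstat -ano` and `tasklist` output instead of the constructed samples; a system process such as alg.exe appearing here is a reason to verify the binary on disk rather than trust its name.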
EricJH
« Reply #5 on: July 12, 2009, 05:54:53 PM »

Can you show us a screenshot of the firewall logs? They can be found under Firewall --> Common Tasks --> View Firewall Events.
Datasys
« Reply #6 on: July 14, 2009, 01:39:16 PM »

I gave up tracing the weirdness. If it reappears I'll be sure to open a new thread.

It was just too strange of a problem. I guess the slipstream install got messed up when the program "nLite" did the compression/decompression. I should have tested the installation in a virtual box before putting it on my PC.

Thanks for the help anyway... at least I have a good tool box for when/if I do get any nasties.