Buffer overflow attack, need urgent help please

Hello, I suffered a suspected buffer overflow attack and since then I have had numerous rogue IP addresses connecting to my pc and transmitting/receiving data. Because of this I am sending this message in an internet cafe as I cannot use my pc online. I have tried the following with no success:

  1. Virus scans: VIPRE, Antimalware, Superantispyware, AVAST
  2. Windows vista system restore to a restore point from last week (restores successfully but IP’s still connecting)
  3. Acronis tru image backup - formats C drive which has operating system and main files on and replaces with a backup which I take once a month (Problem still persists) Other drive is D drive which just has pictures and music on.

If I open firefox and leave it just on google within 5 minutes I have 20 different IP addresses connecting to my computer.

Here are some screenshots of what it’s like within 2 minutes dare take a screenshot of 5 minutes:

Pictures coming shortly, have to go to a different computer.

I am using comodo Firewall, Will be posting screenshots. I have multiple svc.exe’s running too which never happened prior to this.

FYI: svc.exe - Google Search

SVC.exe is probably BAD. Fireup CIS and kill it, Defence+ > view active process list… here you should see svc.exe… right click, and chose Terminate & Block…

If you did right you should see the file svc.exe under Defence+ > My blocked files… you can locate it here and pick “delete file”… (if you are unlucky this can course system instability tho…)

Anyway go Firewall>Advanced>Network Security Policy. If an instance of SVC.exe is found, set the policy to blocked application…

If you are worried that you are being monitored: You may check under Firewall > View Active Connections… NO traffic should be INBOUND only outbound (unless you are some kind of server)… if you see a inbound connection KILL that connection by right clicking and terminate… I wouldn’t worry if something says “listening”. But most likely you can kill any connection except those made by: Firefox and svchost… (leave any such unless you know what you are doing… terminating such a connection may result in problems connecting online… if you find that you are unable to connect online after such a step, just reboot and skip this step)

Anyway, download MBAM… possible Hijack this… and scan… Also you might run sigverif.exe its a application already installed that will check if you have any unsigned stuff in the windows folder… (start>run) Also please make sure you are running the latest CIS (Misc>about) it should say version 3.13.126709.581… If not, update CIS…

Here is a good tourial else that will help you get rid of most stuff: https://forums.comodo.com/virusmalware-removal-assistance/what-to-do-if-youre-infected-experience-rev3-t41380.0.html

Thanks so much for replying I mean svchost.exe sorry about that here are screenshots:




(Boinc is normal btw, but the lsass.exe never used to be there and neither did the MULTIPLE svchosts. the firefox thing never used to happen either)

I contacted my ISP and they tell me I must have some kind of virus on the computer that VIPRE and the other antiviruses aren’t picking up.

Everytime I kill a connection a new one with a different IP address pops up. Within ten minutes I literally have dozens of different IP addresses via firefox when Im just on google.

I will download Hijack this and run sigverif when I get home. What is MBAM?

Reading the link you kindly gave me now.

Its normal for firefox to have several connections (as long as they are not INBOUND…) :smiley: Fx open many connections to download pages faster… :-TU

svchost is actually a collect name for some of the services running in the background (somewhat hidden stuff)… Its possible to limit those connections, simplest would be to disable services…

To see what services are running start services.msc (start>run) and type in services.msc (if your on xp…)
Here is a guide in XP about what services are safe/none safe to disable: http://www.blackviper.com/WinXP/servicecfg.htm
And here is the same for vista: http://www.blackviper.com/WinVista/servicecfg.htm

(however be a bit careful, you may end up with huge issues if you disable the wrong thing… SAFE is a good configuration if you are unaware of what you are doing)

If you are confident that boinc is safe then I don’t see that much odd with that list… Mine is a bit stricter, but thats about it…

malwarebytes anti-malware: http://www.malwarebytes.org/

Oh, just one thing. Its possible that your firefox is running some junk I guess… What version are you using??
I hope you are using the latest 3.5.7… If not update(!) You can look under: Tools> Addons> Plugins and the “exstension” part… If you have some ■■■■■■ tool-bar, its likely you can find it somewhere there… For improved security, I would try disable some plugins… except mozilla default plugin and (shockvawe) flash (the last is needed for youtube… but has unfortunately been a object for many security flaws)…

I’m confused so there is no way those connections can see what I am typing?

There are no suspicious connections in your screen shots.

Turn ‘stealth port’ off.
go to ‘Stealth ports Wizard’>choose ‘Alert me to
incoming connections stealth my ports on a per-case basis’>apply.
(do not chooose ‘Block all~~~~~’)

Like Creasy said… :-TU

However its still possible that you have a keylogger of some sort or some advanced Trojan masking its actions, hard to tell without checking your computer hands on… :-\

One thing you may do tho, if it helps calm your nerves:

CIS by default don’t guard your keyboard… But you can make it do that if you like, it will however result in a few more pop-ups, if you want this set CIS to PROACTIVE… To do that start CIS and click: Miscellaneous>Manage My Configurations> COMODO Proactive Security… and click Activate… 8) :-TU (but if you don’t understand or pay attention to HIPS(D+) alerts this may be a unnecessary move…