Suspected DDoS attack

Not sure if this is the right place for this post. I am experiencing what I think is a DDoS attack on my XP SP3 box. I just recently did a fresh install on the PC, and everything was running fine for about a month. Now, when the machine is booted up, network traffic increases exponentially, and there are over 600 outbound connections. The programs involved were Skype (now uninstalled) and something called 4E, a game from MSN Games (also uninstalled). Traffic for the programs was counted in multiple GBs (7 digits). I have also done a system restore to day one of the O/S, but the “DDoS” remains and I don’t know what to do from here. Also, Defense+ is malfunctioning per a warning from CIS 3.09. I ran Spybot and it found 99 “problems” and fixed them; a good portion of the errors were registry changes.

My questions are:

  1. How do I find what is causing this?

  2. Should I just start over with a new “clean install” of XP sans SP3 and IE 8? (The user of this machine refuses to use Firefox.)

  3. If I go with the clean install how can I prevent reinfection?

Either I have not configured CIS properly (likely) :-[, or it is not sufficient. What other tools/software would be recommended?

System specs:
O/S: Windows XP Pro SP3
Intel P4 2.66 GHz
2 GB RAM
200 GB HDD (x2)
256 MB ATI Radeon 9600

As you can see, not a screamer; this PC is just for browsing the internet and email etc.

Thank you for your time and assistance.

Datasys ~

Start with What to do if you’re infected - eXPerience Rev.3 and keep us posted.

Thank you for the reply. I am also having problems with the router; I just bought a new one and will be installing it on Saturday. Perhaps the router is proliferating this whatever-it-is. It has crippled the third PC in the house, which is exhibiting symptoms of Sasser/Blaster or something. I just learned that the owner of that PC has NOT been doing his updates! His is running XP Pro as well. A correlation? I think so. This brings another question, a bit out of the scope of this thread: how can I isolate his PC from the other 2 on the network?


Datasys ~

You can try by giving the infected pc a fixed internal IP address and then make that IP address part of the My Blocked Network Zones (Firewall → Common Tasks) on the other computers.

Update… new router installed, and I am currently running the scans as per the thread. I have only found the “normal tracking cookies” so far. I have more information on the mystery bandwidth monster. It looks like it is alg.exe that is responsible for the large amount of bandwidth, on IPs that start with the first octet as 0.X.X.X. Interestingly, the IP address changes with each boot, but it has always started with the 0; the other octets are different after each boot. I have told CIS to block alg.exe but it looks like it hasn’t done that. Once I get the HijackThis log, do you think it will be safe to email it to myself so I can post it here?
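A small triage script for the symptoms described in the post above (one process holding many outbound connections, destinations in 0.X.X.X). This is an added example, not from the thread or from CIS; the netstat lines are constructed, and the PID/process mapping is left to the reader (netstat -ano on XP prints PIDs, not names).

```python
"""Flag processes with many outbound connections or with connection
attempts to unroutable (bogon) destinations, from 'netstat -ano' text.
Added example; the sample output below is constructed, not captured."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the shape of Windows 'netstat -ano' output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1035      0.17.44.201:80         SYN_SENT        1188
  TCP    192.168.1.10:1036      0.203.9.17:80          SYN_SENT        1188
  TCP    192.168.1.10:1037      0.5.77.130:80          SYN_SENT        1188
  TCP    192.168.1.10:1040      74.125.67.100:443      ESTABLISHED     2004
  TCP    192.168.1.10:1042      0.8.123.9:80           SYN_SENT        1188
  UDP    0.0.0.0:123            *:*                                    1004
"""

# 0.0.0.0/8 is "this network" and is never a valid destination on the Internet.
BOGON_NETS = [ipaddress.ip_network("0.0.0.0/8")]

def parse_netstat(text):
    """Return (proto, remote_host, state, pid) tuples for each TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, foreign = parts[0], parts[2]
        state = parts[3] if proto == "TCP" else ""  # UDP rows have no State
        pid = int(parts[-1])
        host = foreign.rsplit(":", 1)[0]            # strip the port
        rows.append((proto, host, state, pid))
    return rows

def triage(text, max_conns=3):
    """Return (sorted suspicious PIDs, {pid: set of bogon hosts})."""
    per_pid = Counter()
    bogon_pids = defaultdict(set)
    for proto, host, state, pid in parse_netstat(text):
        if host in ("*", "0.0.0.0"):
            continue  # listening sockets, not outbound traffic
        per_pid[pid] += 1
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in BOGON_NETS):
            bogon_pids[pid].add(host)
    flagged = {pid for pid, n in per_pid.items() if n > max_conns}
    flagged |= set(bogon_pids)
    return sorted(flagged), dict(bogon_pids)
```

Run it against the real `netstat -ano` output of the affected box and compare the flagged PIDs with Task Manager (View → Select Columns → PID) to confirm which executable owns them.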

Can you show us a screenshot of the firewall logs? They can be found under Firewall → Common Tasks → View Firewall Events.

I gave up tracing the weirdness. If it reappears I’ll be sure to open a new thread.

It was just too strange of a problem. I guess the slipstream install got messed up when the program nLite did the compression/decompression. I should have tested the installation in a virtual box before putting it on my PC.

Thanks for the help anyway… at least I have a good toolbox for when/if I do get any nasties.