

Windows 7: TCP Flooding Attack


23 Feb 2013   #1

Windows 7 32bit
 
 
TCP Flooding Attack

I'm not sure if it's the right place for this, but I'm kind of desperate. I don't have much technical computer knowledge, so please bear with me. Here's the thing. Recently I moved to a new student dormitory with a wired internet connection. And my ESET 6 started sending me notifications about TCP flooding attacks (ip - internet gateway). The disturbing part is that after turning on the computer a newly created user account appears with some (seems like) random letter combination name. After deleting, it reappears again the same way. I put a password on the new account. And then the third account appeared. Just to mention - almost right after moving in I've configured my new ESET 6 update. Besides that I didn't download any other software. What are your thoughts, suggestions?



23 Feb 2013   #2

W7 Pro SP1 64bit
 
 

Welcome to the Seven Forums.

There are some great security folks here (I'm not one of them). Until one of them can chime in on your thread, I'll suggest a scan with WDO: What is Windows Defender Offline?

I like using WDO from a USB flash drive. Let it run the quick scan and then you can run the full scan.
23 Feb 2013   #3

Windows 7 Professional SP1 64-bit
 
 

Download and install Malwarebytes Antimalware Free. When it asks if you want to do a free trial of the pro version, say yes. It has an automatic malicious IP blocker which may help in this scenario. Run a full scan.

You definitely have some kind of malware/hack going on as far as I can tell. I'm not willing to call myself an expert, but hopefully my advice will get you going in the right direction.


23 Feb 2013   #4

Win7 Home Premium 64x
 
 

I would also boot into the hidden admin account while offline and set a password so if they are getting in through this, you can prevent it. (This can be enabled with a basic command. Not sure if they can send this command remotely though, but it would be good to password protect it so they can't.)

Built-in Administrator Account - Enable or Disable

After that, I would run this site and see if any ports are open or if you have any security issues: https://www.grc.com/x/ne.dll?bh0bkyd2

You can also turn off all remote access and sharing capabilities.

If you see it again, look in your processes on startup with ProcessMonitor. This will log all programs that run from startup to shutdown in case there is actual malware installed: http://technet.microsoft.com/en-us/s.../bb896645.aspx
23 Feb 2013   #5

Win7 Home Premium 64x
 
 

Also get TCPView to see all your network connections. TCPView for Windows

You can manually disconnect any TCP connection through this.
23 Feb 2013   #6

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 

Also, it might be a good idea to run TDSSKiller to see if you have a rootkit.

How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
23 Feb 2013   #7

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by bruberry
.........The disturbing part is that after turning on the computer a newly created user account appears with some (seems like) random letter combination name. After deleting, it reappears again the same way. I put a password on the new account. And then the third account appeared. Just to mention - almost right after moving in I've configured my new ESET 6 update. Besides that I didn't download any other software. What are your thoughts, suggestions?
I use ESET's online scanner, but I've not played with their other products. I installed ESET 6 into a virtual machine to see if there was a feature that could account for these randomly named accounts showing up. The good news is - these accounts are probably a part of ESET's anti-theft protection. It is a way for the product to help you locate a stolen computer.

This is what I saw as I was setting up that feature:

[Attached image: eset-1.png]
Notice that I called the account "test". My assumption is that I would use that info on ESET's website while I was looking for a lost or stolen computer. The name on the account that the ESET product created on the computer was not "test". And after a restart of the computer - I saw this:

[Attached image: eset-2.png]

After activating the trial license for ESET 6, that randomly named account was enabled. (The down arrow in the account's icon was gone.) The account came back after I deleted it. I put a password on that randomly named account... but a new one has not yet appeared. It probably will once the ESET software checks on things.

BTW, the randomly named account is a standard user.

You still have the issue of ESET's warnings about the TCP Flood attack(s) and it is possible that the randomly named accounts are the result of some malware. But those accounts could just be from ESET.

Edit: ESET 6 might be taking care of these attacks for you. You might not need to take any further action against them. Even the native Windows 7 firewall will protect you from such attacks to an extent. This might be a case of the ESET product attempting to justify its existence.

I hope that you have set the network connection type to Public.
Network Location - Set as Home, Work, or Public Network

Edit2: corrected some typos and probably added other ones :-)
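
An added example (not part of the original post, and not ESET's or any poster's code) for checking the accounts described above: it lists every local account with whether it is disabled, whether it belongs to the local Administrators group, and whether a user profile exists for it (a profile is created at first interactive logon). It assumes the PowerShell 2.0 that ships with Windows 7 and an elevated prompt; it only reads, and the output column names are this example's own.

```powershell
# Added example: read-only audit of local accounts (PowerShell 2.0, Windows 7).

# Every local account known to this machine.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

# Local Administrators group, looked up by its well-known SID so the
# check does not depend on the display language of Windows.
$adminGroup = Get-WmiObject -Class Win32_Group `
    -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$adminSids = @()
foreach ($member in $adminGroup.GetRelated('Win32_UserAccount')) {
    $adminSids += $member.SID
}

# Profiles on disk, keyed by account SID. An account that has never
# logged on interactively has no entry here.
$profilePaths = @{}
Get-WmiObject -Class Win32_UserProfile | ForEach-Object {
    $profilePaths[$_.SID] = $_.LocalPath
}

# One row per account; review any name you did not create yourself.
$accounts | ForEach-Object {
    New-Object PSObject -Property @{
        Name             = $_.Name
        Disabled         = $_.Disabled
        PasswordRequired = $_.PasswordRequired
        IsAdministrator  = ($adminSids -contains $_.SID)
        ProfilePath      = $profilePaths[$_.SID]
        SID              = $_.SID
    }
} | Select-Object Name, Disabled, PasswordRequired, IsAdministrator, ProfilePath, SID |
    Format-Table -AutoSize
```

An unfamiliar account that shows `IsAdministrator` as True or has a `ProfilePath` deserves a closer look than one that is a standard user with no profile.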


23 Feb 2013   #8

Windows 7 Professional SP1 64-bit
 
 

After seeing UsernameIssues' post I am less concerned. I found some threads searching with Google that state that many instances of ESET reporting a TCP flooding attack are false positives. Skype and any torrent software are the two I see most often. I also saw some where streaming to a smart device, like a smart TV or Xbox 360, caused it, and one instance of an old router causing it. I still suggest doing everything previously listed to be sure.
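
An added example (not from the thread's posters or from ESET) of the check that TCPView supports by eye: it groups the machine's TCP connections by owning process and connection state, so a program like the ones named above shows up as the owner of an unusually large number of connections. It assumes PowerShell 2.0 on Windows 7 and the English column layout of `netstat -ano`; the property names are this example's own.

```powershell
# Added example: summarise TCP connections per process and state (read-only).

# Parse each "TCP  local  remote  state  pid" line of netstat output.
$connections = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
    $fields = $_.Trim() -split '\s+'
    New-Object PSObject -Property @{
        Local  = $fields[1]
        Remote = $fields[2]
        State  = $fields[3]
        ProcId = [int]$fields[4]
    }
}

# Map process IDs to names so the summary is readable.
$processNames = @{}
Get-Process | ForEach-Object { $processNames[$_.Id] = $_.ProcessName }

# Count connections per (process, state), busiest first.
$connections | Group-Object ProcId, State | Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        New-Object PSObject -Property @{
            Count   = $_.Count
            State   = $first.State
            ProcId  = $first.ProcId
            Process = $processNames[$first.ProcId]
        }
    } | Select-Object Count, State, ProcId, Process | Format-Table -AutoSize
```

A blank `Process` column means the owning process had already exited by the time its name was looked up.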
23 Feb 2013   #9

Windows 7 Home Premium
 
 

bruberry,

Consider using the Kaspersky Security Scan...

Download:
Kaspersky Security Scan | Free Virus Scanner | Kaspersky Lab US
Save to the Desktop

Double-click the downloaded program to run it.

If you receive a security warning, allow the program to run.

The setup wizard starts...follow the prompts and Install.
To finalize the install, click: Finish

The Kaspersky Security Scan console appears.

Click the Full Scan button


The scan takes a while, depending on the amount of data on your hard drive.
If the scan detects problems it opens a Problems Found window.
Click on Details to generate a scan results report.

Once the scan is complete, navigate to the DataRoot folder:
For Windows 7 - C:\ProgramData\Kaspersky Lab\KSS2\DataRoot

Right-click on the HtmlReport folder > Send to > Compressed (zipped) folder
Save to the Desktop

Close the Kaspersky Security Scan.

Please attach the HtmlReport zipped folder to your next reply.
24 Feb 2013   #10

Windows 7 32bit
 
 

Wow, thank YOU very much for ALL your replies. I also thought it may have something to do with the ESET Phantom thing. I'm very impressed. Big thanks to UsernameIssues, Petey7, Thorsen, Borg 386, cottonball