TCP Flooding Attack

bruberry

I'm not sure if this is the right place for this, but I'm kind of desperate. I don't have much technical computer knowledge, so please bear with me. Here's the thing. Recently I moved to a new student dormitory with a wired internet connection, and my ESET 6 started sending me notifications about TCP flooding attacks (IP: internet gateway). The disturbing part is that after turning on the computer a newly created user account appears with some (seemingly) random letter combination as its name. After deleting it, it reappears again the same way. I put a password on the new account, and then a third account appeared. Just to mention: almost right after moving in I configured my new ESET 6 update. Besides that I didn't download any other software. What are your thoughts and suggestions?
 

Welcome to the Seven Forums.

There are some great security folks here (I'm not one of them). Until one of them can chime in on your thread, I'll suggest a scan with WDO: What is Windows Defender Offline?

I like using WDO from a USB flash drive. Let it run the quick scan and then you can run the full scan.
 

Download and install Malwarebytes Anti-Malware Free. When it asks if you want to do a free trial of the Pro version, say yes. It has an automatic malicious IP blocker which may help in this scenario. Run a full scan.

You definitely have some kind of malware/hack going on as far as I can tell. I'm not willing to call myself an expert, but hopefully my advice will get you going in the right direction.
 

I would also boot into the hidden admin account while offline and set a password, so if they are getting in through this, you can prevent it. (This can be enabled with a basic command. Not sure if they can send this command remotely, but it would be good to password-protect it so they can't.)

http://www.sevenforums.com/tutorials/507-built-administrator-account-enable-disable.html

After that, I would run this site and see if any ports are open or if you have any security issues: https://www.grc.com/x/ne.dll?bh0bkyd2

You can also turn off all remote access and sharing capabilities.

If you see it again, look at your processes on startup with Process Monitor. This will log all programs that run from startup to shutdown, in case there is actual malware installed: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
 

Also get TCPView to see all your network connections: TCPView for Windows

You can manually disconnect any TCP connection through this.
 

.........The disturbing part is that after turning on the computer a newly created user account appears with some (seems like) random letter combination name. After deleting, it reappears again the same way. I put a password to the new account. And then the third account appeared. Just to mention - almost right after moving in I've configured my new ESET 6 update. Beside that I didn't download any other software. What are Your thoughts, suggestions?
I use ESET's online scanner, but I've not played with their other products. I installed ESET 6 into a virtual machine to see if there was a feature that could account for these randomly named accounts showing up. The good news is - these accounts are probably a part of ESET's anti-theft protection. It is a way for the product to help you locate a stolen computer.

This is what I saw as I was setting up that feature:

eset-1.png
Notice that I called the account "test". My assumption is that I would use that info on ESET's website while I was looking for a lost or stolen computer. The name on the account that the ESET product created on the computer was not "test". And after a restart of the computer - I saw this:

eset-2.png

After activating the trial license for ESET 6, that randomly named account was enabled. (The down arrow in the account's icon was gone.) The account came back after I deleted it. I put a password on that randomly named account... but a new one has not yet appeared. It probably will once the ESET software checks on things.

BTW, the randomly named account is a standard user.

You still have the issue of ESET's warnings about the TCP Flood attack(s) and it is possible that the randomly named accounts are the result of some malware. But those accounts could just be from ESET.

Edit: ESET 6 might be taking care of these attacks for you. You might not need to take any further action against them. Even the native Windows 7 firewall will protect you from such attacks to an extent. This might be a case of the ESET product attempting to justify its existence.

I hope that you have set the network connection type to Public.
http://www.sevenforums.com/tutorials/43629-network-location-set-home-work-public-network.html

Edit2: corrected some typos and probably added other ones :-)
 
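As an added example that is not code from any poster in this thread: a PowerShell script that lists every local account, marks the ones you did not create, shows whether each is disabled (the "down arrow" state mentioned above) or a member of Administrators, and checks the built-in Administrator account that an earlier reply suggests password-protecting. It assumes Windows 7 with PowerShell 2.0 or later run from an elevated prompt; $knownNames is a placeholder list you edit to the accounts you recognise.

```powershell
# Added example, not from the thread: audit local accounts so an unexpected,
# randomly named account stands out, with its disabled/admin state.
# Assumes Windows 7, PowerShell 2.0 or later, elevated prompt.
# $knownNames is a placeholder: list the accounts you created yourself.
$knownNames = @('Administrator', 'Guest', $env:USERNAME)

function Get-LocalAccountReport {
    # Win32_GroupUser links groups to members; PartComponent is a string like
    # \\PC\root\cimv2:Win32_UserAccount.Domain="PC",Name="bob"
    $adminMembers = Get-WmiObject -Class Win32_GroupUser |
        Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
        ForEach-Object { if ($_.PartComponent -match 'Name="([^"]+)"') { $Matches[1] } }

    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name       = $_.Name
                SID        = $_.SID
                Disabled   = $_.Disabled
                IsAdmin    = ($adminMembers -contains $_.Name)
                Unexpected = ($knownNames -notcontains $_.Name)
            }
        }
}

$report = Get-LocalAccountReport
$report | Sort-Object Unexpected -Descending |
    Format-Table Name, SID, Disabled, IsAdmin, Unexpected -AutoSize

# For each account you did not create, 'net user' prints when its password was
# last set, which for a freshly created account is roughly when it appeared.
foreach ($acct in ($report | Where-Object { $_.Unexpected })) {
    $when = net user $acct.Name | Select-String 'Password last set' |
        ForEach-Object { $_.Line -replace '\s{2,}', ' ' }
    Write-Output ("Unexpected account '{0}': {1}" -f $acct.Name, $when)
}

# The built-in Administrator always has RID 500. If it is enabled, make sure
# it has a password, as an earlier reply recommends.
$builtin = $report | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($builtin -and -not $builtin.Disabled) {
    Write-Warning ("Built-in Administrator account '{0}' is enabled." -f $builtin.Name)
}
```

Compare any account flagged Unexpected against the one ESET Anti-Theft creates before treating it as a sign of compromise; an unexpected account that is also an admin deserves the malware scans suggested earlier.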
After seeing UsernameIssues' post I am less concerned. I found some threads searching with Google that state that many instances of ESET reporting a TCP flooding attack are false positives. Skype and any torrent software are the two I see most often. I also saw some where streaming to a smart device, like a smart TV or Xbox 360, caused it, and one instance of an old router causing it. I still suggest doing everything previously listed to be sure.
 

bruberry,

Consider using the Kaspersky Security Scan...

Download:
Kaspersky Security Scan | Free Virus Scanner | Kaspersky Lab US
Save to the Desktop

Double-click the downloaded program to run it.

If you receive a security warning, allow the program to run.

The setup wizard starts...follow the prompts and Install.
To finalize the install, click: Finish

The Kaspersky Security Scan console appears.

Click the Full Scan button
KSS full scan.JPG


The scan takes a while, depending on the amount of data on your hard drive.
If the scan detects problems it opens a Problems Found window.
Click on Details to generate a scan results report.

Once the scan is complete, navigate to the DataRoot folder:
For Windows 7 - C:\ProgramData\Kaspersky Lab\KSS2\DataRoot

Right-click on the HtmlReport folder > Send to > Compressed (zipped) folder
Save to the Desktop

Close the Kaspersky Security Scan.

Please attach the HtmlReport zipped folder to your next reply.
 

Wow, thank YOU very much for ALL your replies. :grouphug: I also thought it might have something to do with the ESET Phantom thing. I'm very impressed. Big thanks to UsernameIssues, Petey7, Thorsen, Borg 386, cottonball
 

You are welcome.

Stop by anytime. :-)
 

My wife forgot her password and logged into the phantom account created by ESET Anti-Theft; this caused another strange-name account to appear. Just disable the Anti-Theft option and the weird user name disappears.
 
