Having a lot of 139/445 traffic in my network, so much
that when this virus runs on one of the servers gets an
event id 2022 -out of connections. All patches and updates
have been loaded. Been in contact with Trend; they picked
up some spyware appending to secfind.exe, but haven't
fixed it as yet. We have a mixed environment, win2k and XP.
This only affects the Win2k. Win2k security problem?

Have spoken to Microsoft in S.Africa but they only have a
sweet and rather charming Gal to help you with virus
removal tools etc but nowhere to escalate to.

Been hacking at this for 2 weeks now!!!!!!!!!!

Re: port 139/445 traffic not picked up by antivirus by Dave

Dave
Tue Aug 24 06:43:14 CDT 2004


"Tom" <anonymous@discussions.microsoft.com> wrote in message
news:be9901c489cb$7d3e7c70$a501280a@phx.gbl...
> Having a lot of 139/445 traffic in my network, so much
> that when this virus runs on one of the servers gets an
> event id 2022 -out of connections. All patches and updates
> have been loaded. Been in contact with Trend; they picked
> up some spyware appending to secfind.exe, but haven't
> fixed it as yet. We have a mixed environment, win2k and XP.
> This only affects the Win2k. Win2k security problem?
>
> Have spoken to Microsoft in S.Africa but they only have a
> sweet and rather charming Gal to help you with virus
> removal tools etc but nowhere to escalate to.
>
> Been hacking at this for 2 weeks now!!!!!!!!!!
>
>

so you are the source of all those port scans and probes! unplug from the
world and don't come back until you have it fixed! anti-virus products are
not firewalls, nor are most of them designed to get rid of spyware, adware,
or many other nasties. find the faq on this group that lists all the other
tools you need and start scanning.



Re: port 139/445 traffic not picked up by antivirus by G

G
Tue Aug 24 07:00:43 CDT 2004

Tom wrote:
> Having a lot of 139/445 traffic in my network, so much
> that when this virus runs on one of the servers gets an
> event id 2022 -out of connections. All patches and updates
> have been loaded. Been in contact with Trend; they picked
> up some spyware appending to secfind.exe, but haven't
> fixed it as yet. We have a mixed environment, win2k and XP.
> This only affects the Win2k. Win2k security problem?
>
> Have spoken to Microsoft in S.Africa but they only have a
> sweet and rather charming Gal to help you with virus
> removal tools etc but nowhere to escalate to.
>
> Been hacking at this for 2 weeks now!!!!!!!!!!
>
>

Spyware needs a spyware removal tool, 2 are free, spybot and adaware. A
google search will take you to their Home Page. AV software will rarely
help but they are adding spyware detection and removal in newer versions.

g-w

Re: port 139/445 traffic not picked up by antivirus by Steven

Steven
Tue Aug 24 14:55:10 CDT 2004

Try downloading the McAfee stinger tool which is compact and free and will
scan for many common worms and viruses at the link below.

http://vil.nai.com/vil/stinger/

Also check for Spyware/parasites with the free AdAware and try using
TCPView, Process Explorer, and Autoruns from SysInternals to try and find
the process/executable that is causing this activity by looking for port use
that maps to an application/process that should not be there. If you
identify a process, you can try to kill it and search for the name of the
executable on Google which may help identify the virus/worm though names
can be randomly chosen. If you can identify it, you may be able to find a
removal tool though a rebuild is the best way to ensure the problem is
corrected if it is a virus or worm, but that is your call. Software
firewalls [ Zone Alarm or Sygate -free to try ] can also help identify a
process/application accessing certain ports as they can be configured to ask
for permission before gaining network access which would happen very quickly
after install on an infected computer.--- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
http://www.microsoft.com/athome/security/protect/default.aspx

"Tom" <anonymous@discussions.microsoft.com> wrote in message
news:be9901c489cb$7d3e7c70$a501280a@phx.gbl...
> Having a lot of 139/445 traffic in my network, so much
> that when this virus runs on one of the servers gets an
> event id 2022 -out of connections. All patches and updates
> have been loaded. Been in contact with Trend; they picked
> up some spyware appending to secfind.exe, but haven't
> fixed it as yet. We have a mixed environment, win2k and XP.
> This only affects the Win2k. Win2k security problem?
>
> Have spoken to Microsoft in S.Africa but they only have a
> sweet and rather charming Gal to help you with virus
> removal tools etc but nowhere to escalate to.
>
> Been hacking at this for 2 weeks now!!!!!!!!!!
>
>



Re: port 139/445 traffic not picked up by antivirus by Karl

Karl
Wed Aug 25 05:21:32 CDT 2004

I would be surprised if a two week old virus wasn't in the anti-virus
updates yet. Try a second opinion scan by going to
http://housecall.antivirus.com. Also try running an anti-virus scan of the
server from another Windows computer across the network. It is possible
that whatever it is is using Windows rootkit functionality to hide files,
registry values, processes, services and/or ports from the local GUI, and
scanning remotely often allows you to find the hidden files.

Free firewalls like www.sygate.com, www.kerio.com and/or www.zonealarm.com
should tell you which executable is generating that traffic.
www.sysinternals.com has a variety of tools that should help you, such as
filemon and process explorer to show you what files are being accessed.
Search Google for the free tools Silent Runners and RKDetect and run them.
Look at the startup locations on the server using Silent Runners and/or one
of these startup tools:

http://securityadmin.info/faq.asp#startup

You could also press CTRL-ALT-DELETE to bring up Task Manager and tell us
the name of all the processes in the list. For example, if you find one
that is using up a lot of CPU time, or you find one whose name brings up few
or no hits in Google not counting discussions about viruses, then that file
is likely malicious. Note that using file name alone is not a reliable way
to tell which virus it is, but it can sometimes be used to tell whether a
file is abnormal.

Here are some other links that may help:

http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden


"Tom" <anonymous@discussions.microsoft.com> wrote in message
news:be9901c489cb$7d3e7c70$a501280a@phx.gbl...
> Having a lot of 139/445 traffic in my network, so much
> that when this virus runs on one of the servers gets an
> event id 2022 -out of connections. All patches and updates
> have been loaded. Been in contact with Trend; they picked
> up some spyware appending to secfind.exe, but haven't
> fixed it as yet. We have a mixed environment, win2k and XP.
> This only affects the Win2k. Win2k security problem?
>
> Have spoken to Microsoft in S.Africa but they only have a
> sweet and rather charming Gal to help you with virus
> removal tools etc but nowhere to escalate to.
>
> Been hacking at this for 2 weeks now!!!!!!!!!!
>
>
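Both Steven and Karl suggest mapping the 139/445 connections back to the owning process (TCPView, a personal firewall prompt). The script below is an added example, not from any poster in the thread: it parses `netstat -ano` output (the XP/2003 format with a PID column; Win2k's netstat has no -o switch, so there the same mapping has to come from TCPView) and flags any PID that is fanning out to many distinct hosts on the SMB ports, which is the pattern behind the traffic and the "out of connections" event. The sample output, addresses and PIDs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (XP/2003 format). The hosts,
# ports and PIDs are made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.1.1.10:1042         10.1.1.20:445          ESTABLISHED     4
  TCP    10.1.1.10:1101         10.1.2.5:445           SYN_SENT        1532
  TCP    10.1.1.10:1102         10.1.2.6:445           SYN_SENT        1532
  TCP    10.1.1.10:1103         10.1.2.7:139           SYN_SENT        1532
  TCP    10.1.1.10:1104         10.1.2.8:445           SYN_SENT        1532
  TCP    10.1.1.10:1105         10.1.2.9:445           SYN_SENT        1532
  TCP    10.1.1.10:3389         10.1.1.50:2231         ESTABLISHED     948
"""

SMB_PORTS = {139, 445}
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state, pid)
    for each TCP line; header and UDP lines (no state column) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            yield proto, lip, int(lport), rip, int(rport), state, int(pid)

def smb_fanout_by_pid(text):
    """Count distinct remote hosts each PID is talking to on 139/445.
    Listening sockets and the 0.0.0.0 placeholder peer are ignored; a PID
    reaching many hosts on SMB ports (often stuck in SYN_SENT) is the one
    to look at in TCPView or Process Explorer."""
    peers = defaultdict(set)
    for _, _, _, rip, rport, state, pid in parse_netstat(text):
        if rport in SMB_PORTS and state != "LISTENING" and rip != "0.0.0.0":
            peers[pid].add(rip)
    return {pid: len(hosts) for pid, hosts in peers.items()}

def suspicious_pids(text, threshold=3):
    """Return PIDs whose SMB fan-out meets the threshold, busiest first."""
    fanout = smb_fanout_by_pid(text)
    return sorted((pid for pid, n in fanout.items() if n >= threshold),
                  key=lambda pid: -fanout[pid])

if __name__ == "__main__":
    fanout = smb_fanout_by_pid(SAMPLE_NETSTAT)
    for pid in suspicious_pids(SAMPLE_NETSTAT):
        print(f"PID {pid}: {fanout[pid]} distinct SMB peers")
```

On a live box, feed it the saved output of `netstat -ano` and look the flagged PID up in Process Explorer; the System process (PID 4) legitimately holds a few SMB connections to file servers, so judge by fan-out, not by the mere presence of port 445.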