Free Republic

TECHNICAL SUPPORT QUERY - FIREWALL GETTING SLAMMED SO HARD THAT IE TIMES OUT

Posted on 09/30/2003 6:33:35 AM PDT by Chancellor Palpatine

Here is my problem:

Yesterday AM, my box at home (a P3 running WinMe) was running really slow. It is on a cable modem through Insight. I rebooted a couple of times, and unplugged the modem several times just to be able to open a browser. I figured it was just with them, and didn't bother with a trouble call.

After I got home from work, it was worse, so I called tech support. Only then did I look at my Zone Alarm, which showed an alarming number of hits (the tech guy was no help). I have been good about running McAfee and updating my definitions there and on Ad Aware - and ran scans with both. I also managed to update my Zone Alarm - which was showing huge hits (according to the tech guy, my attempted intrusions were coming worldwide - Europe, Asia, South America, according to the IPs of several of the thousands of attempted hits).

This morning, I booted up the home box, and in the space of about twenty minutes, nearly 4000 hits came in.

I called tech support again and asked if he could assign me a new IP - his suggestion was that I wait 48 hours or so and stay off the net (the modem is unplugged), and set the thing to change then - something about them giving up on me.

Also, McAfee found one "potentially unwanted" program related to adware that it can't clean, delete or quarantine, nor could I do it via "find". It is c:/_restore/archive/fs85.cab (Stinger didn't catch that at all).

I feel like there is some trojan or something in it, HELP!


TOPICS: Technical
KEYWORDS: technicalsupport

1 posted on 09/30/2003 6:33:36 AM PDT by Chancellor Palpatine

Comment #2 Removed by Moderator

To: Chancellor Palpatine
all that porn finally catching up with ya, is it...? ; )
3 posted on 09/30/2003 6:38:07 AM PDT by xsmommy

To: Chancellor Palpatine
Sounds like the Welchia worm.
Check the log file of your firewall and look to see how many hits came through on port 135, also check to see if there are any errors defining the cache or buffer as being full.
If this is the case, there is a removal tool at Symantec, McAfee may also provide a tool.
Good Luck
4 posted on 09/30/2003 6:38:36 AM PDT by HEY4QDEMS
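
The port count suggested in comment 4, as an added example that is not part of the original thread. It assumes the firewall log uses ZoneAlarm's comma-separated text layout (type, date, time, source, destination, transport); the sample lines are constructed and use documentation addresses.

```python
from collections import Counter

# Constructed sample. Layout assumed to match ZoneAlarm's text log:
# type,date,time,source,destination,transport
SAMPLE_LOG = """\
ZoneAlarm Logging Client v3.7.202
type,date,time,source,destination,transport
FWIN,2003/09/30,06:10:01 -4:00 GMT,198.51.100.7:3312,192.0.2.10:135,TCP (flags:S)
FWIN,2003/09/30,06:10:02 -4:00 GMT,203.0.113.44:4120,192.0.2.10:135,TCP (flags:S)
FWIN,2003/09/30,06:10:02 -4:00 GMT,198.51.100.7:3313,192.0.2.10:445,TCP (flags:S)
FWIN,2003/09/30,06:10:03 -4:00 GMT,203.0.113.9:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/09/30,06:10:04 -4:00 GMT,198.51.100.23:1026,192.0.2.10:137,UDP
FWOUT,2003/09/30,06:10:05 -4:00 GMT,192.0.2.10:1045,198.51.100.80:80,TCP (flags:S)
FWIN,2003/09/30,06:10:06 -4:00 GMT,203.0.113.44:4121,192.0.2.10:135,TCP (flags:S)
FWIN,truncated line
"""


def summarize_inbound(log_text):
    """Tally blocked inbound (FWIN) entries by (protocol, destination port)."""
    ports, sources, skipped = Counter(), set(), 0
    for line in log_text.splitlines():
        fields = line.split(",")
        if fields[0] != "FWIN":          # headers and outbound (FWOUT) entries
            continue
        if len(fields) < 6:
            skipped += 1                 # damaged or truncated entry
            continue
        src_ip = fields[3].rpartition(":")[0]
        dst_port = fields[4].rpartition(":")[2]
        proto = (fields[5].split() or ["?"])[0]
        if not src_ip or not dst_port.isdigit():
            skipped += 1
            continue
        # ICMP has no ports (the sample shows them as 0), so key on protocol only.
        key = (proto, int(dst_port) if proto in ("TCP", "UDP") else None)
        ports[key] += 1
        sources.add(src_ip)
    total = sum(ports.values())
    return {
        "total": total,
        "sources": len(sources),
        "skipped": skipped,
        "top_ports": ports.most_common(3),
        "share_tcp_135": ports[("TCP", 135)] / total if total else 0.0,
    }


if __name__ == "__main__":
    for name, value in summarize_inbound(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

A single port dominating the tally points to a worm scanning for that service; an even spread across many ports does not.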

To: Poohbah; Bush2000
Oh, and when the computer was off, the moment I plugged in the modem, the "cable activity" light flickered like a strobe in a disco.
5 posted on 09/30/2003 6:40:32 AM PDT by Chancellor Palpatine (....try weasel, the other yellow meat....)

To: William Creel
There was no one particular port that was being targeted, the tech guy had me browse the list for that. Not a lot of similarity, but as I said, there were thousands of hits.
6 posted on 09/30/2003 6:42:12 AM PDT by Chancellor Palpatine (....try weasel, the other yellow meat....)

Comment #7 Removed by Moderator

Comment #8 Removed by Moderator

To: Chancellor Palpatine
Search the net on the "...potentially related to adaware" program.

I seem to remember a virus or trojan that renames itself as an adaware file or something like an adaware file.

9 posted on 09/30/2003 6:43:08 AM PDT by VeniVidiVici (There is nothing Democratic about the Democrat party.)

To: HEY4QDEMS
I'll check that when I get home. Thanks.
10 posted on 09/30/2003 6:43:27 AM PDT by Chancellor Palpatine (....try weasel, the other yellow meat....)

To: Chancellor Palpatine
I need your current IP in order to lend assistance.



hehehe.
11 posted on 09/30/2003 6:44:36 AM PDT by Registered (Gray Davis won't be baaaaahhck)

To: William Creel
I'll check that when I get home. It's an interesting sort of thing - but frustrating as all hell.
12 posted on 09/30/2003 6:44:43 AM PDT by Chancellor Palpatine (....try weasel, the other yellow meat....)

To: Registered
Hell, every hacker in the world has it now. What is one more, LOL.
13 posted on 09/30/2003 6:45:16 AM PDT by Chancellor Palpatine (....try weasel, the other yellow meat....)

To: Chancellor Palpatine
Boot into safe mode and do a virus scan

Remove any file-sharing software on your computer
14 posted on 09/30/2003 6:45:23 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)

To: AppyPappy
I think he should slap a shipping label on it and send it your way.
15 posted on 09/30/2003 6:46:31 AM PDT by Registered (Gray Davis won't be baaaaahhck)

To: AppyPappy
I already killed WinMx (of course, even though I thought I killed it, I still keep finding chunks of Kazaa floating around). As far as I know, WinMx was the only file sharer I had left on that box.
16 posted on 09/30/2003 6:47:20 AM PDT by Chancellor Palpatine (....try weasel, the other yellow meat....)

To: Chancellor Palpatine
Have you thought about getting a router after determining that you don't have a virus? It should be part of your firewall.
17 posted on 09/30/2003 6:48:05 AM PDT by John123 (No, I certainly haven't forgotten!)

To: Registered
That's a nicer idea than the one I had this morning - it involved the driveway, that laptop, and my sledgehammer.
18 posted on 09/30/2003 6:48:18 AM PDT by Chancellor Palpatine (....try weasel, the other yellow meat....)

To: HEY4QDEMS
Doubtful that it's the Welchia worm. Welchia should not infect a Win ME system. Besides, the main impact of Welchia is that it attempts to apply the MS DCOM RPC patch. That should not create such an increase of traffic.

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

19 posted on 09/30/2003 6:48:59 AM PDT by tentmaker

To: John123
I had almost gotten a router for it a couple of years ago for that very reason, but got sold on the idea of software only by somebody (and if I ever remember who that somebody was, I'll brain them).
20 posted on 09/30/2003 6:49:57 AM PDT by Chancellor Palpatine (....try weasel, the other yellow meat....)

