Weird Virus! Formatting the computer doesn't get rid of it.

dxkj

Lifer
Feb 17, 2001
Sends 30 billion (according to the network card) packets per second on port 445, to the University of Wisconsin IP range.


Formatting the computer and removing all the files, reinstalled Windows XP, and it's back. Without plugging it into anything, or sticking in any contaminated disks... fresh install of Windows XP



Any ideas? BIOS infected on the network card? I have no clue.
 

Viper22

Golden Member
Oct 9, 1999
Boot sector virus possibly... you would need to do a low level format on the HDD to get rid of it.
 

Maybe your network card is bad. 3 GB/sec. is impossible from a 10/100 Mbps card.
 

hevnsnt

Lifer
Mar 18, 2000
also, when you reinstalled XP was it on the network? It might have got re-infected as soon as it came back on..

 

dxkj

Lifer
Feb 17, 2001
I'm not saying it's actually sending that much, but the number is 300000000000000000 with tons of zeros after it
 

EyeMWing

Banned
Jun 13, 2003
Faulty network card - that's freaking impossible. What ever gave you the idea it was a virus?
 

hevnsnt

Lifer
Mar 18, 2000
Originally posted by: EyeMWing
Faulty network card - that's freaking impossible. What ever gave you the idea it was a virus?

I'm sorry but port 445 to a specified range.. sounds viral to me
 

dxkj

Lifer
Feb 17, 2001
Originally posted by: EyeMWing
Faulty network card - that's freaking impossible. What ever gave you the idea it was a virus?

3 other computers on campus have it... same thing, that's what gave me the idea.
 

hevnsnt

Lifer
Mar 18, 2000
Originally posted by: dxkj
Originally posted by: EyeMWing
Faulty network card - that's freaking impossible. What ever gave you the idea it was a virus?

3 other computers on campus have it... same thing, that's what gave me the idea.

You didn't answer my 2 questions.. I work in the security/virus field..
 

dxkj

Lifer
Feb 17, 2001
Originally posted by: hevnsnt
also, when you reinstalled XP was it on the network? It might have got re-infected as soon as it came back on..

tried scanning, nothing comes up



Disconnected from the network the entire time once the network admins noticed the extreme influx from the computer
 

hevnsnt

Lifer
Mar 18, 2000
Originally posted by: dxkj
Originally posted by: hevnsnt
also, when you reinstalled XP was it on the network? It might have got re-infected as soon as it came back on..

tried scanning, nothing comes up



Disconnected from the network the entire time once the virus was discovered

Disconnected during format & reinstall?

Download TCPview and see what is using port 445
 

EyeMWing

Banned
Jun 13, 2003
Originally posted by: dxkj
Originally posted by: EyeMWing
Faulty network card - that's freaking impossible. What ever gave you the idea it was a virus?

3 other computers on campus have it... same thing, that's what gave me the idea.

Okay, now it sounds like some dickhead in EE/CS trying to be cool.

Edit: Do all three machines have the same/similar NICs?
Edit: And furthermore, since I assume you're using some reporting software to pull these numbers, does the machine exhibit the same symptoms from outside the OS (i.e. during boot) (watch the NIC or hub LEDs)
 

dxkj

Lifer
Feb 17, 2001
Originally posted by: hevnsnt
Originally posted by: dxkj
Originally posted by: hevnsnt
also, when you reinstalled XP was it on the network? It might have got re-infected as soon as it came back on..

tried scanning, nothing comes up



Disconnected from the network the entire time once the virus was discovered

Disconnected during format & reinstall?

Download TCPview and see what is using port 445



ok, what am I looking for? Sending someone over to run the program right now.

green or red? :)
 

OutHouse

Lifer
Jun 5, 2000
Originally posted by: hevnsnt
Originally posted by: dxkj
Originally posted by: hevnsnt
also, when you reinstalled XP was it on the network? It might have got re-infected as soon as it came back on..

tried scanning, nothing comes up



Disconnected from the network the entire time once the virus was discovered

Disconnected during format & reinstall?

Download TCPview and see what is using port 445

Cool program. Thanks.

 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: dxkj
Originally posted by: EyeMWing
Faulty network card - that's freaking impossible. What ever gave you the idea it was a virus?

3 other computers on campus have it... same thing, that's what gave me the idea.

Sounds like some kind of Nimda or Blaster variant if it is trying to use port 445 (Microsoft Active Directory)

Make sure you do not plug into any network, patch the machine entirely through CD. Otherwise you'll just pick up the worm as soon as you boot.
 

dxkj

Lifer
Feb 17, 2001
Process: svchost.exe:736

Protocol: UDP

Local Address: ComputerName:bootpc

Remote Address: *.*

State: blank
 

hevnsnt

Lifer
Mar 18, 2000
Originally posted by: dxkj
Originally posted by: hevnsnt
Originally posted by: dxkj
Originally posted by: hevnsnt
also, when you reinstalled XP was it on the network? It might have got re-infected as soon as it came back on..

tried scanning, nothing comes up



Disconnected from the network the entire time once the virus was discovered

Disconnected during format & reinstall?

Download TCPview and see what is using port 445



ok, what am I looking for? Sending someone over to run the program right now.

green or red? :)

Either on port 445.. It will show you what program is sending/receiving on that port. Remember though, that this port is a Microsoft admin port, so Windows components might be using it as well.. Look for weird things like svch0st (that is a zero) or other weird things.
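Added example, not code from the thread or any poster: a small Python triage over constructed TCPView-style rows that applies the advice above. It treats the svchost.exe/bootpc UDP row dxkj transcribed as the expected DHCP client socket, flags a process name one character off a Windows system binary (the svch0st case), and flags any process that reaches port 445 on several distinct remote hosts, which is the fan-out pattern a worm scanning an address range produces. The row layout, the 192.0.2.x and 10.1.2.x addresses and the threshold of 3 are assumptions made for the demo.

```python
from collections import defaultdict

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe"}
SMB_PORTS = {"445", "microsoft-ds"}

# Constructed TCPView-style rows (process:PID, protocol, local, remote, state).
# Row 1 mirrors the DHCP client row transcribed in the thread; the rest are made up.
SAMPLE_ROWS = """\
svchost.exe:736 UDP ComputerName:bootpc *:*
svchost.exe:872 TCP 10.1.2.3:1054 192.0.2.11:microsoft-ds SYN_SENT
svchost.exe:872 TCP 10.1.2.3:1055 192.0.2.12:microsoft-ds SYN_SENT
svchost.exe:872 TCP 10.1.2.3:1056 192.0.2.13:445 SYN_SENT
svch0st.exe:1332 TCP 10.1.2.3:1057 192.0.2.40:445 SYN_SENT
lsass.exe:524 TCP 10.1.2.3:1058 10.1.2.9:445 ESTABLISHED
"""

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        proc, pid = parts[0].rsplit(":", 1)
        rows.append({"proc": proc.lower(), "pid": int(pid), "proto": parts[1],
                     "local": parts[2], "remote": parts[3]})  # state column (blank for UDP) ignored
    return rows

def is_lookalike(name):
    # One-character substitution of a system binary name, e.g. svch0st.exe (zero for o).
    return name not in SYSTEM_BINARIES and any(
        len(name) == len(s) and sum(a != b for a, b in zip(name, s)) == 1
        for s in SYSTEM_BINARIES)

def triage(text, fanout_threshold=3):
    """Return (benign_rows, findings): lookalike names and SMB fan-out to many hosts."""
    benign, findings, smb_targets = [], [], defaultdict(set)
    for r in parse_rows(text):
        lport = r["local"].rsplit(":", 1)[-1]
        rhost, rport = r["remote"].rsplit(":", 1)
        if r["proto"] == "UDP" and lport in ("68", "bootpc") and rhost == "*":
            benign.append(r)  # DHCP client socket: expected even on a fresh install
            continue
        if is_lookalike(r["proc"]):
            findings.append(("lookalike-name", r["proc"], r["pid"]))
        if rport in SMB_PORTS:
            smb_targets[(r["proc"], r["pid"])].add(rhost)
    for (proc, pid), hosts in smb_targets.items():
        if len(hosts) >= fanout_threshold:
            findings.append(("smb-fanout", proc, pid, len(hosts)))
    return benign, findings
```

A single connection to port 445 is normal file-sharing traffic; the signal is one process opening SMB connections to many different hosts in quick succession, so tune the threshold to what the host normally does.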
 

dxkj

Lifer
Feb 17, 2001
Originally posted by: hevnsnt
Originally posted by: dxkj
Originally posted by: hevnsnt
Originally posted by: dxkj
Originally posted by: hevnsnt
also, when you reinstalled XP was it on the network? It might have got re-infected as soon as it came back on..

tried scanning, nothing comes up



Disconnected from the network the entire time once the virus was discovered

Disconnected during format & reinstall?

Download TCPview and see what is using port 445



Ok, I just found out that it is sending TO port 445, not sending out on port 445....



ok, what am I looking for? Sending someone over to run the program right now.

green or red? :)

Either on port 445.. It will show you what program is sending/receiving on that port. Remember though, that this port is a Microsoft admin port, so Windows components might be using it as well.. Look for weird things like svch0st (that is a zero) or other weird things.

 


dxkj

Lifer
Feb 17, 2001
30 billion sent per second
15 trillion and counting (he just turned the machine on again).


lsass:524 (only other process that shows up)



692 736 872 are the ports being used for all the svchost processes..

None go crazy unless you disable the network card, then the bootpc one shows up.
 

txxxx

Golden Member
Feb 13, 2003
Formatting doesn't get rid of it as it's reinfecting the fresh install of the system upon reboot and connection to the network via an RPC exploit or something similar. Wipe out again and firewall before network connection?