Help !! Helkern and pop up

[VampireXxX]

Hi guys, few days ago my puter suddenly slowed down then i scanned it with ad-aware, ms anti spyware and kav to no avail so i thought that my sygate & kav incompatible. I uninstall sygate to see if it was the problem...big mistake....after i uninstall it suddenly i received an ad pop up message every half hour saying " Message from microsoft to system on 8/1/2005 10:18:08AM. Windows

[php]

click start - run - services.msc, scroll down to the Messenger service, stop it, and disable it.

That should take care of the popup, if not, you still have a "nasty" of some kind on your computer because that isn't a Windows message.

[VampireXxX]

thanks dude, it doesn't show up again. the only problem now is that damn helkern attack. well i guess i'll uninstall kis and reinstall sygate again so i can get a peace of mind not knowing helkern attack me or not  ;)

[php]

yea, then someone is attacking your computer... the message you got can be sent via the net send command, which is why I had you disable the messenger service (it's completely unnecessary to have enabled)  Maybe wait and see if the attacks continue...

[FallowEarth]

I use IP Tools, found HERE, to monitor connections to my computer.  You can see the IP addresses trying to contact your computer.  I would also try using another firewall to try to block remote access.  As far as free firewalls go, Sygate is one that is very solid.  You can find it HERE

[VampireXxX]

Yeah i use sygate and disable the notification so i didn't know abt the helkern's attack until i uninstall it few days ago. Now i'm confused whether i keep kis or replace it with sygate & nav....i use nav just because i still have 2 months subcription  sygate and kis block 10 different ip address, kis identified them as helkern! well the attacks still continue and kis still blocking the attack every 1 hour or so.  :confused1:

edit : well i still have kis installed on my server...and now i have lovesan!  :angry5: anyone know how to rid this attack??

Detected

--------

Status Object

Event Time

Helkern! Attacker's IP: 61.185.24.67. Protocol/service:  on local port 1434 .  Time: 31/07/2005 9:29:23. 31/07/2005 9:29:23

Helkern! Attacker's IP: 217.118.220.75. Protocol/service:  on local port 1434 . Time: 31/07/2005 10:35:25. 31/07/2005 10:35:25

Helkern! Attacker's IP: 219.111.101.52. Protocol/service:  on local port 1434 . Time: 31/07/2005 13:17:46. 31/07/2005 13:17:46

Helkern! Attacker's IP: 210.74.224.79. Protocol/service:  on local port 1434 .  Time: 31/07/2005 13:45:18. 31/07/2005 13:45:17

Helkern! Attacker's IP: 218.87.42.202. Protocol/service:  on local port 1434 .  Time: 31/07/2005 14:12:29. 31/07/2005 14:12:29

Helkern! Attacker's IP: 61.180.86.11. Protocol/service:  on local port 1434 .  Time: 31/07/2005 14:21:50. 31/07/2005 14:21:49

Helkern! Attacker's IP: 221.202.129.164. Protocol/service:  on local port 1434 .Time: 31/07/2005 15:40:05. 31/07/2005 15:40:04

Helkern! Attacker's IP: 61.185.142.14. Protocol/service:  on local port 1434 .  Time: 31/07/2005 15:49:59. 31/07/2005 15:49:59

Helkern! Attacker's IP: 60.191.129.114. Protocol/service:  on local port 1434 . Time: 31/07/2005 16:23:03. 31/07/2005 16:23:02

Helkern! Attacker's IP: 60.18.168.25. Protocol/service:  on local port 1434 .  Time: 31/07/2005 19:41:00. 31/07/2005 19:41:00

Helkern! Attacker's IP: 61.145.227.5. Protocol/service:  on local port 1434 .  Time: 31/07/2005 22:16:50. 31/07/2005 22:16:50

Helkern! Attacker's IP: 219.132.16.242. Protocol/service:  on local port 1434 . Time: 01/08/2005 1:23:48. 01/08/2005 1:23:48

Helkern! Attacker's IP: 61.143.101.100. Protocol/service:  on local port 1434 . Time: 01/08/2005 2:43:52. 01/08/2005 2:43:51

Helkern! Attacker's IP: 199.203.54.218. Protocol/service:  on local port 1434 . Time: 01/08/2005 5:14:29. 01/08/2005 5:14:28

Helkern! Attacker's IP: 202.99.159.6. Protocol/service:  on local port 1434 .  Time: 01/08/2005 6:10:46. 01/08/2005 6:10:44

Helkern! Attacker's IP: 219.153.14.94. Protocol/service:  on local port 1434 .  Time: 01/08/2005 7:10:12. 01/08/2005 7:10:11

Helkern! Attacker's IP: 66.70.74.120. Protocol/service:  on local port 1434 .  Time: 01/08/2005 9:59:19. 01/08/2005 9:59:18

Lovesan! Attacker's IP: 203.84.136.253. Protocol/service:  on local port 135 .  Time: 01/08/2005 10:48:11. 01/08/2005 10:48:09

Helkern! Attacker's IP: 61.157.208.124. Protocol/service:  on local port 1434 . Time: 01/08/2005 11:31:07. 01/08/2005 11:31:05

Lovesan! Attacker's IP: 203.84.136.253. Protocol/service:  on local port 135 .  Time: 01/08/2005 13:09:46. 01/08/2005 13:09:45

Helkern! Attacker's IP: 218.64.55.25. Protocol/service:  on local port 1434 .  Time: 01/08/2005 16:40:24. 01/08/2005 16:40:24

Settings

--------

Security Level: Recommended

i doesn't know how to insert a file from my puter to this post, so i use copy paste  :oops:

[php]

Do you have a hardware firewall?  If so, block or preferrably stealth the ports listed...

[VampireXxX]

i don't have a hardware firewall. Strange is i don't have port 1434  :confused1: while port 135 is used by 1 of my pc client.  :whaa: I'm using a router.

[FallowEarth]

i don't have a hardware firewall. Strange is i don't have port 1434

[VampireXxX]

i'm using d-link.

[php]

If you don't have the ports blocked, your computer has ports 0-65535 or something available...

[VampireXxX]

wew you lost me there

[php]

If you add it to your firewall, you don't have to worry about your software firewalls having to block it...

[VampireXxX]

so i add port 1434 in my firewall and i block it?? but it doesn't stop helkern and lovesan attack...only block it...is there a way this worm thing don't attack me anymore??

[peepnklown]

Which D-link are you using?

Most likely your router has NAT (hardware firewall)

[VampireXxX]

just replaced it with D-link DES1008D few weeks ago

[FallowEarth]

just replaced it with D-link DES1008D few weeks ago

Strange...when I go to the Dlink support site, the lowest model for the DES line they support is the 1009G.

[VampireXxX]

:icon_scratch: now that's odd.....i got that from my isp....better contact them tomorrow and see what they say....thanks for the info FallowEarth

[VampireXxX]

odd thing happens today....when i open my network place i have 3 more connection that doesn't belong to me and give me full access to their folder  :confused2: told my isp abt it and they said it was the user's fault for being careless so others can access their files  :icon_scratch: my isp changed the ip address to open public so the helkern, lovesan and pop up things that were originally their problem, now are user's problem :angry5:

[netmasta]

Strange...when I go to the Dlink support site, the lowest model for the DES line they support is the 1009G.

It's probably a router made specfically fora certain ISP. The VDI-624 is another example.

[MarilynSW]

In the last 6 days I replaced my 160 gig hard drive back to an 80 gig hard drive...I removed Norton because Norton did NOT catch the wrom and it slowed my 160 down to a crawl....I now have defender Pro 10-in-1 my computer is MUCH faster and I counted 20 kelkern worm attacks that have been blocked by my def firewall....the pop-up is driving me mad....but I don't have the worm anymore and my Norton WORM protection was onand I never turn off my firewall for ANY reason now.  Helkern comes from a different IP address each time....2 from China and two from right here in Anoka MN.......

Marilyn

[VampireXxX]

marilyn...just block the port mention by your firewall although if someone know how to get rid of this helkern for good, i'll gladly try it   2 days ago i did a clean install on my puter, messenger's pop up messages come out of nowhere when i plug the cable and i hadn't install any program yet anyone know where is this pop up message come from ?? so i don't have to disable messenger service everytime i reinstall xp....thanks

[MarilynSW]

On my firewall pop-up there is no port just an IP address and a different one each time....according to the geeks its evidently someone whom I opened an email from or something I clicked on and opened a website.....from email so now I open NOTHING that I don't know who it came from.  the one that are popping up now are the ones that got into my email the first time (before replacement) and are trying again....but my firewall won't let them...so now I only download from secure sites and trusted sites....nothing that anyone says go here and download this....I got a fake email from PayPal yesterday that looks very authentic but they said they didn't send it....so thats how hackers get into your system you click on the site they send you....its better to get the pop-up saying it was repulsed then replacing your hard drive again ......thanks

Marilyn

[Elite.Pete]

helkern only affects windows 2000 server anyway if im not mistaken. i use Kaspersky antivirus and it tells me that it blocked it every once in awhile. i also ditched sygate along time ago because it would always tell me it blocked nydis.sys or something like that.. and it got to the point of me being super annoyed