VampireXxX Posted August 1, 2005
Hi guys, a few days ago my puter suddenly slowed down, then I scanned it with Ad-Aware, MS AntiSpyware and KAV to no avail, so I thought that my Sygate & KAV were incompatible. I uninstalled Sygate to see if it was the problem...big mistake....after I uninstalled it I suddenly received an ad pop-up message every half hour saying " Message from microsoft to system on 8/1/2005 10:18:08AM. Windows

php Posted August 1, 2005
Click Start - Run - services.msc, scroll down to the Messenger service, stop it, and disable it. That should take care of the popup; if not, you still have a "nasty" of some kind on your computer because that isn't a Windows message.

VampireXxX (Author) Posted August 1, 2005
Thanks dude, it doesn't show up again. The only problem now is that damn Helkern attack. Well, I guess I'll uninstall KIS and reinstall Sygate again so I can get peace of mind not knowing whether Helkern attacks me or not ;)

php Posted August 1, 2005
Yeah, then someone is attacking your computer... The message you got can be sent via the net send command, which is why I had you disable the Messenger service (it's completely unnecessary to have enabled). Maybe wait and see if the attacks continue...

FallowEarth Posted August 1, 2005
I use IP Tools, found HERE, to monitor connections to my computer. You can see the IP addresses trying to contact your computer. I would also try using another firewall to try to block remote access. As far as free firewalls go, Sygate is one that is very solid. You can find it HERE

VampireXxX (Author) Posted August 1, 2005
Yeah, I use Sygate and disabled the notification, so I didn't know about the Helkern attack until I uninstalled it a few days ago. Now I'm confused whether I keep KIS or replace it with Sygate & NAV....I use NAV just because I still have 2 months' subscription. Sygate and KIS block 10 different IP addresses, KIS identified them as Helkern! Well, the attacks still continue and KIS is still blocking the attack every 1 hour or so. :confused1:
edit: well, I still have KIS installed on my server...and now I have Lovesan! :angry5: Anyone know how to get rid of this attack??

Detected
--------
Status Object Event Time
Helkern! Attacker's IP: 61.185.24.67. Protocol/service: on local port 1434 . Time: 31/07/2005 9:29:23. 31/07/2005 9:29:23
Helkern! Attacker's IP: 217.118.220.75. Protocol/service: on local port 1434 . Time: 31/07/2005 10:35:25. 31/07/2005 10:35:25
Helkern! Attacker's IP: 219.111.101.52. Protocol/service: on local port 1434 . Time: 31/07/2005 13:17:46. 31/07/2005 13:17:46
Helkern! Attacker's IP: 210.74.224.79. Protocol/service: on local port 1434 . Time: 31/07/2005 13:45:18. 31/07/2005 13:45:17
Helkern! Attacker's IP: 218.87.42.202. Protocol/service: on local port 1434 . Time: 31/07/2005 14:12:29. 31/07/2005 14:12:29
Helkern! Attacker's IP: 61.180.86.11. Protocol/service: on local port 1434 . Time: 31/07/2005 14:21:50. 31/07/2005 14:21:49
Helkern! Attacker's IP: 221.202.129.164. Protocol/service: on local port 1434 .Time: 31/07/2005 15:40:05. 31/07/2005 15:40:04
Helkern! Attacker's IP: 61.185.142.14. Protocol/service: on local port 1434 . Time: 31/07/2005 15:49:59. 31/07/2005 15:49:59
Helkern! Attacker's IP: 60.191.129.114. Protocol/service: on local port 1434 . Time: 31/07/2005 16:23:03. 31/07/2005 16:23:02
Helkern! Attacker's IP: 60.18.168.25. Protocol/service: on local port 1434 . Time: 31/07/2005 19:41:00. 31/07/2005 19:41:00
Helkern! Attacker's IP: 61.145.227.5. Protocol/service: on local port 1434 . Time: 31/07/2005 22:16:50. 31/07/2005 22:16:50
Helkern! Attacker's IP: 219.132.16.242. Protocol/service: on local port 1434 . Time: 01/08/2005 1:23:48. 01/08/2005 1:23:48
Helkern! Attacker's IP: 61.143.101.100. Protocol/service: on local port 1434 . Time: 01/08/2005 2:43:52. 01/08/2005 2:43:51
Helkern! Attacker's IP: 199.203.54.218. Protocol/service: on local port 1434 . Time: 01/08/2005 5:14:29. 01/08/2005 5:14:28
Helkern! Attacker's IP: 202.99.159.6. Protocol/service: on local port 1434 . Time: 01/08/2005 6:10:46. 01/08/2005 6:10:44
Helkern! Attacker's IP: 219.153.14.94. Protocol/service: on local port 1434 . Time: 01/08/2005 7:10:12. 01/08/2005 7:10:11
Helkern! Attacker's IP: 66.70.74.120. Protocol/service: on local port 1434 . Time: 01/08/2005 9:59:19. 01/08/2005 9:59:18
Lovesan! Attacker's IP: 203.84.136.253. Protocol/service: on local port 135 . Time: 01/08/2005 10:48:11. 01/08/2005 10:48:09
Helkern! Attacker's IP: 61.157.208.124. Protocol/service: on local port 1434 . Time: 01/08/2005 11:31:07. 01/08/2005 11:31:05
Lovesan! Attacker's IP: 203.84.136.253. Protocol/service: on local port 135 . Time: 01/08/2005 13:09:46. 01/08/2005 13:09:45
Helkern! Attacker's IP: 218.64.55.25. Protocol/service: on local port 1434 . Time: 01/08/2005 16:40:24. 01/08/2005 16:40:24

Settings
--------
Security Level: Recommended

I don't know how to insert a file from my puter to this post, so I used copy paste :oops:

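As an added example (not part of the original posts, and not Kaspersky's own tooling), this Python code parses detection entries in the layout pasted above and groups them by signature and local port, so a source that keeps returning stands apart from one-off senders. The sample text and its addresses are constructed, and `summarize` and `repeat_sources` are names chosen for this illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout of the pasted report, entries run together
# as in the post. Addresses are RFC 5737 documentation ranges, not the post's.
SAMPLE = (
    "Helkern! Attacker's IP: 192.0.2.10. Protocol/service: on local port 1434 . "
    "Time: 31/07/2005 9:29:23. 31/07/2005 9:29:23 "
    "Helkern! Attacker's IP: 198.51.100.7. Protocol/service: on local port 1434 ."
    "Time: 31/07/2005 13:17:46. 31/07/2005 13:17:46 "
    "Lovesan! Attacker's IP: 203.0.113.99. Protocol/service: on local port 135 . "
    "Time: 01/08/2005 10:48:11. 01/08/2005 10:48:09 "
    "Lovesan! Attacker's IP: 203.0.113.99. Protocol/service: on local port 135 . "
    "Time: 01/08/2005 13:09:46. 01/08/2005 13:09:45 "
    "Helkern! Attacker's IP: 999.1.1.1. Protocol/service: on local port 1434 . "
    "Time: 01/08/2005 14:00:00."  # malformed address, must be skipped
)

ENTRY = re.compile(
    r"(?P<name>\w+)!\s*Attacker's IP:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\."
    r"\s*Protocol/service:[^.]*?on local port\s+(?P<port>\d+)\s*\."
    r"\s*Time:\s*(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})"
)

def summarize(text):
    """Group detections by (signature, local port); skip malformed entries."""
    groups = defaultdict(lambda: {"sources": Counter(), "first": None, "last": None})
    for m in ENTRY.finditer(text):
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
            ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")  # day first
        except ValueError:
            continue
        g = groups[(m["name"], int(m["port"]))]
        g["sources"][ip] += 1
        g["first"] = min(g["first"] or ts, ts)
        g["last"] = max(g["last"] or ts, ts)
    return dict(groups)

def repeat_sources(groups):
    """Sources seen more than once for the same signature and port."""
    return {key: sorted(ip for ip, n in g["sources"].items() if n > 1)
            for key, g in groups.items()}

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE).items()):
        print(key, dict(g["sources"]), g["first"], g["last"])
```

The port in each group is the one to filter at the router or firewall, and `repeat_sources` lists the addresses worth a specific block rule.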
php Posted August 1, 2005
Do you have a hardware firewall? If so, block or preferably stealth the ports listed...

VampireXxX (Author) Posted August 2, 2005
I don't have a hardware firewall. Strange thing is I don't have port 1434 :confused1: while port 135 is used by 1 of my PC clients. :whaa: I'm using a router.

FallowEarth Posted August 2, 2005
"i don't have a hardware firewall. Strange is i don't have port 1434"

VampireXxX (Author) Posted August 2, 2005
I'm using D-Link.

php Posted August 2, 2005
If you don't have the ports blocked, your computer has ports 0-65535 or something available...

VampireXxX (Author) Posted August 2, 2005
Wew, you lost me there

php Posted August 2, 2005
If you add it to your firewall, you don't have to worry about your software firewalls having to block it...

VampireXxX (Author) Posted August 2, 2005
So I add port 1434 in my firewall and I block it?? But it doesn't stop the Helkern and Lovesan attacks...only blocks them...is there a way to make this worm thing not attack me anymore??

peepnklown Posted August 2, 2005
Which D-Link are you using? Most likely your router has NAT (hardware firewall)

VampireXxX (Author) Posted August 2, 2005
Just replaced it with a D-Link DES1008D a few weeks ago

FallowEarth Posted August 2, 2005
"just replaced it with D-link DES1008D few weeks ago"
Strange...when I go to the Dlink support site, the lowest model for the DES line they support is the 1009G.

VampireXxX (Author) Posted August 2, 2005
:icon_scratch: Now that's odd.....I got that from my ISP....better contact them tomorrow and see what they say....thanks for the info, FallowEarth

VampireXxX (Author) Posted August 3, 2005
Odd thing happened today....when I open My Network Places I have 3 more connections that don't belong to me and give me full access to their folders :confused2: Told my ISP about it and they said it was the user's fault for being careless so others can access their files :icon_scratch: My ISP changed the IP address to open public, so the Helkern, Lovesan and pop-up things that were originally their problem are now the user's problem :angry5:

netmasta Posted August 3, 2005
"Strange...when I go to the Dlink support site, the lowest model for the DES line they support is the 1009G."
It's probably a router made specifically for a certain ISP. The VDI-624 is another example.

MarilynSW Posted August 17, 2005
In the last 6 days I replaced my 160 gig hard drive back to an 80 gig hard drive...I removed Norton because Norton did NOT catch the worm and it slowed my 160 down to a crawl....I now have Defender Pro 10-in-1, my computer is MUCH faster and I counted 20 Helkern worm attacks that have been blocked by my def firewall....the pop-up is driving me mad....but I don't have the worm anymore, and my Norton WORM protection was on, and I never turn off my firewall for ANY reason now. Helkern comes from a different IP address each time....2 from China and two from right here in Anoka MN.......
Marilyn

VampireXxX (Author) Posted August 18, 2005
Marilyn...just block the port mentioned by your firewall, although if someone knows how to get rid of this Helkern for good, I'll gladly try it.
2 days ago I did a clean install on my puter; Messenger's pop-up messages came out of nowhere when I plugged in the cable, and I hadn't installed any program yet.
Anyone know where this pop-up message comes from?? So I don't have to disable the Messenger service every time I reinstall XP....thanks

MarilynSW Posted August 18, 2005
On my firewall pop-up there is no port, just an IP address and a different one each time....according to the geeks it's evidently someone whom I opened an email from or something I clicked on and opened a website.....from email, so now I open NOTHING that I don't know who it came from. The ones that are popping up now are the ones that got into my email the first time (before replacement) and are trying again....but my firewall won't let them...so now I only download from secure sites and trusted sites....nothing that anyone says go here and download this....I got a fake email from PayPal yesterday that looks very authentic but they said they didn't send it....so that's how hackers get into your system, you click on the site they send you....it's better to get the pop-up saying it was repulsed than replacing your hard drive again ......thanks
Marilyn

Elite.Pete Posted September 9, 2005
Helkern only affects Windows 2000 Server anyway, if I'm not mistaken. I use Kaspersky antivirus and it tells me that it blocked it every once in a while. I also ditched Sygate a long time ago because it would always tell me it blocked nydis.sys or something like that.. and it got to the point of me being super annoyed