Router security logs **SMURF**

mcgrizzein

New Member
Recently, I have been having some problems with webpages not loading, displaying as if I am on a mobile device, slow loading, etc. These are security logs from my Belkin N Wireless router. I am not a trained IT pro, but I know a few things. Any suggestions on what to do about these attacks are appreciated.


03/21/2012 18:11:15 192.168.2.5 login success
03/21/2012 18:10:59 User from 192.168.2.5 timed out
03/21/2012 18:10:26 sending ACK to 192.168.2.5
03/21/2012 18:10:24 sending ACK to 192.168.2.5
03/21/2012 18:10:12 DHCP Client: [WAN]Receive Ack from 68.114.39.226,Lease time=28800
03/21/2012 18:10:12 DHCP Client: [WAN]Send Request, Request IP=71.80.150.206
03/21/2012 18:10:12 DHCP Client: [WAN]Receive Offer from 68.114.39.226
03/21/2012 18:10:12 DHCP Client: [WAN]Send Discover
03/21/2012 18:10:10 DHCP Client: [WAN]Send Release
03/21/2012 18:09:57 **Smurf** 0.0.0.0->> 10.103.192.1, Type:5, Code:1 (from WAN Outbound)
03/21/2012 18:09:57 DHCP Client: [WAN]Receive Ack from 68.114.39.226,Lease time=25015
03/21/2012 18:09:57 DHCP Client: [WAN]Send Request, Request IP=71.80.150.206
03/21/2012 18:09:57 DHCP Client: [WAN]Receive Offer from 68.114.39.226
03/21/2012 18:09:57 DHCP Client: [WAN]Send Discover
03/21/2012 18:09:37 DHCP Client: [WAN]Could not find DHCP daemon to get information
03/21/2012 18:09:35 DHCP Client: [WAN]Send Request, Request IP=192.168.100.10
03/21/2012 18:09:33 DHCP Client: [WAN]Send Request, Request IP=192.168.100.10
03/21/2012 18:09:31 DHCP Client: [WAN]Send Request, Request IP=192.168.100.10
03/21/2012 18:09:29 DHCP Client: [WAN]Send Request, Request IP=192.168.100.10
03/21/2012 18:09:08 DHCP Client: [WAN]Receive Ack from 192.168.100.1,Lease time=30
03/21/2012 18:09:08 DHCP Client: [WAN]Send Request, Request IP=192.168.100.10
03/21/2012 18:09:08 DHCP Client: [WAN]Receive Offer from 192.168.100.1
03/21/2012 18:09:08 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:48 DHCP Client: [WAN]Could not find DHCP daemon to get information
03/21/2012 18:08:46 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:44 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:42 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:40 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:40 DHCP Client: [WAN]Could not find DHCP daemon to get information
03/21/2012 18:08:38 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:36 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:34 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:32 DHCP Client: [WAN]Send Discover
03/21/2012 18:08:09 DHCP Client: [WAN]Send Release
03/21/2012 18:01:47 **TCP FIN Scan** 70.37.131.153, 80->> 192.168.2.5, 1845 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 65.55.253.27, 80->> 192.168.2.5, 1595 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 66.135.210.181, 80->> 192.168.2.5, 1864 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 204.78.32.70, 80->> 192.168.2.5, 1640 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 65.55.206.203, 80->> 192.168.2.5, 1996 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 107.22.237.66, 80->> 192.168.2.5, 2033 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 65.55.72.135, 80->> 192.168.2.5, 1722 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 206.16.59.12, 80->> 192.168.2.5, 1991 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 65.55.5.231, 80->> 192.168.2.5, 1865 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 204.245.34.203, 80->> 192.168.2.5, 1631 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 204.245.34.138, 80->> 192.168.2.5, 1600 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 204.245.34.170, 80->> 192.168.2.5, 1986 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 204.245.34.146, 80->> 192.168.2.5, 2070 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 204.245.34.184, 80->> 192.168.2.5, 1811 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 184.24.133.186, 443->> 192.168.2.5, 1728 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 65.55.18.18, 80->> 192.168.2.5, 1847 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 65.55.58.199, 80->> 192.168.2.5, 1741 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 204.245.34.144, 80->> 192.168.2.5, 1679 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 204.245.34.162, 80->> 192.168.2.5, 1759 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 98.142.98.190, 80->> 192.168.2.5, 2026 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 207.46.19.254, 80->> 192.168.2.5, 1736 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 66.220.149.67, 80->> 192.168.2.5, 2043 (from WAN Inbound)
03/21/2012 18:01:47 **TCP FIN Scan** 74.125.224.113, 80->> 192.168.2.5, 1628 (from WAN Inbound)
03/21/2012 17:54:13 192.168.2.5 login success
03/21/2012 17:53:59 User from 192.168.2.5 timed out
03/21/2012 17:48:13 DHCP Client: [WAN]Receive Ack from 68.114.39.226,Lease time=26315
03/21/2012 17:48:13 DHCP Client: [WAN]Send Request, Request IP=71.80.150.206
03/21/2012 17:48:13 DHCP Client: [WAN]Receive Offer from 68.114.39.226
03/21/2012 17:48:13 DHCP Client: [WAN]Send Discover
03/21/2012 17:47:46 192.168.2.5 login success
03/21/2012 17:46:31 sending ACK to 192.168.2.5
03/21/2012 17:46:29 sending ACK to 192.168.2.5
03/21/2012 17:46:29 sending OFFER to 192.168.2.5
03/21/2012 17:46:24 sending ACK to 192.168.2.5
 
Also HijackThis and Malwarebytes logs

HijackThis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:37:00 PM, on 3/22/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Documents and Settings\Linhart\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {652853ad-5592-4231-88c6-706613a52e61} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Linhart\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A93902E-C386-4F03-9C32-292B02452867}: NameServer = 8.8.8.8,68.116.46.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A93902E-C386-4F03-9C32-292B02452867}: NameServer = 8.8.8.8,68.116.46.70
O17 - HKLM\System\CS2\Services\Tcpip\..\{2A93902E-C386-4F03-9C32-292B02452867}: NameServer = 8.8.8.8,68.116.46.70
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4703 bytes


Malwarebytes Full Scan

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.22.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Linhart :: XGAMER [administrator]

Protection: Enabled

3/22/2012 6:12:42 PM
mbam-log-2012-03-22 (18-35-54)full scan

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244382
Time elapsed: 19 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 22
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78919608-B066-4B5A-B248-38E12A783E05} (Adware.ArcadeWeb) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78919608-B066-4B5A-B248-38E12A783E05} (Adware.ArcadeWeb) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{D9291F9E-7010-4D7A-8DF6-455DEEF8EF51} (PUP.LivingPlay) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D9291F9E-7010-4D7A-8DF6-455DEEF8EF51} (PUP.LivingPlay) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Malwarebytes memory and runtime scan

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.22.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Linhart :: XGAMER [administrator]

Protection: Enabled

3/22/2012 6:10:29 PM
mbam-log-2012-03-22 (18-11-10).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 153586
Time elapsed: 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCU\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Make sure you click on the Remove Selected button in Malwarebytes to actually remove those infections.

Some of the IP addresses in your security log go back to an area around Wichita, Kansas; others go to Charter Communications and Microsoft. You are using Google and Charter DNS servers.

You also have a Somoto Toolbar installation that needs to be removed. Look in add/remove programs for any instances of it.

Also have HijackThis fix the R3 entry here.

R3 - URLSearchHook: (no name) - - (no file)
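The router entries in the first post are labelled as attacks, but the fields in each line tell a more mundane story, and a small script makes that visible. What follows is an added example, not code from either poster or from Belkin: it parses this Belkin log format, treats a FIN arriving from a web server's port 80/443 at a high port on 192.168.2.5 as the normal close of a connection the LAN host opened (the "TCP FIN Scan" burst at 18:01:47 is two dozen web servers hanging up on a browser), decodes the ICMP type/code carried by the "Smurf" line (type 5 code 1 is a host redirect, not the echo traffic a smurf attack consists of), and flags a private-range WAN lease with a 30-second lifetime as an upstream-link problem rather than an attack. The embedded log lines are copied from the post with the forum's bold markers stripped, except the last one, which is invented (203.0.113.9 is a documentation address) to show what a FIN scan that deserves attention looks like. One assumption is marked in the code: that the 192.168.100.1 lease comes from the cable modem's own fallback address.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the Belkin N Wireless log posted above
# (the bold markers the forum added are removed). The first six lines are
# copied from that log; the last line is invented (203.0.113.9 is a
# documentation address) to show what a FIN scan worth a look looks like.
SAMPLE_LOG = """\
03/21/2012 18:09:57 Smurf 0.0.0.0->> 10.103.192.1, Type:5, Code:1 (from WAN Outbound)
03/21/2012 18:09:08 DHCP Client: [WAN]Receive Ack from 192.168.100.1,Lease time=30
03/21/2012 18:10:12 DHCP Client: [WAN]Receive Ack from 68.114.39.226,Lease time=28800
03/21/2012 18:01:47 TCP FIN Scan 70.37.131.153, 80->> 192.168.2.5, 1845 (from WAN Inbound)
03/21/2012 18:01:47 TCP FIN Scan 184.24.133.186, 443->> 192.168.2.5, 1728 (from WAN Inbound)
03/21/2012 18:01:47 TCP FIN Scan 66.220.149.67, 80->> 192.168.2.5, 2043 (from WAN Inbound)
03/21/2012 18:01:47 TCP FIN Scan 203.0.113.9, 51234->> 192.168.2.5, 22 (from WAN Inbound)
"""

TS = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) "
FIN_RE = re.compile(TS + r"TCP FIN Scan (\S+), (\d+)->> (\S+), (\d+) \(from (\w+) (\w+)\)")
ICMP_RE = re.compile(TS + r"(\w+) (\S+)->> (\S+), Type:(\d+), Code:(\d+) \(from (\w+) (\w+)\)")
DHCP_RE = re.compile(TS + r"DHCP Client: \[(\w+)\]Receive Ack from (\S+),Lease time=(\d+)")

# ICMP type/code names from RFC 792. A smurf attack is a flood of echo
# replies (type 0) provoked by spoofed echo requests (type 8) sent to a
# broadcast address; a type 5 redirect is a routing hint and no part of that.
ICMP_NAMES = {(0, 0): "echo reply", (8, 0): "echo request",
              (5, 0): "redirect for network", (5, 1): "redirect for host",
              (3, 1): "host unreachable", (3, 3): "port unreachable"}
WEB_PORTS = {80, 443}
EPHEMERAL_MIN = 1024          # XP-era clients pick reply ports from 1025 upward


def classify_fin(src_port: int, dst_port: int) -> tuple[str, str]:
    """Rate a 'TCP FIN Scan' entry from its port pair alone."""
    if src_port in WEB_PORTS and dst_port >= EPHEMERAL_MIN:
        return "benign", "web server closing a connection our LAN host opened"
    if dst_port < EPHEMERAL_MIN:
        return "investigate", "FIN aimed at a service port, the shape of a real FIN scan"
    return "unclear", "no well-known port on either side"


def classify_icmp(label: str, icmp_type: int, code: int) -> tuple[str, str]:
    """Check whether the router's label matches the ICMP type it logged."""
    name = ICMP_NAMES.get((icmp_type, code), f"type {icmp_type} code {code}")
    if label.lower() == "smurf" and icmp_type not in (0, 8):
        return "mislabelled", f"{name}, not echo traffic, so not a smurf"
    return "icmp", name


def classify_dhcp(server: str, lease: int) -> tuple[str, str]:
    """A WAN lease from a private address with a tiny lifetime means the
    router reached something other than the ISP's DHCP server (assumption:
    the cable modem's own fallback address); that is an upstream-link
    problem, not an attacker."""
    if ipaddress.ip_address(server).is_private and lease < 300:
        return "upstream-down", f"private WAN lease from {server} for {lease}s"
    return "normal", f"public lease from {server} for {lease}s"


def triage(log: str) -> list[dict]:
    """Parse every recognised line and return records sorted by time."""
    out = []
    for line in log.splitlines():
        if m := FIN_RE.match(line):
            ts, src, sport, dst, dport, _iface, _direction = m.groups()
            sev, why = classify_fin(int(sport), int(dport))
            detail = f"{src}:{sport} -> {dst}:{dport}: {why}"
            out.append({"ts": _ts(ts), "kind": "fin", "severity": sev, "detail": detail})
        elif m := ICMP_RE.match(line):
            ts, label, src, dst, t, c, _iface, _direction = m.groups()
            sev, why = classify_icmp(label, int(t), int(c))
            out.append({"ts": _ts(ts), "kind": "icmp", "severity": sev,
                        "detail": f"{src} -> {dst}: {why}"})
        elif m := DHCP_RE.match(line):
            ts, _iface, server, lease = m.groups()
            sev, why = classify_dhcp(server, int(lease))
            out.append({"ts": _ts(ts), "kind": "dhcp", "severity": sev, "detail": why})
    return sorted(out, key=lambda r: r["ts"])


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S")


def counts(log: str) -> Counter:
    """Tally (kind, severity) so the noise and the real item stand apart."""
    return Counter((r["kind"], r["severity"]) for r in triage(log))


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['ts']:%H:%M:%S} {r['kind']:<4} {r['severity']:<13} {r['detail']}")
    print(dict(counts(SAMPLE_LOG)))
```

Run it as-is and the three copied FIN entries come out "benign", the invented port-22 line "investigate", the "Smurf" line "mislabelled", and the two DHCP acknowledgements "upstream-down" then "normal", matching the order of events in the posted log: the WAN lease flapped between the modem's private address and the ISP's public one, and the ICMP redirect was logged with source 0.0.0.0 at the very moment the WAN interface had no address. The port-pair heuristic is deliberately coarse; on a home router with no other telemetry, it is still the quickest way to separate web-browsing teardown noise from something that merits a look.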