Think BO has been Partially killed by a Trojan

Hi Kevin,

Have a problem here. Believe I have a Trojan.
BO didn’t catch it. Caught it sending out through KPF firewall and incoming through firewall. I set it to lock (deny) it going out and coming in.

BO is sitting in tray very quiet. Came to website to look through list of baddies because when I try to load the list from BO, it freezes up (stops responding). Had to do CAD to get it to release.

In the kpf firewall status panel it shows:

See Attachment

In the kpf firewall log file it shows:

See Attachment

Need some help with this one I think. It appears to be still active and is attacking. Not sure I know where it is or how to contain it to send to you.

RuthM

Edit: See further info in the 3 following posts

RuthM

[attachment deleted by admin]

[attachment deleted by admin]

I had just finished up doing a clean install on this PC. Before going to net I installed BOClean, SG, SpywareBlaster, KPF, & IEClean. Then went to MS Update to DL Win 98 updates.

Was doing a search to DL an AV, as the old one had expired. Not easy to find one for Win98SE.

RuthM

I think this is a trojan and/or a bot as to the way it’s acting. It’s messing with the Quick Task bar (moving the icons around); also in OE, when open, it is removing my name and email addys.
While I was in NG at SecureComp I had KPF open and was watching it work, it started doing attacks in NG GRC which I wasn’t in at that time. When I close OE and open the browser, it starts attacking whatever site I am on.
Thru all that time BO never responded at all.

Ruth

Ok, did a search with find files for System. I found 2 possibles, maybe 3, not sure. Did Properties on them.

First 1:
Named: SYSTEM.i~i Type: l~l File Location: C:\Windows Size: 1.76 KB MS DOS Name: SYSTEM l~l
Created: Monday Sept 15, 2008 Archive & Hidden are checked

Second 1:
Named: SYSTEM.cb Type: Cb File Location: C:\Windows Size: 86 bytes
MS DOS Name: SYSTEM.CB Created: Monday Sept 15, 2008 Archive is checked

RuthM

Edit: just did a Google search for the 2 files named above, unable to find anything.
Did another search for: nbname as it is shown on the status panel I uploaded.

found this: NBName Trojan Description
Although this trojan usually acts like a sniffer on the infected computer and carries no real damage to its stability, it still would be a wise decision to remove this spyware from the machine as soon as possible. NBName Trojan searches for some specific information and sends it to the unanimous address.

Ruth

In the kpf firewall status panel it shows:
Status panel shows nothing suspicious.

In the kpf firewall log file it shows:

The First block is showing that it’s blocking normal windows traffic localhost 137 → hostX 137.

The Ack Attack is probably because you chose to log packets to unopened ports in KPF (I used and seen this before when I was on KPF). Look at the source: it’s the webserver you were connected to, web:80 → localhost 1370, etc…

Can you test with unopened port logging disabled and see if the ACK attacks disappear also?

Hi Ronnie,

I will try, but I am on a different system currently.

Shut the other system down till I could get help or figure this thing out. I will bring it back online.

RuthM

OK am on the prob sys now. I disabled unopened port logging. The ACK attacks disappear it seems.
But, it still is showing the 3 listings for SYSTEM as listening but they are blocked.

On the other sys I was on earlier, those listings for SYSTEM are not present. Why is SYSTEM trying to get out on this sys and not the other sys?

RuthM

Hmmm, seems I spoke too soon. It is now showing: TCP ack packet attacks *Blocked In TCP, forums.comodo.com

RuthM

The system part is file and printer sharing, UDP 137 / 138 and TCP 139.
You could try to untick this on the network stack if you don’t use file or printer sharing.

I guess the Snort rule for ACK attacks is trigger-happy, or you could be having a bad connection. How’s your speed? Normal or less lately?

Ok, in the FW nothing is ticked for file and printer sharing. Also in FW, under MS Networking, there was, as in Cont Panel, a Local address of 198.168.1.2 (rest of local addy now not seen) as I deleted it thru Networking in Cont Panel.
I have no idea as to how that addy got in there to begin with tho, as I never share files or printers with the other systems.
In Cont Panel, Networking, I did find that File and Print Sharing was also unticked.

Since that addy was deleted, according to the FW log the ack attacks seem to have stopped.

Now, I am going to delete the 3 Listings of System in the FW Stats info. Then reboot, and see if this has stopped.

TYVM for your help!
Will be back here soon to let you know the outcome.

RuthM

As to the *speed and/or bad connection question, I have not seen or noticed any degradation.

OK, deleted the 2 rules denying in or out, rebooted, immediately got notice that SYSTEM wanted to connect out, denied it, no rule made tho, came here.
Then got another notice that SYSTEM again wanted to connect out, had to deny 2x, again no rule made.

Opened Network in Control Panel and all still unchecked; File and Print Sharing was also still unticked.

Opened Firewall Admin, SYSTEM not there under FW Rules.

Opened FW Status, all 3 SYSTEMs are still listed there.
I would have thought they would not be there since I removed the rules and rebooted. How can they be removed and/or deleted???
Does the Log need to be cleared to remove them?

Opened Log, it shows that 4 TCP ack attack attempts were made,
1st 2 to TCP,208.122.24.146:80->localhost: 1032.
2nd to TCP,72.20.6.62:80->localhost:1054.

I think all of those were from when SYSTEM tried to connect out after reboot but was denied, but no rules made.
As I write this now, no more attempts out, so far.

RuthM

Edit: As soon as I posted this reply, log shows 3 more TCP ack attacks were blocked:
IN TCP, forums.comodo.com [91.199.212.149:443]->local host:1087

Ruthm

Ruthm,

You have 2 issues:
1)
Windows NetBIOS by default listens and actively speaks on those ports, so if you create rules to block incoming/outgoing traffic to ports 137 - 139, there is nothing to worry about.

Here is a link to a page that describes how to “kill” NetBIOS on Win98, use at your own risk!!
I have not tested this and don’t know if it works or only kills your whole system.

2)
The TCP ACK attack: have you set the “Suspicious packets” from log to block?
This looks like the attack signature is trigger-happy; you’re not attacked from forums.comodo.com.
That’s just your browser connection to this forum and the built-in Snort rule triggers too fast apparently.
Check the other addresses in the logging and I think you will see these are all numbers from sites you visited.
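A small triage script to make Ronny’s point checkable rather than eyeballed. This is an added example, not anything from the thread or from KPF; the log lines are constructed in the shape RuthM quoted (the exact KPF export format is not on the page), and the labels only encode the two explanations given above: a reply from port 80/443 to a high client port is the browser’s own return traffic, and 137→137 is NetBIOS name-service chatter; everything else is left for a human to look at.

```python
import re

# Constructed sample lines in the shape RuthM quoted from the KPF log (not a real export).
SAMPLE_LOG = """\
*Blocked In TCP, forums.comodo.com [91.199.212.149:443]->localhost:1087
*Blocked In TCP, 208.122.24.146:80->localhost:1032
*Blocked In TCP, 72.20.6.62:80->localhost:1054
*Blocked Out UDP, localhost:137->192.168.1.2:137
*Blocked In TCP, 203.0.113.9:51234->localhost:139
"""
# Direction, protocol, optional "hostname [" prefix, src:port, optional "]", "->", dst:port.
ENTRY = re.compile(
    r"\*Blocked (?P<dir>In|Out) (?P<proto>TCP|UDP),\s*"
    r"(?:\S+\s*\[)?(?P<src>[\w.-]+):(?P<sport>\d+)\]?->"
    r"(?P<dst>[\w.-]+):\s*(?P<dport>\d+)"
)

WEB_PORTS = {80, 443}            # ports a browser connects to; they show up as the *source* of replies
NETBIOS_PORTS = {137, 138, 139}  # Windows file/printer sharing (NetBIOS over TCP/IP)
EPHEMERAL_MIN = 1024             # client-side ports the browser gets handed

def parse_entry(line):
    """Return a dict for one KPF-style log line, or None if it does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def classify(e):
    """Label a parsed entry along the lines of Ronny's explanation."""
    if e["dir"] == "In" and e["sport"] in WEB_PORTS and e["dport"] >= EPHEMERAL_MIN:
        # A web server answering the ephemeral port the browser opened: the
        # "TCP ACK attack" signature firing on ordinary return traffic.
        return "web-return-traffic"
    if e["sport"] in NETBIOS_PORTS and e["dport"] in NETBIOS_PORTS:
        # localhost 137 -> hostX 137: NetBIOS name-service chatter from the stack itself.
        return "netbios-chatter"
    return "review"  # anything else, e.g. an outside host reaching for 139, gets a closer look

def triage(log_text):
    """Map each log line to its label; lines the regex cannot read are marked 'unparsed'."""
    out = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        out.append((line, classify(e) if e else "unparsed"))
    return out
```

Run `triage(SAMPLE_LOG)` over a pasted log and count how many entries are not labelled `web-return-traffic` or `netbios-chatter`; those are the only ones worth chasing.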

RuthM

Please follow Ronny’s advice on FW logs. If you want to run some scans for peace of mind, may I suggest (all are 9.x compatible):

1: DR WEB CureIT (FREE) (9.x compatible, no install or updating, updated hourly or more, only leaves 2 files, log & quarantine).

http://www.freedrweb.com/ * Check Logs *

2: SpyBot Search&Destroy (FREE). During install do NOT install TeaTimer (System Settings Protection), uses lots of resources and hampers clean-up. Suggest you run in safe/then normal mode.

Reminder: Safe Mode, at POST beep & before Windows starts tap the F-8 key, then up/down keyboard arrows to safe (without networking) mode, hit ENTER key.
Note: Safe Mode in 98 will rearrange all desktop icons to stock install config., this is normal.

Spybot Anti-Malware and Antivirus * Check Logs *

3: SuperAntiSpyware (FREE). After install, you may want to go to Preferences > Scanning Control tab > uncheck Use Direct Disk Access. May want to run normal/safe/normal mode.

http://www.superantispyware.com/ * Check Logs *

4: Avast AV (FREE). Detection is getting quite good. Suggest at install to uncheck all modules except on-access/resident protection (you’re on 98 so resources on older PCs are limited); if not a problem then go to Add/Remove Programs and install WebGuard, etc. modules.

http://www.avast.com/ * Check Logs *

Allow all programs (except Dr. Web) through your firewall. Update all programs after install (except Dr. Web), post back with any questions/problems or suspect log entries.

P.S. Important to state OS version (i.e., 98, 98SE, ME, etc.) in first post, and CPU/RAM so folks here know what they’re dealing with, and how to proceed.

HTH