
Thread: Net Bios intrusion

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    11

    Net Bios intrusion

    It appears that my Sygate Personal Firewall has let in a hack that has modified my ntoskrnl.exe. I have not accepted the changes that it has made, but my security log tells me it is trying to broadcast out every day and considers it a major security breach. It is trying to go out on my UDP ports and it is using NetBIOS. I have shut off printer sharing. Can anyone tell me how to rid myself of the little devil?

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    250
    Do you mean he/she is still in? He may have installed a trojan/backdoor on your system. If he was using NetBIOS and you turned off file and print sharing, he shouldn't be using that. Get a free trial version of The Cleaner for trojans at http://www.moosoft.com
    Open up DOS and run netstat | more and look for a high port number; that's the port most trojans use. Remember: password protect your C drive and other important folders. Hope I could help.

    Thanks for your time~
    Die, or surrender, either way won't work.
    HuntX7

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    What makes you say that ntoskrnl.exe has been modified?

    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Every time I start my computer I get a dialogue box that says "The NT Kernel System has changed since last time you used it. This could happen if you updated recently. Do you want to accept the changes?" I always say no because the details show port 137 and 138 alternately, also noting "Browsing request of NetBIOS over TCP/IP". This all started when my firewall software said in its log that ntoskrnl.exe /outgoing/udp/ severity major/ - this is on the attack log. It also reports during the day "application involved ntoskrnl.exe blocked" (which is what I do daily on the first dialogue box). I can't figure it out. HuntX7 told me to run The Cleaner to find out if it was a Trojan, and my system showed no Trojans from the process.

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    What version of Windows is that, NT4/W2K/XP?
    Has it always done that, or is it a recent thing? (Since the Windows install or the Sygate personal firewall install?)

    Have you run Windows Update recently? (In XP I believe it runs automatically.)
    As for the outbound connections, 137 and 138 are indeed for NBT and could be legit? Does the log show the destination IP? You mentioned you turned off printer sharing. Does that mean file sharing is left on?

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Hey Ammo: The system is XP and I have not run an update within the last week. The IP that the exe is going to says it is my broadband connection "Cable Vision". Could my firewall be treating a communication to the cable company as an attack? I am pretty sure that file sharing is off also. There are no drives shared, and I am assuming I would have to put something in the shared directory for anyone to get to it.

  7. #7
    Junior Member
    Join Date
    Jul 2002
    Posts
    2
    Well I have seen similar things in other host-based firewalls on XP systems. Take a look at this and tell me what you guys think.

    Windows XP default install with TCP 445 open

    http://soho.sygate.com/alerts/XP_def...CP445_open.htm

    http://online.securityfocus.com/archive/1/256830

    I think this might be it.

    good luck,
    nocilis
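    The advice in posts #2, #5 and #7 (look at netstat for listening ports, treat 137/138 as NBT traffic that may be legitimate, and note that XP exposes TCP 445 by default) can be turned into a small triage script. The following is an added example written for this thread, not code from any of the posters or from Sygate; the netstat listing, the 5555 listener, the 192.168.1.0/24 and 198.51.100.0/24 subnets and the firewall-log destination are all constructed sample data, and the EPHEMERAL_MIN cutoff of 1024 is an assumption.

```python
"""Classify entries from a Windows `netstat -an` listing and outbound
firewall-log destinations, separating the NetBIOS/SMB ports discussed in
this thread (137, 138, 139, 445) from ordinary ephemeral client ports.

All sample data below is constructed; none of it is traffic from the thread.
"""
import ipaddress
import re
from typing import Dict, List

# Ports named in the thread: NetBIOS over TCP/IP (NBT) and direct-hosted SMB.
NETBIOS_PORTS = {
    137: "NetBIOS Name Service",
    138: "NetBIOS Datagram Service (browser announcements)",
    139: "NetBIOS Session Service",
    445: "SMB over TCP (open by default on Windows XP)",
}
# Assumption: ports at or above this value are treated as client-side ports.
EPHEMERAL_MIN = 1024

# Constructed sample in the layout Windows `netstat -an` prints.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3022       203.0.113.10:80        ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint: str):
    """'192.168.1.5:137' -> ('192.168.1.5', 137); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, local, foreign, state = match.groups()
        local_host, local_port = split_endpoint(local)
        foreign_host, foreign_port = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": local_host, "local_port": local_port,
                     "foreign_host": foreign_host, "foreign_port": foreign_port,
                     "state": state})
    return rows


def classify(row: Dict) -> str:
    """Label a netstat row. A high-numbered listener is only a lead, not a
    verdict: netstat -an cannot say which process owns the socket."""
    port = row["local_port"]
    if port is None:
        return "other"
    if port in NETBIOS_PORTS:
        return f"netbios/smb: {NETBIOS_PORTS[port]} reachable on {row['local_host']}"
    if row["proto"] == "TCP" and row["state"] == "LISTENING" and port >= EPHEMERAL_MIN:
        return f"high-port listener on {port}: identify the owning process before concluding anything"
    if port >= EPHEMERAL_MIN:
        return "ephemeral client port: normal outbound connection"
    return "other"


def explain_outbound(dst_ip: str, dst_port: int, local_cidr: str) -> str:
    """Interpret an outbound destination taken from a firewall log.
    NBT name and browser traffic goes to the subnet broadcast address, which a
    whois lookup attributes to the ISP that owns the address block."""
    dst = ipaddress.ip_address(dst_ip)
    net = ipaddress.ip_network(local_cidr, strict=False)
    if dst_port in (137, 138) and dst == net.broadcast_address:
        return "subnet broadcast on NBT port: expected while NetBIOS over TCP/IP is enabled"
    if dst_port in NETBIOS_PORTS and dst not in net:
        return "off-subnet NetBIOS/SMB destination: worth investigating"
    return "not NetBIOS related"


if __name__ == "__main__":
    for row in parse_netstat(SAMPLE_NETSTAT):
        print(row["proto"], row["local_port"], "->", classify(row))
    # Constructed: a cable subnet in the documentation range and one log entry.
    print(explain_outbound("198.51.100.255", 138, "198.51.100.17/24"))
```

    The two checks answer the two questions the thread circles around: whether the machine is still offering NBT/SMB services at all (the 137/138/139/445 rows, which disappear once file and print sharing and NetBIOS over TCP/IP are turned off), and whether an outbound UDP 137/138 entry that a backtrace attributes to the cable provider is simply a broadcast to the local subnet. Feeding it real output means running netstat -an on the machine and, for the log check, knowing the subnet mask the provider assigned.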

  8. #8
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Nocilis: In the morning when I boot up, I have had to wait an unusually long time before I can click a desktop icon to launch I.E. or Outlook. It could be that the packets being sent are using all my RAM. My security log always says it is outgoing only that is the breach, but I deny the outgoing process every morning by not accepting the changes to the ntoskrnl.exe. I have no idea if someone has established incoming. I do know that this is part of the detail when I backtrace the IP (which always shows up as my cable provider).
    "To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first."
    How do I get rid of this record?

  9. #9
    Can you shut off file sharing? That would close up those ports. But keep in mind, if you got hacked you don't know what they did. Best practice is to format.

  10. #10
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Angry Bob: Thanks for the time. I have a good book on Windows XP and I am pretty sure I have shut off all file sharing.
    I also performed a system restore on my XP system to a date before I had my firewall alert. I was hoping that this would replace the ntoskrnl.exe with an earlier version. The system restore went through its process and after it did its auto reboot it said it was unable to restore my system. I did this again and the same thing happened. Is that a sign my system has truly been compromised? The people on the MS XP boards are not responding to my message that my system was unable to restore itself to a former date, so I am not sure whether I was really hacked and part of the modification to the ntoskrnl.exe was not being able to restore back to a former date.
