babe.the_killer.bz

Discussion in 'Malware Help (A Specialist Will Reply)' started by Rob M., Sep 6, 2006.

  1. Rob M.

    Rob M. First Sergeant

    For a while, network performance has been erratic -- mostly web pages getting stuck while coming across, or occasionally being slow to start downloading. Windows often hangs at the "shutting down" splash screen.

    Then one day I noticed that User resources on startup were 15% below normal. So I ran NETSTAT to see if my computer was talking to remote hosts behind my back. Here's what turns up:


    Microsoft(R) Windows 98
    (C)Copyright Microsoft Corp 1981-1999.

    C:\WINDOWS>netstat

    Active Connections

    Proto Local Address Foreign Address State
    TCP wiz2:1025 babe.the-killer.bz:40000 ESTABLISHED
    TCP wiz2:40000 babe.the-killer.bz:1025 ESTABLISHED
    TCP wiz2:1226 www3.telus.net:80 TIME_WAIT
    TCP wiz2:1227 www3.telus.net:80 TIME_WAIT
    TCP wiz2:1231 216.239.57.99:80 TIME_WAIT
    TCP wiz2:1235 64.86.101.150:80 TIME_WAIT
    TCP wiz2:1241 216.239.57.147:80 TIME_WAIT
    TCP wiz2:1247 geek.esselbach.com:80 TIME_WAIT
    TCP wiz2:1248 geek.esselbach.com:80 TIME_WAIT
    TCP wiz2:1249 geek.esselbach.com:80 TIME_WAIT
    TCP wiz2:1250 geek.esselbach.com:80 TIME_WAIT
    TCP wiz2:1253 192.168.0.102:nbsession TIME_WAIT

    C:\WINDOWS>

    I've edited my hosts file and set up firewall rules to block any communication with the remote host, but my system insists on trying to set up a conversation with the host at <babe.the_killer.bz>.

    Nothing is visible in the Task Manager or in Add/Remove Programs that shouldn't be there. TrendMicro PC-cillin Internet Security 2006 reports no viruses or trojans. Spybot S&D and CCleaner also report no problems. (I have those packages installed and run them regularly.) So I started in on your sticky "READ & RUN ME FIRST...".

    The output from GETRUNKEY.BAT and SHOWNEW.BAT is attached as requested.

    I installed and ran CounterSpy (yes, I'm running Win98SE). It found and quarantined two bugs missed by my regular searches. The log file is attached as counterspy.txt. Please note that the logfile was obtained in Normal mode. I could not get mouse support in Safe mode, so couldn't navigate in CounterSpy while in Safe mode.

    I could not get a logfile from BitDefender. It seems to get confused by the way Eudora stores e-mail in its .mbx files. At any rate, it hung at the conclusion of the scan after reporting an incredible number of suspect files, most of which were contained within Eudora's .mbx files. It also generated nonsense results, like saying it had scanned 112263 files of 52794. (I have about 80,000 files on my system in all partitions.)

    You suggest that I make sure that I have the latest version of Sun Java, and provide a link to download it from. I have a couple of small problems:
    • I use IE only when I must, such as for on-line scans. As a result, I've no clue as to how to find out what version of Java it's using.
    • And what do I do with the file I download from your link?

    Continued next post -- I can't attach the next logfile.
     
  2. Rob M.

    Rob M. First Sergeant

    Sorry -- messed up the attachments to the first post....
     
  3. Rob M.

    Rob M. First Sergeant

    And here's the output from Panda ActiveScan...
     


  4. Rob M.

    Rob M. First Sergeant

    I mentioned connection hiccups? Well, they got me again. Here's another try at attaching the first three files....
     
  5. Rob M.

    Rob M. First Sergeant

    Well, that didn't work either. Let's try again....
     
  6. Rob M.

    Rob M. First Sergeant

    And I still don't have it right. Probably had something to do with the fact that MG's server made me log in again when I was already logged in. It does that from time to time.

    So -- one more time....
     


  7. matt.chugg

    matt.chugg MajorGeek

    I'm still going to need a HijackThis log as well (see step 7); we can't proceed very well without that.
     
  8. Rob M.

    Rob M. First Sergeant

    .... and here it is.
     


  9. matt.chugg

    matt.chugg MajorGeek

    Can you tell me what you have disabled using BHODemon?

    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (disabled by BHODemon)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's a BHO for Norton Antivirus's NavShExt.dll

    Since TREND MICRO INTERNET SECURITY 2006 is now being used, that O2 BHO can just be removed.
     
  11. Rob M.

    Rob M. First Sergeant

    Thanks, chaslang -- I wouldn't have been able to answer that one. I'll remove that item.

    Can you see any others that could be removed on principle, or might be responsible for the backdoor to <babe.the_killer.bz>?
     
  12. Rob M.

    Rob M. First Sergeant

    Some further info:

    I had to re-configure my router. While it was unavailable (and I had no Internet connection), I ran NETSTAT again. Same results: <babe.the_killer.bz> still shows up with an ESTABLISHED connection.

    Something on my system is setting up that connection. What?
     
  13. matt.chugg

    matt.chugg MajorGeek

    Download, install and run Active Ports

    This gives more information than netstat and updates in realtime.

    Let me know the process name that is connecting to that ip/host
     
  14. Rob M.

    Rob M. First Sergeant

    Thanks, matt.chugg -- I'd love to know what application is opening the conversation with <babe.the_killer.bz>.

    But I note one small problem. The text on the download page you pointed me to says that Active Ports needs Windows NT/2000/XP. I'm running Win98SE.

    Sure, the header on the download page says "Win All". But maybe that's wrong -- the publisher's site also doesn't include Win9-anything. Nor does the README.TXT file in the zipfile.

    Or does MG know something the publishers don't admit?

    Thanks for your help.
     
  15. matt.chugg

    matt.chugg MajorGeek

    Did you try installing it?
     
  16. Rob M.

    Rob M. First Sergeant

    Nope.

    I've been burned by just enough bad installs that I'm quite leery of trying to install software that doesn't explicitly confirm that it is intended to run on the O/S I'm actually using. Especially on a system that is getting temperamental because it's overdue for an upgrade or at least a re-install. But that's for another day.

    Active Ports' publisher does not state that the product is intended for Win98SE (see <http://www.protect-me.com/freeware.html>). Maybe there's somebody else out there who is brave (or foolhardy) enough to install Active Ports on a Win98SE machine and let us know what happens. Or who has a test bed that has been set up for that kind of experimentation.

    I'll grant you that some publishers no longer bother to state whether their product will run on an outdated O/S such as Win98x. But MG's own page indicates Active Ports has been around (in the current version, yet) for more than 4 years. In 2002, Win98SE wasn't quite so out of date that software publishers could ignore it.

    In short, I suspect that the short description on MG's download page (the line that says "Requires: Win All") is a mistake. It should say "Requires: Windows NT/2000/XP".
     
  17. matt.chugg

    matt.chugg MajorGeek

    Run netstat with the following switches from the command line and upload the log that it creates.

    netstat -a -n -o -b > c:\netstatlog.txt

    Note: This may take some time to complete, please be patient
     
  18. Rob M.

    Rob M. First Sergeant

    Thanks, matt.chugg. Unfortunately, all I got was an empty file and the help screen for NETSTAT. I've attached that output as netstathelp.txt. I suspect it's a version problem -- the version I have doesn't list some of the switches you asked I use. netstathelp.txt therefore includes the output of the VER command.

    In the hope that it will give you something you can work with, I ran NETSTAT with all of the switches that my version does support other than the -p switch. That output is in netstatlog.txt.

    netstatlog.txt also contains the output from NETSTAT with no switches. It identifies active connections by domain name rather than IP address. I ran that twice: once before running NETSTAT with all the switches, and again afterwards. The respective outputs appear in the logfile in the order they were generated.

    As noted in a previous post, I've firewalled the IP address associated with the <the_killer.bz> domain name. The IP address my router is blocking is 67.19.238.250. Related domain names are also in the hosts list set up by PC-cillin Internet Security 2006's software firewall, so whatever is trying to set up the connection with <babe.the_killer.bz> should only be talking to the local host at 127.0.0.1.

    In case it's useful, I re-started my system before generating the NETSTAT output. I had not used either my browser or e-mail client in that session before running NETSTAT. However, my virus scanner (PC-Cillin 2006) does look for updates on startup, and I have an IM utility running on my LAN. Both of those appear to have generated some of the output in the logfile.

    CounterSpy is also running -- nice program. I loaded it at the request of the instructions in the READ&RUNMEFIRST file in this forum. It found two suspect items that PC-Cillin's spyware scanner missed, so I'll pay the registration fee and keep it around. However, it shouldn't have generated any output in the NETSTAT logfile -- I disabled the automatic update feature before restarting my system to run NETSTAT. Nevertheless, I think CounterSpy is responsible for the appearance of the IP address 80.15.249.150 in the last NETSTAT output.
     


  19. matt.chugg

    matt.chugg MajorGeek

    There's no need to pay the registration fee really, unless you really like it. I can instruct you on removal of these items if you can give me a log file. There are other free antispyware applications that are as good. I forgot you were on Win 98 when I gave you the netstat command.

    Adding entries to the hosts file to redirect to 127.0.0.1 only works if the program in question is resolving a domain name to an IP in order to connect; the program doing this could be connecting directly to the IP, and netstat will resolve it and show it as a domain.

    What firewall are you using?
     
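    As an added example (not part of this thread and not code from either poster), the Python script below makes the hosts-file point above concrete and adds one check worth running against the listing posted at the top of the thread. It parses a trimmed copy of that netstat output and a constructed hosts file containing the kind of 127.0.0.1 override the poster describes (the real file is not shown in the thread, so its contents are an assumption). `forward_lookup` shows that a program which connects by literal IP never consults the hosts file, while a program that resolves the name is sent to 127.0.0.1. `mirrored_pairs` flags rows of the form A:p -> B:q and A:q -> B:p: every netstat row is one socket on the machine running netstat, so a single connection produces two mirrored rows only when both of its ends are on that host, and the wiz2/babe pair in the posted output has exactly that shape. Whether that is what is happening on the poster's machine is for the poster to confirm; the script only reports the pattern. Hostnames, ports and the 67.19.238.250 address come from the thread; everything else is assumed.

```python
import re
from collections import namedtuple

# Constructed sample input: a trimmed copy of the netstat listing posted at
# the top of this thread (Windows 98 netstat with no switches, so foreign
# addresses are shown as reverse-resolved names where a name is available).
NETSTAT_TEXT = """Active Connections

Proto Local Address Foreign Address State
TCP wiz2:1025 babe.the-killer.bz:40000 ESTABLISHED
TCP wiz2:40000 babe.the-killer.bz:1025 ESTABLISHED
TCP wiz2:1226 www3.telus.net:80 TIME_WAIT
TCP wiz2:1231 216.239.57.99:80 TIME_WAIT
TCP wiz2:1253 192.168.0.102:nbsession TIME_WAIT
"""

# Constructed hosts file: an assumption about what the poster's "block it in
# the hosts file" edit looks like; the thread does not show the actual file.
HOSTS_TEXT = """127.0.0.1   localhost
127.0.0.1   babe.the_killer.bz    # assumed override entry
"""

Conn = namedtuple("Conn", "proto lhost lport rhost rport state")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_netstat(text):
    """Parse the TCP rows of a Windows-style netstat listing into Conn tuples.
    UDP rows have no state column and are skipped here."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        proto, local, foreign, state = parts
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = foreign.rsplit(":", 1)
        conns.append(Conn(proto, lhost, lport, rhost, rport, state))
    return conns


def parse_hosts(text):
    """Return (name -> ip, ip -> first listed name) from hosts-file text."""
    by_name, by_ip = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            by_name[name.lower()] = ip
            by_ip.setdefault(ip, name.lower())
    return by_name, by_ip


def forward_lookup(target, by_name):
    """Simulate the only step a hosts-file override can influence.

    Returns (address_the_program_connects_to, hosts_file_consulted).
    A program that calls connect() with a literal IP does no name lookup,
    so an override line for the name never comes into play; only a program
    that resolves the name is redirected to the hosts-file address.
    """
    if IPV4.fullmatch(target):
        return target, False
    return by_name.get(target.lower()), True


def mirrored_pairs(conns):
    """Rows A:p -> B:q and A:q -> B:p that both appear in one listing.

    Every row is a socket on the machine running netstat, so one connection
    produces two mirrored rows only when both of its endpoints live on this
    host. A connection to a genuinely remote machine shows a single row.
    """
    keys = {(c.lhost, c.lport, c.rhost, c.rport) for c in conns}
    pairs = set()
    for c in conns:
        mirror = (c.lhost, c.rport, c.rhost, c.lport)
        if mirror in keys:
            pairs.add(frozenset([(c.lhost, c.lport, c.rhost, c.rport), mirror]))
    return pairs


def report(netstat_text=NETSTAT_TEXT, hosts_text=HOSTS_TEXT):
    """Summary returned as a list of lines so it can be checked, not just printed."""
    conns = parse_netstat(netstat_text)
    by_name, by_ip = parse_hosts(hosts_text)
    lines = []
    for target in ("babe.the_killer.bz", "67.19.238.250"):
        addr, consulted = forward_lookup(target, by_name)
        lines.append(f"connect({target!r}) -> {addr} "
                     f"(hosts file {'consulted' if consulted else 'bypassed'})")
    for pair in mirrored_pairs(conns):
        a, b = sorted(pair)
        lines.append(f"mirrored sockets: {a[0]}:{a[1]}<->{a[2]}:{a[3]} and "
                     f"{b[0]}:{b[1]}<->{b[2]}:{b[3]}; both ends are on this host")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

    Run it as-is to see the three findings; to use it on a real machine, paste `netstat` output (or `netstat -n`, which skips the reverse lookup and shows the raw IP, and so is the form to compare against the router's block list) into NETSTAT_TEXT and the real hosts file into HOSTS_TEXT. The mirrored-pair check compares ports only, so it works whatever names the reverse lookup happens to print.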
  20. Rob M.

    Rob M. First Sergeant

    Thanks for the comments on CounterSpy. I'll assume I won't do better with another.

    As for firewalls: I've no idea how easy it is to hack a firewall, and other readers of this thread don't need that information. So if you don't mind, I won't post the details publicly. You'll find the information in a PM.

    And thanks for the comment about the limitations of a hosts file. Hopefully, I've blocked the right IP address at the router.
     
