CLOSING NETBIOS

hello all...

i'm new here and have a few questions...

first, my adventure began on monday, when my norton firewall (which is from 2004 - i haven't updated it because i use the trendmicro housecall online virus scan) gave me an alert that a trojan had been blocked. it was called DMSetup Trojan horse and it was from ip address 59.28.211.101:1103.

i did some research and found out about the netstat.txt file, so i ran it and found the following:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 69.244.253.97:123 *:*
UDP 69.244.253.97:137 *:*
UDP 69.244.253.97:138 *:*
UDP 69.244.253.97:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
____________________________________________________________

last night i ran an updated trendmicro housecall scan & it came up with nothing....then i downloaded & ran "The Cleaner" - which is supposed to be specifically for trojans. the only thing it came up with were two test files from an old version of mcafee on my computer.

i ran netstat.txt again this morning & this is what it said:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 69.244.253.97:1037 207.138.126.169:80 ESTABLISHED
TCP 69.244.253.97:1038 207.138.126.169:80 ESTABLISHED
TCP 69.244.253.97:1039 207.138.126.169:80 ESTABLISHED
TCP 69.244.253.97:1040 207.138.126.169:80 ESTABLISHED
TCP 69.244.253.97:1043 207.138.126.144:80 ESTABLISHED
TCP 69.244.253.97:1044 207.138.126.144:80 ESTABLISHED
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 127.0.0.1:1033 ESTABLISHED
TCP 127.0.0.1:1025 127.0.0.1:1034 ESTABLISHED
TCP 127.0.0.1:1025 127.0.0.1:1035 ESTABLISHED
TCP 127.0.0.1:1025 127.0.0.1:1036 ESTABLISHED
TCP 127.0.0.1:1025 127.0.0.1:1041 ESTABLISHED
TCP 192.168.100.11:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 127.0.0.1:1042 ESTABLISHED
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 127.0.0.1:1025 ESTABLISHED
TCP 127.0.0.1:1034 127.0.0.1:1025 ESTABLISHED
TCP 127.0.0.1:1035 127.0.0.1:1025 ESTABLISHED
TCP 127.0.0.1:1036 127.0.0.1:1025 ESTABLISHED
TCP 127.0.0.1:1041 127.0.0.1:1025 ESTABLISHED
TCP 127.0.0.1:1042 127.0.0.1:1025 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1030 *:*
UDP 0.0.0.0:4500 *:*
UDP 69.244.253.97:123 *:*
UDP 69.244.253.97:137 *:*
UDP 69.244.253.97:138 *:*
UDP 69.244.253.97:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1029 *:*
UDP 127.0.0.1:1900 *:*


WHY DOES IT SAY "ESTABLISHED" NOW? i tried to block the ip addresses 69.244.253.97 and 127.0.0.1, but i had to reinstate 69.244.253.97 so that my internet would work.
i've been doing some more research this morning & i read that it's best to shut down ports 135-139 and port 445 (the netbios?)....

what i need to know is...

1. does everyone agree that it's wise to shut down my netbios (port 445) and ports 135-139?
2. what would be the consequences, if any?
3. what are the "foreign" ip addresses in my netstat report?
4. has anyone dealt with the DMSetup Trojan horse before?

i'll follow the instructions in the "general cleaning" file since there are a couple of things i haven't done....Thank you for any help you can give!!!

 

i cant speak for everybody, but i always shutdown netbios.

i disable the service, disable it for my network adapter and use Windows Worms Doors Cleaner (WWDC) to make sure its shutdown.

i believe it negatively affects File and Print sharing.

 

1) It is wise to shutdown Netbios ports because they allow file sharing between windows computer. this means that unauthorized computers on the internet could possibly use these ports to explorer your computer, do damage, infect you, etc.

2) The consequences of disabling netbios is that you won't be able to do local filesharing via netbios and browse network places, but this can be replaced by ssh, vnc, etc.

3) The foreign ip address is actually your own. 127.0.0.1 is what is commonly referred to as localhost, and is what is called a "loopback" connection which is used by applications on your computer to communicate with themselves

4) I have never personally dealt with that trojan before, but Norman has provided a detailed procedure on how to manually remove it.

Cheers,

Alphalutra1

 

Hello,
I keep netbios open. It's useful for home networking. There's no danger as long as you have a firewall.
Mrk

 

Hi wordsmith,

I've sent a PM on a detail I noticed that may put you at increased risk which is why I've told you via Private Message rather than posting it.

I am no expert, far from it, but I do know a little about this one particular detail.

Best of luck with whatever choices you make, wish I had something to add re your questions.

~ CL

 

I once used WWDC to shut my netbios ports on port 445. But that cut off my internet connection permanently and I had to do a system restore back. I consulted my ISP's technician and he said port 445 is needed for my internet service to function.

Too much security hurts sometimes.

 

There are allways some vulnerabilities exploiting thanks to NetBIOS.
Once it is disabled, you do not need about half of Windows updates.

I allways disable it, but I have to enable it, to be able to start DHCP service.
If it is disabled, DHCP will not start. I am lucky, my IP does not change to often.

Disable NetBIOS, restart PC and if everything works, then most likely you do not need it.

 

I closed Net BIOS Control Pannel/Network conections/Properties/TCP/IP/Properties/Advanced/WINS?Disable NetBios over TCP/IP. I used WWDC for disabling DCOM (135); LOCATOR (port 445); UPNP (port 5000); Msg (Messenger).

 

If all your computer (applications, programs) can function without it and your not sharing then I suppose why not.
A firewall as said before will protect though, disabling depends on what your doing with the machine.

Sounds like your firewall is working

 

That holds true only if your firewall never fails. Specific attacks and exploits are known for many software firewalls. Viruses have been released that directly attack firewalls. Some fail from their vendors own poorly written updates. One missed firewall attacking virus is all it would take to leave you wide open to attack. Closing ports by configuration is always preferable to closing them with a firewall.
Rick

 

Hello,
Why should the firewall fail? I have never seen a firewall, of any kind, ever fail, since 1999 or so. Although it may be nice to have all ports closed by default, I prefer functionality over that - this goes for gaming, p2p, printer sharing.
Mrk

 

If it crashes, the user accidently turns it off to get rid of all of those "annoying popups", the firewall doesn't load when windows starts for some reason aka the driver wasn't installed correctly, so kind of malware goes and shuts the firewall down, etc.

Cheers,

Alphalutra1