   Mischel Internet Security Forum
   Author  Topic: Bladerunner.080  (Read 1504 times)
Nervous
Newbie
Posts: 8
Bladerunner.080
« on: Aug 31st, 2006, 1:07pm »

I cannot get rid of BD bladerunner.080. It appears to be active only when the dial-up accelerator is on. Norton tells me about the attack, but lets it through anyway. I have tried all the advice I have found on-line, which mostly says that anti-spyware will work. I have run the following scans: TrojanHunter, Spybot, a-squared, Ad-aware, Norton, and XoftSpy. I have also searched for the files that CA recommends. Nothing shows up anywhere. I'm new at this; until now my updated software has protected me. Any help will be appreciated. Thanks!

siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5960
Re: Bladerunner.080
« Reply #1 on: Aug 31st, 2006, 2:07pm »

Welcome to the forum Nervous
 
What version of Norton Internet Security are you running .... 2004...2005....2006?
 
What Windows operating system (with service pack number) are you running .... (example:  Windows XP-SP2 Home Edition)?
 
Would you please right click on the Norton icon in the lower right systray and select the Log Viewer.  Once the log viewer opens up, go to the Intrusion Prevention log and open it.  Scan down through it and see if anything concerning BladeRunner shows up in the list.  If it does, copy one of the intrusion messages for BladeRunner and post back here so I can see what it says about it.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Nervous
Newbie
Posts: 8
Re: Bladerunner.080
« Reply #2 on: Aug 31st, 2006, 7:22pm »

Thanks for your quick response. I am running Windows XP Pro, on a brand new HP computer. They told me I needed XP Pro because I got a dual core processor. I have Norton Internet Security 2006, which came pre-installed. I was not able to copy the log, so I'll just type it.
Attempted Intrusion "BD Blade Runner 0.80" against your machine was detected and blocked.
Intruder: local host(5400)
Risk Level: High
Protocol: TCP
Attacked IP: localhost
Attacked Port: 1083
 
Thanks.

siliconman01
Global Moderator
Posts: 5960
Re: Bladerunner.080
« Reply #3 on: Sep 1st, 2006, 1:04am »

Okay,,,,so your machine itself is not infected because NIS blocked the attack.  
 
I suspect that whatever program you are using for a download accelerator is exhibiting characteristics of a BladeRunner attack, therefore triggering NIS to respond.  You did say that this occurs when you use the download accelerator which I assume to mean that this is the only time you get this Intrusion alert from NIS.  
 
Did this accelerator software come installed on your brand new HP?  If so, you should contact the HP tech support and ask them how to correct this problem.
 
If you installed the accelerator software yourself, then please submit a copy of this software to Mischel Internet Security for analysis.  The link below describes how to submit a file.
 
http://forum.misec.net/board/FAQ/1139308293
 
What is the name of your download accelerator?  
 

Nervous
Newbie
Posts: 8
Re: Bladerunner.080
« Reply #4 on: Sep 1st, 2006, 11:56am »

I do seem to have the Trojan; I cannot search for any derivative of BD BladeRunner (BD, Blade, runner, etc.). I get PCBD, but the page is there in the address bar, and I can see the page flash briefly. I cannot even open anything in this forum if it is part of BD Bladerunner. This only happens when the accelerator is enabled. Works fine otherwise. I got my accelerator from my ISP; as best I can tell, it is from Slipstream. I'll be calling my ISP.
I found out from another forum that Norton (for an incident fee of $69.95), said to delete the detection check mark for the trojan. This does not make sense, as they call it high risk, and recommend buying a program that will remove this.
Thanks to everyone for helping me.

siliconman01
Global Moderator
Posts: 5960
Re: Bladerunner.080
« Reply #5 on: Sep 2nd, 2006, 5:26am »

No, I don't agree either with "unchecking" the trojan in Norton.  Hopefully your ISP can provide the solution inasmuch as they supplied you the program for acceleration.

Nervous
Newbie
Posts: 8
Re: Bladerunner.080
« Reply #6 on: Sep 2nd, 2006, 11:11am »

Thanks. I have contacted my ISP, and they will get back to me, but my impression is they know less than me. Does anyone else have experience with this problem? Does anyone currently have this infection? Why is this beast so hard to remove, as it has been around for a while? TrojanHunter Port Checker indicates that port 5400 is open and is used by Bladerunner and three other backdoors. Thanks again Siliconman.

siliconman01
Global Moderator
Posts: 5960
Re: Bladerunner.080
« Reply #7 on: Sep 2nd, 2006, 1:37pm »

Let's do a little investigation if you want.  We can possibly tell if you are infected with something malicious that is not being detected by all the various scanners.
 
Please go to the link below and download HiJackThis. Put it in a folder of its own on your hard drive....example, put in a folder named Hijack created at C:\Program Files\Hijack.  Then open the folder and rename  Hijackthis.exe to something unique such as  AnalyzeIt.exe
 
Why rename it?  Well, there are some new infections that attack Hijackthis.exe itself....so we want to "fool" them.  
 
Once you get it installed, close all open windows and run a Hijackthis scan.  Post the log of the scan back here on the forum so I can take a look at it.
 
http://www.majorgeeks.com/download3155.html
« Last Edit: Sep 2nd, 2006, 1:38pm by siliconman01 »

Nervous
Newbie
Posts: 8
Re: Bladerunner.080
« Reply #8 on: Sep 7th, 2006, 11:12am »

Here is my Hijack this log. Since my last post, I have also run Kaspersky and Windows Defender, nothing shows.  
Logfile of HijackThis v1.99.1
Scan saved at 9:55:12 AM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\TOAST.net Accelerator\toastcore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TOAST.net Accelerator\toastgui.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\TOAST.net\dialer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack\analyze.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\TOAST.net Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: TOAST.net Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\TOAST.net Accelerator\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\TOAST.net Accelerator\toastcore.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TOAST.net Accelerator.lnk = C:\Program Files\TOAST.net Accelerator\toastgui.exe
O4 - Global Startup: TOAST.net Accelerator.lnk.disabled
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156601421828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156601347046
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D8F552-1B38-46FB-911D-B18AC84978DF} : NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Thanks for all your help.
 

siliconman01
Global Moderator
Posts: 5960
Re: Bladerunner.080
« Reply #9 on: Sep 8th, 2006, 2:18am »

In examining your HJT log, I do not see anything malicious.  
 
I assume that this entry reflects the proper IPs for your specific ISP.  Is this correct?  
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D8F552-1B38-46FB-911D-B18AC84978DF}  : NameServer = 205.171.3.65 205.171.2.65  
 
Also your Java module is out-of-date and should be upgraded for security reasons.  
 
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
 
Go to the Sun Java website and get the latest version of the Java plugin.  
 
http://java.com/en/download/index.jsp
 
Install the new version and then remove the old version (jre1.5.0_05) using Add/Remove programs in the Control Panel.

Nervous
Newbie
Posts: 8
Re: Bladerunner.080
« Reply #10 on: Sep 13th, 2006, 10:09am »

Thanks a lot Siliconman! This is a very frustrating Trojan. I think I know everything about Bladerunner except how to get it off my computer. There was a removal tool that specifically removed Bladerunner; unfortunately it is no longer available. If anyone might have a copy of this, please let me know. Maybe this thread will yield some results eventually. Thanks to all.

Nervous
Newbie
Posts: 8
Re: Bladerunner.080
« Reply #11 on: Oct 2nd, 2006, 10:38am »

It's me again, Nervous. I still have bd bladerunner .080. I don't think I have missed any scan or download in the cyber-world, and nothing detects it. Is this really so sophisticated that nothing can find it? Has this old trojan beaten the world center of trojan removal brainpower? I'm still hoping someone can help. Thanks!

siliconman01
Global Moderator
Posts: 5960
Re: Bladerunner.080
« Reply #12 on: Oct 2nd, 2006, 11:51am »

Here is the intrusion rule from Symantec that is triggering this Norton alert.
 
"Rule Name: Default Block Blade Runner Trojan horse
Action: Block Internet access
Connections: From other computers
Computers: Any computer
Communications: TCP protocol port 5400, 5401, 5402
Tracking: Create an event log entry, Create Security Alert
Type: Admin
Description: Default Block Blade Runner Trojan horse"
 
I continue to think that your download accelerator is opening port 5400 when you run the accelerator and this is causing Norton to bark.  The old Blade Runner trojan written by Mr. Blade contained a startup program named Server.exe and your system HJT log does not indicate that this program is part of your startup list (the O4 entries).  
 
Download this .PDF file from Slipstream.  On pages 27-28, it shows how to change the port setting.  Note that it specifically displays the default port as 5400.
 
http://www.slipstream.com/assets/pdfs/SlipStream3_1Support.pdf
 
Change the port number to 5425 and see if the problem goes away.  
 
Please let me know if this works.
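
The check that would confirm the diagnosis in Reply #12, added here as an example and not part of the original thread: it joins `netstat -ano` and `tasklist /FO CSV /NH` output to name the process listening on the TCP ports in the Norton rule. The sample output, addresses and PIDs are constructed; the image names are taken from the HijackThis log above.

```python
import csv
import io

# TCP ports matched by the Norton rule quoted in Reply #12.
RULE_PORTS = {5400, 5401, 5402}

# Constructed sample of `netstat -ano` output; addresses and PIDs are invented.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    127.0.0.1:5400         0.0.0.0:0              LISTENING       1812
  TCP    127.0.0.1:1083         127.0.0.1:5400         ESTABLISHED     3120
  TCP    127.0.0.1:5400         127.0.0.1:1083         ESTABLISHED     1812
  UDP    0.0.0.0:5401           *:*                                    984
"""

# Constructed sample of `tasklist /FO CSV /NH` output; image names come from
# the HijackThis log in the thread, PIDs are invented.
TASKLIST_SAMPLE = """\
"svchost.exe","984","Console","0","4,512 K"
"toastcore.exe","1812","Console","0","9,880 K"
"iexplore.exe","3120","Console","0","31,204 K"
"""


def parse_netstat(text):
    """Return TCP rows as dicts; headers, blank lines and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue
        lip, lport = f[1].rsplit(":", 1)
        rip, rport = f[2].rsplit(":", 1)
        rows.append({"lip": lip, "lport": int(lport), "rip": rip,
                     "rport": int(rport), "state": f[3], "pid": int(f[4])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}


def triage(netstat_text, tasklist_text, ports=RULE_PORTS):
    """For each TCP listener on a rule port, report owner, exposure and local clients."""
    names = parse_tasklist(tasklist_text)
    conns = parse_netstat(netstat_text)
    findings = []
    for c in conns:
        if c["state"] != "LISTENING" or c["lport"] not in ports:
            continue
        # Processes on this machine that hold a connection to the listener.
        clients = sorted({names.get(p["pid"], "<unknown>") for p in conns
                          if p["state"] == "ESTABLISHED"
                          and p["rport"] == c["lport"]
                          and p["rip"] in ("127.0.0.1", c["lip"])})
        findings.append({"port": c["lport"], "pid": c["pid"],
                         "image": names.get(c["pid"], "<unknown>"),
                         "loopback_only": c["lip"] == "127.0.0.1",
                         "clients": clients})
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(finding)
```

A listener owned by the accelerator's own executable and bound only to loopback fits the explanation given in Reply #12; an unfamiliar image name, or a listener bound to 0.0.0.0, would call for further investigation.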

Nervous
Newbie
Posts: 8
Re: Bladerunner.080
« Reply #13 on: Oct 9th, 2006, 12:02pm »

Dear Siliconman,
 
Thank you! I followed your instructions and changed the port to 5401, and like magic, the little monster is gone. The only thing it did was prevent me from searching for anything about Bladerunner, but I was worried that someone would do bad things since I thought the backdoor was open, and this trojan is "fully equipped" with remote access.
 
FYI, when I talked to my ISP, I asked if I could change the port, but I was told it would not work.
 
I really appreciate the extra time and thought that you gave my problem. This is a great forum!

siliconman01
Global Moderator
Posts: 5960
Re: Bladerunner.080
« Reply #14 on: Oct 9th, 2006, 12:29pm »

U B most welcome.
 
Glad you are fixed up and no more Blade Runner.