Author Topic: How to remove Bot  (Read 4320 times)

jdbaok

  • Guest
How to remove Bot
« on: July 22, 2009, 06:08:54 PM »
I have been using BotHunter to determine whether or not I have an infected PC. BotHunter appears to have identified a bot:

DECLARE BOT
    88.214.203.109 (2) (11:50:23.634 EDT)
    event=1:2406027 (2) {tcp} E8[rb] ET RBN Known Russian Business Network Monitored Domains (28)
        2208->80 (11:50:23.634 EDT)
        2280->80 (11:51:42.860 EDT)

tcpslice 1248277714.873 1248277714.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.2.100'


Avast has not found it...how do I go about eliminating this bot?
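
Added example (not part of the original post and not BotHunter's own code): a small parser for the alert text above that pulls out the remote address, the rule id and the port pairs, then builds a tcpdump filter for a follow-up capture. It assumes each `2208->80` pair reads as source port to destination port and that `event=1:2406027` is a Snort-style generator:signature id; the function names are hypothetical.

```python
import re

# Constructed sample: the alert text as posted above, whitespace tidied.
ALERT = """\
DECLARE BOT
    88.214.203.109 (2) (11:50:23.634 EDT)
    event=1:2406027 (2) {tcp} E8[rb] ET RBN Known Russian Business Network Monitored Domains (28)
        2208->80 (11:50:23.634 EDT)
        2280->80 (11:51:42.860 EDT)
"""

PEER_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+\((\d+)\)")
EVENT_RE = re.compile(r"event=(\d+):(\d+)\s+\((\d+)\)\s+\{(\w+)\}\s+(\S+)\s+(.*)$")
FLOW_RE = re.compile(r"^\s*(\d+)->(\d+)\s+\(([\d:.]+)\s+(\w+)\)")

def parse_alert(text):
    """Return the peer IP, rule id, protocol, tag, message and port pairs."""
    out = {"peer": None, "flows": []}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            # Assumption: "1:2406027" is generator id : signature id.
            out.update(gid=int(m[1]), sid=int(m[2]), proto=m[4],
                       tag=m[5], msg=m[6].strip())
            continue
        m = FLOW_RE.match(line)
        if m:
            out["flows"].append(
                {"sport": int(m[1]), "dport": int(m[2]), "time": m[3]})
            continue
        m = PEER_RE.match(line)
        if m and out["peer"] is None:
            out["peer"] = m[1]
    return out

def looks_outbound(flow):
    """Heuristic (assumption): a high source port talking to a low service
    port is a client connection opened by the monitored machine."""
    return flow["sport"] > 1023 and flow["dport"] <= 1023

def capture_filter(alert):
    """Build a tcpdump filter for the peer and the destination ports seen."""
    ports = sorted({f["dport"] for f in alert["flows"]})
    port_expr = " or ".join(f"port {p}" for p in ports)
    return f"host {alert['peer']} and {alert['proto']} and ({port_expr})"

if __name__ == "__main__":
    alert = parse_alert(ALERT)
    print(alert["peer"], alert["sid"], [looks_outbound(f) for f in alert["flows"]])
    print(capture_filter(alert))
```

The resulting filter string can be passed to `tcpdump -r` in place of the `'host 192.168.2.100'` expression in the command above to narrow a saved capture to the flagged traffic.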

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: How to remove Bot
« Reply #1 on: July 22, 2009, 06:12:22 PM »
Hello jdbaok,

Get HijackThis from here: http://www.filehippo.com/download_hijackthis/download/8571e06e5eb8ab03c649f3b5d647c599/

Install and run.

Post the log.

jdbaok

  • Guest
Re: How to remove Bot
« Reply #2 on: July 22, 2009, 06:18:55 PM »
Hope you are not a spammer ;D

I ran the log but it is too big to post. What should I be looking for? Or what specific section do you want to see?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How to remove Bot
« Reply #3 on: July 22, 2009, 06:23:41 PM »
Then attach the log file (Additional Options) it generates or split the contents of the log over two or more posts.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jdbaok

  • Guest
Re: How to remove Bot
« Reply #4 on: July 22, 2009, 06:51:17 PM »
OK - here it is.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How to remove Bot
« Reply #5 on: July 22, 2009, 08:21:30 PM »
First, you have tools to tell if you have a bot but nothing to stop one getting established, e.g. an active firewall.

You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections.
Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Other than that I don't see anything obvious, but there is a possibility that HJT isn't seeing everything that is running. I have no experience of BotHunter so I don't know if this is an inbound attack detection or an outbound connection attempt and it really doesn't give much information to work with, certainly not for me.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

jdbaok

  • Guest
Re: How to remove Bot
« Reply #6 on: July 23, 2009, 04:39:53 AM »
You note that I am not running a firewall - but if I go to the control panel and click on the firewall it says that it is running. I thought it was running. The bot must be spoofing me.
Thanks for your help. Looks like I'll be working on this for a while.

spg SCOTT

  • Guest
Re: How to remove Bot
« Reply #7 on: July 23, 2009, 11:40:05 AM »
First, you have tools to tell if you have a bot but nothing to stop one getting established, e.g. an active firewall.

You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections.
Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.


What DavidR was saying is that the XP firewall is not capable enough to protect you and you should consider another, 3rd party one that is better at protecting you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How to remove Bot
« Reply #8 on: July 23, 2009, 02:25:51 PM »
You note that I am not running a firewall - but if I go to the control panel and click on the firewall it says that it is running. I thought it was running. The bot must be spoofing me.
<snip>

That isn't what I said (emphasis made in the quoted text), I said "You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections."

The XP firewall doesn't have that capability, as I also said: "Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection."
« Last Edit: July 23, 2009, 02:28:17 PM by DavidR »