Unknown Trojan

I am lost on what to do here. I scanned with kaspersky, ad-aware, and spybot. All latest version and latest reference files. I looked through msconfig and I see nothing that could be causing this.

When I restart I can see that a trojan or something else is injecting into my default browser. First it was injecting in Opera than when I set IE back as default browser now its injecting into IE. When I restart before I open opera or IE, I can see it running in the background. I have got the guys ip when I just recently restarted. This connection was established right on startup:

Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:1025 127.0.0.1:1028 ESTABLISHED
TCP 127.0.0.1:1028 127.0.0.1:1025 ESTABLISHED
TCP xxx.x.x.x:1030 81.215.32.126:1193 ESTABLISHED

His old IP was this 81.215.30.175. I put them both into the blocked zone of zonealarm, but it isn't going to be of much help since his ip is changing on restart I take it. I just now added this range to block 81.215.0.0 to 81.215.255.255. This hopefully will stop them from connecting to me. I originally only had his ip blocked.

I seen not to post Hijack this log here unless asked to, so please let me know when you want it posted. I will just put this bit in. This entry that I fix R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost comes back with a half hour or so or on reboot. I don't use proxies, so I am not sure what that is from and how to stop it from keep showing up.

 

Hi Redx113, Wilders no longer provides support for Hijack This logs, and as such you will need to download and run “Hijack This” found here and post your log at one of the forums found here.

Hope this helps...

Cheers

 

I have posted it at spywarewarrior earlier and one of the site admins said he sees nothing obvious, but he is going to alert a few other analyzers to see if it could be some kind of backdoor trojan.

What exactly could I do for you guys to take a look at this? I was aware that you guys no longer look at the hijack this logs, but I seen you solved many trojan problems and I am right now experincing one and I am not quite sure how its loading.

Is there any way you guys would be able to help me with this or any other forums that deal with viruses/trojans that will?

 

Redx113, welcome to Wilders. If your problem is Trojan or Virus related, then you will probably benefit from following the comprehensive steps found in General Cleaning.

The steps mentioned in General Cleaning use software that ought to be part of your security, as an absolute minimum.

Once your system is clean, please don’t hesitate to ask further about using this and other security to protect your computer.

Hope this helps...

Let us know how you go.

Cheers

 

WHOIS results for 81.215.32.126

Generated by www.DNSstuff.com

status = "Getting WHOIS results..."; Country: TURKEY (high)


% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 81.215.0.0 - 81.215.255.255
netname: TurkTelekom
descr: Turk Telekom
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: ***@telekom.gov.tr
changed: ***@telekom.gov.tr 20030930
source: RIPE

route: 81.215.0.0/17
descr: TurkTelecom
origin: AS9121
mnt-by: AS9121-MNT
changed: ***@turktelekom.com.tr 20040927
source: RIPE

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: *****@ttnet.net.tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
tech-c: ZA196-RIPE
tech-c: LA109-RIPE
tech-c: NO638-RIPE
nic-hdl: TTBA1-RIPE
notify: ***@turktelekom.com.tr
mnt-by: AS9121-MNT
changed: ***@telekom.gov.tr 20000608
changed: ***@telekom.gov.tr 20001020
changed: ***@telekom.gov.tr 20010615
changed: ***@turktelekom.com.tr 20040903
source: RIPE


[The following lines added by www.dnsstuff.com per requirement by RIPE]
This service is subject to the terms and conditions stated in the RIPE NCC Database Copyright Notice.
Contact dnsstuff.com's 'info@' address to report problems regarding the functionality of the service.


[If E-mail address(es) were hidden on this page, you can click here to get the results with the E-mail address.


status = "Done!"; (C) Copyright 2000-2004 R. Scott Perry

The trojan on your computer is being operated by a computer from Turkey.

 

His old IP address from the same source, I believe its a zombie computer from this telecom company in Turkey.


WHOIS results for 81.215.30.175

Generated by www.DNSstuff.com

status = "Getting WHOIS results..."; Country: TURKEY (high)


% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 81.215.0.0 - 81.215.255.255
netname: TurkTelekom
descr: Turk Telekom
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: ***@telekom.gov.tr
changed: ***@telekom.gov.tr 20030930
source: RIPE

route: 81.215.0.0/17
descr: TurkTelecom
origin: AS9121
mnt-by: AS9121-MNT
changed: ***@turktelekom.com.tr 20040927
source: RIPE

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: *****@ttnet.net.tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
tech-c: ZA196-RIPE
tech-c: LA109-RIPE
tech-c: NO638-RIPE
nic-hdl: TTBA1-RIPE
notify: ***@turktelekom.com.tr
mnt-by: AS9121-MNT
changed: ***@telekom.gov.tr 20000608
changed: ***@telekom.gov.tr 20001020
changed: ***@telekom.gov.tr 20010615
changed: ***@turktelekom.com.tr 20040903
source: RIPE


[The following lines added by www.dnsstuff.com per requirement by RIPE]
This service is subject to the terms and conditions stated in the RIPE NCC Database Copyright Notice.
Contact dnsstuff.com's 'info@' address to report problems regarding the functionality of the service.


[If E-mail address(es) were hidden on this page, you can click here to get the results with the E-mail address.


status = "Done!"; (C) Copyright 2000-2004 R. Scott Perry

 

I think this could be a case of computer hacking, you can report it to your ISP.

 

EDIT2: Read on for more about this. I have noticed that spool32.exe in windows/system was created and modified on dec 6th of this year. This appears to be the trojan. Can a mod or admin or someone please contact me so I can send this to you? I am not positive, but it is looking like this is the source

Its definetely a trojan of some sort that got installed somehow. I am very cautious when it comes to these things so I am at a loss how it got on. Always latest windows update and everything else. His latest ip was 81.214.x.x I blocked 81.210.0.0 through 81.220.255.255 hopefully that covers this isp's range of ips.

I posted this over at spyware warrior and instead of retyping it I will just copy paste Any suggestions?:

I figured out what is causing it to inject I believe. It has somehow taken over spool32. Right on startup I hit ctrl alt del and ended the process on it and there was no hidden Opera window on startup.

How would I go about disabling spool32 or better yet reinstalling it? This is absolutely the craziest thing I have dealt with. It would be nice to print again on 98 without booting into my win2000 partition.

I would also like to note that. TrojanHunter Process Guard crashed every program running right up to explorer when it opened. I restarted and it did the same thing. Shortly after I got webroots spysweeper and turned on the spy installation shield. It started doing the same thing.

Whatever this is seems to be very nasty and sneaky. I am going to do a bit of searching and see if I can find anything about this.

If you guys come up with any suggestions, please let me know. Thanks


EDIT What can my ISP do to help me though? Especially since this is foreign IP and ISP. I'm just wondering. If they can do something about than I will give them a call first thing tommorow

 

PROBLEM SOLVED

I renamed the spool32 that was created dec 6th and I replaced it with the one found in my options/cabs folder. I copied it from there to system and restarted.

Sure enough no injection into the browser and I could see my printers again. That explains how this was loading on startup and not showing in any startup list. This was driving me mad.

I have sent it off to kaspersky. If you guys are interested in checking it out just let me know and I will send it to you. It was definetely a trojan of some sort. TDS-3 guys.. This definetely needs to be added to detections. Seems I was one of the firsts blessed with it.

Anyway, I am now a happy man again.

 

Ok. Good to see your problem's solved.