Unknown Trojan

Discussion in 'malware problems & news' started by redx113, Dec 10, 2004.

Thread Status:
Not open for further replies.
  1. redx113

    redx113 Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    5
    I am lost on what to do here. I scanned with Kaspersky, Ad-Aware, and Spybot, all latest versions and latest reference files. I looked through msconfig and I see nothing that could be causing this.

    When I restart I can see that a trojan or something else is injecting into my default browser. First it was injecting into Opera, then when I set IE back as the default browser it's now injecting into IE. When I restart, before I open Opera or IE, I can see it running in the background. I got the guy's IP when I just recently restarted. This connection was established right on startup:

    Active Connections

    Proto Local Address Foreign Address State
    TCP 127.0.0.1:1025 127.0.0.1:1028 ESTABLISHED
    TCP 127.0.0.1:1028 127.0.0.1:1025 ESTABLISHED
    TCP xxx.x.x.x:1030 81.215.32.126:1193 ESTABLISHED

    His old IP was 81.215.30.175. I put them both into the blocked zone of ZoneAlarm, but it isn't going to be of much help since his IP is changing on restart, I take it. I just now added this range to block: 81.215.0.0 to 81.215.255.255. This hopefully will stop them from connecting to me. I originally only had his IP blocked.

    I've seen that I'm not to post a HijackThis log here unless asked to, so please let me know when you want it posted. I will just put this bit in. This entry that I fix, R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost, comes back within half an hour or so, or on reboot. I don't use proxies, so I am not sure what that is from and how to stop it from showing up again.
     
    Last edited: Dec 11, 2004
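    The triage done above by eye (looking for an established connection to a non-local address and checking whether a firewall range actually covers it) can be scripted. The following is an added example, not code from this thread or from any poster: it parses a netstat listing, flags connections whose foreign address is neither loopback nor private, and checks each against the ranges the poster blocked. The listing is constructed from the one posted, with the masked local address replaced by the documentation address 192.0.2.10.

    ```python
    """Triage a netstat listing: flag connections to external hosts and check
    them against a list of blocked address ranges.

    Added example, not from the thread. The sample listing is constructed
    from the posted one; the local address 192.0.2.10 is a placeholder."""
    import ipaddress
    import re

    SAMPLE_NETSTAT = """\
    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    127.0.0.1:1025         127.0.0.1:1028         ESTABLISHED
      TCP    127.0.0.1:1028         127.0.0.1:1025         ESTABLISHED
      TCP    192.0.2.10:1030        81.215.32.126:1193     ESTABLISHED
    """

    # Ranges the poster blocked in ZoneAlarm: two single hosts and the whole
    # 81.215.0.0 - 81.215.255.255 block, which is a /16.
    BLOCKED = [
        ipaddress.ip_network("81.215.32.126/32"),
        ipaddress.ip_network("81.215.30.175/32"),
        ipaddress.ip_network("81.215.0.0/16"),
    ]

    # One netstat row: proto, local addr:port, foreign addr:port, optional state.
    LINE_RE = re.compile(
        r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
    )


    def parse_netstat(text):
        """Return a list of dicts, one per connection row; header lines are skipped."""
        conns = []
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            proto, laddr, lport, faddr, fport, state = m.groups()
            conns.append({
                "proto": proto,
                "local_ip": laddr,
                "local_port": lport,
                # UDP rows show "*:*" as foreign address; record that as None.
                "foreign_ip": None if faddr == "*" else faddr,
                "foreign_port": fport,
                "state": state or "",
            })
        return conns


    def is_external(addr):
        """True for a routable address outside loopback/private/link-local space."""
        ip = ipaddress.ip_address(addr)
        return not (ip.is_loopback or ip.is_private or ip.is_link_local)


    def covers(blocked, addr):
        """Does any network in the block list contain this address?"""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in blocked)


    def flag_external(conns, blocked=BLOCKED):
        """Keep only connections to external hosts, annotated with whether the
        foreign address falls inside the block list."""
        flagged = []
        for c in conns:
            if c["foreign_ip"] is None or not is_external(c["foreign_ip"]):
                continue
            flagged.append(dict(c, blocked=covers(blocked, c["foreign_ip"])))
        return flagged


    if __name__ == "__main__":
        for c in flag_external(parse_netstat(SAMPLE_NETSTAT)):
            print(f'{c["proto"]} {c["local_ip"]}:{c["local_port"]} -> '
                  f'{c["foreign_ip"]}:{c["foreign_port"]} {c["state"]} '
                  f'blocked={c["blocked"]}')
    ```

    The two loopback rows (1025 and 1028 talking to each other) are dropped as local-only, and the single external row is reported together with whether the block list covers it. `covers()` is also a quick way to confirm what a range entry really includes before relying on it: a /16 covers every address that starts with 81.215, but nothing in a neighbouring block.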
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Redx113, Wilders no longer provides support for Hijack This logs, and as such you will need to download and run “Hijack This” found here and post your log at one of the forums found here.

    Hope this helps...

    Cheers :D
     
    Last edited: Dec 11, 2004
  3. redx113

    redx113 Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    5
    I have posted it at spywarewarrior earlier and one of the site admins said he sees nothing obvious, but he is going to alert a few other analyzers to see if it could be some kind of backdoor trojan.

    What exactly could I do for you guys to take a look at this? I was aware that you guys no longer look at HijackThis logs, but I've seen you solve many trojan problems, and I am right now experiencing one and I am not quite sure how it's loading.

    Is there any way you guys would be able to help me with this or any other forums that deal with viruses/trojans that will?
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Redx113, welcome to Wilders. If your problem is Trojan or Virus related, then you will probably benefit from following the comprehensive steps found in General Cleaning.

    The steps mentioned in General Cleaning use software that ought to be part of your security, as an absolute minimum.

    Once your system is clean, please don’t hesitate to ask further about using this and other security to protect your computer.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    WHOIS results for 81.215.32.126

    Generated by www.DNSstuff.com

    status = "Getting WHOIS results..."; Country: TURKEY (high)


    % This is the RIPE Whois query server #2.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    inetnum: 81.215.0.0 - 81.215.255.255
    netname: TurkTelekom
    descr: Turk Telekom
    country: tr
    admin-c: TTBA1-RIPE
    tech-c: TTBA1-RIPE
    status: ASSIGNED PA
    mnt-by: as9121-mnt
    notify: ***@telekom.gov.tr
    changed: ***@telekom.gov.tr 20030930
    source: RIPE

    route: 81.215.0.0/17
    descr: TurkTelecom
    origin: AS9121
    mnt-by: AS9121-MNT
    changed: ***@turktelekom.com.tr 20040927
    source: RIPE

    role: TT Administrative Contact Role
    address: Turk Telekom
    address: Bilisim Aglari Dairesi
    address: Aydinlikevler
    address: 06103 ANKARA
    phone: +90 312 313 1950
    fax-no: +90 312 313 1949
    e-mail: *****@ttnet.net.tr
    admin-c: BADB3-RIPE
    tech-c: ZA66-RIPE
    tech-c: ZA196-RIPE
    tech-c: LA109-RIPE
    tech-c: NO638-RIPE
    nic-hdl: TTBA1-RIPE
    notify: ***@turktelekom.com.tr
    mnt-by: AS9121-MNT
    changed: ***@telekom.gov.tr 20000608
    changed: ***@telekom.gov.tr 20001020
    changed: ***@telekom.gov.tr 20010615
    changed: ***@turktelekom.com.tr 20040903
    source: RIPE


    [The following lines added by www.dnsstuff.com per requirement by RIPE]
    This service is subject to the terms and conditions stated in the RIPE NCC Database Copyright Notice.
    Contact dnsstuff.com's 'info@' address to report problems regarding the functionality of the service.


    [If E-mail address(es) were hidden on this page, you can click here to get the results with the E-mail address.


    status = "Done!"; (C) Copyright 2000-2004 R. Scott Perry

    The trojan on your computer is being operated by a computer from Turkey.
     
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    His old IP address is from the same source; I believe it's a zombie computer from this telecom company in Turkey.


    WHOIS results for 81.215.30.175

    Generated by www.DNSstuff.com

    status = "Getting WHOIS results..."; Country: TURKEY (high)


    % This is the RIPE Whois query server #2.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    inetnum: 81.215.0.0 - 81.215.255.255
    netname: TurkTelekom
    descr: Turk Telekom
    country: tr
    admin-c: TTBA1-RIPE
    tech-c: TTBA1-RIPE
    status: ASSIGNED PA
    mnt-by: as9121-mnt
    notify: ***@telekom.gov.tr
    changed: ***@telekom.gov.tr 20030930
    source: RIPE

    route: 81.215.0.0/17
    descr: TurkTelecom
    origin: AS9121
    mnt-by: AS9121-MNT
    changed: ***@turktelekom.com.tr 20040927
    source: RIPE

    role: TT Administrative Contact Role
    address: Turk Telekom
    address: Bilisim Aglari Dairesi
    address: Aydinlikevler
    address: 06103 ANKARA
    phone: +90 312 313 1950
    fax-no: +90 312 313 1949
    e-mail: *****@ttnet.net.tr
    admin-c: BADB3-RIPE
    tech-c: ZA66-RIPE
    tech-c: ZA196-RIPE
    tech-c: LA109-RIPE
    tech-c: NO638-RIPE
    nic-hdl: TTBA1-RIPE
    notify: ***@turktelekom.com.tr
    mnt-by: AS9121-MNT
    changed: ***@telekom.gov.tr 20000608
    changed: ***@telekom.gov.tr 20001020
    changed: ***@telekom.gov.tr 20010615
    changed: ***@turktelekom.com.tr 20040903
    source: RIPE


    [The following lines added by www.dnsstuff.com per requirement by RIPE]
    This service is subject to the terms and conditions stated in the RIPE NCC Database Copyright Notice.
    Contact dnsstuff.com's 'info@' address to report problems regarding the functionality of the service.


    [If E-mail address(es) were hidden on this page, you can click here to get the results with the E-mail address.


    status = "Done!"; (C) Copyright 2000-2004 R. Scott Perry
     
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I think this could be a case of computer hacking, you can report it to your ISP.
     
  8. redx113

    redx113 Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    5
    EDIT2: Read on for more about this. I have noticed that spool32.exe in windows/system was created and modified on Dec 6th of this year. This appears to be the trojan. Can a mod or admin or someone please contact me so I can send this to you? I am not positive, but it is looking like this is the source.

    It's definitely a trojan of some sort that got installed somehow. I am very cautious when it comes to these things, so I am at a loss how it got on. Always latest Windows update and everything else. His latest IP was 81.214.x.x. I blocked 81.210.0.0 through 81.220.255.255; hopefully that covers this ISP's range of IPs.

    I posted this over at Spyware Warrior and instead of retyping it I will just copy-paste it. Any suggestions?

    I figured out what is causing it to inject I believe. It has somehow taken over spool32. Right on startup I hit ctrl alt del and ended the process on it and there was no hidden Opera window on startup.

    How would I go about disabling spool32 or better yet reinstalling it? This is absolutely the craziest thing I have dealt with. It would be nice to print again on 98 without booting into my win2000 partition.

    I would also like to note that TrojanHunter Process Guard crashed every program running, right up to Explorer, when it opened. I restarted and it did the same thing. Shortly after, I got Webroot's Spy Sweeper and turned on the spy installation shield. It started doing the same thing.

    Whatever this is seems to be very nasty and sneaky. I am going to do a bit of searching and see if I can find anything about this.

    If you guys come up with any suggestions, please let me know. Thanks


    EDIT: What can my ISP do to help me though? Especially since this is a foreign IP and ISP. I'm just wondering. If they can do something about it then I will give them a call first thing tomorrow.
     
    Last edited: Dec 11, 2004
  9. redx113

    redx113 Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    5
    PROBLEM SOLVED

    I renamed the spool32 that was created Dec 6th and replaced it with the one found in my options/cabs folder. I copied it from there to system and restarted.

    Sure enough no injection into the browser and I could see my printers again. That explains how this was loading on startup and not showing in any startup list. This was driving me mad.

    I have sent it off to Kaspersky. If you guys are interested in checking it out just let me know and I will send it to you. It was definitely a trojan of some sort. TDS-3 guys... this definitely needs to be added to detections. Seems I was one of the first blessed with it. :(

    Anyway, I am now a happy man again.
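    The fix described in this post, set the modified spooler binary aside, put a known-good copy from the install media in its place, and keep the suspect file for submission to an AV vendor, is an integrity check plus a restore. The following is an added example, not code from this thread or from any poster, that does the same thing on any file: it hashes the installed file and a reference copy, reports whether they differ and whether the installed file's modification time falls on or after a cutoff date, and restores from the reference while keeping the suspect under a `.suspect` name. The file names are placeholders and the demo builds both files in a temporary directory with constructed contents.

    ```python
    """Check an installed file against a reference copy and restore it.

    Added example, not from the thread. Paths are placeholders; demo() creates
    constructed files in a temporary directory so the script runs anywhere."""
    import datetime
    import hashlib
    import os
    import shutil
    import tempfile


    def sha256_of(path):
        """SHA-256 of a file, read in chunks so large binaries are fine."""
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        return digest.hexdigest()


    def check_against_reference(installed, reference, cutoff):
        """Compare the installed file with the reference copy and note whether
        its modification time is on or after `cutoff` (a datetime)."""
        installed_hash = sha256_of(installed)
        reference_hash = sha256_of(reference)
        modified = datetime.datetime.fromtimestamp(os.path.getmtime(installed))
        return {
            "installed_sha256": installed_hash,
            "reference_sha256": reference_hash,
            "matches_reference": installed_hash == reference_hash,
            "modified": modified,
            "modified_on_or_after_cutoff": modified >= cutoff,
        }


    def restore_from_reference(installed, reference):
        """Rename the suspect file (so it is kept for submission to an AV vendor)
        and copy the reference into its place. Returns the quarantined path."""
        quarantined = installed + ".suspect"
        os.replace(installed, quarantined)
        shutil.copy2(reference, installed)
        return quarantined


    def demo():
        """Run the check and restore on two constructed files: a 'reference' copy
        dated 2003 and an 'installed' copy with different contents whose mtime is
        set to 6 Dec 2004, the date the poster noticed the change."""
        workdir = tempfile.mkdtemp()
        reference = os.path.join(workdir, "spool32.exe.reference")  # placeholder name
        installed = os.path.join(workdir, "spool32.exe")            # placeholder name
        with open(reference, "wb") as fh:
            fh.write(b"GENUINE SPOOLER BINARY (constructed)")
        with open(installed, "wb") as fh:
            fh.write(b"REPLACED SPOOLER BINARY (constructed)")
        old = datetime.datetime(2003, 1, 1, 12, 0).timestamp()
        os.utime(reference, (old, old))
        noticed = datetime.datetime(2004, 12, 6, 12, 0).timestamp()
        os.utime(installed, (noticed, noticed))

        cutoff = datetime.datetime(2004, 12, 6)
        before = check_against_reference(installed, reference, cutoff)
        quarantined = restore_from_reference(installed, reference)
        quarantined_hash = sha256_of(quarantined)
        after = check_against_reference(installed, reference, cutoff)
        shutil.rmtree(workdir)
        return {"before": before, "after": after,
                "quarantined_sha256": quarantined_hash}


    if __name__ == "__main__":
        result = demo()
        for stage in ("before", "after"):
            r = result[stage]
            print(f'{stage}: matches={r["matches_reference"]} '
                  f'modified={r["modified"]:%Y-%m-%d} '
                  f'recent={r["modified_on_or_after_cutoff"]}')
    ```

    Before the restore the hashes differ and the modification date is on the cutoff; after it the installed file matches the reference and carries the reference's older timestamp (`copy2` preserves it). Recording the suspect's hash before it is moved gives the identifier to quote when sending the sample to a vendor.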
     
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Ok. Good to see your problem's solved.
     