Poss. Trojan Adds Proxy Settings To Registry

1 reply to this topic

#1 AlexHarvey

  • Members
  • 1 posts

Posted 19 February 2007 - 05:08 PM

Hi

I already asked this on another forum and didn't receive any help.

It is a totally weird problem. Basically someone might have hacked me some time ago
and there's still some part of the code left.

Whenever I open any internet browser my registry gets modified, and a line for a proxy,
listening on a local network address, gets added.

So someone wants (wanted) to turn my PC into a bot or zombie PC, that's for sure.
The proxy listens on port 137 and 138 using a 192.168 address.

When I boot the PC this proxy will not autorun and it's not present.
As I said, the proxy appears whenever I open a browser window.

I did Panda online and several other virus scans... computer reported as clean.
The PC behaves totally normal. No suspicious network traffic on netstat.

There are no suspicious programs in my registry's "Run" section. In fact it's empty.


I use Win98, with Java, ActiveX, and Visual Basic disabled.

As you can see in the HijackThis log, the first line, R1, is the one that gets added
whenever I open a browser.
This line is not present in HijackThis after a reboot; it gets added later on.


Here is my log


Logfile of HijackThis v1.99.1
Scan saved at 10:56:14, on 2/19/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\PGPSDKSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\PROGRAMME\AGENT191\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.100.5:8080;https=192.168.100.5v:8080;ftp=192.168.100.5:8080;gopher=192.168.100.5:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [PGPSDKSVC] C:\WINDOWS\SYSTEM\PGPsdkServ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - Global Startup: ZoneAlarm.lnk = C:\Programme\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab



Could you please, please enlighten me. So far nobody seems to be able to help me.
Regards


Edit: I did a port scan yesterday on 3 security sites.
All the important ports (telnet, ftp, netbios, pop3, imap, and so on) came through stealthed.
I did a port scan for known trojan horse ports; all 200-plus attacks on my PC failed
and the ports got reported stealthed by the site testing me.

Edited by AlexHarvey, 19 February 2007 - 05:12 PM.



#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 02 March 2007 - 06:16 PM

Hello AlexHarvey and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

Proxy information can come from many sources. If the computer is on a network then the network could be supplying it (or if it was once on a network then it could be left over from those settings). The 192.168 settings would point to a local network such as a home or small business network. Since the settings only appear when a browser is open, that would be the place to start. I would check the Netscape browser, since it stores its information in a file and not the registry.

For help with checking the various settings I would suggest the Web Browsing forum here: http://www.bleepingcomputer.com/forums/f/14/web-browsingemail-and-other-internet-applications/ . The settings are stored in different locations for different versions of the browser, and someone there should be able to pinpoint the location for whatever browser version you have.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
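To follow up the suggestion above to look at the browser's own settings file, here is an added Python example (not from this thread or from Netscape) that extracts the proxy preferences from a Mozilla/Netscape-style `prefs.js`. It assumes the `user_pref("name", value);` syntax and the `network.proxy.*` preference names used by that browser family, with `network.proxy.type` equal to 1 meaning a manual proxy; the sample file contents are constructed for the example.

```python
import re

# Constructed sample in the assumed prefs.js syntax; values chosen to mirror the post.
SAMPLE_PREFS = '''
# Netscape User Preferences
user_pref("browser.startup.homepage", "http://example.invalid/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "192.168.100.5");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "192.168.100.5");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.no_proxies_on", "localhost");
'''

# One preference per line: user_pref("<name>", <string|integer|boolean>);
PREF_RE = re.compile(
    r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>"[^"]*"|\d+|true|false)\);'
)


def parse_prefs(text):
    """Parse prefs.js text into a {name: value} dict with Python-typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything not a user_pref()
        raw = m.group("value")
        if raw.startswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            value = int(raw)
        prefs[m.group("name")] = value
    return prefs


def manual_proxies(prefs):
    """Return {scheme: 'host:port'} for a manual proxy configuration, else {}.

    Assumption: network.proxy.type == 1 selects manual proxy settings.
    """
    if prefs.get("network.proxy.type") != 1:
        return {}
    found = {}
    for scheme in ("http", "ssl", "ftp", "gopher", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if not host:
            continue
        port = prefs.get(f"network.proxy.{scheme}_port")
        found[scheme] = f"{host}:{port}" if port else host
    return found


if __name__ == "__main__":
    for scheme, endpoint in manual_proxies(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{scheme:7s} {endpoint}")
```

If the browser's file already names the same 192.168 host that shows up in the registry, the setting is being written by the browser from its saved profile rather than by anything running at boot, which matches the symptom that the R1 line only appears after a browser window is opened.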
