I caught my computer making unwanted connections to a server with the IP 89.149.228.199.

What data is being sent, and how do I stop it? I share my results and tips with you.

The Pattern

Any time I opened a browser, either Firefox or IE (Internet Explorer), within seconds my computer attempted to connect to the mystery server.

Screenshot: my computer connects to unwanted server and gets a 404

SmartSniff tells me what my computer is doing online.

My computer attempted to get something, shown above.  Luckily, most of the time, the mystery server was offline (I guess) because I got a 404 error returned.  What is that string of characters that my computer is sending to the mystery server? Is it code being sent to a hacker, disguised as a GET request, which he can translate into something meaningful?  I don’t know, but I don’t like it, so we’re going to get this hack off my computer.

Above, we see that the mystery server is an nginx server.

The Code’s Hiding Place

I found the code making these unwanted internet connections in a file located in:

C:\Users\{your name}\AppData\Local\Temp\winbdm.dll

The code contained part of the URL request to the mystery server:

GET /mon/?d=cid=

Hacker IPs and Location

When I looked inside the file winbdm.dll, I saw two IP addresses:

89.149.228.199:81 – The first time I did an IP lookup, I was told this IP is in Germany.  But the last time I checked, I’m told it’s in Russia.  Doing a trace, I see the last known stop before data gets to the final destination is:

213.59.3.102
rt-comm.ru
Moscow, 48
Russian Federation

The other IP shown in the winbdm.dll file is 95.168.185.16:81 (Hong Kong?)

The mystery IP is associated with malware, according to this source.

More searching online told me that this code is a trojan and might steal data.

A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)  Source

Another website said that this trojan…

Attempts to modify the hosts file. This could be used to map hostnames to different IP addresses, redirecting traffic to an alternate location.  Source
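To turn the indicators above into something checkable, here is an added example (not code from the original post) that flags the beacon described in The Pattern in a SmartSniff-style capture and lists hosts-file entries of the kind the quoted report describes. The capture line layout and the sample lines are constructed assumptions; the request path is treated as a more stable indicator than the IP, since the post saw the server's geolocation change.

```python
import re
from ipaddress import ip_address
# Indicators from the post: the two IPs inside winbdm.dll and the request prefix it sends.
IOC_IPS = {"89.149.228.199", "95.168.185.16"}
BEACON_PATH = re.compile(r"^GET /mon/\?d=cid=")
# Assumed capture layout (constructed): "local:port -> remote:port <first request line>".
LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (.+)$")

# Constructed SmartSniff-style sample capture (not from the post).
SAMPLE_CAPTURE = """\
192.168.0.17:49152 -> 89.149.228.199:81 GET /mon/?d=cid=4f2a9c HTTP/1.1
192.168.0.17:49153 -> 93.184.216.34:80 GET / HTTP/1.1
192.168.0.17:49154 -> 198.51.100.7:81 GET /mon/?d=cid=7b1e HTTP/1.1
192.168.0.17:49155 -> 95.168.185.16:81 POST /upload HTTP/1.1
"""

# Constructed sample hosts file with one planted redirect.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
198.51.100.7    update.example-av.test   # planted by malware (constructed)
"""

def classify(line):
    """Return the reasons a capture line is suspicious (empty list if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    rip, rport, request = m.group(3, 4, 5)
    reasons = []
    if rip in IOC_IPS:
        reasons.append("known C2 address " + rip)
    if BEACON_PATH.match(request):
        # Matches even when the server IP has moved: the DLL embeds the path string.
        reasons.append("winbdm.dll beacon path on port %s" % rport)
    return reasons

def hosts_overrides(hosts_text):
    """Return (hostname, ip) pairs that point a name at a non-loopback address."""
    found = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue
        if not ip.is_loopback:
            found.extend((name, str(ip)) for name in parts[1:])
    return found
```

Run `classify` over each line of a capture and `hosts_overrides` over the contents of `C:\Windows\System32\drivers\etc\hosts`; any non-empty result is worth a closer look.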

Delete the Code?

Of course, it’s not simple enough to just delete the file.  Microsoft’s Vista said I did not have permission to delete this file from my own machine!

Failed Attempts to Remove Trojan

I ran a scan using Vista’s Windows Defender.  Worthless.

Vista Finds Nothing - Lets Trojan Stay

Next, I download and install Comodo, and let it scan the computer.  It finds the file!

Comodo catches the file but can't remove it

Comodo correctly spotted winbdm.dll, but Comodo can’t remove it.

Comodo also says it does not recognize a couple of harmless programs I’ve been using for years:  Puretext and RemindMe.  I’m not deleting those.

I uninstall Comodo.  Side note:  Days later I noticed an unsolicited connection from my machine going to crl.usertrust.com.  I checked that I had uninstalled Comodo, and it does not show up under my installed programs, so why is my computer still connecting to Comodo without my consent?

The Solution

Download and run Kaspersky.  I installed Kaspersky but did not register it or enter my email address.  No need to do that for a single use.  Like Comodo, Kaspersky found the trojan, but unlike Comodo, Kaspersky also offered to remove it and fix the problem.

Kaspersky offers to remove trojan

Side note…After Kaspersky fixed this problem, I shut Kaspersky down and verified it did not show up as a process running in my task manager.  I wanted to see if Kaspersky would try to make any internet connections even though it was no longer visibly running on my machine.  I was surprised to see a tiny amount of data sent to a Russian server…

Last Packet Time 11/25/2010
Service Name netbios-ns
Local Address 192.168.0.17
Remote Address 81.176.230.28
Data Size 150 Bytes {150 ; 0}

When I looked up the IP my computer was connecting to without my consent, I found that IP 81.176.230.28 is in the Russian Federation and is run by an ISP named “KASPERSKY LABS”.  Hhhmm.  I don’t like the idea of any data being sent to Kaspersky when the program was supposed to be closed.  But, they did help me out, free of charge, so I can’t complain too much, and I can’t show that they did anything to harm my machine or my privacy with just 150 Bytes of data being sent without my consent.

Conclusion

Kaspersky successfully removed the trojan.  The winbdm.dll file is gone.  My computer no longer attempts to make a hosts2-ns connection to 89.149.228.199.

Open Question

How do we fight this?  Does the FBI do anything to protect us?  How about Microsoft?  Anyone responsible for keeping our computers safe?

I decided to write an email (in Russian) to the last known hop that connects to the hacker’s server.

If you would also like to write an email:  info@rtcomm.ru  Source

The company I emailed, rtcomm, claims to fight hackers, so we’ll see if they take this seriously. I will update this page based on their response or lack of response.

Here is my email to them:  Russian Email

-

Edit Dec-9-2010:  Two weeks have passed.  No Response from rtcomm.  That makes it appear they don’t take internet security as seriously as they advertise.  Disappointing.