# Outgoing Traffic to Nokia, Inc, Possible Trojan?



## Ruppetus (Sep 3, 2010)

Hiya peeps.

I've recently encountered a bit of a conundrum. I run PeerBlock pretty much permanently, and in the last 3 days, I've been blocking thousands of outgoing connections apparently bound for Nokia, Inc:

http://img840.imageshack.us/img840/8162/image1qh.jpg

The 'source' address is my local IP, no other machines on the network appear to be getting this. Destination checks out as Nokia's UK offices or somesuch, although the port used is apparently flagged 'red' as it's used by a Backdoor.

Before anyone mentions it, I've never installed Nokia software on my PC, owned a Nokia product, and this machine is off the wireless. I ran a HijackThis scan after being prompted to by a friend, but couldn't make head or tail of it. Log's attached.

My AV and Spybot come clean, firewall's not picked up anything (running AVG Free and ZoneAlarm).

I'm really lost here. I can't trace the source of it, and the last thing I want to be doing at the moment is reformatting my PC. Anyone got any ideas?


----------



## johnwill (Sep 26, 2002)

Looks like it's a connection using *Logmein*, if you have that installed, I'd remove it. It's attempting an SMB over TCP/IP connection to that site.


212.118.234.65 is from United Kingdom(UK) in region Western Europe


TraceRoute to 212.118.234.65 [unknown.logmein.com]
Hop	(ms)	(ms)	(ms) IP Address	Host name
1	27	29	20 72.249.128.109	-
2	97	24	45 64.129.174.181	64-129-174-181.static.twtelecom.net
3	37	9	10 4.69.145.13	ae-1-60.edge4.dallas3.level3.net
4	41	36	24 64.208.27.9	te2-2-10g.ar5.dal2.gblx.net
5	180	251	126 80.91.252.217	ash-bb1-link.telia.net
6	130	151	148 212.118.240.105	border6.po2-20g-bbnet2.lon.pnap.net
7	139	160	170 212.118.242.166	logmein-36.border6.lon.pnap.net
8	136	126	120 80.91.250.210	ldn-tch-i1-link.telia.net
9	120	138	146 212.118.234.65	unknown.logmein.com

Trace complete


----------



## Ruppetus (Sep 3, 2010)

Disabled Logmein Hamachi + Quicktime on startup via msconfig and the traffic appears to have stopped. Any ideas what might've prompted all this? I've had Hamachi on my machine for ages.


----------



## johnwill (Sep 26, 2002)

I have no idea, but it was going to the Logmein site, so I figured that was the root of the issue. I'd fire off Malwarebytes' Anti-Malware for a full scan and see if it turns up anything.


----------

