
{RESOLVED}An interesting case of Netspy

Discussion in 'Virus & Other Malware Removal' started by mark_warford, Sep 15, 2003.

Thread Status:
Not open for further replies.
  1. mark_warford

    mark_warford Thread Starter

    Joined:
    Aug 23, 2003
    Messages:
    20
    Every time the computer is turned on, 3 attempts are made by an outside IP to connect to me via the port used by the Netspy trojan. These are all subsequently blocked by McAfee, which in turn gives me the guilty IP address, which is: 127.0.0.1. Attempting some initiative, I put this IP on the restricted users list in McAfee Firewall, therefore no more connections. However, I can no longer connect to my server to get Outlook emails or to the internet, which would suggest to me that the Netspy is coming from them? Or possibly someone with access through that IP? Changing server is not possible, and I am reluctant to disable the Netspy blocking rule.

    I have scanned with Norton, and tried the other tips given in the relevant threads, such as searching regedit and the like, and the things that should be there for me to delete aren't. I also can't seem to visually track it either.

    If anybody has any ideas as to what/who it is, and how I can stop it, I would be much obliged.

    Mark
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,224
    First Name:
    Derek
    127.0.0.1 is your own computer; if you block it you will have all sorts of problems.

    It is probably some innocent program attempting a connection,
    but to check if you have a nasty:

    go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. mark_warford

    mark_warford Thread Starter

    Joined:
    Aug 23, 2003
    Messages:
    20
    Thanks, blocking my own computer sounds about right.

    I've got HijackThis and gone through it a couple of times already to get rid of annoying BHOs and others. Although no doubt I will have missed something, otherwise I wouldn't be getting these messages.
    A couple of things:
    --the O17s don't actually appear in the HijackThis scan to be deleted whilst still appearing in the log. I don't quite understand this?
    ---and is it actually possible to get rid of things like C:\---rundll32 at the start up? And others like C:\---msagent?

    The HijackThis log is posted below:

    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\System32\Linksts.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\Real\Update_OB\rndal.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    D:\Program Files\iMesh\v3\iMeshClient.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://emirates.net.ae/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ae
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [System Tray] C:\Documents and Settings\Graham\Local Settings\Temporary Internet Files\Content.IE5\0DYZO9IJ\screen_doc.pif
    O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Emirates Internet\Communicator\Program\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{15AF1A94-6AA3-41E9-80FF-F00FFB8BF908}: NameServer = 194.170.1.6 194.170.1.7
    O17 - HKLM\System\CS1\Services\Tcpip\..\{15AF1A94-6AA3-41E9-80FF-F00FFB8BF908}: NameServer = 194.170.1.6 194.170.1.7

    Any help would be welcome.
    Thanks,
    Mark
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,224
    First Name:
    Derek
    Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press Fix checked:

    O4 - HKCU\..\Run: [System Tray] C:\Documents and Settings\Graham\Local Settings\Temporary Internet Files\Content.IE5\0DYZO9IJ\screen_doc.pif


    Now empty the Temporary Internet Files.

    That is a virus and most likely the cause of your problems.

    Now do an online scan at one of the following sites:
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/

    and make sure your antivirus is up to date.
     
  5. mark_warford

    mark_warford Thread Starter

    Joined:
    Aug 23, 2003
    Messages:
    20
    Thanks for the instructions, but I couldn't fulfill them completely.

    Ran HijackThis and removed the .ie5 file, no problems, except that I can't access favorites pages offline.
    Couldn't delete the Temporary Internet folder, could only get rid of cookies, leaving me with around 30 items, mainly gifs and the odd html. It says that it cannot delete them because it can't read from the source file or disk. However, checking under Properties says that I have 70 megs in there with 30 folders and 13000 files. So ??? I don't think they're hidden because I checked through Folder Options.

    I also have 2 folders in separate areas in Local Settings, with 2 History folders. I ran my Norton AntiVirus which is up to date, along with Spybot, and two links you gave (Panda and Symantec), which all showed up clear.

    However I'm still getting the access attempts to Explorer every time, though I am confused as to how/why my own PC is trying to connect to itself?

    Any advice would be greatly appreciated,
    Mark
     
  6. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
  7. mark_warford

    mark_warford Thread Starter

    Joined:
    Aug 23, 2003
    Messages:
    20
    Thanks for the link to Ad-Aware.

    I have updated it then run it, and it removed a substantial amount of spyware, considering that Spybot S&D found 11, whilst Ad-Aware 6 found 82.

    Unfortunately I'm still getting the attempts to connect. I can't seem to find any obvious buttons/boxes anywhere that say they're responsible, but then again I did block my own computer, so anything's possible, right?

    This is the log taken from Norton, when it happens. I get 3 of these. Means nothing to me, but hopefully someone understands what it says.

    Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
    Inbound TCP connection
    Local address,service is (0.0.0.0,1024)
    Remote address,service is (localhost,3007)
    Process name is "C:\WINDOWS\Explorer.EXE"

    Anybody?

    Thanks again for your help,

    Mark
     
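As an added illustration (not code from the thread or from any of the products named in it), a small Python triage helper for the Norton Personal Firewall log format quoted above: it pulls out the rule name, the local and remote endpoints and the process, and tells an event whose remote side is loopback (the case here, which turned out to be local fax software) apart from one with a genuinely external remote address. The sample event is constructed from the thread's five lines; the 203.0.113.5 address used for the external case is a documentation-range placeholder.

```python
import ipaddress
import re

# Constructed sample, modelled on the five Norton Personal Firewall lines quoted
# in the thread: remote localhost:3007 -> local 0.0.0.0:1024, process Explorer.EXE.
SAMPLE_EVENT = """\
Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (localhost,3007)
Process name is "C:\\WINDOWS\\Explorer.EXE"
"""

RULE_RE = re.compile(r'Rule "([^"]+)"')
ADDR_RE = re.compile(r"(Local|Remote) address,service is \(([^,]+),(\d+)\)")
PROC_RE = re.compile(r'Process name is "([^"]+)"')


def is_loopback(host):
    """True for the literal 'localhost' or any 127.0.0.0/8 address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return False


def parse_event(text):
    """Pull rule name, endpoints and process name out of one logged event."""
    event = {}
    for line in text.splitlines():
        if m := RULE_RE.search(line):
            event["rule"] = m.group(1)
        elif m := ADDR_RE.search(line):
            event[m.group(1).lower()] = (m.group(2), int(m.group(3)))
        elif m := PROC_RE.search(line):
            event["process"] = m.group(1)
    return event


def triage(event):
    """'local' when the connection came from this machine, else 'external'.

    A loopback remote address means a program on this PC connected to itself;
    blocking 127.0.0.1 at the firewall, as the thread starter first did,
    breaks mail and browsing rather than stopping any intruder.
    """
    return "local" if is_loopback(event["remote"][0]) else "external"
```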
  8. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
    It looks like a trojan that is dialing out and trying to spread itself.

    Did you try to remove it?

    You could try an online virus scan here: www.trendmicro.com

    I would like to see your AA6 log file before removal of the objects.
     
  9. greensleeve

    greensleeve Guest

  10. mark_warford

    mark_warford Thread Starter

    Joined:
    Aug 23, 2003
    Messages:
    20
    Thanks for the tips, I have done what I could, however...

    normmork: the page you gave doesn't load up, I have tried several times at different times. ?

    greensleeve: I went and downloaded the firewall, it just ran itself lots of times before I removed it. Sorry. In its brief life it didn't find anything wrong though. It didn't notice any connection either (I know this because it takes a couple of seconds before the attempts, and I have the firewall up and running, still nothing, but Norton firewall gets them).

    OK, I've put the Ad-Aware 6 log (I guess this is AA6?) as an attachment. If you can't get to it, let me know and I'll paste it in. It's just a bit long.
    And I haven't tried removing the explorer.exe file because it might be legit.

    Thanks for the help, I'll keep trying,
    and if there are any more ideas, they're always welcome.

    Thanks again
    Mark
     

  11. mark_warford

    mark_warford Thread Starter

    Joined:
    Aug 23, 2003
    Messages:
    20
    I would like to thank everyone who gave their advice, and for the help they gave me. I have finally managed to get rid of the warnings. It took 30 seconds of looking in the right place, which was the Symantec support site. Again.

    It should please everyone to know that my computer was being viciously assaulted by my fax machine! :rolleyes:. You just take your eyes off it one second and it starts causing havoc! This would explain why nothing bad came up in HJ. The solution is to just turn off the fax machine, or open the Netspy port up. I highly recommend anyone about to do this to consult the Symantec site first.

    For future reference to a rather large database it's www.symantec.com , and then go for the support...

    Thanks again to everyone.
    Mark
     
  12. mark_warford

    mark_warford Thread Starter

    Joined:
    Aug 23, 2003
    Messages:
    20
    Does anyone know how to get a 'resolved' tag for this thread?
    I just can't find it.

    Mark
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,224
    First Name:
    Derek
    Press Report, post a short message to the admin and a moderator will do it for you.
     
Short URL to this thread: https://techguy.org/164924