{RESOLVED}An interesting case of Netspy

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mark_warford

Thread Starter
Joined
Aug 23, 2003
Messages
20
Every time the computer is turned on, 3 attempts are made by an outside IP to connect to me via the port used by the Netspy trojan. These are all subsequently blocked by McAfee, which in turn gives me the guilty IP address, which is: 127.0.0.1. Attempting some initiative, I put this IP on the restricted users list in McAfee Firewall, therefore no more connections. However, I can no longer connect to my server to get Outlook emails or to the internet, which would suggest to me that the Netspy is coming from them, or possibly someone with access through that IP? Changing server is not possible, and I am reluctant to disable the Netspy blocking rule.

I have scanned with Norton, and tried the other tips given in the relevant threads, such as searching regedit and the like, and the things that should be there for me to delete aren't. I also can't seem to visually track it either.

If anybody has any ideas as to what/who it is, and how I can stop it, I would be much obliged.

Mark
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
127.0.0.1 is your own computer; if you block it you will have all sorts of problems.

It is probably some innocent program attempting a connection,
but to check if you have a nasty:

go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

mark_warford

Thread Starter
Joined
Aug 23, 2003
Messages
20
Thanks, blocking my own computer sounds about right.

I've got HijackThis and gone through it a couple of times already to get rid of annoying BHOs and others, although no doubt I will have missed something, otherwise I wouldn't be getting these messages.
A couple of things:
-- the O17s don't actually appear in the HijackThis scan to be deleted whilst still appearing in the log. I don't quite understand this?
-- and is it actually possible to get rid of things like C:\---rundll32 at the start up? And others like C:\---msagent?

The HijackThis log is posted below:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\Linksts.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
D:\Program Files\iMesh\v3\iMeshClient.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://emirates.net.ae/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ae
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [System Tray] C:\Documents and Settings\Graham\Local Settings\Temporary Internet Files\Content.IE5\0DYZO9IJ\screen_doc.pif
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Emirates Internet\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15AF1A94-6AA3-41E9-80FF-F00FFB8BF908}: NameServer = 194.170.1.6 194.170.1.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{15AF1A94-6AA3-41E9-80FF-F00FFB8BF908}: NameServer = 194.170.1.6 194.170.1.7

Any help would be welcome.
Thanks,
Mark
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press Fix checked:

O4 - HKCU\..\Run: [System Tray] C:\Documents and Settings\Graham\Local Settings\Temporary Internet Files\Content.IE5\0DYZO9IJ\screen_doc.pif


Now empty the Temporary Internet Files.

That is a virus and most likely the cause of your problems.

Now do an online scan at one of the following sites:
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

and make sure your antivirus is up to date.
 

mark_warford

Thread Starter
Joined
Aug 23, 2003
Messages
20
Thanks for the instructions, but I couldn't fulfill them completely.

Ran HijackThis and removed the .ie5 file, no problems, except that I can't access Favorites pages offline.
Couldn't delete the Temporary Internet folder, could only get rid of cookies, leaving me with around 30 items, mainly GIFs and the odd HTML. It says that it cannot delete them because it can't read from the source file or disk. However, checking under Properties says that I have 70 megs in there with 30 folders and 13000 files. So ??? I don't think they're hidden, because I checked through Folder Options.

I also have 2 folders in separate areas in Local Settings, with 2 History folders. I ran my Norton AntiVirus, which is up to date, along with Spybot, and two links you gave (Panda and Symantec), which all showed up clear.

However, I'm still getting the access attempts to Explorer every time, though I am confused as to how/why my own PC is trying to connect to itself?

Any advice would be greatly appreciated,
Mark
 

mark_warford

Thread Starter
Joined
Aug 23, 2003
Messages
20
Thanks for the link to Ad-Aware.

I have updated it, then run it, and it removed a substantial amount of spyware, considering that Spybot S&D found 11, whilst Ad-Aware 6 found 82.

Unfortunately I'm still getting the attempts to connect. I can't seem to find any obvious buttons/boxes anywhere that say they're responsible, but then again I did block my own computer, so anything's possible, right?

This is the log taken from Norton when it happens. I get 3 of these. It means nothing to me, but hopefully someone understands what it says.

Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (localhost,3007)
Process name is "C:\WINDOWS\Explorer.EXE"

Anybody?

Thanks again for your help,

Mark
 
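The Norton event quoted in the post above, parsed and triaged in Python. This is an added example and not code from the original thread or from any Symantec product. It answers the two questions the thread keeps circling: where the peer actually is (a remote address of localhost or 127.0.0.1 means a program on this same machine, so the rule's "Netspy" name proves nothing by itself), and whether an address is safe to put on a block list (the host's own addresses never are, which is why blocking 127.0.0.1 broke mail and web in the first post). The second sample event, the 203.0.113.9 address, and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input (not a real log): the Norton Personal Firewall event
# quoted in the thread, plus a hypothetical second event from a routable address
# (203.0.113.9 is a documentation address, not an attacker).
SAMPLE_EVENTS = r'''
Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (localhost,3007)
Process name is "C:\WINDOWS\Explorer.EXE"

Rule "Default Block Netspy Trojan horse" blocked (203.0.113.9,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (203.0.113.9,41522)
Process name is "C:\WINDOWS\Explorer.EXE"
'''

# One regex per line of the event block as Norton writes it (assumed stable format).
RULE_RE = re.compile(r'^Rule "(?P<rule>[^"]+)" (?P<verdict>\w+) \((?P<addr>[^,]+),(?P<port>\d+)\)$')
LOCAL_RE = re.compile(r'^Local address,service is \((?P<addr>[^,]+),(?P<port>\d+)\)$')
REMOTE_RE = re.compile(r'^Remote address,service is \((?P<addr>[^,]+),(?P<port>\d+)\)$')
PROC_RE = re.compile(r'^Process name is "(?P<proc>[^"]+)"$')


@dataclass
class FirewallEvent:
    rule: str
    verdict: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    process: str


def is_loopback(addr: str) -> bool:
    """True when the peer is this machine: the literal 'localhost', 127.0.0.0/8 or ::1."""
    addr = addr.strip()
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # other hostnames are not resolved here; not treated as loopback
        return False


def safe_to_block(addr: str) -> bool:
    """False for the host's own addresses (loopback, 0.0.0.0) and for unparsable names."""
    addr = addr.strip()
    if is_loopback(addr):
        return False
    try:
        return not ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False  # unknown hostname: resolve it first, never block blindly


def parse_events(text: str) -> List[FirewallEvent]:
    """Split blank-line separated event blocks and parse each into a FirewallEvent."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            line = line.strip()
            if m := RULE_RE.match(line):
                fields["rule"], fields["verdict"] = m["rule"], m["verdict"]
            elif m := LOCAL_RE.match(line):
                fields["local_addr"], fields["local_port"] = m["addr"], int(m["port"])
            elif m := REMOTE_RE.match(line):
                fields["remote_addr"], fields["remote_port"] = m["addr"], int(m["port"])
            elif m := PROC_RE.match(line):
                fields["process"] = m["proc"]
        if len(fields) == 7:  # keep only complete records
            events.append(FirewallEvent(**fields))
    return events


def triage(ev: FirewallEvent) -> str:
    """'loopback' when the peer is this host (find the owning process), else 'external'."""
    if is_loopback(ev.remote_addr):
        return "loopback"
    return "external"


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS):
        print(f"{ev.rule!r}: {ev.remote_addr}:{ev.remote_port} -> :{ev.local_port} "
              f"[{ev.process}] => {triage(ev)}, "
              f"safe to block remote: {safe_to_block(ev.remote_addr)}")
```

A port-based rule fires on any connection to that port, so a "loopback" verdict means the next step is to identify which local program owns the remote port (on Windows XP, `netstat -ano` lists the PID beside each connection, which Task Manager maps to an image name) rather than to block the address. The thread's own resolution, a fax application talking to itself over loopback, is the ordinary outcome of that check.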
Joined
Oct 4, 2002
Messages
76
It looks like a trojan that is dialing out and trying to spread itself.

Did you try to remove it?

You could try an online virus scan here: www.trendmicro.com

I would like to see your AA6 log file before removal of the objects.
 

mark_warford

Thread Starter
Joined
Aug 23, 2003
Messages
20
Thanks for the tips, I have done what I could, however...

normmork: the page you gave doesn't load up; I have tried several times at different times. ?

greensleeve: I went and downloaded the firewall; it just ran itself lots of times before I removed it. Sorry. In its brief life it didn't find anything wrong though. It didn't notice any connection either (I know this because it takes a couple of seconds before the attempts, and I have the firewall up and running, still nothing, but Norton Firewall gets them).


OK, I've put the Ad-Aware 6 log (I guess this is AA6?) as an attachment. If you can't get to it, let me know and I'll paste it in. It's just a bit long.
And I haven't tried removing the explorer.exe file because it
might be legit.

Thanks for the help, I'll keep trying,
and if there are any more ideas, they're always welcome.

Thanks again,
Mark
 

Attachments

mark_warford

Thread Starter
Joined
Aug 23, 2003
Messages
20
I would like to thank everyone who gave their advice, and for the help they gave me. I have finally managed to get rid of the warnings. It took 30 seconds of looking in the right place, which was the Symantec support site. Again.

It should please everyone to know that my computer was being viciously assaulted by my fax machine! :rolleyes: You just take your eyes off it one second and it starts causing havoc! This would explain why nothing bad came up in HJT. The solution is to just turn off the fax machine, or open the Netspy port up. I highly recommend anyone about to do this to consult the Symantec site first.

For future reference to a rather large database, it's www.symantec.com, and then go for the support...

Thanks again to everyone.
Mark
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Press Report, post a short message to the admin, and a moderator will do it for you.
 