please help - a problem with a trojan horse
DT
August 22nd, 2003, 01:50 PM
Hello :)
Every time I turn on my computer, my Norton Firewall alerts me that a Netspy trojan horse was blocked.
Here's the log my firewall saved:
Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (localhost,1033)
Process name is "C:\WINDOWS\Explorer.EXE"
I tried to scan my C drive, but every time I do so my computer suddenly restarts.
Please help me. Nothing I try has worked. :-\
Dan Perez
August 22nd, 2003, 02:15 PM
Hi DT;
That would appear to be just a normal use of an ephemeral port (which are ports 1024 and above). When the OS needs a temporary port to use it will grab one starting at 1024, and each request for one will increment the port higher for that request. Also, the communication is coming from your system to your system. As well, many trojans try to use some of these lower ephemeral ports, so default rules based on default trojan settings in this range (say 1024-1500) will frequently be false positives.
That being said, it is always best to be sure. You should download and run an Anti-Trojan application just to be sure. I recommend TDS which can be downloaded from
http://tds.diamondcs.com.au/index.php?page=download
Once you install it and before you launch it you should manually download the updated radius file (definitions) and put it in the tds folder. Then launch TDS and set all settings to highest sensitivity and scan your local drives.
HTH,
Dan
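As an added example that is not part of the thread, the following Python applies Dan's loopback and ephemeral-port reasoning to a Norton Personal Firewall alert in the exact layout DT posted. The first alert text is a constructed copy of DT's entry; the second, with an external peer address, is invented for contrast, and the LOOPBACK set and the "needs review" verdict are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed copy of the alert DT posted (same five-line layout).
SAMPLE_ALERT = '''Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (localhost,1033)
Process name is "C:\\WINDOWS\\Explorer.EXE"'''

# Constructed contrast case: same rule, but the peer is a remote host (TEST-NET address).
REMOTE_ALERT = '''Rule "Default Block Netspy Trojan horse" blocked (0.0.0.0,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (203.0.113.7,4321)
Process name is "C:\\WINDOWS\\Explorer.EXE"'''

# Assumed set of names meaning "this machine" in Norton's log.
LOOPBACK = {"localhost", "127.0.0.1", "0.0.0.0"}
EPHEMERAL_MIN = 1024  # first ephemeral port on Win2k/XP, as Dan describes


@dataclass
class Alert:
    rule: str
    direction: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    process: str


def parse_alert(text):
    """Pull rule, direction, endpoints and owning process out of one alert block."""
    rule = re.search(r'Rule "([^"]+)"', text).group(1)
    direction = re.search(r'(Inbound|Outbound) \w+ connection', text).group(1)
    local = re.search(r'Local address,service is \(([^,]+),(\d+)\)', text)
    remote = re.search(r'Remote address,service is \(([^,]+),(\d+)\)', text)
    process = re.search(r'Process name is "([^"]+)"', text).group(1)
    return Alert(rule, direction, local.group(1), int(local.group(2)),
                 remote.group(1), int(remote.group(2)), process)


def triage(alert):
    """Heuristic only: a loopback peer on ephemeral ports matches Dan's false-positive pattern."""
    reasons = []
    if alert.remote_host in LOOPBACK:
        reasons.append("peer is the local machine (loopback)")
    if alert.local_port >= EPHEMERAL_MIN and alert.remote_port >= EPHEMERAL_MIN:
        reasons.append("both ports are in the ephemeral range (>=1024)")
    if alert.process.lower().endswith("\\explorer.exe"):
        reasons.append("owning process is the Windows shell")
    # A real remote peer is never waved through on this evidence alone.
    if alert.remote_host in LOOPBACK and len(reasons) >= 2:
        return "likely false positive", reasons
    return "needs review", reasons


if __name__ == "__main__":
    for block in (SAMPLE_ALERT, REMOTE_ALERT):
        verdict, why = triage(parse_alert(block))
        print(verdict, "-", "; ".join(why))
```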
DT
August 22nd, 2003, 02:45 PM
When I said that I scan my computer I meant with TDS ;)
About 5 minutes after it starts to scan, my computer suddenly restarts without asking me, so I can't know if I have a trojan or not.
I've had this firewall for a long time, but only in the last few weeks has this happened. I get the Netspy alert only when I turn on my computer.
Thanks for helping :)
DolfTraanberg
August 22nd, 2003, 02:49 PM
Have you tried to scan in safe mode?
Dolf
Dan Perez
August 22nd, 2003, 02:54 PM
Hey DT,
Can you please download and run DCS's AutostartViewer from
http://www.diamondcs.com.au/downloads/asviewer.zip
Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.
Unfortunately I have to step out for a bit but I should be back within 2 hours and hopefully other input will be placed here in the meantime.
Regards,
Dan
DT
August 22nd, 2003, 03:59 PM
Here's the file I created using DCS's AutostartViewer:
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for ---@P9F47AG5XFB13FZ, 08-22-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundMan
C:\WINDOWS\SOUNDMAN.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\System32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Babylon Translator
d:\babylon\Babylon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\STYLEXP
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ICQ
E:\ICQ\ICQ.exe -trayboot
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\System32\ctfmon.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\RunNarrator
C:\WINDOWS\system32\Narrator.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
C:\PROGRA~1\NORTON~1\NAVW32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\C-DillaSrv\
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
HKLM\System\CurrentControlSet\Services\ccEvtMgr\
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
HKLM\System\CurrentControlSet\Services\ccPxySvc\
D:\Norton Personal Firewall\ccPxySvc.exe
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\dmserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\Fax\
C:\WINDOWS\system32\fxssvc.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\navapsvc\
C:\Program Files\Norton AntiVirus\navapsvc.exe
HKLM\System\CurrentControlSet\Services\NISUM\
D:\Norton Personal Firewall\NISUM.EXE
HKLM\System\CurrentControlSet\Services\NProtectService\
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
HKLM\System\CurrentControlSet\Services\NVSvc\
C:\WINDOWS\System32\nvsvc32.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RemoteRegistry\
C:\WINDOWS\system32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\SAVRTPEL\
\??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS
HKLM\System\CurrentControlSet\Services\SBService\
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\StyleXPService\
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs
Are you sure that's what you wanted? :P
Dan Perez
August 22nd, 2003, 04:46 PM
Lol, well I didn't really *want* it ::) but I thought it might point to something (but didn't :P )
However, since Explorer is the process that is apparently initiating the "bogus" activity we can do something else.
Can you please download ProcessView from
http://www.xmlsp.com/pview/PrcView.zip
and extract the pv.exe file into your Windows directory. Open up your Command Prompt and type
pv -m explorer.exe > modules.txt
and hit "Enter". Then type
modules.txt
and hit "Enter" and copy the contents from Notepad and paste here so we can review the modules loaded within the Explorer process.
Thanks!
Dan
DT
August 22nd, 2003, 05:06 PM
Are you sure it's necessary? I don't want to extract files unknown (to me) into my Windows directory....
What is the purpose of it? For the Netspy trojan or the unwanted restarts?
Thanks again, DT. :)
DolfTraanberg
August 22nd, 2003, 05:21 PM
I suppose Dan asked you to extract it in your Windows directory because it is in your path then, and you can execute the file from anywhere without having to type the full pathname, but you can place the file anywhere you want.
Dolf
DT
August 22nd, 2003, 06:22 PM
Well, I did exactly what Dan Perez wrote, and I saw the process of it, but no file was created... ??? I don't know what I did wrong...
DolfTraanberg
August 22nd, 2003, 06:46 PM
pv -m explorer.exe > modules.txt ??
During the process you shouldn't see anything, because it should write to the file instead of the screen.
Dan Perez
August 22nd, 2003, 10:17 PM
Also, the main purpose is to see if there are any signs of trojan modules that run within the explorer.exe process space. A good number of trojans will do this. The pv.exe file, though, does not need to be in the system directory; I usually instruct people to put it there to make it easier for them to run the utility from the command line and redirect it to a text file. If you put it in another folder then either specify the path to the pv file in the command line or change to that directory first before running the program.
HTH,
Dan
Jooske
August 23rd, 2003, 12:27 AM
In this case also type the >, which means to write the output in a text file with the name you just specified there.
If you feel more comfortable with this:
In c:\ create a folder named "Console".
In the autoexec.bat add that c:\console to the path.
Now you can use the files you place inside that console folder from everywhere.
So if you now open the MS-DOS prompt you can type the line Dan just gave and you should get the results.
Hope this helps!
CrazyM
August 23rd, 2003, 01:10 AM
Error: "Rule Default Block Netspy Trojan Horse Matched" when you start the computer (http://service1.symantec.com/SUPPORT/nip.nsf/735050b77b1fcece88256bc7005c3bc6/713afacbd4135e0a88256c77007e526f?OpenDocument&prod=&ver=&src=&pcode=&svy=&csm=no)
This article from the Symantec KB deals with this common false alarm. It is sometimes associated with the Fax Service if you have that running on start up.
Regards,
CrazyM
Jooske
August 23rd, 2003, 01:18 AM
That's a great find, CrazyM! As this fits the situation.
The process might show up in Port Explorer too as a loopback, so you still know what happens on it.
DT
August 23rd, 2003, 09:15 AM
:) Thanks a lot, CrazyM, for the link. I tried to search on the Symantec web site but I didn't see this article... thanks!
Now, to my second problem: how can I scan with TDS-3 without the unwanted restarting?
Thanks for all the help! ;D
DT
August 24th, 2003, 12:17 PM
No one? ???
:-\
DolfTraanberg
August 24th, 2003, 12:23 PM
Have you tried to scan a single file and did that work?
Dolf
Jooske
August 24th, 2003, 12:34 PM
Are you sure you did not see the info on the link CrazyM gave you? I just clicked on it and it was there???
Does the Symantec site have online scanning?
Get one there or at any of the other known sites like www.ravantivirus.com or www.pandasoftware.com or www.bitdefender.com, to name a few.
With the recent Blaster, of course, that could be something to think of, and it's always better to get another scan (second opinion) to make sure nothing is the matter in that part.
Does the restart only happen with TDS scans, and if so with every scan or just special or full system scans?
Have seen the problem mentioned before; must try to find it back in the threads here, whether it was a configuration thing, missing or overwritten required system files, or an infection. So I always first look at the greatest danger, a possible infection, to make sure that is not the cause here and no harm can be done.
Some more questions:
--which windows version do you have?
--have you had TDS for a longer time and a registered version, or recently an evaluation version?
--was normal scanning with TDS possible before?
--are there more occasions when the system restarts?
--do you mean a reboot or TDS restart?
For instance, with XP systems there was some issue possible (not for everybody) with the right-click scanning for exe files, and those people are instructed to delete those registry keys. Must find that part back.
Not exactly sure if this fits your problem.
Dan Perez
August 24th, 2003, 01:01 PM
Hi DT,
In addition to Dolf's and Jooske's questions, I'm curious if you see any consistency on what directory TDS is currently scanning when your system forces a reboot?
In addition to Dolf's suggestion of scanning a file, you might also try a larger directory (and subs) such as your Windows (or winnt) directory.
DT
September 1st, 2003, 03:22 PM
I'm very sorry that I didn't answer so far... I didn't have access to read in..... Anyway, some answers:
Have you tried to scan a single file and did that work?
Yes, I tried that, and it worked well.
which windows version do you have?
Windows XP Professional + sp1.
do you have TDS longer time and registered version or recently an evaluation version?
I have the latest evaluation version.
was scanning with TDS before normal possible?
Since the first time I tried to scan I've had this problem (if I understand the question correctly).
are there more occasions when the system restarts?
:o Actually, it did happen sometimes, but since I updated my graphics adapter it seems to work well... but the specific problem with TDS-3 still occurs :-\ .
do you mean a reboot or TDS restart?
I mean that Windows restarts... the whole system reboots.
Jooske - I don't think that the Blaster virus is related; I wasn't infected by it.
For the exe files issue - I tried to scan an exe file and it worked well.
Dan Perez - no, I didn't see any consistency in what directory TDS is currently scanning. I tried a lot of scans on a different partition.
I didn't try to scan my Windows directory separately; I will.
Thanks a lot for helping! :D
Dan Perez
September 1st, 2003, 03:26 PM
Hi DT,
I'm not sure I understand, the graphic adapter driver update resolved the reboot issue? So what is the remaining issue with TDS? (I thought that the issue was a reboot while scanning.)
I know there was some issue regarding strangely constructed archives but I want to make sure I understand the current TDS issue before I look for it :)
Thx,
Dan
DT
September 1st, 2003, 03:54 PM
Hello,
When I answered Jooske's question ("are there more occasions when the system restarts?") I meant that it happened while I *didn't* use TDS-3. The problem that has been solved is the sudden reboots that are not related to TDS-3.
I hope that now I've made myself clear. :)
Copyright ©2002 - 2012, Wilders Security Forums