Naviscope Spyware??
root
July 7th, 2002, 10:09 AM
Bassbag started a thread at Agnitum about Naviscope.
http://www.agnitum.com/forum/showthread.php?s=&postid=28950#post28950
It would seem that Tom Cat has determined, through use of a packet sniffer, that Naviscope sends a Windows ID key to the IP address 216.157.91.36.
http://www.tom-cat.com/cgi-bin/spybase/spybase.cgi?view_records=1&name=^N|^N&re=1&sb=4&so=ascend&nh=1&mh=1
I could not find Naviscope on any other spyware list.
Does anybody know anything more about this? ::)
UNICRON
July 7th, 2002, 03:30 PM
Man spyware people must hate packet sniffers eh? LOL
Prince_Serendip
July 7th, 2002, 04:10 PM
One of our own members has a solution to this problem. Check out javacool's IDBlaster 1.0! I have both Naviscope and IDBlaster. ;D
http://www.wilderssecurity.com/showthread.php?t=2173;start=15
That should help you get started! ;)
spy1
July 7th, 2002, 05:23 PM
P_S - So, you're saying that as long as ID-B is started before Naviscope, that Naviscope doesn't know the correct ID # to use?
Are you sure that Naviscope didn't record the correct ID # of the OS (if, indeed, that's what's actually going on) as soon as you installed it - and keeps it somewhere?
Can someone with the actual know-how please use a sniffer on the Naviscope packet, sort it out and tell us what, exactly, is being transmitted? Someone with a sniffer and a text editor? (So that they'll be able to read in English whatever the heck is there?)
I'd really like to be able to put this Naviscope thing to bed, one way or the other - wouldn't y'all? Pete
root
July 7th, 2002, 06:30 PM
Will this work for you Pete? Bassbag got a reply.
update on naviscope
I posted on another newsgroup about Naviscope and the concerns raised. I was given some info and a link:
http://groups.google.com/groups?oi=...corridor.net%3E
It seems that Naviscope does send info back to IP address 216.157.91.36. Apparently it contains the Windows ID key, and was used by Naviscope (when it wasn't freeware) to check whether it was registered or not. I checked myself using the debug feature in Outpost Firewall, which among other things also shows packets sent. It showed packets being sent to that IP address. In view of this I am continuing to use Naviscope, as I think it's an excellent programme, but I have blocked 3 IP addresses using dmut's "blockpost", which are...
212.100.224.102
202.84.198.59
216.157.91.36
This has effectively stopped the packets being sent, and I'm happy with that, though on reflection I won't recommend Naviscope in future unless the person is aware of how it behaves.
me
helpin
July 9th, 2002, 01:42 AM
i shut naviscope off completely when i realized all pages requested go through naviscope first. i don't trust anyone with my surfing habits. it's not just a ping, they have to get your page for you and direct it back. i don't think most naviscope users realize that. it's all done quickly, but it's not anything i want to do with. now with this - i really don't trust them.
zappa
July 9th, 2002, 04:43 AM
I just uninstalled Naviscope and right after I hit, and hard, "remove" it tried to set something new in my startup.
Not.
UNICRON
July 9th, 2002, 10:57 AM
Was it in one of the "runonce" keys? If so, that is just to delete locked files at the next reboot. The added key will be removed after it is run once (coincidental, eh?). If all that is true, no worries. If it is something else then maybe concern is necessary.
spy1
July 9th, 2002, 11:27 AM
I thought that was the program, reporting back to NaviscopeHQ "Help! he's un-installing mEEEEEEEEEEEE..."
Pete ;D
Prince_Serendip
July 9th, 2002, 01:40 PM
:) Hi Pete and everybuddy! I am working on becoming proficient in Packet Sniffing and Text Editing. Never done it before. This is how I have learned how to do stuff all my life. Jump in with both feet and never mind the rocks! I got Sniff 'em and NoteTab. Will put 'em to work on Naviscope. I have blocked the addresses as suggested by root. I suppose I'll have to unblock them to do the sniffing. Will keep you apprised. ;D
UNICRON
July 9th, 2002, 01:43 PM
Good show! keep us up to date. Packet sniffing can get boring after 1000 packets or so. Try to stay enthusiastic!
spy1
July 9th, 2002, 01:58 PM
P_S - Thank you! Pete
Prince_Serendip
July 10th, 2002, 04:57 PM
;D I got about halfway through the config in about four hours with Sniff 'em! Aye! Joomp in wit' bot' feet! Aye! It's beginning to make sense now. Thought I'd provide the download link for it here. It appears you may not need a text editor with this program.
http://www.sniff-em.com/
or
http://www.sniff-em.com/download.shtml
The trial period is 100 days for the Outgoing Packets only version. It's 30 days for the full duplex. It is a pretty comprehensive, well-thought-out app! ;)
Prince_Serendip
July 11th, 2002, 12:23 PM
::) New problem! I believe that my ZA firewall is blocking the Packet Sniffer. It's no go. I suppose I'll have to turn it off but I'm reluctant to do that. There's no entry on the Programs Box. Now what? Suggestions are solicited.
Prince_Serendip
July 11th, 2002, 01:19 PM
;D It's not the firewall. Tried turning it off. Back to the Config Lists. ;D
Paul Wilders
July 11th, 2002, 02:32 PM
PS,
Keep going ;) You'll get to it in the end. And keep us posted 8).
regards,
paul
Prince_Serendip
July 11th, 2002, 03:44 PM
:) Thank you Paul, sincerely, for the encouragement. I'll keep at it. In the deep past when I played Rugger (soccer with no rules) my team had a sure-fire way to score. I grabbed the ball and no one could ever take it away from me. They just carried me over to the goal. Score! 'Course I had the crap kicked out of me, but we rarely ever lost a match.
I did some checking at D-Shield on the addresses given at the beginning of this topic. It adds an extra confirmation and reveals that one of the addresses (for RIPE) may be okay.
IP Address: 216.157.91.36 (The address for Naviscope's messages.)
HostName: northeasthomes.com
DShield Profile:
Country:***US***
Contact E-mail:***arin-swip@maxim.net***
Total Records against IP:***23***
Number of targets:***16***
Date Range:***2002-07-04 to 2002-07-04***
Whois:
Web2010 Inc (NETBLK-WEB2010-BLK-1)
20 Park Ave Suite B
Apopka, 32703
US
IP Address: 212.100.224.102
HostName: ra1.ultsearch.com
DShield Profile:
Country:***US***
Contact E-mail:***pfroutan@rackspace.com***
Total Records against IP: none******
Number of targets: none******
Date Range:***to ***
Whois:
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 212.100.224.0 - 212.100.231.255
netname: RSPC-UK-NET-1
descr: Rackspace.com
descr: Outsourced Server Provider
descr: Berkshire, UK
country: US
admin-c: SB9442-RIPE
tech-c: PF3772-RIPE
status: ASSIGNED PA
notify: hostmaster@rackspace.com
mnt-by: RIPE-NCC-NONE-MNT
changed: hostmaster@ripe.net 20000524
source: RIPE
IP Address: 202.84.198.59
HostName: 202.84.198.59
DShield Profile:
Country:***HK***
Contact E-mail:***noc@hkt.net***
Total Records against IP: none******
Number of targets: none******
Date Range:***to ***
Whois:
% How to use the APNIC Whois Database www.apnic.net/db/
% Upgrade to Whois v3 on 20 August 2002 www.apnic.net/whois-v3
% Whois data copyright terms www.apnic.net/db/dbcopyright.html
inetnum: 202.84.198.0 - 202.84.198.255
netname: PINGAN-HK
descr: Pingan.com Ltd
descr: Rm 1302, CRC Protective Tower,
descr: 38 Gloucester Rd,
descr: Wanchai
country: HK
admin-c: PHNO1-AP
tech-c: PHNO1-AP
rev-srv: ns2.hkt.net
rev-srv: ns1.hkt.net
notify: dbmon@apnic.net
mnt-by: MAINT-HKT
changed: hostmaster@apnic.net 20010109
source: APNIC
role: PCCW HKT Network Operation Center
address: 2/F Telecom House,
address: 3 Gloucester Rd., Wanchai, Hong Kong.
phone: +852-2888-2887
fax-no: +852-2519-7233
e-mail: noc@hkt.net
admin-c: CN98-AP
tech-c: CC318-AP
tech-c: RK48-AP
tech-c: NH28-AP
nic-hdl: PHNO1-AP
notify: carmenc@hkt.net
mnt-by: MAINT-HKT
changed: carmenc@hkt.net 20010109
source: APNIC
The address of 216.157.91.36 has not shown up in my ZoneLogs. I was wondering if ZA might block it, as an outgoing message??
spy1
July 12th, 2002, 07:13 AM
Hi, P_S!
If you're running ZAP, you may be able to do that if you have super-configured ZAP in that respect - otherwise, if you simply have NS in there as an allowed app, it's just going to communicate since it has permission.
Have you put anything in the 'Components' tab for your ZA regarding NS? (Don't use ZA-anything here, so I can't help you with that part, sorry). Pete
Prince_Serendip
July 12th, 2002, 12:08 PM
Hi spy1/Pete! I have my ZA (freeware version) set on medium security for Intranet and High for Internet. Naviscope is listening on Port 81. See below:
-{ Quote: "High Security
Recommended setting for all configurations.
Strong Security
- Enforces application privileges.
- Internet lock blocks all traffic.
- Blocks Internet access to all Windows services and shares.
- Stealth mode: firewall hides all ports not in use by a program." }-
The Medium Security setting has the same stuff except it allows local network access to Windows services and shares and the computer is visible to the local network. (If I put the Intranet on High, everything stops working. I cannot connect to anything, so it's on medium.) I've had programs try to use ports that are available but the firewall blocks them--even pings from my Ethernet Program to my ISP.
I wanted so much to check out the Naviscope with a sniffer. I am having a problem getting through my D-link Router. I've tried 3 different sniffer apps, each giving zero captures. ::) Any ideas guys? Can TDS-3 do sniffing? It can get through. Thanks.
Prince_Serendip
July 12th, 2002, 05:11 PM
:) I was getting hits on Port 6346 from gnutella-svc (for the IP assigned by my ISP), so I had to reconfigure my Enternet Program. It has a Packet Recording feature! I enabled it. I'll then analyse the results with my sniffers. Will keep you posted, but I can see this might take quite a while.
Paul Wilders
July 12th, 2002, 05:25 PM
Hats off, PS ;) You don't give up that easily, do you?
We have all the patience in the world 8)
regards.
paul
UNICRON
July 13th, 2002, 12:37 AM
www.ethereal.com has a fine sniffer for free. It doesn't need permission from your firewall to do what it needs to do. I used it all the time behind a router, makes no difference. It requires the feared "raw socket" libraries of WinPcap to function. The link is on the Ethereal site.
PM me if you need help setting it up
Prince_Serendip
July 14th, 2002, 04:31 PM
:) Thanks for the Link, UNICRON! It really is a big help. More than I expected; what I'd hoped. Right now I am in the process of downloading what I need. Do I need all the rpm's or only the latest one? They're all the same size so I figured it would be just the most recent one (otherwise there is a lot to download there). Do you have any tips for a basic starting setup? I'd appreciate them. Thanks. ;D
In case you need to know: Win98se Celeron, 128 Mb Ram (I need and will get more), 700 Mhz, 20 Gb HD (65% free).
UNICRON
July 14th, 2002, 05:53 PM
Make sure you download the Windows binary. RPMs are not likely to be of value to you.
http://prdownloads.sourceforge.net/ethereal/ethereal-setup-0.9.5.exe
is all you should need from there.
then get:
http://winpcap.mirror.ethereal.com/install/bin/WinPcap_2_3.exe
run those two and go.
Prince_Serendip
July 14th, 2002, 06:05 PM
:) Thanks! Got 'em. Now I can go 'kick some ahss!' It said to delete any packet.dll's before loading the Ethereal + WinPcap. My DLS Program has a packetlog.dll. Can't get rid of it as it belongs to my ISP's app. Hope it will be okay. I'll keep you informed. ;D
Nice, clean and fast links there. Most pleasurable! Thanks again. :)
Prince_Serendip
July 18th, 2002, 09:50 AM
I had no problem setting up WinPcap 2.1, but when I tried to open Ethereal setup 0.9.5 exe I got an error message that says that it is not a valid Win32 application. It won't open it. My OS is Win98se 4.10.2222 A.
I then downloaded it again, from the Local Archive for Win 98 etc., Win32 Binary. When I tried to open it, got the same error message again. Is this one of those weird things where it must have Microsoft's Seal of Approval or it won't open it? I understand that Microsoft helped develop it in the first place! I use Star Downloader and it hasn't made any errors in its downloads. (Excuse my language but this is a bummer!) ::)
Any help with this will be most graciously accepted, valued and appreciated. Thank you. :)
Also, I will continue until I get what I need for this. As Paul said, I don't give up easily. snowman suggested XPsniffer, but he had no url for it. I'll search for it. ;D
Prince_Serendip
July 22nd, 2002, 04:03 PM
;) Almost there! I got a link to sourceforge from Tom Porterfield at Aumha/Windows Support Center.
-{ Quote: "Tom Porterfield AH-VSOP & MS-MVP
I wasn't able to get it using Star Downloader either. I did get it successfully from http://telia.dl.sourceforge.net/sourceforge/ethereal/ethereal-setup-0.9.5.exe but first disable browser integration for Star Downloader.
" }-
I did as instructed and downloaded it. I also got some info from TomCat, very useful!
-{ Quote: "Subject:Re: tom-cat.com - Subject: Trying to do a Sniffing of Naviscope.
Regarding packet sniffers, Ethereal is just about the simplest to use, plus it is freeware. If you are having difficulty, you may want to give Atelier Ports Traffic Analyzer a try - http://atelierweb.com/PTA/index.htm. You will get a free, fully-functional evaluation copy. We also highly recommend "Packet Sniffing - A Crash Course" by D.i.ck Hazeleger. It is a free download which can be found at http://www.hazeleger.net/Crash_Course_Packet_Sniffing_100.zip. You will also need to download the sample "CC capture files" from http://www.hazeleger.net/PS-CC_Files.zip.
Good luck! ...and thank you for complimenting our cat pictures. We're always pleased to hear when someone likes them.
Regards,
Support Team
TomCat Internet Solutions
" }-
Ethereal also responded.
-{ Quote: "http://www.ethereal.com/faq.html#q2.1
http://www.ethereal.com/faq.html
" }-
I will load it all up first thing tomorrow morning!
I put all these links here in case anyone else wants to take a shot at this. (And also to show I've been doing my homework!) ;D
Paul Wilders
July 22nd, 2002, 04:08 PM
Ahh..good old Dick Hazeleger! Migrated and married some weeks ago over in the USA. Dearly wished him back, in spite of frequent contact..
(disregard all this ;) )
regards.
paul
Prince_Serendip
July 22nd, 2002, 04:16 PM
(Sorry. I fixed it.) Better D.i.ck than Dick!
TomCat also responded about the (possible?) connection to Northeasthomes.com.
-{ Quote: " I do, however, recall an e-mail addressing Naviscope and contact with northeasthomes.com. My response to this e-mail included no confirmation by us that Naviscope contacts the northeasthomes.com servers. The IP address found in our Spyware List database is 216.157.91.36. This IP belongs to naviscope.com which can be simply verified by entering the IP into any browser address bar. The issue of Naviscope's contact with Northeasthomes did not originate with us - this was suggested by a user who contacted us, therefore I am afraid I am unable to assist you with this particular matter.
" }-
A red-herring? We'll know soon enough! ;D
snowy
July 22nd, 2002, 04:32 PM
**an off-topic note **
Prince......noticed your statement about med and high settings in ZA........imo you should be able to set everything to "High" and never experience any problems....I've used the high setting for years under all sorts of circumstances...with all sorts of programs...both with dial-up and cable.....never had any problem..........as you know I just went with cable..the cable provider can't "find" me according to their tech support.....silly people....the ports are simply stealth...nothing complicated about that....personally if I have to lower my setting to use a product..that in itself puts my red flags flying...
snowman
Prince_Serendip
July 23rd, 2002, 10:06 AM
I think the problem is the way my ISP set up our Intranet. If I put my Local Settings to High, they are blindfolded and so am I. Nothing happens. Cannot make connections. I tried it. It was agony. I played and fiddled with all my settings until I was satisfied. I'd like it to all be on high, but it just doesn't work with our LAN/Intranet.
Houston? We have lift-off! The SourceForge Link Ethereal really works! Opened and loaded it this morning. Now...what does this do?...??...OOPS...oh-oh... ;D
Prince_Serendip
August 3rd, 2002, 10:42 AM
:) Hi all! It's working at last! I'm so happy! I discovered that my instructions were wrong. I was searching for the .inf file so I could link the WinPcap per "Crash Course in Packet Sniffing" and this is completely unnecessary! I have often said that I like programs which are designed for usefulness without me having to program them. This feature has been included in the latest release of WinPcap. It no longer needs to be installed in the Network Connections List of Adapters. It's automatic. Yes! (So, for two weeks I banged my head on the wall for nothing!) Next time I will be more likely to toss the instructions. Now begins the arduous task of filtering. 8)
spy1
August 3rd, 2002, 10:55 AM
Glad to hear it, P_S! Please keep us informed! Pete
Prince_Serendip
August 7th, 2002, 12:25 PM
Hi All! Just to update you. I am now sniffing at regular intervals for TCP/IP info between my Naviscope 8.70 and their website (216.157.91.36). I could sure use a lot of help interpreting the data. I know how to set up filters on it (mostly). It takes out the drudgery. I will keep you posted as soon as anything develops. :)
Paul Wilders
August 7th, 2002, 01:24 PM
Hi PS,
-{ Quote: "I could sure use a lot of help interpreting the data." }-
Feel free to post a screen shot!
regards.
paul
Prince_Serendip
August 7th, 2002, 02:18 PM
Thank you for allowing me to post a sample, Paul! Ethereal is like a spreadsheet. I have two shots, kinda big. I hope that's alright. (Check out the Test Forum. I made some new and small postings.) Cannot do it yet. Bigger than 100 Kb. I'll try to shrink it or add smaller shots. A few moments...
I really like Irfan Viewer! Fast!
Prince_Serendip
August 7th, 2002, 02:30 PM
Page 2 (other half on right, same lines, resized to 65%):
Note: In this capture there were 5342 packets. Of those, 159 were packets with 216.157.91.36. Also, Atomic Nist Clock is turned off in Naviscope. These shots are filtered.
Prince_Serendip
August 9th, 2002, 02:55 PM
Hi Guys and Wilders Women! ;D
I am an unabashed beginner at packet-sniffing. I am gradually learning how and what to do with the Ethereal Program. Naviscope 8.70 does communicate with 216.157.91.36. How do I discern the Windows ID or Registry number in the packets? (If it's there!)
I tried asking TomCat but they said they had already given that info to three people at Wilders. Could one of them please step forward and lend a hand?
TIP: If you have a firewall that lets you make changes then BLOCK communications with 216.157.91.36 if you also use Naviscope any version. It will then be unable to phone-home!
Thanks in advance! :)
controler
August 10th, 2002, 01:02 PM
I finally tried Naviscope
and the addy it tries to connect to on my computer is.
time-b.nist.gov
It seems to have some issues with Outpost Firewall also.
Is this software still being developed or has development stopped?
I see no new posts at the sites forum.
Prince_Serendip
August 10th, 2002, 06:43 PM
Hi controler! Turn off your Naviscope Atomic Clock (NIST) and try again. I checked your addy up there and found this site:
http://nist.time.gov
You want to have a good time, eh? LOL! ;D
Prince_Serendip
August 12th, 2002, 03:31 AM
Interesting sidelight. If you put 216.157.91.36 into your address bar you get the Naviscope site offering v8.69 (the one that phones home to that address). However, if you do a whois search of the same address at D-Shield you are told it belongs to northeasthomes.com. When I tried putting northeasthomes in my address bar I get a FORBIDDEN page. Interesting, yes?
spy1
August 12th, 2002, 07:54 AM
However, you can't get anything but Naviscope v8.70 from the d/l page.
As an aside, I get this when running 'northeasthomes.com' through Karen's URL Discombobulator:
http://2130706433/
but I don't know where the periods go on that since it's not displaying them to check that one out further.
I've already blocked the other three given on the first page of this thread, but that's not one of them. Pete
controler
August 12th, 2002, 09:05 AM
If this is correct we get
213.070.64.33
** 8/12/2002 8:05:14 AM - Lookup Started **
1 address
mailhost.seab-mura.com
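An added example (not code from any poster in this thread) for the two practical points raised above: browsers accept an IPv4 host in several legacy literal forms (plain decimal like the http://2130706433/ that the Discombobulator produced, 0x hex, leading-0 octal, and short dotted forms), so a number in a URL is only a disguise for a dotted-quad address. The block below normalizes any such literal with the classic inet_aton rules and checks the result against the three-address block list posted earlier in the thread; the sample URLs are constructed for illustration.

```python
"""Normalize IPv4 host literals and check them against a block list.

Added example; the parsing follows the well-known inet_aton conventions
(not any poster's tool). Constructed sample inputs are used in main().
"""
import re
from typing import Optional

# The three addresses the thread recommends blocking (taken from the posts).
BLOCK_LIST = {"212.100.224.102", "202.84.198.59", "216.157.91.36"}

# Host = everything after an optional scheme, up to a path/port/query.
_HOST_RE = re.compile(r"^(?:https?://)?([^/:?#]+)")


def _parse_part(p: str) -> int:
    """Parse one numeric part: 0x.. hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
        return int(p[2:], 16)
    if re.fullmatch(r"0[0-7]+", p):
        return int(p, 8)
    if re.fullmatch(r"[0-9]+", p):
        return int(p, 10)
    raise ValueError(f"not a numeric part: {p!r}")


def normalize_ipv4(host: str) -> Optional[str]:
    """Return the dotted-quad for an inet_aton-style literal, else None.

    a        -> one 32-bit value      a.b    -> 8 bits, then 24 bits
    a.b.c    -> 8, 8, then 16 bits    a.b.c.d -> four 8-bit parts
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None  # a DNS name such as northeasthomes.com lands here
    # Every part but the last is one byte; the last part fills the rest.
    widths = [8] * (len(nums) - 1) + [32 - 8 * (len(nums) - 1)]
    value = 0
    for n, w in zip(nums, widths):
        if n >= 1 << w:
            return None  # part overflows its field, e.g. 256.1.1.1
        value = (value << w) | n
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def host_of(url: str) -> str:
    """Extract the host portion of a URL (scheme, path and port dropped)."""
    m = _HOST_RE.match(url.strip())
    return m.group(1) if m else ""


def is_blocked(url: str, block_list=BLOCK_LIST) -> bool:
    """True when the URL's host, once normalized, is on the block list."""
    ip = normalize_ipv4(host_of(url))
    return ip is not None and ip in block_list


if __name__ == "__main__":
    for u in ("http://2130706433/", "http://3634191140/", "http://0xd89d5b24/",
              "http://216.157.91.36/", "http://northeasthomes.com/"):
        print(f"{u:32} -> {normalize_ipv4(host_of(u))!s:16} "
              f"{'BLOCKED' if is_blocked(u) else 'allowed'}")
```

Running it shows that 2130706433 is 127.0.0.1 (the local loopback address), while the decimal and hex spellings of the Naviscope address both match the block list.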
Prince_Serendip
August 12th, 2002, 01:43 PM
Hi spy1! Is the opening download page for v8.69 just a dummy? I find v8.70 is also now available on that site but at further pages (click on left menu). Be that as it may, is it possible that there are two addresses, one in IIEv4 and the other in v6?
spy1
August 12th, 2002, 03:09 PM
P_S - They never updated the main page. It says v8.69 on the main page, but you actually get v8.7 for the d/l.
Or at least that's the way it worked for me. Pete