Every time I boot up, Norton Internet Security warns me "Attempt to connect to local computer using Netspy Trojan Horse blocked". I'm getting three warnings every time I boot up now! I called Symantec, and they said it wasn't a Trojan. Anyone have any suggestions about how to get rid of it?
Hi Joe Wood, Welcome to Wilders. I'd like to get a look at what you have starting up. Could you post your HijackThis log? Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post. Don't fix anything yet. Most of what it finds is harmless. Regards, Pieter
Hi Joe, In the "save box" set the Type to "All Files" and change the extension to .txt. Or "select all" in the log file and copy & paste it into your next post. Regards, Pieter
Logfile of HijackThis v1.97.2
Scan saved at 2:51:13 PM, on 9/27/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37844.7361342593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Hi Joe, Nothing wrong with your log. Did Symantec mention what they thought it was? I'm guessing something is coming in on port 1024, but I can't find very much that would do that. Regards, Pieter
No Pieter, they didn't mention what it could be. There is a www.netspysoftware.com/ website that looks like it could be some of their software. I'm getting this every time I boot up! I'm sure relieved that it isn't anything bad, but it sure is annoying. How can I get rid of it? I've run AdAware, and Spybot Search and Destroy. Nothing showing up with these either. Hey man! Thank you for taking the time for me!
Pieter, I'm on Win XP, with Norton Internet Security, and I'm sitting behind a Router/Firewall. I'm getting a little paranoid these days! Could you suggest a good anti-trojan? What else should I do?
Hi Joe, A good AntiTrojan: http://www.wilders.org/anti_trojans.htm In alphabetical order: BoClean, TDS-3 or Trojan Hunter. I'll move this one to the firewall forum. Maybe one of the wizards there can help you get rid of the (IMO) false alarms. Regards, Pieter
Norton is highly known for false alarms due to blocking ports in the range 1024-5000 just because a trojan *might* use the port, but this just interferes with other programs you run. How about some firewall logs? From what you said it's probably just a program trying to communicate with the localhost loopback (127.0.0.1), and in that case you can disable the rule. I don't run NetSpy, and haven't used any recent versions of Norton so I can't tell you how to do what I said. It has really changed since the days of AtGuard....
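The loopback check suggested in the post above, sketched as an added example that is not part of the thread: it sorts blocked hits on port 1024 (the port Pieter guessed at earlier) by where they came from. The log format, rule names and sample lines are constructed for illustration and are not Norton's real log format.

```python
import ipaddress
import re

# Constructed sample lines in a made-up format; this is NOT Norton's log format.
SAMPLE_LOG = """\
2003-09-27 14:40:02 BLOCK TCP 127.0.0.1:1029 -> 127.0.0.1:1024 rule="Default Block Netspy Trojan Horse"
2003-09-27 14:40:03 BLOCK TCP 192.168.1.1:3012 -> 192.168.1.10:1024 rule="Default Block Netspy Trojan Horse"
2003-09-27 14:41:10 BLOCK TCP 203.0.113.7:40211 -> 192.168.1.10:1024 rule="Default Block Netspy Trojan Horse"
2003-09-27 14:41:12 ALLOW TCP 192.168.1.10:1055 -> 198.51.100.20:80 rule="Example Outbound HTTP"
"""

# Hypothetical line layout: time, action, protocol, src -> dst, matched rule.
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<action>BLOCK|ALLOW) (?:TCP|UDP) '
    r'(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) rule="(?P<rule>[^"]*)"$'
)
# Explicit RFC 1918 ranges: ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which would hide the "external" case here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def origin(addr):
    """Classify where a connection attempt came from."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"   # the machine talking to itself
    if any(ip in net for net in RFC1918):
        return "lan"        # another host behind the same router
    return "external"

def triage(log_text, port=1024):
    """Return (origin, source address, rule) for each blocked hit on `port`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "BLOCK" and int(m["dport"]) == port:
            hits.append((origin(m["src"]), m["src"], m["rule"]))
    return hits

if __name__ == "__main__":
    for where, src, rule in triage(SAMPLE_LOG):
        note = "local program, port-only match" if where == "loopback" else "look closer"
        print(f"{where:9} {src:15} {rule}: {note}")
```

A rule that matches on port number alone cannot tell these three cases apart, which is why the source address is the first thing to check in the firewall log.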
Zeus ! I like that ! You want to look at some firewall logs ? How do I do that ? Excuse me, but I'm pretty new to computing.
CrazyM has a site that might help: Customizing AtGuard/NIS Rules. Otherwise hopefully someone who has used a recent version of Norton can help you.
This is a common false alarm with NIS and is sometimes associated with the fax service.
Error: "Rule Default Block Netspy Trojan Horse Matched" when you start the computer
If it is the above error/false alarm, there is nothing to get rid of. Regards, CrazyM
Hhmmmmm ... You know, I did start to enable the fax service on my computer ... but never completed doing it! I still would like to hook up the fax service. What should I do now?
If you don't need the fax service at boot:
Start > Run > type or copy & paste services.msc > OK
Find the Fax Service, right-click it and choose Properties.
Behind Startup type choose Manual and confirm by clicking Apply.

If you do need it, follow the instructions at the site CrazyM linked to:

To disable the Netspy Trojan Horse rule:
Open NIS or NPF.
Click Personal Firewall, and then click Configure.
Click the Advanced Tab.
Click Trojan Horse Rules.
Click the entry "Default Block Netspy Trojan horse."
Uncheck the rule.

Note: Unchecking the "Default Block Netspy Trojan horse" rule does not create a security hole. NIS will alert you when a real Trojan tries to access your computer.

Click OK, and then OK again.

HTH, Pieter
Got it Pieter. OK everyone, let's see if this all works! Hey, thank you all for this wonderful assistance! You are all a bunch of good people for helping me out with this top-notch information.