NetSpy !

Every time I boot up, Norton Internet security warns me " Attempt to connect to local computer using Netspy Trojan Horse blocked ". I'm getting three warnings every time I boot up now ! I called Symantec, and they said it wasn't a Trojan. Anyone have any suggestions about how to get rid of it ??

 

Hi Joe Wood,

Welcome at Wilders.

I´d like to get a look at what you have starting up.
Could you post your HijackThis log
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

 

Hey ! That was quick ! OK, I did that, but it gets saved as a log file. How do I save it as a txt ??

 

Hi Joe,

In the "save box" set the Type to "All Files" and change the extension to .txt
Or "select all" in the log file and copy&paste it into your next post.

Regards,

Pieter

 

Logfile of HijackThis v1.97.2
Scan saved at 2:51:13 PM, on 9/27/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37844.7361342593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi Joe,

Nothing wrong with your log. Did Symantec mention what they thought it was?
I'm guessing something is coming in on port 1024, but I can't find very much that would do that.

Regards,

Pieter

 

No Pieter, they didn't mention what it could be. There is a www.netspysoftware.com/ website that looks like it could be some of their software.

I'm getting this everytime I boot up ! I'm sure relieved that it isn't anything bad, but it sure is annoying. How can I get rid of it ?

I've run AdAware, and Spybot Search and Destroy. Nothing showing up with these either.

Hey man! Thankyou for taking the time for me !

 

Pieter, I'm on Win XP, with Norton Internet Security, and I'm sitting behind a Router/Firewall.
I'm getting a little paranoid these days ! Could you suggest a good anti-trojan ? What else should I do ??

 

Hi Joe,

A good AntiTrojan: http://www.wilders.org/anti_trojans.htm
In alphabetical order: BoClean, TDS-3 or Trojan Hunter.

I'll move this one to the firewall forum. Maybe one of the wizards there can help you get rid of the (IMO) false alarms.

Regards,

Pieter

 

Norton is highly known for false alarms due to blocking ports in the range 1024-5000 just because a trojan *Might* use the port, but just interfere with other programs you run.

How about some firewall logs? From what you said its probably just a program trying to communicate with the localhost loopback(127.0.0.1), and in that case you can disable the rule.

I don't run NetSpy, and haven't used any recent versions of Norton so I can't tell you how to do what I said. It has really changed since the days of AtGuard....

 

Zeus ! I like that ! You want to look at some firewall logs ? How do I do that ? Excuse me, but I'm pretty new to computing.

 

CrazyM has a site that might help
Customizing AtGuard/NIS Rules

Otherwise hopefully someone who has used a recent version of Norton can help you.

 

This is a common false alarm with NIS and is sometimes associated with the fax service.

Error: "Rule Default Block Netspy Trojan Horse Matched" when you start the computer

If it is the above error/false alarm, there is nothing to get rid of.

Regards,

CrazyM

 

Hhmmmmm ... You know, I did start to enable the fax service on my computer ... but never completed doing it ! I still would like to hook up the fax service. What should I do now ?

 

If you don't need the fax service at boot Start > Run > type or copy&paste services.msc > OK

Find the Fax Service, rightclick it and choose Properties. Behind Startuptype choose Manual and confirm by clicking Apply.

If you do need it, follow the instructions at the site CrazyM linked to:

To disable the Netspy Trojan Horse rule:

Open NIS or NPF.
Click Personal Firewall, and then click Configure.
Click the Advanced Tab.
Click Trojan Horse Rules.
Click the entry "Default Block Netspy Trojan horse."
Uncheck the rule.

--------------------------------------------------------------------------------
Note: Unchecking the "Default Block Netspy Trojan horse" rule does not create a security hole. NIS will alert you when a real Trojan tries to access your computer.
--------------------------------------------------------------------------------

Click OK, and then OK again.

HTH,

Pieter

 

OK, I've chosen manual for the Fax service.

Excuse me, but, what are NIS and NPF ?

 

N(orton) I(nternet) S(ecurity) and N(orton) P(ersonal) F(irewall)

Regards,

Pieter

 

Got it Pieter. OK everyone, let's see if this all works !

Hey, thankyou All for this wonderful assistance ! You are all a bunch of good people for helping me out with this top knotch information.

 

Just booted up, and, Success !! No Netspy !!!

Many thanks again folks !

 

Great !!

CrazyM did the crucial part in finding that link.

Regards,

Pieter