123.spywar.com

Discussion in 'other security issues & news' started by True Orient, Feb 21, 2008.

Thread Status:
Not open for further replies.
  1. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    What is 123spywar.com?
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Looks like it's associated with some rogue apps.
    From SpywareWarrior's web site.


    Spyware Warrior
     
  3. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    Thanks.
    "netstat -a" indicates that it embedded itself in the Microsoft-DS (port 445?). How does one safely remove/close it?
     
  4. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    What's your firewall? Your firewall should have closed/stealthed port 445. See if port 445 is open by taking this test. You can manually close port 445 using this. It might be possible that you are also infected; read this.

    thanatos
     
  5. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    Thanks for the WWDC link. Port 445 has now been safely closed. However, it seems that 123Spyware.com is now "Listening" at the following ports: 1034, 1039, 44334, 44501 & epmap.

    By the way, my friend's infected PC uses Sunbelt PF. IMO, closing the ports is a temporary workaround. Fixing/cleaning this infection would be preferable....
     
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    A suggestion would be scanning with an AV or AS product.
     
  7. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Has this machine been scanned with any AV or AS?
    If so, which ones?
    Did they discover any infections?
     
  8. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    The machine has been scanned with updated versions of AVG Pro, PrevxCSI, Trojan Remover, Gmer, CureIT and has BOClean installed in it. An online scan by HouseCall was also done. All scans were negative, yet "netstat -a" shows several instances of 123spywar "listening."

    There are no discernible effects of this infection, and in fact it was only uncovered through a cursory use of "netstat -a." I guess the question is "how does one get rid of 123spywar.com?"
     
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Try Superantispyware
     
  10. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    Any more suggestions from the regulars? Answers to questions as to how the PC was infected, kind of infection category it falls under, what it does and how to fix it would be appreciated...
     
  11. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    True Orient, tell your friend to choose 1 hijackthis forum from here.

    EDIT:

    Before posting a log see if these solve the issue,

    1. Scan with Rogue Remover, SmitFraudFix and MBAM.
    2. Block 123spywar.com in host file. Refer to this post, alternative download link for HostFileReader.
    3. Turn off Sunbelt PF, turn on Windows Firewall.

    Related:

    http://forums.whirlpool.net.au/forum-replies-archive.cfm/814645.html - MS-IME
    http://forums.pcpitstop.com/index.php?showtopic=152852 - Verizon Internet Security Suite

    thanatos
     
    Last edited: Feb 23, 2008
  12. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    Hi Thanatos,

    I actually did a thorough Hijackthis analysis of his PC. Suffice it to say that I have had adequate/sufficient experience in doing Hijackthis logs. Nevertheless, I will submit a log in one of the recommended forums in the event that I may have missed something.

    I also ran an updated version of Rogue Remover v1.19 as recommended and came up with negative results. In fact, 123spywar.com is not in the targeted program list of RR.

    Restoration to Microsoft's original Host file seems to have helped. Thanks....

    Now the only questions that remain to be answered are: What is the category of this malware infection and how was the PC infected? There appears to be a dearth of data on this specific infection.
     
  13. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    FYI, although restoration of the original MS Hostfile seems to have fixed the problem, there was no indication of any Hostfile hijack or 01 entries in the Hijackthis log.
     
  14. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    I'm glad you were able to solve the problem. Your friend is lucky to have someone like you :).

    As LoneWolf posted, 123spywar.com (site is alive) is related to ad-eliminator.com (dead). Ad-Eliminator was first seen in 2004. Malwarebytes was established in 2004 as well. I don't know why Ad-Eliminator is not in RR's database (or in Rogue.NET).

    Rogues pose as legitimate apps. Once installed they download and install other nasties. Maybe he (friend) had a rogue (Ad-Eliminator) infection in the past which was partially removed (modified host file left alone) or he has a new/old undetected variant of the rogue :ninja:. Let's see what the experts will say about his hjt log.

    thanatos
     
    Last edited: Feb 23, 2008
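One explanation consistent with what the thread reports (a hostname "listening" in `netstat -a`, every scanner clean, and the symptom gone once the stock hosts file was restored) is that the hosts file itself supplied the name: `netstat -a` without `-n` resolves each address to a name, that resolution consults the hosts file, so a line mapping a loopback or unspecified address to `123spywar.com` makes local sockets print under that name. The Python below is an added example, not code from this thread or from any tool mentioned in it; it parses a constructed hosts file, shows which name a given address would resolve to, and flags the entries a defender would want to review.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread): a rogue-looking
# name sits on a loopback line ahead of the usual "localhost" entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       123spywar.com      # left behind by a blocklist or a rogue installer
127.0.0.1       localhost
0.0.0.0         ad-eliminator.com
192.0.2.10      www.example.com    # constructed: silently redirects a real site
"""

def parse_hosts(text):
    """Return (ip, [names]) tuples in file order, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue          # not an address: skip the line
        if len(parts) > 1:
            entries.append((ip, parts[1:]))
    return entries

def display_name(text, ip):
    """First hostname the file maps to ip, i.e. what a name-resolving
    'netstat -a' prints in place of the address; None if no mapping."""
    ip = str(ipaddress.ip_address(ip))
    for entry_ip, names in parse_hosts(text):
        if entry_ip == ip:
            return names[0]   # the resolver takes the first matching line
    return None

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def suspicious_entries(text):
    """Entries worth a look: loopback/unspecified addresses carrying a name other
    than localhost (these surface as hostnames in netstat), and any other address
    overriding DNS for a name."""
    flagged = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            if local and name.lower() not in LOOPBACK_NAMES:
                flagged.append((ip, name, "sinkhole entry"))
            elif not local:
                flagged.append((ip, name, "DNS override"))
    return flagged
```

Running `suspicious_entries` over the real file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows) before touching anything is a cheap way to tell a hosts-file artefact from a genuine listener; `netstat -an` shows the same sockets without name resolution for comparison.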