Discussion in 'other security issues & news' started by True Orient, Feb 21, 2008.
What is 123spywar.com?
Looks like it's associated with some rogue apps.
From SpywareWarrior's web site.
"netstat -a" indicates that it embedded itself in the Microsoft-DS (port 445?). How does one safely remove/close it?
What's your firewall? Your firewall should have closed/stealthed port 445. See if port 445 is open by taking this test. You can manually close port 445 using this. It might be possible that you are also infected; read this.
Thanks for the WWDC link. Port 445 has now been safely closed. However, it seems that 123Spyware.com is now "Listening" at the following ports: 1034, 1039, 44334, 44501 & epmap.
By the way, my friend's infected PC uses Sunbelt PF. IMO, closing the ports is a temporary workaround. Fixing/cleaning this infection would be preferable....
A suggestion would be scanning with an AV or AS product.
Has this machine been scanned with any AV or AS?
If so, which ones?
Did they discover any infections?
The machine has been scanned with updated versions of AVG Pro, PrevxCSI, Trojan Remover, Gmer, CureIT and has BOClean installed in it. An Online scan by HouseCall was also done. All scans were negative yet "netstat -a" shows several instances of 123spywar "listening."
There are no discernible effects of this infection, and in fact it was only uncovered through a cursory use of "netstat -a." I guess the question is "how does one get rid of 123spywar.com?"
Any more suggestions from the regulars? Answers to questions as to how the PC was infected, kind of infection category it falls under, what it does and how to fix it would be appreciated...
True Orient, tell your friend to choose 1 hijackthis forum from here.
Before posting a log see if these solve the issue,
1. Scan with Rogue Remover, SmitFraudFix and MBAM.
2. Block 123spywar.com in host file. Refer to this post, alternative download link for HostFileReader.
3. Turn off Sunbelt PF, turn on Windows Firewall.
http://forums.whirlpool.net.au/forum-replies-archive.cfm/814645.html - MS-IME
http://forums.pcpitstop.com/index.php?showtopic=152852 - Verizon Internet Security Suite
I actually did a thorough Hijackthis analysis of his PC. Suffice it to say that I have had adequate/sufficient experience in doing Hijackthis logs. Nevertheless, I will submit a log in one of the recommended forums in the event that I may have missed something.
I also ran an updated version of Rogue Remover v1.19 as recommended and came up with negative results. In fact, 123spywar.com is not in the targeted program list of RR.
Restoration to Microsoft's original Host file seems to have helped. Thanks....
Now the only questions that remain to be answered are: What is the category of this malware infection and how was the PC infected? There appears to be a dearth of data on this specific infection.
FYI, although restoration of the original MS hosts file seems to have fixed the problem, there was no indication of any hosts file hijack or O1 entries in the HijackThis log.
I'm glad you were able to solve the problem. Your friend is lucky to have someone like you.
As what LoneWolf posted, 123spywar.com (site is alive) is related to ad-eliminator.com (dead). Ad-Eliminator was first seen in 2004. Malwarebytes was established in 2004 as well. I don't know why Ad-Eliminator is not in RR's database (or in Rogue.NET).
Rogues pose as legitimate apps. Once installed they download and install other nasties. Maybe he (friend) had a rogue (Ad-Eliminator) infection in the past which was partially removed (modified hosts file left alone) or he has a new/old undetected variant of the rogue. Let's see what the experts will say about his hjt log.
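One explanation consistent with the fix that worked in this thread: "netstat -a" (without -n) reverse-resolves local addresses, and Windows consults the hosts file first, so a leftover entry that maps 123spywar.com to 0.0.0.0 or 127.0.0.1 makes every local listener (445, epmap, 1034...) display under that name. The audit below is an added example, not code from any poster; the hosts content is constructed, and netstat_label only mimics the reverse lookup rather than calling netstat.

```python
import ipaddress
import os
import re

# Constructed sample hosts file: the stock localhost line plus two rogue-style
# leftovers that point outside names at the local machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         123spywar.com
127.0.0.1       ad-eliminator.com    # left behind by a partially removed rogue
"""

# Names that may legitimately resolve to the local machine.
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, name) pairs in file order, skipping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def suspicious_local_mappings(pairs):
    """Entries mapping a non-localhost name to loopback or 0.0.0.0.
    These are what make netstat label local listeners with a foreign name."""
    flagged = []
    for ip, name in pairs:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not an IP at all
        if (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOCAL_NAMES:
            flagged.append((ip, name))
    return flagged


def netstat_label(local_ip, port, pairs):
    """Mimic netstat's reverse lookup: first hosts-file name for local_ip, else the IP."""
    for ip, name in pairs:
        if ip == local_ip:
            return f"{name}:{port}"
    return f"{local_ip}:{port}"


if __name__ == "__main__":
    # Audit the real Windows hosts file when run on Windows, else the sample.
    path = os.path.join(os.environ.get("SystemRoot", ""), r"System32\drivers\etc\hosts")
    text = open(path, encoding="utf-8", errors="replace").read() if os.path.isfile(path) else SAMPLE_HOSTS
    pairs = parse_hosts(text)
    for ip, name in suspicious_local_mappings(pairs):
        print(f"suspicious: {ip} -> {name}; netstat would show e.g. {netstat_label(ip, 445, pairs)}")
```

Run it on the sample and the 0.0.0.0 listener on port 445 is labelled "123spywar.com:445", exactly the symptom reported above; restoring the stock hosts file removes the mapping and the label.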