NetSpy !

Discussion in 'other firewalls' started by Joe Wood, Sep 27, 2003.

Thread Status:
Not open for further replies.
  1. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Every time I boot up, Norton Internet Security warns me "Attempt to connect to local computer using Netspy Trojan Horse blocked". I'm getting three warnings every time I boot up now! I called Symantec, and they said it wasn't a Trojan. Anyone have any suggestions about how to get rid of it??
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Joe Wood,

    Welcome to Wilders. :)

    I'd like to get a look at what you have starting up.
    Could you post your HijackThis log?
    Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Hey! That was quick! OK, I did that, but it gets saved as a log file. How do I save it as a .txt??
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Joe,

    In the "save box" set the Type to "All Files" and change the extension to .txt.
    Or "select all" in the log file and copy & paste it into your next post.

    Regards,

    Pieter
     
  5. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Logfile of HijackThis v1.97.2
    Scan saved at 2:51:13 PM, on 9/27/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37844.7361342593
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Joe,

    Nothing wrong with your log. Did Symantec mention what they thought it was?
    I'm guessing something is coming in on port 1024, but I can't find very much that would do that.

    Regards,

    Pieter
     
  7. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    No Pieter, they didn't mention what it could be. There is a www.netspysoftware.com/ website that looks like it could be some of their software.

    I'm getting this every time I boot up! I'm sure relieved that it isn't anything bad, but it sure is annoying. How can I get rid of it?

    I've run AdAware, and Spybot Search and Destroy. Nothing showing up with these either.

    Hey man! Thank you for taking the time for me!
     
  8. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Pieter, I'm on Win XP, with Norton Internet Security, and I'm sitting behind a Router/Firewall.
    I'm getting a little paranoid these days ! Could you suggest a good anti-trojan ? What else should I do ??
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Joe,

    A good AntiTrojan: http://www.wilders.org/anti_trojans.htm
    In alphabetical order: BoClean, TDS-3 or Trojan Hunter.

    I'll move this one to the firewall forum. Maybe one of the wizards there can help you get rid of the (IMO) false alarms.

    Regards,

    Pieter
     
  10. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Norton is highly known for false alarms due to blocking ports in the range 1024-5000 just because a trojan *might* use the port, which just interferes with other programs you run.

    How about some firewall logs? From what you said it's probably just a program trying to communicate with the localhost loopback (127.0.0.1), and in that case you can disable the rule.

    I don't run NetSpy, and haven't used any recent versions of Norton so I can't tell you how to do what I said. It has really changed since the days of AtGuard....
     
  11. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Zeus ! I like that ! You want to look at some firewall logs ? How do I do that ? Excuse me, but I'm pretty new to computing.
     
  12. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    CrazyM has a site that might help:
    Customizing AtGuard/NIS Rules

    Otherwise hopefully someone who has used a recent version of Norton can help you.
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    This is a common false alarm with NIS and is sometimes associated with the fax service.

    Error: "Rule Default Block Netspy Trojan Horse Matched" when you start the computer

    If it is the above error/false alarm, there is nothing to get rid of.

    Regards,

    CrazyM
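    The triage reasoning above (a trojan-rule hit whose peer is the loopback address, in the 1024-5000 band NIS blocks, from a known local service such as the Fax service) as an added worked example; this is not code from the thread or from Symantec. The log line format, the LAN range and the sample lines are all constructed assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed key=value log format; the real NIS log layout is not shown in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) rule="(?P<rule>[^"]+)" remote=(?P<remote>\S+) '
    r'port=(?P<port>\d+) proc=(?P<proc>\S+)$'
)
# Port band that NIS blocks on suspicion alone (per BlitzenZeus's post).
SUSPECT_PORTS = range(1024, 5001)
# Local service the thread links to this alert: fxssvc.exe is the Windows XP Fax service.
KNOWN_LOCAL = {"fxssvc.exe"}
# Assumed LAN behind the router/firewall (the thread does not give the real range).
LAN = ipaddress.ip_network("192.168.0.0/16")


@dataclass
class Alert:
    ts: str
    rule: str
    remote: ipaddress.IPv4Address
    port: int
    proc: str


def parse(line: str) -> Alert:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return Alert(m["ts"], m["rule"], ipaddress.ip_address(m["remote"]), int(m["port"]), m["proc"])


def classify(a: Alert) -> tuple[str, str]:
    """Verdict plus reason, following the loopback-first reasoning of the thread."""
    if a.remote.is_loopback:
        if a.proc in KNOWN_LOCAL and a.port in SUSPECT_PORTS:
            return "false-alarm", f"{a.proc} talking to itself on port {a.port}"
        return "likely-benign", "loopback peer; confirm which process owns it"
    if a.remote in LAN:
        return "review", "LAN peer; check which host and program made the connection"
    return "investigate", "external peer hit a trojan-port rule"


def triage(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, process, verdict, reason) for every parsable line."""
    return [(a.ts, a.proc, *classify(a)) for a in map(parse, log_text.strip().splitlines())]


# Constructed sample alerts: boot-time loopback hit, a LAN peer, and an external peer.
SAMPLE_LOG = """
2003-09-27 08:02:11 rule="Default Block Netspy Trojan Horse" remote=127.0.0.1 port=1024 proc=fxssvc.exe
2003-09-27 08:02:12 rule="Default Block Netspy Trojan Horse" remote=192.168.1.1 port=1024 proc=unknown
2003-09-27 08:05:40 rule="Default Block Netspy Trojan Horse" remote=203.0.113.7 port=1024 proc=unknown
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep=" | ")
```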
     
  14. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Hhmmmmm ... You know, I did start to enable the fax service on my computer ... but never completed doing it ! I still would like to hook up the fax service. What should I do now ?
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    If you don't need the fax service at boot: Start > Run > type or copy & paste services.msc > OK.

    Find the Fax service, right-click it and choose Properties. Behind Startup type choose Manual and confirm by clicking Apply.

    If you do need it, follow the instructions at the site CrazyM linked to:

    To disable the Netspy Trojan Horse rule:

    Open NIS or NPF.
    Click Personal Firewall, and then click Configure.
    Click the Advanced Tab.
    Click Trojan Horse Rules.
    Click the entry "Default Block Netspy Trojan horse."
    Uncheck the rule.

    --------------------------------------------------------------------------------
    Note: Unchecking the "Default Block Netspy Trojan horse" rule does not create a security hole. NIS will alert you when a real Trojan tries to access your computer.
    --------------------------------------------------------------------------------

    Click OK, and then OK again.

    HTH,

    Pieter
     
  16. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    OK, I've chosen manual for the Fax service.

    Excuse me, but, what are NIS and NPF ?
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    N(orton) I(nternet) S(ecurity) and N(orton) P(ersonal) F(irewall)

    Regards,

    Pieter
     
  18. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Got it Pieter. OK everyone, let's see if this all works !

    Hey, thank you all for this wonderful assistance! You are all a bunch of good people for helping me out with this top notch information.
     
  19. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Just booted up, and, Success !! No Netspy !!!

    Many thanks again folks !
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Great !! :D

    CrazyM did the crucial part in finding that link.

    Regards,

    Pieter
     