someone trying to spy on my socks!

Discussion in 'other security issues & news' started by lynchknot, Feb 24, 2005.

Thread Status:
Not open for further replies.
  1. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    the sicko - sorry. Anyway, does anyone know what this means? Should I allow this app to make changes? Thanks for your help. (I don't have BitDefender)

    Screenshot: http://img222.exs.cx/img222/9229/socks7cp.jpg

    I just ran a search and found no sockspy.dll. o_O
     
    Last edited: Feb 24, 2005
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Are you using DCS' PortExplorer, by chance?
     
  3. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I have it. Is that the problem? Why, when running a search, is the DLL not found?
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'll have to look when I get home, but I thought it sounded like it belonged to PE.. it would be for the SocketSpy function. AppInitDlls injects a DLL into every process on start, so it must do that to monitor what it's sending.
     
  5. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Hey! I have seen this exact thing in my event viewer (have not seen it recently though):

    http://www.winguides.com/forums/showflat.php?Board=secwinnt&Number=100681

    I could not find sockspy under normal search - should I search registry and delete?

    **edit = I found sockspy.dll in several locations - but here's the one in question I think: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - shows this:

    http://img238.exs.cx/img238/9712/sock5hb.jpg
     
    Last edited: Feb 25, 2005
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It's probably a better idea to figure out what it belongs to before deleting it from the registry.

    First, when you do a Windows search, make sure to tick "advanced options", then select "search system folders" and "search hidden files and folders".

    When you did the search with Sysinternals' RootkitRevealer, did it show up in there anywhere?
     
  7. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Those advanced options are selected as default already. I'll retest with RKR.
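
One way to act on the advice in post 6 and identify what each DLL listed under the AppInit_DLLs value belongs to before touching the registry, as an added example (not part of the original thread and not PortExplorer's own code). It only reads; the folder search order for bare file names and the check of the Wow6432Node view are assumptions.

```powershell
# Added example: read-only report on every DLL named in AppInit_DLLs.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view of the same key on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
# Assumption: a bare file name is looked for in these system folders, in order.
$searchDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $raw   = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }

    # Entries in the value are separated by spaces or commas.
    foreach ($entry in ($raw -split '[,\s]+' | Where-Object { $_ })) {
        $name = [Environment]::ExpandEnvironmentVariables($entry.Trim('"'))
        if ([IO.Path]::IsPathRooted($name)) {
            $candidates = @($name)
        } else {
            $candidates = $searchDirs | ForEach-Object { Join-Path $_ $name }
        }
        $path = $candidates | Where-Object { Test-Path -LiteralPath $_ } |
                Select-Object -First 1

        if (-not $path) {
            # Named in the registry but not found on disk: worth a closer look
            # (stale entry from an uninstalled program, or a file hidden from this view).
            [pscustomobject]@{ Key = $key; Entry = $entry; Path = '(not found)'
                               Company = $null; Description = $null
                               Signature = $null; Signer = $null }
            continue
        }
        $file = Get-Item -LiteralPath $path -Force   # -Force also returns hidden/system files
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Key         = $key
            Entry       = $entry
            Path        = $path
            Company     = $file.VersionInfo.CompanyName      # publisher recorded in the file
            Description = $file.VersionInfo.FileDescription
            Signature   = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject     # $null when unsigned
        }
    }
}
```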
     