
Netspy Trojan 3

Status
Not open for further replies.

shazza1

Technical User
Dec 27, 2002
Hi,

I seem to be having trouble when first connecting to the internet.
I have recently installed Norton AV 2003 and Norton Personal Firewall 2003.
When connecting, the firewall pops up saying it has found a NETSPY TROJAN trying to connect to the internet:
Netspy Trojan C:\Windows\Explorer.exe
I have checked and scanned the computer and found nothing.
I have done a search on the web, but get very little help with a solution. Could I have this Trojan on my computer but somehow it has been hidden?
I have always used previous versions of Norton and this has never come up before.
Using XP Home, and yes, I have disabled the XP Firewall.
Also done a scan using the Norton home site scanners; it says I am safe in all sections.
Shazza1
 
Not familiar with Norton firewall, but Zone Alarm alerts you to the IP address of the intended hookup. Not so with Norton?

Go to grc.com and do the scans and probes under Shields Up... it'll discover shortcomings in the firewall settings. Port 1024 is the one that may show as open...
There is indeed a Netspy Trojan and it uses this port to access, or get your machine to access, it.
With the machine running and online (especially after getting the message), go to a Command Prompt and type
netstat -an
and hit enter.

It'll return the connected/requested IP addresses.
The one that's asking for :1024 (at the end of the entry)
is trying to phone home or go somewhere else.

Once you get the IP address of where it's trying to go, again open the Command Prompt and type in
tracert followed by the IP address, and hit enter.

When it starts the routine, it may return the resolved name of the address. If not, it can be searched with the ARIN whois tools from geektools.com.

The firewall will have to let both netstat and tracert access the internet.
 
Should have added that you may try running either Ad-Aware or SpyBot... free downloads from
lavasoft.de
and
kolla.de

I'd be very disappointed that Norton sees it but can't deal with it... 'course I got complete disenchantment with Norton years ago. (he says, ducking) LOL
 
Some more ports used by NetSpy or NetSpy 2:

1024 = OLD_FINGER - old_finger, RAT: Psyber Streaming Server, NetSpy, R.A.T, Alex
1033 = RAT: Netspy
1111 = LMSOCIALSERVER - LM Social Server, RAT: RemoteXS, Nemesis, X-Filer, NetSpy II, Way, Rths, Dzyckz
6711 = RAT: SubSeven, BackDoor-G, VP Killer, LittleWitch, Kilo, Girlboy, Sociable 2000, Sweetheart, NetSpy II, NetKey, Brouser, NMKB
6712 = RAT: SubSeven, Funny trojan, NetSpy II, Spadeace, LYB
31338 = RAT: Back Orifice, Butt Funnel, DK32 NetSpy, DeepBO
31339 = RAT: DK32 NetSpy, LittleWitch, Kiss

You could start your anti-Trojan research at this site, and while you are there check out Port Explorer too.

Most anti-virus programs, as the name suggests, concentrate on virus infection, with some detection of Trojans included as a secondary purpose. A proper anti-Trojan software package is recommended for protection against Trojans.
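The netstat check Gargouille describes earlier in the thread, applied against the port list in this post, as an added example that is not from any poster here: a small Python parser for "netstat -an" output that reports only lines whose remote side is one of the listed ports. The sample output and the addresses in it are constructed for the example.

```python
import re

# Ports that the list in this post ties to NetSpy / NetSpy II (and other RATs).
RAT_PORTS = {1024, 1033, 1111, 6711, 6712, 31338, 31339}

# One data line of Windows "netstat -an" output, e.g.
#   TCP    192.168.0.2:1025    198.51.100.7:1024    SYN_SENT
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)(?:\s+(?P<state>\S+))?\s*$"
)

def parse_netstat(text):
    """Return one dict per TCP/UDP line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["fport"] = None if row["fport"] == "*" else int(row["fport"])
        rows.append(row)
    return rows

def suspicious_connections(rows, watch_ports=RAT_PORTS):
    """Flag rows whose REMOTE port is a watched port and whose remote address is a
    real host. The local port is ignored on purpose: on Windows 2000/XP the dynamic
    port range starts at 1024, so a local :1024 on an ordinary web connection is
    normal and only the foreign side of the line is telling."""
    hits = []
    for r in rows:
        if r["fport"] in watch_ports and r["faddr"] not in ("0.0.0.0", "*", "127.0.0.1"):
            hits.append((r["proto"], r["faddr"], r["fport"], r["state"] or ""))
    return hits

# Constructed sample output (not from any real machine); 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges. Only the third line should be reported.
SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1024       192.0.2.10:80          ESTABLISHED
  TCP    192.168.0.2:1025       198.51.100.7:1024      SYN_SENT
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for proto, addr, port, state in suspicious_connections(parse_netstat(SAMPLE)):
        print(f"{proto} -> {addr}:{port} {state}  (candidate for tracert / whois)")
```

Paste real netstat output in place of SAMPLE; a reported address is the one to feed to tracert or a whois lookup as the post describes.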
 
OK, thanks guys, I will look into everything above.

Norton's Firewall does show attackers' IPs, and I have quite a few attacks a week.

Norton's even has a tracer by clicking on the IP address, which I have just discovered. [3eyes]

I did a quick check on one of my port attacks just then and it was from 203.69.120.231, Lingsen Precision Industries (Taiwan), dns1.lingsen.com.tw.

I have a few port blocks as well, from Austria to Ephens Ave, Missoula, Montana, US.
I'm not that clever, so it might take me a little time to get back to you.
Shazza1 from downunder [upsidedown]
 
OK guys, here it goes.

I have tried doing a trace using Norton's tracer and trying Geektools, which is a cool site I must say, from GARGOUILLE.
No luck, both say (unknown). I then went to the site Linney had given and downloaded Port Explorer, which I am looking at now. I have two lines in red: Isass.EXE, Process ID 500, UDP.
Not sure if I should Kill Process? I have also downloaded a Trojan Remover which states I am clean. I have Ad-Aware and its scan reads I am clean.
I found that I do not have to connect to the internet at all: with the modem on but not online, within a few seconds of turning the computer on the firewall reads Netspy trojan found.
As well, Gargouille, I tried exactly what you said in the Command Prompt, but nothing happened, no IP or nothing.
Unless I'm that stupid..lol

Shazza1
 
Hi Shazza:
Did you do the scan at grc.com?
It should tell you first of all if you are vulnerable to such attacks. If you check Stealth on all ports scanned, there's an even better chance that you're immune to it, even if it is on your system.
You need to look at the registry (get someone to help you if you feel like you can't do it alone) and see if there's a value with the trojan's name... netspy... at
HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
OR start regedit and then, from the menu at the top, search for netspy. You're bound to find the registry-wide search references to it now, 'cause the record of your searching will be there too. It supposedly adds a registry entry at the above reference, and deleting it by highlighting the netspy part of it and hitting delete will do wonders for your confidence, no?
Could there be someone trying to track what you're doing on the computer?

Copied from elsewhere:
[[ Netspy is a downloadable shareware program that allows a remote user to have unauthorised access to a PC. It can be used by parents to monitor what their children are seeing on the internet (it has what is called an Internet Cache Viewer). It comes as a single .exe file called
"SysProtect" or "SP_ClLIENT.EXE". It was designed by a man named Frank Kusluski, who adds his e-mail address (kusluski@mail.ic.net) to his ads for the program. It has an uninstall feature, but if it's hidden I don't know where to find it. Once executed it will add itself to Windows autostart and will start with Windows all the time. ]]

Look for it in msconfig and disable it. (Start/Run, type msconfig and hit enter, then click on the Startup tab and see if anything with the above-mentioned names is there. If it is, uncheck it from the startup... then reboot and see if you get the message.)
 
Just noticed in the next paragraph where I was quoting from, the gentleman corrected the spelling of the exe... to SP_CLIENT.EXE.
 
Thanks Gargouille,
Yes, I went into msconfig and Startup and saw nothing of the above mentioned; yes, I did do the scan on grc.com.
And here were the results, all was safe..

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Then did the Port Scan..
All ports closed and stealth, 5000 UPnP closed. Your computer has responded that this port exists but is currently closed to connection.
Thanks for all your help so far. I'm not that worried about it, it's just annoying with it popping up every time I turn on. I know the firewall blocks it, thank god.
I will keep on searching.
Shazza1[wink]
My two cents' worth: Windows Explorer regularly tries to phone home to Microsoft. Port 1024 is typically the first port used by your computer for any process not defined in the well-known ports 1-1023 (21 ftp, 80 http, etc.). So this process could be completely non-malicious. Somewhere, your firewall should tell you what IP address this process is trying to connect to. If your firewall and/or netstat cannot tell you where the connection is going, I would be suspicious. But I'm paranoid. If you're really curious, try a packet sniffer (like Ethereal) to catch the outgoing packet and see what it's all about. HTH.
 
Isass.EXE or lsass.exe (I or L)? lsass.exe is a system process and should not be deleted. It is highlighted in Port Explorer because it is using a hidden window.

The Port Explorer forum at Wilders Security (as are their other forums) is a wealth of security information and worth a visit.

Which anti-Trojan program did you use? If it was one you just downloaded, did you make sure its definitions were up to date and everything was configured correctly?
 
Well Cruiserweight, I myself knew of Microsoft's trying to dial; I found out here over 9 months ago looking through a forum on that subject. As I stated above, Cruiserweight, the firewall does not show the IP, all is 0.0.0.0 and so on.
I'm also a very paranoid person when it comes to my computer.[sad]
As for the packet sniffer, I did see that, but at the moment I have this Trojan Remover/Port Explorer/firewall/AV/Ad-Aware. How much more do I need? But I will try anything.

Linney[smarty] thanks for your alert, this is why I came back to ask if I should kill it. I had that gut feeling not to get rid of it.
As for the Trojan Remover\Rmv Trjan.exe
As for doing an update after downloading, well, um um, no I didn't, silly me. OK, I will do it right now, then scan all again. Thanks guys[rednose]
 
Well guys, went through it all, and Linney, when I did update the Trojan Remover and then scanned the computer again, no trojans were found, but from then on I have not had the warning since. I think XP has a mind of its own, things come then disappear..lol

My last thread did the same, just vanished.
But I do have another that took its place, which I am reading up on now: the "WAN (PPP/SLIP) Interface" (IP Address 202.6.137.200).

Anyway thanks for all your help Guys this is a wonderful site which I have mentioned to many of my friends.
WELL DONE....[2thumbsup]
Shazza1
 