Solved

SP.EXE Security Hole and the Sound of Dripping Water....

Posted on 2004-10-20
Last Modified: 2013-12-04
I think that I have a security vulnerability, but I don't know where!

On five separate occasions recently, the file sp.exe has appeared on my computer (spooner-B trojan/virus).  I am running up-to-date virus checking software (Sophos) that does not seem to notice the file being created and I am not agreeing to any file download.  Zone alarm does not block the download, even though I cannot see how I could initiate the download and therefore I suspect this to be some form of attack on my PC.  I have even installed a Draytek 2600 series router with firewall, but the file has appeared on the computer since doing this.

Oddly, I also frequently get a sound like dripping water when browsing web pages.  It always seems to be a different site that makes the sound first, but once it starts, it reappears at irregular intervals (and is so annoying, I often resort to turning off the speakers).

I don't think that the problem is unique to my computer as it has also found its way on to my work computer - running Sophos AV that is updated by the Enterprise server hourly and behind a Linux based firewall (Navaho systems).

Has anyone got any suggestions how this file keeps on getting on to my computer?
Question by:williamz_net
12 Comments
 
LVL 18

Expert Comment

by:luv2smile
Hmmm....have you transferred any files from your home machine to your work machine or used any disks on both? That would explain it passing to your work computer.

A search on Symantec revealed sp.exe as adware.....maybe this is why your antivirus didn't find it?

http://securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.b.html

I would download and install Spybot and Adaware, making sure they are both up to date before running them, run them in safe mode, and turn off System Restore before you do.

If that doesn't help, then I would download HijackThis

http://www.spychecker.com/program/hijackthis.html

And then post the log to:

http://www.hijackthis.de/index.php?langselect=english

 
LVL 16

Expert Comment

by:robrandon
Looks like you got a bit of scary spyware.

http://www.liutilities.com/products/wintaskspro/processlibrary/sp/

I would change your admin passwords after removing it with some type of spyware tool, such as Adaware or Spybot.

 
LVL 18

Expert Comment

by:luv2smile
Before deleting anything found in the log, make sure you research to make sure it is safe to delete.
 
LVL 18

Expert Comment

by:luv2smile
Also, if you have any accounts that you have typed a password for, then I would change those passwords. Such as if you check your bank account online, etc.  With the keylogger, there is a risk that all your information has been transferred to someone else.
 

Author Comment

by:williamz_net
Thanks for the suggestions, I will give Adaware etc. a go, but I already run Pest Patrol which ignores it - I think you are right about it being spyware, but when I have tried to contact Zone Labs about the non-blocking/detection issues, they have ignored me!

What still worries me is how the file is getting on to my computer.  Although I do regularly transfer files from one computer to another, they are all Office documents and the transfers are done by briefcase.  I am extremely careful not to run untrusted executables - to the point of moving away from Outlook to a web based company solution (that runs Sophos AV for Linux on the mail server) and unless my web browser is executing some code to download the file without my knowledge, I cannot see how the file is arriving on my HD...
 
LVL 18

Expert Comment

by:luv2smile
There seems to be different listings for what sp.exe exactly is....is this showing up as a process running or where is it showing up at?
 
LVL 18

Expert Comment

by:luv2smile
"my web browser is executing some code to download the file without my knowledge"

This is how most spyware gets onto a computer. You don't have to open anything or download anything...a lot of spyware uses ActiveX controls and scripts to execute.
 
LVL 18

Expert Comment

by:luv2smile
Found this on pest patrol:

http://www.pestpatrol.com/PestInfo/s/spy_passkiller.asp

So if that is what you have, then if pest patrol is up to date then it should have caught it.

So possibly it is the thing that Symantec listed as being adware, not a virus.
 

Author Comment

by:williamz_net
I am pretty sure that this is spooner-b sp.exe

On the occasions that I have not spotted it in time and it has run (I have recently written a simple VB prog to detect when it arrives!), web links such as e-mail have been redirected to ntsearch.com
 

Author Comment

by:williamz_net
Further to comment posted at 12:12pdt:

How do I secure against this web based code running (sorry if this is a dumb question!)? I thought that AV + firewall should protect against this.  Right after the first time the file arrived, I did an immediate update of Sophos AV, Zone Alarm and Pest Patrol but none of them seem to be spotting the file.  Before installing the updates, I disconnected from the net, killed the sp.exe registry entry, rebooted and killed the file, so it shouldn't have affected the install of the updates...

NB: Before submitting, I have just been into the IE Security settings and changed a couple of ActiveX permissions to prompt instead of run.
0
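An added example (not part of the original thread) of verifying the change described in the comment above: it reads Internet Explorer's Internet-zone ActiveX settings from the registry and flags any that are still set to Enable instead of Prompt or Disable. The registry paths and action IDs are IE's standard zone settings; the function name `Get-ActiveXZoneAudit` is hypothetical.

```powershell
# Added example: audit IE's Internet zone (zone 3) ActiveX URL actions.
# Values: 0 = Enable (no prompt), 1 = Prompt, 3 = Disable.
# Policy keys are checked too, because a Group Policy value, if present,
# takes precedence over what the user picks in the Security settings dialog.
$zoneKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {   # hypothetical helper name
    param([string[]]$Path = $zoneKeys)
    foreach ($key in $Path) {
        # A missing key (e.g. no policy configured) simply yields no values.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($id in $actions.Keys) {
            $raw = if ($props) { $props.$id } else { $null }
            if ($null -eq $raw) {
                $setting = 'not set'
            } elseif ($meaning.ContainsKey([int]$raw)) {
                $setting = $meaning[[int]$raw]
            } else {
                $setting = "other ($raw)"
            }
            [pscustomobject]@{
                Id      = $id
                Action  = $actions[$id]
                Setting = $setting
                Review  = ($setting -eq 'Enable')   # still runs without asking
                Key     = $key
            }
        }
    }
}

# Show only values that are actually configured; Review = True needs attention.
Get-ActiveXZoneAudit |
    Where-Object { $_.Setting -ne 'not set' } |
    Format-Table Id, Action, Setting, Review, Key -AutoSize
```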
 
LVL 18

Expert Comment

by:luv2smile
Unfortunately there is no one solution to fighting spyware and no....AV + firewall is not enough. The easy solution is to get rid of IE and use a browser like Firefox....this eliminates a lot of it.

You need programs like AdAware and Spybot Search and Destroy to run regularly to check for spyware. In worst case scenarios HijackThis is a huge help. Unfortunately no one spyware product will catch everything. I
 
LVL 18

Accepted Solution

by:
luv2smile earned 250 total points
You have Pest Patrol, but there is stuff that it won't catch. I personally think Adaware and Spybot are the two best programs to use (and they are free for personal use, but you can buy pro versions of them....if you buy anything, I would recommend the pro versions of those). But there are things that Spybot catches that Adaware doesn't, and vice versa. Then there is stuff that neither of them catches, and this is where HijackThis comes in handy.