Solved

SP.EXE Security Hole and the Sound of Dripping Water....

Posted on 2004-10-20
Last Modified: 2013-12-04
I think that I have a security vulnerability, but I don't know where!

On five separate occasions recently, the file sp.exe has appeared on my computer (spooner-B trojan/virus).  I am running up-to-date virus checking software (Sophos) that does not seem to notice the file being created and I am not agreeing to any file download.  Zone alarm does not block the download, even though I cannot see how I could initiate the download and therefore I suspect this to be some form of attack on my PC.  I have even installed a Draytek 2600 series router with firewall, but the file has appeared on the computer since doing this.

Oddly, I also frequently get a sound like dripping water when browsing web pages.  It always seems to be a different site that makes the sound first, but once it starts, it reappears at irregular intervals (and is so annoying, I often resort to turning off the speakers).

I don't think that the problem is unique to my computer as it has also found its way on to my work computer - running Sophos AV that is updated by the Enterprise server hourly and behind a Linux based firewall (Navaho systems).

Has anyone got any suggestions how this file keeps on getting on to my computer?
Question by:williamz_net
12 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12361758
Hmmm....have you transferred any files from your home machine to your work machine or used any disks on both? That would explain it passing to your work computer.

A search on symantec revealed sp.exe as adware.....maybe this is why your antivirus didn't find it?

http://securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.b.html

I would download and install Spybot and Adaware, making sure they are both up to date before running them, run them in safe mode, and turn off system restore before you do.

If that didn't help then I would download hiJackThis

http://www.spychecker.com/program/hijackthis.html

And then post the log to:

http://www.hijackthis.de/index.php?langselect=english

0
 
LVL 16

Expert Comment

by:robrandon
ID: 12361768
Looks like you got a bit of scary spyware.

http://www.liutilities.com/products/wintaskspro/processlibrary/sp/

I would change your admin passwords after removing it with some type of spyware tool, such as Adaware or Spybot.

0
 
LVL 18

Expert Comment

by:luv2smile
ID: 12361836
Before deleting anything found in the log, make sure you research to make sure it is safe to delete.
0
 
LVL 18

Expert Comment

by:luv2smile
ID: 12361872
Also, if you have any accounts that you have typed a password for then I would change those passwords. Such as if you check your bank account online, etc.  With the keylogger, there is risk that all your information has been transferred to someone else.
0
 

Author Comment

by:williamz_net
ID: 12361956
Thanks for the suggestions, I will give adaware etc a go, but I already run pest patrol which ignores it - I think you are right about it being spy ware, but when I have tried to contact zone labs about the non-blocking/detection issues, they have ignored me!

What still worries me is how the file is getting on to my computer.  Although I do regularly transfer files from one computer to another, they are all Office documents and the transfers are done by briefcase.  I am extremely careful not to run untrusted executables - to the point of moving away from Outlook to a web based company solution (that runs Sophos AV for Linux on the mail server) and unless my web browser is executing some code to download the file without my knowledge, I cannot see how the file is arriving on my HD...
0
 
LVL 18

Expert Comment

by:luv2smile
ID: 12361964
There seems to be different listings for what sp.exe exactly is....is this showing up as a process running or where is it showing up at?
0
 
LVL 18

Expert Comment

by:luv2smile
ID: 12361983
"my web browser is executing some code to download the file without my knowledge"

This is how most spyware gets onto a computer. You don't have to open anything or download anything...a lot of spyware uses active x controls and scripts to execute.
0
 
LVL 18

Expert Comment

by:luv2smile
ID: 12361997
Found this on pest patrol:

http://www.pestpatrol.com/PestInfo/s/spy_passkiller.asp

So if that is what you have, then if pest patrol is up to date then it should have caught it.

So possibly it is the thing that symantec listed as being adware, not a virus.
0
 

Author Comment

by:williamz_net
ID: 12361998
I am pretty sure that this is spooner-b sp.exe

On the occasions that I have not spotted it in time and it has run (I have recently written a simple VB prog to detect when it arrives!), web links such as e-mail have been redirected to ntsearch.com
0
 

Author Comment

by:williamz_net
ID: 12362072
Further to comment posted at 12:12pdt:

How do I secure against this web based code running (sorry if this is a dumb question!)? I thought that AV + firewall should protect against this.  Right after the first time the file arrived, I did an immediate update of sophos AV, zone alarm and pest patrol but none of them seem to be spotting the file.  Before installing the updates, I disconnected from the net, killed the sp.exe registry entry, rebooted and killed the file, so it shouldn't have affected the install of the updates...

NB: Before submitting, I have just been into the IE Security settings and changed a couple of Active X permissions to prompt instead of run.
0
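An added example, not part of the original thread: one way to review the ActiveX change described in the comment above is to export the Internet zone's settings from the registry and list the ActiveX actions that still run without a prompt. The export contents below are constructed, and the function names are hypothetical.

```python
import re

# Internet Explorer per-zone URL-action IDs that govern ActiveX (DWORD values
# under ...\Internet Settings\Zones\<n>); 0 = enable, 1 = prompt, 3 = disable.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked safe",
    "1405": "Script ActiveX controls marked safe for scripting",
}
POLICY = {0: "enable", 1: "prompt", 3: "disable"}

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.IGNORECASE)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def activex_policy(reg_text, zone="3"):
    """Map each ActiveX action ID found for `zone` (3 = Internet) to its policy."""
    result, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            key = KEY_RE.match(line)
            current = key.group(1) if key else None  # track which zone key we are in
            continue
        val = VAL_RE.match(line)
        if val and current == zone and val.group(1) in ACTIVEX_ACTIONS:
            result[val.group(1)] = POLICY.get(int(val.group(2), 16), "other")
    return result

def silent_actions(reg_text, zone="3"):
    """ActiveX action IDs that proceed without asking the user."""
    return sorted(a for a, p in activex_policy(reg_text, zone).items() if p == "enable")

# Constructed sample in .reg export format (real exports are UTF-16; decode first).
HEADER = "Windows Registry Editor Version 5.00\n\n"
ZONE3 = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]"
BEFORE = (HEADER + ZONE3 + '\n"1001"=dword:00000000\n"1004"=dword:00000003\n'
          '"1200"=dword:00000000\n"1201"=dword:00000003\n"1405"=dword:00000000\n')
# The same export after two actions are switched from enable to prompt.
AFTER = (BEFORE.replace('"1001"=dword:00000000', '"1001"=dword:00000001')
               .replace('"1200"=dword:00000000', '"1200"=dword:00000001'))

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        for action in silent_actions(text):
            print(name, action, ACTIVEX_ACTIONS[action])
```

Any action still listed for the "after" export is one the browser will carry out for an Internet-zone page without asking.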
 
LVL 18

Expert Comment

by:luv2smile
ID: 12362248
Unfortunately there is no one solution to fighting spyware and no....AV + firewall is not enough. The easy solution is to get rid of IE and use a browser like Firefox....this eliminates a lot of it.

You need programs like AdAware and Spybot Search and Destroy to run regularly to check for spyware. In worst case scenarios hijackthis is a huge help. Unfortunately no one spyware product will catch everything. I
0
 
LVL 18

Accepted Solution

by:
luv2smile earned 250 total points
ID: 12362303
You have pest patrol, but there is stuff that it won't catch. I personally think Adaware and Spybot are the two best programs to use (and they are free for personal use, but you can buy pro versions of them....if you buy anything, I would recommend the pro versions of those). But there are things that Spybot catches that Adaware doesn't, and vice versa. Then there is stuff that neither of them catch and this is where HiJackThis comes in handy.
0
