  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 384

SP.EXE Security Hole and the Sound of Dripping Water....

I think that I have a security vulnerability, but I don't know where!

On five separate occasions recently, the file sp.exe has appeared on my computer (spooner-B trojan/virus).  I am running up-to-date virus checking software (Sophos) that does not seem to notice the file being created and I am not agreeing to any file download.  Zone alarm does not block the download, even though I cannot see how I could initiate the download and therefore I suspect this to be some form of attack on my PC.  I have even installed a Draytek 2600 series router with firewall, but the file has appeared on the computer since doing this.

Oddly, I also frequently get a sound like dripping water when browsing web pages.  It always seems to be a different site that makes the sound first, but once it starts, it reappears at irregular intervals (and is so annoying, I often resort to turning off the speakers).

I don't think that the problem is unique to my computer as it has also found its way on to my work computer - running Sophos AV that is updated by the Enterprise server hourly and behind a Linux based firewall (Navaho systems).

Has anyone got any suggestions how this file keeps on getting on to my computer?
0
Asked:
williamz_net
 
luv2smile Commented:
Hmmm....have you transferred any files from your home machine to your work machine or used any disks on both? That would explain it passing to your work computer.

A search on Symantec revealed sp.exe as adware.....maybe this is why your antivirus didn't find it?

http://securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.b.html

I would download and install Spybot and Adaware, making sure they are both up to date before running them, run them in safe mode, and turn off System Restore before you do.

If that didn't help then I would download HijackThis

http://www.spychecker.com/program/hijackthis.html

And then post the log to:

http://www.hijackthis.de/index.php?langselect=english

0
 
robrandon Commented:
Looks like you got a bit of scary spyware.

http://www.liutilities.com/products/wintaskspro/processlibrary/sp/

I would change your admin passwords after removing it with some type of spyware tool, such as Adaware or Spybot.

0
 
luv2smile Commented:
Before deleting anything found in the log, make sure you research to make sure it is safe to delete.
0
 
luv2smile Commented:
Also, if you have any accounts that you have typed a password for, then I would change those passwords. Such as if you check your bank account online, etc.  With the keylogger, there is risk that all your information has been transferred to someone else.
0
 
williamz_net (Author) Commented:
Thanks for the suggestions, I will give adaware etc a go, but I already run pest patrol which ignores it - I think you are right about it being spyware, but when I have tried to contact zone labs about the non-blocking/detection issues, they have ignored me!

What still worries me is how the file is getting on to my computer.  Although I do regularly transfer files from one computer to another, they are all Office documents and the transfers are done by briefcase.  I am extremely careful not to run untrusted executables - to the point of moving away from Outlook to a web based company solution (that runs Sophos AV for Linux on the mail server) and unless my web browser is executing some code to download the file without my knowledge, I cannot see how the file is arriving on my HD...
0
 
luv2smile Commented:
There seems to be different listings for what sp.exe exactly is....is this showing up as a process running or where is it showing up at?
0
 
luv2smile Commented:
"my web browser is executing some code to download the file without my knowledge"

This is how most spyware gets onto a computer. You don't have to open anything or download anything...a lot of spyware uses ActiveX controls and scripts to execute.
0
 
luv2smile Commented:
Found this on pest patrol:

http://www.pestpatrol.com/PestInfo/s/spy_passkiller.asp

So if that is what you have, then if pest patrol is up to date then it should have caught it.

So possibly it is the thing that Symantec listed as being adware, not a virus.
0
 
williamz_net (Author) Commented:
I am pretty sure that this is spooner-b sp.exe

On the occasions that I have not spotted it in time and it has run (I have recently written a simple VB prog to detect when it arrives!), web links such as e-mail have been redirected to ntsearch.com
0
 
williamz_net (Author) Commented:
Further to comment posted at 12:12pdt:

How do I secure against this web based code running (sorry if this is a dumb question!)? I thought that AV + firewall should protect against this.  Right after the first time the file arrived, I did an immediate update of sophos AV, zone alarm and pest patrol but none of them seem to be spotting the file.  Before installing the updates, I disconnected from the net, killed the sp.exe registry entry, rebooted and killed the file, so it shouldn't have affected the install of the updates...

NB: Before submitting, I have just been into the IE Security settings and changed a couple of ActiveX permissions to prompt instead of run.
0
 
luv2smile Commented:
Unfortunately there is no one solution to fighting spyware and no....AV + firewall is not enough. The easy solution is to get rid of IE and use a browser like Firefox....this eliminates a lot of it.

You need programs like AdAware and Spybot Search and Destroy to run regularly to check for spyware. In worst case scenarios HijackThis is a huge help. Unfortunately no one spyware product will catch everything. I
0
 
luv2smile Commented:
You have pest patrol, but there is stuff that it won't catch. I personally think Adaware and Spybot are the two best programs to use (and they are free for personal use, but you can buy pro versions of them....if you buy anything, I would recommend the pro versions of those). But there are things that Spybot catches that Adaware doesn't, and vice versa. Then there is stuff that neither of them catch and this is where HiJackThis comes in handy.
0