Solved

SP.EXE Security Hole and the Sound of Dripping Water....

Posted on 2004-10-20
Last Modified: 2013-12-04
I think that I have a security vulnerability, but I don't know where!

On five separate occasions recently, the file sp.exe has appeared on my computer (spooner-B trojan/virus).  I am running up-to-date virus checking software (Sophos) that does not seem to notice the file being created and I am not agreeing to any file download.  Zone alarm does not block the download, even though I cannot see how I could initiate the download and therefore I suspect this to be some form of attack on my PC.  I have even installed a Draytek 2600 series router with firewall, but the file has appeared on the computer since doing this.

Oddly, I also frequently get a sound like dripping water when browsing web pages.  It always seems to be a different site that makes the sound first, but once it starts, it reappears at irregular intervals (and is so annoying, I often resort to turning off the speakers).

I don't think that the problem is unique to my computer as it has also found its way on to my work computer - running Sophos AV that is updated by the Enterprise server hourly and behind a Linux based firewall (Navaho systems).

Has anyone got any suggestions how this file keeps on getting on to my computer?
Question by:williamz_net
Expert Comment

by:luv2smile
ID: 12361758
Hmmm....have you transferred any files from your home machine to your work machine or used any disks on both? That would explain it passing to your work computer.

A search on Symantec revealed sp.exe as adware.....maybe this is why your antivirus didn't find it?

http://securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.b.html

I would download and install Spybot and Adaware, making sure they are both up to date before running them, run them in safe mode, and turn off system restore before you do.

If that didn't help then I would download HiJackThis

http://www.spychecker.com/program/hijackthis.html

And then post the log to:

http://www.hijackthis.de/index.php?langselect=english

Expert Comment

by:robrandon
ID: 12361768
Looks like you got a bit of scary spyware.

http://www.liutilities.com/products/wintaskspro/processlibrary/sp/

I would change your admin passwords after removing it with some type of spyware tool, such as Adaware or Spybot.

Expert Comment

by:luv2smile
ID: 12361836
Before deleting anything found in the log, make sure you research to make sure it is safe to delete.
Expert Comment

by:luv2smile
ID: 12361872
Also, if you have any accounts that you have typed a password for, then I would change those passwords, such as if you check your bank account online, etc.  With the keylogger, there is risk that all your information has been transferred to someone else.
Author Comment

by:williamz_net
ID: 12361956
Thanks for the suggestions, I will give adaware etc a go, but I already run pest patrol which ignores it - I think you are right about it being spy ware, but when I have tried to contact zone labs about the non-blocking/detection issues, they have ignored me!

What still worries me is how the file is getting on to my computer.  Although I do regularly transfer files from one computer to another, they are all Office documents and the transfers are done by briefcase.  I am extremely careful not to run untrusted executables - to the point of moving away from Outlook to a web based company solution (that runs Sophos AV for Linux on the mail server) and unless my web browser is executing some code to download the file without my knowledge, I cannot see how the file is arriving on my HD...
Expert Comment

by:luv2smile
ID: 12361964
There seems to be different listings for what sp.exe exactly is....is this showing up as a process running or where is it showing up at?
Expert Comment

by:luv2smile
ID: 12361983
"my web browser is executing some code to download the file without my knowledge"

This is how most spyware gets onto a computer. You don't have to open anything or download anything...a lot of spyware uses active x controls and scripts to execute.
Expert Comment

by:luv2smile
ID: 12361997
Found this on pest patrol:

http://www.pestpatrol.com/PestInfo/s/spy_passkiller.asp

So if that is what you have, then if pest patrol is up to date then it should have caught it.

So possibly it is the thing that symantec listed as being adware, not a virus.
Author Comment

by:williamz_net
ID: 12361998
I am pretty sure that this is spooner-b sp.exe

On the occasions that I have not spotted it in time and it has run (I have recently written a simple VB prog to detect when it arrives!), web links such as e-mail have been redirected to ntsearch.com
Author Comment

by:williamz_net
ID: 12362072
Further to comment posted at 12:12pdt:

How do I secure against this web based code running (sorry if this is a dumb question!)? I thought that AV + firewall should protect against this.  Right after the first time the file arrived, I did an immediate update of Sophos AV, zone alarm and pest patrol but none of them seem to be spotting the file.  Before installing the updates, I disconnected from the net, killed the sp.exe registry entry, rebooted and killed the file, so it shouldn't have affected the install of the updates...

NB: Before submitting, I have just been into the IE Security settings and changed a couple of Active X permissions to prompt instead of run.
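
The ActiveX permissions mentioned in the comment above are stored per security zone in the registry, so they can be audited from a `reg export` file. This is an added example, not part of the original thread: the sample export is constructed, and the script assumes Internet Explorer's documented URL-action IDs for the Internet zone (`Zones\3`) with policy values 0 = enable, 1 = prompt, 3 = disable.

```python
import re

# IE URL-action IDs that govern ActiveX in a security zone (Zones\3 = Internet).
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked safe",
    "1405": "Script ActiveX controls marked safe for scripting",
}
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
VALUE_RE = re.compile(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})')
ZONE_SUFFIX = r"\internet settings\zones\3"

# Constructed sample export (not taken from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1405"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1201"=dword:00000000
'''

def audit_internet_zone(reg_text):
    """Map each ActiveX action ID to enable/prompt/disable, or 'not set'."""
    report = {action: "not set" for action in ACTIVEX_ACTIONS}
    in_zone = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a new key starts; track whether it is Zones\3
            in_zone = line.rstrip("]").lower().endswith(ZONE_SUFFIX)
            continue
        m = VALUE_RE.fullmatch(line)
        if in_zone and m and m.group(1) in ACTIVEX_ACTIONS:
            value = int(m.group(2), 16)
            report[m.group(1)] = POLICY.get(value, "unknown (0x%x)" % value)
    return report

def silent_actions(report):
    """Action IDs allowed with no prompt; these are the ones to tighten."""
    return sorted(a for a, state in report.items() if state == "enable")

if __name__ == "__main__":
    result = audit_internet_zone(SAMPLE_REG)
    for action in sorted(result):
        print(action, ACTIVEX_ACTIONS[action], "->", result[action])
    print("no prompt:", silent_actions(result))
```

An action reported as "not set" has no per-user value in the export, so whatever default or policy applies elsewhere decides it and should be checked separately.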
Expert Comment

by:luv2smile
ID: 12362248
Unfortunately there is no one solution to fighting spyware and no....AV + firewall is not enough. The easy solution is to get rid of IE and use a browser like Firefox....this eliminates a lot of it.

You need programs like AdAware and Spybot Search and Destroy to run regularly to check for spyware. In worst case scenarios HiJackThis is a huge help. Unfortunately no one spyware product will catch everything. I
Accepted Solution

by:
luv2smile earned 250 total points
ID: 12362303
You have pest patrol, but there is stuff that it won't catch. I personally think Adaware and Spybot are the two best programs to use (and they are free for personal use, but you can buy pro versions of them....if you buy anything, I would recommend the pro versions of those). But there are things that Spybot catches that Adaware doesn't, and vice versa. Then there is stuff that neither of them catch and this is where HiJackThis comes in handy.