| Thread ID: 69563 | 2006-06-05 13:04:00 | ScreenSpy on my Computer? | cjdnzl (10234) | Press F1 |
| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 460786 | 2006-06-05 13:04:00 | I run a more or less regular scan for ad/spyware on my machine, using several utilities for the purpose, including Ad-Aware SE Personal, Spybot Search & Destroy, Windows Defender, ZoneAlarm Pro, and a controversial program, NoAdware. Recently, NoAdware supposedly found ScreenSpy on my computer, a nasty program that records screenshots every 30 seconds or so and transmits them to the hacker that put it on my machine. I bailed out of NoAdware without allowing it to remove the spyware, and ran the other programs in turn to see if they could find this ScreenSpy spyware. None of the other programs found anything at all. I perused the net to see what I could find, and found that at least some versions of ScreenSpy are legit in that they are sold for covert surveillance of a kid's, spouse's, or employee's use of the computer - underhand to say the least, in my book. Symantec says that it takes a direct installation to put it on a computer, implying that it can't be delivered over the net. I was leaning toward accepting that NoAdware was mistaken, since none of the other programs found anything, but just on impulse I decided to search the registry. I ran Regedit and entered "screen spy" as a search key - and there it was. Under HKEY\Current User\Software\Microsoft\Internet Explorer\Explorer Bars\C4EE31F3-4758-11D2-BE5C-00A0C9A8\FilesNamed MRU\ was REG_SZ win16dll, 'copdad', 'screenspy', and 'screen spy' 3 times. Symantec mentioned win16.dll and the copdad folder as items belonging to ScreenSpy, but I did not find the actual copdad folder or win16.dll, presumably removed earlier by one of the antispyware programs, but the registry entries were found by NoAdware but not removed. If anyone has more information on this situation I would like to know please. | cjdnzl (10234) |
| 460787 | 2006-06-05 15:23:00 | ScreenSpy captures screenshots of a remote computer running Windows 95/98/ME/NT3.5x/NT4.x/2000/XP/2003. ScreenSpy accesses the remote computer through any Internet web browser, as long as the computer is not running behind a firewall. Because of these features, ScreenSpy may be utilized as a lightweight solution for technical support and assistance over the Internet. OK... so you are missing a firewall? Shame! Post a HiJackThis scan from Safe Mode and let's see what you've got running. www.majorgeeks.com (majorgeeks.com/download3155.html) is the place I get HiJackThis. | SurferJoe46 (51) |
| 460788 | 2006-06-06 01:09:00 | NoAdware was a known rip-off antispyware. I wouldn't trust it with a 20ft barge pole. | tweak'e (69) |
| 460789 | 2006-06-06 01:43:00 | Ok, thanks for the replies there. Firstly, to Surfer Joe, thank you for the offer to look at a HJT scan, which is listed below. I do have a firewall, ZoneAlarm Pro, and I am behind a router with NAT as well, and I have read that SS won't work behind a firewall, so I have more questions than answers. I could find no trace of files associated with SS, but the entries were definitely in the registry as in my first post. BTW this is a recent clean install, about 3 weeks old, with all service packs and updates current. I normally use Opera for browsing, but had to use IE for a site that won't work in Opera (Photodex). To Tweak'e, I know that NoAdware was controversial, but version 3 is said to be ok, by SpywareWarriors.com (I think that's the name). It did find SS entries in the registry, which no other program did. Ok, here's the HJT log: | cjdnzl (10234) |

HijackThis log attached to post 460789:

```text
Logfile of HijackThis v1.99.1
Scan saved at 12:27:41 p.m., on 6/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Opera\Opera.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
F:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Implements TweakBHO - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com en/x86/client/wuweb_site.cab?1148706262015
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
```
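The log above is the kind of thing SurferJoe46 asked for, and reading one by hand means the same few checks every time: orphaned entries that point at "(no file)", unnamed browser add-ons, services with no recognised publisher, and Run entries that either give a bare file name (resolved through PATH at logon) or start something from a directory a normal user can write to. The script below is an added example for this thread, not HijackThis code and not something anyone in the thread posted; it parses the O-lines of a HJT 1.99 log and returns the entries a reviewer should look at first. SAMPLE_LOG is constructed: every line except the `[updater]` one is copied from the log in post 460789, and that one line is invented so the temp-directory rule has something to fire on.

```python
"""Triage a HijackThis 1.99.x log by section.

Added example for this thread; it is not HijackThis code and was not posted by
anyone in the thread. SAMPLE_LOG is constructed: all lines except the
'[updater]' one are copied from the log in post 460789; that one line is
invented to show the temp-directory rule firing.
"""
import re
from dataclasses import dataclass

# HJT item lines look like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe /arg".
# Header lines and the "Running processes" list do not match and are skipped.
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry Run entries: hive, [display name], then the command.
O4_RE = re.compile(r"^(HKLM|HKCU)[^\[]*\[([^\]]*)\]\s*(.*)$")
# Where an unquoted command ends: the first executable-looking extension.
EXT_RE = re.compile(r"\.(exe|com|scr|bat|cmd|pif|dll)\b", re.I)
# Autostart locations a standard user can write to (lower-case substrings).
USER_WRITABLE_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    text: str      # the entry text after "O4 - "
    reasons: list  # why it was flagged; a flag is a question, not a verdict


def parse_entries(log_text):
    """Yield (section, text) for each HJT item line, skipping headers and the process list."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def run_target(entry):
    """Extract the executable an O4 entry launches, or None if the form is unknown.

    Handles the registry form ("[Name] cmd") and the Startup-folder form
    ("x.lnk = path"), quoted and unquoted paths, and trailing arguments.
    """
    m = O4_RE.match(entry)
    if m:
        cmd = m.group(3).strip()
    elif " = " in entry:
        cmd = entry.split(" = ", 1)[1].strip()
    else:
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.search(cmd)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def triage(log_text):
    """Return the Findings a reviewer should look at first, in log order."""
    findings = []
    for section, text in parse_entries(log_text):
        reasons = []
        if "(no file)" in text:
            reasons.append("points at a file that no longer exists (orphaned entry)")
        if section in ("O2", "O3") and "(no name)" in text:
            reasons.append("unnamed browser add-on: identify the CLSID before trusting it")
        if section == "O23" and "Unknown owner" in text:
            reasons.append("service binary has no recognised publisher")
        if section == "O4":
            target = run_target(text)
            if target is not None:
                if "\\" not in target:
                    reasons.append("bare file name, resolved through PATH at logon")
                if any(d in target.lower() for d in USER_WRITABLE_DIRS):
                    reasons.append("autostart from a user-writable or temp directory")
        if reasons:
            findings.append(Finding(section, text, reasons))
    return findings


def summarize(findings):
    """Count flagged entries per HJT section, e.g. {'O4': 2, 'O9': 1}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.text}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the constructed sample it flags five entries, and all five are the same ones a human reviewer would stop on, which is also the point about what a flag means: the unnamed BHO is Spybot's own SDHelper.dll, the "Unknown owner" service is an ATI driver helper, and the bare `internat.exe` is the Windows 2000 keyboard-layout indicator. Each flag is a question (is this binary where its publisher installs it, does the CLSID belong to the product that claims it, why is an autostart in a temp directory), not a verdict, and the invented `[updater]` line shows the one case that should never be explained away. The script deliberately stays with HJT lines rather than the registry hits in the first post, which are a different kind of artefact: the FilesNamedMRU value under that Explorer Bars GUID is where the Windows 2000/XP Search Assistant keeps its "search for files named" history, so it records strings that were typed into Windows Search, and a scanner that just greps the registry for a product name cannot tell that history apart from a program's own footprint.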