Spyware found

Hi folks :)

I always run a spybot scan at minimum twice a week, never finds much (yup it updated regularly)

Have been tryin Webroots SpySweeper 2.6 & it found three things, the Alexa toolbar (removed it), Eacceleration (something to do with NOD, last time i removed it on win98, NOD's IMON wouldnt start & i had to reinstall it) & the one below (info copied from Webroots site) removed it as well, it was mostly reg keys :(

SYSTEM MONITOR Description:

Name: WinWhatWhere
Author: TrueActive Software
Category: System Monitor
Threat Assessment: High

Description: WinWhatWhere monitors all of your computer activity including keystrokes typed, Web sites visited, chat room conversation, and programs run.

Characteristics: WinWhatWhere is a surveillance tool that records keystrokes, visited Web sites, both sides of chat room conversation, emails, clipboard contents, file activity and active applications. The program also captures screenshots and fields from online forms. The collected data is stored into a log file that can be secretly emailed to a remote address. WinWhatWhere runs in the background, so it is invisible to the user. In addition, the program can move and rename itself in order to hide itself from spyware detection programs.

Method of Infection: WinWhatWhere can be installed by someone with administrative access to your computer, such as a system administrator or someone that shares your computer.

I have never ever installed anything like that & am very wary while online, this worries me cause it says it logs all info i type as well as chat room text & other stuff, does anyone here know more about it or what kind of software would install it??

Thx in advance :)

BaNzI :D
 
Time to change the passwords for any system you logged onto between now and the last time you ran the scanner and didn't find anything. Or better yet, change ALL your passwords.

NoSpam
 
Think i will do that NoSpam, just wondering how it got on there, im always careful online & no exe or dll files were found, just 2 reg keys :(

Will scan today with Avast pro & NOD & also Tauscan, the only thing i can think of is twice i downloaded a rar & a zip file that had a file in it called pscan.exe (didnt run or open it), but Avast warned me about it (NOD didnt) so i let Avast delete it :(

BaNzI :D
 
banzibaby said:
just wondering how it got on there, im always careful online
suspicious warez/patches/porn/scam sites may implement automatic download and install scripts for such things via Java or ActiveX;


Greetings from
Duracell
 
Cheers Duracell :)

But i use Opera as main browser, only use IE for Windows updates, for other sites i use Firefox, Opera is set to identify as Opera

Have done a Boot time scan with Avast pro (thorough with archives) nothing found, full scan with NOD 2.0.0.9 (all settings high) nothing found & also a full scan with Tauscan, again nothing found

The only new progs i have on are Getsmile 1 & updated Trillian pro to 2.0.11, im thinkin it might have been put there by Trillian as it monitors Ur keystrokes for idle status

But if anyone else has other advice or ideas, please post :)

BaNzI :D
 
@Duracell, Opera use Suns java, not the M$ one :)

@Roady, i not married m8, no one other than me uses the pc so it must have been installed remotely or as part of some other software :( My guess might be Trillian

I can assure U i will be checking with the girlfriend, but she knows absolutely zip about puters, besides when she here, the pc the last thing on my mind & it stays OFF :D:D:D

I'll keep in SpySweepers quarantine folder the now till i know more or find a prog that doesnt work as it used to :)

BaNzI :D

EDIT i also noticed that i getting a lot of port scans from Outpost 2.1, sometimes just one at a time, other times up to 5-6 at same time, i have it set to block IP for 60 mins & subnet mask, this is on a blueyonder 1mb line, are any of the other UK'rs here having the same?
 
If you haven't already, install Ad-aware and Spybot Search and Destroy:

http://www.lavasoftusa.com/support/download/ and
http://www.safer-networking.org/index.php?page=download

and update them before you scan. I'd scan with both, the price is right :)

You might also want to try TrojanHunter 3.8, you can run a trial of that for 30 days, and run TrojanHunter Guard for a while (resident looking for stuff all the time). That's always a good idea after finding something, and TrojanHunter does find keyloggers. Remember again to update before scanning. Through Scheduled Tasks I have mine check for updates each night, and then run a quick scan after that, and a full scan on a weeknight. There are some command lines needed for that:
Update:
"C:\Program Files\TrojanHunter 3.8\Tools\LiveUpdate\LiveUpdate.exe" /auto
Quickscan:
"C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe" /quickscan /autoclose
and for a full scan:
"C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe" /scanfile c: /autoclose

NoSpam
 
where to get TrojanHunter 3.8 :p
 
dax300 said:
where to get TrojanHunter 3.8 :p
You can get it from the author's site at http://www.misec.net/trojanhunter/. There's a download link at the bottom of the page, and it's a 30 day trial. Current version is 3.85.

NoSpam
 
Cheers NoSpam :)

I always use Spybot 1.2, it didnt notice it despite being updated as soon as they have a update there, tried Ad-Aware as well, all that found was a tracking cookie lol, no wonder i stopped using it :p

I emailed their support dept, here is the reply

You can't always believe what the "spy detector" programs tell you. We are 99.99999% certain that WinWhatWhere is not on your computer.

We have had numerous false reports from these types of products and Spy Sweeper is one of these offenders. Many detector programs report the presence of our software when, in fact, it is not there. This is because our program uses some files that are common to many other Windows applications. The detector is giving you a "false positive" based on the presence of one of these commonly used files. Spy Sweeper has been known to report our software based on the presence of a file named "dwshk36.ocx". However, hundreds of other programs also use this file.

Our software cannot be installed via email or via the Internet without your participation. It does not tag along with other downloads.

We suggest you ask the makers of Spy Sweeper what specific evidence they found to indicate the presence of our software on your computer. If you will pass their response on to us, we can try to assist you.

Please let us know if you have any questions.

Sincerely,

TrueActive Support

509-585-9293

Looking in the (XP) Windows\System32 folder i find these files, one is the ocx file they mention

Right clicking & getting the properties for them they say this in order they are in pic

DWEASY36 - Easy Subclassing Control for SpyWorks
Desaware SpyWorks 6 Subclassing Control - Special analyzed build
Desaware SpyWorks 6 Windows Hook Control
Desaware Winsock Library - SpyWorks vb6 editon.
DWSPY32 SpyWorks subclassing engine DLL
SpyWorks support library.

I have never installed anything called that :confused: :confused: Maybe it would be better to format, they say their soft doesnt get installed without U being told of it, i can assure U, i didnt see anything in any EULA saying it contained it, i still have a hunch it might be Trillian pro though, but aint sure

BaNzI :D

EDIT: Have downloaded TrojanHunter ( i have Tauscan installed & it doesnt pick anything up)

Another thing that might be related to this is i seem to be losing my cable net connection, happened when i first tried to edit this post, Opera just sat there sayin "connecting to remote host dvdrbase.com", it not the firewall blocking it (i have Outpost 2.1 attack detection plugin set to block attackers IP, i know it not that cause it blocks it for 60 mins), when i lose my connection i have to reboot to get it back :confused: :confused:
 
It's strange that SpySweeper would report this, and none of the other programs you've tried do. This may sound simple, but does the keylogger show up in Control Panel/Add or Remove Programs list? Or do you see it in the run section of your registry? I'd also check for program directories either in the root of your hard drive, or under C:\program files (be sure you can view hidden files and folders).

NoSpam
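
The manual checks suggested above (Add or Remove Programs, the registry Run keys, program directories), plus the file-properties check on the Desaware files, as an added example that is not part of the original thread. It assumes a Windows system with PowerShell 3.0 or later, which the XP machine discussed here would not have by default; the search pattern is built only from names mentioned in the thread.

```powershell
# Added example: read-only triage of a suspected system-monitor detection.
# Assumption: names to search for are taken from this thread only.
$pattern = 'WinWhatWhere|TrueActive|Desaware|SpyWorks'

# 1. Add or Remove Programs entries (machine-wide, 32-bit view, per-user).
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { "$($_.DisplayName) $($_.Publisher)" -match $pattern } |
    Select-Object DisplayName, Publisher, InstallLocation

# 2. Every Run / RunOnce autostart value, listed in full so that an
#    unfamiliar or renamed entry stands out (a monitor may not use its own name).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
    }
}

# 3. Program directories in the drive root and Program Files.
#    -Force includes hidden and system folders.
Get-ChildItem -Path "$env:SystemDrive\", $env:ProgramFiles -Directory -Force `
        -ErrorAction SilentlyContinue |
    Where-Object Name -match $pattern |
    Select-Object FullName, CreationTime

# 4. Version resources of the DW* components in System32, the same data
#    shown on the Properties dialog. A shared third-party control such as
#    dwshk36.ocx identifies its vendor here, not the application that shipped it.
Get-ChildItem -Path "$env:windir\System32" -Filter 'dw*' -File -Force |
    Where-Object { $_.Extension -in '.ocx', '.dll' } |
    Select-Object Name, CreationTime,
        @{ n = 'Company';     e = { $_.VersionInfo.CompanyName } },
        @{ n = 'Description'; e = { $_.VersionInfo.FileDescription } }
```

The creation times from steps 3 and 4 can be compared against the dates other software was installed or updated to narrow down which installer dropped the shared files.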
 
Cheers NoSpam :)

I have checked all the run sections in registry, nothing is listed there for it, all i have is Avast mail scanner, Avast Antivirus, 2 nvidia thingys, Nod (disabled) & Outpost firewall, nothing in root of drive apart from one file i not sure about, name of it is APCOALEE (no extension), nothing else where either, just those files i posted in screengrab, i always turn off hide known file extensions & turn on show system files & hidden folders, starting to think that maybe it a false positive from SpySweeper, but as U can see from SpySweeper's description, who wouldnt be worried after reading it :confused:

BaNzI :D
 