ScreenSpy on my Computer?



cjdnzl
06-06-2006, 12:04 AM
I run a more or less regular scan for ad/spyware on my machine, using several utilities for the purpose, including Ad-Aware SE personal, Spybot Search & Destroy, Windows defender, ZoneAlarm Pro, and a controversial program, NoAdware.

Recently, NoAdware supposedly found ScreenSpy on my computer, a nasty program that records screenshots every 30 seconds or so and transmits them to the hacker that put it on my machine. I bailed out of NoAdware without allowing it to remove the spyware, and ran the other programs in turn to see if they could find this ScreenSpy spyware. None of the other programs found anything at all.

I perused the net to see what I could find, and found that at least some versions of ScreenSpy are legit in that they are sold for covert surveillance of kids', spouses', or employees' use of the computer - underhand to say the least, in my book. Symantec says that it takes a direct installation to put it on a computer, implying that it can't be delivered over the net.

I was leaning toward accepting that NoAdware was mistaken, since none of the other programs found anything, but just on impulse I decided to search the registry. I ran Regedit and entered "screen spy" as a search key - and there it was. Under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\C4EE31F3-4758-11D2-BE5C-00A0C9A8\FilesNamed MRU\ was REG_SZ win16dll, 'copdad', 'screenspy', and 'screen spy' 3 times.

Symantec mentioned win16.dll and the copdad folder as items belonging to ScreenSpy, but I did not find the actual copdad folder or win16.dll, presumably removed earlier by one of the antispyware programs; the registry entries, however, were found by NoAdware but not removed.

If anyone has more information on this situation I would like to know please.

SurferJoe46
06-06-2006, 02:23 AM
ScreenSpy captures screenshots of a remote computer running Windows95/98/ME/NT3.5x/NT4.x/2000/XP/2003.

ScreenSpy accesses the remote computer through any Internet web browser, as long as the computer is not running behind a firewall. Because of these features, ScreenSpy may be utilized as a lightweight solution for technical support and assistance over the Internet.

OK...so you are missing a firewall? Shame!

Post a HiJackThis scan from Safe Mode and let's see what you've got running.

http://www.majorgeeks.com/download3155.html is the place I get HiJackThis.

tweak'e
06-06-2006, 12:09 PM
NoAdware was a known rip-off antispyware. I wouldn't trust it with a 20ft barge pole.

cjdnzl
06-06-2006, 12:43 PM
Ok, thanks for the replies there. Firstly, to Surfer Joe, thank you for the offer to look at a HJT scan, which is listed below. I do have a firewall, ZoneAlarm Pro, and I am behind a router with NAT as well, and I have read that SS won't work behind a firewall, so I have more questions than answers. I could find no trace of files associated with SS, but the entries were definitely in the registry as in my first post. BTW this is a recent clean install, about 3 weeks old, with all service packs and updates current. I normally use Opera for browsing, but had to use IE for a site that won't work in Opera (Photodex).

To Tweak'e, I know that NoAdware was controversial, but version 3 is said to be OK by SpywareWarriors.com (I think that's the name). It did find SS entries in the registry, which no other program did.

Ok, here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:27:41 p.m., on 6/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Opera\Opera.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
F:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Implements TweakBHO - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148706262015
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
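Since the thread turns on reading a HijackThis log by eye, here is an added example (not from the thread and not HijackThis' own code) of a small Python triage script for that log format: it parses the section-prefixed entry lines, pulls out the CLSID where one is present, and flags the entries a reviewer would check first. The flag heuristics are my own assumptions, and the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis (HJT) log: parse entry lines and flag ones worth a closer look."""
import re

# Constructed sample: a handful of lines taken from the thread's log (wrapped lines rejoined).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148706262015
O23 - Service: ScsiAccess - Unknown owner - C:\\Program Files\\Photodex\\ProShowGold\\ScsiAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe
"""

# HJT entry lines start with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Windows CLSIDs: 8-4-4-4-12 hex digits in braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Return a list of (section, body, clsid_or_None) for every entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the "Running processes" block, blanks
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append((m.group("sec"), body, c.group(0) if c else None))
    return entries


def triage(entries):
    """Attach a reason to each entry a reviewer should inspect first.
    Heuristics are assumptions for this example, not HJT's own logic."""
    flagged = []
    for sec, body, _clsid in entries:
        reasons = []
        if "(no file)" in body:
            reasons.append("points at a missing file (orphaned registry hook)")
        if body.startswith(("BHO: (no name)", "Extra button: (no name)")):
            reasons.append("unnamed browser extension")
        if sec == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher recorded")
        if sec == "O16" and "microsoft.com" not in body.lower():
            reasons.append("ActiveX control downloaded from a non-Microsoft host")
        if reasons:
            flagged.append((sec, body, "; ".join(reasons)))
    return flagged
```

Most flags are benign on a clean machine (the unnamed BHO above is Spybot's own helper), so the output is a reading order for the human reviewer, not a verdict.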