anthrorules
Premium Member
join:2003-09-14
Rollinsville, CO

anthrorules

Premium Member

SpySweeper: E-Surveiller: Inaccurate?

Screenshot #1
Screenshot #2
Hello all,

I updated the new definitions for Webroot's SpySweeper this evening and ran a scan.

It came up with E-Surveiller with six traces found in my computer (See Screenshot #1).

Here is the description of E-Surveiller provided by Webroot:
========================================================
SYSTEM MONITOR Description:

Name:
E-Surveiller

Author:
E-Surveiller.com

Category:
System Monitor

Threat Assessment:
High

Description:

E-Surveiller is a keystroke monitoring program that records all keystrokes typed and stores them in an encrypted log file for later retrieval.

Characteristics:

E-Surveiller is a monitoring tool capable of viewing your desktop in real time and recording all computer activity. The program logs keystrokes, system activity, window titles and file changes. E-Surveiller runs in the background, so it is invisible to the user. Log files documenting your computer activity are sent to the attacker via email or ftp.

Method of Infection:

E-Surveiller can be installed by someone with administrative access to your computer, such as a system administrator or someone that shares your computer. An attacker also can install E-Surveiller through 3rd party chat programs, dependent upon your security settings. For more information about Windows security settings, please visit Microsoft's Security page at »www.microsoft.com/security/home.

Additional Comments:

None
========================================================
I researched this finding further:

»www.e-surveiller.com/
»www.google.com/search?so ··· rveiller
»www.pestpatrol.com/PestI ··· ller.asp

Based on PestPatrol's explanation, the following processes would be running:

27e60777d4f54ad1a32c24fc87292594.exe
esread.exe
estation.exe
esurveiller.exe
makensis.exe

None of these processes are running in my computer:
=====================================================
Process PID CPU Description Company Name
AdMunch.exe 3736
agentsvr.exe 1952 Microsoft Agent Server Microsoft Corporation
alg.exe 1492 Application Layer Gateway Service Microsoft Corporation
Apache.exe 1504
Apache.exe 1992
avgamsvr.exe 1516 AVG Alert Manager GRISOFT, s.r.o.
avgcc.exe 3160 AVG Control Center GRISOFT, s.r.o.
avgemc.exe 3168 AVG E-Mail Scanner GRISOFT, s.r.o.
avgupsvc.exe 1536 AVG Update Service GRISOFT, s.r.o.
bdmcon.exe 2896 BitDefender Management Console SOFTWIN S.R.L.
bdss.exe 2700
cfexec.exe 1588 ColdFusion Executive Macromedia Inc.
cfrdsservice.exe 1608 ColdFusion Remote Data Services Macromedia Inc.
cfserver.exe 1548 ColdFusion Server Macromedia Inc.
CoolMon.exe 924 CoolMon Executeable The CoolMon Project
csrss.exe 752 Client Server Runtime Process Microsoft Corporation
dllhost.exe 2344 COM Surrogate Microsoft Corporation
dpcnav.exe 880 Navigator Hughes Network Systems
dpcproxy.exe 1720 Webcast Proxy Server Hughes Network Systems
DPCs 0 2 Deferred Procedure Calls
dpcstart.exe 3944 Startup Utility Hughes Network Systems
DUMeter.exe 3144 DU Meter Hagel Technologies
explorer.exe 3036 Windows Explorer Microsoft Corporation
fapmon.exe 3056 FAPMon for DirecWay Internet TecnoApoyo Group
hotsync.exe 948 HotSync® Manager Application Palm Computing, Inc., a 3Com Company
hpoant07.exe 836 HP OfficeJet COM Device Objects Hewlett-Packard Co.
hpoevm07.exe 3352 HP OfficeJet COM Event Manager Hewlett-Packard Co.
hpofxm07.exe 3176 HP OfficeJet G Series Fax Manager Hewlett-Packard Co.
hpoipm07.exe 3896 PML Driver HP
hposts07.exe 3276 HP OfficeJet Status Hewlett-Packard Co.
IEXPLORE.EXE 1396 Internet Explorer Microsoft Corporation
inetinfo.exe 1792 Internet Information Services Microsoft Corporation
Interrupts 0 Hardware Interrupts
jrun.exe 1648
lsass.exe 832 LSA Shell (Export Version) Microsoft Corporation
msdtc.exe 3188 MS DTC console program Microsoft Corporation
mysqld-nt.exe 528
named.exe 2104
NOTEPAD.EXE 3908 Notepad Microsoft Corporation
ntConsoleJava.exe 1752
nvsvc32.exe 624
PDSched.exe 2096 PDSched Module Raxco Software, Inc.
procexp.exe 3816 3 Sysinternals Process Explorer Sysinternals
regprot.exe 3744 DiamondCS RegistryProt Diamond Computer Systems Pty. Ltd.
Remind32.exe 3712 Remind32.exe IntelliQuest Communications, Inc.
schedhlp.exe 3436 Acronis Scheduler Helper Acronis
schedul2.exe 1464 Acronis Scheduler 2 Acronis
services.exe 820 Services and Controller app Microsoft Corporation
smss.exe 460 Windows NT Session Manager Microsoft Corporation
spoolsv.exe 1364 Spooler SubSystem App Microsoft Corporation
SpySweeper.exe 3904 Spy Sweeper Webroot Software, Inc.
sqlservr.exe 1816 SQL Server Windows NT Microsoft Corporation
StartupMonitor.exe 3120
svchost.exe 1008 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1092 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1236 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1132 2 Generic Host Process for Win32 Services Microsoft Corporation
System 4
System Idle Process 0 94
tds-3.exe 1252 TDS-3 Professional Diamond Computer Systems Pty. Ltd.
TrueImageMonitor.exe 3320 TrueImage Acronis
VisualZone.exe 2056 VisualZone Visualize Software
vsmon.exe 1188 TrueVector Service Zone Labs Inc.
wcescomm.exe 3868 Connection Manager Microsoft Corporation
WCESMgr.exe 968 ActiveSync Application Microsoft Corporation
weatherpulse.exe 2784
winampa.exe 3444
winlogon.exe 776 Windows NT Logon Application Microsoft Corporation
wwDisp.exe 3756 Window Washer hard disk cleaning utility Webroot Software
xcommsvr.exe 3216 BitDefender Communicator Server Softwin
zlclient.exe 3196 Zone Labs Client Zone Labs Inc.
=====================================================
Based on PestPatrol's explanation, Registry key installed:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\e-surveiller station

Not installed in my computer (Screenshot #2).

Anyone else see this show up when they run the SpySweeper scan with the newest definitions?

If not, would someone explain to me what is going on?

Thanks in advance.

jmn1207
Premium Member
join:2000-07-19
Sterling, VA

jmn1207

Premium Member

It has to be a false positive. I had the same results after updating the definitions. If e-Surveiller was on this machine, it wasn't working as advertised.

I'm almost certain this is an error on Spy Sweeper's side.
bibbe
join:2003-09-20
SE

bibbe to anthrorules

Member

to anthrorules
I have the same problem after last update

bibbe

muf9
Captain of the axe
Premium Member
join:2003-01-04
uk

muf9 to anthrorules

Premium Member

to anthrorules
What program/location is SS picking this detection up from? It looks quite obviously like a FP and you need to let Webroot know what file on your pc is triggering this response from SS.

Any FPs I've found I always send via the built-in 'Report spyware'. Webroot then sends an e-mail asking for a copy of the file.

muf

Buddel-
@t-dialin.net


Buddel- to anthrorules

Anon

to anthrorules
Spy Sweeper also found "e-surveiller" on my computer after yesterday's update. What should I do with the two files that are in the Spy Sweeper quarantine folder? Should I just delete them or should I keep them in the quarantine folder? TIA.

Mod Note: Contents of zip file correctly converted from BMP format to JPEG format and posted... this was a Bitmap incorrectly named as a JPEG ... converted and reposted ~G~

Sparrow
Crystal Sky
Premium Member
join:2002-12-03
Sachakhand


Sparrow

Premium Member

Getting paranoid in my old age, that's all.
B04
Premium Member
join:2000-10-28

B04

Premium Member

said by Sparrow:
May I ask the reason for uploading them here?

Hey Mods!

Uh, Crystal Sky, he just uploaded a zipped JPEG...



-- B

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

Buddel to anthrorules

Premium Member

to anthrorules
I wanted to upload a JPEG file, but it was too large. This is the reason why I zipped it. What's wrong with it?
Buddel

Buddel to Buddel-

Premium Member

to Buddel-
quote:
Mod Note: Contents of zip file correctly converted from BMP format to JPEG format and posted... this was a Bitmap incorrectly named as a JPEG ... converted and reposted ~G~

Thanks for converting my file. :)

kcazzie
One Of Jerry's Kids
Premium Member
join:2000-08-13
Morton Grove, IL

kcazzie to anthrorules

Premium Member

to anthrorules
I ran Spy Sweeper and Spyaudit, and it too found a keystroke application on my PC... I've looked and looked and I'm pretty sure there isn't one... I'm thinking, is this a scam to get me to buy the application, or just a false positive? I use Window Washer and it seems like a good product; the company seems to be on the up and up... But if I didn't know better I may have paid 30 bucks for it...

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

Buddel to anthrorules

Premium Member

to anthrorules
Since Spy Sweeper detected "e-Surveiller" on so many computers, I do think it is a false positive. But I can't be sure about it. So what am I supposed to do with the files that are now in the Spy Sweeper quarantine folder? Should I simply restore them? What did you do with the files that Spy Sweeper detected on your computers?

jmn1207
Premium Member
join:2000-07-19
Sterling, VA

jmn1207

Premium Member

said by Buddel:
Since Spy Sweeper detected "e-Surveiller" on so many computers, I do think it is a false positive. But I can't be sure about it. So what am I supposed to do with the files that are now in the Spy Sweeper quarantine folder? Should I simply restore them? What did you do with the files that Spy Sweeper detected on your computers?

There was no file, and no such registry keys existed on my computer. I let Spy Sweeper delete...what wasn't there. I've had no problems since.
anthrorules
Premium Member
join:2003-09-14
Rollinsville, CO

anthrorules

Premium Member

I've emailed WebRoot about this issue. Ran another scan this evening and this Monitor program was again reported. Deleted the dat files; I assume that this program will continually show up until WebRoot releases an update that eradicates this very annoying false positive.

jmn1207
Premium Member
join:2000-07-19
Sterling, VA

jmn1207

Premium Member

Ok, I had to double check and find out exactly what was causing this false positive.

What Spy Sweeper is seeing is a function of Zone Alarm's Mail Safe utility. Zone Alarm, with Mail Safe activated, will convert any file that has an extension ".lnk" to ".zlg" for protection against potential exploits. The problem is that a file with the extension ".zlg" corresponds to a 3 year old, nasty little tool that can be used to spy on us, e-Surveiller.

The references to ".zlg" that Spy Sweeper sees are simply the registry entries that Zone Alarm uses to secure files with the extension ".lnk". If you delete these files, Zone Alarm will create these when it restarts.
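An added example, not code from the thread, Webroot or Zone Labs: a small Python triage script that reproduces what the posters did by hand, checking a Process Explorer listing for the process names PestPatrol attributes to E-Surveiller (first post) and sorting quarantined registry paths by the .zlg explanation above. The sample listing and the `HKEY_CLASSES_ROOT\.zlg` path are constructed placeholders; the thread does not give the actual ZoneAlarm registry entries.

```python
# Added triage example (not from the thread). Two checks a defender runs before
# trusting a scanner hit: are the vendor's own indicators actually present, and
# does the quarantined registry path have a benign explanation (MailSafe's .zlg)?

# Process names PestPatrol lists for E-Surveiller (quoted in the first post).
ESURVEILLER_PROCESSES = {
    "27e60777d4f54ad1a32c24fc87292594.exe", "esread.exe", "estation.exe",
    "esurveiller.exe", "makensis.exe",
}
# RunOnce key PestPatrol lists as the install indicator (also quoted above).
ESURVEILLER_RUNONCE = (r"hkey_current_user\software\microsoft\windows"
                       r"\currentversion\runonce\e-surveiller station")


def parse_procexp(listing):
    """Image names (lower-cased) from a Process Explorer text export.
    The first token of every row after the header is the image name;
    pseudo-rows such as 'System Idle Process' are harmless noise here."""
    names = set()
    for line in listing.strip().splitlines()[1:]:
        tokens = line.split()
        if tokens:
            names.add(tokens[0].lower())
    return names


def indicator_status(listing):
    """Return (absent, present) lists of the E-Surveiller process names."""
    running = parse_procexp(listing)
    return (sorted(ESURVEILLER_PROCESSES - running),
            sorted(ESURVEILLER_PROCESSES & running))


def classify_registry_hit(key_path):
    """Bucket a quarantined registry path from a SpySweeper report."""
    key = key_path.strip().lower()
    if key == ESURVEILLER_RUNONCE:
        return "esurveiller-runonce"        # the real install indicator
    # A path component that is the literal ".zlg" extension: what ZoneAlarm's
    # MailSafe renames .lnk attachments to (jmn1207's finding above).
    if any(part == ".zlg" for part in key.split("\\")):
        return "zlg-extension"
    return "unknown"                        # send the file to the vendor


# Constructed sample: a short excerpt in Process Explorer's export layout.
SAMPLE_LISTING = """\
Process PID CPU Description Company Name
explorer.exe 3036 Windows Explorer Microsoft Corporation
SpySweeper.exe 3904 Spy Sweeper Webroot Software, Inc.
vsmon.exe 1188 TrueVector Service Zone Labs Inc.
System Idle Process 0 94
"""

if __name__ == "__main__":
    print("absent/present:", indicator_status(SAMPLE_LISTING))
    print(classify_registry_hit(r"HKEY_CLASSES_ROOT\.zlg"))  # constructed path
```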
anthrorules
Premium Member
join:2003-09-14
Rollinsville, CO

anthrorules

Premium Member

Thanks for the follow-up! I appreciate it.

I wonder if this glitch has anything to do with the fact that since I deleted those items via SpySweeper I no longer get inbound events logged in Zone Alarm (well, one UDP scan since I removed the items on Friday evening)?

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

1 recommendation

Buddel to jmn1207

Premium Member

to jmn1207
said by jmn1207:
Ok, I had to double check and find out exactly what was causing this false positive.

What Spy Sweeper is seeing is a function of Zone Alarm's Mail Safe utility...
Hm... I wonder what Spy Sweeper is seeing on my computer. I don't use Zone Alarm, so it must be something different here. :(
anthrorules
Premium Member
join:2003-09-14
Rollinsville, CO

anthrorules

Premium Member

Maybe your AV or another security product changes file extensions? Some AV programs do the same thing as the ZA+ and ZAP MailSafe feature.

jmn1207
Premium Member
join:2000-07-19
Sterling, VA

jmn1207 to Buddel

Premium Member

to Buddel
said by Buddel:
said by jmn1207:
Ok, I had to double check and find out exactly what was causing this false positive.

What Spy Sweeper is seeing is a function of Zone Alarm's Mail Safe utility...
Hm... I wonder what Spy Sweeper is seeing on my computer. I don't use Zone Alarm, so it must be something different here. :(

I'm not sure how Spy Sweeper discovered e-Surveiller on your computer; however, I will tell you that the quarantined items that you show are much different than the ones that anthrorules and I had. I had 6 registry key entries all relating to Zone Alarm's Mail Safe *.ZLG extensions. You are showing something a bit different in the attachment you posted above.

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU


Buddel

Premium Member

said by jmn1207:
I'm not sure how Spy Sweeper discovered e-Surveiller on your computer; however, I will tell you that the quarantined items that you show are much different than the ones that anthrorules and I had. I had 6 registry key entries all relating to Zone Alarm's Mail Safe *.ZLG extensions. You are showing something a bit different in the attachment you posted above.

Yes, you're right, the items you are talking about are a bit different from the stuff Spy Sweeper detected on my computer. That's why I wrote that "it must be something different here". Anyway, I sent the Webroot guys an email, hoping that they will be able to tell me what I should do with the files that are now situated in the Spy Sweeper quarantine folder. I do think the detected items are false positives, but I would like to be 100 per cent sure about it.

jmn1207
Premium Member
join:2000-07-19
Sterling, VA

jmn1207

Premium Member

I will continue to post anything new that I discover or hear about concerning this issue. I also sent Spy Sweeper support an email describing the problem I was having. Please keep us all informed if you learn anything new.

Thanks.

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

Buddel

Premium Member

said by jmn1207:
... Please keep us all informed if you learn anything new...

I will post back as soon as I get a reply from Webroot. :)
anthrorules
Premium Member
join:2003-09-14
Rollinsville, CO

anthrorules

Premium Member

Well, that makes at least three of us who've emailed WebRoot, so hopefully at least one of us will post replies we receive.

Rifleman
Premium Member
join:2004-02-09
p1a

Rifleman to anthrorules

Premium Member

to anthrorules
I bought Spysweeper and just updated and ran a scan--guess what? E-Surveiller. AVG, TDS, Adaware, Trojan Hunter, Spybot S&D---all say clean. Must be a bug. I will mail Webroot also.
Spooky88
join:2001-01-02
Crestview, FL

Spooky88 to anthrorules

Member

to anthrorules
After reading this thread I feel much better. I too started getting the e-Surveiller found syndrome. I used a Ghost backup from Oct, then updated Spysweeper and it "found" it again. I became so paranoid that I reformatted and reinstalled my Win2K OS. Spent almost the entire day getting everything back to "normal". I also ran Pest Patrol and Spybot, which did not find e-Surveiller. After doing a search on Google I found this thread. I am now going to monitor it to see what Webroot has to say.

But this is a BIG relief. Hopefully it will be cleared up.

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

Buddel

Premium Member

said by Spooky88:
...Hopefully it will be cleared up.

I'm convinced it will soon be cleared up. Webroot probably got lots of emails from their customers, so they should be aware of this problem now. If you get a reply from their support team, please let us know.

Rifleman
Premium Member
join:2004-02-09
p1a

1 recommendation

Rifleman to anthrorules

Premium Member

to anthrorules
I got an answer from Webroot today. Here is the text: Update your definitions. The issue has been resolved.
B04
Premium Member
join:2000-10-28

B04

Premium Member


That's the whole text? They've got the whole touchy-feely compassionate business partner mea culpa vision thing down pat, haven't they.

-- B

jmn1207
Premium Member
join:2000-07-19
Sterling, VA

jmn1207 to Rifleman

Premium Member

to Rifleman
said by Rifleman:
I got an answer from Webroot today. Here is the text: Update your definitions. The issue has been resolved.

That does seem a bit terse and impersonal. Oh well, I'll check with the new definitions when I get home.

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

Buddel

Premium Member

said by jmn1207:
said by Rifleman:
I got an answer from Webroot today. Here is the text: Update your definitions. The issue has been resolved.

That does seem a bit terse and impersonal. Oh well, I'll check with the new definitions when I get home.

I'm still waiting for an answer from Webroot. The one Rifleman got is really a bit impersonal, but as long as they offer a solution to this problem I shouldn't complain.
anthrorules
Premium Member
join:2003-09-14
Rollinsville, CO

anthrorules to Rifleman

Premium Member

to Rifleman
That is a bit impersonal and I've still yet to receive a reply to the email I sent to WebRoot over the weekend.