[Screenshot #1]
[Screenshot #2]
Hello all,
I updated the new definitions for Webroot's SpySweeper this evening and ran a scan.
It came up with E-Surveiller, with six traces found on my computer (see Screenshot #1).
Here is the description of E-Surveiller provided by Webroot:
========================================================
SYSTEM MONITOR Description:
Name: E-Surveiller
Author: E-Surveiller.com
Category: System Monitor
Threat Assessment: High
Description: E-Surveiller is a keystroke monitoring program that records all keystrokes typed and stores them in an encrypted log file for later retrieval.
Characteristics: E-Surveiller is a monitoring tool capable of viewing your desktop in real time and recording all computer activity. The program logs keystrokes, system activity, window titles and file changes. E-Surveiller runs in the background, so it is invisible to the user. Log files documenting your computer activity are sent to the attacker via email or FTP.
Method of Infection: E-Surveiller can be installed by someone with administrative access to your computer, such as a system administrator or someone that shares your computer. An attacker also can install E-Surveiller through 3rd party chat programs, dependent upon your security settings. For more information about Windows security settings, please visit Microsoft's Security page at www.microsoft.com/security/home.
Additional Comments: None
========================================================
I researched this finding further:
www.e-surveiller.com/
www.google.com/search?so ··· rveiller
www.pestpatrol.com/PestI ··· ller.asp
Based on PestPatrol's explanation, the following processes would be running:
27e60777d4f54ad1a32c24fc87292594.exe
esread.exe
estation.exe
esurveiller.exe
makensis.exe
None of these processes are running on my computer:
=====================================================
Process PID CPU Description Company Name
AdMunch.exe 3736
agentsvr.exe 1952 Microsoft Agent Server Microsoft Corporation
alg.exe 1492 Application Layer Gateway Service Microsoft Corporation
Apache.exe 1504
Apache.exe 1992
avgamsvr.exe 1516 AVG Alert Manager GRISOFT, s.r.o.
avgcc.exe 3160 AVG Control Center GRISOFT, s.r.o.
avgemc.exe 3168 AVG E-Mail Scanner GRISOFT, s.r.o.
avgupsvc.exe 1536 AVG Update Service GRISOFT, s.r.o.
bdmcon.exe 2896 BitDefender Management Console SOFTWIN S.R.L.
bdss.exe 2700
cfexec.exe 1588 ColdFusion Executive Macromedia Inc.
cfrdsservice.exe 1608 ColdFusion Remote Data Services Macromedia Inc.
cfserver.exe 1548 ColdFusion Server Macromedia Inc.
CoolMon.exe 924 CoolMon Executeable The CoolMon Project
csrss.exe 752 Client Server Runtime Process Microsoft Corporation
dllhost.exe 2344 COM Surrogate Microsoft Corporation
dpcnav.exe 880 Navigator Hughes Network Systems
dpcproxy.exe 1720 Webcast Proxy Server Hughes Network Systems
DPCs 0 2 Deferred Procedure Calls
dpcstart.exe 3944 Startup Utility Hughes Network Systems
DUMeter.exe 3144 DU Meter Hagel Technologies
explorer.exe 3036 Windows Explorer Microsoft Corporation
fapmon.exe 3056 FAPMon for DirecWay Internet TecnoApoyo Group
hotsync.exe 948 HotSync® Manager Application Palm Computing, Inc., a 3Com Company
hpoant07.exe 836 HP OfficeJet COM Device Objects Hewlett-Packard Co.
hpoevm07.exe 3352 HP OfficeJet COM Event Manager Hewlett-Packard Co.
hpofxm07.exe 3176 HP OfficeJet G Series Fax Manager Hewlett-Packard Co.
hpoipm07.exe 3896 PML Driver HP
hposts07.exe 3276 HP OfficeJet Status Hewlett-Packard Co.
IEXPLORE.EXE 1396 Internet Explorer Microsoft Corporation
inetinfo.exe 1792 Internet Information Services Microsoft Corporation
Interrupts 0 Hardware Interrupts
jrun.exe 1648
lsass.exe 832 LSA Shell (Export Version) Microsoft Corporation
msdtc.exe 3188 MS DTC console program Microsoft Corporation
mysqld-nt.exe 528
named.exe 2104
NOTEPAD.EXE 3908 Notepad Microsoft Corporation
ntConsoleJava.exe 1752
nvsvc32.exe 624
PDSched.exe 2096 PDSched Module Raxco Software, Inc.
procexp.exe 3816 3 Sysinternals Process Explorer Sysinternals
regprot.exe 3744 DiamondCS RegistryProt Diamond Computer Systems Pty. Ltd.
Remind32.exe 3712 Remind32.exe IntelliQuest Communications, Inc.
schedhlp.exe 3436 Acronis Scheduler Helper Acronis
schedul2.exe 1464 Acronis Scheduler 2 Acronis
services.exe 820 Services and Controller app Microsoft Corporation
smss.exe 460 Windows NT Session Manager Microsoft Corporation
spoolsv.exe 1364 Spooler SubSystem App Microsoft Corporation
SpySweeper.exe 3904 Spy Sweeper Webroot Software, Inc.
sqlservr.exe 1816 SQL Server Windows NT Microsoft Corporation
StartupMonitor.exe 3120
svchost.exe 1008 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1092 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1236 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1132 2 Generic Host Process for Win32 Services Microsoft Corporation
System 4
System Idle Process 0 94
tds-3.exe 1252 TDS-3 Professional Diamond Computer Systems Pty. Ltd.
TrueImageMonitor.exe 3320 TrueImage Acronis
VisualZone.exe 2056 VisualZone Visualize Software
vsmon.exe 1188 TrueVector Service Zone Labs Inc.
wcescomm.exe 3868 Connection Manager Microsoft Corporation
WCESMgr.exe 968 ActiveSync Application Microsoft Corporation
weatherpulse.exe 2784
winampa.exe 3444
winlogon.exe 776 Windows NT Logon Application Microsoft Corporation
wwDisp.exe 3756 Window Washer hard disk cleaning utility Webroot Software
xcommsvr.exe 3216 BitDefender Communicator Server Softwin
zlclient.exe 3196 Zone Labs Client Zone Labs Inc.
=====================================================
Based on PestPatrol's explanation, the registry key installed would be:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\e-surveiller station
It is not installed on my computer (Screenshot #2).
Anyone else see this show up when they run the SpySweeper scan with the newest definitions?
If not, would someone explain to me what is going on?
Thanks in advance.
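The check the post performs by hand (compare the running process list against the names PestPatrol gives, then look for the RunOnce value) can be scripted so it is repeatable after each definition update. The following PowerShell is an added example written for this page, not code from the original post, from Webroot or from PestPatrol. The process names and the registry location are the ones quoted in the post; the on-disk search roots and the function name Test-ESurveillerTraces are assumptions made for the example.

```powershell
# Added example, not part of the original post or of Webroot/PestPatrol tooling.
# Re-checks the two indicators the post took from PestPatrol's E-Surveiller entry
# (process names and the RunOnce value) and adds an on-disk name search, since a
# scanner's "traces" can be files that never run. Search roots are an assumption.

function Test-ESurveillerTraces {
    [CmdletBinding()]
    param(
        # Process names taken verbatim from the post.
        [string[]] $ProcessNames = @(
            '27e60777d4f54ad1a32c24fc87292594.exe',
            'esread.exe',
            'estation.exe',
            'esurveiller.exe',
            'makensis.exe'
        ),
        # Registry location taken from the post (HKEY_CURRENT_USER\...\RunOnce).
        [string] $RunOnceKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        [string] $RunOnceValue = 'e-surveiller station',
        # Assumed search roots for the file check; adjust to the machine being examined.
        [string[]] $SearchRoots = @($env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE)
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Running processes. Get-Process reports names without the extension, so append
    #    it; -contains compares case-insensitively, matching Process Explorer's mixed case.
    $running = Get-Process | ForEach-Object { "$($_.ProcessName).exe" }
    foreach ($name in $ProcessNames) {
        if ($running -contains $name) {
            $findings.Add("RUNNING  process $name")
        }
    }

    # 2. RunOnce value. A missing key or value is the clean state, so errors are
    #    suppressed and only a present value is reported, together with its data.
    $props = Get-ItemProperty -Path $RunOnceKey -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $RunOnceValue)) {
        $findings.Add("REGISTRY $RunOnceKey\$RunOnceValue = $($props.$RunOnceValue)")
    }

    # 3. Files on disk carrying any of the names, whether or not they are running.
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $ProcessNames -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("FILE     $($_.FullName)") }
    }

    return $findings
}

$result = Test-ESurveillerTraces
if ($result.Count -eq 0) {
    Write-Output 'No E-Surveiller process, RunOnce value, or file name found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell so the file search can read system directories. Two caveats when reading the output: makensis.exe is the compiler of the NSIS installer toolkit, so a hit on that name alone is weak evidence and the other names and the RunOnce value carry the weight; and a clean result from all three checks still does not say what the scanner matched, so the six trace paths in Spy Sweeper's own scan log are the thing to compare against before deciding the detection is a false positive.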