Contributor
KnowPeace01
Posts: 14
Registered: 09-08-2008
Accepted Solution

SpyWare / Remote Monitors w/ hidden files

[ Edited ]

I have discovered the presence of a remote monitoring software program on my personal computer.  Norton did not discover this program, though it is listed in your database with known registry keys and files.  I downloaded other software as suggested in a prior post and both programs identified the remote monitoring program, though Norton still had not.

 

Is there a way to specify several files that you wish to block?  The special circumstance here is that the files are hidden and I was only able to view them in the registry.  You can not select them from a list of running processes because they aren't listed there.  You would have to manually enter the file name and ask Norton to block it.

 

Any ideas?

 

(I am using Windows XP, disabled Windows Firewall and use Norton's, automatic live updates, automatic microsoft updates)

Message Edited by KnowPeace01 on 12-03-2008 11:35 AM
Bot Obliterator
Quads
Posts: 13,898
Registered: 07-21-2008

Re: SpyWare / Remote Monitors w/ hidden files

Hi

 

Do you have the name given for your infection??

 

Also tick the "show hidden files and folders" and the one for "protected system files". Now you will be able to see hidden folders. 

 

Quads 

Contributor
KnowPeace01
Posts: 14
Registered: 09-08-2008

Re: SpyWare / Remote Monitors w/ hidden files

Yes - It's WebWatcher (UltraView).
Contributor
KnowPeace01
Posts: 14
Registered: 09-08-2008

Re: SpyWare / Remote Monitors w/ hidden files

I found dtor.exe in HKEY_USERS\S-1-5-21-3749964529-1770875063-495757756-1008\Software\Microsoft\Search Assistant\ACMru\5604

Class Name: <No Class>

Last Write Time: 12/2/2008 - 7:39 PM

Value 0

Also listed

Name: 001 dtor.exe

Name: 002 file backup

Name: 003 msfilea

Name: 004 mssk

Name: 005 aa81232

Name: 006 zw

Name: 007 sem.exe

Name: 008 orlmkpl

Name: 009 isgt

Name: 010 .tps

Name: 011 Record Extract

Name: 012 VIRTUAL PRIVATE NETWORK

Name: 013 SPN

Name: 014 calendar creator

Name: 015 1910938

Name: 016 greeting card

Name: 017 'net conferencing'

Name: 018 conference

Name: 019 isass

Name: 020 iss

Name: 021 avserve

Name: 022 isserv

Why were these not detected?? Is it still running?

There is another subfolder that uses registrar.exe and includes the following:

atuvp

front

director

registrar.exe

atuvp (one space before the name)

ccp.dll (one space before the name)

xpre

dattab.dll

3DCAT

log

hallmark

pandora

Archie

outlook

.tps

Defender

temporary internet

cache

Norton

msconf.exe

1910938

mcdonald

'HP Photo' (quotes intentional)

HP

Bot Obliterator
Quads
Posts: 13,898
Registered: 07-21-2008

Re: SpyWare / Remote Monitors w/ hidden files

[ Edited ]

It is an actual product, by Awareness Tech.

 

In Task Manager, on the Processes tab, stop these 2 processes:

dtor.exe
registrar.exe

Delete these registry entries (make sure you have the right numbers):

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atuvp
HKEY_CLASSES_ROOT\AOLMonitorDGC.AOLMonitor
HKEY_CLASSES_ROOT\AOLMonitorDGC.AOLMonitor.1
HKEY_CLASSES_ROOT\CommonCommandProcessor.CommandProcessor
HKEY_CLASSES_ROOT\CommonCommandProcessor.CommandProcessor.1
HKEY_CLASSES_ROOT\DataProxy.MonitorDataProxy
HKEY_CLASSES_ROOT\DataProxy.MonitorDataProxy.1
HKEY_CLASSES_ROOT\DataProxy.PostData
HKEY_CLASSES_ROOT\DataProxy.PostData.1
HKEY_CLASSES_ROOT\IEMonitorDGC.IEMonitor
HKEY_CLASSES_ROOT\IEMonitorDGC.IEMonitor.1
HKEY_CLASSES_ROOT\KeyLoggerDGC.KeyLogger
HKEY_CLASSES_ROOT\KeyLoggerDGC.KeyLogger.1
HKEY_CLASSES_ROOT\MSNMonitorDGC.MSNMonitor
HKEY_CLASSES_ROOT\MSNMonitorDGC.MSNMonitor.1
HKEY_CLASSES_ROOT\OutlookExpressDGC.OEMonitor
HKEY_CLASSES_ROOT\OutlookExpressDGC.OEMonitor.1
HKEY_CLASSES_ROOT\OutlookMonitorDGC.OutlookMonitor
HKEY_CLASSES_ROOT\OutlookMonitorDGC.OutlookMonitor.1
HKEY_CLASSES_ROOT\ScreenCaptureDGC.ScreenCapture
HKEY_CLASSES_ROOT\ScreenCaptureDGC.ScreenCapture.1
HKEY_CLASSES_ROOT\YahooMonitorDGC.YahooMonitor
HKEY_CLASSES_ROOT\YahooMonitorDGC.YahooMonitor.1
HKEY_CLASSES_ROOT\AppID\Registrar.EXE
HKEY_CLASSES_ROOT\AppID\{38352016-D06D-41DF-8B5F-1269A59D0096}
HKEY_CLASSES_ROOT\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}
HKEY_CLASSES_ROOT\CLSID\{27B5E5C3-775A-4870-9BD3-B49694524CFD}
HKEY_CLASSES_ROOT\CLSID\{2FF1ACE6-7599-4079-A70E-7E83B0267624}
HKEY_CLASSES_ROOT\CLSID\{3C311150-55BF-4FBD-AFE0-7091E1D2D32B}
HKEY_CLASSES_ROOT\CLSID\{3C8EFE7C-42B3-44B4-B0A8-1261A49D6426}
HKEY_CLASSES_ROOT\CLSID\{45E922A0-0CD5-4A7B-BD35-44CA52B8390D}
HKEY_CLASSES_ROOT\CLSID\{615EB7A2-E5F7-4500-80B7-9F1E72BEC678}
HKEY_CLASSES_ROOT\CLSID\{67654448-42AD-4097-87AA-BAC1BFDA92B6}
HKEY_CLASSES_ROOT\CLSID\{891CA317-EB89-4025-ABB8-0C1D1472E4E5}
HKEY_CLASSES_ROOT\CLSID\{99947C9C-ACC7-4075-8261-0F586026EF52}
HKEY_CLASSES_ROOT\CLSID\{C0D0F71C-6812-4D95-9C4E-015D45A57803}
HKEY_CLASSES_ROOT\CLSID\{F8A0020A-2C78-47CD-AB7B-CE4181BE2628}
HKEY_CLASSES_ROOT\Interface\{0142B9E1-8F28-474B-AFF1-B41811384D70}
HKEY_CLASSES_ROOT\Interface\{1DAA2A2C-BBB9-4CF4-8D9C-757B61D09FD4}
HKEY_CLASSES_ROOT\Interface\{2430F873-EF85-4ED1-A25A-D3E0D629270A}
HKEY_CLASSES_ROOT\Interface\{309C886A-03B6-4098-B693-40034DFC6622}
HKEY_CLASSES_ROOT\Interface\{3FCDAE39-B685-42B3-AC10-EE04C1781652}
HKEY_CLASSES_ROOT\Interface\{408B762E-A8B3-4BB9-984B-3833FBDA2BCE}
HKEY_CLASSES_ROOT\Interface\{4CDDCA57-3DDE-40C7-A589-018E2DBD9CCA}
HKEY_CLASSES_ROOT\Interface\{571904ED-58B8-4CE6-A213-646B5D9A655A}
HKEY_CLASSES_ROOT\Interface\{595EA054-3660-483C-8A79-0166D4D4702E}
HKEY_CLASSES_ROOT\Interface\{6D9D5ED0-757B-4C9E-BB04-CCF5B036E349}
HKEY_CLASSES_ROOT\Interface\{77585A46-EB87-4517-A0BF-170B678A232E}
HKEY_CLASSES_ROOT\Interface\{82AA44FA-00C1-4A10-BE09-D3B10B9E7F68}
HKEY_CLASSES_ROOT\Interface\{8320962F-305F-4F80-AFBF-427556EB385B}
HKEY_CLASSES_ROOT\Interface\{874FAFF4-CA08-4AD8-A2D1-A6D3322205E7}
HKEY_CLASSES_ROOT\Interface\{8A680A04-51D6-4EBA-A35E-DBBAF0D54525}
HKEY_CLASSES_ROOT\Interface\{9154BB18-A295-45A1-8146-EBA4F0EC1B6D}
HKEY_CLASSES_ROOT\Interface\{98732B25-9BD7-4E90-B8E6-9A709EC60058}
HKEY_CLASSES_ROOT\Interface\{B0F03211-099C-45C5-B638-647E7DC731E7}
HKEY_CLASSES_ROOT\Interface\{BA4CF93B-BEDB-4C19-97AF-C39C1B31A848}
HKEY_CLASSES_ROOT\Interface\{C4655209-406D-49BA-9622-AE0410F50D0E}
HKEY_CLASSES_ROOT\Interface\{CC25F4C6-3227-45FA-8FDB-0E291EDB5742}
HKEY_CLASSES_ROOT\Interface\{D330D322-F5EE-4938-8B5F-3F4650F98BB9}
HKEY_CLASSES_ROOT\Interface\{F2168B0C-2381-42E5-A0C1-3B3D6D5AB60E}
HKEY_CLASSES_ROOT\TypeLib\{024CD98B-C982-46BA-A721-29CB460F33B8}
HKEY_CLASSES_ROOT\TypeLib\{16EB59FA-8710-430F-922D-67A8EFC74C18}
HKEY_CLASSES_ROOT\TypeLib\{3222FE43-306C-4831-B46B-A157B2986DD0}
HKEY_CLASSES_ROOT\TypeLib\{4AEDB174-8B9C-4DE7-8276-C7B60E0F6896}
HKEY_CLASSES_ROOT\TypeLib\{682DC0F3-19A4-450A-97FF-EEEB81554ED5}
HKEY_CLASSES_ROOT\TypeLib\{75BC0CC2-74B3-46A5-BDC5-2D311D479049}
HKEY_CLASSES_ROOT\TypeLib\{77CADC3F-6244-44DD-96E9-C3D84C0686D1}
HKEY_CLASSES_ROOT\TypeLib\{80519B95-F63A-4F69-AAEE-D5BB9ACBA0B2}
HKEY_CLASSES_ROOT\TypeLib\{8C023226-642E-43D0-8D64-BD6E628CB012}
HKEY_CLASSES_ROOT\TypeLib\{D2C2BC73-37AC-4F34-8C1C-8688C3DFAD7A}
HKEY_CLASSES_ROOT\TypeLib\{E9A68ED9-D34F-4F41-91ED-ACC4370DE537}

 

And then, with "Show hidden files and folders" etc. selected, find these files:

 

C:\Documents and Settings\(All Users or individual)\Local Settings\Temp\atww_340_693a.exe
C:\WINDOWS\SYSTEM\config\atuvp\ccp.dll
C:\WINDOWS\SYSTEM\config\atuvp\dprx.dll
C:\WINDOWS\SYSTEM\config\atuvp\dtor.exe
C:\WINDOWS\SYSTEM\config\atuvp\filesvc.sys
C:\WINDOWS\SYSTEM\config\atuvp\mca.dll
C:\WINDOWS\SYSTEM\config\atuvp\mcie.dll
C:\WINDOWS\system\config\atuvp\mck.dll
C:\WINDOWS\system\config\atuvp\mcmsg.dll
C:\WINDOWS\system\config\atuvp\mco.dll
C:\WINDOWS\system\config\atuvp\mcoexp.dll
C:\WINDOWS\system\config\atuvp\mcsc.dll
C:\WINDOWS\system\config\atuvp\mcy.dll
C:\WINDOWS\system\config\atuvp\procdrv.sys
C:\WINDOWS\system\config\atuvp\regfil.sys
C:\WINDOWS\system\config\atuvp\registrar.exe
C:\WINDOWS\system\config\atuvp\shellservice.dll
C:\WINDOWS\system\config\atww\ccp.dll
C:\WINDOWS\system\config\atww\dprx.dll
C:\WINDOWS\system\config\atww\dtor.exe
C:\WINDOWS\system\config\atww\mca.dll
C:\WINDOWS\system\config\atww\mcie.dll
C:\WINDOWS\system\config\atww\mck.dll
C:\WINDOWS\system\config\atww\mcmsg.dll
C:\WINDOWS\system\config\atww\mco.dll
C:\WINDOWS\system\config\atww\mcoexp.dll
C:\WINDOWS\system\config\atww\mcsc.dll
C:\WINDOWS\system\config\atww\mcy.dll
C:\WINDOWS\system\config\atww\ShellService.dll

 

Try that 

 

Quads 

Message Edited by Quads on 12-04-2008 08:31 AM
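As an added example (not the thread's own, and not a Norton or Awareness Technologies tool), the following PowerShell script audits a machine for the artifacts Quads lists above without changing anything: the two process names, the Run value, the HKEY_CLASSES_ROOT ProgID and AppID keys, and the DLL/EXE/SYS files, checking both system\config and system32\config because Quads notes later in the thread that the folder may be the latter. It also records each file's creation time, which is the "right-click, Properties" check suggested at the end of the thread, done for every file at once. It assumes PowerShell is available (it was not on a stock XP install in 2008) and is run from an elevated prompt; the function name Find-WebWatcherArtifacts is this example's own.

```powershell
# Added example, not from the thread: read-only audit for the WebWatcher
# artifacts Quads listed. Nothing is killed or deleted; the script only reports
# what is present so the removal steps can be verified first.
# Assumptions: PowerShell is installed, the prompt is elevated, and the
# function name below is this example's own.

function Find-WebWatcherArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Type, [string]$Item, $When) {
        $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Timestamp = $When })
    }

    # 1. Processes named in the thread (Get-Process takes names without .exe)
    foreach ($name in 'dtor', 'registrar') {
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            $start = $null
            try { $start = $_.StartTime } catch { }   # StartTime is denied on some processes
            Add-Finding 'Process' "$($_.ProcessName).exe (PID $($_.Id), $($_.Path))" $start
        }
    }

    # 2. The autostart value under HKLM\...\Run
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'atuvp' -ErrorAction SilentlyContinue
    if ($run) { Add-Finding 'Run value' "$runKey\atuvp = $($run.atuvp)" $null }

    # 3. COM registrations under HKEY_CLASSES_ROOT (ProgIDs and AppIDs from the
    #    thread; the CLSID, Interface and TypeLib GUIDs it lists can be appended
    #    to this array in the same 'CLSID\{...}' form).
    $hkcrKeys = @(
        'AOLMonitorDGC.AOLMonitor', 'AOLMonitorDGC.AOLMonitor.1',
        'CommonCommandProcessor.CommandProcessor', 'CommonCommandProcessor.CommandProcessor.1',
        'DataProxy.MonitorDataProxy', 'DataProxy.MonitorDataProxy.1',
        'DataProxy.PostData', 'DataProxy.PostData.1',
        'IEMonitorDGC.IEMonitor', 'IEMonitorDGC.IEMonitor.1',
        'KeyLoggerDGC.KeyLogger', 'KeyLoggerDGC.KeyLogger.1',
        'MSNMonitorDGC.MSNMonitor', 'MSNMonitorDGC.MSNMonitor.1',
        'OutlookExpressDGC.OEMonitor', 'OutlookExpressDGC.OEMonitor.1',
        'OutlookMonitorDGC.OutlookMonitor', 'OutlookMonitorDGC.OutlookMonitor.1',
        'ScreenCaptureDGC.ScreenCapture', 'ScreenCaptureDGC.ScreenCapture.1',
        'YahooMonitorDGC.YahooMonitor', 'YahooMonitorDGC.YahooMonitor.1',
        'AppID\Registrar.EXE', 'AppID\{38352016-D06D-41DF-8B5F-1269A59D0096}'
    )
    foreach ($key in $hkcrKeys) {
        $path = "Registry::HKEY_CLASSES_ROOT\$key"
        if (Test-Path -LiteralPath $path) { Add-Finding 'Registry key' $path $null }
    }

    # 4. Files: the thread gives %SystemRoot%\system\config\{atuvp,atww}, and
    #    Quads notes it may really be system32\config, so both are checked.
    $files = 'ccp.dll', 'dprx.dll', 'dtor.exe', 'filesvc.sys', 'mca.dll', 'mcie.dll',
             'mck.dll', 'mcmsg.dll', 'mco.dll', 'mcoexp.dll', 'mcsc.dll', 'mcy.dll',
             'procdrv.sys', 'regfil.sys', 'registrar.exe', 'shellservice.dll'
    foreach ($sub in 'system\config', 'system32\config') {
        foreach ($vendorDir in 'atuvp', 'atww') {
            $dir = Join-Path $env:SystemRoot (Join-Path $sub $vendorDir)
            foreach ($f in $files) {
                $p = Join-Path $dir $f
                if (Test-Path -LiteralPath $p) {
                    $fi = Get-Item -LiteralPath $p -Force     # -Force sees hidden files
                    Add-Finding 'File' $p $fi.CreationTime
                }
            }
        }
    }

    # 5. The installer left in each XP profile's temp folder; the wildcard walks
    #    every profile under Documents and Settings.
    $tempGlob = Join-Path $env:SystemDrive 'Documents and Settings\*\Local Settings\Temp\atww_340_693a.exe'
    Get-ChildItem -Path $tempGlob -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'File' $_.FullName $_.CreationTime
    }

    return $findings
}

$results = @(Find-WebWatcherArtifacts)
if ($results.Count -eq 0) {
    'No WebWatcher artifacts found at the locations listed in the thread.'
} else {
    # Sorting by creation time puts the earliest-dropped file first, which is the
    # best available estimate of when the monitor was installed.
    $results | Sort-Object Timestamp | Format-Table Type, Timestamp, Item -AutoSize
}
```

Running it before and after following Quads' steps gives a before/after record of what was present; a second run that reports nothing confirms the processes, the Run value, the COM registrations and the files are all gone. The earliest CreationTime in the output is the closest thing to an install date the files themselves can provide.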
Contributor
KnowPeace01
Posts: 14
Registered: 09-08-2008

Re: SpyWare / Remote Monitors w/ hidden files

Thank You!  I will attempt at home this evening. 

 

Do you know why Norton would not have identified this?

Is there any way to tell when it was installed?

 

Thank You for all of your help and your promptness!!  :womanhappy:

Contributor
KnowPeace01
Posts: 14
Registered: 09-08-2008

Re: SpyWare / Remote Monitors w/ hidden files

I contacted Awareness Technology.  The program was installed without my knowledge or consent.  They want $79 to investigate and will refund if they find that the program should not have been installed.  Way to go :womanmad:

Bot Obliterator
Quads
Posts: 13,898
Registered: 07-21-2008

Re: SpyWare / Remote Monitors w/ hidden files

[ Edited ]

The "config" folder, as in the entry "C:\WINDOWS\system\config\atuvp\procdrv.sys", could be C:\WINDOWS\system32\config instead of the "system" folder.

 


KnowPeace01 wrote:

Thank You!  I will attempt at home this evening. 

 

Do you know why Norton would not have identified this?

Is there any way to tell when it was installed?

 

Thank You for all of your help and your promptness!!  :womanhappy:


 

 

A lot of security products for the home don't detect this legit type of software, as people complain that it's detecting it when they don't want it to. If the company that makes the software was doing some sort of underhanded things via the software, then it would probably be added to the likes of Norton detection as unwanted software etc.

 

It's like Counterspy Home does not detect this, but Counterspy Enterprise does.

 

Unsure if you would be able to find when it was installed; maybe if you find a file, right-click it and click Properties.

 

Quads 

Message Edited by Quads on 12-04-2008 09:57 AM