Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Spy Recon

  • Please log in to reply
2 replies to this topic

#1 Anonix


  • Members
  • 188 posts
  • Local time:01:50 AM

Posted 24 January 2008 - 09:54 PM

I recently learned about the existence of SpyRecon Complete and similar programs. If it I understand SpyRecon's claims correctly, this is a keylogging and 'total capture' program that can be installed remotely on someone else's computer merely by sending that someone an email (presumably, with an attachment that they then open which downloads the program).

In mid-November, I received an email that had a file attached. The options to view were a) click on the paperclip; :thumbsup: view as a google document; and c) view as a Word doc. I don't recall exactly how I viewed the document, but I believe I clicked on the paperclip to open it, then cut and pasted the text into a new Word doc and saved it (on the half-baked theory this would be safer than downloading the document). I still have concderns about this email (which I have saved) and whether I inadvertently gave someone remote access to my computer.

Can someone describe to me exactly how this works? Without going into details, I have reason to be concerned about this particular email, from this particular person.

Around that time, my computer seemed to slow up a lot. One time I hit 'control, alt, delete' to see what was happening. Unfortunately, I am not very versed in what all the processes mean, but I am learning (and know much more today than just a few months ago -- I also google any processes I have questions about and the results are usually helpful). Anyway, I saw one process that was taking up something like 64,000 memory usage, and I recall specifically that that process started with an "s". Unfortunately, I did not write the item down. But I recall it was something along the lines of 'svr' something or other. I have since read up on what kind of files SpyRecon installs, and srvrecon, etc. was one of them. The other thing I noticed about that particular process was that it would not 'stop running' when I clicked on 'end task' in Task Manager. It just stayed there. I finally gave up and shut down Task Mgr. and restarted my computer. I don't remember what happened after that (this was a few months ago). I haven't since seen any process that uses up that amount of CPU. I have checked my program files and do not see a SpyRecon folder; I have looked at the registry and do not see changes that would indicate that SpyRecon has changed the registry (following advice that Symantec posted online for how to remove SpyRecon).

Question: Is there anyway at this late date (two months after I opened the suspicious email) whether I can tell if anyone at any time ran SpyRecon for a period of time before instructing it to unstall itself? Would there be any trace of the activity? If so, how would I see that.

Secondly, I have not deleted the email with the attachment, because of my suspicions. I thought at some point I might figure out how to scan it or check it for SpyRecon? The email is in a gMail account. I think my anti-virus (AVG) only scans my Outlook email.

Thanks in advance for any suggestions.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 AM

Posted 25 January 2008 - 09:43 AM

"Using Caution with Email Attachments"
"Email Attachments: How to Protect Yourself"
"What Kind of Attachments Can Contain Viruses?"

What OS (Win XP, XP SP1, XP SP2/2000, etc) are you using? What type of anti-virus are you using? Have you performed any anti-spyware scans? Have you tried doing your scans in "Safe Mode"?

Download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".

If you don't know what a process is or you come across a suspicious file, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ThreatExpert Malware Search
If no search results are found, you are given the option to "Submit a New Sample".

Note: Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs). It is not unusual for multiple instances of Svchost.exe running at the same time. How to determine what services are running under a Svchost.exe process.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Proces Explorer, AnVir Task Manager Free or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Anonix

  • Topic Starter

  • Members
  • 188 posts
  • Local time:01:50 AM

Posted 25 January 2008 - 10:52 AM

OK, lots to follow-up on. WinXP with SP2 btw, and AVG Free Edition anti-virus which updates daily. I also run SpyBot and keep that updated as well. I use CCleaner too, and AVG's anti-rootkit.

SpyBot may well have notified me about registry changes at that time, but not knowing what they were I probably OK'd the changes. As i said, I am learning as I go.

Thanks again.

Mod Edit: Edited to remove unnecessary quote. ~TMacK

Edited by TMacK, 25 January 2008 - 01:26 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users