Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cannot Detect Surveilstar, et al? - DDS log


  • This topic is locked This topic is locked
11 replies to this topic

#1 Physics-is-Phun

Physics-is-Phun

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 05 September 2011 - 06:06 PM

I'm in a particularly vexing situation, here. I don't actually know if I'm infected or not, I only have the suspicion that I am.

There are four people in my house- myself, my twin brother, and my parents. I know, for a fact, that one of my parents has "broken into" all of the other parent's computers, and all of the other parent's e-mail addresses. Obviously, the capability does not stop at this parent's computer, and- not unconcerned- I'm trying to take every single precaution that I can to protect my own security and privacy in what I do on the internet and with my own computer as well as the home network in general.

Ironically, the parent who's conducted all the break-ins accused the other parent of using a specific software, named "SurveilStar Any Activity Monitor," to monitor all the computers on the network. More information about Surveilstar here: http://www.any-activity-monitor.com/ I've combed my computer as best I can for any sign of this software, as my Event Viewer did record some login attempts while I was away from the computer before this allegation. But based on its description, it is supposed to be incredibly difficult to detect. So either it's actually there and I haven't detected it yet (or anything like it), or I am just suffering from incredibly heightened paranoia by all of the things that are going on with the one parent having the ability to simply break in to any computer or e-mail inbox, and the apparent lack of compunction this parent has about using these tools repeatedly.

I'm also concerned about what our router can and cannot do, but I will post concerning issues about that elsewhere.

So, obviously, what I need to know is whether or not there is any kind of spyware such as Surveilstar or anything else on my computer. Regardless of the answer there, I also need to know recommendations (short of physically moving out of the house) to keep my computer free from any kind of monitoring spyware such as this one.

For reference, I'm running the 64-bit version of Windows 7 Home Premium. Setting all personal problems that are going on in the family aside, I really just want to make sure my laptop is as guarded, safe, and private as it can be.

Thank you very much in advance- the DDS log should be posted below!

Attached Files

  • Attached File  DDS.txt   17.4KB   3 downloads


BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,732 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:07 PM

Posted 10 September 2011 - 06:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/417649 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Physics-is-Phun

Physics-is-Phun
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 10 September 2011 - 10:42 PM

I have been able to confirm that Surveilstar is not on my computer, but I am unsure of the steps needed to stop any kind of external monitoring of my computer, or how to detect a monitor if there is one already on my computer that's currently evading protection. (Attached should be a current DDS log.)

Here's the stuff I have:

- Windows 7 Home Premium (64-bit)
- AVG Free 2011 (daily updated, weekly scans)
- Malwarebytes Anti-Malware (daily updated, weekly scans)
- Comodo firewall (newly-installed as of yesterday, set to max security settings on everything (it calls it "Paranoid Mode," appropriately enough))

I've taken the following additional steps:

- Stopped sharing folders/printers of any kind with anyone on my home network
- Disabled all other user accounts, save for mine.
- Migrated to using Comodo's DNS servers instead of my router's.
- Disabled "homegroup"

I plan to see if there's any kind of way to set a password in my BIOS, and have installed WinDirStat at the suggestion of a friend to try and track the log files created by monitoring software (if any of it is stored locally, at any rate). I still have no idea whether I'm not detecting any spy/monitor software on my computer because it actually isn't there, or if the stuff I have just isn't seeing it. There's also the real possibility that it's somehow being pulled from the router, but I've asked what to do about that in a thread elsewhere on this site.

Attached Files

  • Attached File  DDS.zip   8.39KB   0 downloads


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:07 PM

Posted 12 September 2011 - 05:46 PM

Hi,

You look locked down. I would run a couple of good antispyware tools to be sure you haven't been hacked. I'm kind of wondering what kind of parent hacks their own kid's networks. What skills do they have?

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then SAS

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Posted Image
m0le is a proud member of UNITE

#5 Physics-is-Phun

Physics-is-Phun
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 13 September 2011 - 01:19 PM

Thank you very much for the reply, m0le!

I am indeed trying to lock down as much as I possibly can until I know my computer is safe. I know why my mom is doing this to my dad (even though I think her reasons are absolutely ludicrous), but since I don't know what her tools are, I don't feel like my stuff is safe. As I've said, it's not even that there's anything to find, it's just an invasion of privacy.

I scanned again with Malwarebytes, and it came up blank (see below). I scanned with SuperAntiSpyware, however, and came up with a whole bunch of cookies that AVG apparently keeps missing, along with two Security.HiJack files (seen in the log below).

I don't know if they were the things that would be monitoring, but at least, according to SAS, they're gone.

Are there any other precautions you can advise or tools you can suggest that might a) lock down my computer even tighter and/or B) be able to detect anything on currently on my computer or (MUCH more preferably) on my network router that is logging traffic/etc? Like I said, because I don't know what she is actually using or has at her disposal, I really feel more and more paranoid every time something is found (or not found- funny how psychology works that way).

Thank you very much for your help thus far!

EDIT: I know my mom was very much not technologically savvy in the past, and she's admitted to me that she has used a "friend" who has "tools" (including, but not limited to, a CD password-cracker to log on to any account) to get into my dad's computers (even his work laptops- BIG HEAP NONO). I know she's very e-mail savvy, but beyond that, I don't know where she learned how to do the stuff she is able to do, or how much is simply automated because of the programs she has (which still remain unknown to me, my brother, or my dad). As I posted up at the top, I'd originally thought it was Surveilstar Any Activity Monitor, but after talking to their tech support about detection methods, I've determined it's not on mine, my brother's, or dad's computers.

So as far as her skills are concerned, I believe her skills to be somewhat limited, though somewhat savvy- certainly above the average mom-who-uses-computers. As for her anonymous friend, I'm just considering the sky to be the limit- I'd rather assume this person knows and has as much at his/her disposal as they're able to get than assume this person only has a cd cracker and one or two surveillance programs. (Assume the worst, hope for the best, right?)

Attached Files


Edited by Physics-is-Phun, 13 September 2011 - 09:47 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:07 PM

Posted 13 September 2011 - 08:02 PM

Security.HiJack[ImageFileExecutionOptions]
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE#Debugger


SAS finds something which kind of shows the sort of process you believe might be being used. This can also be something completely harmless but be used to aid malware.

MBAM found nothing.

Please run OTL, this is a deep scanner. I can look manually for anything placed in your system which might be able to corroborate the finding above.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Posted Image
m0le is a proud member of UNITE

#7 Physics-is-Phun

Physics-is-Phun
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 13 September 2011 - 09:41 PM

The two logs are attached to this response.

I think it's possible that the things that SAS removed were related to Process Explorer- if you're not familiar with it, it's a freeware version of Windows Task Manager that displays more information and has more practical functionality, including displaying process trees (which process spawned which other process(es) that are running). I had set it so that Process Explorer would "replace" Windows Task Manager, meaning that whenever I told Windows to open up the task manager, Process Explorer would open. Now, however, the regular task manager opens up. It's a possibility, anyway.

Are there additional steps I can/should take to locking down my computer even tighter from monitoring? And is it truly so dead-end-like that if I don't know what she or her friend are using or have at their disposal, I can't assume anything on my computer is safe?

Attached Files



#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:07 PM

Posted 14 September 2011 - 06:12 PM

I don't see any surveillance kit on the log.

I assume your user account has a password so use a safe PC to change it. It seems unlikely that you have been hacked but without knowing what expertise this other person has it's difficult to tell.


Let's get a definitive list of programs

Visit this site: http://billsway.com/vbspage/
Scroll down to the section that says "List Installed Programs" and download it, by using this icon: Posted Image
Save it to your Desktop, then right-click and select Extract all.
A folder should open, double click on the file inside called InstalledPrograms.vbs.
Press OK at the prompt, then Yes to view the results.
A text file will open, copy and paste this in your next reply.


Now run Autoruns

Download Autoruns for Windows

No installation required.

Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.

Go File and Save, and save it as AutoRuns.txt file to know location.

You must select Text from drop-down menu as a file type:

Posted Image

Attach the file to your next reply.
Posted Image
m0le is a proud member of UNITE

#9 Physics-is-Phun

Physics-is-Phun
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 14 September 2011 - 07:14 PM

The two logs for those should be attached to this post!

I'm still not sure if my question about the router is being addressed... assuming everything checks out a-ok on my computer, I'm still not certain that my mom's laptop isn't interacting in some way with the router for her to be able to pull and print out e-mails directly from my dad's inbox. The only answer I have to that is that dad hasn't taken the steps I have to find any kind of monitor and there is something there only on his computer (which is possible- he doesn't want to be bothered to take the steps that I've taken because he's reached a breaking point where he's said that he "doesn't care anymore" whether she keeps spying on him or not, since there's nothing to find). Of course, I have no idea if that may allow my mom to look in on my computer in some way from his, though since I've left the homegroup and stopped all sharing, I don't think that's the case.

So I think the only possibilities are: 1) that it truly is dad's and only dad's computers that are being monitored; or 2) that there is something on the router and/or modem that allows my mom to monitor virtually any network traffic. Would there be a way to find and detect such monitoring, or is there no way without breaking into my mom's laptop (which I don't think I can do, because I have morals) to know the nature of the monitoring over the router/modem, and the only solution is a reset to factory defaults of both?

Attached Files



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:07 PM

Posted 14 September 2011 - 07:43 PM

I'm also concerned about what our router can and cannot do, but I will post concerning issues about that elsewhere.


That made me think you were posting the router questions elsewhere.


I would reset your router. I think there's nothing to worry about but I would urge your dad to take the same steps as you have.

Traffic can be monitored but in most cases the logs don't tell the person monitoring the traffic very much. You have locked down the machine as best you can; removing options to share and checking for keyloggers or spyware is a good indicator of whether anything is happening. If you reach a point where you think there's a possibility of hacking then the last resort would be to reformat and reinstall.

How do you know that they had broken into emails?
Posted Image
m0le is a proud member of UNITE

#11 Physics-is-Phun

Physics-is-Phun
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 15 September 2011 - 10:49 AM

That made me think you were posting the router questions elsewhere.


I am, on the Networking forum on this site. I don't think I'm getting particularly far, though. You can take a look here, if it will help clarify what I'm talking about!

I'm almost fully convinced that there's no monitoring on my computer (which it's kinda crazy that I had to go through these kinds of hoops to even reassure myself of that- that I couldn't trust my mom when she said so. But that's a psychological problem, and not a computer one, I suppose!). While I still don't know who her friend is or what the friend knows/etc, by the sound of it, they would pretty much have to be Jeff Goldblum in Independence Day, hacking into an alien mothership with Windows 95... am I reading that right?

I know for a fact that my mom has broken into dad's e-mails because she was able to print one off of his inbox to take into one of their therapy sessions. It was an e-mail addressed to me and my brother, so I know the content- the e-mail itself was fairly honest and not at all particularly hurtful in nature, so I don't know why she "had to get it." But more technically, she won't admit how she got it. She's also finally openly admitted to breaking into dad's computers and every one of his e-mail accounts (even the dopey ones he set up to soak up the shopping spam).

Hence all the paranoia on my part of "if she can get in there, what guarantees she can't get into other places?" Which led me to here in the first place, because I didn't know how to solve the problem from a technological standpoint. Coupled with a friend that I know who's really into computers/computer security, I've gotten to where I am now.

I know a format is a last resort, and if feelings of paranoia spike again, I feel like I may actually resort to it, but for now, it seems like my initial concerns are somewhat unfounded- at least with regards to my personal computer. (It's also somewhat impractical as I don't have a boot disc.) I don't feel like I'm gonna roll back any of the precautions I've taken until the whole mess blows over, though, just to be on the safe side.

I have tried going into the router's logs a little bit from our router to see what can be seen, but it doesn't seem like there's anything meaningful (just as you said!). It almost reads like a Twitter feed from the router (i.e. "Blocked an outgoing packet from ____ because there was no active connection." "Above message repeated 5 times." etc)

Oddly enough, earlier today, my mom asked me to help make her computer faster. On a hunch, I started running through her program files and installed programs looking for anything I could find- there was a lot of programs that she apparently downloaded for free to try and get rid of an apparently-stubborn piece of spyware. However, I also found Windows Family Safety installed, as well as some of its Remote Access features installed and active. I'm looking into that program's capabilities now to figure out if it could very well explain all the symptoms that have been exhibited by my dad's computer (the apparent knowing of where he goes on the computer, the ability to read his inbox, etc).

If it's really something so simple and so stupid as that, I'm going to kick myself.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:07 PM

Posted 15 September 2011 - 06:07 PM

Okay, we're going to wrap this up now. I am summarising this as follows:

1) You are not being hacked

2) It's possible that your mum is not breaking into his email, she may have known or guessed the password. Or...

3) The program you found has that capability

4) What you have surmised and explained via a Jeff Goldblum reference is right. Hacking into email accounts is really hard and only made easier by the user or the software developer.

Anyway, this discussion is becoming very personal and this thread is no longer a help to others. If you wish to continue talking about this then please PM me.

I have now closed the topic
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users