
How can you see if someone is watching your monitor?


9 replies to this topic

#1 kingprince

kingprince

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 25 April 2012 - 09:28 PM

Recently I have felt that our computer is being watched. I can't load netstat on command prompt (it says it cannot load dll because of an xpsp2res.dll error), which has led me to believe my computer is corrupted.

Do you have any ways I can find out if our computer is being monitored?



#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 PM

Posted 26 April 2012 - 02:32 AM

That can be a difficult question to answer.

Do you have any other issues than running netstat?

You can try TCPView instead.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 kingprince


Posted 26 April 2012 - 06:38 AM

Running netstat is the only issue I've encountered so far.

#4 kingprince


Posted 26 April 2012 - 02:32 PM

There isn't much of note, but there are 5 svchost.exe processes running. Could hacking take place here, or would there be a file name of the hack process?

There are two pairs of svchost.exe files that are identical except one part of the pair is located in mycomputer and the other part is located in mycomputer.gateway.

Edited by kingprince, 26 April 2012 - 02:34 PM.


#5 Didier Stevens


Posted 26 April 2012 - 02:46 PM

It's normal that you have several svchost.exe processes running; these host the different Windows services.

Have you reviewed your established connections?
Is there a process that connects to a remote location that you can't explain?



#6 kingprince


Posted 26 April 2012 - 07:14 PM

There are several unidentified IP addresses established that are near my area connected without any host names.

(By unidentified, I mean that only the IP addresses are shown.)

Also, a German website called svr6.paul.activeminds.net is connected but quickly disappears. We have not recently visited any German websites. We found that it was connected with some RAT programs (one called Spynet) but that is it.

Edited by kingprince, 26 April 2012 - 08:01 PM.


#7 Didier Stevens


Posted 27 April 2012 - 09:18 AM

You can reverse lookup IP addresses with nslookup.

Which process is connecting to svr6... ?

"we have not recently visited any german websites."

That's not unusual; your web browser will connect to many websites you don't visit directly, because of all the embedded objects in the pages you view, stored on many different web servers. For example, ad servers.

"we found that it was connected with some RAT programs (one called Spynet) but that is it."

What do you mean, how did you find this? Do you mean you identified a RAT process running on your machine?

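An added example, not part of the thread and not written by either poster: one way to do the review asked for in posts #5 and #7 on a machine where `netstat -ano` works. It keeps only ESTABLISHED TCP rows, drops local peers, groups what is left by owning process ID, and reverse-resolves each address the way `nslookup <ip>` would. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not data from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED     1520
  TCP    192.168.1.10:1051      203.0.113.7:443        ESTABLISHED     1520
  TCP    192.168.1.10:1077      198.51.100.23:81       ESTABLISHED     2288
  UDP    0.0.0.0:500            *:*                                    700
"""

# Loopback, RFC 1918 and link-local ranges, listed explicitly because
# ipaddress.is_private also flags the documentation ranges used in SAMPLE.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]

def parse_established(text):
    """Yield (pid, remote_ip, remote_port) for ESTABLISHED TCP rows only."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            host, _, port = f[2].rpartition(":")
            try:
                yield int(f[4]), ipaddress.ip_address(host.strip("[]")), int(port)
            except ValueError:
                continue  # unparseable address or port, skip the row

def external_by_pid(text):
    """Group remote endpoints outside LOCAL_NETS by owning process ID."""
    found = defaultdict(list)
    for pid, ip, port in parse_established(text):
        if not any(ip in net for net in LOCAL_NETS):
            found[pid].append((str(ip), port))
    return dict(found)

def reverse_lookup(ip):
    """PTR lookup, like `nslookup <ip>`; None when no name is registered."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

if __name__ == "__main__":
    for pid, endpoints in external_by_pid(SAMPLE).items():
        print(pid, [(ip, port, reverse_lookup(ip)) for ip, port in endpoints])
```

Each PID in the result can then be matched to a process name in Task Manager or TCPView. An address with no PTR record is common and not by itself a sign of monitoring.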


#8 Didier Stevens


Posted 27 April 2012 - 11:02 AM

Maybe we should take a step back.

When you asked about netstat, I assumed you were familiar with the command and that's why I mentioned an alternative, TCPView.
But now I get the feeling that you are not that familiar with the commands, and that maybe you are overwhelmed and confused by the data presented to you.



#9 kingprince


Posted 27 April 2012 - 02:42 PM

Sorry about this, this has been making us paranoid recently and I'm not being very rational at the moment, so my posts are confusing.

In terms of the svr6.paul.activeminds.net, we were curious because this connection appeared and then quickly disappeared when we looked it up on TCPView, so we looked it up, and somebody on another forum talked about how, when they had a RAT watching their computer, one of the files listed was "svr6.paul.activeminds.net". We have not found a RAT file yet.

And no, we have never had to use programs like netstat before, so I'm very poor with these sorts of programs. I tried to use it first but, as I said, there was an error with the netstat program.

#10 Didier Stevens


Posted 27 April 2012 - 03:19 PM

OK, no problem, these things can be quite confusing.

What actually happened that made you feel your computer is monitored?
