Please HELP: Monitoring Software on my machine!

July 16, 2009 at 11:01:30
Specs: Windows Server 2003, Athlon 3000+ 2.1 GHz, 1 GB RAM
I am certain that my computer has had a monitoring/tracking application placed on it remotely.
Up to this point the application's location remains unknown. I used a packet sniffer to determine that packets are being sent out to an IP address that is registered to a company that provides several different types of software; the main one is used to monitor where your children go on the web. They also have one that is used to snoop if you think your spouse is cheating on you. The latter is the one that I believe has been installed.

The IP address is specifically owned by the website that the snooper uses to view the data that is gathered.

The company/software is called Awareness Technologies/Webwatcher. They claim that once installed the Webwatcher is absolutely invisible.

I have determined that one of the processes that it is hiding behind is a copy of svchost.
I observed that one of the copies of svchost was hogging the resources; when I kill that process, the packets cease being transmitted to the IP address.

I believe also that it is running under the guise of iexplore. I used a process analyzer to show what processes were assigned to what applications etc. Under a process that was named "atisvc_fbajdc.exe" there was an entry for iexplore. Of course, Internet Explorer was not running during the analysis. The path for the oddly named executable is:
The process analyzer could not provide any information as to the company that file was created by, or any other of the normal details that one could see with the other processes.
I would like input about my current problem as follows:

Is it possible to clean the machine without reformatting the drive?

Can I obtain a firewall product that will tell me each application that is trying to send packets and give me the option of allowing it or not? And, in a perfect world, give me the true path to that application?

Any other help or suggestions are appreciated!
Thank you in advance!
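As an added example (not part of this thread, nor code from any tool or vendor named in it), the two checks the poster describes can be scripted: which process owns the socket to the suspect address, and whether any svchost.exe copy runs from outside the system directory. The netstat rows and the PID-to-path table are constructed samples in the layout of `netstat -ano` and a process listing, and 203.0.113.10 is a documentation-range placeholder for the suspect address.

```python
# Constructed samples: `netstat -ano`-style rows and a pid -> image-path table.
# 203.0.113.10 stands in for the suspect address; it is a documentation range.
import ntpath

SUSPECT_IPS = {"203.0.113.10"}
SYSTEM_DIR = r"c:\windows\system32"

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1045      203.0.113.10:80        ESTABLISHED     1840
  TCP    192.168.1.20:1046      192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    912
"""
PROCESS_SAMPLE = {  # constructed: pid -> image path
    4: "System",
    912: r"C:\WINDOWS\system32\lsass.exe",
    1040: r"C:\WINDOWS\system32\svchost.exe",            # genuine location
    1840: r"C:\Program Files\Common Files\svchost.exe",  # look-alike copy
}

def parse_netstat(text):
    """Return (proto, remote_ip, state, pid) tuples; UDP rows carry no State."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        remote_ip = parts[2].rsplit(":", 1)[0]
        state = parts[3] if len(parts) == 5 else ""
        rows.append((parts[0], remote_ip, state, int(parts[-1])))
    return rows

def pids_talking_to(rows, suspect_ips):
    """PIDs that own a socket whose remote address is in suspect_ips."""
    return sorted({pid for _, ip, _, pid in rows if ip in suspect_ips})

def rogue_svchost(processes, system_dir=SYSTEM_DIR):
    """PIDs named svchost.exe whose image is not in the system directory."""
    return sorted(pid for pid, path in processes.items()
                  if ntpath.basename(path).lower() == "svchost.exe"
                  and ntpath.dirname(path).lower() != system_dir)

def report(netstat_text, processes, suspect_ips=SUSPECT_IPS):
    """Map each flagged PID to (image path, list of reasons it was flagged)."""
    findings = {}
    for pid in pids_talking_to(parse_netstat(netstat_text), suspect_ips):
        findings.setdefault(pid, []).append("sends to suspect IP")
    for pid in rogue_svchost(processes):
        findings.setdefault(pid, []).append("svchost.exe outside system32")
    return {pid: (processes.get(pid, "?"), r) for pid, r in findings.items()}
```

On a live system the same functions take the real `netstat -ano` output and a PID-to-path table from a process viewer; a genuine svchost.exe always lives in the system directory, so any copy elsewhere deserves a closer look.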

July 16, 2009 at 11:13:20
Mind posting some logs?

Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode and make sure you are connected to the internet. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

ExecuteAVUpdateEx( '', 1, '','','');

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called inside. Upload that file to and paste the link here.

Image Tutorial
2) Download OTL to your Desktop

1) Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted (for Vista, right click the icon and Run as Administrator).

2) When the window appears, underneath Output at the top change it to Standard Output.

3) Click the "Scan All Users" checkbox.

4) In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".

5) Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

i) When the scan completes, it will open two notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.

ii) Upload both the files to and post download links.
3) Follow these steps in order numbered:

1) Download GMER:
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 16, 2009 at 11:56:45
Yes, I can post logs. And yes, I can download and run the avz app. It may take me a day or so.

Do you want the file run while the machine is actively sending packets? I normally leave it disconnected from the network, unless I choose to use it. The packets are not being sent, but all apps have been loaded.

Thank you in advance!

July 16, 2009 at 12:44:21
Not until you post the logs. Generating logs doesn't take more than a few minutes.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 17, 2009 at 17:42:34
Hi jdk (neoark)

I have run the AVZ.
Here is the link:

There are a couple of things that I noted when I looked at the analysis. The oddly named file is still there, along with another entry at the end of the line which includes Director.
Director is my proprietary database application. NOT a place or entry that I would normally give a second glance. The person that I believe placed monitoring software on my machine would know this.
Second, there is a reference to jre or jre6. I do not have a user id in my domain of that name. Those are the initials of the person who I believe placed software on my machine.

I am sorry, but I could not run the dds.scr file. It does not support my os, which is windows 2003 server.

Please let me know when you have snagged the file so that I can delete it.

Thank you for your help!

July 17, 2009 at 17:53:52
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

SearchRootkit(true, true);

2) After reboot execute following script in AVZ:


A file called should be created in C:\. Upload that file to and private message me the download link.

3) Then redo Response Number 1 (changed).

PS: It does look like some sort of spyware. Next set of logs will decide on best possible removal process for it.

If I'm helping you and I don't reply within 24 hours send me a PM.

July 17, 2009 at 19:08:20
Will do.

Thank you for your help

Again, it may take me a day or so.


July 20, 2009 at 10:01:04
Hi jdk

Can I follow the additional steps without the machine connected to my network? If I'm connected it will be sending the packets with screenshots, keystrokes etc. I don't really want that. So, I need to know if I can leave it disconnected from the network.

Thank you.

July 20, 2009 at 10:10:12
Yes, as long as you have a copy of AVZ.

If I'm helping you and I don't reply within 24 hours send me a PM.

