Why does Spybot View my screen



Sirtokalott
2008-06-19, 23:44
I am running SnoopFree and when I start Spybot it advises that it is trying to view my screen. Can anyone please tell me why Spybot is viewing my screen or explain why I am getting this warning?

drragostea
2008-06-19, 23:51
It looks to me that you are running the anti-keylogger program SnoopFree (http://www.snoopfree.com/).

I haven't tested the program yet, but I'll give it a run in the next half-an-hour. I'll tell you the results.

By the way, what version of Spybot-SD (HELP>ABOUT) are you running? I'm assuming you are running Windows XP OS.

drragostea
2008-06-20, 00:07
Tested.

In my personal opinion, SnoopFree isn't even a good program at all.

I've tested... it was a small file, however it prompted me to reboot after installation and removal.

I executed Spybot-SD and as you said, SF alerted me of a moderate level risk. I see that as a false positive. Spybot-SD is NOT a keylogger and is NOT bundled with spyware or anything associated with that. SaferNetworking is dedicated to removing malware.

SF was last updated in 2004 (1.0.7). It acts more like SpywareGuard. Even though with definitions from 2004, SG is robust and offers spyware and hijack protection.
--
http://forums.spybot.info/showpost.php?p=203157&postcount=3
--

If you would like an alternative to SF, use SG.

Sirtokalott
2008-06-20, 00:29
The version I am running is 1.5.2.0.

I am more than happy with Spybot and think it is an excellent programme. I also am aware that there are legitimate reasons that a programme may screen view. I very much doubt there is anything dodgy going on with Spybot. I'm just curious to see if anyone knows why Spybot causes this alert.

Sirtokalott
2008-06-20, 00:58
Based on reviews by Cnet and also the users of both programmes, I would have to conclude that SnoopFree is the better software. Yes it had quite a few bad reviews but almost all related to problems running the software. It looks like it's not compatible with Vista. As it runs fine on my PC (XP), I think it will be worthwhile.

I would however still like to hear from anyone who can explain why SpyBot causes a screen viewing alert.

Does it scan what's currently running in the memory?
Does it do some form of initial check as it loads?

Certainly when I block it from screen viewing, it still works fine

drragostea
2008-06-20, 01:03
I believe it is a false positive. I use other monitoring programs, and none of them have alerted me of a screenview from Spybot. However, I have seen "keyboard" views from Comodo's DEFENSE+ (HIP application).

What I don't like about SF's site is that it generates a sense of paranoia. Correct me if I'm wrong...

I can believe it is a false positive and you can safely ignore the warning.

The reviews from Cnet aren't really that recent/modern.

The bars you see on Spybot indicate a boot-up (Spybot is loading).

ChrisWarFi
2008-06-20, 01:06
Drrrag, not just a boot-up, it -does- do other things as well (plays around with the hosts file, for one. not sure why but it does!) - Chris

Sirtokalott
2008-06-20, 01:09
I haven't ever looked at SF's website, I just downloaded from Cnet. As I say I trust Spybot and have had great results using it with AVG and Glary Utilities. I'm just after an explanation as to why it provides the false positive. As I say once I block the viewing, Spybot continues as usual. So what process has caused the alert and what have I blocked?

drragostea
2008-06-20, 01:11
You may as well ask SF about this. As far as I know... there hasn't been an update in some time.

@Chris: Really? I think you mean "verifying" the HOSTS file?

Sirtokalott
2008-06-20, 01:15
From what I understand updates are pretty irrelevant due to the way in which the software works. It isn't simply searching for items it has on a blacklist but is scanning for activity. I dare say this is why it is flagging Spybot, as this is a monitoring tool.

I would however still like to know what Spybot is doing that causes this alert

ChrisWarFi
2008-06-20, 01:20
Hmm... *peeks out over Windows Defender's battlements*

Descrição: Description:
Este programa apresenta comportamento potencialmente indesejado.
This program presents potentially unwanted behaviour.

Conselho: Advice:
Permitir item detectado somente se você confiar no programa ou no editor do software.
Permit the detected item only if you trust the program or the software editor (maker?).

Recursos: Resources:
file:
C:\Windows\system32\drivers\etc\hosts

This is what the log/history tells me. Now, when the actual alert comes up, it does say old data: sites sites sites & new data: sites sites sites. As far as I can tell the data are exactly the same, but I haven't experimented to see if it -does- change anything. But if it didn't change anything, surely it's a bit pointless showing the entire contents of the file, twice? - Chris

Sirtokalott
2008-06-20, 01:22
Sorry to be a pain in the arse but what is a host file?

ChrisWarFi
2008-06-20, 01:27
Sorry Sirtokalott, I sort of hi-jacked your thread, didn't I (we?) :oops:

A hosts file is where Windows keeps information on where to find some sites. It's used in Spybot to block known bad sites (I think), but can be used by malware to redirect legitimate sites to fakes, and also be used by admins to block users' access to sites. More here:
http://en.wikipedia.org/wiki/Hosts_file

- Chris

drragostea
2008-06-20, 01:31
From what I understand updates are pretty irrelevant due to the way in which the software works...

You are right... I was wrong about the update part. Thanks.

I define an update as a... more like a code or file to "upgrade" sort of a way the current program or application. This includes tweaks and performance improvements. But not all updates are like that... an update might be just a minor tweak.

Sirtokalott, a HOSTS file is more like your first defense... like a barrier. I would call it the first line of defense, because it sorta "blocks" the connection of a malicious site to reaching your computer. In other words, say like you visit that site by accident... your browser will say "the site was not found" or the page could not load. This means that the connection was "redirected" back to your computer. So it's more like you're not going anywhere.
--
http://en.wikipedia.org/wiki/Hosts_file
--

The stupid question is the one not asked ; )

Sirtokalott
2008-06-20, 01:34
Hi-jack away my friend, I'm always up for a bit of learning. Allow me to go way off subject. Should I see any running processes relating to Live Messenger when I do not have it running.

I am unsure about 2:

Explorer.EXE apparently safe but does the capital E mean it is a different process to the one that begins with a lower case e

WLLoginProxy.exe This one just popped up and as I say, I don't have Live Messenger running at the moment.

Any help appreciated.

Sirtokalott
2008-06-20, 01:36
Oh yes this one as well:

usnsvc.exe

Sirtokalott
2008-06-20, 01:37
Now this one has just popped up:

msn_sl.exe

ChrisWarFi
2008-06-20, 01:45
Hi, nothing -strictly- wrong with these, just not needed:

WLLogin = an installation of any windows live software will install this software, apparently used for multiple logins..
http://www.technixupdate.com/what-is-wlloginproxyexe-and-why-it-is-running/
usnsvc = Again windows live messenger, this time a journal reader service
http://www.processlibrary.com/directory/files/usnsvc/
msn_sl.exe = MSN toolbar? if you have it then it may explain the above 2
http://www.liutilities.com/products/wintaskspro/processlibrary/msn_sl/

here's praying that drrag hasn't beaten me! - Chris

drragostea
2008-06-20, 02:42
@ChrisWarFi, oh don't worry Chris. I'll beat you anyday ;).

Sirtoka, the process "Explorer.EXE" is the Windows Explorer. In other words, it's the window in which you view your documents, music, photos, etc.

Problem is that many malicious processes can pose as "explorer.exe".
--
http://www.processlibrary.com/directory/?files=Explorer.EXE
--

"explorer.exe" would be the Windows Explorer (eg: My Documents). Don't confuse it with "iexplore.exe" which is Internet Explorer.

Sirtokalott
2008-06-20, 03:59
Just to confirm there is no difference in the processes:

Explorer.EXE

&

explorer.exe

drragostea
2008-06-20, 04:17
Hm. I'm not so sure about that *scratches head.

I opened "My Documents" and there was no change in my Task Manager. Even with no Windows Explorer open, "explorer.exe" was still active.

I recall that should you "kill" the explorer.exe process, then you'll lose your desktop and all the items associated with it. I do not mean literally, but it will be restored with a reboot.

Sirtoka, do you have "Explorer.EXE" running?

ChrisWarFi
2008-06-20, 04:18
*goes into corner and cries* what a drrag..... :eek:

I wouldn't imagine there's too much difference between E and e, but it's always best to check out things (try googling the filename/following the links provided; I think it's more important to check the location, size, etc.) - Chris

Edit: after killing explorer.exe I think you can also restart it on its own, using START+R, which will bring up the run prompt, then type explorer/explorer.exe

drragostea
2008-06-20, 04:20
I'm a drag, Chris?!

Crying in the corner should do you good sir.

Google engine searches are not case sensitive. I've tried it. As long as you don't see explorer.exe or Explorer.EXE taking up 100% of the CPU then there shouldn't be a problem.

Sirtokalott
2008-06-20, 08:12
Here's the details:

Created 02 January 2003
Date modified: 14 April 2008
size: 0.98Mb
Version: 6.0.2900.5512

All seems well except when I look at the file in the windows folder, it shows as explorer.exe

I may be splitting hairs but all the other applications I have seem to have the extension exe not EXE and this just makes me think this has been modified in some way.

By the way what did I miss, who was crying in da corner and why?

Sirtokalott of the round table is always here to help!!

Sirtokalott
2008-06-20, 08:15
P.S. I just terminated the process and it didn't make a blind bit of difference everything works fine.

Sirtokalott
2008-06-20, 08:18
Well Donald Duck me, after I terminated Explorer.EXE a new process appeared.

Can you guess what it was called?

explorer.exe

Any ideas people?

ChrisWarFi
2008-06-20, 17:08
Hi Sirtokalott,
Here: http://support.microsoft.com/kb/888162 microsoft also reference Explorer.EXE, just trying to find the size of the file so you can rest assured (don't think there's any problem really)

I was crying in the corner because drrag will always beat me :( (joking :P) - Chris

Edit: "it's 1.032.192 bytes on a fully up to date xp, that's about 1008kb, file hash: A0732187050030AE399B241436565E64
On xp sp2, with no patches, the file size is 1.000.960 bytes, 977 KB, file hash 5A26FC6010886D25B3E412493DD95ED8
The xp file size differs depending on what patches you have on the pc and on the language."
977kB = 0.98 mB. info from http://forum.kaspersky.com/lofiversion/index.php/t42634.html

drragostea
2008-06-21, 00:13
I was crying in the corner because drrag will always beat me :( (joking :P) - Chris

Not always, we're both climbing the same ladder. ; )

Sirtokalott, does "Explorer.EXE" come back on the Task Manager after a reboot?

On a clean PC, my Windows XP Home does not seem to show Explorer.EXE running as a task. How about you Chris?

ChrisWarFi
2008-06-21, 01:11
*looks to the skies* the same ladder... but a long distance :P
I have vista, but it shows explorer.exe. Just a thought, if a startup file wrote ExPlOrEr.ExE instead of explorer.exe, how would the name be displayed? The 'actual' filename or the referred name? - Chris

drragostea
2008-06-21, 01:47
In other words... we started on the same road.
If your Vista shows "explorer.exe" then you are fine.

It would be unusual for a start-up entry named "explorer.exe".

However, if a start-up process was named, for example, cTfMON.eXE, then after a boot, cTfMON.eXE would be seen running in the Task Manager. Problem is that when you search in a search engine, it is not case sensitive. If it was then it would make searching a lot more tedious for many other people, but easier for us ;0. Maybe?

Chris=Last place.
drragostea=Champ. Lols.

ChrisWarFi
2008-06-22, 15:36
Mmm, looks like you're right drrag, spybot doesn't -modify- the hosts file, but windows defender detects it as such:
Resumo:
Alteração de Configuração do Sistema.
(Alteration of the system configuration.)

Mmm, then it's probably just a case of an old filename style (weren't they commonly written like that a long time ago? Or am I just clutching at straws?)

Maybe an option for case-sensitive searching? Imagine the resourcehog!! Strange but I think I saw an option for this the other day, in an academic search.... or maybe I'm losing (more of?) my mind! :) - Chris

drragostea
2008-06-22, 17:52
If Windows Defender detects such change, eg. HOSTS FILE, then it would be better to allow it. Thing is that if you did not immunize, and there was a change in the HOSTS file it would be better to deny it.

I have WinPatrol '08+ to alert me of that change. So Scotty alerts me every time I immunize. Well it looks like entries are being added to the HOSTS file after every immunize.
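
Added example, not part of any post in this thread: the allow-or-deny decision discussed above depends on what actually changed in the HOSTS file, so this sketch compares an "old data" and "new data" snapshot and separates block entries (names pointed at the local machine) from redirects to another address. The function names and the sample hostnames and addresses are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; comments and blank lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable entry
        for name in fields[1:]:
            # Hostnames are case-insensitive; the first entry for a name is kept.
            mapping.setdefault(name.lower(), ip)
    return mapping

def classify(ip):
    """'sink' = points at this machine (a block entry); 'redirect' = sends the name elsewhere."""
    return "sink" if ip.is_loopback or ip.is_unspecified else "redirect"

def diff_hosts(old_text, new_text):
    """List (change, hostname, ip, kind) for every mapping that differs between snapshots."""
    old, new = parse_hosts(old_text), parse_hosts(new_text)
    changes = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if before == after:
            continue
        if after is None:
            changes.append(("removed", name, str(before), classify(before)))
        else:
            change = "added" if before is None else "changed"
            changes.append((change, name, str(after), classify(after)))
    return changes

# Constructed sample data (documentation-only names and addresses).
OLD = "127.0.0.1 localhost\n"
NEW = """127.0.0.1 localhost
# block entries of the kind an immunize step adds
127.0.0.1 ads.example.net
0.0.0.0   Tracker.Example.org
203.0.113.10 www.example-bank.test   # name redirected to a foreign address
"""

if __name__ == "__main__":
    for change, name, ip, kind in diff_hosts(OLD, NEW):
        flag = "REVIEW" if kind == "redirect" else "ok"
        print(f"{flag:6} {change:8} {name} -> {ip} ({kind})")
```

An empty result means the two snapshots resolve every name identically, even if whitespace or comments differ between them.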