Computer Security & Viruses/Possible WebWatcher Infection



Question
Hi, I have a question regarding finding WebWatcher on my computer. I think my ex-husband installed WebWatcher on my laptop and want to know if there is any way to 1) find the program on the computer; and 2) find where it is sending data to (some kind of username would be great for a subpoena). I am running Symantec NIS 2010, which keeps finding and quarantining a file named atisvc_jekgblrof.exe for "suspicious behavior", but the file seems to keep reappearing. I have also tried XoftSpySE, which didn't find anything. I have pored over the HijackThis logs hoping to find something suspicious but can't find anything (I am NOT a programmer though so I may not know what to look for - just an ordinary run-of-the-mill computer user).
Is there any way to find out definitively whether it's on the computer and where it's sending data to?

Answer
Cassandra,

You might get confused a little, but please review the following posts. You'll be able to find out (manually) if you have it installed, but because you're not experienced you may decide you don't want to try.

About finding where it's sending data or username, you'd definitely need to be an expert. Can't find anything about the exe file you mentioned; best to ask on a Symantec forum if it reappears after installing and running Spybot.

1. forums.spybot.info/showthread.php?t=39778

This page shows how to find and remove it manually. If you do this and find it, you'll be able to make a copy for a record of it.

2. forums.spybot.info/downloads.php?id=8
This is the description page of Spybot's RootAlyzer. Essentially, Spybot should detect and remove it, but scanning with RootAlyzer is an additional rootkit checking tool.

Click the Spybot link on the home page of http://Enrgy21.com and get Spybot Search and Destroy AND RootAlyzer. Note: S&D should be checked for updates at least once a week.

3. www.ehow.com/how_5020305_remove-webwatcher.html

This is an instruction page on how to remove it - if it's there. It doesn't mention RootAlyzer, just Spybot.
About opening in Safe Mode and running Spybot, to download and install the updates, you need to connect to the internet - Safe Mode with "Networking" - but I don't believe opening in Safe Mode is necessary.


To sum up and keep things simple, download and install Spybot, get the updates, scan, remove what you find and reboot. Follow instructions in the first link above, or #3 (steps 4 and 5, but I don't think opening in Safe Mode is necessary), or see if it's there first. If it isn't, I still believe you should have at least Spybot (one more antispyware app would be good too).

As far as XoftSpySE, I'd uninstall it (Add/Remove Programs) and reboot. It's known for a relatively high number of false positives and misses some spyware and adware.

There's also -
www.superantispyware.com and
www.malwarebytes.org
Either one should find and remove it (if it's there).

For maximum detection ability, "temporarily" Show Hidden Files and Folders

1. Click Start, and then click Control Panel.

2. Click Appearance and Themes, and then click Folder Options.

3. On the View tab, under Hidden files and folders, click "Show hidden files and folders", and clear (uncheck) the "Hide protected operating system files" check box.

Please turn the protection back on when you have finished cleaning your system.


-----------------------------

"...now am going to shell out the big bucks to hire a forensic computer tech to hunt down the source."

You may not have to do that - Note the Awareness Technologies WebWatcher http://www.webwatchernow.com/tandc.html Terms of Use and End User Licensing Agreement that requires that it be installed only on computers that the person owns or has permission to monitor and all users of those computers are informed that they are being monitored. Taken from the web site: "Failure to do so may result in breaking of Federal and State laws. Awareness Technologies will cooperate with authorities in investigation of any allegations of misuse. Consult legal counsel if you have questions regarding your specific circumstances."


James Filmer

Expertise

Viruses, Spam, hacking, Rootkits, Trojans, Keyloggers, all other forms of Malware, Internet access problems, slow systems, application and system instability, network abuse, Firewalls, layered security configurations, system maintenance support and general troubleshooting.

Experience

Administrator: Enrgy21.com

Organizations
http://www.linkedin.com/in/enrgy21

Publications
http://forums.mozillazine.org http://episteme.arstechnica.com http://news.cnet.com/security-bites-podcast http://www.linkedin.com/in/enrgy21 http://enrgy21.com

Education/Credentials
Available upon request

©2012 About.com, a part of The New York Times Company. All rights reserved.