NetObserve infection

Guest

I have found a threat called NetObserve being scanned.
Can anybody tell me what it is, what it does, is it harmful and how do I get
it.
Are there special sites to avoid or what can I do to not get infected.
Thanks
Willem
 
Guest

Download the following and run a thorough scan in safe mode:

NOTE: Make certain to update every app before booting into Safe Mode since
you WILL NOT have access to the Internet from Safe Mode.

Ad-Aware - http://www.lavasoftusa.com
http://www.bleepingcomputer.com/forums/tutorial48.html

Spybot S&D - http://www.safer-networking.org/
http://net-integration.net/index.html
http://www.bleepingcomputer.com/forums/tutorial43.html
Make certain not to select any of the permanent protection for Spybot and
DO NOT immunize the system, as this can interfere with WD's Real-time
Protection.

CWShredder - http://www.intermute.com/products/cwshredder.html

SpywareBlaster - www.javacoolsoftware.com/sbdownload.html
JavaCool's free SpywareBlaster automatically adds a lengthy list of
dangerous addresses to IE's Restricted sites. SpywareBlaster is compatible
with AOL's browser; it also works with current versions of the Netscape,
Firefox, and Mozilla browsers. Its most recent iteration is SpywareBlaster
3.4.
http://www.bleepingcomputer.com/forums/tutorial49.html

Spy Sweeper - http://www.webroot.com

WinPatrol - http://www.winpatrol.com

Ccleaner - http://www.ccleaner.com

Also check Windows updates for your OS to make sure you have the latest
security patches and service packs installed:
http://windowsupdate.microsoft.com/

Good luck

Engel
 
Guest

Thanks so far.
I am regularly running a program called Hitmanpro. This includes most of the
programs mentioned by you (CW Shredder, Lavasoft Ad-Aware, Spybot S&D,
Webroot Spy Sweeper, Spyware Doctor, NOD 32 Antivirus, SpywareBlaster,
SpywareBlockList, Spybot S&D Immunize, and some extra programs). That is the
reason why I found the infection in the first place.
I try to find out what programs like NetObserve do, where does it come from
and how do you get it as an infection. Is it part of another program download?

Willem
 
Guest

Hi Willem

NetObserve is a commercial spying program so it is a threat to your privacy
if you didn't install it yourself. It must be manually installed so it's
possible that a family member or someone else who has access to your pc has
installed it.

Here's the link from the makers of this which gives a description of its
features:

http://www.exploreanywhere.com/no-features.php

And here's more info and removal instructions from AV companies

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490

http://securityresponse.symantec.com/avcenter/venc/data/spyware.netobserve.html

Note* Symantec does show it can be removed from the add/remove screen but
it's possible to install this without an uninstaller. There is also a hotkey
combination to bring it out of stealth mode. This could have been changed by
whoever installed it but the default combination is Ctrl+Alt+Shift+F12.

If someone installed NETObserve without an uninstaller (they clicked the
"No" button when prompted during the installation process), you can locate
the NETObserve files in the directory that they chose the files to be
installed into (the default location is
C:\ProgramFiles\ExploreAnywhere\NETObserve\) and delete them manually. This
would remove NETObserve off the system but Symantec does have extra files
listed such as the dll files in the windows folder which are worth checking
for. To make sure all NETObserve files are completely removed, ensure that
netobserve.exe & broadcast.exe are NOT running when you delete the NETObserve
files by first trying to bring it out of hidden mode and then use Task
Manager (Control-Alt-Delete) and check the running processes; end the process
for both of them if found.

If you are sure this is on your system and you didn't install it yourself or
share your pc with another user then contact the makers. This is a commercial
program so it's safe to use their site and hopefully the support desk will be
helpful and make it easy for you to remove it and also answer any questions
about how it got there. Also change all the passwords on your system and for
sites you use, MSN Messenger etc. once you get this removed.

http://www.exploreanywhere.com/supportdesk/

All The Best

Andy
 
Bill Sanderson

It'd be interesting to know what the details of the detection are, and which
product is making the detection. I'm wondering whether this might be a
false positive?
 
Guest

Hello Bill,
I do not recall which program made the call for NetObserve. As I already
told in one of the earlier messages Hitmanpro is a program (run from the
Netherlands where I live) that combines the use of several other programs in
one big setup to check on viruses, trojans, adware, spyware etc. The
NetObserve program is not on my computer anymore. The Hitmanpro program got
it out of the system.
Extra: following the steps Symantec gives on the subject I have checked the
register and there is no sign whatsoever.
I make you a promise: next time it shows up I will tell you for sure.
What is a false positive?
Regards
Willem
 
Bill Sanderson

A false positive is when some entirely innocent bit of code is mistaken for
a particular threat. This happens sometimes when a virus or whatever is
compiled using a freeware toolset of some kind--when that is added to the
definitions, other code compiled using that same toolset may be mistaken for
the real threat. It can be more subtle or simpler as well--but basically,
there's a risk with antispyware applications--all of them--that something
innocent is mistaken for something bad. So it is worth looking carefully at
the lowest level of detail you can see about what has been detected as a
sanity check--is this really something unexpected--like an oddly named .EXE
in \windows\system32, or is it some component of a program I've knowingly
installed.

--
 
Guest

Hi Bill,
Just ran Spyware Doctor and NetObserve was found again!!!
It is very difficult for me to find out if I am running another program that
is starting NetObserve automatically or that is a false positive.
Maybe you can help me.
Willem
 
Dave M

Hi Willem;
Just a comment about Spyware Doctor (even though it's on the short list of
recommended A-S products):

SpywareDoctor has a reputation for false positives. It doesn't use a very well
updated database and actually depends more on heuristics for detection. Using
heuristics means that it looks for resemblances to spyware activity and only
serves as a guide. The concept of using heuristics for detection is great, it
means the product should be able to detect as yet un-written spyware, it's their
implementation that seems less than perfect. We have seen a large number of
these false positives reported even in this non-SpywareDoctor forum, although to
be fair ALL anti-spyware applications do produce some false positives.

The bottom line is unless it's detected by other A-S programs as well, the odds
are good that it's another FP, in that case, you should report the FP to the
author.

How do you like HitmanPro? Seems popular in the NL, but it's not used much in
the States. I like the idea of having multiple layers of protection
automatically handled for me. Sometimes I get the feeling that maintaining all
these A-Vs, A-S, Trojan detectors, Hosts file updates, and Restricted Sites
lists is turning into a full time job.
 
Guest

To Dave and Bill,
First of all about the NetObserve problem. Just before running Spyware
Doctor I did Lavasoft AdAware. No signal whatsoever. What other program do
you advise to run besides Spyware Doctor to find out if it is really a FP. Is
it possible to have NetObserve installed on your machine without you knowing
it or do you deliberately have to do it. So give a full 'yes' when it
wants to install. Because I never did that.
Hitmanpro is pretty good. One big problem is: not all the programs that are
used have a free license. Spysweeper comes only for 14 days or so and NOD32
only 1-2 months I think. So the writer of Hitmanpro has to find new solutions
all of the time. Having a program that runs all the other check-ups
automatically is a pretty nice piece of software.
Regards
Willem
 
Dave M

Hi,
Symantec Norton's AV can detect it as Remacc.Netobserv

You can run an online Symantec scan for free here:

http://tinyurl.com/dggwh

Thanks for the HitmanPro info, now I understand how he can offer it as freeware.
 
Bill Sanderson

I like Dave M's advice--you need another scanner known to detect this
particular item. Then if they disagree, you can decide who to
believe......life is never simple!
 
Guest

Bill/Dave,
If Norton AV is detecting it does this mean that if it is going to be
installed secretly that my Norton AV will alarm me?
Question: Do I have to agree before NetObserve is installed or can it come
'secretly' with another program or cookie or something like that. So, without
me knowing it.
Thanks
Willem
 
Dave M

If it's really installed on your system Norton's should detect it, unless
someone specifically excluded NetObserve from the AV scan or the author tried
and succeeded in hiding it from Norton's through modification of the code
signature. Andy Manchesta indicated in his earlier post that this Commercial
Keylogger must be installed manually. There is NO chance of a driveby download
type of install or piggybacked on something else, so the installing person would
have had to agree to the installation via an EULA or something similar and set
up the connection to a remote computer and password. The person that installed
it would know they installed it. Has Norton's also detected its presence? See
here:

http://www.norton.com/avcenter/venc/data/spyware.netobserve.html
-and-
http://www.exploreanywhere.com/no-intro.php
-and-
http://exploreanywhere.net/support/category.php?catId=5

A side note... from the psychological perspective. Because keyloggers are so
invasive of privacy, you can easily make some assumptions and arouse some
suspicions that may prove to be as false as any false positive. So, if this is
where you're headed... be Really Really sure it's not a False Positive first,
before you make any "inquiries".
 
Guest

Dave/Bill,
Had a positive NetObserve identification again with Spyware. It is giving
the hint: file: C:\Windows\unvise32.exe. That file is uninstall for uninstall
"nik ColorEfexPro 2.0" which are photofilters for Nikon software and Adobe
Photoshop.
What does this mean?
Willem
 
Dave M

A little hard to say, but remember NetObserve is in "stealth" mode and is
designed to hide from you. That's an unusual place for a product uninstaller
to be located, most are located in the program file for the product involved, I
doubt it has anything to do with photofilters. Also remember that someone could
be reading all these forum posts from you, and might be trying to uninstall
NetObserve remotely. While the install must be done at your computer, an
un-install is probably available remotely. Do this, send any files detected as
NetObserve off immediately following the detection for analysis on these
multi-scanner sites:

http://virusscan.jotti.org/
http://www.virustotal.com/flash/index_en.html

Also you might try scanning any file identified as NetObserve with Norton's
after identification and before you re-boot your computer, because the
filename/location could change during the reboot. Have you had a positive
identification of NetObserve in Norton's as well as Spyware Doctor? Have you
removed or quarantined anything yet?
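
An added example, not posted by anyone in this thread: one way to collect facts about a flagged file before acting on a single scanner's verdict. The function name `Get-FlaggedFileReport` is hypothetical; the file path and the two process names are the ones mentioned in the thread.

```powershell
# Added example: gather facts about a file a scanner flagged, without deleting it.
function Get-FlaggedFileReport {
    param([Parameter(Mandatory)][string]$Path)

    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $report = [ordered]@{ Path = $Path; Exists = $exists }

    if ($exists) {
        $item = Get-Item -LiteralPath $Path -Force
        # Hash lets you look the file up on a multi-scanner site.
        $report.SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $report.Company     = $item.VersionInfo.CompanyName
        $report.Description = $item.VersionInfo.FileDescription
        $report.Signature   = (Get-AuthenticodeSignature -FilePath $Path).Status

        # Installed programs register their uninstall command under these keys.
        $keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        $needle = [regex]::Escape($item.Name)
        # Names of installed programs whose uninstall command mentions this file.
        $report.ReferencedBy = @(
            Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                Where-Object { $_.UninstallString -match $needle } |
                ForEach-Object { $_.DisplayName }
        )
    }

    # Process names from the removal notes earlier in the thread (no ".exe" suffix).
    $report.NamedProcesses = @(
        Get-Process -Name 'netobserve', 'broadcast' -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.Name) (PID $($_.Id))" }
    )
    [pscustomobject]$report
}

# File path reported in this thread; substitute the path your own scanner reports.
Get-FlaggedFileReport -Path 'C:\Windows\unvise32.exe' | Format-List
```

A `ReferencedBy` entry naming a program you installed yourself, together with an empty `NamedProcesses` list, is evidence for a false positive but not proof; the hash can be compared against results from a second scanner.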
 
Guest

After the scan with Spyware Doctor I did not let the program fix the problem,
but I used Webroot Spyware Sweeper. No identification at all, while the
"thing" was still in my computer. This morning I ran the Norton online
scan as advised by you and had no identification on problems with
unvise32.exe, while the program was on the computer.
When I let Spyware Doctor fix the problem and immediately run Norton System
Works systemcheck I get a notification for a missing link with unvise32.exe
for the program Nik etc. (photofilter). When NWS has fixed the problem I am
also missing the Uninstall part of the Nik-program in my Program-section.
When I reinstall the filters (so unvise32.exe is there again) and I run
Spyware Doctor I get the message that NetObserve is found again at the same
place.
On the Internet I found a link with Spybuddy, but there is no sign for
Spybuddy on my machine. So I am somewhat confused now. Is it an infection?
Should I take action or is it false alarm?
Sorry for being so persistent but I want to know what is going on and want
to know if somebody is stealth checking on me.
Regards
Willem
 
Dave M

It's yet another False Positive from Spyware Doctor. SpySweeper is fully
capable of correctly detecting NetObserve, as is Norton's AV. Your erroneous
detection should be reported as such to PCTools the author, so they might
correct their misidentification.

http://www.pctools.com/contact/support/guide/site/

Spybuddy, by the way, is from the same lovely company that produces NetObserve
 
Bill Sanderson

I agree. It'd be good to have done the scans at virustotal and jotti.org,
but this looks like a false positive to me. Rest easier, and get the
feedback to the Spyware Doctor folks.

--
 
Guest

Dave, Bill
Thanks. I already notified PCTools. In their reaction they announce a new
definition list that should solve the problem.
Question: can I reinstall my Nikon-filters (including unvise32.exe) without
problems? I uninstalled the program to be sure.
Regards
Willem
 
