Mangar

Spyware At Work


What kinds of things can a person look for if they think that their office network is spying on them? Like, what are some of the most used packages, and how do they show up, and where?

 

Thanks in advance :)

Edited by Mangar

Guest Flashstar

Check the processes that are running in the background, or use HijackThis to look for suspicious things.


I have looked at the processes running, and I think they are OK, but every so often I get this process named "userinit" that kicks off twice when I log in (I don't power off my desktop), and at certain times throughout the day it kicks off again. I can tell because the pointer turns to an arrow w/an hour glass. I always end these processes as soon as I notice them. Sometimes my Outlook will take up all of the available CPU; this is strange also.


Userinit.exe is a key process in the Windows operating system. On boot-up it manages the different start up sequences needed, such as establishing network connection and starting up the Windows shell.

 

Thank you, Google.


This rig seems to run better if I cancel these? It is an AMD/64 3000 Asus M/B. I get "bog downs" if I let them run, or at least I don't get "bog downs" as much. Anything else to check for? I realize that these "spy bots" could hide or something.

 

PS: I also googled it, but I wondered if something is common to disguise itself as that.

Edited by Mangar


The biggest thing to look for is SMS. With that, they don't really need to do much to "spy" on you.

 

If they're after a process name (sol.exe) or the amount of time an app has been open (firefox.exe), or the label of the last disc in your CD drive (Audio CD: Korn), or the amount of CPU time used (mplayer2.exe - 4:20:01), SMS can get it easily. If they want to monitor your network traffic, all they need is to set up a network monitoring system (sometimes an IDS), or do data mining on the firewall / web proxy logfiles.

 

Like you mentioned, there are apps that can hide themselves VERY well that track your system usage. For example, System Sleuth or Spy4PC will watch you kinda close, but there are similar ones that will do this but not have their exe names listed in task manager (forgot which ones - used them though).

 

If you're worried about someone watching remotely, then you'll need to fine-tune your firewall and system services. Also, the userinit.exe bogging down your machine occasionally could be your system firing up the WMI hooks so remote systems can run queries on your machine. Unless you have reason to be watched, it's most likely automated jobs that run to query all the machines in userland, and are usually done to check hotfix levels (patch compliance), software assurance checks, etc...

 

Before you get too paranoid though, don't forget the contract(s)/usage agreements that you (most likely) signed when you started at the company. Most likely, there were clauses in there that said "Your computer usage can and will be monitored, and you can be 'disciplined' if you are found to be breaking any rules. The computer assets belong to the company, and you should have no illusion of privacy while using company equipment."


 

Thanks cybergrunt69, you know your shiRt, this was what I was looking for. I do know about "agreements signed" but how far is too far? I don't browse anything unacceptable at work, but I wonder if they are trying "program launches" or "Key strokes" tracking. I am in the I.T. department, but the network folks I wonder about.

 

Not that I have a bad image of "network folks" but these are strange?

Edited by Mangar


I don't have access to a windows computer right now, so I looked around a bit. I wasn't sure if userinit.exe was supposed to stay resident - and it's not.

 

If it keeps coming back, it could be that there's another app (spyware) that's running occasionally, and restarting it. userinit is supposed to set up your initial environment (network drives, run logon scripts, start shell, etc), then exit. If it's coming back, it's most likely because something else is telling it to. If it isn't spyware that's doing it, your computer may actually be partially crashing (can it???), so it's re-running the session start-up steps. Try checking your registry for userinit key (in "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"), RUN, RUNONCE, and RUNSERVICES keys. Also try looking for any eventlog entries that seem suspicious, as well as any dump files (from DOS prompt: dir /s *.dmp)

 

 

Since you're in the IS dept, I don't think there would be that type of spy apps on people's machines without you or your co-workers knowing about it, but there's always the possibility. I kinda doubt that the networking people would have that type of access, and if they were to do any type of "spying" it would be on the network side, and you'd never even know about it. Usually I see the spy apps used on non-geeks who are suspected of always slacking...

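The registry checks suggested in the post above, as an added read-only PowerShell example (not part of the original thread): it compares the Winlogon Userinit value with the Windows default and lists every Run, RunOnce and RunServices entry for the machine and the current user. The function name Test-UserinitValue is made up for this example, and it assumes PowerShell 3 or later and the stock default of `%SystemRoot%\system32\userinit.exe,`.

```powershell
# Added example: read-only audit of the logon/autostart registry locations named in the post.
# Test-UserinitValue is a hypothetical helper name; nothing here writes to the registry.
$winlogon         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'   # assumed stock default

function Test-UserinitValue {
    param([string]$Value, [string]$Expected)
    # Userinit is a comma-separated list of programs run at logon; the default is
    # the single userinit.exe path followed by a trailing comma.
    $entries = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # String comparison with -ne is case-insensitive, which suits Windows paths.
    $extra   = @($entries | Where-Object { $_ -ne $Expected })
    [pscustomobject]@{
        Raw        = $Value
        Entries    = $entries
        Unexpected = $extra
        Clean      = ($entries.Count -eq 1 -and $extra.Count -eq 0)
    }
}

$wl = Get-ItemProperty -Path $winlogon
Test-UserinitValue -Value $wl.Userinit -Expected $expectedUserinit | Format-List
"Shell = $($wl.Shell)   (default: explorer.exe)"

# Enumerate the autostart keys the post names, for the machine and the current user.
$autoruns = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce', 'RunServices') {
        $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
        if (-not (Test-Path $key)) { continue }      # RunServices is absent on most systems
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $valueName
                Command = $item.GetValue($valueName)
            }
        }
    }
}
$autoruns | Format-Table -AutoSize -Wrap
```

Anything listed under Unexpected, a Shell value other than explorer.exe, or an autorun command pointing at a file you cannot account for is the entry to trace back to its file on disk.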

 

 

That process should disappear maybe 2-3 mins in, if it doesn't then I dunno.


 

You don't know this company, I would not put it past them. Very good suggestions, I will do more researching. With Sarbanes-Oxley audits B:) you never know?

