Andreas Perfora’tus [Stu] wrote:
> adaware doesn't flag it, but...
>
> there is a "webeye.inf" file with the following contents...
>
> ++++++++++++++++++++++++++++++++++++++
> [Version]
> Signature="$CHICAGO$"
> AdvancedINF=2.0
> [Add.Code]
> webeye.ocx=webeye.ocx
> webeyeaudio.ocx=webeyeaudio.ocx
> adv6api.dll=adv6api.dll
> msvcrt.dll=msvcrt.dll
> mfc42.dll=mfc42.dll
> olepro32.dll=olepro32.dll
> [webeye.ocx]
> file-win32-x86=thiscab
> clsid={A8739816-022C-11D6-A85D-00C04F9AEAFB}
> FileVersion=1,0,1,24
> RegisterServer=yes
> [webeyeaudio.ocx]
> file-win32-x86=thiscab
> clsid={317AC6BB-6E8E-11D4-9BF0-005004BBFC86}
> FileVersion=1,0,1,6
> RegisterServer=yes
> [adv6api.dll]
> file-win32-x86=thiscab
> FileVersion=1,0,0,1
> [msvcrt.dll]
> FileVersion=4,20,0,6164
> hook=mfc42installer
> [mfc42.dll]
> FileVersion=4,2,0,6256
> hook=mfc42installer
> [olepro32.dll]
> FileVersion=4,2,0,6068
> hook=mfc42installer
> [mfc42installer]
> file-win32-x86=http://activex.microsoft.com/controls/vc/mfc42.cab
> run=%EXTRACT_DIR%\mfc42.exe
> +++++++++++++++++++++++++++++++++
>
> file properties for webeye.ocx are:
> ver 1.0.1.24 WebGate, Inc. R&&D Center
> ImageViewer for Network Web Camera Server
> Web Camera Server ActiveX Control Module
>
>
> file properties for webeyeaudio.ocx are:
> ver 1.0.1.6 WebGate Inc. R&D Center
> Web Camera Server Audio ActiveX Control Module
> WebEye Audio Player
>
> adv6api.dll has no details, and a google turns up nothing either.
>
> The files are found in "C:\WINDOWS\Downloaded Program Files". They showed
> up just today.
>
> I need to know how to remove it completely, and imunize myself against it
> in future. For now, I've deleted the offending files, and the corresponding
> CLSIDs, and scrubbed my registry clean of any additional entries and links.
>
> The worst part is, the very old version of msvcrt.dll seems to have been
> playing havoc with my system - giving me "access violation" errors.
>
> Any ideas what I've run into, and how, or why?

Looks like ActiveX control loading info, the MS archive it's after
contains a VeriSign cert; I downloaded it and had a look. 7zip can open
those damn "CAB" files that MS likes to hide stuff in. Actually,
they're a MS-dependant archive. I don't belive it to be spyware, but if
you ask me, anything Micro$oft is Spyware....there's just so much
mystery stuff on a Windows machine it's almost impossiple to determine
what's third-party spyware and what's MS's own stuff.

But I'd _never_ allow ActiveX on my machine.



--

=-=-Mod_SSL/GPG/OpenSSL=-==-=-=-=-=-=-=-=Atr2-WBS=-=-=-=-
jayjwa(){
Spam listme@listme.dsbl.org;
MS "Micro$oft has preformed an illegal operation and
will be shutdown. Install Linux or BSD to close.";
domain atr2.ath.cx; contact finger me@domain;
}
=-=-=Linux Tough.Powered By Slackware=-=HTTPS/FTP=-RLF#37=