Horrible monitoring program

Discussion in 'malware problems & news' started by cba321, Jan 11, 2009.

Thread Status:
Not open for further replies.
  1. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    About a year ago I ran spysweeper on my computer and found something called "spector pro". I shrugged and quarantined it, as I've seen a lot of spyware. However, as I go through the records and look at what this thing actually was, I'm terrified.

    It's a super stealth surveillance/spy program that costs money, and records literally everything that goes on on the computer. Companies use it to monitor their computers, parents for kids, etc. This looks like it is no mere trojan that you get from surfing around on the web.

    I asked everyone in my house, and none of them installed this thing. So my question is, how would this have gotten on my computer in the first place? Could I honestly have gotten this from surfing the web? It seems highly unlikely...perhaps a hacker?

    Looking in my spysweeper quarantine (where I had put away the spector pro), it says under "spector pro" that one file was found, and very interestingly, it is a component of spy sweeper itself: ztvunrar3.dll.

    Does that mean that spector pro corrupted spy sweeper, or disguised/mutated itself to look like spysweeper? Could the real thing still be on my computer?
     
    Last edited: Jan 12, 2009
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    cba321, first, welcome to Wilders! Here's more info on ztvunrar3.dll to help you determine if the dll is fake or not. If you can't find Spector Pro in the Add/Remove Programs via the Control Panel, you should contact Webroot's Technical Support Staff and ask them your question.
     
  3. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Hi JRViejo, thanks for the link on ztvunrar3.dll. I need all the info I can get on this file, because all my web searches seem to come up with close to nothing.

    Unfortunately I can't get much of an idea on the file still, as I'm not great with computers and thus am hesitant to explore deeper into the "infected" file, as I don't want to potentially open Pandora's box.

    I plan to call Webroot tomorrow, hopefully they have an answer.

    Another unfortunate thing is that add/remove programs doesn't apply to Spector Pro, as SP is *very* good at hiding itself on a system. The vast majority of anti-spyware programs will pass right over it, as I believe SP has no solid location or files on a computer (something along those lines).

    I've been trying to think of what the causes could be. The "good" cases would be that it is some strange, exotic type of false positive from spy sweeper, or that a virus (one that is less harmful than Spector Pro spyware, though that's not saying much) is screwing around with my computer and setting off false alarms and spreading misinformation.

    The worst case, and probably more likely, option would be that this is the real Spector Pro and a hacker decided to somehow put it inside my spy sweeper as some sort of extra trick, or something similar.
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hi.

    First of all, Spector PRO is NOT malware of any kind.
    You can find out more on their homepage:

    http://www.spectorsoft.com/products/SpectorPro_Windows/entry.asp?refer=12078 <<

    Spector PRO is monitoring software for, for example, corporations,
    but also for home users like you.

    For example, if you think that your husband is having an affair :D
    then you can install Spector Pro and be able to see all keystrokes etc.
    and see what he is doing while he is on the computer.

    And NO, Spector Pro does not install by itself.
    Which means that someone in your house, or anyone that has access to the computer, has installed Spector without you knowing it!

    But just so you know, Spector Pro does NOT install by itself!

    SweX
     
  5. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Hi Swex. I asked everyone in my house, none of them installed this. I can guarantee that 100%.

    The only option, if this is indeed the real Spector Pro, would be that a hacker did it :gack:
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hi again,

    Well, if you can guarantee 100% that no one inside your house who has access to your computer installed it, then it may be a fake Spector Pro.
    But I have NEVER heard of a fake Spector Pro ever.

    Well, if you got hacked, maybe. Don't you have a firewall of any kind installed?

    MY suggestion is actually that you call the developer company,
    and tell them that you can guarantee 100% that no one in your house has installed it, and ask them how to uninstall it completely.
    And they say on their website that you can call them 24/7, all days of the week.
    So do that so you get rid of it once and for all.
    Number: 1-888-598-2788 <<.

    And I doubt that, since it is monitoring software, it would be added to the add/remove programs list, since its purpose is to be invisible to everyone except the person who installed it.
    But if you find it there, then try to uninstall it from there.

    Good luck, please report back and say what they said if you decide to call them.

    SweX
     
  7. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Hey again,

    I actually called Spectorsoft earlier today. They told me Spector Pro does not use the ztvunrar3.dll file so it probably isn't actually SP.

    While I appreciate their courtesy, I'm not really convinced. Can't a hacker put Spector Pro wherever he wants to? The fact that it was supposedly inside my Spy Sweeper itself is pretty suspicious I think, like a hacker figured it could never be detected there?

    Spy Sweeper only found 1 file (ztvunrar3.dll) as Spector Pro, and I know SP uses more than 1 file (though the files are invisible).

    The evidence says it could either not be Spector Pro at all or it could very well be a hacker installed Spector Pro, possibly still on my system.
     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    cba321, your best bet is still contacting Webroot because they might ask you to send them the dll file for further evaluation. Keep us posted.
     
  9. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    This all smells quite like a false positive to me. You REALLY ought to report this to Spy Sweeper's tech support - if they can confirm it as a false positive, you can rest SO much easier. SP people cannot tell you what "name".dll to look for on your computer because, in my direct personal experience, the install generates a RANDOMLY named .dll file to do its job.

    One thing you can do is to search for a randomly named folder attached to c:\windows\system32 with a slew of files all with the same extension. I think the extension is "opm", but my memory could be faulty there - these are the data files, holding everything recorded. Then there may be one file with a .xml extension in there with them.

    BUT, I hope Spy Sweeper's folks can clear this up as an FP.
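
    The folder check described in the post above, as an added example that is not part of the original thread: it lists subfolders of a directory whose files almost all share one uncommon extension, with at most one stray file. The function names, thresholds and extension allowlist are assumptions, and ".opm" appears only in the constructed sample because the poster was unsure of it.

```python
import os
import tempfile
from collections import Counter

# Extensions that legitimately fill whole system folders (assumed allowlist; tune locally).
COMMON_EXTS = {".dll", ".exe", ".mui", ".sys", ".nls", ".inf", ".cat", ".mof"}

def find_uniform_folders(root, min_files=10, max_other=1, ignore_exts=COMMON_EXTS):
    """Return [(folder, dominant_ext, count, other_files)] for immediate
    subfolders of root whose files almost all share one uncommon extension."""
    hits = []
    try:
        entries = list(os.scandir(root))
    except OSError:
        return hits
    for entry in entries:
        if not entry.is_dir(follow_symlinks=False):
            continue
        try:
            names = [f.name for f in os.scandir(entry.path)
                     if f.is_file(follow_symlinks=False)]
        except OSError:  # unreadable folder: skip rather than abort the sweep
            continue
        exts = Counter(os.path.splitext(n)[1].lower() for n in names)
        if not exts:
            continue
        ext, count = exts.most_common(1)[0]
        others = sorted(n for n in names if os.path.splitext(n)[1].lower() != ext)
        if count >= min_files and len(others) <= max_other and ext not in ignore_exts:
            hits.append((entry.name, ext, count, others))
    return sorted(hits)

def make_sample_tree(root):
    """Constructed test data: one data-like folder and two ordinary ones."""
    layout = {
        "qzkfwpxh": [f"{i:04d}.opm" for i in range(12)] + ["index.xml"],
        "drivers": [f"drv{i}.sys" for i in range(15)],
        "mixed": ["a.txt", "b.log", "c.ini"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for folder, ext, count, others in find_uniform_folders(tmp):
            print(f"{folder}: {count} x {ext}, other files: {others}")
```

    A hit is only a candidate for manual review, since legitimate software also keeps folders of same-typed data files; on a real machine the root would be the Windows system directory.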
     
  10. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Regarding my experience with on-demand scans by the Spy Sweeper (older version without antivirus): the frequency of detecting false positives is equal to or greater than finding real malware.
     
  11. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    I would be thrilled if this was a false positive. I'm so tense right now over the possibility of this system monitor being used for malicious purposes.

    The fact that Spy Sweeper detected one of its own files (or a clone at least?) as Spector Pro seems almost too weird to be a false positive to me. Like SP was hidden in the last place someone would think Spy Sweeper would look (if that's even possible to do). But my fingers are crossed.

    Right now I have SW with antivirus, but I honestly forget what I had back when I first detected "Spector Pro".

    I tried calling webroot, but got disconnected. I'll try again tomorrow.
     
  12. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Called Webroot, I don't think they really understood me. Maybe I'll try again.

    I guess I'll need to look into the suspicious file itself more. Maybe I could send it somewhere to be analyzed?
     
  13. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
  14. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Thanks again, I'll look into those as soon as I start tinkering with that file.


    BTW, does anyone think spectorsoft has a mass database with all the ip addresses that their products are installed on? Or that they could do remote removal/detection? Far fetched I know, but I'm grasping at anything at this point.
     
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    cba321, not as far fetched as you think and you should ask Spectorsoft both questions. Do run the file though, via those online scanners, for another opinion.
     
  16. faterider

    faterider Registered Member

    Joined:
    Nov 6, 2004
    Posts:
    64
    Spector can easily be detected with Filemon from Sysinternals. Just fire it up and see if there are reads and writes of long and garbled files in the Windows system directory. It should be pretty often, so you can't miss them ;)
     
  17. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Interesting, thanks for the help :).

    Meanwhile I did a scan with spycop, which says it will detect Spector (and by many accounts really can), and found nothing. Its most advanced settings were NOT on, so I'll configure it for an even better scan later today.

    I'm going to conclude that either:

    a) Spysweeper gave me an unusual false positive or misdiagnosed something else as Spector and spector wasn't ever on my machine

    b) The hacker saw I was onto him (as he easily could with his Spector tool:mad: ) and got rid of Spector, or he got rid of it earlier for unrelated reasons

    c) The hacker did some extreme tinkering or reverse-engineering with Spector to make it unstoppable (probably the most unlikely scenario lol)
     
  18. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hey,
    When I used to use Spysweeper 5.0 to 5.1 it produced a lot of FPs of dangerous malware similar to that.
    I suggest you run SuperAntiSpyware to get a third opinion.
     
  19. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Interesting. Did it detect any keyloggers on your system that turned out to be FP's?
     
  20. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Yes, in fact it did. The same description as the FP you got.
     
  21. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Really?! Do elaborate please! You found spector pro or something as ztvunrar3.dll?

    If this is indeed a FP webroot really should look into this, as finding a super tough keylogger program is not a very pleasant experience!
     
  22. cba321

    cba321 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    48
    Well, Webroot FINALLY gave me an adequate response, saying they have never heard of a Spector false positive or a FP involving ztvunrar3.

    BUT, that doesn't necessarily mean this isn't a FP, correct?
     
  23. faterider

    faterider Registered Member

    Joined:
    Nov 6, 2004
    Posts:
    64
    If you don't feel confident in this matter just give us a FileMon log (~20 seconds max) with filtered obvious entries (like browsers, mail clients and other programs) and we'll tell you right away if there is Spector on your PC ;)
     
  24. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    faterider, no logs can be posted, as per this Wilders policy and they would be removed. These days, only a Moderator can ask for a log.

    cba321, faterider is talking about this: FileMon for Windows, which has been replaced by Process Monitor, which is updated frequently. I'm sure you would be able to determine if Spector shows up in PM's GUI.
     
  25. faterider

    faterider Registered Member

    Joined:
    Nov 6, 2004
    Posts:
    64
    That's why I didn't write "post it" :) I meant to give it by PM to me or someone he knows better.
     