TDS3 doesn't detect Spector Pro 5

Discussion in 'Trojan Defence Suite' started by Sfax, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :D Actually most people, the common user, have an antivirus that they don't update at all.

    Kinda scary, I used to be like that.
     
  2. FanJ

    FanJ Guest

    Hey Blaze (thanks for your kind words ! :D ).

    OK, you asked:
    "Will a good file integrity checker spot Spector 5 pro?"
    At the moment I don't know because I don't have that nasty...
    BUT:
    if
    1. it puts some new files on your system (or deletes some files or changes some files)
    and if
    2. you already had a database made by a good file integrity checker on a clean machine,
    then your file integrity checker would have warned you about those changes once you run that file integrity checker on-demand.

    For example the file integrity checker ADinf32 (not free) can be run using its so-called bios-mode in which it completely bypasses Windows.
    I have never seen that it would not detect a file change (but of course I haven't run all nasties in the world).

    Again:
    I would be very surprised if ProcessGuard on a 2000/XP system would not warn you about changes made by this nasty.
    But I have to leave that topic to others ;)
     
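The baseline-then-rescan routine FanJ describes above, as an added example that is not code from the original thread or from any of the tools it mentions: hash every file on a clean machine into a database, rescan later, and report what appeared, vanished or changed. Because it compares hashes rather than looking for known names, a dropped file with an arbitrary name still shows up. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record a hash for every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def save_baseline(baseline: dict, db_path: Path) -> None:
    """Persist the clean-machine database (in practice: on read-only media)."""
    db_path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(db_path: Path) -> dict:
    return json.loads(db_path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, rescan on demand."""
    with tempfile.TemporaryDirectory() as tmp:
        root, db = Path(tmp) / "tree", Path(tmp) / "baseline.json"
        sys32 = root / "system32"
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"clean kernel32 (constructed)")
        (sys32 / "user32.dll").write_bytes(b"clean user32 (constructed)")
        save_baseline(take_baseline(root), db)  # the "clean machine" database
        # Later some installer drops a file with an arbitrary name, replaces one
        # library and removes another; a name-based watch list knows none of these.
        (sys32 / "qzxprt.dll").write_bytes(b"unknown new module (constructed)")
        (sys32 / "user32.dll").write_bytes(b"altered user32 (constructed)")
        (sys32 / "kernel32.dll").unlink()
        return compare(load_baseline(db), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```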
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Yes John. Valid points, and regardless, no matter what 'Licence Agreements' may be in use by any proggy, a program like TDS still "reserves the right" IMO, to detect one of the above mentioned files/programs. No different to you searching through the folders yourself looking.

    It's then up to the user [as TDS does not auto delete/quarantine/disable] to act upon any findings, so TDS itself is blame free.
    The user can decide. It's their PC and I personally don't care what licence blurb is in, if I want to then delete the said detection I shall do so, period. :)

    My PC, My Decision, My Privacy is My Motto regarding that. :)

    TAS :)
     
  4. FanJ

    FanJ Guest

    Hi John :D

    I understand what you're saying !!!!!
    Valid points as Tassie too already said !

    (And BTW, of course (!!!!!), a file integrity checker is most definitely NOT the be-all and end-all solution, certainly not!!).

    Good weekend to you too John !!! :D

    Warm regards, Jan.
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    I seem to remember that Spector does require admin rights to install?? It's just that my memory is not what it used to be... can someone confirm??

    controler, you're the expert on commercial keyloggers...
     
  6. controler

    controler Guest

    Greetings

    Wow me an expert on something? Thank you illukka

    Yes in fact I did some testing of a couple commercial key loggers.
    If I can find some of those posts here I will post the links.
    In those posts I gave info received from a few companies. I however didn’t keep the old mail. I do remember that I could not get KAV to tag Starcmd.
    The reasons are pretty much the same from all the vendors. If you look at BOClean you see the option for BackOrifice because of a legal battle that took place.
    It appears the reasoning is that commercial key loggers are legit pieces of software installed by an ADMIN, and we know it is perfectly legal for companies to spy on their workers here in the USA. Their attorneys however DO recommend the company advise their workers that they have the right and might be spying on them. The fact is most companies DO monitor their workers' activities. This is why commercial key loggers are not tagged by a lot of vendors.

    Now as you can see from reading the manual from the link below, you will see there are only three files that need to be deployed with this key logger.
    Scroll down to the manual and click on that, then look at Chapter 9.
    In the meantime, I will get another cup of java and look for my old posts.
    None of the commercial key loggers I tested used any form of injection.
    In the day I was working with them, I used an older version of Anti-Keylogger.
    They now have a newer version. In the new version you can exclude files and turn the thing on and off and that's about it.
    The good key loggers are all password protected and completely configurable.
    You can choose to capture screenshots etc. In my tests, I used a Yahoo POP account before they made them a buyable-only option.

    http://www.keylogger.net/

    Bruce
     
  7. controler

    controler Guest

  8. SFAX

    SFAX Guest

    Ok, here's why I started this thread. I have been fixing computers for a living for many years now. The other day I had a client with an infected machine (trojans and spyware) that he bought very cheap from his office, and he was telling me he would pay me extra to make sure there is no keylogger running on it (formatting the drive was completely out of the question since he had a bunch of programs installed that he didn't have the install CD for ...).

    When I have something like that to fix on my table, I usually keep the machine in the shop for one day and I run the following (from a CD that I keep updated regularly): antivirus: F-Prot (if it's FAT32), NOD32, Kaspersky, Trend Sysclean, Avert Stinger, McAfee CleanBoot, A2; antispyware: Ad-aware, SpySweeper and Spybot; antitrojan: TDS-3; then I finish with HijackThis, startup utilities and registry cleaners.

    In this particular case, since my guy mentioned the keyloggers, although I was 100% sure the system was clean (especially since I expected TDS to flag anything suspicious), I ran Keylogger Killer (which didn't detect anything of course) and Anti-Keylogger (which died with an error message immediately - but I didn't pay too much attention to it). So I returned the machine, which was running great, and I charged the guy my usual fee, assuring him 10 times that it's completely impossible to have a keylogger running (he knew the company's administrator used to have it installed on all the machines, but he wasn't sure whether he uninstalled it before he got it).

    After a couple of days, he shows up again with his machine, puts it on the table and shows me that SPECTOR 5 was running on there all this time!!! The administrator returned from a vacation and told him that he forgot to take out the keylogger. So he logs on with a combination of keys, and I could see everything I did a few days ago, with screenshots and everything!!! I saw every key that I typed, all these programs I used to clean it up, everything!!! It was incredible!
    No traces in task manager, no suspicious services, no traces in the registry!
    Bottom line is, I think TDS should be able to detect its presence on a machine. It's a keylogger, so it should be detected no matter how popular it is, and no matter whether it's commercial software or not ...
     
  9. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :D Why isn't big G or W here to answer this and put an end to all disbelievers lol
     
  10. TDSFan

    TDSFan Guest

    To see WHICH keyloggers TDS3 will detect, it's only necessary to go to the main TDS screen interface, click on "Help", then highlight "Primary List" and click on that. Scroll down to the "Keylog" entries in the list (there's a bunch) - none of which are named "Spector".

    If someone reading actually OWNS a copy of this program (you have to purchase it, you can't simply trial it) you could always send a copy of it to DCS and I'm sure they'd add it - the program IS a keylogger, and I can't really conceive of any possible legal ramifications of calling a spade a spade.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, I feel we do indeed need to await a DCS response but this may not be until Monday morning Perth time so further speculation should be avoided :)

    Nearly all AV/AT & spyware companies rely on samples sent to them and on hunting for them using in-house resources. All commercial keyloggers require a payment; I doubt they give free samples to AV/AT companies on request. This in itself could cause a considerable monetary strain on the AV/AT companies as there must be many of this type of program available.

    This particular program, Spector Pro 5, appears not to be detected by many AT/AVs etc., many of which claim to catch this type of program, so IMHO this is not necessarily a TDS3-specific issue but a much wider concern.
     
  12. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Hi all,

    Just my small contribution to this thread. ElbTecScan can be downloaded here:
    http://www.elbtec.de/download/elbtecscan.php4?PHPSESSID=191fb161eb61540bab2db5f439653bb8

    Description

    Spector, eBlaster and Orvell Monitoring are small, unnoticeable PC programs, especially designed to log all computer activities. These programs allow unwanted persons to read everything you have on your computer and even to see what is on your screen. There's no need to point out that credit card numbers, secret numbers or passwords can be read. eBlaster also makes it possible for people to spy via the internet!

    ElbTecScan is a free program for all those who want to find out if they are being spied on with these surveillance programs.
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Out of curiosity, I checked an ElbTecScan scan with Regmon and Filemon. Regmon didn't log anything. Filemon showed ElbTecScan looking for:
    Nick
     
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    ElbTecScan does not detect Spector 5.0 either. According to ElbTecScan it only detects up to Spector 4.0 Pro. Does anyone know of any software that detects Spector 5.0?

    Starrob
     
  15. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Although I have never used it, SpyCop claims to detect Spector and other commercial surveillance software. It has a spot on DSLReports security updates page.

    Nick
     
  16. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :cool: I most likely could get a Spector 5 Pro but I don't want that hell raiser on my PC while trying to submit it lol

    That's a bad ass bugger
     
  17. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    The problem I have is home users aren't part of a company; I've seen commercial keyloggers basically to be used any way you feel lol

    One even hides it in any carrier

    Gives you access to any PC infected

    So I'm thinking it should not be an issue

    If the friend/spouse has TDS and is smart enough to catch someone in the cookie jar it's the damn stalker's fault lol
     
  18. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
  19. SFAX

    SFAX Guest

    Bazooka explains on their site:
    - "Spector stores the logs in "%SystemDir%\netext\"."
    Actually, you can choose the folder during install or anytime afterwards.
    - "Files: wswinntfp.exe, winnetcl.exe, winnetcl.exe, spsetup.exe, spector_eval.exe, webebot.exe, spadmin.exe, sp40setup.exe, netknl.dll, netknlhm.dllmsurlbot.dll, abfrnex.dll, netknlhm.dll, mstfgher.dll, wmhshell.dll"
    AFAIK, the names are chosen randomly.
    Uninstall procedures:
    - "Delete 'HKEY_LOCAL_MACHINE\SOFTWARE \ Classes \ CLSID \ {89044184-F260-4FDD-8FAB-2662814846E5}', if it exists.
    Delete 'HKEY_LOCAL_MACHINE\SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer\Browser Helper Objects \ {89044184-F260-4FDD-8FAB-2662814846E5}', if it exists"
    The keys don't exist. I'm not sure whether Spector even touches the registry.
    - "Browse to the key: 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'. In the right pane, delete the value called 'Sysbot', if it exists."
    Actually, it doesn't start from any of the autorun sections in the registry or windows file ...

    All the above may have been true for Spector 4 or older.
     
  20. FanJ

    FanJ Guest

    Hi,

    I don't like to post this on the TDS-3 forum (a program which I very much like a lot!!!!!).
    I have to apologize to Wayne for this!!!

    I got a reply from SpyCop:
    "Yes, SpyCop detects all Spectorsoft's products."

    I have NOT checked this statement (meaning: installing that nasty and see what would happen).

    As I said:
    I DO apologize to Wayne !
    I didn't know where to post this reply.
    We are here in the TDS-3 forum, but there have been already so much talked about other programs in this thread...
     
  21. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Jan, you might want to write back to them to ask how they obtained their samples of Spectorsoft's products. ;)

    We do not and will not pay for malware. If we started doing that, kids everywhere would be modifying existing open source keyloggers and essentially trying to extort us for money. You don't even know if the anonymous guest that started this thread has a financial tie to the software he mentioned, so as to get us to purchase it to add detection. Maybe he's the author of the Spectorsoft keylogger, who's to know. He seems to have a copy of the keylogger in question, so why doesn't he send it to submit@diamondcs.com.au so we can immediately add detection for it? There are also moral issues - we don't believe virus detection companies should be paying virus authors for writing malware. After all, we're trying to keep your systems clean - paying virus developers does not do anything to help keep your system clean, all it does is encourage the virus developer to keep developing.

    You've got to keep track of the big picture - losing sleep over one individual keylogger that's tame compared to other keyloggers is just a waste of everyone's time, yours and mine included. At the end of the day, TDS3 is the only database with daily database updates (and just look at how many new samples are added with each update), and detects more individual trojans than any scanner, keyloggers included. So don't lose sleep over one program that's "just another keylogger" (insert yawn here), and if somebody really wanted to get a keylogger on your machine they wouldn't bother paying for one when there are so many free ones out there that are even more powerful anyway. There are a lot more dangerous things to worry about out there such as kernel-mode rootkits, and that's where we're concentrating - the real nasties - the things you really should be concerned about.

    Anyway, back to work.
     
  22. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    What I would like to know is why a company like SpyCop can feel free to detect these programs while many AV/AT do not like to detect these.

    Couldn't there be an option in TDS3/TDS4 that would detect commercial keyloggers in addition to trojans? Another question is exactly how hard is it to modify some product from Spector to be used maliciously? If it is relatively easy to do, then if I wanted to get into someone's computer for information, I would not use a Trojan, I would simply modify a commercial product since no one detects these. Why use things that all the AV/ATs target? So my question again is: is it relatively easy or hard to modify a commercial product like Spector?

    Maybe I will start a thread in Process Guard on this, but I was also wondering if Process Guard would prevent installation of Spector Pro 5 if someone else has physical access to the computer and Process Guard had the password protection on.

    I would like to know if there is some product that DCS has that could either block the installation of programs by someone that gains Administrator access to the computer or detect the presence of these programs, or preferably both.


    Starrob
     
  23. SFAX

    SFAX Guest

    Wayne, you got the installer in the email. Check it out and let us know what you think ...
     
  24. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Starrob,
    We add detection for any keylogger we come across, whether we find it or we're sent a sample, but to add detection for something you need a sample of it first. If it's a commercial program we either have to pay for it or wait for somebody to send us a sample. My previous post explains why such software should never be paid for.

    No harder and no easier than any other program.

    The only difference between a 'commercial keylogger' and an 'underground keylogger' is the price tag - detection is no harder for either one once a sample has been obtained, and seeing as it's actually easier to obtain commercial ones than their underground counterparts (not to mention they're free) it actually makes more sense for hackers to use a free underground keylogger rather than paying for a commercial one.

    Cheers,
    Wayne
     
  25. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Thank you kindly sfax, we'll analyse it and have detection built in for tonight's database update in about 5 hours from now. It will also be possible to add generic detection which should catch most if not all future builds, but again I must stress that this should be considered a low-level threat.

    Cheers,
    Wayne
     