SPECTOR PRO


9 replies to this topic

#1 Shadow Warrior

Shadow Warrior

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 01 July 2004 - 09:44 PM

I have read your FAQ, run SpyBot and tried to comply with your other instructions to post here. I am not going to try to trick anyone here or anywhere else. This post is the result of a situation that grows out of my job at work. I am the company Network Administrator. I am not formally trained in computers, but have some skill, aptitude and a keen interest. I do know a lot about the hardware operation, troubleshooting and configuration of single computers from working on my own computer for many years at home. I am learning Networking by leaps and bounds. I have downloaded and am learning to use network analysis tools on the company network. I have been discovering "extra" network activity that should not be there, but did not know what it was. Recently, at the suggestion of one of the email network administration forums I subscribe to, I downloaded Earthlink's free toolbar to block popups and spyware. I ran the anti-spyware module and much to my shock I found that Spector Pro was loaded on every computer in the company. I went to the Spectorsoft website and a few others. This is nasty spyware! Armed with that information I then traced the activity back to the owner's computer and on Monday confirmed that Spector CNE was present on his computer while I was completing some routine software maintenance on his computer. It was not hidden at all and was in the programs listing I had to access to do my job. Below I have attached the HijackThis log from my computer at work. I believe this is illegal to install without informing employees. Some people, in the way they treat people, should watch their backs, but they never see their own behavior as the cause of having to watch so closely. I will understand if the consensus of the forum Administration is not to get involved in this, but please at least post something to that effect in reply to this request to look at the log. Thank you in advance for your time, effort and consideration.


Logfile of HijackThis v1.97.7
Scan saved at 12:22:14 PM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Winnt\System32\smss.exe
C:\Winnt\system32\winlogon.exe
C:\Winnt\system32\services.exe
C:\Winnt\system32\lsass.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NMapWin\bin\nmapserv.exe
C:\Winnt\system32\regsvc.exe
C:\Winnt\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Winnt\system32\msrptsrv.exe
C:\Winnt\System32\WBEM\WinMgmt.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\Explorer.EXE
C:\Winnt\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PDF Complete\pdfsaver.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Winnt\system32\igfxtray.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\CodeStuff\Starter\Starter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\OmniCom\AlphaCom\Alpha.exe
C:\Program Files\OmniCom\AlphaCom\Alpha.exe
C:\Program Files\Common Files\symantec shared\CCLGVIEW.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\davidr\DOWNLOADS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink Toolbar\Pnel.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\Winnt\system32\getvvnd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\Winnt\DOWNLO~1\mqgold1.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Toolbar\Pnel.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\Winnt\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Winnt\system32\igfxtray.exe
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest....bar/mqgold1.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.msn.a...ll/MFImgVwr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7915.4164351852
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Comet.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0BFF640-3438-4840-BA86-E2A0FC111539}: NameServer = 192.168.115.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Comet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Comet.local

END LOG

The computer is an HP-Compaq d330 with W2K fully patched and Norton 2003 IS with firewall up and has the latest virus signatures. I have used MSBA to get things updated the MS autoupdater won't update. I ran SpyBot and cleaned out everything I can find. I know from what I read it is almost impossible to find Spector Pro installed on a computer. This is not cool...

#2 Mike

Mike

    Dark Lord of SWI

  • Emeritus
  • PipPipPipPipPip
  • 514 posts

Posted 03 July 2004 - 11:44 AM

I would advise talking to management about it before trying to remove it. That employee might be under suspicion of selling company information or doing some other undesirable thing. It seems unlikely that only one employee in an office full of people would have spyware installed unless that employee was under investigation.

It might also be some outside party stealing information from the company without that employee's knowledge, in which case they might want the authorities involved.

As for it being illegal, that depends on which state you are in. Some states require employers to disclose it, some don't.
SpywareInfo: How are you gentlemen?? All your base are belong to us!!
Spyware: What you say!!
SpywareInfo: You have no chance to survive. Make your time!

#3 Shadow Warrior

Shadow Warrior

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 03 July 2004 - 03:08 PM

Mike
Thank you for your reply. Management put the program on every computer. I found it on all of them and I found the command console on the owner's computer while doing routine software maintenance. I sent the HijackThis log to you for two reasons. To try to find out if it can be seen, for BOTH of us. Since you are in the business you are in, I thought you could use the information for the future, because as you noted in your post, the same guys you are fighting against can use Spector Pro to do their dirty work. As far as I am concerned, in this case there is no excuse for the owner in this action. There is no suspicion of the employees other than the imaginings of someone (the owner) who has trouble at times just being a decent human being and treats everyone like garbage. As I said in my initial post, this is not cool...
As far as what I intend to do, I am here to learn. I recognize the extreme danger of Spector Pro. If used by the bad guys, trojaned into a computer, it is unlikely the users who write into this forum would ever find it. I imagine that I was lucky I found it at all with the Earthlink toolbar. I have not been able to find it any other way, as it is almost invisible. Most spyware checkers either miss it entirely or at very best will act like they have encountered an error if they get too close to Spector. The one on this Forum is one, X-Cleaner. This is one nasty program for stealing personal information. I hope for all our sakes you guys can work to counter it before too many bad guys get ahold of it. My boss is a jerk, but he is not going to use credit card and banking info and passwords to steal from the employees. He has easier, less illegal ways of stealing from them.

#4 Shadow Warrior

Shadow Warrior

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 03 July 2004 - 03:16 PM

Mike
Oh by the way the HijackThis log is from MY computer at work. The only thing that I am under suspicion for is working hard, trying to do my job...

#5 Shadow Warrior

Shadow Warrior

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 13 July 2004 - 07:50 PM

SWI Defenders of Cyberspace!
I know you are very busy doing good deeds for all sorts of people. I read the posts every day and I am so very glad you are there for us. Thank you all.
I have not just waited for you to do your thing with this. I have been busy myself in helping my own cause here. I have not found a way to shut Spector Pro down, but I have found several things to assist in indicating what is going on in the computer. There is a command line program run in an MSDOS window called netstat -an. It will give the connections on your computer by IP addresses and port numbers. If you do not recognize the IP address, there is always Whois to help figure it out. You should be able to recognize any connections on your internal network and know what other internal computers are connecting to yours. This will also help with other trojans, as if you find a connection on your IP address on port 6667 or some other common trojan communication port you will know you have something going on that shouldn't be there. I also found two websites that helped me a lot in understanding this and other attacking nasties. I will share them with you here. Gibson Research. Steve Gibson has quite a few utilities and links to things to help in the cause; you are fighting the good fight. Another one I found through GRC is Foundstone Inc. This website also has some really good freeware tools to poke, probe and generally help with the cause. Foundstone brought me a program called SuperScan4, a program that is the only scanner/sniffer that would operate. Spector Pro will not let any of these types of programs run, so it is hard to find out what is going on. SuperScan will let you know what is running and communicating on what port on your computer. Again, at least you know what is going on and where it is going on. That is the weakness of trojans. They have to communicate to be any good. So if you can get something to tell you what is going on, you at least have a start on fixing things.
I still have not been able to locate the beast, but in time, in time. I hope you find the information helpful. I just want to share the fruits of my research for the cause. Thank you again for all your good works. May a Star shine upon all your journeys and may the Great Spirit bless you all!
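A worked version of the netstat -an check described in this post, added here as an example and not part of the original thread: it parses constructed `netstat -an` output, skips peers already recorded in an earlier baseline, and reports every other established connection with the reason it stands out (peer outside the internal network, peer port the post names as a common trojan port, or an internal peer not seen before). The sample rows, the 192.168.115.0/24 network and the baseline set are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -an` output on a Windows 2000 host
# (not taken from the thread). Columns: Proto, Local, Foreign, State.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.115.57:139     0.0.0.0:0              LISTENING
  TCP    192.168.115.57:1061    192.168.115.100:445    ESTABLISHED
  TCP    192.168.115.57:1088    192.168.115.100:135    ESTABLISHED
  TCP    192.168.115.57:1102    203.0.113.25:6667      ESTABLISHED
  TCP    192.168.115.57:1110    192.168.115.12:445     ESTABLISHED
  UDP    192.168.115.57:137     *:*
"""

# Port the post names as a common trojan communication port; extend this
# set with whatever your own environment treats as suspect.
SUSPECT_PORTS: Set[int] = {6667}

# One netstat row: proto, local ip:port, foreign ip:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, str, str, str]]:
    """Return (proto, local_ip, local_port, foreign_ip, foreign_port, state) per row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, fip, fport, state = m.groups()
            rows.append((proto, lip, int(lport), fip, fport, state or ""))
    return rows


def flag_connections(text: str, internal_net: str, baseline: Set[str]) -> List[Dict]:
    """Report ESTABLISHED peers not in the baseline, with a reason for each."""
    net = ipaddress.ip_network(internal_net)
    findings = []
    for proto, lip, lport, fip, fport, state in parse_netstat(text):
        if state != "ESTABLISHED":
            continue  # listeners and UDP sockets carry no peer to judge here
        peer = f"{fip}:{fport}"
        if peer in baseline:
            continue  # peer recorded as known-good during an earlier quiet period
        reasons = []
        if ipaddress.ip_address(fip) not in net:
            reasons.append("peer outside internal network")
        if fport.isdigit() and int(fport) in SUSPECT_PORTS:
            reasons.append("peer port commonly used by trojans")
        if not reasons:
            reasons.append("internal peer not in baseline")
        findings.append({"local": f"{lip}:{lport}", "peer": peer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    known = {"192.168.115.100:445", "192.168.115.100:135"}  # constructed baseline
    for f in flag_connections(NETSTAT_SAMPLE, "192.168.115.0/24", known):
        print(f["local"], "->", f["peer"], ";", "; ".join(f["reasons"]))
```

Capture the baseline from `netstat -an` on a machine you believe is clean, then rerun the comparison whenever you suspect extra traffic; the flagged peers are what to look up with Whois or trace to a process.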

#6 howardjdh

howardjdh

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 13 July 2004 - 08:03 PM

From what it sounds like, this Specter Pro program isn't exactly spyware. It sounds like a network traffic monitoring suite. Most people at companies are under the mistaken impression that what they do on their computers is private business. But this isn't true. Because you don't actually own the computer, the company 99% of the time has the right to do whatever they want to it. I once had to help set up a system to track users' surfing habits and block certain pages. Also, users are usually not supposed to install any of their own software. This tracking software is a form of monitoring. If you owned the computers and the network in question and somebody were monitoring you, it might be considered illegal. But as both the computers and the network and the internet connection are most likely company property, they have every right, and some may say responsibility, to monitor how their resources are used.

#7 Shadow Warrior

Shadow Warrior

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 13 July 2004 - 08:48 PM

Howard
This I know. The problem I see with this is not so much from what I found at work as, what can happen to the very same people who post here. I read the details on the SpectorSoft website, so I know what the deal is there. Spector Pro is a nasty program, full of features and all but invisible. In the wrong hands, ugly things happen. The program is only $100.00, so it is not beyond the realm of possibility that it is already where it should not be.
A company has every right to protect its investment. You will get no argument from me there. I would like to think the company would do the right thing in implementing their program to do that, but such is not always the case. Just as there are bad employees, there are also bad employers. That having been said, the reason I post the details of what I have found here is in the same spirit as the rest of the postings here. There are also a lot of good things to combat Adware, Spyware and Trojans in general as well, which is the direct purpose of this forum. May a Star shine on all your journeys and may the Great Spirit bless you.

#8 Shadow Warrior

Shadow Warrior

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 14 July 2004 - 09:37 PM

SWI Defenders of Cyberspace!
OK, I may have found the magic bullet. Another program on Foundstone Inc called Vision does some pretty amazing things. First, and unfortunately, it only works on W2k and NT4, but secondly it is a great port mapper. It captures the activity on your computer's ports AND connects them with the program on your computer causing the ruckus, as well as the FULL path of the program. I now know Spector Pro is mimicking Outlook and where it is in the file structure. Vision has a feature to kill the process as well. So Vision is a very good trojan hunter, looking for activity, telling you where the program is that is causing the activity and allowing you to immediately kill the process. This has to be a good thing. Foundstone needs to expand the operating platform to XP though.
It appears to me that what SpectorSoft has done is take hacker trojans and adapt them to their use to resell to corporations to monitor (spy on) their employees and parents to monitor their children's computer use. The program detects with SuperScan4 (Foundstone) as SubSeven and Netbus2 Pro trojans. Without these programs, there would be no way to know Spector Pro was active on your computer. The only thing I could tell in hindsight (after knowing it was there) was Outlook takes a little longer to load (I thought I was just being impatient) and I had occasional mysterious rebootings in working with Outlook that were not there when the computers were first put in. It is not listed in any task manager listing or any of the usual places even a well above average computer user would know. It does not detect with anti-virus or Ad-Aware/Spybot S&D.
I hope this helps the cause and there is some value added in my post. I am still wondering if there is anything in the HijackThis log above. Again, this is a hacker program that has been improved and stealthed to the point it is all but impossible to find. Except for my job and working hard to learn it, I would never have known Spector Pro was installed on the computer I use at work.
Thank you for being there and fighting the good fight. May a Star shine upon all your journeys and may the Great Spirit bless you all.

#9 Bobt230

Bobt230

    Member

  • New Member
  • Pip
  • 1 posts

Posted 18 October 2004 - 10:27 AM

Shadow, I've read your posts but I don't see where (if any) resolution was found. I am currently trying to completely remove SpectorPro v.4.0. I had uninstalled it; however (no surprise), there are residual components left behind in the registry. Also of interest was your comment talking of the relationship between Spector and Microsoft Outlook. Could you elaborate on that?

#10 Shadow Warrior

Shadow Warrior

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 14 November 2004 - 02:00 PM

I thought I found a relationship between Spector Pro and Outlook, but as it turned out, I did not see what I thought I saw. The problem is that Spector Pro does not show up in any diagnostic or monitoring software if you go looking for it. You can see additional network activity, but you only really notice that if you have a baseline you are aware of. There is no identifiable activity that is directly attributable to Spector Pro by name. This is nasty stuff and if I was a bad guy once I got on someone's system I would be using this as there is no evidence that it is there at all and it does all the things I would want it to do to compromise the system, except send spam.