Spector Professional Edition v5.0 Build 1167

Guest

SPYWARE PROGRAM INFORMATION:
-----------------------------------------------------
Name: Spector Professional Edition
Version: 5.0 Build 1167
URL: http://www.spectorsoft.com


PURPOSE:
-----------------------------------------------------
Stealth Surveillance Software
Keylogger


SETUP FILES:
-----------------------------------------------------
sd50setup.exe
Size: 2,959,088 bytes
Created: 6/27/2006 5:49:AM
Modified: 6/27/2006 5:49:AM


PROCESSES:
-----------------------------------------------------
Explorer.EXE (C:\Windows\system32\lanonbas.dll)


FILES:
-----------------------------------------------------
exetepop.dll
Location: C:\Windows\system32\exetepop.dll
Size: 851,968 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM

lanonbas.dll
Location: C:\Windows\system32\lanonbas.dll
Size: 757,760 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM

3degbio.dll
Location: C:\Windows\system32\3degbio.dll
Size: 143,360 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM

inompat.exe
Location: C:\Windows\system32\inompat.exe
Size: 3,280,896 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM

dotenset.exe (Spector Pro Viewer shortcut points to this file)
Location: C:\WINDOWS\system32\dotenset.exe
Size: 3,522,560 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM


TPR FILES (Clarion Data???):
-----------------------------------------------------
C:\B2293227A96DE89BA4EE79FA27A137ECC480B9E5.tpr (random name)
C:\14FEC30AC7273A1C8C647F70A9CA3EBC09EB1CEC.tpr (random name)


REGISTRY KEYS:
-----------------------------------------------------


NOTES:
-----------------------------------------------------
1. (.tpr) file gets a new random name each time Windows is booted
2. (.tpr) file was in another folder, but after I deleted the folder in safe
mode the file was recreated in the root of C:
3. (.tpr) file is always locked and traced back to the process Explorer.exe
4. Files are always back-dated to (Modified: 8/4/2004 12:56:44 AM)
5. Program runs in stealth mode and is difficult to detect
6. Does not appear in task list
7. Remains resident in memory


ADDITIONAL NOTES:
-----------------------------------------------------
Previous versions of this program phoned home to: U2A1376GF-43TY-245B.com


Whois lookup for U2A1376GF-43TY-245B.com
Whois Server Version 2.0

<SNIP>

Domain Name: U2A1376GF-43TY-245B.COM
Registrar: DSTR ACQUISITION VII, LLC
Whois Server: whois.dotregistrar.com
Referral URL: http://www.dotregistrar.com
Name Server: NS1.SPECTRESOFT.COM
Name Server: NS2.RACKSPACE.COM
Name Server: NS.RACKSPACE.COM
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientTransferProhibited
EPP Status: clientUpdateProhibited
Updated Date: 21-Feb-2006
Creation Date: 01-Apr-2001
Expiration Date: 01-Apr-2008

<SNIP>

Registrant:
Spectorsoft Corp. (U2A1376GF-43TY-245B-COM-DOM)
1555 Indian River Blvd
Bldg B-210
Vero Beach, FL 32960
U.S.
+001.7727705670
(e-mail address removed)

Domain Name: U2A1376GF-43TY-245B.COM
Status: PROTECTED

Administrative Contact:
Doug Fowler (e-mail address removed)
1555 Indian River Blvd
Bldg B-210
Vero Beach, FL 32960
U.S.
+001.7727705670

Technical Contact, Zone Contact:
Ron Chesley (e-mail address removed)
1555 Indian River Blvd
Bldg B-210
Vero Beach, FL 32960
U.S.
+001.7727705670

Record last updated on 21-Feb-2006.
Record expires on 01-Apr-2008.
Record created on 01-Apr-2001.

Domain servers in listed order:

Name Server: ns.rackspace.com
Name Server: ns2.rackspace.com
Name Server: ns1.spectresoft.com
 
