Thursday, April 5, 2007

How To Remove Spector Pro 6.0 Keylogger

Update - June 9, 2009:

  1. There is a new version of Spector Pro called "Spector Pro 2009" available now. It appears to have been released around February of this year. This article refers only to the previous version, 6.0. I have no information about whether the specific procedure described here will still be useful in removing Spector Pro 2009. But the basic techniques should still help you identify any unwanted software on your computer -- look for suspicious system files and registry entries.
  2. I have updated the link to the automated removal tool below, it works now. Note that it has not been tested with Spector Pro 2009, but it seems likely it won't work with the new version. I will post any updates to the software or other information as provided by the author.



Update - March 27, 2008:



One of the commenters (below) has agreed to have his Spector Pro 6 detection/removal tool made available to the public here. Download it. I provide no guarantees as to its usability, but I have run it, and it seems legitimate. Since I have long since wiped this off my machine I also can't say how well it works (that is, it didn't find anything on my PC to remove), but I welcome feedback from others here.

The author has expressed an interest in continuing development on this application to support future releases of Spector Pro if there's enough interest. So if it works or doesn't work, let us know.




Original Article - April 5, 2007:

Recently, I was faced with removing an unwanted spyware program, Spector Pro 6.0, from a computer. For some reason, there is very little good information about recent versions of Spector Pro on the internet. It's not really that hard to detect and remove, but Google turns up a lot of very old and irrelevant data. I had to figure it out the hard way.

Here are the forensics:

1) You can access Spector using a multiple key combination. CTRL-ALT-SHIFT-S is the default, but it can be changed. Just try CTRL-ALT-SHIFT-[everything else] and you should get a dialog that says "Logon - Password" and "Enter Password". It is possible to change the keys used to any combination of CTRL, SHIFT, ALT or WINDOWS, so this might not be the best use of time if nothing comes easily. So read on.

2) Check in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

This key lists in-process COM objects that the Windows shell (Explorer) loads at startup, so it is an autostart location in addition to Run and RunOnce, the usual places. Look for any values with unusual names. I suspect these will be random; in my case there were two suspicious looking values: "olekenot" and "sapumtab". Both turned out to be offenders. Each value's data is a CLSID. Search the registry for that hex CLSID (minus the curly braces) to find out what these things load: expand the matching CLSID key, and in the InprocServer32 subkey the default value holds the path of the binary it loads. In my case these were:

"C:\windows\system32\audotend.dll" and "c:\windows\system32\calitzip.dll"

3) Sort C:\windows\system32 by date. There were a bunch of files with the same modification date (7/5/2006 6:55:01 AM). This happens to be the same date as kernel32.dll. It seems likely that this is intentional, to distract attention from the files. Here are the files I found:

audotend.dll 794,624 bytes
calitzip.dll 802,816 bytes
cmdurnt.dll 1,171,456 bytes
comupcpy.dll 180,224 bytes
engudmag.dll 1,183,744 bytes
erruvbin.dll 274,432 bytes
faxemjob.dll 294,912 bytes
imefuser.exe 970,752 bytes
logundoc32.dll 130,437 bytes
mp4inav.dll 44,018 bytes
sqlipdel32.dll 150,012 bytes
svranbot.exe 6,176,768 bytes
vocetbro.dll 598,016 bytes


To get rid of this thing, just delete the registry keys you found, and delete ALL the files modified on this date except kernel32.dll. You will need to boot in safe mode to do this if the keylogger is running.
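The two checks above (unexplained ShellServiceObjectDelayLoad entries, and a cluster of System32 binaries whose modification time matches kernel32.dll) can be scripted so they are repeatable. The following is an added example written for this post; it is not the blog author's tool and not anything from SpectorSoft. It is read-only: it resolves each SSODL value to its CLSID and then to the InprocServer32 DLL, reports the Authenticode status and SHA-256 of that DLL, and then lists every DLL/EXE in System32 sharing kernel32.dll's timestamp, unsigned ones first, so the handful of files worth preserving and removing stand out. Assumptions: PowerShell 4 or later (for Get-FileHash, -File and -in), the default HKLM/HKCU Classes roots plus Wow6432Node on 64-bit Windows, and that a "NotSigned" result is a lead to inspect rather than proof, since on older Windows versions catalog-signed OS files can also show as NotSigned.

```powershell
# Added triage example for this post (not the blog author's code and not SpectorSoft's).
# Read-only: it reports, it does not delete. Run from an elevated PowerShell prompt.

$ssodlPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# Assumed CLSID roots to search; the Wow6432Node root only exists on 64-bit Windows.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
)

# Get-ItemProperty decorates its output with these PS* members; they are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Map a CLSID (with braces, as stored in SSODL) to the DLL named by InprocServer32's default value.
function Resolve-InprocServer {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

# Authenticode status of a file, plus the signer subject when the signature is valid.
function Get-SignatureLabel {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "Valid: $($sig.SignerCertificate.Subject)" }
    return [string]$sig.Status
}

# SHA-256 so that files you move aside (as the post does) can still be matched up later.
function Get-Sha256 {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    return $null
}

Write-Host "== ShellServiceObjectDelayLoad: value -> CLSID -> InprocServer32 =="
(Get-ItemProperty -LiteralPath $ssodlPath).PSObject.Properties |
    Where-Object { $_.Name -notin $psNoise } |
    ForEach-Object {
        $dll   = Resolve-InprocServer -Clsid ([string]$_.Value)
        $label = if ($dll) { Get-SignatureLabel -Path $dll } else { 'CLSID NOT FOUND' }
        $hash  = if ($dll) { Get-Sha256 -Path $dll } else { $null }
        [pscustomobject]@{
            Value     = $_.Name
            CLSID     = $_.Value
            Binary    = $dll
            Signature = $label
            SHA256    = $hash
        }
    } | Format-Table -AutoSize -Wrap

Write-Host "== System32 DLL/EXE files sharing kernel32.dll's modification time =="
$sys32  = Join-Path $env:SystemRoot 'System32'
$anchor = (Get-Item -LiteralPath (Join-Path $sys32 'kernel32.dll')).LastWriteTime
Get-ChildItem -LiteralPath $sys32 -File |
    Where-Object { ($_.Extension -in @('.dll', '.exe')) -and ($_.LastWriteTime -eq $anchor) } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Bytes     = $_.Length
            Modified  = $_.LastWriteTime
            Signature = Get-SignatureLabel -Path $_.FullName
            SHA256    = Get-Sha256 -Path $_.FullName
        }
    } |
    Sort-Object Signature, @{ Expression = 'Bytes'; Descending = $true } |
    Format-Table -AutoSize -Wrap
```

The first table is the one to read carefully: genuine SSODL entries such as WebCheck or SysTray resolve to Microsoft-signed DLLs, so an entry with a pronounceable random name whose DLL is NotSigned, or whose CLSID cannot be found at all, is exactly the pattern described in step 2. The second table reproduces step 3 without trusting file names or icons; record the hashes before you move or delete anything so that the preserved copies can be matched against the list afterwards.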

Being the curious type, I didn't actually delete these files, but moved them so they couldn't be run if I had missed another process that would try to restore the registry entries. I ran the two EXEs.

"svranbot.exe" is the main Spector viewer GUI application. Upon running, it said "Spector serial number has become corrupt, please reinstall the application" but still took me to the very interesting control panel:



But it didn't show me any of the data files - so the configuration must have gotten screwed up, or it didn't work in its "corrupted" state. The online help is here: http://www.spectorsoft.com/products/SpectorPro_Windows/help/v60/webhelp/

The manual shows how to change the data storage file extensions and locations. It wasn't that hard to find the data files; they all have that same timestamp and were in a subfolder of c:\windows\system32. I preserved them also and will check them out later.

36 comments:

Jesse Griffin said...

My computer too has been infected by Spector Pro 6.0. I did a Google search and your blog was the only result containing "Spector Pro 6.0" that wasn't trying to sell it to me.

I followed your instructions, but they didn't produce the same results. This is because Spector is randomized (the name at least) during each install.

I did find the .exe, though. Just go into C:\WINDOWS\system32 and sort all the files by type and find the "Applications". Then, just click on each one until a dialog box asking for a password appears. After that, do whatever you want with it. Delete it, guess the password, or leave it be and continue to be spied upon.

While your tutorial didn't quite produce the results that I wanted, it did "inspire" me to find the heinous application. For that, thank you.

Nameless Wanderer said...

Thank you so much for this post... I'm concerned about the possibility of Spector being installed on my computer in the near future, so I'll keep this as a reference... Again, thank you tons.

Thanks! said...

Thank you so much for this!

the code was (CNTRL+ALT+SHIFT+d)

and the password was my name!

my parents are so stupid =,=

Thanks for this, I was spied upon for over 2 years, and then I was lookin for a solution and found this, this is my lucky day!

Anonymous said...

you are my hero

Anonymous said...

I installed SP6 in a chroot jail and wrote a program to help you remove it. I don't remember if I ever got around to having it delete the registry entries, but it finds the files. It will even find the data files for you. It takes 10 minutes or so on a Pentium 4 2.4 GHz machine with a 30GB hard drive. You'll have to remove the files yourself, but it will find them. morgrum@gmail.com

Donna Ohl said...

Given that Spector disables itself if it feels it is being run on a second computer, I would think we can spoof a second computer and then Spector would disable itself.

Does anyone know what Spector keys off of to determine which computer it's running on?

If so, let me know!

morgrum said...

Donna, someone with advanced debugging skills could figure that out, but the quickest/easiest way to disable SP6 would be to find an unexplained entry in:
HKLM\software\microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

...and then locate all instances of the CLSID to which it points in:
machine\software\Classes\

In at least one of those CLSID keys or their subkeys, you should find a reference to a binary (in my case, M:\WINDOWS\system32\drvolmax.dll).

I would delete the CLSID reference from ShellServiceObjectDelayLoad and the file referenced in that CLSID key (or remove all read/write/execute permissions from it), then for safe measure either delete or remove write permissions from that CLSID key for all users.

After rebooting, since that binary will no longer load, the rest of the Spector software should also fail to load.

morgrum said...

Not to shoot down your idea though, Donna. It's an interesting concept. It's just that it could be very difficult to assess what it's doing with the information it gathers while installing, so trying to spoof it might take considerable effort.

If you somehow got your hands on the serial that was used though, you could just install it somewhere...

Infected said...

Hi everyone,

Thanks for the useful info about Spector. I'm in the process of rooting it out of my system. One thing I would like to know is when it was installed on my pc, whether information was sent out and if information was sent, where it did go to. Any suggestions on how to find that out?

Anonymous said...

Pretty sure I have this blasted thing on my computer, I'm not very good with comps, if anyone would care to help me babystep through this it would be greatly appreciated.

Anonymous said...

After catching my teenage daughter doing everything she was told not to do, on the computer, I decided to install this type of software in the event that I ever give her the chance to use my computer again. Because of your posts on how to get rid of it, it must be a pretty good one. Thanks for the help.

Anonymous said...

I did what Jesse did, worked ! Thanks. I was lucky that the .exe file started with a "b", so did not take me that long. To speed up the process, in explorer you make the name of company that made the software appear, lots of "microsoft", files which I skipped. Can hardly imagine Spector would go that far to name their software as made by MS.

Anonymous said...

I spent two days trying to figure out how to get rid of Spector Pro. All sorts of guides, hotkey program so that Ctrl+Alt+Shift+S would open something else, and even System Restore, wiping out lots of valuable data on my computer (yet sadly, Spector Pro survived that.)

I spent hours trying to do what the original post said, even wikied some information on how registries worked; though I gave up when I couldn't figure out how to expand the LSID code thingy. The post by an Anonymous on February 6th, 2009 (not me, before me), helped me out the most, along with Jesse's post recommended by it. The "search for anything without Microsoft" bit is what ultimately helped me find it. Here's what I, a tiny man with little computer experience on Windows XP, had to do:

1) Go to My Computer, "C" drive, WINDOWS, then system32.
2) Right click. On View, choose 'Details'. On Arrange Icons By, choose 'Type' and 'Show In Groups'.
3) Go to the part with the bold heading "Applications."
4) Keep scrolling for a file at 6,400 KB or possibly more (depending on whether SpectorPro is updated in the future to become larger.) The comma makes it stand out. Also, the file will have a blue-white tile icon, so as not to stand out and stay hidden. If you find a large file size you suspect is Spector Pro, try opening it. If it asks for a password (like Jesse said), it's the one you'll want to delete.


Though actually, when I was searching for the file, I was actually looking through each of the files individually for the Company name, and if it wasn't Microsoft (following Anonymous's advice to the best I could, as I didn't know how to filter results by Company name), I'd try to open it. When I finally found the file that was Spector, I realized its large file size compared to everything else, wishing I had known the size to search for, which may have saved me a few hours.

Unlike file name, company name, or the icon, file size isn't superficial, but an actual attribute of what the file is. Even if in the future Spector changes one of the superficial properties of the file to be hidden further, the file size will either stay obviously large or get even more obvious to notice. Arranging the icons by Size may also be a good idea.

Now that I try Ctrl+Alt+Shift+S, and see that no password dialogue box appears, I am soooo relieved! I just wish I had found this guide before I tested system restore, losing all the photos, art, and downloads I had added onto this computer...

Anonymous said...

Same anonymous here as the last poster. Apparently, my method did no good, as after I restarted, Ctrl+Alt+Shift+S worked again. It was still really obvious finding the file again and deleting it (only took 3 seconds this time), though it's no doubt gonna recreate itself the next time I restart. I'm gonna have to find a way to kill whatever is recreating it...

Anonymous said...

To complete my comment trilogy, I followed Morgrum's comment and found the key-thingy that seemed suspicious, and deleted it along with the recreated file-thingy in My Computer according to my first comment's method. When I restarted my computer now, the Logon dialogue box didn't reappear, and when I checked the registry and My Computer, the two I deleted failed to reappear. And as for the values with suspicious names, in the registry, every time I saw a name it was 8 letters, could be pronounced (not like xlmp8a2z), and didn't seem to stand for anything. And if looking for the thingy (I don't know much of this computer-jargon) in C:/Windows/System32, looking for the large file size of 6400'ish when organized by "Type" and "Groups" was a lot easier for me than figuring out what to do with the LCSID-thinger.

Thanks, I wouldn't have been able to get rid of Spector without this blog.

THoK said...

I installed Spector Pro 6.0 as I thought I would be getting some nifty network spying tools to see what was coming in to and going out of my system.

It did not perform as expected, and this was one of a few sites I visited which provided instructions that were completely ineffective in removing this garbage.

It's one thing to mask software from prying eyes, but to prevent an Administrator from uninstalling it? That's just gross negligence.

So, I found that the best way to remove it from your computer, assuming that the suggestions here did not work, is to reformat the partition on which Windows resides.

This appears to be the only sure-fire way of removing this pig, unless you keep really good logs of what was installed or uninstalled.

I figured this was a good chance to perform a clean XP+SP3 install anyway, and tweak the heck out of it.

Liz said...

I bought Spector Pro 5 with eBlaster in 2004 and it worked okay - we only needed it for a couple of years - and spent about $180. I had to download them, and they came with no manual or documentation. Just receipts in my email.

Just after a year, I had some trouble with accessing Spector Pro, and customer service could not have been more rude. Furthermore, they wouldn't answer my question unless I bought the latest version...with no price break! $99.95 would be the cost, and I had only owned it a little more than a year.

And they wouldn't tell me how to uninstall, of course...nothing, unless I upgraded. I couldn't access it, so I couldn't uninstall it and I couldn't use it. And they were SO rude.

Now the PC is old and I need to get some files off before I format the hard drive. But it's at a standstill...always at 100%. I've removed everything I can, but it still has those two apps running. I need to remove them so that it won't take me weeks to copy some documents.

Thank you so much for this information! I hope that SpectorSoft Corp. is suffering. Customer service and technical support are rock bottom.

Anonymous said...

Unfortunately, the link to the removal tool is now a 404. Can we please have a repost? Thanks so much!

Jamie said...

Crap. That server went offline a month ago, it's unplugged and sitting in my basement. I will try to get it online again or at least pull a copy down in the next few days. Email me directly if you don't hear back soon on this post, but I can't think where else I have a copy.

Anonymous said...

I would love to get a copy of the removal tool as well.

Seems it has found its way onto my wife's laptop without her or my knowledge. I followed the guide, seem to have gotten some of it out of there, but would like to see if I have missed anything.

Thanks!

Tim

Thank You!!! said...

I too, would like the link. My computer is infected with this from my parents, and I would like to know how to remove it without hurting my registry.

I was easily able to find the .exe file under C:/WINDOWS/system32 and delete it.

What processes does Spector run in

-CTRL+ALT+DELETE/Processes?

Thanks a lot for this! It's helpful!

Jamie said...

"What processes does Spector run"

Spector Pro hides itself in the task list, so you won't see it there at all.

Jamie said...

The link to download the automated removal tool has been updated, it works now.

coastalprinting said...

I need Spector Pro v4.
Had it stored on a server that went south and the backup is corrupt.
I bought and paid for 4 licenses and have the valid serial number etc.
Just need the app.
Can you help?
emp@coastalprint.com

Anonymous said...

Jamie is right. The download link worked. Thanks Jamie

G. said...

I currently have spector 6.0 installed on my computer; I have followed Jamie's instructions and accessed the registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
there I have found these registries:
Ansarzip
CDBurn
PostBootReminder
SysTray
WebCheck
WPDShServiceObj
I have yet to delete any of these files because I have absolutely no idea which one could possibly be Spector's registry. I am quite afraid that I may delete something that is necessary for my computer to function. I would greatly appreciate it if someone were to tell me which file to delete so that I may finally rid my computer of this accursed Spector 6.0.

Arben said...

Go to system32 and sort the files by size, u will find it easily as it is big in size, was 4mb for me. anyway this app caused me black screen of death in windows 7 and it took me 2 hours to realize how to delete it.

Anonymous said...

once you delete the actual application file does that mean you have screwed up the program to the point of no return?

ps THANK YOU! i will be forever grateful.... =)

kaareeenftw said...

Alright, I've tried all this.. One problem..... I'm not administrator on this computer, so I cant delete any of the files in this windows32 folder.. Am I out of luck?

Jamie said...

@kaareeenftw...

Yes. There are ways to access a windows machine's hard disk without being an administrator, though, such as boot from a bootable CD. Google around for that.

But if you aren't the administrator, most likely the person who owns the machine (er, your employer?) put the software there so they could monitor you, and would know if you removed it. If you don't think the machine owner installed it, then ask them to deal with it.

inplainsight said...

I have Spector Pro installed but the subscription ran out...... can not get the program to open using the control del alt + key..... any suggestions?

inplainsight said...

I put spector pro on home laptop and our pc- subscription ran out sometime ago - works fine on the pc but the laptop I can't get the program to open - when I key in the command to open up the password - nothing happens.......... can u help so I can see the sites and people blocked? I am more than willing to purchase a new subscription, but need the info

Caleb said...

I know this is an old post, but I can't find anywhere else about a topic like this! My parents have spector pro on my laptop and I've been trying for months to get it off, now I'm buying a new laptop BUT i have to transfer all of my files from one to the other for school. In doing so, will this disable spector pro since it is being put on two computers? Or will it stay on one of the two computers? Or will it just copy over and stay on both?

Anonymous said...

Sometimes spector pro needs to stay on the computer. My son was hanging around someone I did not trust and I confronted him several times. Have you ever tried stopping one of your kids from doing something when they are out of sight? If you say you can stop them from doing something away from home you're lying. Anyway I was sitting on his bed talking to him while he was on his computer and all of a sudden a message came up on his monitor from this boy I don't care for (I know it was him because he told me it was). I decided to search around for software to check on him and came up with Spector Pro. I am so glad I did. I found out that when my son was chatting online he had got a girl pregnant. My son and the other boy were threatening this girl if she said anything. They were even planning on hurting her to cause a miscarriage... So thank you spector pro for saving God knows what would have happened. I pray that no son or daughter finds this site because it may someone's life. Without all this crap you're writing, spectorsoft via email after I contacted them suggested reformatting your drive and they would be more than happy to walk me through it and suggested freeware to back up files, so I think a lot of you lie when you say spectorsoft are rude.

Anonymous said...

Sometimes spector pro needs to stay on the computer. My son was hanging around someone I did not trust and I confronted him several times. Have you ever tried stopping one of your kids from doing something when they are out of sight? If you say you can stop them from doing something away from home you're lying. Anyway I was sitting on his bed talking to him while he was on his computer and all of a sudden a message came up on his monitor from this boy I don't care for (I know it was him because he told me it was). I decided to search around for software to check on him and came up with Spector Pro. I am so glad I did. I found out that when my son was chatting online he had got a girl pregnant. My son and the other boy were threatening this girl if she said anything. They were even planning on hurting her to cause a miscarriage... So thank you spector pro for saving God knows what would have happened. I pray that no son or daughter finds this site because it may someone's life. Without all this crap you're writing, spectorsoft via email after I contacted them suggested reformatting your drive and they would be more than happy to walk me through it and suggested freeware to back up files, so I think a lot of you lie when you say spectorsoft are rude. I am sure most of the posts on here are from kids that found out the parents had put it on their computer.

Jamie said...

@Anon: before computers, kids had secrets. Deal with it. People should know how to remove spyware from their computers.