How To Remove Spector Pro 6.0 Keylogger
Update - June 9, 2009:
- There is a new version of Spector Pro called "Spector Pro 2009" available now. It appears to have been released around February of this year. This article refers only to the previous version, 6.0. I have no information about whether the specific procedure described here will still be useful in removing Spector Pro 2009. But the basic techniques should still help you identify any unwanted software on your computer -- look for suspicious system files and registry entries.
- I have updated the link to the automated removal tool below, it works now. Note that it has not been tested with Spector Pro 2009, but it seems likely it won't work with the new version. I will post any updates to the software or other information as provided by the author.
Update - March 27, 2008:
One of the commenters (below) has agreed to have his Spector Pro 6 detection/removal tool made available to the public here. Download it. I provide no guarantees as to its usability, but I have run it, and it seems legitimate. Since I have long since wiped this off my machine I also can't say how well it works (that is, it didn't find anything on my PC to remove), but I welcome feedback from others here.
The author has expressed an interest in continuing development on this application to support future releases of Spector Pro if there's enough interest. So if it works or doesn't work, let us know.
Original Article - April 5, 2007:
Recently, I was faced with removing an unwanted spyware program, Spector Pro 6.0, from a computer. For some reason, there is very little good information about recent versions of Spector Pro on the internet. It's not really that hard to detect and remove, but Google turns up a lot of very old and irrelevant data. I had to figure it out the hard way.
Here are the forensics:
1) You can access Spector using a multiple key combination. CTRL-ALT-SHIFT-S is the default, but it can be changed. Just try CTRL-ALT-SHIFT-[everything else] and you should get a dialog that says "Logon - Password" and "Enter Password". It is possible to change the keys used to any combination of CTRL, SHIFT, ALT or WINDOWS, so this might not be the best use of time if nothing comes easily. So read on.
2) Check in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
This key contains components that will be loaded at boot (in addition to Run and RunOnce, the usual places). Look for any values with unusual names. I suspect these will be random; in my case there were two suspicious-looking entries: "olekenot" and "sapumtab". Both turned out to be offenders. Each value's data is a CLSID; search the registry for the hex CLSID (minus the curly braces) to find out what these things load. Expand the CLSID key, and in the InprocServer32 subkey you will see the default value with a DLL path. In my case these were:
"C:\windows\system32\audotend.dll" and "c:\windows\system32\calitzip.dll"
3) Sort C:\windows\system32 by date. There were a bunch of files with the same modification date (7/5/2006 6:55:01 AM). This happens to be the same date as kernel32.dll. It seems likely that this is intentional, to distract attention from the files. Here are the files I found:
audotend.dll 794,624 bytes
calitzip.dll 802,816 bytes
cmdurnt.dll 1,171,456 bytes
comupcpy.dll 180,224 bytes
engudmag.dll 1,183,744 bytes
erruvbin.dll 274,432 bytes
faxemjob.dll 294,912 bytes
imefuser.exe 970,752 bytes
logundoc32.dll 130,437 bytes
mp4inav.dll 44,018 bytes
sqlipdel32.dll 150,012 bytes
svranbot.exe 6,176,768 bytes
vocetbro.dll 598,016 bytes
To get rid of this thing, just delete the registry keys you found, and delete ALL the files modified on this date except kernel32.dll. You will need to boot in safe mode to do this if the keylogger is running.
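The two checks in steps 2 and 3 can be scripted. The PowerShell below is an added example written for this page; it is not from the original article or from the removal tool's author. It assumes a standard Windows layout (%SystemRoot%\System32, CLSIDs registered under HKLM or HKCU Software\Classes) and an elevated prompt. It resolves every ShellServiceObjectDelayLoad value to the DLL its CLSID points at, checks whether that DLL carries a valid Authenticode signature, and lists System32 files whose last-write time matches kernel32.dll's. It only reports; nothing is deleted or moved.

```powershell
# Added example, not part of the original article. Reports the two artifacts the
# steps above inspect by hand: ShellServiceObjectDelayLoad entries resolved to
# their InprocServer32 DLLs, and System32 files whose last-write time equals
# kernel32.dll's. It only reports; nothing is deleted. Run from an elevated prompt.

function Get-SsodlEntry {
    # Step 2: every value under ShellServiceObjectDelayLoad is a CLSID that the
    # shell loads at logon. Resolve each one to the DLL path it points at.
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $key = Get-Item -Path $ssodl -ErrorAction SilentlyContinue
    if (-not $key) { return }

    foreach ($name in $key.GetValueNames()) {
        $clsid = [string]$key.GetValue($name)
        $dll   = $null
        # The CLSID may be registered machine-wide or only for the current user.
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
            $inproc = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path -Path $inproc) {
                # GetValue('') reads the key's (Default) value; expand %SystemRoot% etc.
                $dll = [Environment]::ExpandEnvironmentVariables((Get-Item -Path $inproc).GetValue(''))
                break
            }
        }
        $sig = if ($dll -and (Test-Path -Path $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'n/a' }

        [PSCustomObject]@{
            ValueName = $name
            CLSID     = $clsid
            Dll       = $dll
            Signature = $sig   # 'Valid' for the shell's own objects; 'NotSigned' deserves a look
        }
    }
}

function Get-FileSharingKernel32Timestamp {
    # Step 3: files whose modification time was set to match kernel32.dll.
    # Subfolders are included because the data files were found in one.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $k32   = Get-Item -Path (Join-Path $sys32 'kernel32.dll')
    Get-ChildItem -Path $sys32 -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -eq $k32.LastWriteTime -and $_.FullName -ne $k32.FullName } |
        Select-Object FullName, Length, LastWriteTime
}

'== ShellServiceObjectDelayLoad entries =='
Get-SsodlEntry | Format-Table -AutoSize
"== System32 files sharing kernel32.dll's timestamp =="
Get-FileSharingKernel32Timestamp | Format-Table -AutoSize
```

On a regularly patched system the timestamp match is noisy, because Windows servicing gives many legitimate files identical timestamps; treat that list as triage input and cross-check each hit against the Signature column and the SSODL results rather than deleting on the timestamp alone. As the article notes, deletion itself is best done from safe mode so the logger is not running.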
Being the curious type, I didn't actually delete these files, but moved them so they couldn't be run if I had missed another process that would try to restore the registry entries. I ran the two EXEs.
"svranbot.exe" is the main Spector viewer GUI application. Upon running, it said "Spector serial number has become corrupt, please reinstall the application" but still took me to the very interesting control panel:

But it didn't show me any of the data files - so the configuration must have gotten screwed up, or it didn't work in its "corrupted" state. The online help is here: http://www.spectorsoft.com/products/SpectorPro_Windows/help/v60/webhelp/
The manual shows how to change the data storage file extensions and locations. It wasn't that hard to find the data files; they all have that same timestamp and were in a subfolder of c:\windows\system32. I preserved them also and will check them out later.