Guest
SPYWARE PROGRAM INFORMATION:
-----------------------------------------------------
Name: Spector Professional Edition
Version: 5.0 Build 1167
URL: http://www.spectorsoft.com
PURPOSE:
-----------------------------------------------------
Stealth Surveillance Software
Keylogger
SETUP FILES:
-----------------------------------------------------
sd50setup.exe
Size: 2,959,088 bytes
Created: 6/27/2006 5:49 AM
Modified: 6/27/2006 5:49 AM
PROCESSES:
-----------------------------------------------------
Explorer.EXE (C:\Windows\system32\lanonbas.dll)
FILES:
-----------------------------------------------------
exetepop.dll
Location: C:\Windows\system32\exetepop.dll
Size: 851,968 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM
lanonbas.dll
Location: C:\Windows\system32\lanonbas.dll
Size: 757,760 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM
3degbio.dll
Location: C:\Windows\system32\3degbio.dll
Size: 143,360 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM
inompat.exe
Location: C:\Windows\system32\inompat.exe
Size: 3,280,896 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM
dotenset.exe (Spector Pro Viewer shortcut points to this file)
Location: C:\WINDOWS\system32\dotenset.exe
Size: 3,522,560 bytes
Created: 9/23/2001 8:00:00 AM
Modified: 8/4/2004 12:56:44 AM
TPR FILES (Clarion Data???):
-----------------------------------------------------
C:\B2293227A96DE89BA4EE79FA27A137ECC480B9E5.tpr (random name)
C:\14FEC30AC7273A1C8C647F70A9CA3EBC09EB1CEC.tpr (random name)
REGISTRY KEYS:
-----------------------------------------------------
HKCR\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}
HKCR\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}##
HKCR\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\InprocServer32
HKCR\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\InprocServer32##
HKCR\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\InprocServer32##ThreadingModel
HKCR\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\ProgID
HKCR\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\ProgID##
HKLM\Software\Classes\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}
HKLM\Software\Classes\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}##
HKLM\Software\Classes\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\InprocServer32
HKLM\Software\Classes\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\InprocServer32##
HKLM\Software\Classes\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\InprocServer32##ThreadingModel
HKLM\Software\Classes\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\ProgID
HKLM\Software\Classes\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\ProgID##
HKCR\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}
HKCR\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}##
HKCR\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}\InprocServer32
HKCR\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}\InprocServer32##
HKCR\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}\InprocServer32##ThreadingModel
HKLM\Software\Classes\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}
HKLM\Software\Classes\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}##
HKLM\Software\Classes\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}\InprocServer32
HKLM\Software\Classes\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}\InprocServer32##
HKLM\Software\Classes\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}\InprocServer32##ThreadingModel
NOTES:
-----------------------------------------------------
1. (.tpr) file gets a new random name each time Windows is booted
2. (.tpr) file was in another folder but after I deleted the folder in safe mode the file was recreated in the root of C:
3. (.tpr) file is always locked and traced back to the process Explorer.exe
4. Files are always back-dated to (Modified: 8/4/2004 12:56:44 AM)
5. Program runs in stealth mode and is difficult to detect
6. Does not appear in task list
7. Remains resident in memory
ADDITIONAL NOTES:
-----------------------------------------------------
Previous versions of this program phoned home to: U2A1376GF-43TY-245B.com
Whois lookup for U2A1376GF-43TY-245B.com
Whois Server Version 2.0
<SNIP>
Domain Name: U2A1376GF-43TY-245B.COM
Registrar: DSTR ACQUISITION VII, LLC
Whois Server: whois.dotregistrar.com
Referral URL: http://www.dotregistrar.com
Name Server: NS1.SPECTRESOFT.COM
Name Server: NS2.RACKSPACE.COM
Name Server: NS.RACKSPACE.COM
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientTransferProhibited
EPP Status: clientUpdateProhibited
Updated Date: 21-Feb-2006
Creation Date: 01-Apr-2001
Expiration Date: 01-Apr-2008
<SNIP>
Registrant:
Spectorsoft Corp. (U2A1376GF-43TY-245B-COM-DOM)
1555 Indian River Blvd
Bldg B-210
Vero Beach, FL 32960
U.S.
+001.7727705670
(e-mail address removed)
Domain Name: U2A1376GF-43TY-245B.COM
Status: PROTECTED
Administrative Contact:
Doug Fowler (e-mail address removed)
1555 Indian River Blvd
Bldg B-210
Vero Beach, FL 32960
U.S.
+001.7727705670
Technical Contact, Zone Contact:
Ron Chesley (e-mail address removed)
1555 Indian River Blvd
Bldg B-210
Vero Beach, FL 32960
U.S.
+001.7727705670
Record last updated on 21-Feb-2006.
Record expires on 01-Apr-2008.
Record created on 01-Apr-2001.
Domain servers in listed order:
Name Server: ns.rackspace.com
Name Server: ns2.rackspace.com
Name Server: ns1.spectresoft.com
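A hunt script for the artifacts listed above, added here as an example; it is not part of the original post or of SpectorSoft's software. It matches the five component names in system32, the identical back-dated created/modified pair they all carry, the 40-hex-digit .tpr name in the root of C:, the DLL loaded inside Explorer.EXE and the two CLSIDs, over constructed listings embedded in the script (the zzqplmn.dll entry, the kernel32.dll timestamps and the all-zero CLSID are hypothetical). On a real host you would feed it your own directory walk, a module listing for Explorer.EXE (tasklist /m) and an exported list of registry key paths.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple

# Indicators copied from the post's FILES, PROCESSES, REGISTRY KEYS and NOTES sections.
SPECTOR_COMPONENTS = {"exetepop.dll", "lanonbas.dll", "3degbio.dll", "inompat.exe", "dotenset.exe"}
SPECTOR_CLSIDS = {
    "{D849DA39-4F5D-40DB-9821-F0350BFED493}",
    "{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}",
}
# Every dropped component carries this same created/modified pair (note 4).
BACKDATED_CTIME = datetime(2001, 9, 23, 8, 0, 0)
BACKDATED_MTIME = datetime(2004, 8, 4, 0, 56, 44)
# The data file: 40 hex digits plus ".tpr", sitting in the root of C: (notes 1 and 2).
TPR_PATTERN = re.compile(r"^[0-9a-f]{40}\.tpr$", re.IGNORECASE)
CLSID_PATTERN = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)


class FileEntry(NamedTuple):
    path: str
    created: datetime
    modified: datetime


def _split(path: str):
    """Split a Windows path into (parent, name), both lower-cased for comparison."""
    parent, _, name = path.rpartition("\\")
    return parent.lower(), name.lower()


def check_files(entries: Iterable[FileEntry]) -> List[str]:
    """Flag known component names, the forged timestamp pair, and root .tpr files."""
    findings = []
    for e in entries:
        parent, name = _split(e.path)
        in_system32 = parent.endswith("\\system32")
        if in_system32 and name in SPECTOR_COMPONENTS:
            findings.append(f"component {e.path}")
        elif in_system32 and (e.created, e.modified) == (BACKDATED_CTIME, BACKDATED_MTIME):
            # Weaker signal: a build that renames its files would still carry the
            # identical forged pair, but a genuine OS file could too, so report separately.
            findings.append(f"backdated-pair {e.path}")
        if parent == "c:" and TPR_PATTERN.match(name):
            findings.append(f"tpr-datafile {e.path}")
    return findings


def check_explorer_modules(modules: Iterable[str]) -> List[str]:
    """Return modules loaded into Explorer.EXE whose file names are known components."""
    return [m for m in modules if _split(m)[1] in SPECTOR_COMPONENTS]


def check_registry(keys: Iterable[str]) -> List[str]:
    """Return key paths (HKCR or HKLM\\Software\\Classes) carrying either Spector CLSID."""
    hits = []
    for key in keys:
        m = CLSID_PATTERN.search(key)
        if m and m.group(0).upper() in SPECTOR_CLSIDS:
            hits.append(key)
    return hits


def scan(files, modules, keys) -> Dict[str, List[str]]:
    return {
        "files": check_files(files),
        "explorer_modules": check_explorer_modules(modules),
        "registry": check_registry(keys),
    }


# Constructed sample input modelled on the post's listing (not real collector output).
SAMPLE_FILES = [
    FileEntry(r"C:\Windows\system32\exetepop.dll", BACKDATED_CTIME, BACKDATED_MTIME),
    FileEntry(r"C:\Windows\system32\lanonbas.dll", BACKDATED_CTIME, BACKDATED_MTIME),
    FileEntry(r"C:\Windows\system32\3degbio.dll", BACKDATED_CTIME, BACKDATED_MTIME),
    FileEntry(r"C:\Windows\system32\inompat.exe", BACKDATED_CTIME, BACKDATED_MTIME),
    FileEntry(r"C:\WINDOWS\system32\dotenset.exe", BACKDATED_CTIME, BACKDATED_MTIME),
    # Hypothetical renamed component: unknown name, same forged timestamps.
    FileEntry(r"C:\Windows\system32\zzqplmn.dll", BACKDATED_CTIME, BACKDATED_MTIME),
    # Benign file with different timestamps (hypothetical values).
    FileEntry(r"C:\Windows\system32\kernel32.dll", datetime(2004, 8, 4, 0, 56, 58), datetime(2006, 1, 10, 3, 0, 0)),
    FileEntry(r"C:\B2293227A96DE89BA4EE79FA27A137ECC480B9E5.tpr", datetime(2006, 6, 27, 6, 0, 0), datetime(2006, 6, 27, 6, 0, 0)),
    # A .tpr whose name is not 40 hex digits must not match.
    FileEntry(r"C:\report.tpr", datetime(2006, 6, 27, 6, 0, 0), datetime(2006, 6, 27, 6, 0, 0)),
]
SAMPLE_EXPLORER_MODULES = [r"C:\WINDOWS\Explorer.EXE", r"C:\WINDOWS\system32\ntdll.dll",
                           r"C:\Windows\system32\lanonbas.dll"]
SAMPLE_REGISTRY_KEYS = [
    r"HKCR\CLSID\{D849DA39-4F5D-40DB-9821-F0350BFED493}\InprocServer32##ThreadingModel",
    r"HKLM\Software\Classes\CLSID\{3CFA9736-31D5-47D3-A5D5-B6C8C21B7607}",
    r"HKCR\CLSID\{00000000-0000-0000-0000-000000000000}",  # hypothetical unrelated CLSID
]

if __name__ == "__main__":
    for category, hits in scan(SAMPLE_FILES, SAMPLE_EXPLORER_MODULES, SAMPLE_REGISTRY_KEYS).items():
        print(category)
        for h in hits:
            print("  ", h)
```

The exact (created, modified) pair is reported under its own label rather than merged with the name matches because system32 on a patched machine is full of files sharing one modified date; only the full pair, combined with a name that is not in the OS manifest, is worth chasing. Note 3 (the .tpr file is locked by Explorer.exe) is why the module check targets Explorer.EXE specifically.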