[W-Unit]

The reason I'm asking this is because I think the person I share my computer with may have installed a keylogger called Spector Pro. The only evidence I have of this possibility is physical, not electronic, and has nothing to do with any activity on the computer itself.

I have googled as much information on this as possible, but none of the processes that it supposedly runs under appear on my process list. I cannot find any associated registry values either, and I get an error message if I try to un-register the associated DLLs saying that the specified module couldn't be found.
SUPERAntiSpyware doesn't find it either.

So.. I'm just making sure.. with all of this going on, I'm definitely clean, right?

Just in case it's relevant, both myself and the person I think may have installed the keylogger are system admins.
Both of us are quite computer literate, so no matter how obscure the method, I'd like to know of any way there is that he could've done this as it's always a possibility.

Then again, there's also the possibility I'm wrong and there's no keylogger installed at all. But I need to be sure.

Thanks

Edited by W-Unit, 06 December 2007 - 07:44 PM.

[Advertisements]

GET IT OFFFFFF!!!!

So i did some reading ... this guy made the mistake of leaving his mailbox logged in so I checked the confirmation mail from Spector Pro and found that the default keystroke for bringing up the configuration of the program is CTRL+ALT+SHIFT+S ... so I tried this keystroke and sure enough THERE IT IS asking me for the password.

This is scary. How is it *so* invisible?
I even removed the password from my friend's Windows account once I found out for sure that it was installed and it was no more visible from there than from my account.

How the *heck* do I get rid of this????
HOW DOES IT HAVE NO REGISTRY INFO AARLASEHORHWEIH

Also noteworthy: when I perform this keystroke, my password is requested through a process called endebras.exe
A search reveals that this executable is located in the system32 directory.
I have used the CACLS command from the command prompt to deny the other guy access... that should prevent any immediate reading of the logs and stuff hopefully.
Cancelling or closing the password request ends this process
Google has zero search results for this file as well...
ugh.

Oh, just one more thing I noticed: whenever I log on, an illegible little window gets minimized. I'm pretty sure it has to do with this Spector program. It looks like it's being minimized into the "start" button itself.

And if you're wondering why I'm sharing a computer with this guy, well, it's a long story, but in short, it's his computer, but he's also a controlling and possessive freak. HE owes ME for something huge a long time ago, so it's not his place to be doing stuff like this behind my back. No idea what he plans to do with this program, but at the least it's insulting to my intelligence.

Edited by W-Unit, 06 December 2007 - 10:53 PM.

[W-Unit]

GET IT OFFFFFF!!!!

So i did some reading ... this guy made the mistake of leaving his mailbox logged in so I checked the confirmation mail from Spector Pro and found that the default keystroke for bringing up the configuration of the program is CTRL+ALT+SHIFT+S ... so I tried this keystroke and sure enough THERE IT IS asking me for the password.

This is scary. How is it *so* invisible?
I even removed the password from my friend's Windows account once I found out for sure that it was installed and it was no more visible from there than from my account.

How the *heck* do I get rid of this????
HOW DOES IT HAVE NO REGISTRY INFO AARLASEHORHWEIH

Also noteworthy: when I perform this keystroke, my password is requested through a process called endebras.exe
A search reveals that this executable is located in the system32 directory.
I have used the CACLS command from the command prompt to deny the other guy access... that should prevent any immediate reading of the logs and stuff hopefully.
Cancelling or closing the password request ends this process
Google has zero search results for this file as well...
ugh.

Oh, just one more thing I noticed: whenever I log on, an illegible little window gets minimized. I'm pretty sure it has to do with this Spector program. It looks like it's being minimized into the "start" button itself.

And if you're wondering why I'm sharing a computer with this guy, well, it's a long story, but in short, it's his computer, but he's also a controlling and possessive freak. HE owes ME for something huge a long time ago, so it's not his place to be doing stuff like this behind my back. No idea what he plans to do with this program, but at the least it's insulting to my intelligence.

Edited by W-Unit, 06 December 2007 - 10:53 PM.

[Gravity Gripp]

The good news is that it should be easy to remove. Go into your control panel and open up "Add/Remove Programs". There should be any entry in there for Spector there. Then just click the "Change/Remove" button. Remember, if your account is a limited account, you may not be able to remove it. If for what ever reason Spector does not show up on that list, we can go from there.

You could also try and guess the password.

Edited by Gravity Gripp, 06 December 2007 - 11:56 PM.

[dsenette]

http://www.spectorsoft.com/products/ <--that's their website....might want to try to read some of the manuals or contact support

i've got the enterprise edition at work...and you can run the prduct COMPLETELY invisible to the user on the other end

unfortunately this bugger can be pretty complicated to remove and i believe you can only remove the logging through the spector console...which should only be available on your friend's account since he installed it....

[W-Unit]

Nope, no icon in Add/Remove programs, as advertised on the Spector site...

I can get into the console from either account, however to do this I must enter the secret keystroke (which I know to be CTRL+ALT+SHIFT+S), at which point I am prompted to enter the password.

I could crack the password I suppose (I've already tried guessing to no avail).. but I would have to find where it's stored and what hash was used to encrypt it. Let's hope for MD5 or something easy like that...

Man, this is incredible. Windows shouldn't let you do stuff like this. I now fail to see how AntiVirus is useful since apparently programs can install themselves to be so invisible Windows itself doesn't even think it's there. Unbelievable.