How to determine if Spector Pro Spyware is running on my computer?



Donna
05-18-08, 02:57 AM
I found a receipt in my husband's credit card bill for something I think
might be something called Spectre Pro Spyware wireless keylogger.

I presume the software must "phone home" somehow the keylogging activity.

Is there any way, perhaps by looking at network activity, that I can tell
if my husband bought it for use on my winxp computer?

J S
05-18-08, 03:18 AM
Donna wrote:
> I found a receipt in my husband's credit card bill for something I think
> might be something called Spectre Pro Spyware wireless keylogger.
>
> I presume the software must "phone home" somehow the keylogging activity.
>
> Is there any way, perhaps by looking at network activity, that I can tell
> if my husband bought it for use on my winxp computer?

Dear, Dear, Dear - you don't trust him - he doesn't trust you
......suggest the answer lies not in the Software - but in a heart to
heart talk?

..or even a Marriage Guidance Counsellor ...

best wishes for the future

aljuhani
05-18-08, 05:15 AM
On May 18, 10:57 am, Donna <donnaoh...@yahoo.com> wrote:
> I found a receipt in my husband's credit card bill for something I think
> might be something called Spectre Pro Spyware wireless keylogger.
>
> I presume the software must "phone home" somehow the keylogging activity.
>
> Is there any way, perhaps by looking at network activity, that I can tell
> if my husband bought it for use on my winxp computer?

It is all suspicions but anyway;

To eliminate keyloggers, download and install "Spybot search and
destroy" to scan your system.
To sniff network activities, download and install "Ethereal"
http://www.ethereal.com

For other issues above, Ask Dr. Phil http://www.drphil.com ....!!

all the best.

-aljuhani

Sebastian G.
05-18-08, 06:42 AM
aljuhani wrote:


> To eliminate keyloggers, download and install "Spybot search and
> destroy" to scan your system.


A lot of people still believe in scanning. Quite sad. Even further,
considering what Spybot S&D claims about a provably clean and secured
system, it would be even more useless on a surely infected system.

But what qualification of security expertise should we expect from someone
who's abusing MSIE as a webbrowser...

aljuhani
05-18-08, 07:07 AM
On May 18, 2:42 pm, "Sebastian G." <se...@seppig.de> wrote:
> aljuhani wrote:
> > To eliminate keyloggers, download and install "Spybot search and
> > destroy" to scan your system.
>
> A lot of people still believe in scanning. Quite sad. Even further,
> considering what Spybot S&D claims about a provably clean and secured
> system, it would be even more useless on a surely infected system.
>
> But what qualification of security expertise should we expect from someone
> who's abusing MSIE as a webbrowser...

We can only suggest available tools.

Donna
05-18-08, 07:57 AM
On Sun, 18 May 2008 05:07:31 -0700 (PDT), aljuhani wrote:

> We can only suggest available tools.

Hi everyone,

I agree that scanning probably won't work because the software runs on a
windows system.

Looking at the disk from another system might work but that would take
daily removal of the hard drive and I'd have to know what to look for
anyway.

I was asking here because I am assuming that the network activity back to
the mother ship would be the weak point in detecting this software.

I'm still convinced there will likely be signature network activity
pinpointing the use of this software - which - by the way - all of you
should also check for. But, what do we check specifically for? And how?

Googling for "Spector network activity" I found this article
http://www.interhack.net/pubs/spector/ which said there is a certain
connection to the domain U2A1376GF-43TY-245B.COM with this software.

May I ask how you would recommend a novice look for connections (perhaps in
the past) to this domain and how to block them moving forward?
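As an added example (not code from the thread, nor from any tool or vendor named in it), here is a small Python script that does what this post asks from a defender's side: it scans a connection log for contact with the domain named in the interhack article, treating subdomains of it as hits too (a generalization beyond the single name in the post), and produces HOSTS-file lines that point each observed name at 127.0.0.1 so the machine can no longer resolve them. The log format, the sample log lines and all function names are constructed for this example.

```python
"""Look for past contact with a known spyware domain in a connection log
and build HOSTS-file entries to sinkhole it.  Added example; the log
format, sample lines and function names are constructed, not taken from
the thread or from any product."""
import re
from datetime import datetime

# Domain the thread cites from the interhack.net article on Spector.
KNOWN_BEACON_DOMAINS = ("U2A1376GF-43TY-245B.COM",)

# Constructed sample log in a hypothetical "date time client-ip hostname"
# layout, like a home router or DNS-proxy log might produce.  The last
# line is a near-miss that a naive substring search would wrongly flag.
SAMPLE_LOG = """\
2008-05-17 22:14:03 192.168.1.10 www.google.com
2008-05-17 22:14:09 192.168.1.10 U2A1376GF-43TY-245B.COM
2008-05-17 23:01:44 192.168.1.12 mail.yahoo.com
2008-05-18 01:30:17 192.168.1.10 update.u2a1376gf-43ty-245b.com
2008-05-18 02:50:00 192.168.1.10 notu2a1376gf-43ty-245b.com
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)$")


def normalize(host):
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return host.strip().rstrip(".").lower()


def matches_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    h, d = normalize(host), normalize(domain)
    return h == d or h.endswith("." + d)


def find_beacons(log_text, domains=KNOWN_BEACON_DOMAINS):
    """Return (timestamp, client_ip, hostname) for every log line that
    contacted one of the watched domains; unparsable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, client, host = m.groups()
        if any(matches_domain(host, d) for d in domains):
            hits.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                         client, host))
    return hits


def hosts_block_lines(hosts_seen, sink="127.0.0.1"):
    """HOSTS-file lines pointing each observed hostname at a sinkhole.
    A HOSTS entry matches one exact name and never covers subdomains,
    so every variant seen in the log gets its own line."""
    names = sorted({normalize(h) for h in hosts_seen})
    return [f"{sink} {name}" for name in names]


def merge_into_hosts(existing, new_lines):
    """Append only the lines not already present, so re-running the
    script does not duplicate entries in the HOSTS file."""
    present = {ln.strip() for ln in existing.splitlines()}
    additions = [ln for ln in new_lines if ln not in present]
    if not additions:
        return existing
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + "\n".join(additions) + "\n"


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for when, client, host in hits:
        print(f"{when:%Y-%m-%d %H:%M:%S}  {client} -> {host}")
    block = hosts_block_lines(h for _, _, h in hits)
    print(merge_into_hosts("127.0.0.1 localhost\n", block))
```

On Windows XP the HOSTS file lives in the directory named by the Tcpip DataBasePath registry value, by default %SystemRoot%\System32\drivers\etc, and editing it needs an administrator account. Two caveats apply: the scan only finds contacts that your router, proxy or firewall actually logged, and the HOSTS sinkhole only works when the software resolves the name through the normal Windows resolver; a program that carries a hard-coded address would bypass it, so a firewall rule for the observed address is the stronger complement.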

Sebastian G.
05-18-08, 07:59 AM
aljuhani wrote:

> On May 18, 2:42 pm, "Sebastian G." <se...@seppig.de> wrote:
>> aljuhani wrote:
>>> To eliminate keyloggers, download and install "Spybot search and
>>> destroy" to scan your system.
>> A lot of people still believe in scanning. Quite sad. Even further,
>> considering what Spybot S&D claims about a provably clean and secured
>> system, it would be even more useless on a surely infected system.
>>
>> But what qualification of security expertise should we expect from someone
>> who's abusing MSIE as a webbrowser...
>
> We can only suggest available tools.


No, we can also suggest methods and procedures. That is, ensuring that
there's no keylogger in first place.

VanguardLH
05-18-08, 08:48 AM
"Donna" wrote in <news:TiRXj.8983$nl7.1206@flpi146.ffdc.sbc.com>:

> I found a receipt in my husband's credit card bill for something I think
> might be something called Spectre Pro Spyware wireless keylogger.
>
> I presume the software must "phone home" somehow the keylogging activity.
>
> Is there any way, perhaps by looking at network activity, that I can tell
> if my husband bought it for use on my winxp computer?

If this is a shared computer, save all your data files to removable
media. Then reformat the drive. When the husband asks, say you don't
know why the drive got erased except for some strange error message that
popped up saying "Critical system error: Spectre Pro buffer overrun
generated raw disk error." Maybe he'll think twice before he tries to
install it again. In the meantime, get your own computer and lock it
up.

Steve B.
05-18-08, 08:52 AM
On Sun, 18 May 2008 00:57:41 -0700, Donna <donnaohl26@yahoo.com>
wrote:

>I found a receipt in my husband's credit card bill for something I think
>might be something called Spectre Pro Spyware wireless keylogger.
>
>I presume the software must "phone home" somehow the keylogging activity.
>
>Is there any way, perhaps by looking at network activity, that I can tell
>if my husband bought it for use on my winxp computer?

I would visit their website
http://www.spectorsoft.com/products/SpectorPro_Windows/systemrequirements.asp
and call the support department to find out what the key sequence is
to bring up the application. If it works then you know it is there.

Also you could install and run
Windows Defender (from Microsoft website)
Ad-Aware
SpyBot Search and Destroy.

One of the three should find it if it is there.


You could also get your own copy and put on your husband's computer so
you can monitor his e-mail to see if he is monitoring yours.

Steve B.

aljuhani
05-18-08, 08:53 AM
On May 18, 3:59 pm, "Sebastian G." <se...@seppig.de> wrote:
> aljuhani wrote:
> > We can only suggest available tools.
>
> No, we can also suggest methods and procedures. That is, ensuring that
> there's no keylogger in first place.

Absolutely agree but needed to define an initial start point.

Now given the nature of such software, monitoring Network traffic
would be the appropriate method to start with.

G. Morgan
05-18-08, 03:56 PM
Donna wrote:

>I found a receipt


Sure you did.....

Going for a new trolling record, "Donna"?

--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

Donna
05-19-08, 03:05 AM
On Sun, 18 May 2008 09:52:54 -0400, Steve B. wrote:

> http://www.spectorsoft.com/products/SpectorPro_Windows/systemrequirements.asp
> and call the support department to find out what the key sequence is
> to bring up the application. If it works then you know it is there.

When I pressed CTRL-ALT-SHIFT-S, nothing happened (that is the default
method of bringing up the program) but according to what I read, the
Spector program can be configured to bring it up using any other key
combination.

I also checked the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad and C:\windows\system32 as described at
http://www.farmfreshmeat.com/2007/04/removing-spector-pro-60-keylogger.html

It doesn't seem to be here. That's good. I'll go to the Spector web site to
see what I can find out about disabling the program anyway, just to be
sure.

Donna
05-19-08, 03:09 AM
On Sun, 18 May 2008 09:52:54 -0400, Steve B. wrote:

> You could also get your own copy

In the spirit of the best defence is a good offense, I went to the Spector
web site to find out something very interesting.

They disable the keylogging software remotely if they find you using it on
another machine. Hmmm... how do they know if you've used it on another
machine.

Taking advantage of that 'feature', all we'd have to do is make our
machines "look" like another machine and the software would disable itself.

Pretty simple. Now, the question is, how does Spector "know" what machine
it's running on? And, how would we spoof that item?

Does anyone know what to do to "spoof" another computer?

Note: Here is their license information saying what I summarize above:
http://www.spectorsoft.com/support/SpectorPro_Windows/faq.html
The Spector Pro software license agreement allows a user to install on an
additional computer, if the new installation is being done to a computer
that is replacing the original computer which Spector Pro was installed.
The original computer must be taken out of service.

This policy allows customers who are upgrading to newer computers the
ability to continue to use their Spector Pro license with their new
computer. This transfer of the license from an old computer to a new
computer can only be done once. Any installations of a Spector Pro serial
number on more than two computers or on 2 or more computers simultaneously,
will result in the Spector Pro serial number being disabled and the
software being deactivated.

Jim Watt
05-19-08, 03:26 AM
On Sun, 18 May 2008 20:56:58 +0000 (UTC), G. Morgan <no_em@il.invalid>
wrote:

>Going for a new trolling record, "Donna"?

It seems to be a reasonable topic for discussion
and is hardly promoting the product.

What might be nice would be to see some helpful
comments instead of the usual sniping.
--
Jim Watt
http://www.gibnet.com

VanguardLH
05-19-08, 08:55 AM
"Donna" wrote in <news:AAaYj.9093$nl7.7023@flpi146.ffdc.sbc.com>:

> In the spirit of the best defence is a good offense, I went to the Spector
> web site to find out something very interesting.
>
> They disable the keylogging software remotely if they find you using it on
> another machine. Hmmm... how do they know if you've used it on another
> machine.
>
> Taking advantage of that 'feature', all we'd have to do is make our
> machines "look" like another machine and the software would disable itself.
>
> Pretty simple. Now, the question is, how does Spector "know" what machine
> it's running on? And, how would we spoof that item?
>
> Does anyone know what to do to "spoof" another computer?

Oh, so the "problem" wasn't what you claimed it to be in your first
post.

G. Morgan
05-19-08, 12:53 PM
Jim Watt wrote:

>>Going for a new trolling record, "Donna"?
>
>It seems to be a reasonable topic for discussion
>and is hardy promoting the product.
>
>What might be nice would be to see some helpful
>comments instead of the usual sniping.


I've seen this individual trolling in several other NG's including
alt.comp.freeware, news.software.readers, and alt.home.repair.

Same Modus operandi is taking shape here already. Don't let me stop y'all
from replying - this one has the potential for 300+ deep.



--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

David H. Lipman
05-19-08, 03:23 PM
From: "G. Morgan" <no_em@il.invalid>


| I've seen this individual trolling in several other NG's including
| alt.comp.freeware, news.software.readers, and alt.home.repair.

| Same Modus operandi is taking shape here already. Don't let me stop y'all
| from replying - this one has the potential for 300+ deep.


Thanx!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

execadmin158@gmail.com
05-19-08, 04:30 PM
On May 19, 1:23 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> | I've seen this individual trolling in several other NG's including
> | alt.comp.freeware, news.software.readers, and alt.home.repair.

G. Morgan is an idiot.
He can't stand it when people have manners and use the groups
properly.
I googled for these posts and found them all to be reasonable and
informative with pictures and URLs and phone numbers all.
They are limited to certain newsgroups. They are all on topic. They
all are cheerful and attentive.
What Morgan doesn't like is the system working. He really can't stand
when it works well.
Look up HIS posts for example.
He's got nothing to offer except to malign good people's reputations.
Idiot.
G. Morgan is an idiot.

Someone Else
05-19-08, 04:55 PM
In
Message-ID:<092cc84cbdcfe0e01a12937085a5afdbnp@goofysplace.com>,
G. Morgan <no_em@il.invalid> wrote:

>I've seen this individual trolling in several other NG's

You claim this person is the same as you've seen elsewhere. You
claim this person is not Donna. What do you see in the headers
that matches the troll you've seen?

David H. Lipman
05-19-08, 05:02 PM
From: <execadmin158@gmail.com>



| G. Morgan is an idiot.
| He can't stand it when people have manners and use the groups
| properly.
| I googled for these posts and found them all to be reasonable and
| informative with pictures and URLs and phone numbers all.
| They are limited to certain newsgroups. They are all on topic. They
| all are cheerful and attentive.
| What Morgan doesn't like is the system working. He really can't stand
| when it works well.
| Look up HIS posts for example.
| He's got nothing to offer except to malign good people's reputations.
| Idiot.
| G. Morgan is an idiot.

The information I have seen "G. Morgan" post is contrary to what you state.

You both have rights to your respective opinions.

The difference is Google Groupers don't have the credence of those who use News Clients.

BTW: Keylogger questions are indeed OT for alt.internet.wireless which negates your
statement.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

G. Morgan
05-19-08, 07:41 PM
Someone Else wrote:

>>I've seen this individual trolling in several other NG's
>
>You claim this person is the same as you've seen elsewhere. You
>claim this person is not Donna. What do you see in the headers
>that matches the troll you've seen?

Do your own research if you're that interested. Use 'her' old nym for
Google's archive though.

<donna.ohl@sbcglobal.net>

http://groups.google.com/groups?as_q=&num=100&scoring=d&as_epq=&as_oq=&as_eq=&as_ugroup=&as_usubject=&as_uauthors=donna.ohl%40sbcglobal.net&lr=&as_drrb=q&as_qdr=&as_mind=1&as_minm=1&as_miny=1981&as_maxd=19&as_maxm=5&as_maxy=2008&safe=off
--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

G. Morgan
05-19-08, 07:46 PM
David H. Lipman wrote:

>The information I have seen "G. Morgan" post is contrary to what you state.
>
>You both have rights to your respective opinions.


Thanks David, on a side note... I bookmarked one of your pages just yesterday
on the topic of security. Thanx for that>>
http://www.claymania.com/removal-trojan-adware.html


--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

Sebastian G.
05-19-08, 07:50 PM
G. Morgan wrote:

> David H. Lipman wrote:
>
>> The information I have seen "G. Morgan" post is contrary to what you state.
>>
>> You both have rights to your respective opinions.
>
>
> Thanks David, on a side note... I bookmarked one of your pages just yesterday
> on the topic of security. Thanx for that>>
> http://www.claymania.com/removal-trojan-adware.html


If you carried these out, then... well... you spent a lot of time for
achieving absolutely nothing.

G. Morgan
05-19-08, 09:24 PM
Sebastian G. wrote:

>G. Morgan wrote:
>
>> David H. Lipman wrote:
>>
>>> The information I have seen "G. Morgan" post is contrary to what you state.
>>>
>>> You both have rights to your respective opinions.
>>
>>
>> Thanks David, on a side note... I bookmarked one of your pages just yesterday
>> on the topic of security. Thanx for that>>
>> http://www.claymania.com/removal-trojan-adware.html
>
>
>If you carried these out, then... well... you spent a lot of time for
>achieving absolutely nothing.

Ahh Sebastian, I've read your stuff. You're the one who thinks a clean
re-install is the only way to remove crapware, eh?

--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

Sebastian G.
05-20-08, 12:31 AM
G. Morgan wrote:


>> If you carried these out, then... well... you spent a lot of time for
>> achieving absolutely nothing.
>
> Ahh Sebastian, I've read your stuff. You're the one who thinks a clean
> re-install is the only way to remove crapware, eh?


Not if you have a decent backup. At any rate, this is not a matter of
opinions, but simple scientific facts.

Kayman
05-20-08, 12:31 AM
On Tue, 20 May 2008 02:24:41 +0000 (UTC), G. Morgan wrote:

> Sebastian G. wrote:
>
>>G. Morgan wrote:
>>
>>> David H. Lipman wrote:
>>>
>>>> The information I have seen "G. Morgan" post is contrary to what you state.
>>>>
>>>> You both have rights to your respective opinions.
>>>
>>>
>>> Thanks David, on a side note... I bookmarked one of your pages just yesterday
>>> on the topic of security. Thanx for that>>
>>> http://www.claymania.com/removal-trojan-adware.html
>>
>>
>>If you carried these out, then... well... you spent a lot of time for
>>achieving absolutely nothing.
>
> Ahh Sebastian, I've read your stuff. You're the one who thinks a clean
> re-install is the only way to remove crapware, eh?

Just ignore this person! He has wealth of knowledge but is incapable to
pass it on to those in need. He does not believe that newsgroups should be
used as a vehicle to provide (specific) assistance, go figure.

Reformatting of HDD is the preferred course of action!

"The only way to clean a compromised system is to flatten and rebuild.
That's right. If you have a system that has been completely compromised,
the only thing you can do is to flatten the system (reformat the system
disk) and rebuild it from scratch (re-install Windows and your
applications)..."
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

There are however a number of reasons where this may not be possible and/or
achievable. Not everybody is technically apt to do so or has a 'savvy'
acquaintance who may be able to assist. There are many users who don't live
in cities but reside in less developed environments where professional help
just does not exist. They may find the procedures as per:
http://michaelstevenstech.com/cleanxpinstall.html
too overwhelming and shy away from the perceived complexity.
The procedures as per:
http://www.claymania.com/removal-trojan-adware.html
(especially David's MULTI_AV Tool) have helped uncountable
users over many years, and are IMO the next best thing to flattening and
rebuilding an operating system. Moreover, to the best of my knowledge, David
has never denied anybody reasonable assistance figuring out malware
challenges.

Jim Watt
05-20-08, 06:24 AM
On Tue, 20 May 2008 00:41:01 +0000 (UTC), G. Morgan <no_em@il.invalid>
wrote:

<snip>

Albeit the bitching is interesting, nobody seems to
have actually answered the original question ...
--
Jim Watt
http://www.gibnet.com

Bill Kearney
05-20-08, 08:16 AM
> Not if you have a decent backup. At any rate, this is not a matter of
> opinions, but simple scientific facts.

Your advice is bogus, at best. If this is all you have to offer perhaps
shutting up would be better.

G. Morgan
05-20-08, 02:50 PM
[alt.internet.wireless] removed from x-post

Sebastian G. wrote:

>>
>> Ahh Sebastian, I've read your stuff. You're the one who thinks a clean
>> re-install is the only way to remove crapware, eh?
>
>
>Not if you have a decent backup. At any rate, this is not a matter of
>opinions, but simple scientific facts.

Well I would have to argue that it *is* a matter of opinion. I have
personally resurrected many a machine from the brink of uselessness by
applying (freeware) solutions. The one-two punch of Adaware, and SpyBot S&D
is often all it takes to clean an infected PC.

While I do agree that a re-format/install is best, it's not always feasible to
do so. There is nothing wrong with David L's techniques as a first step.
"Flattening" the system is a last resort.




--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

G. Morgan
05-20-08, 02:55 PM
[alt.internet.wireless] removed from x-post

Kayman wrote:

>> Ahh Sebastian, I've read your stuff. You're the one who thinks a clean
>> re-install is the only way to remove crapware, eh?
>
>Just ignore this person! He has wealth of knowledge but is incapable to
>pass it on to those in need. He does not believe that newsgroups should be
>used as a vehicle to provide (specific) assistance, go figure.

Of course not, everybody knows that newsgroups are for downloading porn. ;-)

>Reformatting of HDD is the preferred course of action!
>
>"The only way to clean a compromised system is to flatten and rebuild.
>That’s right. If you have a system that has been completely compromised,
>the only thing you can do is to flatten the system (reformat the system
>disk) and rebuild it from scratch (re-install Windows and your
>applications)..."
>http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
>
>There are however a number of reasons where this may not be possible and/or
>achievable. Not everybody is technically apt to do so or has a 'savvy'
>acquaintance who may be able to assist. There are many users who don't live
>in cities but reside in less developed environments where professional help
>just does not exist. They may find the procedures as per:
>http://michaelstevenstech.com/cleanxpinstall.html
>too overwhelming and shy away from the perceived complexity.
>The procedures as per:
>http://www.claymania.com/removal-trojan-adware.html
>(especially David's MULTI_AV Tool) have helped uncountable
>users over many years, and are IMO the next best thing to flattening and
>rebuilding an operating system. Moreover, to the best of my knowledge, David
>has never denied anybody reasonable assistance figuring out malware
>challenges.

Agreed. Another reason not to re-build is when the client does not have the
installation media for everything needing to be re-installed.



--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

jim
05-20-08, 04:55 PM
Jim Watt wrote:
> On Tue, 20 May 2008 00:41:01 +0000 (UTC), G. Morgan <no_em@il.invalid>
> wrote:
>
> <snip>
>
> Albeit the bitching is interesting, nobody seems to
> have actually answered the original question ...
> --
> Jim Watt
> http://www.gibnet.com

This is great... alt.comp.sec... where have you been all my life?

Sebastian G.
05-20-08, 06:47 PM
Bill Kearney wrote:

>> Not if you have a decent backup. At any rate, this is not a matter of
>> opinions, but simple scientific facts.
>
> Your advice is bogus, at best.


Calling trivial facts bogus is the reason why you should better shut up.

Sebastian G.
05-20-08, 06:48 PM
G. Morgan wrote:

> [alt.internet.wireless] removed from x-post
>
> Sebastian G. wrote:
>
>>> Ahh Sebastian, I've read your stuff. You're the one who thinks a clean
>>> re-install is the only way to remove crapware, eh?
>>
>> Not if you have a decent backup. At any rate, this is not a matter of
>> opinions, but simple scientific facts.
>
> Well I would have to argue that it *is* a matter of opinion. I have
> personally resurrected many a machine from the brink of uselessness by
> applying (freeware) solutions.


No, you didn't. In fact, it's likely that they're still compromised.

> The one-two punch of Adaware, and SpyBot S&D
> is often all it takes to clean an infected PC.


Gotta laugh even more. These tools are absolutely useless, since even at
perfectly clean machines they're claiming a lot of nonsense. How should they
even provide any useful information about a system that actively lies to them?

Kayman
05-20-08, 07:13 PM
On Wed, 21 May 2008 01:48:40 +0200, Sebastian G. wrote:

> G. Morgan wrote:
>
>> [alt.internet.wireless] removed from x-post
>>
>> Sebastian G. wrote:
>>
>>>> Ahh Sebastian, I've read your stuff. You're the one who thinks a clean
>>>> re-install is the only way to remove crapware, eh?
>>>
>>> Not if you have a decent backup. At any rate, this is not a matter of
>>> opinions, but simple scientific facts.
>>
>> Well I would have to argue that it *is* a matter of opinion. I have
>> personally resurrected many a machine from the brink of uselessness by
>> applying (freeware) solutions.
>
> No, you didn't. In fact, it's likely that they're still compromised.
>
>> The one-two punch of Adaware, and SpyBot S&D
>> is often all it takes to clean an infected PC.
>
> Gotta laugh even more. These tools are absolutely useless, since even at
> perfectly clean machines they're claiming a lot of nonsense. How should they
> even provide any useful information about a system that actively lies to them?

Now, even if a certain Sebastian Gottschalk from .de is spewing snipes
proclaiming that using David's Multi-AV to clean operating systems isn't is
accord with (his) scientific facts...the pragmatic/realistic proof is in
the pudding. Users living in the Islands, Booneys, Bush, Outback, Beyond
the Black Stump etc. don't need your claptrap and don't care for your
condescending manner. As a frequent lurker in various pertinent newsgroups,
I haven't seen one post where David's Multi-AV wasn't helpful and
beneficial.

So, Sebastian Gottschalk of .de, go and stick your scientific facts in one
of your bodily cavities, save us from your snipes and keep your
grandiosities within the circle of your associates in the sophisticated
milieu of Berlin. (You are a prime example of German arrogance but your
like minded buckos wouldn't know, now would they?).

G. Morgan
05-20-08, 08:37 PM
Sebastian G. wrote:

>> Well I would have to argue that it *is* a matter of opinion. I have
>> personally resurrected many a machine from the brink of uselessness by
>> applying (freeware) solutions.
>
>
>No, you didn't. In fact, it's likely that they're still compromised.

Yes, I did. No they're not.

>> The one-two punch of Adaware, and SpyBot S&D
>> is often all it takes to clean an infected PC.
>
>
>Gotta laugh even more.

Like a mental patient I'm sure.

> These tools are absolutely useless, since even at
>perfectly clean machines they're claiming a lot of nonsense. How should they
>even provide any useful information about a system that actively lies to them?

That's not been my experience. I've run both on brand new images of XP SP2 &
3 and got -zero- false positives.

So, being the "scientist" you are I'm sure you will now be offering the proof
of your hypothesis. I will be waiting.



--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

Sebastian G.
05-20-08, 08:48 PM
Kayman wrote:

> isn't is accord with (his) scientific facts...

^^^^^
Proof that you're an idiot.

> the pragmatic/realistic proof is in the pudding.


There is none. You cannot proof that you've cleaned the system just by the
absence of obvious signs.


> I haven't seen one post where David's Multi-AV wasn't helpful and
> beneficial.


Of course, since those fools don't understand the meaning of system
integrity. It was helpful insofar that it seemed to cure the symptoms, but
it never restored the system to a well-defined state, leaving all future
work unreliable and potentially compromised.

Sebastian G.
05-20-08, 08:50 PM
G. Morgan wrote:

> Sebastian G. wrote:
>
>>> Well I would have to argue that it *is* a matter of opinion. I have
>>> personally resurrected many a machine from the brink of uselessness by
>>> applying (freeware) solutions.
>>
>> No, you didn't. In fact, it's likely that they're still compromised.
>
> Yes, I did. No they're not.


Trivial counter-proof of your statement: Universal trojan horses exist.

>> These tools are absolutely useless, since even at
>> perfectly clean machines they're claiming a lot of nonsense. How should they
>> even provide any useful information about a system that actively lies to them?
>
> That's not been my experience. I've run both on brand new images of XP SP2 &
> 3 and got -zero- false positives.


Question: What's the difference between a brand new image and a well secured
and hardened system?

> So, being the "scientist" you are I'm sure you will now be offering the proof
> of your hypothesis. I will be waiting.


Trivial: Just change
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
and it will complain that something isn't right.

G. Morgan
05-20-08, 10:47 PM
Sebastian G. wrote:

>G. Morgan wrote:
>
>> Sebastian G. wrote:
>>
>>>> Well I would have to argue that it *is* a matter of opinion. I have
>>>> personally resurrected many a machine from the brink of uselessness by
>>>> applying (freeware) solutions.
>>>
>>> No, you didn't. In fact, it's likely that they're still compromised.
>>
>> Yes, I did. No they're not.
>
>
>Trivial counter-proof of your statement: Universal trojan horses exist.

Universal Trojans? What the heck are you on about now? I said AA and SBS&D
could (and does) remove a lot of malware making the system clean again. Sure,
not one size fits all. Nobody has invented a one-stop shop for cleaning
crapware.


>
>>> These tools are absolutely useless, since even at
>>> perfectly clean machines they're claiming a lot of nonsense. How should they
>>> even provide any useful information about a system that actively lies to them?
>>
>> That's not been my experience. I've run both on brand new images of XP SP2 &
>> 3 and got -zero- false positives.
>
>
>Question: What's the difference between a brand new image and a well secured
>and hardened system?

What is this, an interrogation? A brand new image of XP would be the state
the system is in as soon as Setup is complete.

A well hardened system would be that image + a good A/V w/updates and a
firewall running before the system becomes a node on the (Inter)network.



>> So, being the "scientist" you are I'm sure you will now be offering the proof
>> of your hypothesis. I will be waiting.
>
>
>Trivial: Just change
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
>and it will complain that something isn't right.

Of course a good scanner is going to detect a change in the location of HOSTS,
I fully expect it to.


Now, what about your claim that SBS&D and Ad aware detect false positives on a
brand new XP install? <-- *brand new* meaning no editing of the registry
before scan (especially something as critical as the location of HOSTS)



--

I kill all Google Group posts, you can too.
Take back Usenet <--> http://improve-usenet.org

Sebastian G.
05-20-08, 11:16 PM
G. Morgan wrote:


> Universal Trojans? What the heck are you on about now? I said AA and SBS&D
> could (and does) remove a lot of malware making the system clean again.


And if the malware is a universal trojan horse, the system will remain
infected, albeit appearing clean. So stop claiming the contrary. Most
malware implementations are universal trojan horses.


> A well hardened system would be that image + a good A/V w/updates and a
> firewall running before the system becomes a node on the (Inter)network.


********. Not just that something like "good A/V" doesn't exist (both by
design and by availability), it's far away from being a security
improvement, and even further away from hardening.

But once again: I have setup a system that is provably clean, but not in a
fresh state. I have AdAware and Spybot S&D run over it, and it claimed
multiple infections and security issues, which were provably nonsense. Your
example of how it behaves on a fresh systems doesn't disprove my claims at all.

>> Trivial: Just change
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
>> and it will complain that something isn't right.
>
> Of course a good scanner is going to detect a change in the location of HOSTS,
> I fully expect it to.


Nonsense. HKEY_LOCAL_MACHINE is read-only to normal users, so this change
must have been applied by an administrator.
In fact, it was done exactly so for a better management of ACLs, grouping
together various relevant files for which one specifically limits access to
NT-AUTHORITY\SYSTEM and 'named' only.

And this was only one example. It also claims some group policy settings
(which improve security) as issues, noises about cookies with a DOMAIN
attribute (albeit the web browser is configured to not care about it), and
even complains about some known good software (like FlashGet).

Or did you ever try the "immunization" function? It spams the registry full
of useless CLSIDs, fails to do so on HKLM, claims success, then reports
incompleteness on next run, and tries again. WTF?

Not gonna mention AdAware. One does need a test machine just to get around
the broken installer (which tries to write some temporary files to
%SystemRoot%\system32), and then it presents you with an almost empty GUI
(since it tries to use a MSHTML style GUI without even checking if rendering
pictures is active), and then pulls off **** similar to Spybot S&D.


> Now, what about your claim that SBS&D and Ad aware detect false positives on a
> brand new XP install?


This claim is merely a fiction of yours, or your inability to read and
understand.

Aside from that, why can't it detect the most obvious security issues of
such a fresh install?

Kayman
05-21-08, 03:34 AM
On Wed, 21 May 2008 03:48:01 +0200, Sebastian G. wrote:

> Kayman wrote:
>
>> isn't is accord with (his) scientific facts...
>
> ^^^^^
> Proof that you're an idiot.

Ah, So typical and predictable. You must be running out of arguments.

>> the pragmatic/realistic proof is in the pudding.
>
> There is none. You cannot proof that you've cleaned the system just by the
> absence of obvious signs.
>
Sure, yadda, yadda, yawn.
>
>> I haven't seen one post where David's Multi-AV wasn't helpful and
>> beneficial.
>
> Of course, since those fools don't understand the meaning of system
> integrity.

I only wish you'd meet some of them Outback "fools" face to face...

> It was helpful insofar that it seemed to cure the symptoms, but
> it never restored the system to a well-defined state, leaving all future
> work unreliable and potentially compromised.

Now we know. To quote H.L.Mencken:"Puritanism: The haunting fear that
someone, somewhere, may be happy."

Sebastian G.
05-21-08, 04:22 AM
Kayman wrote:

> On Wed, 21 May 2008 03:48:01 +0200, Sebastian G. wrote:
>
>> Kayman wrote:
>>
>>> isn't is accord with (his) scientific facts...
>> ^^^^^
>> Proof that you're an idiot.
>
> Ah, So typical and predictable. You must be running out of arguments.


Another proof that you're an idiot. You're claiming trivial scientific facts
as solely my facts, which is exactly your lack of arguments.


>> There is none. You cannot proof that you've cleaned the system just by the
>> absence of obvious signs.
>>
> Sure, yadda, yadda, yawn.


Yet another proof that you're lacking arguments.

>> Of course, since those fools don't understand the meaning of system
>> integrity.
>
> I only wish you'd meet some of them Outback "fools" face to face...


I do. And interestingly most of them know what they're doing wrong, and
typically beg for the consequences not happening.

>> It was helpful insofar that it seemed to cure the symptoms, but
>> it never restored the system to a well-defined state, leaving all future
>> work unreliable and potentially compromised.
>
> Now we know. To quote H.L.Mencken:"Puritanism: The haunting fear that
> someone, somewhere, may be happy."


If you would bother to understand what a universal trojan horse is (and
feel ashamed that you ever dared to operate a computer without the most basic
knowledge), then you might get a clue where to place reasonable assumptions.
A compromised system, by definition, remains compromised until it returns
to a well-defined state. Changing the state based on assumptions about the
current state can't achieve that. But well, that's just trivial math...

Donna
05-21-08, 10:50 AM
On Mon, 19 May 2008 08:55:18 -0500, VanguardLH wrote:
> Oh, so the "problem" wasn't what you claimed it to be in your first
> post.

Why so suspicious.

Actually, in hindsight, I wish I knew how programs figure out exactly who
is running them. This Spector program, which I apparently don't have on my
system based on the help here, apparently wires back home who is using it.

How does it do that? (Is this a right group to ask that question?)

It's a privacy spying computer security internet issue.

I'm assuming it keys off the MAC ID, which can easily be changed.

In general, how does a program (such as Spector) know EXACTLY who is using
it and on what computer? Is it the MAC ID or something else that it keys
off of?

D

Donna
05-21-08, 10:54 AM
On Wed, 21 May 2008 08:50:12 -0700, Donna wrote:

> In general, how does a program (such as Spector) know EXACTLY who is using
> it and on what computer? Is it the MAC ID or something else that it keys
> off of?

And better yet, could we all foil such keyloggers simply by changing
whatever it is that it uses to key off of?

Jim Watt
05-21-08, 01:21 PM
On Wed, 21 May 2008 06:16:51 +0200, "Sebastian G." <seppi@seppig.de>
wrote:

<snip>

>And if the malware is an universal trojan horse, the system will remain
>infected, albeit appearing clean. So stop claiming the contrary. Most
>malware implementations are universal trojan horses.

Are these ridden by universal soldiers?
--
Jim Watt
http://www.gibnet.com

Sebastian G.
05-21-08, 03:10 PM
G. Morgan wrote:

> Sebastian G. wrote:
>
>> And if the malware is
>
> [slap]
>
> I should have listened to Kayman when he advised to ignore you. Better late
> than never.


Why do such idiots even come here for discussion if they can't stand arguments?

jim
05-21-08, 05:42 PM
Sebastian G. wrote:
> G. Morgan wrote:
>
>> Sebastian G. wrote:
>>
>>> And if the malware is
>>
>> [slap]
>>
>> I should have listened to Kayman when he advised to ignore you.
>> Better late
>> than never.
>
>
> Why do such idiots even come here for discussion if they can't stand
> arguments?


wow... do you guys just come home, drink a bottle of whisky, then log on to
alt.this.thats

Kayman
05-22-08, 02:54 AM
On Wed, 21 May 2008 11:22:41 +0200, Sebastian G. wrote:

> Kayman wrote:
>
>> On Wed, 21 May 2008 03:48:01 +0200, Sebastian G. wrote:
>>
>>> Kayman wrote:
>>>
>>>> isn't is accord with (his) scientific facts...
>>> ^^^^^
>>> Proof that you're an idiot.
>>
>> Ah, So typical and predictable. You must be running out of arguments.
>
> Another proof that you're an idiot. You're claiming trivial scientific facts
> as solely my facts, which is exactly your lack of arguments.
>
You don't have to be so hostile if you feel the post is not suitable to
your tastes. You seem to be susceptible to the attitudes, feelings, or
circumstances of others. Try to keep your emotions in check; You would
screw up the context of anything for your purpose of argument. Not an
intelligent approach.
You arrogant, pretentious and condescending swine.
>
>>> There is none. You cannot proof that you've cleaned the system just by the
>>> absence of obvious signs.
>>>
>> Sure, yadda, yadda, yawn.
>
> Yet another proof that you're lacking arguments.

Well, you're not very original. You're so full of **** I doubt any of your
bodily cavities are functioning (this explains why you can't stick your
useless messages anywhere and continue polluting newsgroups).
"You half-witted insignificant gob of rancid mucus."
(Courtesy: the good people from Monty Python).

>>> Of course, since those fools don't understand the meaning of system
>>> integrity.
>>>
>> I only wish you'd meet some of them Outback "fools" face to face...
> I do. And interestingly most of them know what they're doing wrong, and
> typically beg for the consequences not happening.
>
LOL, I just fell off the oil drum I'm sitting on. Any true self-respecting
outback person would rip off your head and **** in your neck!
You probably met somebody called Herr or Frau Kraut living in the 'Wannsee'
area which you as Berlin Insulaner consider JWD or janz weit draussen.
(For the non-Krauts; Wannsee = a lake in the Berlin area, Insulaner =
referred to the denizens of Berlin due to the isolation caused during the
early stages of the cold war, janz weit draussen = beyond the black stump
or outback).

>>> It was helpful insofar that it seemed to cure the symptoms, but
>>> it never restored the system to a well-defined state, leaving all future
>>> work unreliable and potentially compromised.
>>
>> Now we know. To quote H.L.Mencken:"Puritanism: The haunting fear that
>> someone, somewhere, may be happy."
>
> If you would bother to understand what an universal trojan horse is (and
> feel ashame that you ever dared operating a computer without the most basic
> knowledge), then you might get a clue where to place reasonable assumptions.
> A compromised system, by definition, remains compromised until it returns
> into a well-defined state. Changing the state based on assumptions about the
> current state can't achieve that. But well, that's just trivial math...

Rubbish (see my previous post in this thread)!
What *you* don't understand is that Berlin ain't the center of the
universe. Herr Adolph didn't succeed nor will you.

The reason non-technical people list their problems in (pertinent)
newsgroups is that they're crying out for help and guidance; something
you never ever provide except hideous snipes, insults and encrypted
remarks. The good people residing/working in remote areas don't need your
empty rhetoric; they are mostly working with limited resources. All they
care about is getting their machine running again, and that's where David's
Multi-AV *is* the next best thing to re-installing the OS [PERIOD]!
They don't give a damn about your overbearing bunk because it's just not
feasible for them to do anything more 'sophisticated'. Flattening/wiping
the HDD and re-installing the OS would most probably shut them off from the
rest of the world for good, or at least until professional help is
available, which in some instances could take many months.

Heck, to the horror of some German car mechanics ("das geht doch nicht" -
"you can't do that"), we used bananas to "lubricate" the gearbox of our VW
bus which kept us going to the next garage which was about 2000 miles away.
If it was up to those morons we'd still be in the middle of nowhere
(Africa).

Bill Kearney
05-22-08, 09:21 AM
"Sebastian G." <seppi@seppig.de> wrote in message
news:69h69mF31vkatU2@mid.dfncis.de...
> Bill Kearney wrote:
>
>>> Not if you have a decent backup. At any rate, this is not a matter of
>>> opinions, but simple scientific facts.
>>
>> Your advice is bogus, at best.
>
> Calling trivial facts bogus is the reason why you should better shut up.

Yeah, right. Why continue to post your useless drivel? You're not actually
helping the people asking the question. What's the point? Make yourself
feel better? All you're doing is making an ass of yourself. Ah well,
someone had to say it.

John Mason Jr
05-22-08, 10:28 AM
Kayman wrote:
<snip>
> The reason non-technical people listing their problems in (pertinent)
> newsgroups is because they're crying out for help and guidance; Something
> you never ever provide except hideous snipes, insults and encrypted
> remarks. The good people residing/working in remote areas don't need your
> empty rhetoric; They are mostly working with limited resources. All they
> care about to get their machine running again and that's where David's
> Multi-AV *is* the next best thing to re-install the OS [PERIOD]!
> They don't give damn about your overbearing bunk because it's just not
> feasible for them to do anything more 'sophisticated'. Flattening/wiping
> the HDD and re-installing the OS would most probably shut them off from the
> rest of the world for good or at least until professional help is
> available, which in some instances could take many months.
>
<snip>


SG normally raises the same point, and you might not like it but it is
true.

If a machine has been compromised/infected, and you rely on signature
based cleaning/detection methods then you cannot be sure you are not
still compromised.

The correct way to recover is to restore from known good media, and then
make sure that you patch the vulnerability that allowed the compromise
in the first place.

If you accept the risk that you may still be compromised then go ahead
and use signature based solutions.


John

David H. Lipman
05-22-08, 04:17 PM
From: "John Mason Jr" <notvalid@cox.net.invalid>


| <snip>
|
| SG normally raises the same point, and you might not like it but it is
| true.
|
| If a machine has been compromised/infected, and you rely on signature
| based cleaning/detection methods then you cannot be sure you are not
| still compromised.
|
| The correct way to recover is to restore from known good media, and then
| make sure that you patch the vulnerability that allowed the compromise
| in the first place
|
| If you accept the risk that you may still be compromised then go ahead
| and use signature based solutions.
|
| John
|

First you have to define "compromised".

Is a system compromised if you have a Gain/Gator malware infection or NYB virus on a FAT32
based system?


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Kayman
05-22-08, 06:48 PM
On Thu, 22 May 2008 11:28:12 -0400, John Mason Jr wrote:

> Kayman wrote:
> <snip>
>> The reason non-technical people listing their problems in (pertinent)
>> newsgroups is because they're crying out for help and guidance; Something
>> you never ever provide except hideous snipes, insults and encrypted
>> remarks. The good people residing/working in remote areas don't need your
>> empty rhetoric; They are mostly working with limited resources. All they
>> care about to get their machine running again and that's where David's
>> Multi-AV *is* the next best thing to re-install the OS [PERIOD]!
>> They don't give damn about your overbearing bunk because it's just not
>> feasible for them to do anything more 'sophisticated'. Flattening/wiping
>> the HDD and re-installing the OS would most probably shut them off from the
>> rest of the world for good or at least until professional help is
>> available, which in some instances could take many months.
>>
> <snip>
>
>
> SG normally raises the same point, and you might not like it but it is
> true.
>
> If a machine has been compromised/infected, and you rely on signature
> based cleaning/detection methods then you cannot be sure you are not
> still compromised.
>
> The correct way to recover is to restore from known good media, and then
> make sure that you patch the vulnerability that allowed the compromise
> in the first place
>
> If you accept the risk that you may still be compromised then go ahead
> and use signature based solutions.
>

John,
Please read (or re-read) my post dated 20-May-08 10:28:12PM in this thread
:-)

Sebastian G.
05-23-08, 01:39 AM
Bill Kearney wrote:

> "Sebastian G." <seppi@seppig.de> wrote in message
> news:69h69mF31vkatU2@mid.dfncis.de...
>> Bill Kearney wrote:
>>
>>>> Not if you have a decent backup. At any rate, this is not a matter of
>>>> opinions, but simple scientific facts.
>>> Your advice is bogus, at best.
>> Calling trivial facts bogus is the reason why you should better shut up.
>
> Yeah, right. Why continue to post your useless drivel? You're not actually
> helping the people asking the question.


I do, by pointing out bogus advice.

Sebastian G.
05-23-08, 01:42 AM
David H. Lipman wrote:


> First you have to define "compramised".


trivial: system is not in a well-defined state

> Is a system compramised if you have a Gain/Gator malware infection or NYB virus on a FAT32
> based system ?


Gain/Gator is not malware, at least it shows no sign of being so. For the
NYB virus, it definitely is compromised, since it's not in a well-defined
state anymore. You could at most detect what programs it has changed, but
hardly which settings and data were modified.

Then again, a FAT32-based system should already be considered a big security
problem that was most likely already exploited.

John Mason Jr
05-23-08, 01:05 PM
David H. Lipman wrote:
> From: "John Mason Jr" <notvalid@cox.net.invalid>
>
>
> | <snip>
> |
> | SG normally raises the same point, and you might not like it but it is
> | true.
> |
> | If a machine has been compromised/infected, and you rely on signature
> | based cleaning/detection methods then you cannot be sure you are not
> | still compromised.
> |
> | The correct way to recover is to restore from known good media, and then
> | make sure that you patch the vulnerability that allowed the compromise
> | in the first place
> |
> | If you accept the risk that you may still be compromised then go ahead
> | and use signature based solutions.
> |
> | John
> |
>
> First you have to define "compramised".
>
> Is a system compramised if you have a Gain/Gator malware infection or NYB virus on a FAT32
> based system ?

Yes, and the habits that caused the infection may have resulted in other
currently undetected malware on the machine.


I do believe that there is a use for malware detection/removal software,
but that the risks are not well explained in a manner that is
understandable to the average user.

John

David H. Lipman
05-23-08, 03:25 PM
From: "Sebastian G." <seppi@seppig.de>

| David H. Lipman wrote:
|
>> First you have to define "compramised".
|
| trivial: system is not in a well defined state
|
>> Is a system compramised if you have a Gain/Gator malware infection or NYB virus on a
>> FAT32 based system ?
|
| Gain/Gator is not malware, at least it shows no sign of being so. For the
| NYB virus, it definitely is compromised, since it's not in a wel-defined
| state anymore. You could at most detect what programs it has changed, but
| hardly which settings and data were modified.
|
| Then again, a FAT32-based should already be considered as a big security
| problem that was most likely already exploited.

I think you are COMPLETELY wrong.

Gain/Gator is adware/spyware and it is malware.

NYB is a simple boot sector infector. The data and the system are NOT compromised. We are
not talking about a Backdoor Trojan, Password stealer or a multi-faceted Trojan using rootkit
techniques.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Sebastian G.
05-23-08, 04:53 PM
David H. Lipman wrote:


> I think you are COMPLETELY wrong.
>
> Gain/Gator is adware spyware and it is malware.


Aside from some few spurious claims, there's currently no indication for
that. I'd still consider it as typically undesired software, since it
implements functionality which actively breaks the normal usage of its
hosting software.

> NYB is a simple boot sector infector.


Which implies that it had root privileges.

> The data and the system is NOT compramised. We are
> not talking about a Backdoor Trojan, Password stealer or a multi-facted Trojan using rootkit
> techniques.

Wrong, we're talking about exactly this, since such software has most likely
compromised the system due to the very same security vulnerability NYB had
used, or has even dropped NYB in the first place. Even further, until you do a
complete comparison against a trusted base, there's no indication that the
malware is exactly and solely the known variant of NYB. Thus, the system
should clearly be considered as compromised.

But considering that you're abusing MSOE as a newsreader, it's painfully
obvious that you have no clue about security.
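
The "complete comparison against a trusted base" argument above, as an added illustration that is not code from the thread or from any participant: a constructed file tree is recorded in a known-good SHA-256 manifest, then tampered with by dropping a known sample and silently patching an existing program. A signature scanner that only knows the dropped sample removes it and then reports nothing, while the manifest comparison still shows the tree is not in a well-defined state. The file names, the sample bytes and the "signature database" are all constructed for the example.

```python
"""Signature scanning vs. comparison against a trusted baseline (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Set

# Constructed "signature database": the hash of one known sample and nothing else.
KNOWN_BAD_SAMPLE = b"constructed stand-in for a known dropper sample\n"
SIGNATURES: Set[str] = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def signature_scan(root: str) -> List[str]:
    """Remove files whose hash is in SIGNATURES and return their names.

    This is all a signature-based cleaner can know: files it has a signature for.
    """
    removed: List[str] = []
    for rel, digest in build_manifest(root).items():
        if digest in SIGNATURES:
            os.remove(os.path.join(root, rel))
            removed.append(rel)
    return removed


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every deviation from the trusted manifest."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def is_well_defined(diff: Dict[str, List[str]]) -> bool:
    """The tree is in its known-good state only when no category has entries."""
    return not any(diff.values())


def write_file(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo() -> Dict[str, object]:
    """Run the scenario in a temporary directory and return both verdicts."""
    with tempfile.TemporaryDirectory() as root:
        # 1. Known-good state: the manifest is taken before anything else happens.
        write_file(root, "system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        write_file(root, "system32/netstat.exe", b"constructed original netstat\n")
        baseline = build_manifest(root)

        # 2. Constructed infection: drop the known sample AND patch an existing program.
        write_file(root, "temp/dropper.bin", KNOWN_BAD_SAMPLE)
        write_file(root, "system32/netstat.exe", b"constructed patched netstat\n")

        # 3. Signature-based cleaning removes what it recognises; a second pass is silent.
        removed = signature_scan(root)
        scanner_says_clean = not signature_scan(root)

        # 4. The trusted manifest still exposes the patched program.
        diff = compare_to_baseline(baseline, build_manifest(root))
        return {
            "removed_by_scanner": removed,
            "scanner_says_clean": scanner_says_clean,
            "baseline_diff": diff,
            "well_defined": is_well_defined(diff),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```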

David H. Lipman
05-23-08, 05:39 PM
From: "Sebastian G." <seppi@seppig.de>

| David H. Lipman wrote:
|
>> I think you are COMPLETELY wrong.
>>
>> Gain/Gator is adware spyware and it is malware.
|
| Aside from some few spurios claims, there's currently no indication for
| that. I'd still consider it as typically undesired software, since it
| implements functionality which actively breaks the normal usage of its
| hosting software.
|
>> NYB is a simple boot sector infector.
|
| Which implies that it had root privileges.
|

No, it does not.


>> The data and the system is NOT compramised. We are
>> not talking about a Backdoor Trojan, Password stealer or a multi-facted Trojan using
>> rootkit techniques.
|
| Wrong, we're talking about exactly this, since such software has most likely
| compromised the system due to the very same security vulnerability NYB had
| used, or has even dropped NYB in first place. Even further, until you do a
| complete comparison against a trusted base, there's no indication that the
| malware is exactly and solely the known variant of NYB. Thus, the system
| should be clearly considered as compromised.
|
| But considering that you're abusing MSOE as a newsreader, it's painfully
| obvious that you have no clue about security.

Your POV is all wrong. It is not the system of concern, it's the data. The system has no
value, the data on the system has worth and value. You said "...since it's not in a
wel-defined state anymore..." but legitimate software can also change the state. It is the
data's safety that leads to the conclusion that a system is compromised. If a system is
compromised the data, not the system, is at risk.

I am not abusing MSOE. I use it in combination with Fidolook and it makes up for MSOE's
shortcomings. Don't change the subject! What you are doing is redirection.

NYB is well defined, constrained and finite. The system is NOT compromised, it doesn't have
"privileges". It is easily removed and the data is not at risk on an infected media. A
system with NYB does not get compromised. On the other hand a system with a password
stealing trojan is indeed, compromised.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Sebastian G.
05-23-08, 06:11 PM
David H. Lipman wrote:


>>> NYB is a simple boot sector infector.
> |
> | Which implies that it had root privileges.
> |
>
> No, it does not.


It does. Writing to the boot sector requires either write access to
\Device\PhysicalDriveX or \Device\VolumeX\DR0, both of which imply
Administrator group membership, or SeRestorePrivilege, which is granted only
to Administrator group, or would be equivalent to Administrator privileges
(since one could change ACLs or overwrite system binaries on the raw disk).

> Your POV is all wrong. It is not the ssytem of concern, its the data. The system has no
> value, the data on the system has worth and value.


The system integrity has direct implications on all data, both the stored
ones and the processed ones. Where exactly is access to my private Pr0n
collection a bigger issue than the system forwarding my entered online
banking password to some Ukraine stranger?

> You said "...since it's not in a

> wel-defined state anymore..." but legitimate software can also change the state.


Hint: What's the difference between "state" and "well-defined" state?

> it is the data's safety that leads to the conclusion that a system is
> compramised.

Nonsense. A system can be compromised without having changed any data yet,
though the data are still in danger that such a thing happens in the future.


> I am not abusing MSOE. I use it in combination with Fidolook and it makes up for MSOE's
> short comings.


Such as a header line longer than 8192 bytes triggering a direct buffer
overflow and therefore immediate compromise just by marking (not even
reading) a posting?

> NYB is well defined, constrained and finite.


The necessary circumstances aren't, unless you're discussing purely
artificial setups.

Jim Watt
05-27-08, 02:01 PM
On Fri, 23 May 2008 14:05:18 -0400, John Mason Jr
<notvalid@cox.net.invalid> wrote:

>I do believe that there is a use for malware detection/removal software,
>but that the risks are not well explained in a manner that is
>understandable to the average user.

I don't think that either David Lipman or myself
are 'average users'.
--
Jim Watt
http://www.gibnet.com

PeroPeroHop
05-29-08, 05:04 PM
where's Brendon?

"Donna" <donnaohl26@yahoo.com> wrote in message
news:TiRXj.8983$nl7.1206@flpi146.ffdc.sbc.com...
>I found a receipt in my husband's credit card bill for something I think
> might be something called Spectre Pro Spyware wireless keylogger.
>
> I presume the software must "phone home" somehow the keylogging activity.
>
> Is there any way, perhaps by looking at network activity, that I can tell
> if my husband bought it for use on my winxp computer?

Dustin Cook
06-03-08, 03:57 PM
Donna <donnaohl26@yahoo.com> wrote in news:TiRXj.8983$nl7.1206
@flpi146.ffdc.sbc.com:

> I found a receipt in my husband's credit card bill for something I think
> might be something called Spectre Pro Spyware wireless keylogger.

Ouch... That's probably not a good thing.
Maybe it's not for your computer?

> I presume the software must "phone home" somehow the keylogging activity.

Depending on the version, it's storing a copy on your computer; if it's
installed there. Not my place to say why it may be present on your
computer, but it's worth noting that previous versions basically did a
snapshot, so anything you do, is copied. Chat sessions, email, web surfing,
and no, you can't erase it from those programs easily.

> Is there any way, perhaps by looking at network activity, that I can tell
> if my husband bought it for use on my winxp computer?

If it's on that computer, and properly installed, under normal conditions,
you shouldn't notice its presence.



--
Regards,
Dustin Cook - http://bughunter.it-mate.co.uk
BugHunter v2.2e AntiMalware Removal Utility

mackler79
07-05-09, 10:40 PM
Spector pro is the BEST keylogger programme on the market imo.

The original poster says she found a thing on her husband's credit receipt saying he purchased "spector wireless keylogger" or whatever it was.

Ok, that is BS, when you purchase Spector it doesn't show up as Spector on a receipt, how stupid would that be??? Think about it, you just bought a stealth key logger but they'll put their name on a receipt for all to see, c'mon.


But since you have something to hide from your husband all you have to do is get your own keylogger, there are plenty out there, don't talk to your lover for a while and find out his PW for Spector and either change the PW or disable it, either way, stop cheating or leave the guy ffs.

Marta007
08-07-09, 06:04 PM
Hi,

If you purchase online it should not; however if you purchase at a brick and mortar shop it is possible that they won't disguise the software.

My issue is/was not sure some dastardly fiend placed this spector product on my machine. No boyfriend ex etc. for over 9 years, don't work from home; was originally done in 2007 and on a second machine in 2009 this one.

I ran Spybot / Kaspersky (Norton did not detect it) and hired Southern Bell techies to finish the job ($129.00); later they proclaimed it clean. They also looked at all the registry keys that were known for this program.

In my case there is no reason for this unless cyber stalking is an in activity. Now I am scanning posts for anything I may have missed.

I have the original emails on a back up and will provide to law enforcement.

I'm not a babe either I am 50+ years old.

Not Nice!!

:)

Marta007
08-07-09, 06:09 PM
Hi again,


PS what does it mean to troll? I did not check out the links because I was afraid they might lead to one of those hijack sites. Oh, almost forgot, the S. Bell techies used "HijackThis" also.

That Donna person was accused of trolling.

spectorpro PRO
04-10-12, 12:11 PM
Tech people are always so **** you poor poor people.. getting so angry and bothered.. I simply called the support number for Spector Pro and they helped me check my computer and unload. Also, the RULES are with this software that you agree not to download this program to another person's computer without their consent.
Their phone # is 888.598. 2788
And what you do to find out if somebody has got this downloaded to their computer to check others.. press ctrl alt del s and it will bring up a password window .

RaisinCain
04-10-12, 12:18 PM
Way to resurrect a 3 year old thread.

YeOldeStonecat
04-13-12, 12:54 PM
press ctrl alt del s and it will bring up a password window .

Nope..that is not the default hot key combo. And if SpectorSoft was installed by anyone with a clue...they'd be smart enough to change the default hot keys to something not able to be Googled by the suspected guilty party.