
Thread: How to determine if Spector Pro Spyware is running on my computer?

  1. #41
    John Mason Jr Guest

    Re: How to determine if Spector Pro Spyware is running on my computer?

    David H. Lipman wrote:
    > From: "John Mason Jr" <notvalid@cox.net.invalid>
    >
    >
    > | <snip>
    > |
    > | SG normally raises the same point, and you might not like it but it is
    > | true.
    > |
    > | If a machine has been compromised/infected, and you rely on signature
    > | based cleaning/detection methods then you cannot be sure you are not
    > | still compromised.
    > |
    > | The correct way to recover is to restore from known good media, and then
    > | make sure that you patch the vulnerability that allowed the compromise
    > | in the first place
    > |
    > | If you accept the risk that you may still be compromised then go ahead
    > | and use signature based solutions.
    > |
    > | John
    > |
    >
    > First you have to define "compromised".
    >
    > Is a system compromised if you have a Gain/Gator malware infection or NYB virus on a FAT32
    > based system ?


    Yes, and the habits that caused the infection may have resulted in other
    currently undetected malware on the machine.


    I do believe that there is a use for malware detection/removal software,
    but that the risks are not well explained in a manner that is
    understandable to the average user.

    John


  2. #42
    David H. Lipman Guest

    Re: How to determine if Spector Pro Spyware is running on my computer?

    From: "Sebastian G." <seppi@seppig.de>

    | David H. Lipman wrote:
    |
    >> First you have to define "compromised".

    |
    | trivial: system is not in a well defined state
    |
    >> Is a system compromised if you have a Gain/Gator malware infection or NYB virus on a
    >> FAT32 based system ?

    |
    | Gain/Gator is not malware, at least it shows no sign of being so. For the
    | NYB virus, it definitely is compromised, since it's not in a well-defined
    | state anymore. You could at most detect what programs it has changed, but
    | hardly which settings and data were modified.
    |
    | Then again, a FAT32-based should already be considered as a big security
    | problem that was most likely already exploited.

    I think you are COMPLETELY wrong.

    Gain/Gator is adware spyware and it is malware.

    NYB is a simple boot sector infector. The data and the system is NOT compromised. We are
    not talking about a Backdoor Trojan, Password stealer or a multi-faceted Trojan using rootkit
    techniques.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #43
    Sebastian G. Guest

    Re: How to determine if Spector Pro Spyware is running on my computer?

    David H. Lipman wrote:


    > I think you are COMPLETELY wrong.
    >
    > Gain/Gator is adware spyware and it is malware.



    Aside from some few spurious claims, there's currently no indication for
    that. I'd still consider it as typically undesired software, since it
    implements functionality which actively breaks the normal usage of its
    hosting software.

    > NYB is a simple boot sector infector.



    Which implies that it had root privileges.

    > The data and the system is NOT compromised. We are
    > not talking about a Backdoor Trojan, Password stealer or a multi-faceted Trojan using rootkit
    > techniques.


    Wrong, we're talking about exactly this, since such software has most likely
    compromised the system due to the very same security vulnerability NYB had
    used, or has even dropped NYB in the first place. Even further, until you do a
    complete comparison against a trusted base, there's no indication that the
    malware is exactly and solely the known variant of NYB. Thus, the system
    should be clearly considered as compromised.

    But considering that you're abusing MSOE as a newsreader, it's painfully
    obvious that you have no clue about security.

  4. #44
    David H. Lipman Guest

    Re: How to determine if Spector Pro Spyware is running on my computer?

    From: "Sebastian G." <seppi@seppig.de>

    | David H. Lipman wrote:
    |
    >> I think you are COMPLETELY wrong.
    >>
    >> Gain/Gator is adware spyware and it is malware.

    |
    | Aside from some few spurious claims, there's currently no indication for
    | that. I'd still consider it as typically undesired software, since it
    | implements functionality which actively breaks the normal usage of its
    | hosting software.
    |
    >> NYB is a simple boot sector infector.

    |
    | Which implies that it had root privileges.
    |

    No, it does not.


    >> The data and the system is NOT compromised. We are
    >> not talking about a Backdoor Trojan, Password stealer or a multi-faceted Trojan using
    >> rootkit techniques.

    |
    | Wrong, we're talking about exactly this, since such software has most likely
    | compromised the system due to the very same security vulnerability NYB had
    | used, or has even dropped NYB in the first place. Even further, until you do a
    | complete comparison against a trusted base, there's no indication that the
    | malware is exactly and solely the known variant of NYB. Thus, the system
    | should be clearly considered as compromised.
    |
    | But considering that you're abusing MSOE as a newsreader, it's painfully
    | obvious that you have no clue about security.

    Your POV is all wrong. It is not the system of concern, it's the data. The system has no
    value, the data on the system has worth and value. You said "...since it's not in a
    well-defined state anymore..." but legitimate software can also change the state. It is the
    data's safety that leads to the conclusion that a system is compromised. If a system is
    compromised the data, not the system, is at risk.

    I am not abusing MSOE. I use it in combination with Fidolook and it makes up for MSOE's
    shortcomings. Don't change the subject! What you are doing is redirection.

    NYB is well defined, constrained and finite. The system is NOT compromised, it doesn't have
    "privileges". It is easily removed and the data is not at-risk on an infected media. A
    system with NYB does not get compromised. On the other hand a system with a password
    stealing trojan is indeed, compromised.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #45
    Sebastian G. Guest

    Re: How to determine if Spector Pro Spyware is running on my computer?

    David H. Lipman wrote:


    >>> NYB is a simple boot sector infector.

    > |
    > | Which implies that it had root privileges.
    > |
    >
    > No, it does not.



    It does. Writing to the boot sector requires either write access to
    \Device\PhysicalDriveX or \Device\VolumeX\DR0, both of which imply
    Administrator group membership, or SeRestorePrivilege, which is granted only
    to Administrator group, or would be equivalent to Administrator privileges
    (since one could change ACLs or overwrite system binaries on the raw disk).

    > Your POV is all wrong. It is not the system of concern, it's the data. The system has no
    > value, the data on the system has worth and value.



    The system integrity has direct implications on all data, both the stored
    ones and the processes ones. Where exactly is access to my private Pr0n
    collection a bigger issue than the system forwarding my entered online
    banking password to some Ukraine stranger?

    > You said "...since it's not in a
    > well-defined state anymore..." but legitimate software can also change the state.



    Hint: What's the difference between "state" and "well-defined" state?

    > it is the data's safety that leads to the conclusion that a system is
    > compromised.


    Nonsense. A system can be compromised without having changed any data yet,
    though the data are still in danger that such a thing happens in the future.


    > I am not abusing MSOE. I use it in combination with Fidolook and it makes up for MSOE's
    > short comings.



    Such, like, a header line longer than 8192 byte triggering a direct buffer
    overflow and therefore immediate compromise just by marking (not even
    reading) a posting?

    > NYB is well defined, constrained and finite.



    The necessary circumstances aren't, unless you're discussing purely
    artificial setups.
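
Added example, not part of any poster's message: the "complete comparison against a trusted base" raised in this thread, sketched in Python for a single 512-byte boot sector. The MBR region offsets, the function names and the sample bytes are assumptions constructed for illustration; the baseline is assumed to come from known good media and the observed sector to be read from a trusted boot environment.

```python
import hashlib

SECTOR_SIZE = 512
# Assumed classic MBR layout (byte offsets): boot code, disk signature,
# four 16-byte partition entries, then the 0x55 0xAA boot signature.
REGIONS = {
    "boot_code": (0, 440),
    "disk_signature": (440, 446),
    "partition_table": (446, 510),
    "boot_signature": (510, 512),
}

def region_digests(sector: bytes) -> dict:
    """SHA-256 of each MBR region, so a report can say which part differs."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    return {name: hashlib.sha256(sector[a:b]).hexdigest()
            for name, (a, b) in REGIONS.items()}

def compare_to_baseline(baseline: bytes, observed: bytes) -> dict:
    """Compare an observed sector with a trusted baseline, region by region.

    A match only says this sector equals the baseline; it says nothing
    about the rest of the disk, which needs the same comparison.
    """
    base, obs = region_digests(baseline), region_digests(observed)
    changed = [name for name in REGIONS if base[name] != obs[name]]
    return {
        "valid_boot_signature": observed[510:512] == b"\x55\xaa",
        "changed_regions": changed,
        "trusted": not changed,
    }

def build_sector(boot_code: bytes, partition_entry: bytes) -> bytes:
    """Build a constructed 512-byte sample sector (not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:len(boot_code)] = boot_code
    sector[446:446 + len(partition_entry)] = partition_entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed sample data: one FAT32 (type 0x0b) partition entry and
# placeholder boot-code bytes; neither is taken from a real system.
ENTRY = bytes.fromhex("800101000bfeffff3f00000000001000")
BASELINE = build_sector(bytes.fromhex("fa33c08ed0"), ENTRY)
MODIFIED = build_sector(bytes.fromhex("e900018ed0"), ENTRY)

if __name__ == "__main__":
    print(compare_to_baseline(BASELINE, BASELINE))
    print(compare_to_baseline(BASELINE, MODIFIED))
```
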

  6. #46
    PeroPeroHop Guest

    Re: How to determine if Spector Pro Spyware is running on my computer?

    where's Brendon?

    "Donna" <donnaohl26@yahoo.com> wrote in message
    news:TiRXj.8983$nl7.1206@flpi146.ffdc.sbc.com...
    >I found a receipt in my husband's credit card bill for something I think
    > might be something called Spectre Pro Spyware wireless keylogger.
    >
    > I presume the software must "phone home" somehow the keylogging activity.
    >
    > Is there any way, perhaps by looking at network activity, that I can tell
    > if my husband bought it for use on my winxp computer?




  7. #47
    Dustin Cook Guest

    Re: How to determine if Spector Pro Spyware is running on my computer?

    Donna <donnaohl26@yahoo.com> wrote in news:TiRXj.8983$nl7.1206
    @flpi146.ffdc.sbc.com:

    > I found a receipt in my husband's credit card bill for something I think
    > might be something called Spectre Pro Spyware wireless keylogger.


    Ouch... That's probably not a good thing.
    Maybe it's not for your computer?

    > I presume the software must "phone home" somehow the keylogging activity.


    Depending on the version, it's storing a copy on your computer; if it's
    installed there. Not my place to say why it may be present on your
    computer, but it's worth noting that previous versions basically did a
    snapshot, so anything you do, is copied. Chat sessions, email, web surfing,
    and no, you can't erase it from those programs easily.

    > Is there any way, perhaps by looking at network activity, that I can tell
    > if my husband bought it for use on my winxp computer?


    If it's on that computer, and properly installed, under normal conditions,
    you shouldn't notice its presence.



    --
    Regards,
    Dustin Cook - http://bughunter.it-mate.co.uk
    BugHunter v2.2e AntiMalware Removal Utility

