Spectorsoft eBlaster 3.0 - Experiences
How to delete, uninstall and remove?

The description of this program sounds pretty interesting: it logs all activities on a computer (keystrokes, screenshots at certain intervals, chats, incoming and outgoing email, the history of visited websites), and all of this can be sent to a specified email address, so nothing is left private. Detecting an infected system (eBlaster or Spector) can be done with ElbTecScan (224 KB); it's freeware, but unfortunately there is no description of how to handle this information.

Particularly insidious is the fact that there are no traces to be found: no .exe in the Task Manager, no Windows service being started, no directory, much less an uninstall routine. Cleverly camouflaged, it hides among the system files.

Firewalls will detect the attempt to connect to the outside world, but apparently the program is using a leak in Windows Explorer (not Internet Explorer), so that only explorer.exe is shown ... such a window does not attract everyone's attention ;-)

--> Windows Explorer has no need to care about the web at all!

After comparing the files of a new system (Windows 200 Prof.) without this devil and a new system with the spying software, using the DOS command "dir /S > C:\eblaster.txt", I came to the following conclusions:

  • the names of the new files varied from the first install to the second (!!!), so not all of the files listed below will also occur on your system
  • some of the files were more than persistent and could only be removed in safe mode (ocxdrv32.dll and olescn32.dll)
  • ocxdrv32.dll had to be kicked off twice in safe mode
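
Because the file names change between installs, diffing against a clean baseline is more reliable than matching a fixed name list. The following is an added example, not part of the original article: it parses two saved "dir /S" listings and reports files that exist only in the suspect one. It assumes English or German locale output; the sample listings, dates and sizes are constructed.

```python
import re

# File row of `dir` output: date, time (12h "05:00a"/"05:00 AM" or 24h), size, name.
# <DIR> rows and the "File(s)" summary lines do not match and are skipped.
FILE_ROW = re.compile(
    r"^\d{2}[./-]\d{2}[./-]\d{2,4}\s+\d{1,2}:\d{2}(?:\s*[AaPp][Mm]?)?\s+([\d.,]+)\s+(.+)$"
)
# Assumption: English or German locale header ("Directory of" / "Verzeichnis von").
DIR_HEADER = re.compile(r"^\s*(?:Directory of|Verzeichnis von)\s+(.+?)\s*$", re.I)


def parse_dir_listing(text):
    """Map lower-cased full path -> size in bytes for every file in a `dir /S` dump."""
    files, current = {}, None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = header.group(1).rstrip("\\")
            continue
        row = FILE_ROW.match(line.strip())
        if row and current:
            size = int(re.sub(r"[.,]", "", row.group(1)))
            files[f"{current}\\{row.group(2)}".lower()] = size
    return files


def new_files(baseline_text, suspect_text):
    """Paths present in the suspect listing but absent from the clean baseline."""
    baseline = parse_dir_listing(baseline_text)
    suspect = parse_dir_listing(suspect_text)
    return sorted(path for path in suspect if path not in baseline)


# Constructed sample listings (dates and sizes are invented for the example).
BASELINE = r"""
 Directory of C:\WINNT\system32

12/07/1999  05:00a      <DIR>          .
12/07/1999  05:00a             732,432 kernel32.dll
12/07/1999  05:00a             402,192 user32.dll
               2 File(s)      1,134,624 bytes
"""
# Same directory with two extra file rows appended, as the suspect system would show.
SUSPECT = BASELINE + (
    "10/12/2003  09:14a              45,056 krnled.dll\n"
    "10/12/2003  09:14a              61,440 ocxdrv32.dll\n"
)

if __name__ == "__main__":
    for path in new_files(BASELINE, SUSPECT):
        print(path)
```

Paths are compared case-insensitively because Windows file names are not case-sensitive.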

 

Comments:

No statement can be made for eBlaster 2.0; I'll only refer to this and this site.

Anyway, in the end a final scan with ElbTecScan has to be made.

There has been no registry comparison; I wouldn't be surprised if one or another entry is to be found ... if someone can help out - you're welcome!

So, here's the list of newly created files after an eBlaster installation; they can all be kicked off without any damage:

C:\WINNT\system32\krnled.dll
C:\WINNT\system32\krnled.exe
C:\WINNT\system32\mserrtrc.dll
C:\WINNT\system32\msrac32.dll
C:\WINNT\system32\msrac32.exe
C:\WINNT\system32\mssecrmd.dll
C:\WINNT\system32\mssecrmd.exe
C:\WINNT\system32\msvbrnt.chm
C:\WINNT\system32\nvrcr32.dll
C:\WINNT\system32\ocxdrv.dll
C:\WINNT\system32\ocxdrv32.dll
C:\WINNT\system32\olescn32.dll
C:\WINNT\system32\rmashlex.dll
C:\WINNT\system32\rmtcore.dll
C:\WINNT\system32\shdocew.chm
C:\WINNT\system32\tsarot32.dll
C:\WINNT\system32\wmscmod.chm

About these two I'm not sure; ElbTecScan will be negative in spite of their being present:

C:\WINNT\system32\winmsv0lowin.dll
C:\WINNT\system32\winmsv0lowin.drv


As English is not my native language, some expressions may not be overwhelming; you're welcome to help me out.

Hope this helps anyway