#1
Dear members,
A friend of mine told me tonight that her daughter was given a PC by her ex-husband a few months ago. Recently, her ex-husband, who owns a small company with an IT department, actually admitted to her that he had asked one of his IT employees to install a keylogger on the daughter's PC before giving it to her as a present. Her daughter obviously wants to get rid of this spyware also. When I heard this, I mentioned to her that there may be ways to get rid of keyloggers by running the usual antispyware applications of which I had learnt in this forum.

From what I have read in threads discussing keyloggers and general privacy, I thought of the following strategy: scans with AS (e.g. SAS, a2) and AV (e.g. Avira, KAV, AVK), with heuristics and detection of potentially dangerous applications enabled, followed by the installation of a strong firewall and HIPS, to detect and prevent further keylogger installation attempts.

Would this be the correct first approach? Also, are there any specific anti-keylogger applications which are effective and safe to use? Would a rollback application prevent the further installation of keyloggers? If detection fails, is it necessary to reformat the hard drive?

Thanks for your help, and best wishes,
jm0307
#2
I am sure many people can answer this question better than me, but I'll throw out a few things:

Did the ex-husband state whether he had a software keylogger or hardware keylogger installed? From what I understand, hardware keyloggers are difficult to detect by scanning. Many of them can be hidden inside a keyboard or plugged into the computer or one of the computer cables. I believe the issue becomes retrieving the hardware keylogger after it saves keystrokes. I suppose this could be done if the ex-husband had the ex-wife bring her computer in to the IT department every few months for maintenance?

As far as software keyloggers, I think it depends on what type of keylogger it is as to whether most scanning can detect them. I have read that commercial keyloggers are purposely not detected by some/most anti-spyware. I assume this is because many businesses use them for legitimate purposes. So if the ex-husband installed some rogue type software keylogger there is a decent chance it will be detected by scanning. Otherwise detecting it may be more difficult. But that is just my 2 cents worth.
__________________
"Being safe on the internet is a lot like being safe in real life. Always have a back-up plan and be careful where you stick your pointer." -- anonymous (but probably not Anonymous)
#3
Would a HIPS app, or possibly HJT, aid in the keylogger detection?
__________________
If I've offended you, I'm sorry. If I haven't, I'll get around to it. WSF 101
#4
Hello acr1965,
No, my friend told me that the ex-husband only told her a few weeks ago that he had a keylogger installed, months after he had given the PC as a present to the daughter. The daughter told me that she too was unaware and broached the subject with her dad, but he refused to discuss it with her. They both don't think that her father is a bad person, but rather that he is overly controlling for her age. I suggested giving back the PC, but the daughter didn't like that option. In any case, she is neither a minor nor troubled and so should have a right not to be spied on. I couldn't argue with that... Personally, I still think that giving back the PC is the best option, as her father may merely be trying to be caring and protective, which is a good thing, but his means of achieving this are questionable, to say the least.

I have no idea whether it is a hardware keylogger. I didn't even know such things existed until reading some threads before I posted. They didn't mention that her ex-husband ever asked to have access to the PC or have it serviced. They did mention that he still comes to dinner occasionally. I will call them tomorrow and ask whether he services the PC or accesses it when visiting, or whether any devices are attached. I will post again when I know more.

Thanks for your help, and best wishes,
jm0307
#5
The hardware keylogger can be found if it is installed. The most obvious places are in the computer cord or if there is a plug-in device.
There are several sites that sell commercial keyloggers and you can see how they look from pics on those sites. Here are a few examples. The link below shows some hardware keyloggers: http://www.anti-keylogger.com/keylogging_hardware.html
FWIW, the daughter may want to consider what all may be saved in the keylogger logs before giving the computer/keylogger back.
#6
Spyware Doctor has keylogger protection/removal. I'm using it atm; it's great. MD
__________________
~~Share your knowledge, it's a way to achieve Immortality~~
#7
Spy Sweeper, the new KIS 7, trojan removers, etc... they should be able to take care of it. NirSoft's CurrProcess.exe and CurrPorts.exe should be able to tell you what's going on. After that, try a rootkit sweep, although if it is a commercial keylogger, you probably won't find hidden handles.
__________________
TravelMate 8204WLMi Intel Core Duo T2500, 2.0GHz|2 GB DDR2 667 RAM|ATI Mobility Radeon X1600 256MB|120 GB 5400 RPM SATA| _____________ C2D E6600@3.7Ghz,|3GB DDR2|ATI Radeon X1950Pro|160GB+500GB x 4 SataII|
#8
BOClean also detects some keyloggers.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
#9
*Nice job acr. Good to see a well prepared, coherent post.
Because of close to nil hands-on experience, jm, better I let the folks here describe a slightly involved, but effective means of system investigation - http://archives.devshed.com/forums/c...s-1714075.html. In addition, Google's image search will return more than its share of *hardware keyloggers* for you to get a look at. Steve
__________________
"No matter what, no matter where ~ it's always home when love is there!"
#10
Just for the pure heck of it, why don't you have the daughter d/l and install the trial version of SpyCop:
http://www.spycop.com/download.htm and see what it indicates after running it, if anything. The reason I suggest it is because if you're talking about a keylogger installed by a company IT dept. guy, it's probably a commercial keylogger - and that's specifically what SpyCop's designed to detect. I'm just curious as to whether or not the trial version will find anything. HTH Pete
#11
Thanks for your kind help.
I have passed on the relevant info and will keep you posted. Best wishes
#12
Hello,
Scans with SAS and the KAV online scanner were clean! Perhaps this was just a bluff? They have gone on vacation now, but said that they will try SpyCop when they return in two weeks. Thanks again for your kind replies, and best wishes. jm0307
#13
SpyCop is very poor, forget it. Totally outdated.
#14
You may want to email SAS and ask if their product detects "commercial" keyloggers. In the past SAS has been very prompt with replies. It might not hurt to ask what detection technique they would recommend with your possible issue of an installed hardware or software keylogger. Good luck.
#15
SystemJunkie - I believe that on the off-chance that whatever's there (if anything) is actually a commercial keylogger, then even the trial version of SpyCop might pick up on it - it certainly can't hurt to try it and see.
With SAS and KAV online not finding anything, a similar result with SC would at least be validation of the other two - a positive result from SpyCop would bear checking into. Needless to say, your out-of-hand condemnation of SpyCop I consider absurd.

jm0307 - Has the daughter noticed any evidence of either the father or the ex-husband knowing any details of her online doings that they wouldn't have, unless they DID have a keylogger installed?

To answer one of the first questions you asked ("If detection fails, is it necessary to reformat the hard drive?"), I would say that as a general rule (after you've ruled out the existence of a hardware keylogger) yes - transfer all pictures or other material that needs to be saved from the computer to removable media, nuke the existing HD with DBAN, re-install everything, change all previous passwords to something else entirely (especially "Administrator" and email account password and the password to get into the computer to start with), disable any "Guest" accounts, tell her to always shut the computer down when she's not there (so the new password will be needed to access the account at startup), etc.

Let us know how it goes when she gets back. Pete
#17
http://www.spycop.com/faq.htm

SpyCop Trial Version

Q. The SpyCop Trial did not find any spy software!
A. The trial version will only scan 75% of the files on your system. The trial is only meant to test for system compatibility. It does not provide a definitive answer as to whether your system contains spy software or not. SpyCop was designed to find computer monitoring spy programs, and is the most powerful solution available anywhere for doing so. Unfortunately the cost of maintenance and the very nature of the product prevents us from releasing a more functional trial version.

Q. What limitations does the trial version have?
A. Due to the nature of our product, we must make the trial quite limited. The trial is thus intended only to test for system compatibility and has the following limitations:
-No database update/autoupdate options
-Will only scan 75% of the files on your system
-No screensaver capability
-Can not set a password
-No low level scanning

Q. Does the trial leave garbage behind after it is uninstalled?
A. When SpyCop is uninstalled properly by using its uninstall program, no registry entries or files are left behind. The uninstaller is available in the Start Menu under SpyCop. In some cases, the SpyCop folder may still be present after uninstallation and can be deleted. Refer to uninstalling for a proper removal procedure.

Q. Where do I get the trial version?
A. Trial versions for both the SpyCop Scanner and Evidence Terminator can be downloaded from our standard download page here.
#18
Software keyloggers: there are keyloggers that are stealthed like rootkits and there is a chance that you might never trace them with any software. I will suggest a complete format and clean install of Windows. No need to waste time with scanners etc.
Hardware keyloggers: you need to return the PC unless you find the keylogger.
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus
#19
Hello,
Well, it was worth a try. Also, if on a computer competence scale of one to ten, with ten being highest, I would rank a 1.5, then they would probably rank 0.5. So I thought it may be easier for them to run some scans than having to reformat. This was also the reason for using KAV's online scanner, and the free version of SAS is very easy to install. In any case, apparently SAS found plenty of tracking cookies and some adware, so it wasn't all in vain. All of the feedback received is greatly appreciated. I will let them know that reformatting is the most thorough solution - hope they have the discs. For now, they are enjoying their PC-free vacation. Best wishes, jm0307
#22
Get her to swap the computer with one of her friends, maybe a BF before she dumps him.
I couldn't use a computer if it had a keylogger. I don't know how keyloggers work, but you could try a packet sniffer to see if it's sending stuff over the internet. Leave it running while the computer isn't being used for 24 hours and disable as many network programs as possible so it's easier to filter the results. Maybe that's a bad idea, I don't know :|
__________________
musical savant -http://www.youtube.com/watch?v=liprsDr8GrE- -http://www.youtube.com/watch?v=qpIigV7-kJk-
#23
Install Sygate Free & let it run. Look at the log files & see if something like Service Host is connecting out. If I thought I had a keylogger on a computer I would try Spyware Doctor. If it found nothing I would try A2. I might still reformat.
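The idle-time check that the two posts above describe (log what connects out while nobody is at the PC, drop the programs that are expected to talk to the network, and look at what is left), written up as an added example that is not code from this thread or from any of the tools named in it. The log format, the process names, the allowed list and the addresses are all constructed for the example; a real run would feed it the firewall or CurrPorts log instead.

```python
# Added example (not from the thread): idle-time outbound-connection triage
# in the spirit of the packet-sniffer and firewall-log suggestions above.
# Log format, process names, addresses and the allowed list are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<date> <time> <process> -> <remote host>:<port>"
SAMPLE_LOG = """\
2007-08-13 02:00:05 svchost.exe -> time.windows.com:123
2007-08-13 02:10:00 ksvc.exe -> 198.51.100.7:25
2007-08-13 02:20:01 ksvc.exe -> 198.51.100.7:25
2007-08-13 02:29:59 ksvc.exe -> 198.51.100.7:25
2007-08-13 02:40:00 ksvc.exe -> 198.51.100.7:25
2007-08-13 02:47:12 avira_update.exe -> dl.avira.example:80
2007-08-13 03:03:40 msmsgs.exe -> 203.0.113.9:1863
"""
# Programs the owner expects to talk out while the PC is idle (the filter).
ALLOWED = {"svchost.exe", "avira_update.exe"}
IDLE_START, IDLE_END = datetime(2007, 8, 13, 1, 0), datetime(2007, 8, 13, 6, 0)

def parse_log(text):
    """Parse the constructed lines into (timestamp, process, destination)."""
    events = []
    for line in text.splitlines():
        day, clock, proc, _, dest = line.split()
        events.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), proc, dest))
    return events

def idle_time_suspects(events, allowed, start, end, min_hits=3):
    """Report unexpected processes connecting out inside the idle window; near-constant
    gaps between connections are flagged as beaconing (an upload running on a timer)."""
    by_proc = defaultdict(list)
    for ts, proc, dest in events:
        if start <= ts <= end and proc not in allowed:
            by_proc[proc].append((ts, dest))
    report = {}
    for proc, hits in by_proc.items():
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beaconing = len(hits) >= min_hits and pstdev(gaps) <= 0.05 * mean(gaps)
        report[proc] = {"connections": len(hits),
                        "destinations": sorted({d for _, d in hits}),
                        "beaconing": beaconing,
                        "interval_s": round(mean(gaps)) if gaps else None}
    return report

def run_example():
    """Run the check over the constructed log; ksvc.exe comes out as beaconing."""
    return idle_time_suspects(parse_log(SAMPLE_LOG), ALLOWED, IDLE_START, IDLE_END)
```

A single unexpected connection (msmsgs.exe here) is listed but not called beaconing; it is the steady ten-minute rhythm of ksvc.exe to one address that stands out and deserves a look at the process and the files it reads.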
#24
Personally I would reformat from scratch. To the best of my knowledge
EBLASTER IS NOT DETECTABLE. It would send shivers down my spine to even have the thought that a keylogger would be installed on my computers. I need to know my privacy is 100%. The best thing, in my opinion, is to have the computer professionally inspected and formatted; this way you know you will have your right to privacy.
#25
[Inappropriate remark removed - Blue] Last edited by BlueZannetti : August 14th, 2007 at 06:50 AM.