How to tell if keyloggers and real spyware implanted?

If someone had physical control of my computer and loaded keylogging and password recovery software on my computer, how do I find it?

I ran Hijackthis, spybot search and destroy as well as Adaware and everything looks clean.

Is it possible that I still have something that will save my passwords against my will as well as logging my keystrokes? Even if it isn't emailed, if this person accesses my computer, can they recover this info?

TIA

 

If your looking for a keylogger with Spybot or Ad-aware, your not likely to find it with these programs. They're good at finding general spyware, but not too good at finding keyloggers.

And if you don't know what your doing with Hijackthis you should be very careful what you delete with it. It would be best to post a hijackthis log at a qualified forum and let the experts there examine it. They will be able to properly notify you of what you can and cannot delete with it, if any keylogger is found on your system. Here's one such forum http://www.dslreports.com/forum/security But sadly even Hijackthis won't find everything so here's a few other programs that excel at sniffing out hidden keylogger and trojan programs.

First I would recommend downloading and running the free 30 day trial of Security Task Manager http://www.neuber.com/taskmanager/index.html This program is very good at finding keyloggers and other trojan type software. Runs on 98/ME/2k/XP.

Also I would suggest the free trial of Unhackme to find any harder to find rootkit like keyloggers that may be lurking on your system. Only works on 2k/XP. http://www.greatis.com/unhackme/index.html

Another good free program for finding trojans and some spyware/riskware is Ewido Security Suite. http://www.ewido.net/en It's only for 2K/XP operating systems though, so if your running an older OS you won't be able to use it.

But A2 (another free anti-trojan) will run on 98/ME/2K/XP and you may find it helpful as well. http://www.emsisoft.com/en/software/free

And if someone has physical access to your computer, and you think you may be the victim of a hardware keylogger, take a look here for some info on hardware keyloggers. http://www.keyghost.com/Index.htm (link originally posted by Paranoid here https://www.wilderssecurity.com/showthread.php?t=84679 ).

Best of luck, and let us know how things go.

 

In addition to the above you can:

1) Try snoopfree to trap any software keyloggers:
http://www.snoopfree.com/default.htm

2) Run System Internals Filemon to view possible unauthorized file activity:
http://www.sysinternals.com/FileAndDiskUtilities.html

3) Run the trial version of Port Explorer to view possible unauthorized internet connections:
http://diamondcs.com.au/

Rich

 

Hi Richrf,

Could you elaborate on how we can use SI Filemon to detect malware or keyloggers? What are we looking for? I mean, any examples of what we should be looking for?

For example, let's say I did have a keylogger, or other password stealing program on my computer, what entries should I be looking for in Filemon? I'm new to this tool so I'm just looking for any help on how to use it effectively and properly to detect malware.

Thanks for your time and help.

 

Hi InsuranceGuy, Welcome To The Forums!

Wish I had some easy answers for you, but it's all about research.
You might have a look at the Intrusion Detection FAQ among many other fine Articles & Tutorials.

In response to your final questions .... yes, and you tell me?

There is a literal plethora of tools available that, while originally engineered for network diagnostics ....
are the same ones used and modified by those with too much time on their hands.


Hi wondering1,

Lacking quality time with Filemon, you may find Reverse-Engineering Malware of interest.
Here you'll find a brief example using both Filemon and Regmon under System Monitors.



Best to you both,
GF

 

Even though I have not installed or used this, I have heard it is quite effective at not only determining if a rootkit is installed, but at (supposedly) removing all of it as well:

F-Secure Blacklight

It is still in beta for another couple of weeks, and then I believe will not be available as a standalone, but rather will be incorporated into other F-Secure products. If you think you might have a rootkit, it might be worth a try to test it out (and then give us a full report on how effective and worthy you think it is for others to try )

 

Hi,

In message #14 of this thread, Paranoid2000 suggests a way that Process Explorer and Filemon may be helpful in detecting keylogger processes.

https://www.wilderssecurity.com/showthread.php?t=83939&highlight=filemon

Hope this helps,
Rich

 

Lots of good stuff posted here.

I will run a few of them and see what happens.

Quick question, is it possible to search for files altered on a certain day?
If I know the unauthorized access was on a specific day, what kind of files would I search for that were altered on that day?