KeyLogger Trace HELP!!
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: KeyLogger Trace HELP!!

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    14

    KeyLogger Trace HELP!!

    Hello everybody. I have a keylogger on my computer. I want to trace it to the computer it came from. I am not that technically inclined when it comes this stuff. I downloaded ethereal and tried to read some tutorial but it was fruitless. Also, I did a clean install of windows a while ago and i thought i had rid myself of the bug, but somehow its back. Do not ask how i know all this. I just need some help tracing it, if possible of course. Thanks!

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    Why can't I ask how you know all of this? Did the keylogger show up in some kind of scan? Give a little more info, and it might be easier for someone here to help you...
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  3. #3
    Senior Member treanglin's Avatar
    Join Date
    Dec 2003
    Posts
    110
    I believe that the difficulty in determining where the keylogger came from is based on the type of environment the computer is used in.

    Is this your home computer?
    Is a a work computer?
    Are/Have other people used the computer?


    Unless you or someone else have already been logging the activity that goes on on the network wire that the computer is used in then I think it would be hard to figure out where it came from if someone installed it remotely.

    I just thought however, that if you are asking what computer/email address the keylogger is sending it's logs too then I mean....sure, you can use ethereal, but if you want to make things a little less confusing you can use the builtin windows "netstat" command with the -o option using the process id of the keylogger and the interval option to see then the program calls up its remote host. When the program "phones home" (the ones I've seen do this every 30 or 60 mins) then you can take note of the ip address and then go from there.

    And easier solution might be to use a GUI utility like tcpview from Systernals and watch for when the keylogger sends it's logs to the remote host. Take note of the remote host and go from there. It might be a litte easier?

    I hope this helps.
    "Do you know why the system is slow?" they ask

    "It's probably something to do with..." I look up today's excuse ".. clock speed"
    -BOFH

  4. #4
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    Are you sure that its really a keylogger and if so, it could be hardware based i.e. attached pysically to your pc or it could be software based. I would suggest a good Antivirus scan from something like AVG and also a good anti spyware scan from Adaware. That would be the solution to remove the keylogger but as far as tracing it you might wanna check you event logs and see whats been going on there.
    Git R Dun - Ty
    A tribe is wanted

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi,

    I want to trace it to the computer it came from
    actually, that is probably Mission Impossible by now, but don't worry................. what you really need to know is what computer it reports back to ? If it doesn't then it is a physical access situation and no other computer is involved.

    If you can find the active program and its log file, please zip them and post them here and we will be able to tell you what you want to know (hopefully). It would also help if you said what it seems to be called (saves time figuring how it might be encrypted, if at all )

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Nihil is exactly right...thats the ONLY probale way you can find it out...just keep monitoring your outgoing connections and that might lead you somewhere near to what you need to know...and if you are able, try to see if the IP is static and if it is, reinstall the windows and block the IP! hopefully the keylogger will not return back again.

    I suggest you use some good firewall ( I use KERIO and it is pretty good at work and FREE)....which will also alert you when an untrusted program tries to communicate to outer world!
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  7. #7
    Junior Member
    Join Date
    May 2006
    Posts
    14
    okay. i have tcpview, but i do not understand what to look for after running the program. also, i have no idea how to use ethereal to see email. could anybody help me with that. that would be ideal. oh, and how would i find the file, so that i can post it on the board?

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Why not answer the questions asked....

    Is this a work computer...a home computer???

    If you reinstalled...did you format...is that what a "clean" install means?

    Do other people use this computer??

    How do you think the keylogger got on there???

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    I'm with MLF. How did you know the keylogger came back after the re-install? Did you use HiJackThis and look at the log?

    Run through the posts here and answer the questions. Then, you might get some decent help with the problem, if there really is one.

  10. #10
    Junior Member
    Join Date
    May 2006
    Posts
    14
    sorry for not answering. umm its a personal comp, used only by me. i checked externally to see if there is any device, but its clean. i reformatted the hard drive, i think i did a quick reformat, then reinstalled windows. im pretty certain it was done remotely. i didnt run hijackthis but i will know...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides