August 9th, 2006, 05:17 AM
KeyLogger Trace HELP!!
Hello everybody. I have a keylogger on my computer. I want to trace it to the computer it came from. I am not that technically inclined when it comes to this stuff. I downloaded Ethereal and tried to read some tutorials but it was fruitless. Also, I did a clean install of Windows a while ago and I thought I had rid myself of the bug, but somehow it's back. Do not ask how I know all this. I just need some help tracing it, if possible of course. Thanks!
August 9th, 2006, 05:32 AM
Why can't I ask how you know all of this? Did the keylogger show up in some kind of scan? Give a little more info, and it might be easier for someone here to help you...
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
August 9th, 2006, 05:39 AM
I believe that the difficulty in determining where the keylogger came from is based on the type of environment the computer is used in.
Is this your home computer?
Is it a work computer?
Are/Have other people used the computer?
Unless you or someone else have already been logging the activity that goes on on the network wire that the computer is used in then I think it would be hard to figure out where it came from if someone installed it remotely.
I just thought however, that if you are asking what computer/email address the keylogger is sending its logs to then I mean....sure, you can use Ethereal, but if you want to make things a little less confusing you can use the built-in Windows "netstat" command with the -o option, using the process id of the keylogger and the interval option to see when the program calls up its remote host. When the program "phones home" (the ones I've seen do this every 30 or 60 mins) then you can take note of the IP address and then go from there.
An easier solution might be to use a GUI utility like TCPView from Sysinternals and watch for when the keylogger sends its logs to the remote host. Take note of the remote host and go from there. It might be a little easier?
I hope this helps.
"Do you know why the system is slow?" they ask
"It's probably something to do with..." I look up today's excuse ".. clock speed"
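The netstat approach above (run `netstat -ano` with an interval, watch for a PID that keeps calling the same remote host) can be tedious to read by eye. The following is an added example, not code from anyone in this thread: a small Python script that parses saved `netstat -ano` output containing several snapshots (the interval mode repeats the "Active Connections" header for each one), ignores loopback and local-only connections, and reports which PID contacted which remote endpoint in how many snapshots. The capture text inside it is constructed sample data, not output from the original poster's machine; the PIDs and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of three `netstat -ano 60` snapshots (Windows XP-era layout).
# None of these PIDs or addresses come from a real machine.
SAMPLE_CAPTURE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       192.168.1.5:1035       ESTABLISHED     1020
  TCP    192.168.1.5:1044       203.0.113.10:80        ESTABLISHED     1488
  UDP    0.0.0.0:445            *:*                                    4

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       192.168.1.5:1035       ESTABLISHED     1020
  TCP    192.168.1.5:1051       203.0.113.10:80        ESTABLISHED     1488
  TCP    192.168.1.5:1052       198.51.100.7:25        SYN_SENT        2204
  UDP    0.0.0.0:445            *:*                                    4

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       192.168.1.5:1035       ESTABLISHED     1020
  TCP    192.168.1.5:1060       198.51.100.7:25        ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""

# One connection line: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
SNAPSHOT_HEADER = "Active Connections"


def split_host_port(addr):
    # netstat prints IPv4 endpoints as host:port; "*:*" is the UDP wildcard.
    host, _, port = addr.rpartition(":")
    return host, port


def parse_snapshot(text):
    """Return the connection rows of one snapshot as dicts."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a row
        proto, local, foreign, state, pid = m.groups()
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state or "", "pid": int(pid)})
    return conns


def parse_capture(text):
    """Split a saved interval-mode capture into per-snapshot connection lists."""
    chunks = [c for c in text.split(SNAPSHOT_HEADER) if c.strip()]
    return [parse_snapshot(c) for c in chunks]


def local_hosts(snapshots):
    """Every address this machine listened or connected from; used to drop local-only traffic."""
    return {split_host_port(c["local"])[0] for snap in snapshots for c in snap}


def is_remote(host, locals_):
    return (host not in locals_ and host not in ("*", "0.0.0.0")
            and not host.startswith("127."))


def remote_contacts(snapshots):
    """Map pid -> remote endpoint -> sorted snapshot indices where it was seen."""
    locals_ = local_hosts(snapshots)
    seen = defaultdict(lambda: defaultdict(set))
    for idx, snap in enumerate(snapshots):
        for c in snap:
            host, _ = split_host_port(c["foreign"])
            if is_remote(host, locals_):
                seen[c["pid"]][c["foreign"]].add(idx)
    return {pid: {ep: sorted(ids) for ep, ids in eps.items()} for pid, eps in seen.items()}


def repeat_callers(snapshots, min_sightings=2):
    """(pid, endpoint, sightings) for PIDs that reach the same remote host repeatedly,
    the "phones home every N minutes" pattern; most hits first."""
    out = []
    for pid, eps in remote_contacts(snapshots).items():
        for ep, ids in eps.items():
            if len(ids) >= min_sightings:
                out.append((pid, ep, len(ids)))
    return sorted(out, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    snaps = parse_capture(SAMPLE_CAPTURE)
    for pid, endpoint, n in repeat_callers(snaps):
        # Identify the process behind the PID with Task Manager's PID column
        # or: tasklist /FI "PID eq <pid>"
        print(f"PID {pid:<6} -> {endpoint:<22} seen in {n} of {len(snaps)} snapshots")
```

Save the interval output to a file first (for example `netstat -ano 60 > capture.txt`, left running for an hour or two), then point `parse_capture` at its contents. Every repeat caller is a candidate to check against Task Manager or `tasklist`, not proof of a keylogger: a browser or mail client will also appear, which is why the report keeps the PID so each one can be identified.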
August 9th, 2006, 06:25 AM
Are you sure that it's really a keylogger and if so, it could be hardware based i.e. attached physically to your PC or it could be software based. I would suggest a good antivirus scan from something like AVG and also a good anti-spyware scan from Ad-Aware. That would be the solution to remove the keylogger but as far as tracing it you might wanna check your event logs and see what's been going on there.
August 9th, 2006, 07:46 AM
Actually, that is probably Mission Impossible by now, but don't worry................. what you really need to know is what computer it reports back to? If it doesn't then it is a physical access situation and no other computer is involved.
I want to trace it to the computer it came from
If you can find the active program and its log file, please zip them and post them here and we will be able to tell you what you want to know (hopefully). It would also help if you said what it seems to be called (saves time figuring how it might be encrypted, if at all).
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
August 10th, 2006, 06:40 PM
Nihil is exactly right...that's the ONLY probable way you can find it out...just keep monitoring your outgoing connections and that might lead you somewhere near to what you need to know...and if you are able, try to see if the IP is static and if it is, reinstall Windows and block the IP! Hopefully the keylogger will not return back again.
I suggest you use some good firewall (I use Kerio and it is pretty good at work and FREE)....which will also alert you when an untrusted program tries to communicate with the outer world!
"Everything should be made as simple as possible, but not simpler."
- Albert Einstein
August 11th, 2006, 09:15 PM
Okay. I have TCPView, but I do not understand what to look for after running the program. Also, I have no idea how to use Ethereal to see email. Could anybody help me with that? That would be ideal. Oh, and how would I find the file, so that I can post it on the board?
August 11th, 2006, 09:33 PM
Why not answer the questions asked....
Is this a work computer...a home computer???
If you reinstalled...did you format...is that what a "clean" install means?
Do other people use this computer??
How do you think the keylogger got on there???
"How people treat you is their karma - how you react is yours." - Wayne Dyer
August 11th, 2006, 09:55 PM
I'm with MLF. How did you know the keylogger came back after the re-install? Did you use HiJackThis and look at the log?
Run through the posts here and answer the questions. Then, you might get some decent help with the problem, if there really is one.
August 11th, 2006, 10:16 PM
Sorry for not answering. Umm, it's a personal comp, used only by me. I checked externally to see if there is any device, but it's clean. I reformatted the hard drive, I think I did a quick reformat, then reinstalled Windows. I'm pretty certain it was done remotely. I didn't run HijackThis but I will know...