Thread: Detecting A Keylogger?

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    2

    Detecting A Keylogger?

    Greetings all,

    I have reason to suspect that I have a keylogger sitting somewhere on my PC. Just wondering if anyone can shed light on any possible way to detect one.

    I have googled the topic and come up with mostly "they are impossible to detect, but you can try this....". All of which were pretty unhelpful.

    Anyone able to help or point me in the direction of what activity I should be looking for.

    Thanks

  2. #2

    Re: Detecting A Keylogger?

    Originally posted here by Obliviously
    Greetings all,

    I have reason to suspect that I have a keylogger sitting somewhere on my PC.
    I'm curious to know *Why* you suspect the presence of the Keylogger? *What* did you notice to suspect the presence of the Keylogger?

    On a scale of 1 to 10, I stand at 0 when it comes to the inner workings of computers, so sorry I can't help you much, but if you can answer my questions that would be great.

    Thanks
    -We May Need To Solve Problems Not By Removing The Cause, But By Designing The Way Forward Even If The Cause Remains In Place-

    Edward de Bono

  3. #3
    Gonzo District BOFH westin
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Welcome to AO!

    Depending on the type of keylogger, it might be detected by some of the common anti-spyware programs [i.e. Ad-Aware, Spybot Search and Destroy, Prevx1, etc.]. Try searching for keylogger detection. Also try running 'netstat -a -b' from a command prompt (Start > Run > cmd) [sorry if it seems I am talking down to you, but I have no idea of your technical knowledge]. This should show you your active connections, and the executable responsible for the connections. Hope this helps.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
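
As an added example (not code from the thread or from any of the posters), here is a small Python triage of `netstat -a -b` output in the layout Windows XP SP2 prints: each connection line is followed by indented attribution lines, the last of which names the owning process in square brackets. The sample output and the allow-list are constructed; `wupdmgr32.exe` is a made-up process name used only as the thing to be flagged. A connection is reported when its owning process is not on the allow-list and it is either established to a routable address or listening on all interfaces.

```python
"""Triage of `netstat -a -b` output (Windows XP SP2 layout).

Added example, not from the thread. Sample output and allow-list are
constructed; "wupdmgr32.exe" is a made-up process name.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample, not a real capture. Attribution lines (component DLLs,
# then the owning process in brackets) follow each connection line.
SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\rpcss.dll
  [svchost.exe]
  TCP    192.168.1.20:1057      198.51.100.10:80       ESTABLISHED     1532
  [iexplore.exe]
  TCP    192.168.1.20:1061      203.0.113.45:25        ESTABLISHED     2248
  [wupdmgr32.exe]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2248
  [wupdmgr32.exe]
  UDP    127.0.0.1:1900         *:*                                    1124
  [svchost.exe]
"""

# Analyst-supplied allow-list (assumption): process names already identified
# as legitimate on this machine.
KNOWN_GOOD: Set[str] = {"svchost.exe", "iexplore.exe"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Address ranges that never indicate traffic leaving the machine or LAN.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: Optional[str]      # UDP rows carry no state column
    pid: int
    owner: Optional[str] = None  # filled from the bracketed line that follows


def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat -b text into Conn records, attaching the owning process."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append(Conn(proto, local, foreign, state, int(pid)))
            continue
        m = OWNER_RE.match(line)
        if m and conns:
            conns[-1].owner = m.group(1)  # bracketed line belongs to the last connection
    return conns


def is_external(addr: str) -> bool:
    """True when the host part of 'ip:port' is a routable IP (not RFC 1918, loopback, etc.)."""
    host = addr.rpartition(":")[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or an unresolved hostname
    if ip.version == 6:
        return not (ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified)
    return not any(ip in net for net in NON_ROUTABLE_V4)


def triage(text: str, allow: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (pid, owner, reason) for connections owned by unfamiliar processes."""
    findings = []
    for c in parse_netstat(text):
        owner = (c.owner or "<unknown>").lower()
        if owner in allow:
            continue
        if c.state == "ESTABLISHED" and is_external(c.foreign):
            findings.append((c.pid, owner, f"outbound to {c.foreign}"))
        elif c.state == "LISTENING" and c.local.startswith("0.0.0.0:"):
            findings.append((c.pid, owner, f"listening on all interfaces at {c.local}"))
    return findings


if __name__ == "__main__":
    for pid, owner, reason in triage(SAMPLE_NETSTAT, KNOWN_GOOD):
        print(f"PID {pid:<5} {owner:<16} {reason}")
```

Run `netstat -a -b -n` rather than plain `-a -b` when feeding this, so that addresses come out numeric instead of resolved hostnames. Two caveats apply to anything based on netstat: it runs on the machine under suspicion, so software that hooks the relevant APIs can hide its own sockets from it, and a logger that only writes to disk and sends nothing until later will show no connection at all while you are looking.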

  4. #4
    Junior Member
    Join Date
    Aug 2006
    Posts
    2
    Thanks for the replies

    I'm curious to know *Why* you suspect the presence of the Keylogger? *What* did you notice to suspect the presence of the Keylogger?
    Unfortunately, I am paranoid by nature, not to the extent that I think my phones are being tapped or that a satellite is dedicated solely to watching my every movement, but my job requires I look at people from a different point of view. Some of it becomes habit I guess. It is quite simple really: people I am affiliated with are aware of, or dropping, bits of information during conversations that I only mentioned during personal emails and chats. Email accounts have been tampered with and changing passwords doesn't seem to do much.

    Sounds a bit nutty I know, but hey, if there isn't a keylogger at least I'll know how to detect one in the future....ahem...

    sorry if it seems I am talking down to you, but I have no idea of your technical knowledge
    Not at all; as I said earlier, any advice is much appreciated. It seems to be quite a grey area when trying to discern if keyloggers are actually installed on your system. I am using Win XP and am curious if there is actually a program or command line that I can use to check if there is a program sending emails/files or whatever running in the background. I have checked 'msconfig' and am still working my way through determining what everything is in there. (Although, I doubt any keylogger worth its weight in salt would register there, no?)

    Thanks again guys and gals, the voices in my head are telling me to stop writing now

  5. #5
    Banned
    Join Date
    Jul 2006
    Location
    /
    Posts
    385
    Just do scans with your antivirus and antispyware applications in safe mode, and also check your firewall settings to see if any unusual programs etc. are trying to access the internet.

    just a few ideas.

  6. #6
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Obliviously , and welcome to AO, home of the paranormal.............. or do I mean abnormally paranoid?

    I think that we need a bit more information?

    1. Is this machine at home, or at work?
    2. Is it part of a local area network?
    3. Does anyone else have unsupervised physical access to the machine?
    4. Do these "events" only happen when you use a particular machine, or any machine?
    5. Do you have a firewall on your machine (not the network)?

    I am not a great believer in keyloggers as a first attack vector. They do tend to generate an information overload, and are not the easiest tool to use properly. I usually suspect some sort of trojan/spyware as being more likely.

    As for software, I would try EWIDO and A-Squared, as they tend to be quite good at detecting this sort of thing. Remember to run them in safe mode.

    people I am affiliated with are aware of, or dropping, bits of information during conversations that I only mentioned during personal emails and chats
    Remember that people talk and they are almost certainly talking behind your back!


  7. #7
    Senior Member chizra
    Join Date
    Feb 2006
    Location
    west india
    Posts
    152
    Hi Obliviously,

    Did you try identifying all the processes via Ctrl+Alt+Delete (Windows Task Manager)? In case all the above methods don't work (and I've no doubt why they shouldn't), try googling for info about each and every process listed in the Windows Task Manager.

    Sometimes foolish keyloggers tend to show up in the task manager...

    You may find services and processes which you really don't need running in the background. Before you do scans (of any type), do these things in this order.

    A. Disable System Restore-Right Click My Computer>Properties>System Restore
    B. Restart in safe mode
    C. Finally, run any scan.

    Do not enable System Restore until after you find anything and clean/delete or quarantine it. You'll bring it back into your system.

    Try an online scan at:

    trend micro and at symantec

    Shabba Khair.


    Hindsight is an exact science.
    MudBubble

  8. #8
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Ummm... well, I am a junior member; of course seniors will help you, but here is a small suggestion from myself. netstat is an amazing command, but do you use a firewall? If not, then start using one now! If yes, then which firewall do you use? If your firewall shows active connections, then do this:

    Open the live monitoring section of your firewall and block all the programs at once. Now you will start getting notices that some applications are trying to connect to the internet; look at the path and the description which the firewall will provide and go on allowing them (and creating rules on the fly too). Now if there is any keylogger (as you suspect), it should try to connect to its remote system once within 24 hours. Just keep looking at the path of the programs that try to make connections, and when you see a program which you think is a possible keylogger, disallow it and first try to find out if that file is really a keylogger or if it is a system service (it can be found easily using the Microsoft Knowledge Base and from Google; I prefer to search the Microsoft Knowledge Base using Google!). You may also post the name and path of the file here in AO.

    If you are sure that the suspected file is a trojan/keylogger then you can remove it easily.

    Thanks.
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein
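
The post above asks you to judge each firewall prompt by the program's path and description before allowing it. As an added example (not code from the thread or from any poster), the Python below encodes that judgement for a batch of prompts: a binary named like a core Windows component but living outside its real directory, a binary in a user-writable location such as a profile or Temp folder, a binary outside the Windows and Program Files trees, and a missing file description each earn a reason for review. The prompts are constructed, `kbdhk.exe` is a made-up name, and a default XP install root of `C:\WINDOWS` with `C:\Documents and Settings` for profiles is assumed.

```python
"""Triage of firewall 'program wants to connect' prompts by path and description.

Added example, not from the thread. Prompts are constructed, "kbdhk.exe" is a
made-up name, and the install root C:\\WINDOWS is an assumption.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

WINDOWS_ROOT = PureWindowsPath(r"C:\WINDOWS")          # assumed install root
SYSTEM32 = WINDOWS_ROOT / "system32"
PROGRAM_FILES = PureWindowsPath(r"C:\Program Files")
# Locations any process running as the logged-on user can write to.
USER_WRITABLE = [PureWindowsPath(r"C:\Documents and Settings"), WINDOWS_ROOT / "Temp"]
# Where the genuine copy of each core binary lives on Windows XP.
CORE_BINARIES: Dict[str, PureWindowsPath] = {
    "svchost.exe": SYSTEM32, "lsass.exe": SYSTEM32, "csrss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32, "services.exe": SYSTEM32, "explorer.exe": WINDOWS_ROOT,
}

# Constructed prompts: (path reported by the firewall, file description it showed).
SAMPLE_PROMPTS = [
    (r"C:\WINDOWS\system32\svchost.exe", "Generic Host Process for Win32 Services"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "Firefox"),
    (r"C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe", ""),
    (r"C:\Documents and Settings\Owner\Application Data\kbdhk\kbdhk.exe", ""),
    (r"D:\tools\putty.exe", "SSH, Telnet and Rlogin client"),
]


def _parts(p: PureWindowsPath) -> List[str]:
    return [s.lower() for s in p.parts]   # Windows paths compare case-insensitively


def under(path: PureWindowsPath, base: PureWindowsPath) -> bool:
    """True when `path` lies inside directory `base`."""
    b = _parts(base)
    return _parts(path)[:len(b)] == b


def classify(path_str: str, description: str) -> Tuple[str, List[str]]:
    """Return ('expected' | 'review', reasons) for one firewall prompt."""
    path = PureWindowsPath(path_str)
    reasons: List[str] = []
    expected_dir = CORE_BINARIES.get(path.name.lower())
    if expected_dir is not None and _parts(path.parent) != _parts(expected_dir):
        reasons.append("name-collision")       # named like a Windows binary, wrong directory
    if any(under(path, d) for d in USER_WRITABLE):
        reasons.append("user-writable-path")   # dropped there by something running as the user
    elif not (under(path, WINDOWS_ROOT) or under(path, PROGRAM_FILES)):
        reasons.append("unfamiliar-location")
    if not description.strip():
        reasons.append("no-description")       # no version resource: worth a closer look
    return ("review" if reasons else "expected"), reasons


def triage_prompts(prompts) -> List[Tuple[str, str, List[str]]]:
    """Classify every (path, description) pair; returns (path, verdict, reasons)."""
    return [(p, *classify(p, d)) for p, d in prompts]


if __name__ == "__main__":
    for path, verdict, reasons in triage_prompts(SAMPLE_PROMPTS):
        print(f"{verdict:<8} {path}  {' '.join(reasons)}")
```

The description the firewall shows comes from the executable's own version resource, which whoever built the file sets to whatever they like, so a plausible description on its own proves nothing; the path check is the stronger signal, and for anything that lands in "review" the next step is the file itself (size, dates, and a scan or hash lookup), not the name.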

  9. #9
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    718
    Originally posted here by chizra
    Sometimes foolish keyloggers tend to show up in the task manager...
    A little bit like some AO members..................

    Get some good religion from Bad Religion.

  10. #10
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Very true

    Why is it everyone seems to squeal "keylogger" these days, when there are much more sophisticated solutions around?

    This is an example:

    http://www.symantec.com/security_res...100113-5137-99

    Assuming that you can eliminate physical access and activities by your systems administrators, this is what you would look for:

    1. Collection of information.
    2. Storage of information.
    3. Transmission of information.

    People who write security compromise software that is worth its salt are well aware of Task Manager and how to avoid it.

    At the very least you should use more sophisticated tools such as Process Explorer 9.02 and Startup CPL 2.8 (or later versions if available).

    brokencrow has just posted this free software:

    http://www.sophos.com/products/free-...i-rootkit.html

    It might prove helpful in detecting anything that has been stealthed?
