Just a thought... If, say, a mate at work says he has got a keylogger on my system and he can see everything I'm typing (and let's just say he's not lying), what is every check and scan I can do to find and remove it?
You can check what processes are running, look for any out of the ordinary names. Or do a full system scan with either an AV or trojan scanner (or both). Or if you have some time, look through all your startup files for anything that you don't recognize.
A good virus scan with up to date definitions is a good start. Then I would suggest a trojan scanner like TauScan or TheCleaner in case there is more than just a simple keylogger on your system. Just as a thought, you might also want to try AdAware to see if it picks up anything suspicious.
Let's say nothing picks up anything... what can you manually do?
Also, would it be possible to make a program that could tell you all the programs in your memory and everything in queue in the kernel? Wouldn't this alert you to any new virus or trojans or keyloggers or suspicious code if your virus scanners can't find anything?
Well as far as seeing what is running, bringing up the Task Manager in Windows via Ctrl Alt Del will give you a rough idea, though some keyloggers and trojans don't show up in the Task Manager even. If all else fails, back up all your important stuff, and reformat and reinstall; just be careful that you don't reinfect your system from your backup media.
Sygate Personal Firewall Pro alerts you if your kernel has changed. Manually you could search your startup registry; I'm not sure about exactly where to search or what to search for, but a nice trojan scanner should detect it.
Hey Hey
if you get SpyBot's Search and Destroy (located here) and in advanced mode go to Tools.. you'll find a process list. It'll give you a complete list of what's running, and where it's located on your hard drive. You can check it out and see if anything suspicious is running.
Actually I heard if you think something sus is going on to check:
regedit,
HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN and look for anything out of the order there... though I wouldn't know what to look for, there's so many sus programs installed I'm too afraid to touch...
PS. Task Manager/processes says:
I'll just say the weird things but...
IAMAPP.exe
NAVAPW32.exe
aptezbp.exe
bgswitch.exe
SYSPROXYSVC.exe
NISUM.exe
alg.exe
spoolsv.exe
rakusb.exe
lsass.exe
winlogon.exe
csrss.exe
smss.exe
hpztsb04.exe
Type the filename into Google and see what it brings up if you are concerned about something, but at least 50% of the files you listed there are general system files and pretty standard stuff..... There's some system processes (smss, csrss, winlogon)... looks like Norton AV (NAVAPW32).. you can check Google for the rest..
Cool, thanks, but where else can I look to see if there is anything abnormal on my system?
Also, what sort of ports should I be looking out for in 'netstat -an'? Also I heard that ICMP doesn't use ports... so how does it work and how do I find if anything was using that?
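One way to work through the `netstat -an` question, as an added example that is not from this thread: the script below parses the XP-style output and reports listeners missing from an expected baseline plus any live outbound connections. The sample output and the baseline set are constructed for illustration; record the real baseline from a known-clean build.

```python
import re

# Constructed sample of `netstat -an` output in the Windows XP layout; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:8080       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Listeners a stock XP SP1 workstation normally has (RPC mapper, NetBIOS session,
# SMB over TCP/UDP). Assumed baseline for this example; take yours from a clean machine.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 445)}

# One socket row: proto, local addr:port, foreign endpoint, optional state (UDP rows have none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_addr, local_port, foreign, state) for each socket row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # headers, blank lines and anything unfamiliar are skipped
            proto, laddr, lport, foreign, state = m.groups()
            rows.append((proto, laddr, int(lport), foreign, state or ""))
    return rows


def triage(text, expected=EXPECTED_LISTENERS):
    """Separate listeners absent from the baseline from live outbound connections."""
    unexpected, established = [], []
    for proto, laddr, lport, foreign, state in parse_netstat(text):
        listening = state == "LISTENING" or (proto == "UDP" and foreign == "*:*")
        if listening and (proto, lport) not in expected:
            unexpected.append((proto, laddr, lport))
        elif state == "ESTABLISHED":
            established.append((f"{laddr}:{lport}", foreign))
    return {"unexpected_listeners": unexpected, "established": established}


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for proto, addr, port in result["unexpected_listeners"]:
        print(f"listener not in baseline: {proto} {addr}:{port}")
    for local, remote in result["established"]:
        print(f"established: {local} -> {remote}")
```

A port that is listening but absent from the baseline is only a lead; the next step is mapping it to a process (e.g. with `netstat -ano` on XP) and checking that binary the way the process list above was checked.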
If this is a work computer, refer the situation to the sys admin. They should have a procedure to follow. Also don't be too quick to rule out hardware keystroke recorders; they are cheap (~$40) and would be easier for him to install on your work computer most likely. Something clipped onto the keyboard cable, since keyboard cables tend to not have ferrite beads on them since the power. (At least mine never do, but I tend to buy the super cheap keyboards heh.)
I think it is important that you start with the sys admin though; if you don't want your friend to get into trouble, just make up something about the computer acting up. I don't assume you have the required permissions on the system to do too much else as far as installing new scanning applications and such, and it is always best to follow proper channels, especially if you accidentally mess something up. :)
best of luck
catch
You could ask a tech to look into it, or check the server to see if the files appear there.
OK, so where would you start looking on a PC? This of course is more frightening because it would mean he has put something on through the net without me knowing...
Check the .ini and .sys files because that's where they are.
And it's good to have another Aussie here!
What do I look for in the *.ini and *.sys, and are you referring to, say, 'win.ini' and 'config.sys'? 'Cos there are a lot of .ini's out there.
PS: are the Eagles playing soon?
I'm actually surprised how many Aussies there are, and how many Americans too.
Stink, as for your list of processes you may find the link here to be handy:
http://www.antionline.com/showthread...ight=processes
This was posted by tonybradley a few days ago.
The main launch point will probably be in the registry, where you have looked. The spyware detection tools already mentioned and a good virus scan should find anything. BTW, what version of Windows are you using? It is usually useful to know.
Waverebel
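As an added example (not code from this thread or from any tool named in it), a small triage pass over the Run key that Waverebel and stink point at: on XP, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` writes the key to a text file, and `triage_run_key` below reads that format. The `.reg` text and the list of user-writable path fragments are constructed assumptions for illustration.

```python
import re
# Constructed text of a `reg export` of the Run key; not taken from any real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
"HP Status"="\"C:\\Program Files\\HP\\hpztsb04.exe\""
"Updater"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\upd.exe -q"
"Sync"="mobsync.exe /logon"
'''

# Assumed fragments of XP paths an ordinary user can write to; an autorun living there
# deserves a closer look than one under Program Files or the Windows directory.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\", "\\locals~1\\")

# A .reg string value: "name"="data", with backslashes and quotes escaped as \\ and \".
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_run_key(reg_text):
    """Return (value_name, command_line) pairs from the Run section of a .reg export."""
    entries, in_run = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            entries.append((unescape(m.group(1)), unescape(m.group(2))))
    return entries

def image_path(command):
    """Pull the executable out of a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]

def triage_run_key(reg_text):
    """Flag autoruns that run from user-writable paths or give no absolute path to check."""
    flagged = []
    for name, command in parse_run_key(reg_text):
        path = image_path(command)
        low = path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            flagged.append((name, path, "runs from a user-writable directory"))
        elif not re.match(r"^[a-z]:\\", low):
            flagged.append((name, path, "no absolute path; resolved by PATH search"))
    return flagged
```

Unflagged entries still need the same check as the process list (look the filename up and confirm where it lives); the script only orders the work.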
It's theoretically possible to construct a software keylogger that is extremely difficult to detect. It wouldn't need to create any processes, and any files it created could be hidden by using system call interception to ensure they didn't show up in directory listings.
Such a keylogger is in principle simply impossible to reliably detect. Therefore I suggest that to make sure, you reformat the machine and reload all software from trusted sources.
Well, a format does sound a little extreme if I'm not even sure if it's true or not; plus wouldn't it be likely that in my backup I would back up the logger unknowingly? Oh, and Waverebel, I've got Windows XP Professional with Service Pack 1.
Also, explain how one of these undetectable loggers works?
If the keylogger used the techniques described here
http://www.antionline.com/showthread...hreadid=240901
(Windows rootkits: a stealthy threat)
Then it could remain hidden from any level of inspection. It would not need to run any processes (or it could hide those that did), and it could hide its files and registry entries.