Removing a Keylogger?

W. eWatson

A friend suspects he has a keylogger on his computer. If so, it seems
important to find out who put it there. I would imagine that if one can
somehow probe it, they would find an IP address that shows them where the
information is going. For some reason, he thinks it's not important. However,
since his PC is pretty fresh, he wants to reformat the hard drive and
re-install the OS (XP). My guess is that would not always remove the
keylogger. Comments?

Is there a way to find the keylogger, and remove it w/o taking the measures
above?

I'm discounting the possibility that there's a h/w keylogger attached.

--
W. eWatson

(121.015 Deg. W, 39.262 Deg. N) GMT-8 hr std. time)
Obz Site: 39° 15' 7" N, 121° 2' 32" W, 2700 feet

Web Page: <www.speckledwithstars.net/>
 
Lanwench [MVP - Exchange]

W. eWatson said:
> A friend suspects he has a keylogger on his computer. If so, it seems
> important to find out who put it there.

Eh - I'd be more worried about removing it.

> I would imagine that if one
> can somehow probe it, they would find an IP address that shows them
> where the information is going. For some reason, he thinks it's not
> important.

He probably wants his computer back!

> However, since his PC is pretty fresh, he wants to
> reformat the hard drive and re-install the OS (XP). My guess is that
> would not always remove the keylogger. Comments?

If he does a total wipe/format/reinstall of the box & reinstalls from known
good media, it will be clean.
 
db ´¯`·.. >

formatting usually clears out such
suspicions involving software, but
formatting does not physically work
on physical hardware spying devices:

but here is more information
for you:

http://en.wikipedia.org/wiki/Keylogger

--------------

if your friend is being spied on,
then you may be as well.
--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
 
Mick Murphy

Get him to download, install, update and scan with these 2 Programs.
You might have to scan it in Safe Mode.
All info below.

And formatting will remove it.

http://www.spybot.info/en/index.html

Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it.
Then SCAN with it.
Update it, and scan your System once a fortnight.

http://www.malwarebytes.org/mbam.php

Malwarebytes is as the name says, a Malware Remover!
For the Free version scroll down their page to either download from
Download.com, or Major Geeks.com

Download, install, and update.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
while in Safe Mode.
 
W. eWatson

Mick said:
> Get him to download, install, update and scan with these 2 Programs.
> You might have to scan it in Safe Mode.
> All info below.
>
> And formatting will remove it.
>
> http://www.spybot.info/en/index.html
>
> Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
> Download, install, update, and immunize your System with it.
> Then SCAN with it.
> Update it, and scan your System once a fortnight.
>
> http://www.malwarebytes.org/mbam.php
>
> Malwarebytes is as the name says, a Malware Remover!
> For the Free version scroll down their page to either download from
> Download.com, or Major Geeks.com
>
> Download, install, and update.
>
> Important re: Safe Mode
> If you happen to find a problem that you can’t uninstall / delete, reboot
> the computer, and go into Safe Mode.
> To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
> key to get to Safe Mode from list of options, then hit ENTER.
> RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
> while in Safe Mode.

I take it there's no way to hide the keylogger in some place where a
reformat will not clobber it? Or that keyloggers are so smart they hide
themselves from the impending doom of a reformat?

--
W. eWatson

 
db ´¯`·.. >

yeah, wiki is a pretty
good resource.

 
sgopus

Once you boot into, say, an install CD, the keylogger is no longer memory
resident and therefore can't hide itself, and after the format any reference to
it has been removed, therefore it can't run. And yes, it can't hide itself.

Keyloggers, if resident in memory, can hide themselves from you seeing them
running, but only if Windows is running; booting to the install CD precludes
the keylogger from loading.
 
W. eWatson

db ´¯`·.. > said:
> yeah, wiki is a pretty
> good resource.

Here's an interesting part from it.
==============
Writing software applications for keylogging is trivial, and like any
computer program can be distributed as a trojan horse or as part of a virus.
What is not trivial however, is installing a keystroke logger without
getting caught and downloading data that has been logged without being
traced. An attacker that manually connects to a host machine to download
logged keystrokes risks being traced. A trojan that sends keylogged data to
a fixed e-mail address or IP address risks exposing the attacker.
=============

Unfortunately, the writer(s) don't say how the culprit can be traced.
--
W. eWatson

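As an added illustration of the "probe it and see where the data is going" idea raised in this thread (this is not code from anyone in the thread), the Python below parses constructed `netstat -ano` output together with a constructed PID-to-image mapping of the kind `tasklist` reports, and flags established connections owned by processes outside an assumed baseline. The sample rows, the baseline set and the look-alike process name are all made up for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -ano` output (XP SP2 and later support -o); not from a real host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1052      192.168.1.1:80         ESTABLISHED     1234
  TCP    192.168.1.10:1061      203.0.113.45:587       ESTABLISHED     1880
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    192.168.1.10:123       *:*                                    1040
"""

# Constructed PID -> image mapping as `tasklist` would report it; the look-alike
# "svchots.exe" is a made-up stand-in for a process that does not belong.
TASKLIST_SAMPLE: Dict[int, str] = {1234: "iexplore.exe", 1880: "svchots.exe",
                                   912: "svchost.exe", 1040: "services.exe"}

# Assumed baseline of images expected to use the network on this particular machine.
KNOWN_NETWORK_IMAGES: Set[str] = {"iexplore.exe", "svchost.exe", "services.exe", "outlook.exe"}

# Columns: proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text: str) -> List[Tuple[str, str, str, str, int]]:
    """Return (proto, local, foreign, state, pid) per data row; header lines are skipped."""
    conns: List[Tuple[str, str, str, str, int]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append((proto, local, foreign, state or "", int(pid)))
    return conns

def suspicious_outbound(conns: List[Tuple[str, str, str, str, int]], pid_to_image: Dict[int, str],
                        known_images: Set[str]) -> List[Tuple[str, int, str]]:
    """(image, pid, remote endpoint) for ESTABLISHED connections owned by a process
    outside the baseline: the endpoint is the 'where is it going' clue, the image
    is what to inspect next (file path, autostart entry) before deciding to wipe."""
    findings: List[Tuple[str, int, str]] = []
    for _proto, _local, foreign, state, pid in conns:
        if state != "ESTABLISHED":
            continue
        image = pid_to_image.get(pid, "<unknown pid>")
        if image.lower() not in known_images:
            findings.append((image, pid, foreign))
    return findings
```

A keylogger with rootkit components can hide its process and its sockets from tools run on the live system, so an empty result here proves nothing; that limitation is exactly why the advice in this thread to reinstall from known-good media stands.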
 
W. eWatson

Interesting.

sgopus said:
> Once you boot into, say, an install CD, the keylogger is no longer memory
> resident and therefore can't hide itself, and after the format any reference to
> it has been removed, therefore it can't run. And yes, it can't hide itself.
>
> Keyloggers, if resident in memory, can hide themselves from you seeing them
> running, but only if Windows is running; booting to the install CD precludes
> the keylogger from loading.

--
W. eWatson

 
