Posted 26 June 2009 - 07:12 PM
I am a system admin by day and a home computer tech/best friend by night.
One home computer tech call I got was that a practical joke was played on one of my friends.
One night a whole bunch of people were over at my friend's house for dinner/a party.
There were pictures and slideshows running on the home computer... well, someone thought it would be utterly hilarious to install a keylogger on the computer to see the inner details of my friend's life.
A few days later the person that installed the keylogger came by with some private details that were only meant to be seen by the recipient's/family's eyes,
and that shocked my friend and hurt her too, so now her computer is absolutely useless for any private messaging or credit transactions.
Short of a re-install of Vista, UGH!!!! what can be done to disable or nuke a keylogger?
The keylogger is probably designed to be totally transparent to the user, so it will be hard to find...
And the prankster said that the keystrokes were emailed to him by the program, if that helps any in identifying the brand name of the keylogger.
And it is probably a legitimate program, so spyware scanners probably won't pick it up.
Do you think running Wireshark/a packet sniffer would reveal details about the keylogger?
Would I be able to block ports/block the logger with Vista's firewall if it isn't using port 80 or 443?
I might get lucky and be able to delete it out of Program Files... but I think the keylogger is deep in the system32/system folder :P
Anyways, this is just a musing on how to solve this problem without having to kidnap the prankster and chain him to the desk until it gets removed.
Posted 26 June 2009 - 07:59 PM
You could also threaten the prankster with calling the cops... there are laws on the books in some jurisdictions which could be used to deal with such crap. Personally, I would have ZERO issue with calling the cops on some jerk like that.
Posted 26 June 2009 - 08:21 PM
If someone has physical access to a particular PC, then you cannot be sure whether this is a case of a keylogger installed or something else. I mean, it could be a simple batch file hidden as a shortcut to a commonly used program doing the same things as a keylogger. Given the person had limited time of access on the infected PC, it is more likely a 3rd party keylogger was installed.
Well, the anti-virus and anti-spyware software have entries for many keyloggers in their databases, but they are considered PUPs (Potentially Unwanted Programs), so an AV with default settings may miss it, or it may detect it and the warning would be ignored by the user as it will be shown as a low level threat/warning. Try running various scans; online scans will help here.
You may try to find the keylogger manually. First thing is to check out the Task Manager process list and find any suspicious processes. Many keyloggers have settings options that make them invisible in Windows Task Manager. So, next use Process Monitor. If this fails, the next step will be File Monitor, which will definitely catch the keylogger with detailed examination. Search for both these programs on the msft technet website.
> would I be able to block ports/block the logger with Vista's firewall if it isn't using port 80 or 443?
Locking your firewall will help with blocking transmission of details to the Internet but will not prevent any logging. Set the firewall to ask for each connection and this may also help in identification, but not in the case in which the keylogger has a process name that is a legitimate Windows process name.
Prevention is the best cure against loggers. The use of non-admin accounts for such occasions and for giving other people access, and security measures like UAC, would have surely ensured the installation of such programs failed. But you know, these aren't used by most.
btw - use of virtual keyboards can also bypass some keyloggers but not all. Hope this info helps and you will be able to isolate that PUP.
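The first post asks whether a sniffer would expose the keylogger and whether Vista's firewall could block it; the reply above suggests hunting the process manually and notes that a logger hiding under a legitimate process name defeats a name-only check. The script below is an added example written for this thread, not code from either poster or from any keylogger product. It works from the host side rather than from a packet capture: it correlates `netstat -ano` (connection to owning PID) with `wmic process get ExecutablePath,ProcessId /format:csv` (PID to on-disk path), flags any process talking to a mail port, and treats a "svchost.exe" living outside System32 or Program Files as suspicious regardless of its name. The netstat and wmic outputs embedded here are constructed samples (documentation IP ranges, a made-up user profile path); the wmic CSV column names and the `netsh advfirewall` syntax are the only external assumptions, and the `--live` switch, which re-runs the same logic on real command output, is my own addition.

```python
"""Host-side hunt for a keylogger that e-mails its logs (added example).

Correlates `netstat -ano` with `wmic process` output to find which executable
is talking to SMTP ports, then builds the netsh rule that cuts it off.
"""
import csv
import subprocess
import sys

# Ports a "mail the keystrokes to me" logger has to use: SMTP, SMTPS, submission.
MAIL_PORTS = {25, 465, 587}

# Where a legitimate Windows/application binary normally lives.  A process named
# like a system binary but loaded from a user profile or temp dir is the classic
# "legitimate process name" trick the reply above warns about.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Constructed sample of `netstat -ano` output (not captured from a real machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:49211     192.168.1.1:443        ESTABLISHED     2456
  TCP    192.168.1.20:49230     203.0.113.10:587       ESTABLISHED     3120
  TCP    192.168.1.20:49244     198.51.100.5:25        TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1092
"""

# Constructed sample of `wmic process get ExecutablePath,ProcessId /format:csv`
# (assumed column layout: Node,ExecutablePath,ProcessId; paths are made up).
SAMPLE_WMIC = """
Node,ExecutablePath,ProcessId
HOMEPC,C:\\Windows\\System32\\svchost.exe,880
HOMEPC,C:\\Program Files\\Mozilla Firefox\\firefox.exe,2456
HOMEPC,C:\\Users\\amy\\AppData\\Roaming\\svchost.exe,3120
HOMEPC,,4
"""


def parse_netstat(text):
    """Return (remote_host, remote_port, state, pid) for every TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # TCP rows have exactly: Proto Local Foreign State PID
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, _, foreign, state, pid = parts
        host, _, port = foreign.rpartition(":")   # rpartition copes with [::1]:443
        rows.append((host, int(port), state, int(pid)))
    return rows


def parse_wmic_csv(text):
    """Map PID -> executable path from wmic's CSV output (blank lines dropped)."""
    reader = csv.DictReader(line for line in text.splitlines() if line.strip())
    table = {}
    for row in reader:
        pid = (row.get("ProcessId") or "").strip()
        if pid.isdigit():
            table[int(pid)] = (row.get("ExecutablePath") or "").strip()
    return table


def find_mail_talkers(netstat_text, wmic_text):
    """Every process with a TCP connection to a mail port, plus a suspicion flag."""
    paths = parse_wmic_csv(wmic_text)
    findings = []
    for host, port, state, pid in parse_netstat(netstat_text):
        # PID 0 means the socket is already closing (TIME_WAIT): no owner to blame.
        if port not in MAIL_PORTS or pid == 0:
            continue
        path = paths.get(pid, "")
        trusted = path.lower().startswith(TRUSTED_DIRS)
        findings.append({"pid": pid, "path": path, "remote": f"{host}:{port}",
                         "state": state, "suspicious": not trusted})
    return findings


def block_rule_command(path, name="Block keylogger exfil"):
    """netsh argv that blocks all outbound traffic from one executable (Vista+).

    Blocking per-program rather than per-port covers the case the first post
    raises: the logger does not have to use 80/443 or any port we guessed.
    """
    return ["netsh", "advfirewall", "firewall", "add", "rule", f"name={name}",
            "dir=out", "action=block", f"program={path}", "enable=yes"]


def main(argv):
    if "--live" in argv and sys.platform.startswith("win"):
        netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        wmic = subprocess.run(["wmic", "process", "get", "ExecutablePath,ProcessId",
                               "/format:csv"], capture_output=True, text=True).stdout
    else:
        netstat, wmic = SAMPLE_NETSTAT, SAMPLE_WMIC
    for f in find_mail_talkers(netstat, wmic):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{tag}] pid={f['pid']} {f['path'] or '<no path>'} -> {f['remote']} ({f['state']})")
        if f["suspicious"]:
            print("  block with:", " ".join(block_rule_command(f["path"])))


if __name__ == "__main__":
    main(sys.argv[1:])
```

On the constructed sample this reports a single hit: PID 3120, a second "svchost.exe" running from `C:\Users\amy\AppData\Roaming`, connected to port 587. The real svchost.exe on PID 880 and the browser on 443 are ignored, and the TIME_WAIT socket to port 25 is skipped because Windows has already detached it from its owner. A logger that only mails its logs every few hours will not be on the wire when you look, so run it a few times, or leave Process Monitor recording network events for a day; the netsh rule it prints is a stopgap that stops exfiltration, not the logging itself, as the reply above says.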
Posted 26 June 2009 - 10:25 PM
Assuming it is a SOFTWARE Keylogger program and NOT a HARDWARE Keylogger,
I would ask the experienced, certified, Volunteer "Microsoft Most Valuable Professional(s)"
that staff the Support Forums at aumha.net . They have access to and have
experience using little known, highly sophisticated programs to uncover and deal with such