detecting a keylogger

detecting a keylogger

on 17.04.2006 14:54:54 by Nicols

what is the best way to determine if a keylogger is installed in your
PC ?

Re: detecting a keylogger

on 17.04.2006 15:10:16 by Sebastian Gottschalk

Nicols wrote:
> what is the best way to determine if a keylogger is installed in your
> PC ?

boot from a Linux Live CD
determination: no keylogger

Re: detecting a keylogger

on 17.04.2006 15:16:56 by Volker Birk

Nicols wrote:
> what is the best way to determine if a keylogger is installed in your
> PC ?

To do a complete forensics of the hard disk.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: detecting a keylogger

on 18.04.2006 14:43:12 by the_jos

>> what is the best way to determine if a keylogger is installed in your
>> PC ?
>To do a complete forensics of the hard disk.

A keylogger 'in' the pc could also mean a hardware device.
Not sure a check on the hard disk will find this.

Jos

Re: detecting a keylogger

on 18.04.2006 21:56:20 by Systemguy

Greetings,

A hardware keylogger, such as one built into a keyboard or in-line with the
keyboard cable will be undetectable unless you physically look for it.

A software keylogger will likely be found if you run a sequence of rootkit
revealer from Sysinternals, Microsoft Windows Defender (beta) tool, and
install a current anti-virus software product with an up-to-date virus
definition file. This should find pretty much all of the nasty stuff out
there. Of course nothing is guaranteed, as the bad guys are constantly
coming up with new and exciting ways to spy on you.

Oh yeah - if you have time to waste you could also take Sebastian's
suggestion and boot off a live linux CD. Wouldn't really accomplish
anything useful though.

Cheers,

Systemguy

"the_jos" wrote in message
news:1145364192.874775.129800@i39g2000cwa.googlegroups.com...
>>> what is the best way to determine if a keylogger is installed in your
>>> PC ?
>>To do a complete forensics of the hard disk.
>
> A keylogger 'in' the pc could also mean a hardware device.
> Not sure a check on the hard disk will find this.
>
> Jos
>

Re: detecting a keylogger

on 18.04.2006 22:35:18 by Sebastian Gottschalk

Systemguy wrote:

> A software keylogger will likely be found if you run a sequence of rootkit
> revealer from Sysinternals, Microsoft Windows Defender (beta) tool, and
> install a current anti-virus software product with an up-to-date virus
> definition file.

ROFL. Nothing of this would help against a modified system executable, a
normally loaded driver or the like - which is typical for a software keylogger.

Besides that, both RKRevealer and Windows Defender (beta!) are crap.
RKRevealer simply installs a service and then crashes when trying the
ListDir() call and stumbling upon a symlink to a non-inserted removable
medium (without any "Ignore" or "Cancel" possibility). Windows Defender
doesn't even install (the MSI is tagged to require admin rights) and
even when cobbled in manually (including allowing certain otherwise
restricted access) it crashes for plain programmed stupidity.

> This should find pretty much all of the nasty stuff out
> there.

Only known and/or dumb nasty stuff.

> Oh yeah - if you have time to waste you could also take Sebastian's
> suggestion and boot off a live linux CD. Wouldn't really accomplish
> anything useful though.

It eliminates any threat of system-compromising software (well, if it
was created on a trusted system)? Wouldn't do anything else for online
banking.

Re: detecting a keylogger

on 19.04.2006 08:05:17 by Volker Birk

the_jos wrote:
> >> what is the best way to determine if a keylogger is installed in your
> >> PC ?
> >To do a complete forensics of the hard disk.
> A keylogger 'in' the pc could also mean a hardware device.

Yes.

> Not sure a check on the hard disk will find this.

It will not. I didn't mean hardware keyloggers.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: detecting a keylogger

on 19.04.2006 08:06:22 by Volker Birk

Systemguy wrote:
> A software keylogger will likely be found if you run a sequence of rootkit
> revealer from Sysinternals, Microsoft Windows Defender (beta) tool, and
> install a current anti-virus software product with an up-to-date virus
> definition file.

I doubt that. It's so easy to hack a key logger that it is difficult to
detect.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: detecting a keylogger

on 19.04.2006 17:09:30 by Systemguy

"Sebastian Gottschalk" wrote in message
news:4al0u1Ftp7ajU1@news.dfncis.de...
> Systemguy wrote:
>
>> A software keylogger will likely be found if you run a sequence of
>> rootkit
>> revealer from Sysinternals, Microsoft Windows Defender (beta) tool, and
>> install a current anti-virus software product with an up-to-date virus
>> definition file.
>
> ROFL. Nothing of this would help against a modified system executable, a
> normally loaded driver or the like - which is typical for a software
> keylogger.
>
> Besides that, both RKRevealer and Windows Defender (beta!) are crap.
> RKRevealer simply installs a service and then crashes when trying the
> ListDir() call and stumbling upon a symlink to a non-inserted removable
> medium (without any "Ignore" or "Cancel" possibility). Windows Defender
> doesn't even install (the MSI is tagged to require admin rights) and

Wouldn't you expect to require admin rights when using a utility like this?

> even when cobbled in manually (including allowing certain otherwise
> restricted access) it crashes for plain programmed stupidity.

Didn't write 'em and certainly didn't claim they were perfect.

>
>> This should find pretty much all of the nasty stuff out
>> there.
>
> Only known and/or dumb nasty stuff.

And that is the majority of the nasty stuff out there. Of course, if you
are being targeted by a foreign Government then all bets are off.

I did put in the "nothing is guaranteed" disclaimer, remember? ;o)

>
>> Oh yeah - if you have time to waste you could also take Sebastian's
>> suggestion and boot off a live linux CD. Wouldn't really accomplish
>> anything useful though.
>
> It eliminates any threat of system-compromising software (well, if it
> was created on a trusted system)? Wouldn't do anything else for online
> banking.

Granted - If you were looking to do this. However, please take a look at
the original question Nicols posted. Your suggestion does not answer it.

Re: detecting a keylogger

on 19.04.2006 18:11:20 by Sebastian Gottschalk

Systemguy wrote:
> Windows Defender
>> doesn't even install (the MSI is tagged to require admin rights) and
>
> Wouldn't you expect to require admin rights when using a utility like this?

Not for Windows Defender. I just want to scan my user's account and data
for stuff, nothing more. Spybot and AdAware can do it as well!

>> Only known and/or dumb nasty stuff.
>
> And that is the majority of the nasty stuff out there.

And this is the nasty stuff you don't need to fear.

> Granted - If you were looking to do this. However, please take a look at
> the original question Nicols posted. Your suggestion does not answer it.

It does. Modify the conditions reasonably and you can make sure that
there's no software-based keylogger. Which is probably his goal.

Re: detecting a keylogger

on 19.04.2006 20:07:00 by Systemguy

"Sebastian Gottschalk" wrote in message
news:4an5qhFtjbueU1@news.dfncis.de...
> Systemguy wrote:
>> Windows Defender
>>> doesn't even install (the MSI is tagged to require admin rights) and
>>
>> Wouldn't you expect to require admin rights when using a utility like
>> this?
>
> Not for Windows Defender. I just want to scan my user's account and data
> for stuff, nothing more. Spybot and AdAware can do it as well!

So you wouldn't want to scan the rest of the system for, oh, I don't know, a
keylogger?

>>> Only known and/or dumb nasty stuff.
>>
>> And that is the majority of the nasty stuff out there.
>
> And this is the nasty stuff you don't need to fear.

ROTFLMAO! That's a good one. Let's just put blindfolds on, earplugs in and
pretend they don't exist too!

>> Granted - If you were looking to do this. However, please take a look at
>> the original question Nicols posted. Your suggestion does not answer it.
>
> It does. Modify the conditions reasonably and you can make sure that
> there's no software-based keylogger. Which is probably his goal.

Re: detecting a keylogger

on 19.04.2006 21:13:37 by Sebastian Gottschalk

Systemguy wrote:

>>>> Windows Defender
>>>> doesn't even install (the MSI is tagged to require admin rights) and
>>> Wouldn't you expect to require admin rights when using a utility like
>>> this?
>> Not for Windows Defender. I just want to scan my user's account and data
>> for stuff, nothing more. Spybot and AdAware can do it as well!
>
> So you wouldn't want to scan the rest of the system for, oh, I don't know, a
> keylogger?

The rest of the system is read-only for the user. Well, once a month one
can do a simple rootkit scan and reverify all checksums...
And Windows Defender still is just an ad/spyware scanner, even though
they changed the name.

>>>> Only known and/or dumb nasty stuff.
>>> And that is the majority of the nasty stuff out there.
>> And this is the nasty stuff you don't need to fear.
>
> ROTFLMAO! That's a good one. Let's just put blindfolds on, earplugs in and
> pretend they don't exist too!

The dumb nasty stuff is easily recognized, both by the user and by
anti-malware companies (creating corresponding signatures), so it's no big
deal. Yet-unclassified malware is the real threat.
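The "reverify all checksums" step Sebastian mentions, as an added example that is not from anyone in the thread: a minimal file-integrity baseline in Python, where the directory, file names and contents are constructed for the demo. As the_jos and Systemguy point out, this only catches software that changes files on disk, and, as Sebastian notes, the baseline is only worth anything if it was taken on a trusted system and kept where the machine under test cannot rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX-style relative paths."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what changed since the baseline was taken.

    'modified' = same path, different hash (a patched executable or driver);
    'added'    = file not in the baseline (a dropped-in driver, for instance);
    'missing'  = baselined file that is gone.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "lib.dll").write_bytes(b"original library code")
        (root / "system" / "kbd.sys").write_bytes(b"original keyboard driver")
        baseline_json = json.dumps(build_baseline(root))  # keep this read-only, off the box

        # Simulated tampering (constructed): one binary patched, one driver added, one removed.
        (root / "system" / "lib.dll").write_bytes(b"original library code + hook")
        (root / "system" / "extra.sys").write_bytes(b"unexpected driver")
        (root / "system" / "kbd.sys").unlink()
        return verify(root, json.loads(baseline_json))
```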

Re: detecting a keylogger

on 20.04.2006 09:15:43 by black hat

If it's a software key logger a program like spycop should get it, have
a look at their site:

www.spycop.com

Regards.

Re: detecting a keylogger

on 26.04.2006 21:54:33 by Joshua Reed

Wow, that was an undetailed reply. You expect someone asking that
question to know what to do with this answer?

Re: detecting a keylogger

on 26.04.2006 22:01:00 by Sebastian Gottschalk

Joshua Reed wrote:
> Wow, that was an undetailed reply. You expect someone asking that
> question to know what to do with this answer?

Yes: thinking about the problem once more