

Friend is being hacked, keylogs, breaks passwords, copies IM's and they have no ip to trace

Posted on 2003-10-22
Medium Priority
Last Modified: 2013-11-16
Hi. A friend is having real trouble with a hacker. They have stolen passwords, monitoring IM's etc. We believe it is a keylogging program. We were told there is no way to get rid of it because it is a spyder in the system. They also use AIM, and it seems when the hacker "takes over" the account, it knocks them offline.  Any suggestions to remove this, and to catch the person doing it? Thanks in advance.
Question by:Serendipity14
LVL 49

Expert Comment

ID: 9601602
Ask him to install and run this software:


SpyBot-S&D is an adware and spyware detection and removal tool. This includes removal of certain advertising components, that may gather statistics as well as detection of various keylogging and other spy utilities. In addition, it also securely removes PC and Internet usage tracks, including browser history, temporary pages, cookies (with option to keep selected) and more. The program offers an attractive outlook-style interface that is easy to use and multi-lingual. SpyBot-S&D allows you to exclude selected cookies, programs or extensions from being reported, allowing you to prevent false positive messages for items that you don't want to be alerted of every time. It can even scan your download directory for files that have been downloaded, but not yet installed, allowing you to detect unwanted programs before you even install them. SpyBot produces a detailed and easy to understand report before it deletes any files and allows you to deselect any item that you do not want to be processed. In addition, a recovery feature allows you to restore your settings if needed. Very nice tool, that exceeds the capabilities of the popular Ad-Aware application.


AdAware is a privacy tool, that scans your memory, registry, hard, removable and optical drives for known data-mining, aggressive advertising, and tracking components. It then lists the results and offers to remove or quarantine the components. The program detects a wide range of adware/spyware related issues and can be updated with the latest signatures via the built-in update utility. Please be advised that removing certain components may impact the functionality of affected software applications. You should fully read the included Ad-aware documentation before removing any files!


HijackThis is a tool that lists all installed browser add-ons, buttons, startup items and allows you to inspect them, and optionally remove selected items. The program can create a backup of your original settings and also ignore selected items. Additional features include a simple list of all startup items, default start page, online updates and more. Intended for advanced users.

Keylogger Hunter

Keylogger Hunter is a program that attempts to detect any keyloggers that may be running on your computer. It performs a system analysis, which takes about 3-5 minutes and then produces a list of suspicious files (if any). It detected 2 out of 3 running keyloggers in our test. Future versions are planned to be shareware. 


KL-Detector is designed to provide a way to find out whether your activity is being recorded with a keylogger application. It uses the fact that most keyloggers create a hidden log file on your hard drive and therefore scans for any suspicious activity during a test period that you have to initiate. Basically, it asks you to use the keyboard for several minutes, type some text or do similar activities, while it is monitoring your system to check if it can detect any suspicious logging activity. KL-Detector is intended for occasional use and not as a permanently running program, as normal PC activity may cause false positives. During our test, it did detect changes in a keylogger log file (that we installed), but it did not find the activity suspicious enough to warn us. Advanced users may get value by inspecting the logged items, however novice users should not rely on the results. 

X-Cleaner Free

XCleaner is a privacy tool suite that detects and removes installed spyware and adware components and includes tools to securely delete files, edit the registry, disable startup programs and more. Additional features include IE home page protection, cookie, cache and history cleaning, built-in password generator and more. This free version also contains some additional feature options, however they are disabled and require upgrade to a full version. The spyware and adware scanning as well as many cleaning features however can be used freely. 


SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage. This allows you to run Internet Explorer with Active-X enabled, but it will never download or even prompt you for any of the known ActiveX controls. All other Active-X controls or plug-ins will work fine. The SpywareBlaster database contains information on these known spyware Active-X controls and can be updated with the click of a button. The application window displays a list of all controls that it is able to detect (this is not a list of what was found on your computer). The program cannot detect if you have any of the known objects already installed, but if you do, they will be disabled. The program also allows you to take a snapshot of your computer (certain settings) in its clean state and later revert many changes made by spyware and browser hijackers.


SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected. If this is the case, it initially blocks access to the file and then allows the user to select an action. SpywareGuard provides a fast scanning engine, signature-based scanning, heuristic/generic scanning, a control panel, and an online-update utility for downloading of definition updates. It does not replace your anti-virus protection, but instead detects programs that may cause privacy concerns. The list of detected programs includes AdBreak, AdultLinks/LinkZZ, Brilliant Digital, CommonName, Cytron, FreeScratchAndWin, FriendGreetings, HighTraffic, HotBar, IEDisco, iGetNet, MoneyTree Dialer and others.


SpySites allows you to manage the Internet Explorer Restricted Zone settings and easily add entries from a database of 1500+ sites that are known to use advertising tracking methods or attempt to install third party software. You can select the sites from the list, or optionally add all of them, or only the "worst offenders". The program then adds the URLs to the IE Restricted Zone settings. Once configured, there is no need to run the program again, unless you want to add additional sites. 
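The file-change approach described for KL-Detector above, as an added example that is not part of the original thread and not KL-Detector's own code: snapshot a directory tree, type for a while, snapshot again, and list the files that were created or grew in between. The function names and the file names in the demo are assumptions made for illustration.

```python
import os
import tempfile

def snapshot(root):
    """Map every readable file under root to its (size, mtime_ns)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is locked; skip it
            state[path] = (st.st_size, st.st_mtime_ns)
    return state

def changed_during_test(before, after):
    """Files created or modified between two snapshots, with bytes grown."""
    findings = []
    for path, (size, mtime) in after.items():
        old = before.get(path)
        if old is None:
            findings.append((path, "created", size))
        elif old != (size, mtime):
            findings.append((path, "modified", size - old[0]))
    return sorted(findings)

def demo():
    """Constructed scenario: one file grows during the typing window."""
    with tempfile.TemporaryDirectory() as root:
        quiet = os.path.join(root, "notes.txt")    # constructed, untouched
        growing = os.path.join(root, "hidden.dat")  # constructed, appended to
        for p in (quiet, growing):
            with open(p, "w") as f:
                f.write("x")
        before = snapshot(root)
        # Stand-in for the "use the keyboard for several minutes" period.
        with open(growing, "a") as f:
            f.write("typed text")
        after = snapshot(root)
        return [(os.path.basename(p), kind, delta)
                for p, kind, delta in changed_during_test(before, after)]

if __name__ == "__main__":
    print(demo())
```

As the description notes, ordinary system activity also changes files during the test window, so every hit needs manual review before it is treated as a keylogger log.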

LVL 49

Accepted Solution

sunray_2003 earned 200 total points
ID: 9601614
Also have him install a firewall for better protection, like ZoneAlarm

Ask him not to store passwords in his computer  ( disable remember password )

Ask him to download this software to check for trojan ( trojan remover)

Update the virus definitions and scan for viruses


Author Comment

ID: 9601733
He did all that and it comes up with nothing. This hacker comes onto IM and threatens him and says he is watching. It appears to be in the system and untraceable.


Expert Comment

ID: 9602007
Here's an idea...

reformat the entire box and reinstall the OS. Use different usernames/passes for ALL internet related activity: email, IM, etc. That's the only way you'll be 100% that everything is removed.

LVL 49

Expert Comment

ID: 9602311
>>  This hacker comes onto IM and threatens him and says he is watching. It appears to be in the system and untraceable.

Test him. I do not agree with what he is saying. Maybe he is fooling your friend. Ignore and delete his contact in IM.


Expert Comment

ID: 9603703

Sunray does it again! Yeah sounds to me like the guy threatening is just a moron - when I was moderating a chat server a few years back we'd see these kinds of threats all the time. Usually came to nothing. Often turns out the instigator has a chip on their shoulder because they failed computing 101 in junior school.

The best thing I can recommend is if your friend is using XP, start with going into advanced TCP/IP options and switching on the built-in firewall, otherwise use zonealarm or something like that as Sunray suggested. I can't speak for zonealarm but some have built in IDS functionality which can give you the source address and type of attack.

Also get him to run netstat -a at the command prompt to see what open connections there are to the machine - look for something strange. Look for direct connections to broadband service providers - a typical one would be something like (netvigator being a local ISP here) or something like that.

Your friend should only have direct outbound connections unless he is using something like Kazaa etc.

I can't suggest that you post the full output of netstat -a to this forum as someone may use it malignantly, however you can post it if you replace all mention of your friend's machine name and IP with x's and y's etc...

If you find a suspect IP or a few suspect IPs check back with us here and we can tell you how to find out where they are and what you can do about it. This kind of behaviour is nothing more than online bullying and it annoys me intensely. Let's get 'em.
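The netstat check and the redaction step suggested in the comment above, as an added example that is not part of the original thread: it parses saved `netstat -a` output, flags established connections that arrived on a port the machine is listening on (inbound rather than outbound), and replaces the machine's own name with x's before the output is shared. The sample output, the host name FRIENDPC, the addresses and the function names are all constructed for illustration.

```python
import re

# Constructed sample in the layout Windows prints for `netstat -a`;
# FRIENDPC, the 203.0.113.x address and the ports are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    FRIENDPC:135           FRIENDPC:0             LISTENING
  TCP    FRIENDPC:5000          FRIENDPC:0             LISTENING
  TCP    FRIENDPC:1045          login.example.net:5190 ESTABLISHED
  TCP    FRIENDPC:5000          203.0.113.77:3391      ESTABLISHED
  UDP    FRIENDPC:1900          *:*
"""

def parse(text):
    """Yield (proto, local_host, local_port, remote, state) per connection row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        host, _, port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        yield parts[0], host, port, parts[2], state

def inbound_established(text):
    """ESTABLISHED rows whose local port is also LISTENING: a remote host
    connected in to this machine rather than the machine connecting out."""
    rows = list(parse(text))
    listening = {(p, port) for p, _, port, _, st in rows if st == "LISTENING"}
    return [(port, remote) for p, _, port, remote, st in rows
            if st == "ESTABLISHED" and (p, port) in listening]

def redact(text, own_names):
    """Replace the machine's own name or IP with x's before posting the output."""
    for name in own_names:
        text = re.sub(re.escape(name), "x" * len(name), text, flags=re.IGNORECASE)
    return text

if __name__ == "__main__":
    print(inbound_established(SAMPLE))
    print(redact(SAMPLE, ["FRIENDPC"]))
```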


Author Comment

ID: 9604654
Thanks for all your comments. I will pass this all on.  Thanks for taking the time. I will keep you updated.

Expert Comment

ID: 9607303
My answer would be quite simple, use these software:

- ZoneAlarm Pro (firewall)
- BlackICE (firewall)
- SpySweeper (real-time protection)
- Ad-Aware Pro (real-time protection)
- Norton Antivirus (real-time protection)

BlackICE and ZoneAlarm can co-exist no problems, and the other programs can keep monitoring the system,
keep in mind that their virus / protection definitions must be up to date in order to keep the system safe.

Scan the system with the scanners, then make sure important files aren't infected, back 'em up, and do a fresh
install, I would recommend using some disk wiping software, these will make sure no bad data is left on the
HDD, do a 7 write / delete cycle ( or more, but could take more time ), that option is available in the disk wiping / cleaning software.


Expert Comment

ID: 9607332
Another comment, install BlackICE, ZoneAlarm, NeoTrace (tracing program) / HackTracer.

1) Install BlackICE, ZoneAlarm
2) connect to the internet, and use ZoneAlarm to shutdown all internet activities
3) go to blackIce, clear the evidence log and other logs
4) via ZoneAlarm, re-enable the internet
5) watch BlackICE's main window for types of suspicious attacks.
6) note down the IP address / details
7) launch NeoTrace / hacktracer / tracert, punch in the IP address, trace the hacker using the software.

Maybe that would help?

Expert Comment

ID: 9620654
I downloaded Keylogger Hunter and when I went to do the scan, there's a flashlight scanning, then a window comes up and says:
"Parimeter is incorrect"

what happened and what do I do?


Expert Comment

ID: 9623447
The security set up I use is
1)ZoneAlarm firewall (the regular version is even free)
2) Pest patrol (detects over 15,000 "pests" such as keyloggers, adware, malware, hackers and other spies)
3)Norton anti virus
4)Zone log analyser (reads the firewall logs and can report access attempt for you)

After you have everything set up test your firewall online and make sure it is working correctly.

Expert Comment

ID: 9631360
all of these suggestions are great and some cost a lot of coin too...

this is what I use and it's essentially free

-ZoneAlarm (free version)
-Avast Anti-Virus (free, but has a nag every few months to re-register)
-Spybot S&D
I use them both because one will always find things that the other didn't

but I also think these guys are sounds like this guy is just harassing your friend. Best thing to do is try to ignore him...he'll eventually find someone else to annoy.

Expert Comment

ID: 9633890
You may also want to try a product called SpyCop:

It's an anti-keylogger and anti-spy product!

I've been using it for a while. It's worth a try!

Expert Comment

ID: 9757680
I cannot open my ADD/REMOVE says cannot open Rundll32.exe is missing.

where can i redownload this from??????

*running windows 95*

Thank you
