Friend is being hacked, keylogs, breaks passwords, copies IM's and they have no ip to trace

Hi. A friend is having real trouble with a hacker. They have stolen passwords, monitoring IM's etc. We believe it is a keylogging program. We were told there is no way to get rid of it because it is a spyder in the system. They also use AIM, and it seems when the hacker "takes over" the account, it knocks them offline.  Any suggestions to remove this, and to catch the person doing it? Thanks in advance.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ask him to install and run these softwares


SpyBot-S&D is an adware and spyware detection and removal tool. This includes removal of certain advertising components, that may gather statistics as well as detection of various keylogging and other spy utilities. In addition, it also securely removes PC and Internet usage tracks, including browser history, temporary pages, cookies (with option to keep selected) and more. The program offers an attractive outlook-style interface that is easy to use and multi-lingual. SpyBot-S&D allows you to exclude selected cookies, programs or extensions from being reported, allowing you to prevent false positive messages for items that you dont want to be alerted of every time. It can even scan your download directory for files that have been downloaded, but not yet installed, allowing you to detect unwanted programs before you even install them. SpyBot produces a detailed and easy to understand report before it deletes any files and allows you to deselect any item that you do not want to be processed. In addition, a recovery feature allows you to restore your settings if needed. Very nice tool, that exceeds the capabilities of the popular Ad-Aware application. 


AdAware is a privacy tool, that scans your memory, registry, hard, removable and optical drives for known data-mining, aggressive advertising, and tracking components. It then lists the results and offers to remove or quarantine the components. The program detects a wide range of adware/spyware related issues and can be updated with the latest signatures via the built-in update utility. Please be advised that removing certain components may impact the functionality of effected software applications. You should fully read the included Ad-aware documentation before removing any files! 


HijackThis is a tool, that lists all installed browser add-on, buttons, starup items and allows you to inspect them, and optionally remove selected items. The program can create a backup of your original settings and also ignore selected items. Additional features include a simple list of all startup items, default start page, online updates and more. Intended for advanced users. 

Keylogger Hunter

Keylogger Hunter is a program that attempts to detect any keyloggers that may be running on your computer. It performs a system analysis, which takes about 3-5 minutes and then produces a list of suspicious files (if any). It detected 2 out of 3 running keyloggers in our test. Future versions are planned to be shareware. 


KL-Detector is designed to provide a way to find out whether your activity is being recorded with a keylogger application. It uses the fact that most keyloggers create a hidden log file on your hard drive and therefore scans for any suspicious activity during a test period that you have to initiate. Basically, it asks you to use the keyboard for several minutes, type some text or do similar activities, while it is monitoring your system to check if it can detect any suspicious logging activity. KL-Detector is intended for occasional use and not as a permanently running program, as normal PC activity may cause false positives. During our test, it did detect changes in a keylogger log file (that we installed), but it did not find the activity suspicious enough to warn us. Advanced users may get value by inspecting the logged items, however novice users should not rely on the results. 

X-Cleaner Free

XCleaner is a privacy tool suite that detects and removes installed spyware and adware components and includes tools to securely delete files, edit the registry, disable startup programs and more. Additional features include IE home page protection, cookie, cache and history cleaning, built-in password generator and more. This free version also contains some additional feature options, however they are disabled and require upgrade to a full version. The spyware and adware scanning as well as many cleaning features however can be used freely. 


SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage. This allows you to run Internet Explorer with Active-X enabled, but it will never download or even prompt you for any of the known ActiveX controls. All other Active-X controls or plug-ins will work fine. The SpywareBlaster database contains information on these known spyware Active-X controls and can be updated with the click of a button. The application windows displays a list of all controls that it is able to detect (this is not a list of what was found on your computer). The program cannot detect if you have any of the known objects already installed, but if you do, they will be disabled. The program also allows you to take a snapshot of your computer (certain settings) in its clean state and later revert many changes made by spyware and browser hijackers. 


SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected. If this is the case, it initially blocks access to the file and then allows the user to select an action. SpywareGuard provides a fast scanning engine, signature-based scanning, heuristic/generic scanning, a control panel, and an online-update utility for downloading of definition updates. It does not replace your anti-virus protection, but instead detects programs that may cause privacy concerns. The list of detected programs includes AdBreak, AdultLinks/LinkZZ, Brilliant Digital, CommonName, Cytron, FreeScratchAndWin, FriendGreetings, HighTraffic, HotBar, IEDisco, iGetNet,, MoneyTree Dialer and others. 


SpySites allows you to manage the Internet Explorer Restricted Zone settings and easily add entries from a database of 1500+ sites that are known to use advertising tracking methods or attempt to install third party software. You can select the sites from the list, or optionally add all of them, or only the "worst offenders". The program then adds the URLs to the IE Restricted Zone settings. Once configured, there is no need to run the program again, unless you want to add additional sites. 

Also have him install firewall for better protection like zonealarm

Ask him not to store passwords in his computer  ( disable remember password )

Ask him to download this software to check for trojan ( trojan remover)

Update the virus definitions and scan for viruses


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Serendipity14Author Commented:
He did all that and it comes up with nothing. This hacker comes onto IM and threatens him and says he is watching. It appears to be in the system and untraceable.
Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

Here's an idea...

reformat the entire box and reinstall the OS. Use differnet usernames/passes for ALL internet related activity: email, IM, etc. That's the only way you'll be 100% that everything is removed.

>>  This hacker comes onto IM and threatens him and says he is watching. It appears to be in the system and untraceable.

Test him . I donot agree to what he is saying. May be he is fooling your friend. Ignore and delete his contact in IM ..


Sunray does it again! Yeah sounds to me like the guy threatening is just a moron - when I was moderating a chat server a few years back we'd see these kind of threats all the time. Usually came to nothing. Often turns out the instigator has a chip on their shoulder becaus ethey failed computing 101 in junior school.

The best thing I can recommend is if your friend is using XP, start with going into advanced TCP/IP options and switching on the built-in firewall, otherwise use zonealarm or something like that as Sunray suggested. I can't speak for zonealarm but some have built in IDS functionality which can give you the source address and type of attack.

Also get him to run netstat -a at the command prompt to see what open connections there are to the machine - look for something strange. Look for direct connections to broadband service providers - a typical one would be something like (netvigator being a local ISP here) or something like that.

Your friend should only have direct outbound connections unless he is using something like Kazaa etc.

I can't suggest that you post the full output of netstat -a to this forum as someone may use it malignantly, however you can post it if you replace all mention of your friends machine name and IP with x's and y's etc...

If you find a suspect IP or a few suspect IPs check back with us here and we can tell you how to find out where they are and what you can do about it. This kind of behaviour is nothing more than online bullying and it annoys me intensely. Let's get 'em.

Serendipity14Author Commented:
Thanks for all your comments. I will pass this all on.  Thanks for taking the time. I will keep you updated.
My answer would be quite simple, use these software:

- ZoneAlarm Pro (firewall)
- BlackICE (firewall)
- SpySweeper (real-time protection)
- Ad-Aware Pro (real-time protection)
- Norton Antivirus (real-time protection)

BlackICE and ZoneAlarm can co-exist no problems, and the other programs can keep monitoring the system,
keep in mind that their virus / protection definitions must be up to date in order to keep the system safe.

Scan the system with the scanners, then make sure important files arent infected, back 'em up, and do a fresh
install, I would recommend using some disk wiping software, these will make sure no bad data is left on the
HDD, do a 7 write / delete cycle ( or more, but could take more time ), that option is available in the disk wiping / cleaning software.

Another comment, install BlackICE, ZoneAlarm, NeoTrace (tracing program) / HackTracer.

1) Install BlackICE, ZoneAlarm
2) connect to the internet ,and use ZoneAlarm to shutdown all internet activities
3) go to blackIce, clear the evidence log and other logs
4) via ZoneAlarm, re-eanable the internet
5) watch BlackICE's main window for types of suspicious attacks.
6) note down the IP address / details
7) launch NeoTrace / hacktracer / tracert, punch in the IP address, trace the hacker using the software.

Maybe that would help?
I downloaded Keylogger Hunter and when I went to do the scan, there's a flashlight scanning, then a window comes up and says:
"Parimeter is incorrect"

what happened and what do I do?

The security set up I use is
1)ZoneAlarm firewall (the regular version is even free)
2) Pest patrol (detects over 15,000 "pests" such as keyloggers, adware, malware, hackers and other spies
3)Norton anti virus
4)Zone log analyser (reads the firewall logs and can report access attempt for you)

After you have everything set up test your firewall online and make sure it is working correctly.
all of these suggestions are great and some cost alot of coin too...

this is what I use and it's essentially free

-ZoneAlarm (free version)
-Avast Anti-Virus (free, but has a nag every few months to re-register)
-Spybot S&D
I use them both because one will always find things that the other didn't

but I also think these guys are sounds like this guy is just harassing your friend. Best thing to do is try to ignore him...he'll eventually find someone else to annoy.
You may also what to try a product called sypcop:

It's a anti-keylogger and anti-spy product!

I've been years it for a while.   It's wroth a try!
I cannot open my ADD/REMOVE says cannot open Rundll32.exe is missing.

where can i redownload this from??????

*running windows 95*

Thank you
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.