How to detect or prevent monitoring program

I had a former employee who, I have discovered through his own admission, deployed stealth remote monitoring on some other employees' home computers and delivered the application via email to the remote computer. I would have thought anti-virus or anti-spyware programs would have prevented this. Now I am concerned that the extent of the malicious activity is greater than he admits. How can I check for the existence of stealth monitoring or key-logging, and how can I prevent it in the future?

I do not know what program was used. However, I did a quick search on Google and found a lot of products claiming to be able to do this type of activity.

Any suggestions would be greatly appreciated.



Start with a virus \ spyware scan. Use Symantec, Trend Micro, Spyware Doctor, Malwarebytes, and ComboFix for starters. You will need to run more than one. Then get Autoruns, and see if anything looks suspicious. Remove un-needed programs.

Apply all updates to the computers, unless you know of updates that have issues. Turn on Windows Firewall.

You may never really be sure you got rid of everything. Assume your work has been compromised also. See further below.

Check with management and make sure it is OK to work on users' home computers. It can be time consuming, and you will end up fixing a lot of stuff that didn't belong to this guy anyway.

Did he custom-write the program? Why just home computers, and not your servers? Did he say why he was doing that? And why tell you anyway? This doesn't make sense.

Have your home users change ALL of their passwords, including online bank accounts, email, 401K, etc. It doesn't matter what it is, change it. Better safe than sorry. Have them change their router passwords, especially if he was installing it for them.

Talk to your lawyer, in case you need to prosecute. Keep notes of everything you do.

You should also change ALL of your passwords at work, including Root \ Domain admin passwords. Check membership in these groups: Account Operators, Schema Admins, Enterprise Admins and Domain Admins. Verify that each account belongs there. Sit with HR, and verify all user accounts.
Complete a full security audit of your company.

dcadler (Author) commented:
One of the other employees was a woman he was attracted to; the other was her boyfriend. The admission was in the form of statements he made to the woman saying he was monitoring everything he did, and he referenced conversations she had had in chats and emails to her boyfriend. The comments he made were in the form of emails to the woman, and I have seen copies of the emails. They included some personal pictures that the woman had on her hard drive. The employee was fired because of his behavior.

I have already changed all passwords and advised all employees to do the same. I will probably recommend that the two employees involved reformat their systems, but I would first like to find the software to use as evidence. They currently have Sophos AV on their systems, which is what we are running on our work network. There are no items in their quarantine. The AV is up to date. The MS updates are current.

Are you saying to run several different kinds of AV software?
When you say "autoruns", are you talking about registry entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run?

Is there any kind of network monitor or forensic program that I can use to catch the stealth program in action and determine the IP where the logs are being sent?

As I understand it, this software can be sent in an email, and simply by opening the email it can install and hide itself. Is this really possible? I always tell my employees never to open emails from sources they do not know, but in this case it was a person they knew. This seems like a ridiculously easy way to spy on someone, and I would think there would have to be a way to prevent it in the first place.

Do you know whether these types of programs can use port 80? If so, they would pass the firewalls.


Yes, I am saying run more than one virus\spyware program. The AV companies (Symantec, Trend, Sophos...) are good at picking up viruses, and the anti-spyware companies (Malwarebytes, ComboFix) are good at picking up spyware. (I wish there was one program that worked on everything.)

Get Autoruns from here...
It can show you everything that runs at startup. It looks in that registry entry, and a lot of others. Be careful, and just disable things before you delete them. A lot of the programs listed in Autoruns are legitimate, so disabling them can cause the computer to not boot.

If these machines are at work, you may be able to catch it in your firewall logs. Set your firewall to monitor all traffic coming from that machine, and not the other machines...

Some software can hide itself in email, especially if it is HTML email, and be set to run automatically, usually with a bug in the email client software. A lot of other software will run because the user clicks an attachment, e.g. the LoveLetter virus from a few years back.

Another way to find stealth software - run Wireshark -
After installing it, you would need to shut all your programs down, such as IE, then start it, and see if you catch any network traffic going out. A lot of programs use port 80, as everyone has that open.

Once Wireshark is up and running, go into Notepad and type a lot of characters. Pages of them. The idea is that some keystroke loggers only send out information when the buffer gets full, so you could be waiting all day for that to happen.

Look for other programs, such as GoToMyPC, LogMeIn, DameWare, pcAnywhere, VNC, etc. All of these programs allow some sort of remote control. They are legitimate programs, and will not show up in any virus\malware scan. GoToMyPC and LogMeIn go out through port 80 and connect to their server, so they would go through most firewalls. Go here for a demo -
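A worked version of the comparison step in the "type pages into Notepad while capturing" test above. This is an added example written for this page, not code from the answer or from Wireshark. It assumes you have taken two per-connection byte counters, one with the browser and mail client closed and one after typing, in a simple "pid process remote bytes_out" record format defined here; the process names, the addresses (RFC 5737 documentation ranges), the counters and the allowlist are all constructed.

```python
"""Compare per-connection byte counters taken before and after the typing test.

Added example; not from the original thread.  The idea from the answer
above: close every program that legitimately talks out, then type pages
of text so a keylogger that only flushes a full buffer has something to
send, and look for the connection that grows.  This script does the
comparison on two snapshots of "pid process remote bytes_out" records,
the kind of per-connection counters a firewall or proxy log, or
Wireshark's Conversations view, can export.  Record format, process
names, addresses (RFC 5737 documentation ranges) and counters are all
constructed for the example.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "pid process remote")

# Processes allowed to keep sending during the test.  Assumption: the
# examiner tunes this list.  A name match is weak evidence, since malware
# can use any name or inject into a trusted process, so the output is a
# lead to confirm with Autoruns and the binary's on-disk path, not a verdict.
EXPECTED_PROCESSES = {"svchost.exe"}

# One record per line: pid, process image, remote ip:port, bytes sent so far
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+:\d+)\s+(\d+)\s*$")


def parse_snapshot(text):
    """Parse a snapshot into {Conn: bytes_out}; header/blank lines are skipped."""
    snap = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, proc, remote, sent = m.groups()
            snap[Conn(int(pid), proc, remote)] = int(sent)
    return snap


def grown_connections(before, after, expected=EXPECTED_PROCESSES):
    """Connections whose outbound bytes grew between the snapshots, largest
    growth first, excluding processes in `expected`.  A connection absent
    from `before` counts all of its bytes as growth and is marked new."""
    hits = []
    for conn, sent in after.items():
        delta = sent - before.get(conn, 0)
        if delta <= 0 or conn.process.lower() in expected:
            continue
        port = conn.remote.rsplit(":", 1)[1]
        hits.append({
            "pid": conn.pid,
            "process": conn.process,
            "remote": conn.remote,
            "bytes_sent": delta,
            "new": conn not in before,
            # Port 80/443 traffic passes most perimeter firewalls; flag it
            # rather than trusting it.
            "web_port": port in ("80", "443"),
        })
    return sorted(hits, key=lambda h: h["bytes_sent"], reverse=True)


# Constructed snapshots: idle machine with browser and mail client closed,
# then the same machine after several pages were typed into Notepad.
BEFORE = """\
PID   PROCESS       REMOTE              BYTES_OUT
1204  svchost.exe   198.51.100.20:443   1820
2288  updsvc.exe    203.0.113.7:80      4096
3312  avupdate.exe  198.51.100.21:80    512
"""

AFTER = """\
PID   PROCESS       REMOTE              BYTES_OUT
1204  svchost.exe   198.51.100.20:443   1900
2288  updsvc.exe    203.0.113.7:80      12288
3312  avupdate.exe  198.51.100.21:80    512
5540  helper.exe    203.0.113.9:80      2048
"""

if __name__ == "__main__":
    for h in grown_connections(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print("%-12s pid %-5d -> %-20s +%d bytes%s%s" % (
            h["process"], h["pid"], h["remote"], h["bytes_sent"],
            " (new)" if h["new"] else "",
            " [web port]" if h["web_port"] else ""))
```

On the constructed data the script reports updsvc.exe (8192 more bytes to 203.0.113.7:80) and a new helper.exe connection, while the small svchost.exe growth is suppressed by the allowlist and the unchanged avupdate.exe session is ignored. The point of keeping the allowlist tiny is that the test is only meaningful when everything that legitimately talks out has been shut down first; anything left that grows while you type is the lead to chase in Autoruns.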

btan (Exec Consultant) commented:
Also, to add: the stealth program can be a rootkit, and detecting one is not easy since it operates at a lower level (rather than the simple user-application level). Try
a) GMER
b) Comodo BOClean Anti-Malware
BOClean watches memory, the registry, and the file system, waiting for malware to load, and then shuts it down before it has a chance to operate.

They complement the AV and firewall. Do not neglect anti-malware software; it adds a layer of defense.

There is a good read; see

A desktop can be considered "high risk" by falling into one or more of the following categories:
      Higher Risk User: User is more likely to...
          o Install "Browser Optimizers", screensavers, goodies such as weather/coupon "toolbars", or "Search Tools"
          o Install P2P file Sharing software or download games
          o Visit web sites containing software or applets to download (such as gamez sites)
          o Visit web pages with ActiveX downloads contained in banners and pop-ups
          o Visit web pages that contain (either natively or through a banner) an IE exploit
          o Open an enclosure or click on a link with an email
      Higher Risk Desktop:
          o Desktop has not been recently patched and restarted
          o The machine's browser security settings are not set high enough
          o The User Profile is not restricted enough

By proactively monitoring and scanning the network, installed malware may be detected early in the infection cycle. The "high risk" machines may even act as an "early warning system" for the detection of malware.

One of the more interesting network-based malware detection techniques utilizes snort to detect malware. (Snort is a network-based Intrusion Detection System (IDS) which scans and alerts on suspicious traffic patterns.) This involves loading up snort signatures which match traffic patterns of known spyware, adware, and malware. Many of these signatures have been conveniently aggregated into "bleeding malware" rules located on the Bleeding Snort web site. Detection of many malware-infected computers is possible by having snort (with the bleeding-malware rules) "listen" (monitor) to network traffic and alert on a match with the "Bleeding Malware" rules.

Things to do for better prevention
    * Educate users on "better browsing habits": refrain from installing "Browser Optimizers", screensavers, toolbars, games, etc.
    * Educate users on "corporate computer use": not to visit web pages containing games, chat rooms, etc.
    * Educate users on "email safety": refrain from opening attachments, previewing an email, or clicking on links with an email.

    * Lock down user profiles to prevent unauthorized installations (which should help prevent files being written to the system folder as well as certain malwares from registering themselves to run upon startup).
    * Harden Browser Security Settings
    * Install active-spyware protection
    * Hosts files

Gateway Solutions:
    * Block known malware sites at the router, firewall (CVP with URL block list), or network aggregation point
    * Use proxy server with URL block-list (or appliance)
    * Add the domains associated with the malware to your INTERNAL DNS server with a loopback or null address, to prevent hosts within that domain from resolving to an IP address.
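The network-based detection described above, where Snort matches traffic patterns of known spyware, as an added example written for this page. It is not code from the thread, from Snort or from the Bleeding Snort project; it implements only enough of the Snort rule grammar (the header, plus the msg, content, nocase and sid options, ignoring the rest) to show how a content signature picks a malware check-in out of ordinary port-80 traffic. The rule, its sid, the "ExampleLogger" User-Agent it looks for, the $HTTP_PORTS value and the three sample requests are all constructed for the example.

```python
"""Minimal Snort-style signature matcher.

Added example; not code from the thread, from Snort or from the Bleeding
Snort rules.  It implements enough of the Snort rule grammar (header,
msg, content, nocase, sid; other options are parsed and ignored) to show
how a content signature catches a spyware callback hidden in ordinary
port-80 traffic.  The rule, the "ExampleLogger" User-Agent it matches and
the three sample requests are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)

# Port variables as snort.conf would define them; the value is an assumption.
PORT_VARS = {"$HTTP_PORTS": {80, 8080, 8000}}


@dataclass
class Rule:
    msg: str
    proto: str
    dport: str
    sid: int
    contents: list = field(default_factory=list)  # [(bytes, nocase), ...]


def split_options(opts):
    """Split the option body on ';' while leaving quoted strings intact."""
    parts, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: %r" % text)
    msg, sid, contents = "", None, []
    for opt in split_options(m.group("opts")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            msg = val.strip('"')
        elif key == "content":
            contents.append([val.strip('"').encode("latin-1"), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True      # nocase modifies the preceding content
        elif key == "sid":
            sid = int(val)
        # flow, rev, classtype, ... are accepted but not evaluated here
    if sid is None:
        raise ValueError("rule has no sid")
    return Rule(msg, m.group("proto"), m.group("dport"), sid,
                [tuple(c) for c in contents])


def port_matches(spec, port):
    if spec == "any":
        return True
    if spec in PORT_VARS:
        return port in PORT_VARS[spec]
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p.strip(), port) for p in spec[1:-1].split(","))
    if ":" in spec:                     # range such as 1024:65535 or 1024:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def rule_matches(rule, proto, dport, payload):
    if rule.proto != proto or not port_matches(rule.dport, dport):
        return False
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False                # every content option must match
    return True


def scan(rules, flows):
    """flows: list of (proto, dst_port, payload bytes).  Returns alert dicts."""
    alerts = []
    for i, (proto, dport, payload) in enumerate(flows):
        for rule in rules:
            if rule_matches(rule, proto, dport, payload):
                alerts.append({"flow": i, "sid": rule.sid, "msg": rule.msg})
    return alerts


# Constructed local rule (sid values of 1,000,000 and up are the range
# reserved for locally written rules).
EXAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"LOCAL ExampleLogger keylogger check-in"; flow:to_server,established; '
    'content:"User-Agent: ExampleLogger"; nocase; sid:1000001; rev:1;)'
)

# Constructed traffic: a normal page fetch, the keylogger posting captured
# keystrokes over plain HTTP, and the same post seen on a non-HTTP port.
SAMPLE_FLOWS = [
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("tcp", 80, b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                b"User-Agent: examplelogger/1.0\r\nContent-Length: 20\r\n\r\n"
                b"log=password123%0Aok"),
    ("tcp", 25, b"POST /gate.php HTTP/1.1\r\nUser-Agent: ExampleLogger/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for a in scan([parse_rule(EXAMPLE_RULE)], SAMPLE_FLOWS):
        print("flow %d: sid %d %s" % (a["flow"], a["sid"], a["msg"]))
```

Only the second flow alerts: the lowercase User-Agent is caught because of nocase, and the identical payload on port 25 is skipped because the rule is scoped to $HTTP_PORTS. That scoping is why the thread's observation that spyware rides port 80 matters for placement: a sensor that only sees traffic leaving the gateway on the ports the firewall allows still sees the beacon, which is where the Bleeding malware rules earn their keep.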
btan (Exec Consultant) commented:
Can also check out EMCO Network Malware Cleaner (specially designed for network virus scanning)

dcadler (Author) commented:
Great tips. Many of the suggestions had to do with overall policy and as a result, I have hardened our internal network use policies and added multi-layer protection. Thanks,