How to check for legal spyware or keyloggers?

I have a client that would like me to check her computer for legal spyware like Spectorsoft or something of that nature. She wants to make sure that there aren't any keyloggers or anything on there. Most malware scanners do not find the legal products that you install yourself, so I wanted to know if anyone knows of another way to discover them if they are running in the background.
mousemenAsked:

TolomirAdministratorCommented:
Just give the free www.prevx.com scanner a try.

It will detect a keylogger. Legal or not.

Tolomir
0
mousemenAuthor Commented:
PrevX did not find anything and neither did spyware doctor. Any other suggestions to finding possible keyloggers? I want to cover all my bases before saying it is clean. Thanks for the help.
0
ChiefoftheChissCommented:
Check out this link, if you have access to it.
http://www.experts-exchange.com/Hardware/Desktops/Q_23335274.html
Ironically, I am 250 points from accessing it again to make sure it has your solution or not, but you might check it out if you can, or maybe another expert can find out if it helps you - sorry.


If not, while not definitive:

Check for these processes:
winnetcl.exe
webebot.exe

Check for these DLLs:
netknlhm.dll
netknl.dll

0

ChiefoftheChissCommented:
Okay, I got myself back to expert again. Apparently all the link says is that SAV (Symantec Antivirus) will look for it, and the asker confirmed with Symantec.
0
madunix (Fadi SODAH)Commented:
Usually every antivirus detects keyloggers... update your AV and scan, that should work.
I use NOD32 http://www.eset.com/
0
TolomirAdministratorCommented:
I can only think of an offline scan.

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Rootkits can only be kept unseen as long as they have control over the operating system.

Using this boot disk you can scan Windows while it is inactive, showing all files that are normally hidden/protected.
0
TolomirAdministratorCommented:
As a last resort, reinstall the computer from scratch, installing only trustworthy software.
Create a user account without administrator permissions.
Use the administrator account only for installation of software / updates etc.

Tolomir
0
rpggamergirlCommented:
Some rootkit scanners can detect keyloggers. Running IceSword, for example, analyze the logs from the following areas:
Processes, Startup, and Win32 Services, taking note of red entries from Processes, Startup, Win32 Services, and SSDT.

Then go to the Message Hooks function and take note of the Process Path for any entries that are Type WH_KEYBOARD <-- this is to detect possible keyloggers.

WH_KEYBOARD is the main one to look for, but keyloggers may also be present under these Types:
WH_MSGFILTER
WH_GETMESSAGE
WH_KEYBOARD_LL
WH_JOURNALRECORD

0
TolomirAdministratorCommented:
I did read an article today regarding that matter.

1st: Virus scans are useless because spyware companies bring antivirus companies to court if they remove legal spyware.
2nd: There are unlimited opportunities to hide spyware: rootkits, thread injection, hooking.

To be rather secure, ask a professional dealing with that matter on a daily basis, or reinstall the computer from scratch and keep away from any LAN with Active Directory that allows remote installation of software.

Use a strong administrator password, and prevent booting from USB/DVD in the BIOS. Secure the hardware so that a user is not able to physically access the hard disk.

Tolomir
0
TolomirAdministratorCommented:
To identify the usual spyware I will list the method of detection:

eblaster: Check for strange filenames of explorer plugins in the category ShellServiceObjectDelayLoad; look out for urlmkpl.dll
I am big brother: call iview from the command line, look out for a file bigbrotherbox.gif
mini key log: Use RunAlyzer to search for winlogon entries with file size and MD5 hash that are not shown in Windows Explorer (rootkit)
orvell monitoring: press ctrl+shift+o
pc agent: Use RunAlyzer to search for winlogon entries with file size and MD5 hash that are not shown in Windows Explorer (rootkit)
pearl echo suite: search for a file called CDoonarrival.dll (maybe 00 instead of oo), execute "ec7unins" from a shell
refog employee (Personal) monitor: search for a file called mpk.exe, execute "runrefog" from a shell
spector pro: Check for strange filenames of explorer plugins in the category ShellServiceObjectDelayLoad; look out for SHMSWNMP.DLL or SHMSWNRC.dll

Because of rootkit techniques it might be necessary to boot from a Linux live system, such as the Avira rescue CD (mentioned above), and search for the files while Windows is inactive.

Tolomir

0
TolomirAdministratorCommented:
Use regedit to get here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

http://www.safer-networking.org/en/runalyzer/index.html
0
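The manual checks from Tolomir's two posts above (the ShellServiceObjectDelayLoad key and the product file names), together with the process/DLL names ChiefoftheChiss listed, can be scripted. The script below is an added example and is not from the thread; it assumes PowerShell 4 or later (for Get-FileHash) run as Administrator on the Windows machine being examined, and treats only the Webcheck CLSID that Tolomir later confirms as a normal entry as known-good.

```powershell
# Added example, not from the thread. Audits the ShellServiceObjectDelayLoad (SSODL)
# key, resolves each CLSID to the DLL explorer.exe would load, hashes it, and then
# looks for the file and process names the replies list. It runs inside Windows,
# so a rootkit that hides files can still escape it (hence the offline boot-CD advice).

$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# CLSID the thread itself identifies as a normal entry (Webcheck); everything else is flagged.
$knownGood = @{ '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}' = 'Webcheck (Internet Explorer)' }

Write-Host "== ShellServiceObjectDelayLoad entries =="
$props = Get-ItemProperty -Path $ssodlKey
foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... added by PowerShell
    $clsid = [string]$p.Value
    $dll = $null
    # The CLSID's InProcServer32 default value is the DLL that actually gets loaded
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        $srv = Join-Path $hive "CLSID\$clsid\InProcServer32"
        if (Test-Path $srv) { $dll = (Get-ItemProperty -Path $srv).'(default)'; break }
    }
    $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '<no InProcServer32>' }
    $hash = if ($dll -and (Test-Path $path)) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { 'n/a' }
    $status = if ($knownGood.ContainsKey($clsid)) { "known: $($knownGood[$clsid])" } else { 'REVIEW' }
    "{0,-12} {1} -> {2} sha256={3} [{4}]" -f $p.Name, $clsid, $path, $hash, $status
}

# File names the replies associate with specific products (both spellings of CDoonarrival)
$suspectFiles = 'urlmkpl.dll', 'bigbrotherbox.gif', 'CDoonarrival.dll', 'CD00narrival.dll',
                'mpk.exe', 'SHMSWNMP.DLL', 'SHMSWNRC.dll', 'netknlhm.dll', 'netknl.dll',
                'winnetcl.exe', 'webebot.exe'

Write-Host "`n== Files with those names under Windows / Program Files =="
$roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $roots -Recurse -Force -Include $suspectFiles -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

Write-Host "`n== Running processes with those names =="
Get-Process | Where-Object { $suspectFiles -contains ($_.Name + '.exe') } |
    Select-Object Id, Name, Path | Format-Table -AutoSize
```

Any SSODL entry marked REVIEW should be checked by hand against its DLL path and hash, since a benign third-party shell extension will also show up there.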
mousemenAuthor Commented:
Alright, I scanned with Avira boot CD, and nothing was found. I am now going through the other suggestions and will update once I am done. Thanks for all the help so far.
0
mousemenAuthor Commented:
ChiefoftheChiss: I did not find any of those processes or DLLs.

rpggamergirl: I was unable to run Icesword on this system, even with the Vista version, though I tried both.

Tolomir: I went through and checked for everything you suggested and ran RunAlyzer. I also searched for those DLLs from an Ubuntu boot disk, but found nothing. The only thing that I notice that was strange was when I checked the registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

... there was an entry called Webcheck. Is this a sign of something, or is it completely normal?
0
TolomirAdministratorCommented:
I got that webcheck too. {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Seems like there is no spyware installed. At least something that can be detected.

Another way to get access to all information that is exchanged is sniffing the LAN - so it is best to access important sites only with the https:// prefix.

Email should be transferred via SSL encryption.

0
mousemenAuthor Commented:
Thank you for all the help Tolomir. I will let the client know that it is clean.
0