mousemen

asked on

How to check for legal spyware or keyloggers?

I have a client that would like me to check her computer for legal spyware like Spectorsoft or something of that nature. She wants to make sure that there aren't any key loggers or anything on there. Most malware scanners do not find the legal products that you install yourself, so I wanted to know if anyone knows of another way to discover them if they are running in the background.
Tolomir

Just give the free www.prevx.com scanner a try.

It will detect a keylogger. Legal or not.

Tolomir
mousemen

ASKER

PrevX did not find anything and neither did spyware doctor. Any other suggestions to finding possible keyloggers? I want to cover all my bases before saying it is clean. Thanks for the help.
Check out this link, if you have access to it.
https://www.experts-exchange.com/questions/23335274/is-Spectorsoft-installed-on-my-computer.html
Ironically, I am 250 points from accessing it again to make sure it has your solution or not, but you might check it out if you can, or maybe another expert can find out if it helps you - sorry


If not, while not definitive:

Check for these processes:
winnetcl.exe
webebot.exe

Check for these DLLs:
netknlhm.dll
netknl.dll


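Added example (not part of the thread or any of the tools mentioned in it): a small Python script that parses `tasklist /M /FO CSV` output and flags any process whose image name, or any loaded module, matches the indicator names listed above. The CSV text below is a constructed sample for a hypothetical host, not output from the asker's machine; on a real Windows box the script collects the list itself. Matching is case-insensitive, since the names on disk can be capitalized differently from the list.

```python
import csv
import io
import subprocess
import sys

# Process and DLL names quoted in the thread as possible Spectorsoft indicators.
INDICATOR_PROCESSES = {"winnetcl.exe", "webebot.exe"}
INDICATOR_DLLS = {"netknlhm.dll", "netknl.dll"}

# Constructed sample of `tasklist /M /FO CSV` output (hypothetical host, not real data).
SAMPLE_TASKLIST_CSV = """\
"Image Name","PID","Modules"
"explorer.exe","1532","ntdll.dll,kernel32.dll,user32.dll,shell32.dll"
"winword.exe","2204","ntdll.dll,kernel32.dll,netknlhm.dll"
"WinNetCl.exe","2880","ntdll.dll,kernel32.dll"
"notepad.exe","3012","ntdll.dll,kernel32.dll,user32.dll"
"""


def parse_tasklist_csv(text):
    """Return a list of (image_name, pid, [module names]) from tasklist CSV text.

    The Modules column is a single quoted field with comma-separated DLL names;
    processes whose modules cannot be read show "N/A", which is dropped.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        modules = [
            m.strip().lower()
            for m in row["Modules"].split(",")
            if m.strip() and m.strip() != "N/A"
        ]
        rows.append((row["Image Name"], int(row["PID"]), modules))
    return rows


def find_indicators(rows, procs=INDICATOR_PROCESSES, dlls=INDICATOR_DLLS):
    """Flag rows whose image name or loaded modules match an indicator (case-insensitive)."""
    hits = []
    for image, pid, modules in rows:
        if image.lower() in procs:
            hits.append((image, pid, "process name"))
        for dll in sorted(dlls.intersection(modules)):
            # A known DLL loaded into an otherwise normal process (e.g. winword.exe)
            # is the pattern a hooking keylogger leaves behind.
            hits.append((image, pid, "loaded module " + dll))
    return hits


def collect_tasklist():
    """On Windows, run tasklist for real; elsewhere fall back to the constructed sample."""
    if sys.platform == "win32":
        out = subprocess.run(["tasklist", "/M", "/FO", "CSV"],
                             capture_output=True, text=True, check=True)
        return out.stdout
    return SAMPLE_TASKLIST_CSV


if __name__ == "__main__":
    hits = find_indicators(parse_tasklist_csv(collect_tasklist()))
    if not hits:
        print("no indicator processes or DLLs found")
    for image, pid, reason in hits:
        print(f"{image} (PID {pid}): {reason}")
```

As the post above says, a clean result here is not definitive: the list only covers names that were public at the time, and a product can rename its files.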
Okay, I got myself back to expert again; apparently all the link says is that SAV (Symantec AntiVirus) will look for it, and the asker confirmed with Symantec.
Usually every antivirus detects key loggers... update your AV and scan, that should work.
I use NOD32 http://www.eset.com/
I can only think of an offline scan.

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Rootkits can only be kept unseen as long as they have control over the operating system.

Using this boot disk you can scan Windows while it is inactive, showing all files that are normally hidden/protected.
As a last resort, install the computer from scratch, installing only trustworthy software.
Create a user account without administrator permissions.
Use the administrator account only for installation of software / updates etc.

Tolomir
Some rootkit scanners can detect keyloggers; for example, run IceSword and analyze the logs from the following areas:
Processes, Startup, and Win32 Services, taking note of red entries from Processes, Startup, Win32 Services, and SSDT.

Then go to the Message Hooks function and take note of the Process Path for any entries that are Type WH_KEYBOARD <-- this is to detect possible keyloggers.

The WH_KEYBOARD is the main one to look for but keyloggers may also be present under these Types:
WH_MSGFILTER
WH_GETMESSAGE
WH_KEYBOARD_LL
WH_JOURNALRECORD

I did read an article today regarding that matter.

1st: Virus scans are useless because spyware companies bring antivirus companies to court if they remove legal spyware.
2nd: There are unlimited opportunities to hide spyware: rootkits, thread injections, hooking.

To be rather secure, ask a professional dealing with that matter on a daily basis, or reinstall the computer from scratch and keep away from any LAN with Active Directory that allows remote installation of software.

Use a strong administrator password, and prevent booting from USB or DVD in the BIOS. Secure the hardware so that a user is not able to physically access the hard disk.

Tolomir
Alright, I scanned with Avira boot CD, and nothing was found. I am now going through the other suggestions and will update once I am done. Thanks for all the help so far.
ChiefoftheChiss: I did not find any of those processes or DLLs.

rpggamergirl: I was unable to run Icesword on this system, even with the Vista version, though I tried both.

Tolomir: I went through and checked for everything you suggested and ran RunAlyzer. I also searched for those DLLs from an Ubuntu boot disk, but found nothing. The only thing that I notice that was strange was when I checked the registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

... there was an entry called Webcheck. Is this a sign of something, or is it completely normal?
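Added example (not from the thread): one way to answer the Webcheck question for any ShellServiceObjectDelayLoad entry is to resolve each CLSID to the DLL it loads and check whether that DLL lives under %SystemRoot%. The `reg query` text and the CLSID-to-DLL table below are constructed samples: the WebCheck CLSID is the one quoted in the thread and, on a stock system, points at webcheck.dll under System32; the second entry is a hypothetical value added only to show what a suspicious one would look like. On Windows the optional `read_clsid_server` helper reads the real HKCR value instead of the table.

```python
import ntpath
import re

# Registry key quoted in the thread.
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Constructed sample of `reg query <SSODL_KEY>` output. The second value is hypothetical.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    WebCheck    REG_SZ    {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    UpdateHelper    REG_SZ    {0F0F0F0F-1111-2222-3333-444444444444}
"""

# Constructed stand-in for HKCR\CLSID\<clsid>\InprocServer32 default values.
SAMPLE_CLSID_SERVERS = {
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}": r"%SystemRoot%\System32\webcheck.dll",
    "{0F0F0F0F-1111-2222-3333-444444444444}": r"C:\Users\Public\uphelper.dll",
}

SYSTEM_ROOT = r"C:\Windows"  # assumed expansion of %SystemRoot% for the sample

# Matches value lines such as "    WebCheck    REG_SZ    {clsid}".
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(\{[0-9A-Fa-f-]{36}\})\s*$")


def parse_reg_query(text):
    """Map value name -> CLSID (upper-cased) from `reg query` output."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2).upper()
    return entries


def resolve_entries(entries, clsid_servers, system_root=SYSTEM_ROOT):
    """Resolve each CLSID to its in-process server DLL.

    Returns (name, clsid, normalized path or None, suspicious). An entry is
    flagged when its DLL is outside %SystemRoot% or the CLSID has no server.
    """
    results = []
    root = ntpath.normcase(system_root) + "\\"
    for name, clsid in entries.items():
        raw = clsid_servers.get(clsid)
        if raw is None:
            results.append((name, clsid, None, True))
            continue
        path = ntpath.normcase(raw.replace("%SystemRoot%", system_root))
        results.append((name, clsid, path, not path.startswith(root)))
    return results


def read_clsid_server(clsid):
    """Windows only: read HKCR\\CLSID\\<clsid>\\InprocServer32 (default value)."""
    import winreg  # raises ImportError off Windows
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InprocServer32") as key:
        value, _type = winreg.QueryValueEx(key, "")
        return value


if __name__ == "__main__":
    entries = parse_reg_query(SAMPLE_REG_QUERY)
    for name, clsid, path, suspicious in resolve_entries(entries, SAMPLE_CLSID_SERVERS):
        tag = "CHECK" if suspicious else "ok"
        print(f"[{tag}] {name} {clsid} -> {path}")
```

A DLL under System32 with the expected name is the normal case; an SSODL entry pointing at a user-writable directory, or a CLSID with no registered server at all, is what would merit a closer look.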
I got that webcheck too. {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Seems like there is no spyware installed. At least something that can be detected.

Another way to get access to all information that is exchanged is sniffing the lan - so it is best to access important sites just with https:// prefix.

Email should be transferred via SSL encryption.

 
Thank you for all the help Tolomir. I will let the client know that it is clean.