Solved

How to check for legal spyware or keyloggers?

Posted on 2010-08-18
15
1,349 Views
Last Modified: 2012-05-10
I have a client who would like me to check her computer for legal spyware like Spectorsoft or something of that nature. She wants to make sure that there aren't any key loggers or anything on there. Most malware scanners do not find the legal products that you install yourself, so I wanted to know if anyone knows of another way to discover them if they are running in the background.
Question by:mousemen
15 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 33468973
Just give the free www.prevx.com scanner a try.

It will detect a keylogger. Legal or not.

Tolomir

Author Comment

by:mousemen
ID: 33470359
PrevX did not find anything and neither did Spyware Doctor. Any other suggestions for finding possible keyloggers? I want to cover all my bases before saying it is clean. Thanks for the help.
LVL 6

Expert Comment

by:ChiefoftheChiss
ID: 33470392
Check out this link, if you have access to it.
http://www.experts-exchange.com/Hardware/Desktops/Q_23335274.html
Ironically, I am 250 points from accessing it again to make sure it has your solution or not, but you might check it out if you can, or maybe another expert can find out if it helps you - sorry


If not, while not definitive:

Check for these processes:
winnetcl.exe
webebot.exe

Check for these DLLs:
netknlhm.dll
netknl.dll


LVL 6

Expert Comment

by:ChiefoftheChiss
ID: 33470988
Okay, I got myself back to expert again. Apparently all the link says is that SAV (Symantec Antivirus) will look for it, and the asker confirmed with Symantec.
LVL 25

Expert Comment

by:madunix
ID: 33472182
Usually every antivirus detects key loggers. Update your AV and scan; that should work.
I use NOD32 http://www.eset.com/
LVL 27

Expert Comment

by:Tolomir
ID: 33473010
I can only think of an offline scan.

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Rootkits can only be kept unseen as long as they have control over the operating system.

Using this boot disk you can scan Windows while it is inactive, showing all files that are normally hidden/protected.
LVL 27

Expert Comment

by:Tolomir
ID: 33473020
As a last resort, install the computer from scratch:
installing only trustworthy software,
creating a user account without administrator permissions,
using the administrator account only for installation of software / updates etc.

Tolomir
LVL 47

Expert Comment

by:rpggamergirl
ID: 33474066
Some rootkit scanners can detect keyloggers. Running IceSword, for example, and analyzing the logs from the following areas: Processes, Startup, and Win32 Services, taking note of red entries from Processes, Startup, Win32 Services, and SSDT.

Then go to the Message Hooks function and take note of the Process Path for any entries that are of Type WH_KEYBOARD <-- this is to detect possible keyloggers.

WH_KEYBOARD is the main one to look for, but keyloggers may also be present under these Types:
WH_MSGFILTER
WH_GETMESSAGE
WH_KEYBOARD_LL
WH_JOURNALRECORD

LVL 27

Expert Comment

by:Tolomir
ID: 33483772
I did read an article today regarding that matter.

1st: Virus scans are useless because spyware companies bring antivirus companies to court if they remove legal spyware.
2nd: There are unlimited opportunities to hide spyware: rootkits, thread injections, hooking.

To be reasonably secure, ask a professional dealing with that matter on a daily basis, or reinstall the computer from scratch and keep it away from any LAN with Active Directory that allows remote installation of software.

Use a strong administrator password and prevent booting from USB/DVD in the BIOS. Secure the hardware so that a user cannot physically access the hard disk.

Tolomir
LVL 27

Accepted Solution

by:Tolomir (earned 250 total points)
ID: 33483841
To identify the usual spyware I will list the method of detection:

eblaster: Check for strange filenames of explorer plugins in the category ShellServiceObjectDelayLoad; look for urlmkpl.dll
I am big brother: call iview from the command line, look out for a file bigbrotherbox.gif
mini key log: Use RunAlyzer to search for winlogon entries with filesize and MD5 hash that are not shown in Windows Explorer (rootkit)
orvell monitoring: press ctrl+shift+o
pc agent: Use RunAlyzer to search for winlogon entries with filesize and MD5 hash that are not shown in Windows Explorer (rootkit)
pearl echo suite: search for a file called CDoonarrival.dll (maybe 00 instead of oo), execute "ec7unins" from the shell
refog employee (Personal) monitor: search for a file called mpk.exe. Execute "runrefog" from the shell
spector pro: Check for strange filenames of explorer plugins in the category ShellServiceObjectDelayLoad; look for SHMSWNMP.DLL or SHMSWNRC.dll

Because of rootkit techniques it might be necessary to boot from a Linux live system, such as the Avira rescue CD (mentioned above), and search for the files while Windows is inactive.

Tolomir

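The offline file search that the accepted solution recommends, written out as an added example (not code from Tolomir or anyone else in the thread). It walks a Windows partition that has been mounted read-only from a Linux live system and reports any file whose name matches one of the names quoted in the answers above; the mount point, the sample directory tree and the product labels are assumptions taken from the thread, not independently verified.

```python
"""Offline indicator search for a mounted Windows volume.

Added example for this thread, not code from any of the posters. Because the
walk runs against the inactive volume, a rootkit that hides files on the
running system cannot interfere with what is listed.
"""
import os
import sys
import tempfile

# File names quoted in the thread. The product attributions are the thread's,
# not independently verified here; "cd00narrival.dll" covers the "00 instead
# of oo" variant the accepted answer mentions.
INDICATOR_FILES = {
    "urlmkpl.dll": "eblaster (ShellServiceObjectDelayLoad plugin)",
    "bigbrotherbox.gif": "I am big brother",
    "cdoonarrival.dll": "pearl echo suite",
    "cd00narrival.dll": "pearl echo suite (digits variant)",
    "mpk.exe": "refog employee/personal monitor",
    "shmswnmp.dll": "spector pro",
    "shmswnrc.dll": "spector pro",
    "netknlhm.dll": "DLL listed by ChiefoftheChiss",
    "netknl.dll": "DLL listed by ChiefoftheChiss",
    "winnetcl.exe": "process listed by ChiefoftheChiss",
    "webebot.exe": "process listed by ChiefoftheChiss",
}


def scan_volume(root):
    """Return a sorted list of (path, label) for every file under `root`
    whose name, compared case-insensitively (NTFS is case-insensitive),
    is one of the indicator names. Unreadable directories are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            label = INDICATOR_FILES.get(name.lower())
            if label is not None:
                hits.append((os.path.join(dirpath, name), label))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample volume in a temp dir: two benign files plus
    one indicator name in mixed case. Returns the root path (constructed data)."""
    root = tempfile.mkdtemp(prefix="sample_win_")
    for rel in ("Windows/system32/notepad.exe",
                "Users/client/Documents/notes.txt",
                "Windows/system32/ShMsWnMp.DLL"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\0")
    return root


if __name__ == "__main__":
    # Assumed mount point; pass the real one as the first argument.
    mount = sys.argv[1] if len(sys.argv) > 1 else "/mnt/windows"
    found = scan_volume(mount)
    for path, label in found:
        print(f"{path}: {label}")
    print(f"{len(found)} indicator file(s) under {mount}")
```

A hit is only a prompt for a closer look (hash the file, check its version resource, compare against a clean install); an empty result, as mousemen found, says only that none of these particular names is present.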
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 250 total points
ID: 33483854
Use regedit to get here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

http://www.safer-networking.org/en/runalyzer/index.html
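An added example (not code from the thread or from the RunAlyzer project) that audits the ShellServiceObjectDelayLoad key named in the previous two answers. Each value under the key is a CLSID that Explorer loads at logon; the DLL behind it is recorded at HKCR\CLSID\{clsid}\InprocServer32. The script reads the key, resolves each CLSID to its DLL and flags anything that is not in a known-good baseline or that loads from outside the system directory. The baseline contains only the WebCheck CLSID quoted later in the thread, and the sample entries and the `Loader` CLSID are constructed for the demonstration.

```python
r"""Read-only audit of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad.

Added example for this thread. Live registry access needs Windows; the
classification logic works on any platform so it can be run on exported data.
"""
import os
try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None

SSODL_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Known-good CLSIDs, upper-case. Only the WebCheck CLSID from the thread is
# listed; extend this from a clean build of the same Windows version.
BASELINE_CLSIDS = {
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",  # WebCheck, seen on the clean machine in this thread
}


def resolve_inproc_server(clsid):
    """Return the expanded InprocServer32 path for `clsid`, or None if absent."""
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            "CLSID\\" + clsid + "\\InprocServer32") as key:
            value, _type = winreg.QueryValueEx(key, "")
        return os.path.expandvars(value)
    except OSError:
        return None


def read_ssodl_entries():
    """Return {value_name: (clsid, dll_path_or_None)} from the live registry."""
    if winreg is None:
        raise RuntimeError("live registry access requires Windows")
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_PATH) as key:
        index = 0
        while True:
            try:
                name, clsid, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            index += 1
            entries[name] = (clsid, resolve_inproc_server(clsid))
    return entries


def classify_entries(entries, baseline=BASELINE_CLSIDS, system_dir=r"C:\Windows\system32"):
    """Return [(name, clsid, dll, [reasons])] for entries that deserve a look;
    entries with no reason to flag are omitted."""
    findings = []
    for name, (clsid, dll) in entries.items():
        reasons = []
        if clsid.upper() not in baseline:
            reasons.append("CLSID not in baseline")
        if dll is None:
            reasons.append("CLSID has no InprocServer32 (dangling or hidden)")
        elif not dll.lower().startswith(system_dir.lower()):
            reasons.append("DLL loads from outside the system directory")
        if reasons:
            findings.append((name, clsid, dll, reasons))
    return findings


# Constructed sample: an export of the key on a machine with one extra shell
# service object planted in a user profile. The Loader CLSID is made up.
SAMPLE_ENTRIES = {
    "WebCheck": ("{E6FB5E20-DE35-11CF-9C87-00AA005127ED}", r"C:\Windows\system32\webcheck.dll"),
    "Loader": ("{00000000-0000-0000-0000-0000DEADBEEF}", r"C:\Users\client\AppData\Roaming\urlmkpl.dll"),
}

if __name__ == "__main__":
    entries = read_ssodl_entries() if winreg is not None else SAMPLE_ENTRIES
    for name, clsid, dll, reasons in classify_entries(entries):
        print(f"{name}: {clsid} -> {dll}")
        for reason in reasons:
            print(f"    {reason}")
```

Run it as an administrator on the machine under review; on 64-bit Windows a 32-bit Python sees the WOW6432Node view of HKLM\SOFTWARE, so use a 64-bit interpreter to read the same key regedit shows. A flagged entry is a starting point for inspection of the DLL, not proof of monitoring software.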

Author Comment

by:mousemen
ID: 33488494
Alright, I scanned with Avira boot CD, and nothing was found. I am now going through the other suggestions and will update once I am done. Thanks for all the help so far.

Author Comment

by:mousemen
ID: 33502429
ChiefoftheChiss: I did not find any of those processes or DLLs.

rpggamergirl: I was unable to run Icesword on this system, even with the Vista version, though I tried both.

Tolomir: I went through and checked for everything you suggested and ran RunAlyzer. I also searched for those DLLs from an Ubuntu boot disk, but found nothing. The only thing that I notice that was strange was when I checked the registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

... there was an entry called Webcheck. Is this a sign of something, or is it completely normal?
LVL 27

Expert Comment

by:Tolomir
ID: 33508618
I got that webcheck too. {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Seems like there is no spyware installed. At least, nothing that can be detected.

Another way to get access to all information that is exchanged is sniffing the LAN, so it is best to access important sites only with the https:// prefix.

Email should be transferred via SSL encryption.

 

Author Closing Comment

by:mousemen
ID: 33511744
Thank you for all the help Tolomir. I will let the client know that it is clean.