Solved

How to check for legal spyware or keyloggers?

Posted on 2010-08-18
15
Medium Priority
1,376 Views
Last Modified: 2012-05-10
I have a client that would like me to check her computer for legal spyware like Spectorsoft or something of that nature. She wants to make sure that there aren't any keyloggers or anything on there. Most malware scanners do not find the legal products that you install yourself, so I wanted to know if anyone knows of another way to discover them if they are running in the background.
0
Comment
Question by:mousemen
15 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 33468973
Just give the free www.prevx.com scanner a try.

It will detect a keylogger. Legal or not.

Tolomir
0
 

Author Comment

by:mousemen
ID: 33470359
PrevX did not find anything and neither did spyware doctor. Any other suggestions to finding possible keyloggers? I want to cover all my bases before saying it is clean. Thanks for the help.
0
 
LVL 6

Expert Comment

by:ChiefoftheChiss
ID: 33470392
Check out this link, if you have access to it.
http://www.experts-exchange.com/Hardware/Desktops/Q_23335274.html
Ironically, I am 250 points from accessing it again to make sure it has your solution or not, but you might check it out if you can, or maybe another expert can find out if it helps you - sorry


If not, while not definitive:

Check for these processes:
winnetcl.exe
webebot.exe

Check for these DLLs:
netknlhm.dll
netknl.dll


0
 
LVL 6

Expert Comment

by:ChiefoftheChiss
ID: 33470988
Okay, I got myself back to expert again. Apparently all the link says is that SAV - Symantec Antivirus - will look for it, and the asker confirmed with Symantec.
0
 
LVL 25

Expert Comment

by:madunix
ID: 33472182
Usually every antivirus detects keyloggers. Update your AV and scan; that should work.
I use NOD32: http://www.eset.com/
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33473010
I can only think of an offline scan.

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Rootkits can only be kept unseen as long as they have control over the operating system.

Using this boot disk you can scan Windows while it is inactive, showing all files that are normally hidden/protected.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33473020
As a last resort, install the computer from scratch, installing only trustworthy software.
Create a user account without administrator permissions.
Use the administrator account only for installation of software / updates etc.

Tolomir
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 33474066
Some rootkit scanners can detect keyloggers. Run IceSword, for example, and analyze the logs from the following areas:
Processes, Startup, and Win32 Services, taking note of red entries from Processes, Startup, Win32 Services, and SSDT.

Then go to the Message Hooks function and take note of the Process Path for any entries that are Type WH_KEYBOARD <-- this is to detect possible keyloggers.

The WH_KEYBOARD is the main one to look for but keyloggers may also be present under these Types:
WH_MSGFILTER
WH_GETMESSAGE
WH_KEYBOARD_LL
WH_JOURNALRECORD

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33483772
I did read an article today regarding that matter.

1st: Virus scans are useless because spyware companies take antivirus companies to court if they remove legal spyware.
2nd: There are unlimited opportunities to hide spyware: rootkits, thread injections, hooking.

To be rather secure, ask a professional dealing with that matter on a daily basis, or reinstall the computer from scratch and keep away from any LAN with Active Directory that allows remote installation of software.

Use a strong administrator password, and prevent booting from USB or DVD in the BIOS. Secure the hardware so that a user is not able to physically access the hard disk.

Tolomir
0
 
LVL 27

Accepted Solution

by:
Tolomir earned 1000 total points
ID: 33483841
To identify the usual spyware I will list the method of detection:

eBlaster: check for strange filenames of explorer plugins in the category ShellServiceObjectDelayLoad; look for urlmkpl.dll
I Am Big Brother: call iview from the command line, look out for a file bigbrotherbox.gif
Mini Key Log: use RunAlyzer to search for winlogon entries with file size and MD5 hash that are not shown in Windows Explorer (rootkit)
Orvell Monitoring: press ctrl+shift+o
PC Agent: use RunAlyzer to search for winlogon entries with file size and MD5 hash that are not shown in Windows Explorer (rootkit)
Pearl Echo Suite: search for a file called CDoonarrival.dll (maybe 00 instead of oo), execute "ec7unins" from a shell
Refog Employee (Personal) Monitor: search for a file called mpk.exe, execute "runrefog" from a shell
Spector Pro: check for strange filenames of explorer plugins in the category ShellServiceObjectDelayLoad; look for SHMSWNMP.DLL or SHMSWNRC.dll

Because of rootkit techniques it might be necessary to boot from a Linux live system, such as the Avira rescue CD (mentioned above), and search for the files while Windows is inactive.

Tolomir

0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 1000 total points
ID: 33483854
Use regedit to get here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

http://www.safer-networking.org/en/runalyzer/index.html
0
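The two checks the accepted and assisted solutions describe (look through ShellServiceObjectDelayLoad for entries whose DLL is unexpected, and search the disk for the filenames associated with specific monitoring products) can be scripted so the result is a reviewable list rather than a manual registry browse. The script below is an added example written for this page; it is not code from the thread or from RunAlyzer. It assumes a Windows host with PowerShell 4 or later, run from an elevated prompt. The allow-list of known SSODL CLSIDs is constructed and contains only the Webcheck CLSID quoted later in the thread; the filenames are the ones listed in the accepted solution, with the "00" spelling variant it mentions added.

```powershell
# Added example, not code from the original thread. Assumes a Windows host with
# PowerShell 4 or later, run from an elevated prompt so HKLM and Program Files are readable.

# Registry key named in the thread; each value maps a friendly name to a CLSID that the
# shell loads at logon, which is why eBlaster and Spector Pro were said to register here.
$SsodlPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# Constructed allow-list: the Webcheck CLSID quoted in the thread is a stock Windows entry.
# Anything not in this table is reported for manual review, not declared malicious.
$KnownSsodl = @{
    '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}' = 'Webcheck (Internet Explorer)'
}

# Filenames listed in the accepted solution (plus the "00" spelling variant it mentions).
$SuspectFiles = @(
    'urlmkpl.dll', 'bigbrotherbox.gif', 'CDoonarrival.dll', 'CD00narrival.dll',
    'mpk.exe', 'SHMSWNMP.DLL', 'SHMSWNRC.dll'
)

function Get-SsodlEntry {
    # Resolve every SSODL value to the DLL that implements its CLSID, then check that the
    # file exists and carries a valid Authenticode signature.
    if (-not (Test-Path $SsodlPath)) { return }
    $key = Get-Item -Path $SsodlPath
    foreach ($name in $key.GetValueNames()) {
        $clsid  = ([string]$key.GetValue($name)).ToUpperInvariant()
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $inproc) {
            $dll = [Environment]::ExpandEnvironmentVariables((Get-Item $inproc).GetValue(''))
            # Some stock entries register a bare filename; those resolve relative to System32.
            if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path $env:SystemRoot "System32\$dll"
            }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Name      = $name
            Clsid     = $clsid
            Dll       = $dll
            Signature = $status
            Known     = $KnownSsodl.ContainsKey($clsid)
            Review    = (-not $KnownSsodl.ContainsKey($clsid)) -or ($status -ne 'Valid')
        }
    }
}

function Find-SuspectFile {
    # Search the usual install locations for the filenames the thread associates with
    # commercial monitoring products, recording size, timestamp and MD5 for follow-up.
    param([string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData))
    $roots = $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    Get-ChildItem -Path $roots -Recurse -Force -File -Include $SuspectFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
                MD5           = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            }
        }
}

$entries = @(Get-SsodlEntry)
$entries | Format-Table Name, Clsid, Dll, Signature, Known -AutoSize
foreach ($e in $entries | Where-Object Review) {
    Write-Warning "Review SSODL entry '$($e.Name)' -> $($e.Dll) [$($e.Signature)]"
}

$hits = @(Find-SuspectFile)
if ($hits.Count -eq 0) { Write-Host 'None of the listed monitoring-product files were found.' }
else { $hits | Format-Table -AutoSize }
```

A clean machine typically prints a single SSODL row for Webcheck with a valid signature and no file hits; an entry whose DLL is unsigned, missing, or outside the Windows directory is what the accepted solution means by a "strange filename" and is worth looking at by hand. The same caveat the thread raises applies here: this runs on the live system, so anything hidden with rootkit techniques can lie to it, which is why the offline boot from the Avira rescue CD or a Linux live system remains the cross-check.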
 

Author Comment

by:mousemen
ID: 33488494
Alright, I scanned with Avira boot CD, and nothing was found. I am now going through the other suggestions and will update once I am done. Thanks for all the help so far.
0
 

Author Comment

by:mousemen
ID: 33502429
ChiefoftheChiss: I did not find any of those processes or DLLs.

rpggamergirl: I was unable to run Icesword on this system, even with the Vista version, though I tried both.

Tolomir: I went through and checked for everything you suggested and ran RunAlyzer. I also searched for those DLLs from an Ubuntu boot disk, but found nothing. The only thing that I notice that was strange was when I checked the registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

... there was an entry called Webcheck. Is this a sign of something, or is it completely normal?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33508618
I got that webcheck too. {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Seems like there is no spyware installed. At least something that can be detected.

Another way to get access to all information that is exchanged is sniffing the LAN, so it is best to access important sites only with the https:// prefix.

Email should be transferred via SSL encryption.
0
 

Author Closing Comment

by:mousemen
ID: 33511744
Thank you for all the help, Tolomir. I will let the client know that it is clean.
0
