Solved

How to check for legal spyware or keyloggers?

Posted on 2010-08-18
15
1,339 Views
Last Modified: 2012-05-10
I have a client that would like me to check her computer for legal spyware like Spectorsoft or something of that nature. She wants to make sure that there aren't any keyloggers or anything on there. Most malware scanners do not find the legal products that you install yourself, so I wanted to know if anyone knows of another way to discover them if they are running in the background.
Question by:mousemen

15 Comments
 
LVL 27

Expert Comment

by:Tolomir
Just give the free www.prevx.com scanner a try.

It will detect a keylogger. Legal or not.

Tolomir
 

Author Comment

by:mousemen
PrevX did not find anything and neither did spyware doctor. Any other suggestions to finding possible keyloggers? I want to cover all my bases before saying it is clean. Thanks for the help.
 
LVL 6

Expert Comment

by:ChiefoftheChiss
Check out this link, if you have access to it.
http://www.experts-exchange.com/Hardware/Desktops/Q_23335274.html
Ironically, I am 250 points from accessing it again to make sure it has your solution or not, but you might check it out if you can, or maybe another expert can find out if it helps you - sorry


If not, while not definitive:

Check for these processes
winnetcl.exe
webebot.exe

Check for these DLL's
netknlhm.dll
netknl.dll

 
LVL 6

Expert Comment

by:ChiefoftheChiss
Okay, I got myself back to expert again. Apparently all the link says is that SAV (Symantec AntiVirus) will look for it, and the asker confirmed with Symantec.
 
LVL 25

Expert Comment

by:madunix
Usually every antivirus detects keyloggers. Update your AV and scan; that should work.
I use NOD32: http://www.eset.com/
 
LVL 27

Expert Comment

by:Tolomir
I can only think of an offline scan.

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Rootkits can only be kept unseen as long as they have control over the operating system.

Using this boot disk you can scan Windows while it is inactive, showing all files that are normally hidden/protected.
 
LVL 27

Expert Comment

by:Tolomir
As a last resort, install the computer from scratch, installing only trustworthy software.
Create a user account without administrator permissions.
Use the administrator account only for installation of software / updates etc.

Tolomir
 
LVL 47

Expert Comment

by:rpggamergirl
Some rootkit scanners can detect keyloggers, running IceSword for example and analyzing the logs from the following areas:
Processes, Startup, and Win32 Services and taking notes of red entries from Processes, Startup, Win32 Services, and SSDT.

Then go to the Message Hooks function and take note of the Process Path for any entries that are Type WH_KEYBOARD <-- this is to detect possible keyloggers.

The WH_KEYBOARD is the main one to look for but keyloggers may also be present under these Types:
WH_MSGFILTER
WH_GETMESSAGE
WH_KEYBOARD_LL
WH_JOURNALRECORD

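IceSword's Message Hooks view lists the DLL behind each installed hook. When that tool will not run (as the asker reports later in the thread), a rough substitute is possible because a global WH_KEYBOARD, WH_GETMESSAGE or WH_MSGFILTER hook set with SetWindowsHookEx has its DLL mapped into every process on the desktop that pumps messages. The PowerShell below is an added example, not from the thread and not an IceSword feature: it counts which DLLs are loaded by nearly every readable process and shows their signature, so an unsigned DLL present everywhere stands out. The 70% cut-off is an assumed value, and WH_KEYBOARD_LL hooks (which run in the installing process and inject nothing) are not found this way.

```powershell
# Added example (not from the thread): find DLLs mapped into almost every process,
# the footprint of a global SetWindowsHookEx hook. Run from an elevated PowerShell
# with the same bitness as the processes of interest (32-bit PowerShell cannot read
# the module list of 64-bit processes). Assumes PowerShell 3 or later.

$Threshold = 0.7   # assumed cut-off: flag a DLL present in >= 70% of readable processes

function Get-SharedModuleReport([double]$Fraction = $Threshold) {
    $census   = @{}   # lower-cased DLL path -> array of process names that have it loaded
    $readable = 0

    foreach ($proc in Get-Process) {
        # Protected processes and processes of the other bitness throw here; skip them.
        try { $mods = $proc.Modules } catch { continue }
        if (-not $mods) { continue }
        $readable++
        foreach ($m in $mods) {
            $key = $m.FileName.ToLower()
            if (-not $census.ContainsKey($key)) { $census[$key] = @() }
            $census[$key] += $proc.ProcessName
        }
    }

    $windir = $env:windir.ToLower()
    $cut    = [math]::Ceiling($readable * $Fraction)

    $census.GetEnumerator() | Where-Object { $_.Value.Count -ge $cut } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Dll         = $_.Key
            InProcesses = "$($_.Value.Count)/$readable"
            UnderWinDir = $_.Key.StartsWith($windir)
            # Catalog-signed OS DLLs can show NotSigned on older PowerShell; judge
            # path, signer and presence together rather than on Status alone.
            Signature   = if ($sig) { $sig.Status } else { 'n/a' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Sort-Object UnderWinDir, Dll    # DLLs outside %windir% are listed first
}

Get-SharedModuleReport | Format-Table -AutoSize
```

Expect the usual system DLLs (ntdll.dll, kernel32.dll, user32.dll and friends) at the top of the count; what matters is anything outside %windir%, or inside it but unsigned, that is loaded by as many processes as those are. A hook DLL that only targets a single application (a browser, for instance) will not reach the threshold, so lower it or inspect that process's module list directly if the complaint is specific to one program.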
 
LVL 27

Expert Comment

by:Tolomir
I did read an article today regarding that matter.

1st: Virus scans are useless because spyware companies bring antivirus companies to court if they remove legal spyware.
2nd: There are unlimited opportunities to hide spyware: rootkits, thread injections, hooking.

To be rather secure, ask a professional dealing with that matter on a daily basis, or reinstall the computer from scratch and keep away from any LAN with Active Directory that allows remote installation of software.

Use a strong administrator password; prevent booting from USB and DVD in the BIOS. Secure the hardware so that a user is not able to physically access the hard disk.

Tolomir
 
LVL 27

Accepted Solution

by:Tolomir (earned 250 total points)
To identify the usual spyware I will list the method of detection:

eBlaster: check for strange filenames among the explorer plugins in the category ShellServiceObjectDelayLoad; look for urlmkpl.dll
I Am Big Brother: call iview from the command line; look for a file bigbrotherbox.gif
Mini Key Log: use RunAlyzer to search for Winlogon entries with file size and MD5 hash that are not shown in Windows Explorer (rootkit)
Orvell Monitoring: press Ctrl+Shift+O
PC Agent: use RunAlyzer to search for Winlogon entries with file size and MD5 hash that are not shown in Windows Explorer (rootkit)
Pearl Echo Suite: search for a file called CDoonarrival.dll (maybe 00 instead of oo); execute "ec7unins" from a shell
REFOG Employee (Personal) Monitor: search for a file called mpk.exe; execute "runrefog" from a shell
Spector Pro: check for strange filenames among the explorer plugins in the category ShellServiceObjectDelayLoad; look for SHMSWNMP.DLL or SHMSWNRC.dll

Because of rootkit techniques it might be necessary to boot from a Linux live system, such as the Avira rescue CD mentioned above, and search for the files while Windows is inactive.

Tolomir

 
LVL 27

Assisted Solution

by:Tolomir (earned 250 total points)
Use regedit to get here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

http://www.safer-networking.org/en/runalyzer/index.html
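The manual checks in the two comments above (ShellServiceObjectDelayLoad entries, Winlogon entries with size and MD5 hash, and the marker filenames listed for each product, together with the process and DLL names ChiefoftheChiss listed earlier) can be run as one script. The PowerShell below is an added example, not from the thread and not RunAlyzer's or any product's own code. It assumes PowerShell 3 or later on the suspect machine, run from an elevated prompt, and it allowlists only the Webcheck CLSID that is reported as normal further down this thread; every other SSODL entry is resolved through its CLSID's InProcServer32 value to the DLL it loads.

```powershell
# Added example (not from the thread): walk the autostart locations named in this
# thread, resolve each entry to the file it loads, and report size, MD5, signature
# and hidden attribute so the list can be compared with an offline view taken from
# a live CD. Assumes PowerShell 3 or later, run from an elevated prompt.

# Webcheck is a stock Windows entry (reported as normal later in this thread).
$KnownGoodClsid = @('{E6FB5E20-DE35-11CF-9C87-00AA005127ED}')

# Filenames this thread associates with specific monitoring products.
$MarkerFiles = @('urlmkpl.dll', 'SHMSWNMP.DLL', 'SHMSWNRC.dll', 'mpk.exe',
                 'bigbrotherbox.gif', 'CDoonarrival.dll', 'CD00narrival.dll',
                 'netknlhm.dll', 'netknl.dll', 'winnetcl.exe', 'webebot.exe')

# Point this at another drive letter to run the marker search against a suspect disk
# attached to a clean machine.
$SearchRoot = "$env:SystemDrive\"

function Get-Md5Hex([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($md5.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

function Describe-File([string]$Path, [string]$Source) {
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim().Trim('"'))
    # Bare names such as "explorer.exe" in Winlogon\Shell resolve relative to %windir%.
    if ($p -and -not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:windir $p }
    if (-not $p -or -not (Test-Path -LiteralPath $p)) {
        return [pscustomobject]@{ Source = $Source; Path = $Path; Size = $null;
                                  MD5 = ''; Signature = 'MISSING'; Signer = ''; Hidden = $null }
    }
    $item = Get-Item -LiteralPath $p -Force          # -Force so hidden files are not skipped
    $sig  = Get-AuthenticodeSignature -FilePath $p
    [pscustomobject]@{
        Source    = $Source
        Path      = $p
        Size      = $item.Length
        MD5       = Get-Md5Hex $p
        Signature = $sig.Status   # catalog-signed OS files may show NotSigned on old PowerShell
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Hidden    = [bool]($item.Attributes -band [System.IO.FileAttributes]::Hidden)
    }
}

$report = @()

# 1. ShellServiceObjectDelayLoad: each value holds a CLSID; the DLL is in its InProcServer32 key.
$ssodl = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
foreach ($name in $ssodl.GetValueNames()) {
    $clsid = $ssodl.GetValue($name)
    if ($KnownGoodClsid -contains $clsid) { continue }
    $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { $srv.'(default)' } else { '' }
    $report += Describe-File $dll "SSODL:$name $clsid"
}

# 2. Winlogon values (Shell, Userinit, ...) and XP-era Notify packages.
$wlPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty $wlPath
foreach ($v in 'Shell', 'Userinit', 'UIHost', 'GinaDLL', 'Taskman') {
    if (-not $wl.$v) { continue }
    foreach ($part in ($wl.$v -split ',' | Where-Object { $_.Trim() })) {
        $report += Describe-File $part "Winlogon:$v"
    }
}
$report += Get-ChildItem "$wlPath\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).DLLName
    if ($dll) { Describe-File $dll "WinlogonNotify:$($_.PSChildName)" }
}

# 3. Known marker filenames anywhere under the search root, hidden files included.
$report += Get-ChildItem -Path $SearchRoot -Recurse -Force -Include $MarkerFiles -ErrorAction SilentlyContinue |
    ForEach-Object { Describe-File $_.FullName 'MarkerFile' }

$report | Sort-Object Source | Format-Table -AutoSize
```

This is the on-line half of the check only: a rootkit that filters directory listings or registry reads hides its files from this script just as it does from Explorer, which is why the thread pairs it with a scan from the Avira rescue CD. The sizes and MD5 values printed here are meant to be compared with the same files seen from the live CD; an entry that exists offline but is MISSING on-line, or whose hash differs, is the tell.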
 

Author Comment

by:mousemen
Alright, I scanned with Avira boot CD, and nothing was found. I am now going through the other suggestions and will update once I am done. Thanks for all the help so far.
 

Author Comment

by:mousemen
ChiefoftheChiss: I did not find any of those processes or DLLs.

rpggamergirl: I was unable to run Icesword on this system, even with the Vista version, though I tried both.

Tolomir: I went through and checked for everything you suggested and ran RunAlyzer. I also searched for those DLLs from an Ubuntu boot disk, but found nothing. The only thing I noticed that was strange was when I checked the registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

... there was an entry called Webcheck. Is this a sign of something, or is it completely normal?
 
LVL 27

Expert Comment

by:Tolomir
I got that webcheck too. {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Seems like there is no spyware installed. At least something that can be detected.

Another way to get access to all information that is exchanged is sniffing the LAN, so it is best to access important sites only with the https:// prefix.

Email should be transferred via SSL encryption.

 
 

Author Closing Comment

by:mousemen
Thank you for all the help, Tolomir. I will let the client know that it is clean.