Solved

Malware

Posted on 2011-03-02
7
527 Views
Last Modified: 2012-05-11
A client is suspicious that an estranged spouse has installed keylogging software or something similar on a laptop, and has asked to have it checked for such. I plan to take the usual steps used for malware and rootkit detection. Also, I have a little experience with eBlaster and will attempt to look for that.
I am looking for suggestions beyond what I plan to do to help do a more thorough job. This is not what I normally do and I am no expert in this area.
Thanks!
0
Comment
Question by:westone
7 Comments
 
LVL 6

Expert Comment

by:CrowaX
I would check the running processes in the task manager for anything unusual. I would try running multiple programs if you don't already, eg: Spybot, Malwarebytes and even ComboFix if it's Windows XP.

There is also a slim chance they have a hardware keylogger. They usually plug into the back of the computer between the PS2 keyboard and the motherboard port.
0
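A scripted version of the "look at the running processes" check, added here as an example and not part of the thread: it lists every process with its image path and publisher, services whose binary lives outside the Windows and Program Files trees, and the netstat connection table joined to process names, then writes everything to a report file so the findings survive the cleanup. The report location and the "user-writable folder" patterns used for flagging are this example's own assumptions; it uses only PowerShell 2.0-era cmdlets so it also runs on XP/Vista/7.

```powershell
# Added example (not from the thread): first-pass live triage of a Windows
# laptop suspected of carrying a keylogger. Run from an elevated PowerShell
# prompt BEFORE any cleaning so the findings are preserved, and keep the
# report file with the job notes. Report path and folder patterns are
# this example's own assumptions.

$report = Join-Path $env:USERPROFILE ("Desktop\triage-" + (Get-Date -Format 'yyyyMMdd-HHmm') + ".txt")

# 1. Every process with its full image path, parent PID and publisher.
#    Commercial and home-grown monitoring software tends to run from a
#    user-writable folder and/or carries no CompanyName in its version info.
$procs = foreach ($p in Get-WmiObject Win32_Process) {
    $path = $p.ExecutablePath
    $company = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
    }
    $flag = ''
    if ($path -match '\\(AppData|Temp|Local Settings|Application Data)\\') { $flag = 'USER-WRITABLE DIR' }
    elseif ($path -and -not $company)                                       { $flag = 'NO PUBLISHER' }
    New-Object PSObject -Property @{
        PID = $p.ProcessId; PPID = $p.ParentProcessId; Name = $p.Name
        Path = $path; Company = $company; Flag = $flag
    }
}

# 2. Services whose binary is not under Windows\ or Program Files\.
#    (-notmatch is case-insensitive, so C:\WINDOWS on XP matches too.)
$svcs = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[a-z]:\\(windows|program files)' } |
    Select-Object Name, State, StartMode, PathName

# 3. Listeners and connections from netstat -ano, joined to process names.
#    A logger that ships its captures by e-mail or FTP shows up here as an
#    unexpected outbound connection owned by a non-browser process.
#    TCP lines carry a state column, UDP lines do not, hence the optional group.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.PID] = $p.Name }
$net = foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$') {
        New-Object PSObject -Property @{
            Proto = $matches[1]; Local = $matches[2]; Remote = $matches[3]
            State = $matches[4]; PID = [int]$matches[5]; Process = $byPid[[int]$matches[5]]
        }
    }
}

# 4. Write the report, flagged processes first, and echo the flagged ones.
$sections = @(
    "=== Processes (flagged first) ===",
    ($procs | Sort-Object Flag -Descending | Format-Table PID, PPID, Name, Company, Flag, Path -AutoSize | Out-String -Width 200),
    "=== Services outside Windows/Program Files ===",
    ($svcs | Format-Table -AutoSize | Out-String -Width 200),
    "=== Network connections ===",
    ($net | Sort-Object State, Process | Format-Table Proto, Local, Remote, State, PID, Process -AutoSize | Out-String -Width 200)
)
$sections | Out-File -FilePath $report -Encoding UTF8
Write-Host "Triage report written to $report"
$procs | Where-Object { $_.Flag } | Format-Table PID, Name, Flag, Path -AutoSize
```

Two caveats worth keeping in mind when reading the output: a hook-based logger can live as a DLL loaded into a legitimate process (explorer.exe, a browser), so an empty "flagged" list is not proof of absence, and none of this sees the hardware keylogger mentioned above, which only a physical look at the keyboard cable and USB ports will find.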
 
LVL 4

Expert Comment

by:lgg733
Did the client provide any evidence of this? Also, did the estranged spouse get into the client's email or something of that nature? Aside from finding the keylogger you should suggest the client change all their passwords and possibly contact authorities if they haven't yet. They should also adjust their facebook/twitter security settings if they use those services.
I was involved in a similar situation over the last year and, long story short, the estranged spouse violently attacked the client. There was no keylogger but the spouse was able to get into the client's email because the client used very obvious passwords.
I know it is not really your place to get involved in a domestic dispute if you are just being consulted for technical needs but often estranged spouses using keyloggers and such are just the beginning of worse things to come. Just some suggestions.
0
 
LVL 1

Accepted Solution

by:
DigitalBay earned 500 total points
Step 1.
Remove the hard drive and mount it on a different computer with a clean system.

Step 2.
From the clean computer:
a) Scan for Viruses
b) Scan for Spyware/Malware
c) Scan the disk for errors with forced repair

Step 3.
Reinstall the hard drive

Step 4
Before restarting computer, disconnect Ethernet cable and/or wireless network device.

Step 5
Boot normally into the primary administrator account for Windows XP

Step 6
From the operating system...
a) Install new and updated virus software and spyware/malware software from your clean CD or Flash drive.
b) Scan for Viruses and Spyware/Malware
c) Optional: Schedule a Disk Scan on reboot and reboot the computer

Step 7
Reset ALL options to "Default" in each and every Internet Browser the client uses on that computer.

Step 8
NOTE: If tech has his own computer available, (Recommended) then skip to Step 9.

If Client's computer connects wirelessly to the internet...
Unplug the modem but not the wireless router.
(If using a two-in-one modem/wireless router you will have to skip this step and take your chances.)
Now, reinstall or restart the wireless network device on the client's computer.

Step 9
Open a Command window and type ipconfig /all
Find the Wireless Network LAN and note the Default Gateway (example: 192.168.1.254)

Step 10
Type http://111.222.333.444 into the address bar on the browser. (Replace 111.222.333.444 with the Default Gateway that you noted in the previous step.)

Step 11
a) Enter the required password to gain access to the router's setup page.

b) Before making any changes in the router settings, be sure the customer has the Username and Password for their ISP account, especially if the account is a PPPoE connection handled by the router. (If the client does not know what it is – get them on the phone with their ISP immediately.)
 
c) Consider resetting the router back to factory defaults at this point and ESPECIALLY if the default password has not been changed, and/or the connection is not secured.

d) AT THE VERY LEAST always do the following…
1. reset the router password
2. create a new encryption passkey phrase
3. reset all of the firewall settings in the router to factory default.
4. reset the passkey and verify connection on the client’s computer.
5. check for any irregular or unwanted open ports or port forwarding that

Step 12
Remove their old virus scanner and any suspicious scanners the client previously installed.
Reboot the computer.

Step 13
Go to c:\Program Files and manually delete any folders left behind by the programs you uninstalled.
Using extreme caution, do the same in c:\Program Files\Common

Make sure another undeleted program is not in the folder before you delete it. Delete only the folders for the programs you uninstalled.

Step 14
Delete all Temp and Temporary Internet Files. (Try CCleaner)

Step 15
Run a registry repair program of your choice.

Step 16
Open System Configuration dialog box (configsys) and click on Selective Startup, go to the Startup tab and uncheck all unnecessary (if not all) non-OS startup items

Step 17
Reboot the computer

Step 18
DO NOT SKIP STEP 17! You must be sure that the computer reboots normally before we move to the next step.

Dump the System restore files…
Once rebooted, open the System Properties and click on the System Restore button.
Click to turn off System Restore, click OK and reboot the computer.

Step 19
Power up the modem. If the client has a dynamic IP, you might consider a complete power cycle.

Complete Power Cycle: Unplug the Modem and Router and shut down the computer. Plug in the modem, wait for it to connect (about 60 sec.) then plug in the router and wait for it to connect (about 60 sec.) then power on the computer.

Step 20
a) Make sure that all the windows updates are installed
b) Make sure the Virus and Malware programs are up to date.

I think you are done. :)
0
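For Steps 1 and 2 (drive mounted on a clean computer), the virus and spyware scans can be complemented by reading the suspect system's own registry autostart locations offline, which is where most software keyloggers register to survive a reboot. The script below is an added example, not part of the accepted solution: it assumes an elevated PowerShell prompt on the clean machine and the suspect drive mounted as D: (edit $Drive), loads the offline SOFTWARE hive and each profile's NTUSER.DAT with reg.exe, lists every Run/RunOnce entry, and flags Winlogon Shell/Userinit, AppInit_DLLs and Load values that differ from their normal contents. The "OfflineSoftware"/"OfflineUser" hive names are this example's choice; the registry keys and values themselves are standard Windows locations.

```powershell
# Added example (not from the thread): inspect the suspect drive's registry
# autostart locations from the clean computer, without booting the suspect
# system. Assumes elevation and the suspect drive mounted as D:.
$Drive = 'D:'

# Values that are normally fixed; anything else is worth a closer look.
$expected = @{
    'Winlogon\Shell'       = '^explorer\.exe$'                               # extra entries = extra autostart
    'Winlogon\Userinit'    = '^[a-z]:\\windows\\system32\\userinit\.exe,?$'  # a second program here runs at logon
    'Windows\AppInit_DLLs' = '^$'                                            # normally empty; DLL loaded into every GUI process
    'Windows\Load'         = '^$'                                            # normally absent/empty
}

function Show-OfflineAutoruns([string]$Mount, [string]$HiveFile, [string[]]$Keys) {
    if (-not (Test-Path -LiteralPath $HiveFile)) { return }
    reg load "HKLM\$Mount" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $HiveFile"; return }
    try {
        Write-Host "`n### $HiveFile"
        foreach ($k in $Keys) {
            $props = Get-ItemProperty -LiteralPath "HKLM:\$Mount\$k" -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            $leafKey = Split-Path $k -Leaf
            foreach ($v in $props.PSObject.Properties) {
                if ($v.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
                $id = "$leafKey\$($v.Name)"
                if ($expected.ContainsKey($id)) {
                    if ("$($v.Value)" -notmatch $expected[$id]) {
                        Write-Host ("  [CHECK] {0,-32} {1}" -f $id, $v.Value)
                    }
                } elseif ($leafKey -match '^Run') {
                    # every Run/RunOnce value is an autostart; list them all for review
                    Write-Host ("  [RUN]   {0,-32} {1}" -f $v.Name, $v.Value)
                }
            }
        }
    } finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # drop handles so the unload succeeds
        reg unload "HKLM\$Mount" | Out-Null
    }
}

$softwareKeys = @('Microsoft\Windows\CurrentVersion\Run',
                  'Microsoft\Windows\CurrentVersion\RunOnce',
                  'Microsoft\Windows NT\CurrentVersion\Winlogon',
                  'Microsoft\Windows NT\CurrentVersion\Windows')
$userKeys     = @('Software\Microsoft\Windows\CurrentVersion\Run',
                  'Software\Microsoft\Windows\CurrentVersion\RunOnce',
                  'Software\Microsoft\Windows NT\CurrentVersion\Windows')

# Machine-wide autostarts live in the SOFTWARE hive.
Show-OfflineAutoruns 'OfflineSoftware' "$Drive\Windows\System32\config\SOFTWARE" $softwareKeys

# Per-user autostarts live in each profile's NTUSER.DAT:
# XP keeps profiles under Documents and Settings, Vista and later under Users.
foreach ($root in @("$Drive\Users", "$Drive\Documents and Settings")) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $profiles = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($profile in $profiles) {
        $dat = Join-Path $profile.FullName 'NTUSER.DAT'
        if (Test-Path -LiteralPath $dat) { Show-OfflineAutoruns 'OfflineUser' $dat $userKeys }
    }
}
```

Read the [RUN] lines against what the client actually installed; an entry pointing into a user profile folder, or a product name the client does not recognise, is what to chase in the scan results. Because the hives are read from the mounted drive, nothing on the suspect system executes, so a rootkit that hides its keys from the live system cannot hide them here.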
 
LVL 1

Expert Comment

by:DigitalBay
Clarification of Step 11 above
d) AT THE VERY LEAST always do the following…

1. reset the router password
2. create a new encryption passkey phrase
3. reset all of the firewall settings in the router to factory default.
4. reset the passkey and verify connection on the client’s computer.
5. check for any irregular or unwanted open ports or port forwarding that

Should read...

4. check for any irregular or unwanted open ports or port forwarding in the router.
5. reset the passkey and verify connection on the client’s computer.
0
 
LVL 1

Expert Comment

by:DigitalBay
Man-oh-man! I thought I reread this thing enough but alas (and not necessarily lastly)...

Add to Step 18...
After the computer reboots, go turn System Restore back on and create a new Restore point.
0
 

Author Closing Comment

by:westone
Thanks!
0
 
LVL 1

Expert Comment

by:DigitalBay
Add to the end of Step 18...

After the computer reboots, go turn System Restore back on and create a new Restore Point.
Open Windows Firewall from Control Panel and reset all Firewall Settings to Factory Default.
0