Google Answers Logo
View Question
Q: SPYWARE EXPERT NEEDED! ( No Answer,   1 Comment )
Category: Computers > Security
Asked by: jimtac-ga
List Price: $20.00
Posted: 08 Aug 2006 20:14 PDT
Expires: 07 Sep 2006 20:14 PDT
Question ID: 754080
I have found 2 key loggers ("sc-keylog" and "perfect keylogger") on my
office computer. I have not yet removed them. How do I determine where
the information gathered is going? I need specfic instructions on how
to determine the above requested information.

Request for Question Clarification by sycophant-ga on 08 Aug 2006 21:05 PDT

Both the keyloggers you refer too allow logs to be sent by email. 

It should be possible to determine where the emails are being sent by
monitoring your network connection with an application like Ethereal.

This article explains this concept with Perfect Keylogger:

The concepts explained in this article should allow you to determine
the destination of the logs for both keyloggers. It is possible that
the keyloggers are set to only email once a week, or even less. To
accurately determine where these emails are going it is necessary to
capture them.

Using SysInternals Process Monitor you should be able to issolate the
processes that the keyloggers are running as,using this information
with Reg Mon and File Mon it may be possible to locate configuration
information for the loggers, but my research indicates that this is
likely to be encrypted.

Essentially, you need to capture data from the network connection
until the keylogger sends logging data to the recepient email address.

Perfect Keylogger also supports an FTP upload option. Again, this
traffic can be captured and reviewed with Ethereal.

Applications of interest:

Process Explorer

TCP View

File Mon

Reg Mon

Are these details sufficent for your situation?


Clarification of Question by jimtac-ga on 09 Aug 2006 20:06 PDT
I downloaded ethereal and as soon as I started the program, I realized
I had no idea what I was looking at.  If I am able to figure out how
to capture data, what will I do with it.  I'm kind of a catch and
release sort of guy.
There is no answer at this time.

From: victag-ga on 15 Aug 2006 23:44 PDT
If you are using Windows, you can run the command netstat -A to see
all of the current connections your computer has.  To do this, ensure
you have all other applications closed to minimize the traffic your
computer is likely to have.  Click Start, then Run and type cmd and
click ok.  Then at the command prompt, type netstat -A and press
enter. Take note of any connections listed that are not just Listening
and look at the Foreign Address to see who is connected.  This may
help you find an IP address you can begin to investigate on

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  

Google Home - Answers FAQ - Terms of Service - Privacy Policy