Q: SPYWARE EXPERT NEEDED! ( No Answer,   1 Comment )
Question  
Subject: SPYWARE EXPERT NEEDED!
Category: Computers > Security
Asked by: jimtac-ga
List Price: $20.00
Posted: 08 Aug 2006 20:14 PDT
Expires: 07 Sep 2006 20:14 PDT
Question ID: 754080
I have found 2 key loggers ("sc-keylog" and "perfect keylogger") on my
office computer. I have not yet removed them. How do I determine where
the information gathered is going? I need specific instructions on how
to determine the above requested information.

Request for Question Clarification by sycophant-ga on 08 Aug 2006 21:05 PDT
Hi, 

Both the keyloggers you refer to allow logs to be sent by email. 

It should be possible to determine where the emails are being sent by
monitoring your network connection with an application like Ethereal.

This article explains this concept with Perfect Keylogger:
http://www.securityfocus.com/infocus/1829

The concepts explained in this article should allow you to determine
the destination of the logs for both keyloggers. It is possible that
the keyloggers are set to only email once a week, or even less. To
accurately determine where these emails are going it is necessary to
capture them.

Using SysInternals Process Monitor you should be able to isolate the
processes that the keyloggers are running as, using this information
with Reg Mon and File Mon it may be possible to locate configuration
information for the loggers, but my research indicates that this is
likely to be encrypted.

Essentially, you need to capture data from the network connection
until the keylogger sends logging data to the recipient email address.

Perfect Keylogger also supports an FTP upload option. Again, this
traffic can be captured and reviewed with Ethereal.

Applications of interest:
Ethereal
http://www.ethereal.com/

Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

TCP View
http://www.sysinternals.com/Utilities/TcpView.html

File Mon
http://www.sysinternals.com/Utilities/Filemon.html

Reg Mon
http://www.sysinternals.com/Utilities/Regmon.html

Are these details sufficient for your situation?

Regards,
Sycophant
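
The capture-and-read procedure described above, as an added worked example that is not part of the original exchange: once Ethereal has captured the session, "Follow TCP Stream" on the port 25 (SMTP) or port 21 (FTP) connection gives a plain-text transcript like the two constructed ones below, and this Python script pulls out the server the keylogger connected to, the account it authenticates as (SMTP AUTH LOGIN is only base64-encoded, so it decodes directly), the envelope recipient and Subject, and for FTP the login and the file name uploaded. All hosts, addresses, credentials and file names in the samples are invented for the example; the parsing functions are assumptions about how to read such a transcript, not code from either keylogger or from the SecurityFocus article.

```python
import base64
import re

# Constructed sample of what Ethereal's "Follow TCP Stream" shows for a
# keylogger mailing its log. Hosts, addresses and credentials are made up.
SMTP_STREAM = """\
220 mail.example.net ESMTP ready
EHLO victim-pc
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
a2V5bG9nQGV4YW1wbGUubmV0
334 UGFzc3dvcmQ6
aHVudGVyMg==
235 Authentication successful
MAIL FROM:<keylog@example.net>
250 OK
RCPT TO:<dropbox@example.org>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Log from VICTIM-PC 2006-08-09

[captured keystrokes]
.
250 Queued
QUIT
221 Bye
"""

# Constructed sample of the control channel for the FTP upload option.
FTP_STREAM = """\
220 ftp.example.org FTP server ready
USER dropuser
331 Password required
PASS s3cret
230 Logged in
STOR VICTIM-PC_20060809.txt
150 Opening BINARY mode data connection
226 Transfer complete
QUIT
221 Goodbye
"""

SERVER_REPLY = re.compile(r"^\d{3}[ -]")  # server lines carry a 3-digit code


def parse_smtp_stream(stream):
    """Where did a captured SMTP session deliver mail, and as whom?"""
    result = {"server": None, "auth_user": None, "auth_password": None,
              "mail_from": None, "rcpt_to": [], "subject": None}
    auth_pending = []  # fields filled by the base64 lines after AUTH LOGIN
    in_data = False
    for line in stream.splitlines():
        if in_data:  # message body: only the Subject header interests us
            if line == ".":
                in_data = False
            elif line.lower().startswith("subject:"):
                result["subject"] = line.split(":", 1)[1].strip()
            continue
        if SERVER_REPLY.match(line):
            if line.startswith("220") and result["server"] is None:
                result["server"] = line.split()[1]  # greeting names the host
            continue
        upper = line.upper()
        if upper == "AUTH LOGIN":
            auth_pending = ["auth_user", "auth_password"]
        elif auth_pending:  # AUTH LOGIN credentials are base64, not encrypted
            decoded = base64.b64decode(line).decode("utf-8", "replace")
            result[auth_pending.pop(0)] = decoded
        elif upper.startswith("MAIL FROM:"):
            result["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            result["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif upper == "DATA":
            in_data = True
    return result


def parse_ftp_stream(stream):
    """Server, login and uploaded file names from an FTP control session."""
    result = {"server": None, "user": None, "password": None, "uploads": []}
    for line in stream.splitlines():
        if SERVER_REPLY.match(line):
            if line.startswith("220") and result["server"] is None:
                result["server"] = line.split()[1]
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            result["user"] = arg
        elif verb == "PASS":
            result["password"] = arg
        elif verb in ("STOR", "APPE"):  # the log file being uploaded
            result["uploads"].append(arg)
    return result
```

Two caveats when applying this to a real capture: the script only understands AUTH LOGIN (AUTH PLAIN sends user and password together in one base64 blob), and if the keylogger negotiates STARTTLS or talks to port 465, everything after the EHLO is encrypted, so only the server's IP address and port are recoverable from the capture. That address is still enough to start a whois lookup.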

Clarification of Question by jimtac-ga on 09 Aug 2006 20:06 PDT
I downloaded ethereal and as soon as I started the program, I realized
I had no idea what I was looking at.  If I am able to figure out how
to capture data, what will I do with it.  I'm kind of a catch and
release sort of guy.
Answer  
There is no answer at this time.

Comments  
Subject: Re: SPYWARE EXPERT NEEDED!
From: victag-ga on 15 Aug 2006 23:44 PDT
 
If you are using Windows, you can run the command netstat -A to see
all of the current connections your computer has.  To do this, ensure
you have all other applications closed to minimize the traffic your
computer is likely to have.  Click Start, then Run and type cmd and
click ok.  Then at the command prompt, type netstat -A and press
enter. Take note of any connections listed that are not just Listening
and look at the Foreign Address to see who is connected.  This may
help you find an IP address you can begin to investigate on
http://whois.domaintools.com/
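
The netstat approach in the comment above, as an added worked example that is not part of the original comment: on Windows XP the -o switch (netstat -ano) adds the owning process ID to each row, so the output can be filtered down to connections that actually went somewhere and grouped by process. The netstat text below is constructed for the example (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, the PIDs are invented), and the filtering rules and port list are this example's own assumptions about what a keylogger's "send log" feature would talk to.

```python
# Constructed "netstat -ano" output (the -o switch adds the owning PID).
# Addresses and PIDs are made up for this example.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1024
  TCP    127.0.0.1:1032         127.0.0.1:1033         ESTABLISHED     1812
  TCP    192.168.1.5:1044       192.0.2.25:25          ESTABLISHED     2276
  TCP    192.168.1.5:1051       198.51.100.7:80        TIME_WAIT       0
  TCP    192.168.1.5:1060       192.0.2.10:21          ESTABLISHED     2276
  UDP    0.0.0.0:445            *:*                                    4
"""

# Ports a keylogger's email or FTP upload feature would typically use
# (assumption for this example, not a list from either product).
EXFIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 21: "ftp"}


def split_endpoint(endpoint):
    """'192.0.2.25:25' -> ('192.0.2.25', 25); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(output):
    """Turn the netstat table into a list of connection records."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # headers, blank lines, anything unexpected
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign), "state": state,
                     "pid": int(pid)})
    return rows


def outbound_connections(rows):
    """Drop listeners, loopback and unbound UDP; keep anything that actually
    reached out, including TIME_WAIT, since a short SMTP session may only
    survive there by the time netstat is run."""
    kept = []
    for r in rows:
        host, port = r["foreign"]
        if r["state"] == "LISTENING" or port is None:
            continue
        if host in ("0.0.0.0", "::") or host.startswith("127."):
            continue
        kept.append(dict(r, service=EXFIL_PORTS.get(port, "other")))
    return kept


def by_pid(connections):
    """Group foreign endpoints by owning process so one PID can be chased
    down with Process Explorer or tasklist."""
    groups = {}
    for c in connections:
        host, port = c["foreign"]
        groups.setdefault(c["pid"], []).append((host, port, c["service"]))
    return groups


if __name__ == "__main__":
    grouped = by_pid(outbound_connections(parse_netstat(NETSTAT_OUTPUT)))
    for pid, endpoints in grouped.items():
        print(pid, endpoints)
```

In the sample, PID 2276 owns both the port 25 and the port 21 connections, which is the process to look up in Process Explorer (or with tasklist /FI "PID eq 2276") before investigating the foreign addresses with whois. Because the keyloggers may only send logs on a schedule, a single netstat snapshot can easily miss the connection; running it repeatedly, or leaving Ethereal capturing as the clarification above suggests, is what catches it.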
