help with keyloggers

June 3, 2009 at 19:22:45
Specs: Windows XP
Very long story, so I will try to make it short. Basically a psycho ex is keylogging my computer. Found one that had been on my computer since Sept. 08, didn't find it until March or so. I removed that one successfully. He was boasting that it didn't matter because there were several more in place. I thought he was bluffing until recently he was able to recite to me emails, IM conversations etc. that he was not privy to.
I have run every scan, dl every virus program, spyware program etc. that I can find, that's free, and they all find nothing.
I don't know what else to try but this is getting ridiculous. Any help would be greatly appreciated.



#1
June 3, 2009 at 19:54:44
Hi,
1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to rapidshare.com. HijackThis: Here


#2
June 3, 2009 at 21:33:26
Ok done, so far just have dl and made the file for the AVG, I'll do the hijack part in a minute. Thanks for your help in advance!
Let me know if this works, kinda new at this stuff.
http://rapidshare.com/files/2405943...


#3
June 3, 2009 at 21:38:30
http://rapidshare.com/files/2405954...
and there is the hijack log. Again let me know if that came out right. Never used that before.
Thanks!
-Stacy


#4
June 4, 2009 at 06:12:39
Do you run http://www.widestep.com/anti-keylog... and SnoopFree? You have a bunch of anti-keyloggers on your system; if none of them found anything I doubt there is anything lol... There are other aspects of hacking than just keylogging.

Also: Upload these files, C:\WINDOWS\System32\Drivers\aai8b11d.SYS and C:\WINDOWS\system32\DRIVERS\wanatw4.sys, to rapidshare.com and private message me the download link. Just want to make sure it's not one of those custom keyloggers that you pay for.


#5
June 4, 2009 at 08:57:58
Yeah, I dl everything I could find or that was suggested to me, specifically for keyloggers and they always find zilch. Problem being, he isn't an idiot when it comes to computers. I had a friend remotely access my computer, he couldn't find anything, until my ex had gotten into my house when I was at work and went on my computer. Then some icon appeared in my sys tray and it revealed the logger. It was taking screen shots, recording audio, text and video.
This friend did a port scan? I think it was called, he said he found nothing so whatever it is, is on my computer. My ex is friends with some pretty well known people that hack PSPs and things like that. I know, not the same as a computer per se but the crowd that does that is also into computers. He claims these friends have given him "the tools" to continue to do whatever he wants.
So I just don't get what else it is, how does someone see ims, emails etc. unless they're recording keystrokes or grabbing screen shots? I thought this was done by keyloggers? But I will u/l those files and pm you. Thanks for your time!
-Stacy


#6
June 4, 2009 at 09:11:02
hmm I don't seem to see either of those files.


#7
June 4, 2009 at 09:22:01
1) Run this in AVZ:

begin
SetAVZPMStatus(True);
RebootWindows(true);
end.

2) After reboot follow Response Number 1 step 1 and make a new log.


#8
June 4, 2009 at 09:31:35
http://rapidshare.com/files/2407905...
there is a hijack log, for some reason after the computer rebooted, I went into the log sub folder and there was just the one from earlier. It didn't seem to be modified to today's time. Not sure that worked.


#9
June 4, 2009 at 09:35:03
Wrong one. Follow part 2 if you did step 1.


#10
June 4, 2009 at 10:21:21
Ok, it runs the script fine, reboots fine. But when I get back and go into the log folder/ virusinfo_syssecure folder, it appears just to be the original one I already sent you. I never needed to create a log file, it just did one automatically, so I assumed it would for this as well.


#11
June 4, 2009 at 10:42:14
Yes, it overwrites it, just upload it to rapidshare. It's basically the same.


#13
June 4, 2009 at 18:36:13
Hmm, something is not right, it's the same file. Delete the LOG folder then follow Response Number 7 in the order numbered.


#14
June 4, 2009 at 18:47:13
Yeah, it isn't working. I deleted the folder, and repeated everything. Just got back on and it didn't make a folder at all. When I enter the script, right after I hit run, it pops up saying it was executed without errors and shuts me down. The very first time I did one of those, it took a few secs and there were little blue bars appearing to show progress. This time no progress bars. Not sure what the problem is.


#15
June 4, 2009 at 18:52:11
Also, had a nice little chat with him today. He said something about using a "global hook" whatever that is! Is that a type of keylogger? Is it possible with that, he can see ims and emails? He wouldn't say anymore, but again went on and on about how nothing I do will undo the damage, I said I would buy a new computer since this one we had when we lived together and has tons of his crap on it. He said it wouldn't matter he could still access it.


#16
June 4, 2009 at 19:15:53
Which one doesn't work? Response Number 1?


#17
June 4, 2009 at 19:20:37
I thought you had wanted me to redo #7's script. That one doesn't seem to make a log go in the folder.


#18
June 4, 2009 at 19:23:01
Response Number 7 step 2) = Response Number 1 Step 1)


#19
June 4, 2009 at 19:36:16
http://rapidshare.com/files/2409527...
Ok think I got it.


#20
June 4, 2009 at 19:56:01
Do you use Stardock Boot Screen? I am not seeing any normal Stardock applications running.


#21
June 4, 2009 at 19:57:55
Yep, why is it bad?


#22
June 4, 2009 at 20:19:06
Download This file. Note its name and save it to your root folder, such as C:\.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
* Click on this link to see a list of programs that should be disabled.
* Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
* Allow the driver to load if asked.
* You may be prompted to scan immediately if it detects rootkit activity.
* If you are prompted to scan your system click "Yes" to begin the scan.
* If not prompted, click the "Rootkit/Malware" tab.
* On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
* Select all drives that are connected to your system to be scanned.
* Click the Scan button to begin. (Please be patient as it can take some time to complete)
* When the scan is finished, click Save to save the scan results to your Desktop.
* Save the file as Results.log and upload that file to rapidshare.com and post download link in your next reply.
* Exit the program and re-enable all active protection when done.


#24
June 5, 2009 at 04:48:59
Download and Run OTViewit

1. Please download OTViewIt by OldTimer.
2. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Click the "Scan All Users" checkbox.
5. Push the "Run Scan" button.
6. Two reports will open, copy and upload them to rapidshare (paste download link).
7. OTViewIt.txt <-- Will be opened
8. Extra.txt <-- Will be minimized

Thanks


#26
June 5, 2009 at 05:26:52
Upload C:\Documents and Settings\CaidenTech\Desktop\0thssk0k.exe to rapidshare and send me the download link. I don't see anything in the logs since the past 30 days. As far as I can tell there is no logger of any sort.


#28
June 5, 2009 at 08:59:52
You can try http://www.free-av.com/en/tools/4/a... if that doesn't detect anything then you might want to change all the passwords on the computer and password protect your computer at boot via the BIOS.


#29
June 5, 2009 at 17:03:03
Well today he mentioned that I was getting "advice" from someone about trying to find whatever it is he's using to see everything I do on here. He laughed about it and said it's not on my computer and it won't be found. Is this even possible? I don't understand how this works. If someone checked to make sure there wasn't anything outbound on my computer going somewhere else, then one would think it is on my computer but no one ever seems to find things.
I know he isn't bluffing because as recently as Tuesday he was able to tell me word for word conversations I had. I do thank you for your help, I'm just perplexed how it is there's nothing on my computer or going out anywhere yet he sees everything. He said it isn't real time, but he was able to see something the next day from the night before. So it gets sent to him soon enough. Do you know of anything that could do this, if it's not a keylogger?
-Stacy


#30
June 5, 2009 at 17:32:46
Anyways, whatever it is do let us know when you find out :). Like he said, whatever it is it's not on your computer. Good luck on your quest!!


#31
June 5, 2009 at 17:32:58
There's one thing that comes to mind... he or someone or a program could be remotely accessing your pc and recording activity from elsewhere. They could even be intercepting packets you send across the internet.

neoark's scans are very comprehensive so I would imagine that the likelihood of anything on your pc doing the reporting would have thrown up a red flag or two.

There are two things I can think of to combat this.

The first is a software firewall to monitor any inbound connection attempts. Basically if you haven't initiated any web interaction, or are in the middle of already doing something on the web and the firewall is triggered, it should raise an eyebrow. By no means are software firewalls foolproof, but they do add an extra layer of security.

The second is requesting that your ISP change your IP address, I'm sure if you explain the dilemma they will happily oblige. Any remote access needs your WAN IP to connect and if they are unable to locate your IP Address they can't connect. This is what I would be doing if it were myself.

Also do you use a wireless router, or have any kind of wireless connectivity?



#32
June 5, 2009 at 17:41:34
Yes, I use wireless. That is possible, like I said it's my ex not some stranger on the internet messing with me. He helped me set up my network, so it's possible when things were fine between us and he was over here that he could have gone on here and gotten that information.
I'm not sure what kind of firewall I have on here, it says I have one but it may just be the one that windows puts on here. Do you recommend any one in particular?
Is it possible that if he has a laptop or something with a wireless connection, that he could sit outside my house and connect to the internet and find out any of the IP information?


#33
June 5, 2009 at 18:59:50
Accessing your PC through the wireless connection is a very good likelihood.

If he set up the encryption on the wireless he basically has untethered access, if he or someone with another pc with wireless connectivity is within range. This is scarily easy to do.

First thing is to alter the security settings on your wireless router. This is very important. If you have documentation you should look at changing the encryption key. If you have the option of WPA vs WEP use WPA. This is much much stronger than WEP. Also change the password to the router login configuration page. Look into MAC address filtering also.

Windows XP does have a firewall... but honestly it is nothing to rave about.

I have had the Zonealarm firewall (free) for years and have found it to be very good. You may notice a slight slowdown in bootup times on your PC. Zonealarm will need to be trained, basically it means you have to teach it what is allowed access to the internet and what's not. It will also alert you of any intrusion attempts. Net to pc.

Sorry I have found myself in a bit of a rush so I haven't put as much time into this post as I should.

If you have any more queries please ask.

Also if you need help to bolster down your router and wireless security settings you can ask for assistance in the networking forum also. They're very good at network security. We will have a look also if you wish to provide the details (make, model) of your modem router.



#34
June 7, 2009 at 11:50:38
Is it possible that if I do any of this right now, he'll just see the passwords? I dl the firewall, have it up and running. It doesn't seem to be identifying any problems as of yet.
Should I assume that only when my computer is connected to the internet that he's able to access it? So if i disabled the wireless connection and set up passwords he shouldn't be able to see them?


#35
June 7, 2009 at 16:35:55
EDIT The advice below is based on the fact that no software keyloggers were found on your PC. I'm not sure if he would go to the extent of using a hardware keylogger (undetectable by software), but it is possible. This technology can transmit wirelessly also, so that physical access isn't needed to host PC.

Google "hardware keylogger" images, to get an idea of what to look for at the back of your pc tower.END EDIT

If you use wireless he can connect anytime he is within range and your wireless is running. You don't have to be connected to the internet.

If you change the encryption on the wireless device, employ MAC address filtering and change the password to the router login he won't be able to connect to your internal network (your home pc's). If the option is available you can also hide SSID, this basically makes the network hidden to wireless devices. Again this is another small measure that isn't unbreakable, the really really important part is to change your encryption key.

Have a look at the password management strategy below to create yourself a strong password for encryption. This prevents brute force attacks to gain access, e.g. dictionary attacks.

http://www.computing.net/answers/se...

If you use these steps he will not be able to gain access to your network via the wireless. The only way to gain access would be to physically be at your router and perform a hard reset, so if all your configurations are cleared the possibility of this having been done is strong.

You should also change your passwords to any Emailing and Instant messaging applications you use, as neoark has already suggested.

Another thought occurred to me: if he is reciting instant messages that you have had I would check to see that they are not automatically being saved. Have a look to see if this is happening; if it is you might want to set the IM program up so it does not save instant messaging conversations.

Many countries have laws to protect against people accessing networks without authority, especially for malicious or wilful intent. It may pay to speak with the local authorities in this regard to see where you stand.

Most routers today keep a log of all machines MAC addresses which have accessed the network. The MAC address can tie the network card to the PC which in turn ties it to the person.



#36
June 7, 2009 at 17:24:53
Hmm, I do archive my pms.
He almost never seems to have his laptop, he does have his psp around a lot. I know this can connect wirelessly.
My concern is that if I switch over passwords, he will somehow be able to view me doing this and then it's pointless.
How do I get into the router? It's a belkin.


#37
June 7, 2009 at 18:14:36
Does he have physical access to your pc? Your network will never truly be secure if he does.

You might want to encrypt the contents of your IM folder and other sensitive data.

http://www.snapfiles.com/downloadfi...

To be totally sure how to log into your router we will need the model number as well... it should be on a sticker on the underside or the back.

It is advisable that your pc is physically connected to the router with a network cable rather than logging in wirelessly. Saying this though, I often log into mine wirelessly.

To log into the majority of most Belkin routers you open a web page and put 192.168.2.1 into the address bar and hit enter. The default username and password fields are left blank.

If you can get to the router login page and don't know the login and password, and the default settings have been changed, you will need to do a hard reset. To do this look for a small pin hole button and depress it with a paper clip or pen nib for about 5 seconds. The login and password (and all other settings) should reset back to factory condition.



#38
June 7, 2009 at 18:37:18
Well we have two kids together so he has to come here to get them and what not. He has broken in twice to my house and both times messed with the computer. I did contact the police back in Feb when I first found the keylogger, they took a statement, went for a warrant but so far no arrest. They never even sent someone to look at my computer, so I doubt it will stick. As we currently type, he is sending private conversations to everyone on my buddy list. I seriously want to scream right now. He is not physically allowed in my home, or on the computer. But he does come and sit in the driveway to get the kids. So it worries me that he could just turn his psp on and connect to my network and get whatever he can. I don't know how it works or if that's possible I'm just thinking out loud. I'll go and get the model number.
I tried the number thing for the router, I googled, and it didn't work for me.


#39
June 7, 2009 at 18:46:33
hmmm I don't know if this is right, but all I could find was BDC08418641W0..the last one is either a zero or the letter o.


#40
June 7, 2009 at 18:54:42
I'm not familiar with the PSP and the extent of network capabilities. But as with any kind of wireless device there are often ways to make them do what you want through firmware and software upgrades.

It does sound like he has access to your messenger program, if he is sending the messages under your username. I think he has your password here, so it would be best to change it ASAP to something obscure. Refer to the post about password management strategy. Also change the details for the forgotten password form, i.e. secret question and email account to retrieve the lost password from. Change the password to your email account too, and the forgotten password details there also.

To prevent physical access to your computer, setup a login page to password protect the operating system.

http://pcsupport.about.com/od/tipst...



#41
June 7, 2009 at 19:08:25
That looks like the product serial number.

Are there any other letters / numbers?

Is there a picture of your one below?

http://images.google.com.au/images?...



#42
June 7, 2009 at 19:08:33
Oh, he isn't on my user name sending them out. He's sending out ims he's getting from the keylogger or whatever it is he's using to spy on me. He's sent screen shots to people of my ims etc.
I've changed my passwords many times since this first started. Made sure they had numbers and symbols and he's still getting in which worries me that just changing passwords on things isn't enough. That he's seeing what the passwords are being changed to so it's not preventing anything.


#43
June 7, 2009 at 19:23:24
Ok I'm confused. I went back to see if there was anything else on it and I found something that said model. So I wrote down the number, googled it and it came up as the backup battery? We got everything from AT&T. I've seen a router before and this doesn't even look like one. All that seems to be there is the modem and then some battery? I'm connected wirelessly because the modem is upstairs and my computer is downstairs.


#44
June 7, 2009 at 19:27:01
It's not good to hear that screenshots of your pm's are going out. Is this recent or something that happened only before you discovered the keylogger?

Either the screen shots are being captured real-time or they're being cached and then collected. Either way the system security is being compromised.



#45
June 7, 2009 at 19:30:59
Have you got the modem details?


#46
June 7, 2009 at 19:51:38
lol, you're going to think I'm so stupid lol. Ok, I just went to AT&T's website and the "modem" is like the gateway? I guess for a 2Wire connection? So I'm assuming this acts like a router for the wireless? I'm going to go upstairs and get the details.
I can't be sure, when he sent screen shots to people, it only had the time stamp on them not the dates. If they came from the archive it would show the date, I don't time stamp my pms. So figure that one out lol.
Ok what would you need to know about the modem?


#47
June 7, 2009 at 19:59:03
I have attached an article about jail time for ex husband and keylogging... maybe you should pass it on.

http://billpstudios.blogspot.com/20...

Bill Pytlovany the author of winpatrol has been providing this excellent free security program for years now (I use it myself) and has included a display hidden startup entry that is able to ID software keyloggers.

Another article:

http://blogs.pcworld.com/tipsandtwe...

Definitely worth looking into



#48
June 7, 2009 at 20:02:52
The model number should do it.

I will also get you to give the gateway address.

Click on start > run and copy / paste the bolded text below into the run box and hit enter.

cmd /c ipconfig /all > "%userprofile%\desktop\ipconfig.txt"

You will have a file on the desktop named ipconfig, can you open it and provide the default gateway details.

It should look something like 192.168.x.x



#49
June 7, 2009 at 20:09:04
Ok I was able to use the 192. thingy, and it got me into everything. I'm scared to change the system password lol. will this mess up the internet for other people in the house? Will they need to change the password on their computer as well?


#50
June 7, 2009 at 20:30:13
Ok, I did the SSID thing. It was set so that anyone within range could access the network. I took that off. Then I went into the MAC filtering option.
Found something interesting. There were 4 devices currently allowed. A default setting, then two named computers, then one named "manwhore". I did not come up with that name but that's what I called a guy friend on here alllllll the time that my ex is obsessed with. I don't see my computer on there. Do you think he renamed my computer as that? Or do you think that's him on some other device?


#51
June 7, 2009 at 20:49:06
Ok I moved that one to the blocked devices section just in case it was someone's something on my network and they named it that, but I doubt it.


#52
June 7, 2009 at 20:52:05
Can you follow the Run command from response #48.

Once you have run it open the text document on the desktop named ipconfig and see if the MAC address

example Physical Address. . . . . . . . . : 00-1S-4D-4C-E5-34

Corresponds to the entry named "manwhore"

Your pc will have an inclusion in the MAC filtering list... so through deduction you should be able to see which if any PC MAC addys don't belong. You will have to find the physical addresses on all of the wirelessly connected PCs though.
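As an added example (not code from this thread or from any tool mentioned in it), a small Python script that does the cross-check described above: it pulls the Physical Address lines out of saved ipconfig /all output from each household PC, normalizes them against the MAC filter list copied from the router page, and reports any allowed entry that no household adapter accounts for. All hostnames, device labels and MAC addresses in it are constructed for the example.

```python
import re

# Constructed `ipconfig /all` output for two household PCs (made-up hostnames
# and MACs, not output from the thread). On a real PC the text comes from
# running: cmd /c ipconfig /all > "%userprofile%\desktop\ipconfig.txt"
SAMPLE_IPCONFIG_PC = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : FAMILY-PC

Ethernet adapter Wireless Network Connection:

        Physical Address. . . . . . . . . : 00-1A-4D-4C-E5-34
        Default Gateway . . . . . . . . . : 192.168.1.254

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Physical Address. . . . . . . . . : 00-1B-2C-3D-4E-5F
"""

SAMPLE_IPCONFIG_LAPTOP = """\
        Host Name . . . . . . . . . . . . : KIDS-LAPTOP

Ethernet adapter Wireless Network Connection 2:

        Physical Address. . . . . . . . . : 00-21-6A-7B-8C-9D
        Default Gateway . . . . . . . . . : 192.168.1.254
"""

# Constructed MAC filter allow list as copied from the router's config page
# (device label -> MAC). Router pages often use colons and upper case.
ROUTER_ALLOW_LIST = {
    "FAMILY-PC": "00:1A:4D:4C:E5:34",
    "KIDS-LAPTOP": "00:21:6A:7B:8C:9D",
    "manwhore": "00:25:D3:AA:BB:CC",
}

MAC_RE = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")
GATEWAY_RE = re.compile(r"Default Gateway[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def normalize_mac(mac):
    """ipconfig prints 00-1A-..., router pages often 00:1a:...; compare
    both in one canonical form."""
    return mac.strip().replace("-", ":").lower()


def parse_ipconfig_macs(text):
    """Every adapter MAC (normalized) in one ipconfig /all dump, including
    disconnected adapters, since the router may have seen any of them."""
    return [normalize_mac(m) for m in MAC_RE.findall(text)]


def parse_default_gateway(text):
    """First default gateway (the router's LAN address), or None."""
    m = GATEWAY_RE.search(text)
    return m.group(1) if m else None


def known_household_macs(dumps):
    """Union of adapter MACs over dumps collected from every PC in the house."""
    known = set()
    for dump in dumps:
        known.update(parse_ipconfig_macs(dump))
    return known


def audit_allow_list(allow_list, known_macs):
    """Split the router allow list into entries backed by a household adapter
    and entries nothing in the house accounts for; the latter are the ones
    to move to the blocked list."""
    matched, unknown = {}, {}
    for label, mac in allow_list.items():
        mac = normalize_mac(mac)
        (matched if mac in known_macs else unknown)[label] = mac
    return matched, unknown


if __name__ == "__main__":
    known = known_household_macs([SAMPLE_IPCONFIG_PC, SAMPLE_IPCONFIG_LAPTOP])
    matched, unknown = audit_allow_list(ROUTER_ALLOW_LIST, known)
    print("router address:", parse_default_gateway(SAMPLE_IPCONFIG_PC))
    print("backed by a household PC:", matched)
    print("not accounted for:", unknown)
```

An entry left in "unknown" after every PC, phone and games console in the house has been dumped is the one to block and investigate.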



#53
June 7, 2009 at 20:56:14
It was already set up with the WPA-PSK setting for wireless network security. There are other options for WPA but is that one ok? It says WPA-PSK, WPA2-PSK for another option, does that mean for two different computers, two wireless connections? If so, does that mean only the first wireless connection is protected and mine has been open the entire time?


#54
June 7, 2009 at 21:09:14
Ok, I'm pretty sure whatever that is, he put it there. So what does that mean? Him allowing himself on the network would mean that only when he was in range he was able to somehow get information sent to him? But since that was basically on a daily basis or every other day kinda thing, it was often enough. Now that I've taken that away, he can't? Problem maybe solved?


#55
June 7, 2009 at 21:11:52
The WPA-PSK setting will be fine for all of your PC's, because it is the one currently being used.

WEP is an older encryption method and is now very easy to "crack"

WPA is newer and still very strong when a decent passphrase / password is used.

WPA2 is the newest, and most secure. This may not be compatible with some older hardware tech.

When you change the password it will need to be changed on all wireless devices / PCs in the house. After it is changed the next time the PC's attempt to open a web page they will be informed about a secure network and prompt for a password. Once the password is entered the setting should stick and thereafter connecting should be just like it was originally.

If you have Vista on any of the machines you will have to go into networks in the control panel and activate network discovery.

Make your password secure, and try to use a combination of letters, numbers and symbols. Try to use more than 20 characters, the more the better.



#56
June 7, 2009 at 21:16:37
Changing the password to the router / modem interface won't affect any pc's connecting to the net. It just means that to access the router / modem config page the new password will be needed.


#57
June 7, 2009 at 21:19:14
Yes, having his machine allowed access means that he could at any time when in range connect to your home network. Removing his MAC address or disallowing it temporarily means he can't access. If he can get to the router / modem config page again though, he can put his device back on the allowed list.

The passwords are really needed.



#58
June 7, 2009 at 21:42:08
One last thing. How many computers connect wirelessly?

You have settings for 4 MAC addys allowed? This would indicate there are 4 PCs?



#59
June 7, 2009 at 22:18:05
Originally there were 3 pcs hooked up. We have phone through the internet and cable. All 3 services go through the modem. So there's a long list of things. But under the MAC allowed devices, there was one called default, then two pc names I recognized and know are ok, my computer name and then the "manwhore" one.
All the things that show up on the home network are listed as local interfaces. 1 ethernet, 4 homepna, 1 wireless.


#60
June 7, 2009 at 23:15:52
Okay...

depending on what you have this is basically how it should look.

2 PCs that connect wirelessly and no other wireless devices. MAC filtering 2 devices allowed.

2 PCs that connect wirelessly, 1 PC wired in with ethernet cable. MAC filtering 2 devices allowed.

2PCs that connect wirelessly, and 1 gaming device that connects wirelessly. MAC filtering 3 devices allowed.

and so on...

