I have a situation that is stumping me. I had a computer brought to me that the individual suspects has a keylogger on it. I asked them what makes them believe there is one there, and they told me that a new business associate had sent them a .xls document a few weeks back, and that after that not only did their computer slow down tremendously, but they also noticed that he seemed to know everything that was going on through their personal emails. They sent out a fake email, and to their surprise within several minutes the associate was on the phone asking questions that would pertain to the fake situation.
System: Dell Inspiron running Vista Home Edition
Of course I have run antispyware software (which catches a minimal amount) and I have also checked processes (which this one seems to hide on top of the startup programs). I have also been checking the logs for outbound traffic; however, I am sure the logger uses port 80 or 443, so this will be hard to determine. Does anyone have any ideas for finding out if this keylogger is actually on the system? Is there also a way to look at what IP address the information is being relayed to? I also have the suspected .xls file. Can I check this file to see if this is the spreader?
This answer assumes you have the computer available to you and you can run it live. This is not forensic.
Make an Incident Response toolkit on your own computer. This is just a CD with a bunch of tools on it. You can throw CMD.exe on there, but as keydet89 states this is no guarantee because you would still be using DLL files from the suspect machine. But that could be OK.
Get the Sysinternals tools, or you could just run them straight from the web at live.sysinternals.com
My thinking is to run tools like Process Monitor and Process Explorer and pslist -t, and handle. This is a good one: it will tell you what files the processes have open. If it is a keylogger, then it will need to have a file open to write the keys to.
There are more, but I don't have my notes in front of me.
These will be a good start.
If you have never used pslist, it will show the processes running, and there will be child processes that will be running under them. Look for ones that don't look right and investigate from there.
Good luck.
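One way to act on the pslist -t advice above together with the question's worry about port 80/443, as an added example that is not code from the thread: it parses saved `pslist -t` and `netstat -ano` output (the netstat step is my assumption, not something the answer names), rebuilds the process tree from the indentation, and lists which process and parent chain owns each established web connection along with the remote IP, so a non-browser process on 443 stands out. The two samples are constructed and their column layout is approximated.

```python
import re

# Added example, not code from the thread. Constructed samples shaped like Sysinternals
# 'pslist -t' (indentation = tree depth) and 'netstat -ano'; 'updmon' is a made-up name.
PSLIST_SAMPLE = """\
Name                Pid Pri Thd  Hnd      VM      WS    Priv
System                4   8  57  475    1896     216      36
explorer           1204   8  22  618  112340   28740   12236
  firefox          2052   8  31  702  201112   65120   47108
  updmon           2388   8   3   88   41872    5432    2204
"""
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49201      203.0.113.10:443       ESTABLISHED     2052
  TCP    192.168.1.5:49210      198.51.100.7:443       ESTABLISHED     2388
"""

def parse_pslist_tree(text):
    """Return {pid: (name, parent_pid)}; the parent is recovered from indentation."""
    tree, stack = {}, []  # stack holds (depth, pid) of the current ancestry
    for line in text.splitlines():
        m = re.match(r"^( *)(\S+)\s+(\d+)\s", line)  # header/banner lines do not match
        if m:
            depth, name, pid = len(m.group(1)), m.group(2), int(m.group(3))
            while stack and stack[-1][0] >= depth:
                stack.pop()
            tree[pid] = (name, stack[-1][1] if stack else None)
            stack.append((depth, pid))
    return tree

def parse_netstat(text, ports=(80, 443)):
    """Return [(pid, remote_ip, remote_port)] for ESTABLISHED TCP on the given ports."""
    conns = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            ip, port = f[2].rsplit(":", 1)
            if int(port) in ports:
                conns.append((int(f[4]), ip, int(port)))
    return conns

def ancestry(tree, pid):
    """Render the parent chain, e.g. 'explorer(1204) > updmon(2388)'."""
    chain = []
    while pid in tree:
        chain.append(f"{tree[pid][0]}({pid})")
        pid = tree[pid][1]
    return " > ".join(reversed(chain))

def flag_web_talkers(tree, conns, expected=("firefox", "iexplore")):
    """Web connections owned by anything other than the browsers you expect to see."""
    return [(ancestry(tree, pid), ip, port) for pid, ip, port in conns
            if tree.get(pid, ("?",))[0].lower() not in expected]
```

Run `pslist -t` and `netstat -ano` on the suspect machine, save each to a file, and feed the file contents to the two parsers in place of the samples.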
In addition to the above, I would consider placing a hub between the suspect PC (or spanning the ports on the switch if it is connected to commercial-grade networking) and its internet access, then running Wireshark or any other network capture tool to capture any packets that leave/enter the machine. This will soon let you know whether information is getting out that way, though it may be encrypted. You will also get the destination IP this way, though a smart adversary will be using some form of anonymising, utilising proxies etc.
Mialta
This sounds like eBlaster from SpectorSoft.
With the computer running, hit the keys Ctrl + Shift + Alt + T simultaneously. If eBlaster is on the computer then a generic dialog box will pop up asking for a password.
A forensic analysis of eBlaster can be found at http//
I believe this is eBlaster because it communicates via port 443 and it has a remote installation option.