
Thread: Trace keylogger's footsteps?

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    8

    Trace keylogger's footsteps?

    I'm wondering if there's any way to see the log files a keylogger created to find out what info has been accessed, and where it was sent.

    The keylogger in question was found and removed by SB (banker.fgv) two days ago, and I've never had any indication that my banking or other sensitive financial info was cracked, but I have for several months now suspected that someone I know has been tracing my steps online. (Could just be your garden variety paranoia.)

    Anyway - now that the keylogger has been removed, is there a way to find its log files, or evidence of its transmissions?

    Thanks!

    Hannah

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Hello hannahj,

    Quote Originally Posted by hannahj View Post
    I've never had any indication that my banking or other sensitive financial info was cracked, but I have for several months now suspected that someone I know has been tracing my steps online.
    If you believe there is a possibility that the system is still compromised, follow the instructions in this link: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)
    Then start a topic in the Malware Removal Forum where an analyst will advise you as soon as available.

    It would be prudent to change your online passwords using another system.

    Quote Originally Posted by hannahj View Post
    Anyway - now that the keylogger has been removed, is there a way to find its log files, or evidence of its transmissions?
    The person who did the keylogging would have those.

    Basic information: http://en.wikipedia.org/wiki/Keystroke_logging

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    8

    Hi Tashi,
    Thanks for your quick reply. I did change my passwords from another computer. Scanning with SB my system now comes up clean.

    I understand that the goal of a keylogger program is to send the information to the one who installed it - but I wondered if by viewing my router logs or my firewall logs, for instance, I might find evidence at least of where the logs were being sent. Or is a keylogger that good at covering its tracks?

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Hi there,
    Quote Originally Posted by hannahj View Post
    I understand that the goal of a keylogger program is to send the information to the one who installed it - but I wondered if by viewing my router logs or my firewall logs, for instance, I might find evidence at least of where the logs were being sent?
    Quite a few variables are in play.

    You can of course analyze router and firewall logs if they are retained back to the time in question.

    If you suspect a particular person, did they have physical access to the computer?

    Is the router passworded? Are you using WEP or WPA?

    At this point if the PC is clean the best defence might be to use preventative measures rather than try to track down the hacker.

    Best regards.

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    8

    Hmmm - I would love to analyse my logs - if only I knew what to look for!

    But to answer your questions:

    No, they didn't have physical access (I actually suspect that I picked up the keylogger on their myspace page).

    Router is indeed passworded and using WEP.

    I agree prevention is the best course of action. I'm just dying to know if my suspicions are founded.
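
One way to start on the firewall-log review discussed above, as an added example that is not part of any post in this thread: it reads a Windows Firewall log (`pfirewall.log` layout) and lists outbound destinations contacted on ports other than ordinary web and DNS traffic. It only helps if connection logging was enabled at the time in question; the LAN range, the "expected" port set and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")   # assumption: the home LAN range
EXPECTED_PORTS = {"53", "80", "443"}       # assumption: ordinary DNS/web traffic

# Constructed sample in the Windows Firewall log layout; every address is a
# private or documentation-range value, none comes from the thread.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2010-01-12 09:14:02 ALLOW TCP 192.168.1.20 198.51.100.7 1045 80 0 - 0 0 0 - - - SEND
2010-01-12 09:14:05 ALLOW UDP 192.168.1.20 192.168.1.1 1046 53 0 - - - - - - - SEND
2010-01-12 09:30:00 ALLOW TCP 192.168.1.20 203.0.113.45 1050 25 0 - 0 0 0 - - - SEND
2010-01-12 10:30:00 ALLOW TCP 192.168.1.20 203.0.113.45 1061 25 0 - 0 0 0 - - - SEND
2010-01-12 11:30:01 ALLOW TCP 192.168.1.20 203.0.113.45 1077 25 0 - 0 0 0 - - - SEND
2010-01-12 11:31:00 DROP TCP 198.51.100.99 192.168.1.20 4000 445 0 - 0 0 0 - - - RECEIVE
"""

def outbound_summary(log_text, local_net=LOCAL_NET):
    """Map (dst-ip, protocol, dst-port) -> timestamps of allowed outbound connections."""
    fields, seen = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log header
            continue
        if not fields or not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        try:
            src, dst = ip_address(rec["src-ip"]), ip_address(rec["dst-ip"])
            key = (str(dst), rec["protocol"], rec["dst-port"])
            stamp = f'{rec["date"]} {rec["time"]}'
        except (KeyError, ValueError):
            continue                           # truncated or malformed line
        if rec.get("action") == "ALLOW" and src in local_net and dst not in local_net:
            seen[key].append(stamp)
    return dict(seen)

def review_list(summary, expected_ports=EXPECTED_PORTS):
    """Destinations on unexpected ports, most frequently contacted first."""
    rows = [(ip, proto, port, len(t), min(t), max(t))
            for (ip, proto, port), t in summary.items() if port not in expected_ports]
    return sorted(rows, key=lambda r: -r[3])

if __name__ == "__main__":
    for row in review_list(outbound_summary(SAMPLE_LOG)):
        print(*row)
```

Each row gives the destination, protocol, port, number of connections, and first and last time seen. A destination that shows up repeatedly on an unexpected port during the period in question is the kind of entry worth looking up.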

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Hi hannahj,
    Quote Originally Posted by hannahj View Post
    (I actually suspect that I picked up the keylogger on their myspace page).
    Do you recall the scenario?

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    8

    Yes, there were a couple different funky events.

    Landing on this particular myspace page popped up a window saying that the page was protected and prompted for a username and password, which I didn't provide but just x-ed out the window. This was absolutely NOT a myspace generated message, it even provided a name of the "security service". At the time I assumed the myspace page had been the victim of a hack that was phishing for other myspace pws. I guess this is still the most likely assumption.

    Then another time visiting the page my browser suddenly tried to open several other pages, then froze and I had to use the task manager to shut it down.

    I know, not very convincing. But this particular person has been uncannily knowing so much about me for months now, all unrelated and trivial things, and everything they mention is something I have recently searched on. I wish I believed in psychic connections - because that would be a more comfortable explanation. And just to clarify, I am a very grounded, not at all paranoid type of person. (really!)

  8. #8
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Hello hannahj,
    Quote Originally Posted by hannahj View Post
    Then another time visiting the page my browser suddenly tried to open several other pages, then froze and I had to use the task manager to shut it down.
    It might have been best not to re-visit the same page.

    If there is a possibility that the web page in question is compromised it should be reported to My Space as it could affect other users who go there.

    Best regards.

  9. #9
    Junior Member
    Join Date
    Jan 2010
    Posts
    8

    It might have been best not to re-visit the same page.
    See, now here's where we learn something about ourselves and our uncontrollable urges.

  10. #10
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    tashi offers good advice.
    If you are still a bit buggy or jumpy, you can always enable the WPA2 Wi-Fi encryption function on your router. Most routers should support it more or less. It is as simple as a "dropbox" option and clicking "Okay".
