
How do I detect hidden spyware



Some sort of spyware has been downloaded on to my personal computer. It makes a copy of every internet page that has been visited, including email and chat, records the time and creates a log. Basically it allows you to see everything that a user has done in the time that he has been logged in. The software is accessed by going to the start page and typing in the password. The software doesn't show up as a program or application anywhere that I have been able to find and although I have anti-spyware software on my computer, it doesn't detect it when it does a sweep.

Anyone have any suggestions?



Check if your shields are up.

https://www.grc.com/default.htm

I passed ;D

"

Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

"

"

Your Internet port 139 does not appear to exist!

One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

Unable to connect with NetBIOS to your computer.

All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet."

Those are the results you should get.

Also use a browser like Firefox with the NoScript plugin so you can decide for yourself whether to trust a website or not; don't confuse that with IE's web-phishing whatsitname.

IE is best left unused, even in emergencies, even more so then.


Use Process Monitor to see what process is writing the logs, then with Process Explorer determine what thread of that process is responsible, suspend all the bad threads, then kill them and delete their modules. Run a good AV afterwards and pray you really got everything.

If the modules are modified Windows modules, or you have a rootkit which is subverting Windows, then things get more complicated...

As jcarle points out, ShieldsUP is irrelevant and a poor firewall leak-testing utility anyway.

http://www.matousec.com/projects/firewall-challenge/

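A first-pass triage that does by script what the post above does by hand in Process Explorer, added here as an example (not code from the thread or from the Sysinternals tools): it flags running processes whose image is not validly Authenticode-signed or runs from outside the Windows and Program Files trees, then lists each suspect's loaded modules with their own signature state. The process names and paths it reports come from whatever machine it is run on; nothing here is taken from the original poster's system.

```powershell
# Added example, not from the thread. Read-only: it only enumerates and reports.
# Run from an elevated PowerShell so the Path of every process is readable.
# Caveat: on older Windows, catalog-signed system binaries can report 'NotSigned';
# treat the report as a starting point for manual review, not a verdict.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-InTrustedDir([string]$path) {
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousProcesses {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [PSCustomObject]@{
            Name      = $_.ProcessName
            Id        = $_.Id
            Path      = $_.Path
            SigStatus = $sig.Status   # 'Valid', 'NotSigned', 'HashMismatch', ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Threads   = $_.Threads.Count
        }
    } | Where-Object { $_.SigStatus -ne 'Valid' -or -not (Test-InTrustedDir $_.Path) }
}

# Modules loaded by one process, each with its own signature state. Monitoring
# software that hooks a legitimate host process tends to show up here as an
# unsigned DLL in an unusual directory.
function Get-ProcessModuleReport([int]$ProcessId) {
    try { $modules = (Get-Process -Id $ProcessId).Modules }
    catch { Write-Warning "Cannot read modules of PID $ProcessId ($($_.Exception.Message))"; return }
    $modules | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [PSCustomObject]@{ Module = $_.ModuleName; File = $_.FileName; SigStatus = $sig.Status }
    } | Sort-Object SigStatus, File
}

$suspects = Get-SuspiciousProcesses
$suspects | Format-Table Name, Id, SigStatus, Signer, Path -AutoSize
foreach ($p in $suspects) {
    "--- modules of $($p.Name) (PID $($p.Id)) ---"
    Get-ProcessModuleReport -ProcessId $p.Id | Format-Table -AutoSize
}
```

Once a suspect is identified, Process Monitor filtered on that PID shows whether it is the one writing the log files, and Process Explorer's thread view is where the suspend-and-kill step described above is done.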

Thanks for the suggestions, but as my nickname suggests, I am a neophyte when it comes to things computers. Not only do I not know what Process Monitor is, but I would have no clue as to how to access it.

In my case, this is simply a spying-type software that has been downloaded from the Internet (intentionally, by another user, she confirmed it and I have seen her access it by simply going to the Start page and typing in a password) onto my computer, for the express purpose of recording what internet, email and chat sites I have visited. (As an example, this email is being recorded as I type it). It is hidden somewhere on the hard drive, perhaps disguised as another program or application. As I indicated in my original email, the anti-spyware software that I downloaded did not uncover it.

I don't really care that it is on my computer, was just curious as to how I could discover where it is hidden.


I don't really care that it is on my computer, was just curious as to how I could discover where it is hidden.

Why don't you care that it is on your computer? Just curious to know why.

The way to discover where it is hidden has been suggested by DigeratiPrime. Use Process Explorer. You need to learn how to use some of these great tools to sniff out possible spyware. (Yours is more like a keylogger program). Spyware is really evasive.

Lastly, go to Add/Remove Programs in Control Panel and uninstall the program (since you know it was installed intentionally). But I doubt the program is listed there for you to remove. Hence you need to do some tracing...


FYI, some legitimate software vendors have this type of application specifically to find out what you are doing. They usually get purchased by someone who suspects you of doing something "naughty" and wants to catch you at it (for whatever reason). You may play he!! finding out what it is to remove it since it's sometimes more stealthy than an actual virus and may not show up with any removal tools (it is, after all, legitimate...).

Your only other option if you can't remove it would be to back up your "stuff" (wink) and reload. Keep browsing around for helpful hints - and Google on some of the things mentioned (e.g. "Process Explorer", HijackThis, etc.). Could be an ActiveX, a RUN item, or any other number of things.

Hope I didn't offend... you may just be a victim of extreme suspicion. Good luck...


What start page are you talking about, that would require a login?

The internet itself would not need this at all...

Just a portal page of an internet provider may be required in some cases, but this would also be forced up if starting empty and trying to go anywhere else too.

Some malware may have set your start page to a nasty place or mislead such an address (and others) by manipulating your HOSTS file.

Suppose your Internet Explorer uses something weird as its start page; then you should try to

- set that to empty page

- restart IE then and make sure the page in fact is blank

- then use the address of that blank page as start page

- completely stop using IE for the internet

BTW, if using Outlook Express, that's just another component of IE...

So also stop using this.

Also clean your system from all Browser Helper Objects, Downloaded Program Files, ActiveX components installed, clean up temporary internet files.

If a machine is as badly infected as yours seems to be, there's a fat chance it's already hijacked and trying to infect others, like all of your contacts.

So this is serious.

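The places the last two posts say to check (RUN items, Browser Helper Objects and ActiveX DLLs, the IE start page, and the HOSTS file) can be dumped in one go for manual review. This is an added example, not code from the thread; registry paths are the standard Windows locations, and it reads everything without changing anything.

```powershell
# Added example, not from the thread. Read-only inventory of the autostart and
# browser-hijack locations discussed above. Run it as the affected user so HKCU
# is that user's hive; HKLM entries need no elevation to read.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Every value under the Run/RunOnce keys: name and the command that will be started.
function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {   # skip the provider's own PS* metadata
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Browser Helper Objects are CLSIDs; resolve each to the DLL IE will load.
# (On 64-bit Windows, repeat with Wow6432Node in both paths for 32-bit IE.)
function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [PSCustomObject]@{ CLSID = $clsid; Dll = $server.'(default)' }
    }
}

function Get-IEStartPage {
    (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'
}

# HOSTS lines that map a name to anything other than the local host are the
# ones worth a second look; comments and blank lines are dropped.
function Get-NonLocalHostsEntries {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' }
}

'== Run / RunOnce ==';            Get-RunEntries | Format-Table -AutoSize
'== Browser Helper Objects ==';   Get-BrowserHelperObjects | Format-Table -AutoSize
'== IE start page ==';            Get-IEStartPage
'== Non-local HOSTS entries ==';  Get-NonLocalHostsEntries
```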

submix8c - no offence taken, you are exactly right, it is legitimate software, purchased and downloaded for the express purpose of catching me doing something naughty. It is indeed stealthy, my anti-spyware software doesn't pick it up.

Geej - I don't care because I am not doing anything on here that I shouldn't be. The irony of the situation is that I found out about the software being on here because someone else was doing something on the computer that they shouldn't have and it was pointed out to me via the software.

FishBowl - the start page I am referring to is the page that the computer automatically takes you to when you first log in - the one that has all the shortcut icons. From that page, the password for the software is typed and it brings up the software home page. It is not as serious as you make it out to be, because it is not malware. As submix8c correctly deduced, it is legitimate software, purchased and downloaded to record internet activity by all users.
