Keylogger detection

Curio
March 20th, 2005, 16:58 PM
Anyone know any good programs for detecting keyloggers?
lynchknot
March 20th, 2005, 17:46 PM
TDS-3 and Process Guard - a few top AV's are doing a much better job now (I'm sure you already know).

Process Guard coverage (bold is free version):
Control application execution
Protect applications from unwanted termination
Protect applications from unwanted modification & injection
Protect applications from unwanted viewing
Block new and changed programs
Protect physical memory (prevent operating system vulnerabilities)
Block Global Hooks (stops keyloggers and password stealers)
Block unwanted driver/service installation (stops rootkit trojans)
Block registry DLL injection (stops spyware such as CoolWebSearch)
Secure Message Handling (protects applications from messages)
Interface Lock (protects from malicious changes and other users)

For possible existing keyloggers ~ anti-keylogger programs:
SpyCop (signature based)
X-Cleaner will find some keyloggers - http://www.xblock.com/download-freeware.shtml
Snoopfree - http://www.snoopfree.com/default.htm
Pest Patrol's KeyPatrol (not sure how well, but Pest Patrol sure has a lot of false positives) - http://www.pestpatrol.com/KeyPatrol/

Then there's: http://www.privacykeyboard.com/anti-keyloggers.html
"The PrivacyKeyboard™ for Microsoft® Windows® NT/2000/XP Workstations is the FIRST product of its kind in the world that can provide every computer with strong protection against ALL types of keylogging programs (keyloggers) and keylogging hardware devices (hardware keyloggers), both known and unknown, currently in use or presently being developed worldwide."
TaskInfo shows hidden processes: http://www.softpedia.com/get/System/System-Info/TaskInfo.shtml

Current info about keyloggers themselves can be found here: http://keylogger.org/reviews.cgi?null=1

Curio
March 20th, 2005, 19:36 PM
TDS-3 is useless, I tried it on a few and it didn't flag any of them; same with Ewido. I'm not looking for something that stops them installing, I am looking for something that will find them on an infected system. X-Cleaner and MS AntiSpyware seem to detect a few but generally this seems an untapped market; perhaps there has not been a demand, but I'm sure I could stir one up. SpyCop sounds like it might be worth a try, do you know if they do a Try&Buy? SnoopFree apparently only runs on Windows XP - well, that's what it said when I tried to install it, but I don't think it's a scanner as such anyway.

lynchknot
March 20th, 2005, 19:58 PM
http://www.topshareware.com/SpyCop-download-1889.htm
I think there will always be a try and buy. If not, someone, out there, will force it into a try and buy.

Curio
March 20th, 2005, 20:37 PM
Bummer..... SpyCop proved equally worthless. On the brighter side Symantec Antivirus got some. It's quite surprising how poor detection really is - I think I'll go down the internet cafe and surf on the internet a bit, swapping between machines on a regular basis to install... I mean check for malicious software ;)

lynchknot
March 20th, 2005, 22:50 PM
How about: http://www.anti-keyloggers.com/products.html

Curio
March 20th, 2005, 23:37 PM
Tried Counter-Spy; this is obviously a thinly veiled re-pack of Giant Anti-Spyware: lots of files start with the prefix gcASxxxx - what are the chances? Quite a few have identical names - what are the chances? The GUI is almost identical - what are the chances? Anti-Keylogger is not a detection proggy either, plus there is misleading advertising on the product homepage (5 cows on the Tucows icon, it only got 3 - similar discrepancies down that list). I don't like that.
There are others out there that are pay only, but previous experience of that kind of deal tells me it's likely to be rubbish: they won't let you try it cos you would never buy it if you could. I downloaded 7 random keyloggers today and have been trying to detect them with various progs all day long; unfortunately I haven't gone about it in a very scientific way so I may have to start over using Virtual PC or VMware. Anyone using Blazing Tools Perfect Keylogger, you have done your money - it's about the only one that everything in the world detects instantly.

lynchknot
March 21st, 2005, 01:03 AM
How about this 4 cow: http://www.tucows.com/preview/195832.html
Are keyloggers able to hide from "Security Task Manager"?

**edit - a little dated, but here's 13 anti-keyloggers tested: http://www.wilderssecurity.com/showthread.php?t=50166&page=1
Keyloggers used for tests:
1. 007 keylogger
2. PC Bloodhound 1.1
3. PC spy 2.4.1
4. Actmon computer monitor v 5.11
5. Auto keylogger v 5.2
6. Pal computer surveillance system 3.2
7. Desktop spy agent
8. Blazing tools perfect keylogger lite v 2.80
9. Family keylogger v 2.80
10. Ghost keylogger v 3.80
11. Invisible keylogger 1.1
12. In the know 1.17
13. Home keylogger v 1.70
14. Key key 2000 professional 1.22
15. Keyboard logger 1.3
16. Looxee keylogger v 5.0.1.4
17. Real spy monitor build 2.13
18. Personal inspector v 400b
19. Computer monitor keylogger 1.0
20. Spy anytime pcspy 2.3
21. Sc-Keylog 2.25
22. Orvell monitoring 2004
23. Pal keylogger 1.01
24. Spyanywhere 3.01
25. Spybuddy 3.1
26. Spy-keylogger 1.0
27. Win-Spy stealth window monitor 7.1
28. XPC spy pro 2.02
29. Wintective keylogger and screen capture 2.2
30. Keylogger Express 1.01
31. Advanced Keylogger 1.0
32. Quick keylogger 2.1
33. Handy keylogger 3.24
34. NS keylogger 3.24
35. Ghost keylogger lite v 3.8

Curio
March 21st, 2005, 16:05 PM
"Latest Snooper Definitions updated on December 27, 2002" - from the Who's Watching Me website. Fills you with confidence.
In your Wilders link it actually states STM picked them all up - that's cool and I am going to look into it; in the main those results just prove my point that it's an untapped market. STM certainly looks good value and I like the interface, it could just be 'the ONE'.

lynchknot
March 21st, 2005, 16:28 PM
OK, how about this. I installed it yesterday - http://www.iarsn.com/taskinfo.html
Home: http://www.iarsn.com/taskinfo.html
TaskInfo shows information about all running processes and threads including ring0 VxD threads. Information about each process includes:
* Most of the processes that want to be invisible like worms, keyloggers and other spy software
* All threads (with details including Thread Start Address and Call Stack with Symbolic Information if possible)
* CPU usage (multiple CPU supported)
* Memory usage
* Scheduling rate
* Path
* Opened files and handles
* Loaded modules (DLLs etc.)
* Command line
* Environment variables
* Version information
* Connections
* and more!
TaskInfo also shows detailed system information:
* Total CPU usage (multiple CPU supported)
* Total memory usage (physical, virtual etc.)
* Total number of processes and threads
* Thread switches and interrupts rate
* Read/write data rates on disks
* Modem connection speed (if present)

Curio
March 21st, 2005, 17:54 PM
STM looks completely awesome at the moment; it has features which are exactly what I need and it flags potential threats - I believe at this early stage of testing it is going on my essential software list. It has flawlessly flagged 6 keyloggers and screen capture progs so far; it doesn't really remove them, but there is an old saying that goes something like 'if someone is in your computer it isn't your computer anymore', which basically translates to 'Hacked? Then wipe and reload, dude'. I am buying it some flowers and a box of chocolates later. I will certainly check out your other suggestion - have you run any bad things at it yet?
lynchknot
March 22nd, 2005, 20:09 PM
I don't purposely install bad apps. I do have a CD full of live viruses though.
Here's the latest SpyCop (but perhaps useless): http://img199.exs.cx/img199/1863/spycop2005032219lw.gif
Here's a screenshot of TaskInfo: http://img31.exs.cx/img31/1661/awesome9yt.jpg
I don't understand this message because there is no indication in the normal window (top rated is 57, which is considered "harmless"): http://img131.exs.cx/img131/9021/danger8eh.jpg

egghead
March 22nd, 2005, 20:43 PM
Here is a link to STM:
"Security Task Manager displays detailed information about all running processes (applications, DLLs, BHOs and services). For each process, it improves on Windows Task Manager, providing:
file name and directory path
security risk rating
description
start time
CPU usage graph
embedded hidden functions e.g. keyboard monitoring, browser supervision or manipulation
type of process e.g. visible window, systray program, DLL, IE-plugin, service
The Security Task Manager recognizes also virtual driver software, services, BHO and other processes hidden from the Windows task manager."
http://www.neuber.com/taskmanager/index.html
I have added this valuable program to my essentials as well. :)

Curio
March 22nd, 2005, 21:34 PM
The best bit in STM is down the bottom: it gives you all the info you need to sift the good ones from the bad ones, and combined with HijackThis, RegSeeker and a good working knowledge of Windows it is awesome. It won't tell you what you got but it will highlight what needs examining - you can then comment each one. Nod32 antivirus, that looks malicious to me - only joking; it weighs up positives and negatives derived from the properties of the process and gives you a nice little round-up. It also reveals the strings inside the app, which can uncover hidden command line options and internal commands like 'net share hackme$ c:\'.
The rating number doesn't mean it's necessarily harmful; it is more an indication of the abilities of the app. One that is hidden, logs keystrokes, takes screen captures and is hidden in startup will only rate 33 or so (I tried some that do exactly that), but the abilities are listed so you can say to yourself "hmmmm.... I don't remember trying to spy on myself". Nod32 probably has high priority, lots of hidden windows, intercepts email, intercepts disk reads and injects global hooks all over the gaff (only guessing) so will score high.

lynchknot
March 22nd, 2005, 22:05 PM
Nod only rates a 57 on my PC.

Curio
March 22nd, 2005, 22:17 PM
And some keyloggers rated 22. The number isn't the important bit.

lynchknot
March 22nd, 2005, 22:43 PM
OK, thanks. I don't see anything running I don't recognize, but that's not enough - I should study what exactly is going on, right? (the message I received) I have the trial version.

Curio
March 22nd, 2005, 23:10 PM
In the main window click on a process to highlight it. In the properties window - bottom middle - when you move the cursor to a line it will change to a '?'; click on it and a short explanation of why that is highlighted will appear. Bottom left of screen is major details of the file - who made it, what description they gave it, how it runs and when it was started. In the text strings box bottom right you will find way too much detail in normal files, which are coded by professionals with time and effort to spend putting in all kinds of error messages, program information etc. etc. But in dodgy files you will often find only a few strings - no/few error messages because they don't want you to know the app is running, some command lines and often the coder's tag/sig, something like 'you are all l4/\/\3rz and I r0x0rz::made by Weener2004'. There are other ways to do all this but it takes time - to have it in one nice package is great.

lynchknot
March 22nd, 2005, 23:46 PM
What do you think of TaskInfo?
No warnings, but it seems to give even more info. Screenshot: http://img31.exs.cx/img31/1661/awesome9yt.jpg

Curio
March 23rd, 2005, 22:00 PM
No contest, STM wins all ways round. Having lots and lots of info is not what I really want; what I want is relevant info, which is what STM provides. If I was looking for an app to monitor processes in great detail then I would consider it a useful addition; it may even be a killer app for something - but as yet I don't know what that something is. In a strange quirk of fate I checked three laptops today and one of them had a keylogger on it; it also had about 30 trojan infections, but I just thought it was a fortean moment. What found it? Avast antivirus - I am not using my new tools yet, but as soon as Avast highlighted it I recognised the filename as a default install of a very good logger.

lynchknot
March 28th, 2005, 21:20 PM
I have a problem with STM - every time I click OK another access violation pops up. I thought perhaps it was PG, but I disabled that and still get the errors: http://img97.exs.cx/img97/472/stm5uf.jpg
**edit - I think it may be due to Outpost: http://img199.exs.cx/img199/662/task2ay.jpg

Curio
March 29th, 2005, 23:28 PM
I have STM on several systems, both full and nagware version, and don't have a problem either with or without PG 2 / 3 (still use PG2 cos the free one is better than free PG3). The error message is, I agree, very reminiscent of what happens if PG is blocking an application trying to access physical memory. If you put PG into learning mode does it still happen? I would bank on it being PG unless you have any other apps that could prevent access to physical memory. I know on PG2 the PGhash and PGuard files used to occasionally corrupt (I wrote a utility to back them up periodically for that reason), but I haven't had that problem with 3.
You could also allow the STM executable terminate, modify, read for protected apps as well as Global Hooks, Physical Memory and install Drivers/Services. That should pretty much cover all possibilities for PG blocking it.

lynchknot
March 29th, 2005, 23:38 PM
I set up PG and disabled app control in Outpost, but still - there's something funny going on. I have to use Task Manager to shut it down because when I click OK on the popup another pops up - endlessly. I think perhaps something to do with this blank spot - very suspicious: http://img48.exs.cx/img48/4341/hang3xl.jpg

Curio
March 30th, 2005, 22:47 PM
I had a malware infection of some kind of adware/spyware on a customer's PC today which made STM do what yours is doing; I clicked OK 15 times before it finally let me kill the process. It wasn't a blank line like yours though, and yours hasn't finished running cos there is no red 'security' level. I have also found another nice process monitor come info tool, 'The Ultimate Troubleshooter', and at only $25 I like it. I am not sure it gets into essential tools, but it is very useful as it contains a database of tasks / processes and some information on each. See www.answersthatwork.com, which has some good useful stuff anyway and a nice section of tools. http://www.answersthatwork.com/TUT_images/tut_ok.jpg
What about PrevX - that might be stopping STM from reading its memory space.

lynchknot
March 30th, 2005, 23:06 PM
I disabled all that could prevent.

lynchknot
March 30th, 2005, 23:30 PM
I'm trying that troubleshooter. What does "not ok" mean? Should I disable the service? Also, I have a whole lot of unknowns.
**edit - Problem solved with Security Task Manager. I deleted a folder (STM) from "all users" application data - works now.
Looks like I will have to purchase STM because this is "killing" me!
http://i148.exs.cx/img148/2940/kill0dp.jpg

Curio
March 31st, 2005, 22:59 PM
TUT: click on the not OK line and there should be an explanation of why they think it's not OK down below. They might be wrong, but it's nice to know their opinions. For unknowns r-click the line and choose properties; it will give you the file's details and default icon - mostly these will be self explanatory, like RapApp.exe is a BI process. I am using STM in normal troubleshooting procedure now and it is excellent. Bagged myself 17 various malware programs with it today, including the now rare RapidBlaster executable 'rb32.exe' and the RapidBlaster variant 'adaware.exe' - woohoo!

lynchknot
March 31st, 2005, 23:20 PM
I would if I could read gibberish - http://www.techzonez.com/forums/showthread.php?t=14689

Curio
April 1st, 2005, 21:44 PM
That is excellent, I take my hat off to you. You don't use EasyCleaner, do you?

lynchknot
April 1st, 2005, 22:44 PM
I have run various cleaners - why? Did it leave a Spanish housekeeper in my computer? :p
Rik said you can leave your hat on.

Curio
April 2nd, 2005, 09:39 AM
It's just that I have tried Toni Arts EasyCleaner many times over the years and it regularly has proved to me that it is the work of the devil. It always seems to get 5 stars in all the shareware archives, but whenever I have it on a PC it breaks it quick time, and it is consistent: win95, win98, winMe, 2000, XP. It may be bad luck - but it has a 100% record and that's a lot of bad luck. The button with 'Registry Cleaner' on it should say 'Trash this PC now?'.

lynchknot
April 2nd, 2005, 22:41 PM
I have too many cleaners. I occasionally use Crap Cleaner and the reg cleaner in Fix-it Utilities. Perhaps I should restore all of them to check -
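The "abilities, not the number" triage Curio describes earlier in the thread (hooks, screen capture, autostart, and a terse string table with no error messages) as an added Python example; this is not code from the thread or from Security Task Manager. The Win32 API names are real import names, the two string tables are constructed samples, and the 40-string threshold is an assumed value.

```python
import re

# Capability -> regex over a binary's printable strings. The API names are
# real Win32 imports; the labels mirror the kind of "abilities" list discussed.
CAPABILITY_MARKERS = {
    "keyboard monitoring": r"^(SetWindowsHookEx[AW]|GetAsyncKeyState|GetKeyboardState)$",
    "screen capture": r"^(BitBlt|CreateCompatibleBitmap)$",
    "starts with Windows": r"CurrentVersion\\Run",
    "sends e-mail": r"^MAPISendMail$|smtp",
}
_MARKERS = {cap: re.compile(pat, re.I) for cap, pat in CAPABILITY_MARKERS.items()}
# Ordinary software ships error text; a string table with none is a hint.
_ERROR_TEXT = re.compile(r"\b(error|failed|cannot|invalid|unable)\b", re.I)

def capabilities(strings):
    """Sorted list of capabilities suggested by the string table."""
    return sorted(cap for cap, rx in _MARKERS.items()
                  if any(rx.search(s) for s in strings))

def triage(strings, sparse_threshold=40):
    """Summarise one executable's strings: the abilities it could have, how
    talkative it is, and whether a person should look closer. The threshold
    is an assumed value, not a figure from the thread."""
    caps = capabilities(strings)
    errors = sum(1 for s in strings if _ERROR_TEXT.search(s))
    sparse = len(strings) < sparse_threshold and errors == 0
    monitoring = any(c in caps for c in ("keyboard monitoring", "screen capture"))
    return {
        "capabilities": caps,
        "string_count": len(strings),
        "error_messages": errors,
        "sparse": sparse,
        # A score alone says little; a monitoring ability in a terse binary
        # is the combination worth examining by hand.
        "needs_review": monitoring and sparse,
    }

# Constructed sample: what `strings` might show for a small logger-style file.
LOGGER_STRINGS = [
    "kernel32.dll", "user32.dll", "SetWindowsHookExW", "CallNextHookEx",
    "GetAsyncKeyState", "BitBlt", "CreateCompatibleBitmap",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "C:\\WINDOWS\\system32\\svchost32.log", "made by Weener2004",
]
# Constructed sample: a screenshot utility with a normal, chatty string table.
TOOL_STRINGS = [
    "kernel32.dll", "user32.dll", "gdi32.dll", "BitBlt", "CreateFileW",
    "Error: cannot open file %s", "Invalid argument", "Unable to save settings",
] + [f"Menu item {i}" for i in range(40)]
```

Both samples report "screen capture"; only the terse one is flagged for review, which is the point Curio makes about keyloggers that rate 22 next to an AV that rates 57.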