Widestep keylogger detection


lynchknot
April 8th, 2005, 05:03 AM
Since the (spam) thread was deleted I will repost my findings:

I haven't tried many anti-keylogger apps, but Security Task Manager and TaskInfo could not pick up "Elite Keylogger" (Widestep) unless it was unhidden. I ran a scan of the Windows folder with NOD32 but nothing was found. However, UnHackMe picked it up immediately.

I thought this might be an interesting test. Yes, it's well hidden. Unless you unhide it (windump view), it's hidden - and it had already picked up my login password and screenshots. However, UnHackMe detected it immediately on boot (screenshot) while hidden. This app could not delete it though (I tried all options). The only way to get rid of it was to uninstall it. I am sure about UnHackMe's find because I rebooted immediately after uninstalling and UnHackMe reported nothing this time.

*edit - another interesting bit of info was the fact that somehow any internet connection (FTP, browser) was prevented; something prevented CPU access so that a connection was impossible. Upon uninstalling the keylogger, the connection returned to normal - **edit - this is probably unrelated as the CPU problem persists (another thread)

http://img100.exs.cx/img100/2408/keylog1zm.jpg (http://www.imageshack.us)

Someone, at another board, also ran a test. Here are his results:

I also tested the Elite Widestep keylogger, and boy is that a tricky one to detect. Nearly every security program I tested against it, failed to detect it! Including MSAS, Ewido, A2, Pest Patrol, Spybot, Ad-aware, BlackLight, and a few others.

The only programs that were able to find it were Unhackme (as Lynchknot posted) and Rootkit Revealer 1.32 (I haven't downloaded the latest version of RR yet).

I would have liked to test Spycop against it but I don't have the $50 to do so. They really should have a trial version of Spycop available. But anyway, at least we have some free tools available to detect this junk.

egghead
April 8th, 2005, 08:29 AM
I get "hackerdefender100 found", but only when I click Demo.

If I click Check, it says nothing found.

So do I have a rootkit or not?

When I click Demo I get this, and the next screen shows the rootkit.

lynchknot
April 8th, 2005, 08:32 AM
Demo gives you an example of what it will look like if it found something. When it found that keylogger, it kept popping up - repeatedly.

egghead
April 8th, 2005, 08:35 AM
so the pic you posted is what it found or was that the demo?

lynchknot
April 8th, 2005, 08:49 AM
That was found as "invisible software"

egghead
April 8th, 2005, 08:54 AM
That was found as "invisible software"

My understanding is that rootkits cannot be removed as they replace many key system files.

You will need to think about who you are accepting email and files from, as hackerdefender is a serious trojan that makes "the beast" look tame.

Is that on your restore disc?

What is UnHackMe?
UnHackMe allows you to detect and remove a new generation of Trojan programs - invisible Trojans. They are called "rootkits".

UnHackMe is not a usual Trojan's scanner like RegRun or HijackThis.

It's used to detect Invisible Trojans (rootkits) only!

A rootkit is a collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network. The intruder installs a rootkit on a computer using a user action, by exploiting a known vulnerability or by cracking a password. The rootkit installs a backdoor giving the hacker full control of the computer. It hides their files, registry keys, process names and network connections from your eyes.

Your antivirus could not detect such programs because they use compression and encryption of their files. The sample software is the Hacker Defender rootkit.

get it here,
http://greatis.com/unhackme/

lynchknot
April 8th, 2005, 09:09 AM
Right, but this is also detecting this keylogger as, I guess, it appears to have some resemblance to rootkit characteristics in the way it's hidden or perhaps even its method(?)

egghead
April 8th, 2005, 09:19 AM
Right, but this is also detecting this keylogger as, I guess, it appears to have some resemblance to rootkit characteristics in the way it's hidden or perhaps even its method(?)

I would be trying to find out who is hacking your computer and who you allowed or trusted to download and accept the file.

Something you must be alerted to is the fact that many trojans now include reverse connection to bypass your hardware routers and firewall.

The trojan program finds a way out of your computer without alerting you and contacts a specific ip that is pre-determined. Many hackers use no-ip for this as they can mask and re-direct the ping to any computer anywhere on the net.

You could try to determine where the keylogger is sending the info to. Find out who is connecting to your computer and do IP traces.

If you can get more info about the trojan program you may be able to disassemble the server dll or exe and you may be able to get the IP it is sending your desktop images to.

If it is no-ip then they may not release that info to you; however they will investigate, and if they determine it is used for trojans they will close the account, and the program will send your info to a URL that no longer exists and one that can no longer be used by the person who is surveilling you.

lynchknot
April 8th, 2005, 09:44 AM
Egghead. This is a well known and widely used commercial keylogger that people purposely install on their computers to spy on their spouse, employees, kids, etc. I installed it myself to test my security apps. http://www.widestep.com/ It is practically undetectable - but I found something that discovered it.

egghead
April 8th, 2005, 09:49 AM
Egghead. This is a well known and widely used commercial keylogger that people purposely install on their computers to spy on their spouse or employees. I installed it myself to test my security apps. http://www.widestep.com/


OK, I didn't read where you said that it detected it as Widestep.

I thought it found the rootkit hackerdefender on your computer and that someone slipped it into your backdoor.....

:runs:

lynchknot
April 8th, 2005, 09:52 AM
It did not detect it as widestep. It only detected something that appeared to be a rootkit.

egghead
April 8th, 2005, 09:56 AM
It did not detect it as widestep. It only detected something that appeared to be a rootkit.

So what do you think of the program?

Microsoft is working on a similar program yet they report that repairing rootkit infections is extremely difficult and that it is best to format.

lynchknot
April 8th, 2005, 10:02 AM
I think it's great that it picked up the keylogger because, it appears, not much will.
More important than detecting for rootkits though, would be preventing them.

Curio
April 8th, 2005, 12:59 PM
The Microsoft thing is not really that great - it's something like creating a list of directory entries inside Windows, then booting to a bootable CD-ROM, doing the same and comparing, so hidden files show up as differences. I am sure it works but it isn't something you will want to be doing very often - ProcessGuard is your best defence.

Sorry, your PM doesn't point to anything, Lynch; the thread must have been deleted. I would be dubious about installing any application that was based on a rootkit - you see, the whole thing about rootkits is you don't know what they are hiding or what they are doing. There is only one thing to do if you have a rootkit on your system and that is wipe and reload it. Even if you installed it yourself, how do you know it doesn't send your passwords off to a database somewhere - I said it before and I will say it again: rootkits are naughty.
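
A worked version of the cross-view comparison described above, added here as an example; it is not code from this thread, from Microsoft's tool or from any product named in it. One listing of directory entries is taken from inside the running Windows install, a second listing of the same volume is taken from a boot CD, and anything the offline view contains that the live view lacks is reported as a hiding candidate. The two listings, the volatile-path prefixes and the "hiddenlogger-example" file names are all constructed for the demo. The same diff applies to a registry-key listing exported live and offline, which is the comparison that RootkitRevealer (mentioned earlier in the thread) automates.

```python
"""Cross-view directory diff: compare what a running Windows install says is on
disk with what a boot CD sees on the same volume.  Entries that exist offline
but are missing from the live view are candidates for rootkit-style hiding.
Added example; the listings and file names below are constructed."""
import os
from typing import Dict, Iterable, List, Set

# Paths expected to differ between snapshots taken at different times
# (swap file, temp and prefetch directories). Constructed for this example;
# extend it for the volume you actually compare.
VOLATILE_PREFIXES = (
    "c:\\pagefile.sys",
    "c:\\windows\\temp\\",
    "c:\\windows\\prefetch\\",
)


def normalise(path: str) -> str:
    """Windows paths are case-insensitive, so compare one canonical form."""
    return path.strip().replace("/", "\\").lower()


def parse_listing(lines: Iterable[str]) -> Set[str]:
    """Turn a listing (one absolute path per line) into a set of canonical
    paths. Blank lines and '#' comments are ignored."""
    entries: Set[str] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(normalise(line))
    return entries


def is_volatile(path: str) -> bool:
    """True for paths that legitimately differ between the two snapshots."""
    return any(path.startswith(prefix) for prefix in VOLATILE_PREFIXES)


def snapshot_tree(root: str) -> List[str]:
    """Produce a listing of every directory and file under root.  Run this from
    the live system for one side; run the same thing from the boot CD against
    the mounted volume (with root adjusted) for the other side."""
    paths: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            paths.append(os.path.join(dirpath, name))
    return paths


def cross_view_diff(live: Iterable[str], offline: Iterable[str]) -> Dict[str, List[str]]:
    """Return entries the offline view has but the live view lacks (hidden from
    the running OS) and the reverse (volatile or created after the offline
    snapshot), with known-volatile paths filtered out of both."""
    live_set = parse_listing(live)
    offline_set = parse_listing(offline)
    hidden = sorted(p for p in offline_set - live_set if not is_volatile(p))
    live_only = sorted(p for p in live_set - offline_set if not is_volatile(p))
    return {"hidden_from_live": hidden, "only_in_live": live_only}


# Constructed sample listings standing in for the two snapshots.
OFFLINE_LISTING = """
# taken from a boot CD with the system volume mounted (constructed)
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\drivers\\hiddenlogger-example.sys
C:\\WINDOWS\\system32\\hiddenlogger-example.dll
C:\\pagefile.sys
C:\\Program Files\\SomeApp\\someapp.exe
""".splitlines()

LIVE_LISTING = """
# taken from inside the running Windows install (constructed)
C:\\WINDOWS\\system32\\kernel32.dll
C:\\pagefile.sys
C:\\Program Files\\SomeApp\\someapp.exe
C:\\WINDOWS\\Temp\\live-only.tmp
""".splitlines()


if __name__ == "__main__":
    report = cross_view_diff(LIVE_LISTING, OFFLINE_LISTING)
    for key, paths in report.items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Taking the offline side genuinely from a boot CD is the point of the exercise: a second listing taken from inside the running Windows, even by a different tool, goes through the same hooked APIs the rootkit controls and will agree with the first. The volatile-prefix filter is what keeps the report usable; without it, every temp file written between the two snapshots shows up as a "difference".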

lynchknot
April 8th, 2005, 19:04 PM
The thread was deleted. It was spam by the developer of Elite Keylogger "are your children safe" I think the thread was entitled. This keylogger delivered via Trojan would be a scary thought. It's gone - unhackme no longer picks anything up - besides, I'm on a clean True Image now since......

There may be a time in the near future that I might use Winrollback (I have it installed)

Curio
April 8th, 2005, 20:29 PM
Maybe if you don't pay up for the full version it 0wns your system and opens it to the script kiddies and their MmuuuuuHHaahhaaa! Or maybe it secretly can be used by a remote operator to download and install all kinds of heinous material to your PC and then it auto-reports it to the authorities after a 15 day trial period!!

No pay - go jail, it says it in the EULA you didn't read. All you wanted was to see if your chiddlers were accessing Barney Naked Purple Porn web sites and now you are in the dock right next to MJ wishing you really were in Neverland!!! A knock at the door 'Come out with your hands above your head you filthy pervert and get what's coming to ya!'

Somewhere downtown there's a dossier the size of a small form factor PC with details of all the stuff that has been remotely reported on your PC. Your credit card details have been used to access questionable content on the world wide web and the rootkit has stealthily deleted all traces of itself 2 hours after dobbing you in and changed your wallpaper to a Donkey and a young asian man involved in some kind of .....eeew just what is that?

Me ..........I don't really like Barney.

lynchknot
April 8th, 2005, 20:35 PM
Spoken by a true "neverland" junkie: I downloaded 7 random keyloggers today and have been trying to detect them with various progs all day long unfortunately I haven't gone about it in a very scientific way so I may have to start over using Virtual PC or VMWare. Anyone using Blazing Tools PerfectKeylogger you have done your money - it's about the only one that everything in the world detects instantly. - http://www.techzonez.com/forums/showpost.php?p=89626&postcount=7 :p

Curio
April 8th, 2005, 23:42 PM
Yeah that wasn't a VM that was a spare system.
.....is that a knock at the door?

Anyway ek is a bit naughty but hooray for rootkit revealer, I love sysinternals stuff. I will test it on some of the other naughty ones as well. If you know the reg keys a simple reg patch will also detect it because if you try to access one of the hidden keys you get an error when you should not get any notifications.

With these progs the demos are not the same as the full versions though - they always change the filenames and reg keys and some allow you to specify the filenames yourself. I would also doubt that the windump file is necessary for the operation of the logger, it is probably just the UI so you can cut/paste it to a floppy if you like. That file isn't hidden in windows so would be a bit of a giveaway unless you rename it.

It's an impressive logger though - looks like it's back off to the internet cafe............

lynchknot
April 9th, 2005, 00:18 AM
hehe just teasing. I would much rather install a keylogger myself - then uninstall it with its own uninstaller - than have a trojan install it behind my back. Yes, that "windump" is not needed while the keylogger is running. Windump is only to call up the GUI so you can view logs and set preferences - or uninstall it.

Curio
April 9th, 2005, 17:21 PM
Shows up in STM for me but there is some kind of trigger event which eventually does hide it even from STM. At the moment I think it's when you try to access the registry keys for the services. This was taken after 5 reboots because I thought it had something to do with reboots before then.

Also don't just close the boxes when it asks you to put in a password - I did that then it wouldn't let me in afterwards and I had to remove it manually then re-install it.

a-ha!
:)

lynchknot
April 11th, 2005, 02:16 AM
Curio, do you feel like testing this one?

Unbeatable Stealth Capabilities - SSPPYY offers many levels of stealth to prevent the remote user from removing the software. SSPPYY will NOT be displayed in the Task Manager, the Process Tab (under Windows NT/XP/2000), Add / Remove Programs, or anywhere else where it may be possible for the user to detect other software! SSPPYY spy software is your all-in-one solution to monitoring spouses, co-workers, children, employees and just about any other person you suspect may be misusing your PC! Ever want to remotely monitor your computer without having to physically access or install software? SSPPYY offers you the ability to remotely install the spy software! Simply send SSPPYY module attached to an email!
SSPPYY can be hidden behind a picture or a greeting card so
your employees or child will never know what the file is!
No attachment necessary, SSPPYY can be sent in a web link!
Includes built-in Web server, Mail server and Aurora server!
Remotely install. No physical access needed!
Deploy with one click via email!
Surveillance and Logging Features
Internet Conversation Logging - Log both sides of all chat and instant message conversations for AOL/ICQ/MSN/AIM/Yahoo Instant Messengers.

lynchknot
April 11th, 2005, 17:36 PM
Beta news



UnHackMe 2.5 beta detects and successfully removes Elite Keylogger.
Direct download:
http://greatis.com/unhackme250b.exe
Removing of EK is not simple.
After restarting of computer you will get BSOD because the driver is out.
After restart Windows will boot as well.

Best wishes,
Dmitry Sokolov

Curio
April 12th, 2005, 07:55 AM
Many of these keylogger/remote monitoring tools make wild claims that they do not live up to, I'd take it with a pinch of salt if I were you. I have tested quite a few that made similar claims and they are all picked up by AV, I think the AV firms pick these out because of the 'supposed' remote install capability. No trialware is usually a giveaway that they are rubbish - once bitten twice SSHHYY. But if anyone has a free copy........

Widestep - I can remove and detect it no problem. Perhaps you should ask Mr Sokolov about SSPPYY and whether it is a scam; I'm sure that if his software is for detecting and removing that stuff he must have a vested interest in testing it in a professional way.

It's funny that if it does all it claims and is undetected by all that symantec has a definition webpage about it http://securityresponse.symantec.com/avcenter/venc/data/spyware.ssppyy.html.

Mcafee http://vil.mcafeesecurity.com/vil/content/v_124606.htm

edit...... just found this too http://castlecops.com/article4953.html

lynchknot
April 12th, 2005, 20:32 PM
hehe, Dmitry Sokolov's beta post followed mine after I reported that unhackme was unable to remove elite keylogger.

Curio
April 12th, 2005, 21:56 PM
windump /uninstall
Don't even ask about how easy it is to remove the password.

lynchknot
April 14th, 2005, 18:46 PM
Originally Posted by lynchknot
From a fellow member at another board: windump /uninstall
Don't even ask about how easy it is to remove the password.

Hmm maybe if he doesn't already he should write a program that does this as quick and easy as UnHackMe does. Or maybe it's not as easy as he makes it sound.

Thanks,

Chris.

Curio
April 14th, 2005, 21:57 PM
It is always a good idea to keep some things under your hat.

lynchknot
April 14th, 2005, 22:15 PM
I think you could write a program but I was afraid to "ask" :)

Curio
April 15th, 2005, 13:01 PM
@echo off
windump /uninstall

Put it in a batch file.

You don't need to know the password to uninstall as the program is not protected that way. No need to detect it, it will tell you to reboot to complete the uninstall. If you do want to detect (maybe you think snidy user has removed/renamed windump.exe) then just install the original package - it will tell you if it's already there. STM and RKR also detect it as shown previously but you need to know what you are looking at. There are other ways but they are not necessary.

lynchknot
April 15th, 2005, 16:41 PM
thanks curio, I'll go post, if you don't mind

Curio
April 17th, 2005, 17:21 PM
If you discover your PC is being monitored by EK - by whatever means you discover it - DO NOT use a third party software to remove it. By running '>windump /uninstall' you will remove the logger but it will leave some nice details behind - details you want ;)

Reboot the PC and then download and re-install Elite Keylogger; because the registration details are retained you will now have the full version ready activated but without any password protection. Run '>windump view' and EK will prompt you for a password, put one in. Once the program opens select a day and click view logs; once the logs are decrypted you can see at the bottom of any set of logs the original registered owner's details including their registration key.

This will empower you with one or two things both/either of
a) A full free version of the software to go round installing on everyone's PCs so that you can get all their passwords for everything and generally misbehave knowing it will be blamed on the original registered owner.
b) The knowledge of which low down dirty scum wants to spy on you.

For even more harmless fun you can install it on a PC that belongs to some big angry bloke with tattoos then reveal it to him with the registered owner's details on view - maybe give him an address too.

:)

egghead
April 18th, 2005, 04:41 AM
hahaha

cool info

thanks for the post:D

egghead
April 18th, 2005, 08:24 AM
hey lynchknot,

I came across this program that seems to detect spyware.

It detected eblaster (http://www.eblaster.com/) and is the only one that could. I tried some others but got tired of looking lol

this program seems to be amazing

scanned my friend's computer and it found over 400 baddies including probot key logger. ad-aware and spybot reported none found even after updates so..........
http://www.nethunter.cc/index.php?id=11

can you test out adware spy to see if it's any good?

www.adwarespy.com (http://www.adwarespy.com)

btw,
system task manager detected eblaster but did not say the name. in adware spy it did confirm it as eblaster, and after removal by the program the entries were gone after a scan with system task manager

eblaster and probot are surveillance software that is installed by an attacker or parent/spouse etc....

lynchknot
April 18th, 2005, 17:27 PM
oh jeez. I did not follow your post. I just installed probot, damnit. It's not very hidden. I can see it running in task manager


Some of the findings may be fake to make the product look better than the rest. This Protowall block does not look encouraging. It sort of looks like GiantAS with a new face

Packet to "adwarespy.com" ( 66.70.113.139 ) blocked. [protocol: TCP - src: 1231 / dst: 80]

Curio
April 18th, 2005, 21:42 PM
Did you not checkout the list of suspect spyware removers - from egg's sticky thread?

http://www.spywarewarrior.com/rogue_anti-spyware.htm :rolleyes:

lynchknot
April 18th, 2005, 21:51 PM
No, I trusted him. Never again Mr. Eggman. I want to throw hard boiled eggs at you. :eek:

Here's the scan

http://img170.echo.cx/img170/5838/scan17ml.jpg (http://www.imageshack.us)

I immediately followed up, without fixing anything, with Giant scan


http://img179.echo.cx/img179/503/scan27sf.jpg (http://www.imageshack.us)

egghead
April 18th, 2005, 23:58 PM
Did you not checkout the list of suspect spyware removers - from egg's sticky thread?

http://www.spywarewarrior.com/rogue_anti-spyware.htm :rolleyes:

Curio, This thing removed eblaster and that was verified using security task manager.

It seems to work well.

That is why I am asking for more opinions

update from old post. the user where it found 400 spyware: the tech did a goofy re-install of windows and it's called windows.001 lol

so when it did the deep scan it found all the spyware files on the old installation. it deleted all the baddasses.

@lynchknot - it may have scanned your quarantine folder.

atm - nothing I tried detected eblaster so this program gets high marks from me for finding it.

also high marks for being unknown and thus not detected by badass WINLOGONPC.EXE, and thus it was not on their kill list and I was able to use adware spy's process viewer and able to kill WINLOGONPC.EXE. after doing so I was able to get control of task mon and msconfig.

I'm going to read the rogue list now

thanks

egghead
April 19th, 2005, 00:05 AM
here is what rogue says:

false positives work as goad to purchase (1 (http://www.wilderssecurity.com/showthread.php?t=45615)); same app (http://www.spywarewarrior.com/family_resemblances.htm#3) as AdDriller, 2004 Adware/Spyware Remover & Blocker, ADS Adware Remover, AdWare SpyWare Blocker & Removal, AdwareX Eliminator, Ad-Where 2005, ETD Security Scanner, Privacy Tools 2004, SpyBeware, Spy-Kill, & The Web Shield; Ad-aware knockoff (http://www.spywarewarrior.com/family_resemblances.htm#3) [A: 6-29-04 / U: 7-7-04]
end:


Ad-aware did not alert me to eblaster, nor did any other spy scanner except security task manager. stm showed a dll file and a search in Google showed it as eblaster.
adware spy found it as eblaster

You must purchase product to get cleaned.

does ad-aware full have a built in process viewer?

lynchknot
April 19th, 2005, 00:21 AM
I don't know eggfead. I'm not about to delete entries in program files, that were listed, that are safe. What quarantine? I don't have anything in any.

So MSAS missed 400+ registry keys? Or, that's an awful lot of false positives


Symantec detects eblaster: http://securityresponse.symantec.com/avcenter/venc/data/spyware.eblaster.html

egghead
April 19th, 2005, 00:39 AM
I don't know eggfead. I'm not about to delete entries in program files, that were listed, that are safe. What quarantine? I don't have anything in any.

So MSAS missed 400+ registry keys? Or, that's an awful lot of false positives


Symantec detects eblaster: http://securityresponse.symantec.com/avcenter/venc/data/spyware.eblaster.html

FYI:
ran giant and it found cydoor. no probot. you should be alarmed if you have probot on your system
http://www.nethunter.cc/probotse.php

BTW
adware spy did detect probot on my friend's computer with 400 hits. files were there.

My adware spy scan on my computer did detect cydoor as well but nothing else. no false positives.

more testing and I like this program

lynchknot
April 19th, 2005, 01:13 AM
you should be alarmed if you have probot on your system

From post 34:

oh cheezz. I did not follow your post. I just install probot damnit. It's not very hidden. I can see it running in task manager

Some say a suspect sign is spelling errors at website

What is Theifware

egghead
April 19th, 2005, 03:17 AM
Originally Posted by lynchknot
oh cheezz. I did not follow your post. I just install probot damnit. It's not very hidden. I can see it running in task manager

they have two versions. the trial or public one is not stealth. the stealth or private version is completely hidden.

What is Theifware?
I see when i googled it brought many adware scanner sites that look fake.

if spelled proper you get http://www.thiefware.com/

lynchknot
April 19th, 2005, 04:03 AM
- http://www.adwarespy.com/about.html
http://img188.echo.cx/img188/5486/16ss.jpg (http://www.imageshack.us)

Curio
April 19th, 2005, 23:29 PM
I value your opinion so I will try it on VM with EK and BFK. For your information I tested SpywareDoctor earlier today and it sucked big time. It failed to detect any of the spyware that I know to be on that particular machine (I installed it) but did want me to delete Dev C++ because it said it was the CWS trojan.

I find NoAdware quite useful which is also on the rogues list because apparently they stole the original database from Spybot, naughty naughty, so I have an open mind. Apps change over time and sometimes rotten apps come good like sometimes good apps go bad. Anyone tried XoftSpy - apparently that detects loggers but I haven't tried it yet.

lynchknot
April 19th, 2005, 23:56 PM
Note on XoftSpy: XoftSpy was listed on this page because of concerns with false positives (1, 2, 3, 4), questionable license terms, and the use of aggressive, deceptive advertising (1, 2), including exploitation of the name "spybot" by affiliates. Earlier versions of XoftSpy were also Ad-aware knockoffs. (There was clone of XoftSpy named SpyBurn, but that application is no longer available.)

Over the past few months, XoftSpy has taken aggressive steps to rein in its affiliates (who were primarily responsible for the unsavory advertising), revised its license text, and released a new version of XoftSpy (version 4.0) that addresses our concerns with false positives. Given these changes we can no longer regard XoftSpy as "rogue/suspect" anti-spyware.

(Note: other domains associated with XoftSpy include: adware-destroyer.com, adware-elimination.com, adwarekillers.com, adware-real-free-scan.com, adwares.net, anti-adware.net, antispywares.com, deletespyware.net, nomorespyware.net, removespyware.net, softspy.net, softwho.com, spywarebest.com, spyware-detection.net, spywareprof.com, spywarepurge.com, spywarerem.com, spywareremoval.net) [A: 6-26-04 / U: 12-7-04] .

Curio
April 23rd, 2005, 12:34 PM
Thus, the new version of XoftSpy is not considered "rogue/suspect" anti-spyware.
From Eric Howes pages http://www.spywarewarrior.com/family_resemblances.htm#3 which are great by the way and he also states that
The vendor for NoAdware has been revamping the application so that more recent versions share almost no commonalities with the rest of this family of cloneware.
Wouldn't you just know it?

Still I ran AdwareSpy on a PC with just EK on it no other suspect poop. It found 6 "spys" which were all fps and not EK. It apparently uses the same reference file format as ad-aware so you could just import the reference into ad-aware and run that if you want some fps - I didn't confirm this though. Not finding EK doesn't really bother me as it is legitimate monitoring software which requires local access to the PC for installation. The FPs on the other hand are there so people who run the trial will think they are infected and will be 'tricked' into buying it.

The firm behind the app 'elite concepts' apparently has the most 'clone' apps and the apps have the most FPs.

I make no judgement just present the facts.

egghead
April 23rd, 2005, 13:09 PM
perfect! thanks for that.

so what do you recommend as a good tool to detect eblaster and ek. I do ad-ware and spyware scans and virus scans and trojan scans and these programs do not or cannot alert the user that they have a screen capturing or keylogging program on their pc. adware spy worked in that instance but false positives are bad. I did confirm Eblaster to be on the pc. if these adware companies could adopt a single standard then we could clean them lol. but when they do dll injection or install direct to memory through the web or even rootkits, it seems like we cannot win.

my priorities are - rid adware and spyware because it slows and or crashes the operating system
spy programs intently installed on a computer by a friend or other.
malicious viruses that delete or corrupt key system files and data.

This is where the cash is but I tell ya you need 20 programs to scan and conquer

Curio
April 23rd, 2005, 15:25 PM
STM appears to be the most essential app of all time. It tells you everything that is running on your PC - you need knowledge to deal with what it shows you, but it doesn't need signatures to detect malware, so even one-off trojan builds would be detected by it whereas a sig-based scanner would show nothing. I don't know if it can show Hacker Defender type rootkits but it certainly shows the hidden processes of EK so perhaps it can.

It's cheap and I love it.

Curio
April 23rd, 2005, 18:06 PM
This screencapture should tell you a little more about Adwarespy
...and a little more about EBlaster.

Curio
May 20th, 2005, 19:49 PM
Webroot SpySweeper now detects Elite Keylogger as of at least 18-05-2005.

go webroot!