Keylogger
October 25, 2005 4:18 AM

Perfect Keylogger - I have some reason to believe that this product, made by Blazing Tools, has been installed on one of my computers.

The company's web site says that it is "absolutely undetectable". I have not been able to find it anywhere in the Registry or in hidden files on the hard drive. How can one (1) find it and (2) get rid of it?
posted by megatherium to Computers & Internet (10 answers total)
What I'd do first is make sure you have the latest virus definitions (as some antivirus tools scan for such things). Then, I'd run both Ad Aware and Spybot Search & Destroy (after updating their definition files). After that, I'd give RootkitRevealer a run-through.

Not to say that these steps are necessarily foolproof, but it couldn't hurt. And, then again, I somehow have doubts about their "absolutely undetectable" claim -- "absolutely" is a very strong word :-/.
posted by Handcoding at 4:28 AM on October 25, 2005


Try Ctrl+Alt+L. That is the default for hiding/unhiding the program. Check the system tray after that.

How do you know/think that that program is installed?
posted by dking at 4:32 AM on October 25, 2005


If this was a unix-type system and you had reason to believe you had been rootkitted then everyone would be telling you to reinstall and not chance it. I don't see any reason you should treat this differently. Back up your data and reinstall Windows and your other software, or restore from a backup that you believe to be clean, and make sure the route you think it got installed by has been closed off. It's the only way you'll ever get complete peace of mind.
posted by edd at 4:34 AM on October 25, 2005


It is entirely possible to write a program that hooks itself deeply into the kernel, and intercepts any system calls that might provide a clue to its presence. This is generally called a rootkit.

When dealing with programs of this type, the first rule is that you can never trust the running system. Once a program has sufficient privileges to muck around with the kernel, all bets are off. You can try running programs like Rootkit Revealer that will attempt to detect signs of a rootkit, but you have to realize that this will never be perfect - a rootkit can always be written to outsmart any such kind of detection. Of course, doing so is not always practical so there is some hope of being able to find traces of it.

But for absolute certainty you need to boot the system from some external medium and then inspect things from there. The most common ways of doing this are with a Knoppix liveCD or a BART PE liveCD. The latter might make things somewhat easier since it's Windows and not Linux, and this means that you can even mount the registry hives from the target system, and poke around with regedit -- even though you've booted from CD and nothing from the target HD is actually being executed. There are probably purpose-made liveCDs for doing things like this and other "forensic" type activities.
posted by Rhomboid at 5:46 AM on October 25, 2005
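The cross-view idea behind Rhomboid's answer (and behind tools like RootkitRevealer) can be scripted: take one file listing from the running system and one from the same disk mounted under a live CD, then diff the two views. The code below is an added example, not from the original thread or any tool named in it; the sample views and the `hidden_example.dat` path are constructed stand-ins for two `snapshot()` runs.

```python
import hashlib
import os


def snapshot(root: str) -> dict:
    """Listing of every regular file under root: path -> (size, sha256 hex).
    Run once on the live system and once from the live CD with the disk mounted."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skipped, not reported
            view[path] = (len(data), hashlib.sha256(data).hexdigest())
    return view


def cross_view_diff(live: dict, offline: dict) -> dict:
    """Discrepancies between the two views.
    hidden:   in the offline view only (the live system does not show it)
    phantom:  in the live view only (created after the offline snapshot,
              or a path the hooked system reports that is not on disk)
    mismatch: in both, but size or hash differs (modified in between,
              or a hook serving a clean-looking copy to readers)
    Legitimate activity between snapshots also lands here; treat hits as
    leads to inspect offline, not as a verdict."""
    hidden = sorted(set(offline) - set(live))
    phantom = sorted(set(live) - set(offline))
    mismatch = sorted(p for p in live.keys() & offline.keys() if live[p] != offline[p])
    return {"hidden": hidden, "phantom": phantom, "mismatch": mismatch}


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample views standing in for two snapshot() runs of the same disk.
LIVE_VIEW = {
    r"C:\Windows\explorer.exe": (8, _h(b"explorer")),
    r"C:\Windows\System32\drivers\disk.sys": (11, _h(b"disk-driver")),
}
OFFLINE_VIEW = {
    r"C:\Windows\explorer.exe": (8, _h(b"explorer")),
    r"C:\Windows\System32\drivers\disk.sys": (19, _h(b"disk-driver-patched")),
    r"C:\Windows\System32\hidden_example.dat": (19, _h(b"captured keystrokes")),
}
```

On a real disk, build `LIVE_VIEW` with `snapshot()` from the running system, `OFFLINE_VIEW` from the live CD with the volume mounted at its own path, and normalise the mount prefix before diffing.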


Just reinstall windows. If you have a reasonable suspicion that your system has been compromised then you also have no idea about the extent of the security breach. You say the system has a key logger--but is that all? No amount of investigating or security tools will ever be able to move your system back to the secure state. Back up your data, zero out the drive, and do a fresh reinstall.
posted by nixerman at 6:23 AM on October 25, 2005


nixerman has the right idea: Nuke the site from orbit, it's the only way to be sure.

Also, whatever you did that put somebody in the mood to install a keylogger on your machine, stop doing that too.
posted by jjg at 7:24 AM on October 25, 2005


FYI, Webroot's "Spy Sweeper" program (14-day-free-trial available) was able to detect and get rid of some junk on my Windows machine that neither Spybot, Ad-Aware, MS Antispyware, nor two AV programs was able to detect. I'd always laughed at people who paid for anti-spyware software, but I'm going to go buy it myself soon.
posted by mrbill at 9:50 AM on October 25, 2005


I just emailed their support address to ask this question on your behalf. I'm so curious to see how they'll reply.
posted by evariste at 11:50 AM on October 25, 2005


I think it has legal implications for them if they refuse to help someone whose computer is being trespassed with their help, which is why I'm really curious how helpful they'll be.
posted by evariste at 11:51 AM on October 25, 2005


What if you tried to install Perfect Keylogger on said computer yourself? If you're lucky, it would give you a message that the program is already installed, and if you're not lucky, at least you can run Spybot, Rootkit Revealer, etc. and see if they catch the program knowing it IS installed. If, after you install it, one of those programs finds the Keylogger you installed but no others, you can probably feel pretty safe.
posted by joshuaconner at 12:22 PM on October 26, 2005

