Urgent: How do I get rid of keylogger on my computers
October 31, 2016 9:55 AM

I know for a fact someone has installed something on at least one of my computers. How do I get rid of this?

For months I've suspected something, but today I've received full on confirmation. I had it set up so that a blackberry (given to me by my boyfriend) would forward texts directly to my email address. Texts that I know he wouldn't want others to know about would be mysteriously deleted from both my phone and my email a few days later. I told him something weird was going on with the phone and that I thought our phones might be hacked, but he acted suspiciously calm about it.

So something told me to try and forward certain emails and messages that came from him to ANOTHER email. One that is NOT connected to my blackberry and that he certainly didn't know anything about. And I changed the password to all my emails as well. Woke up this morning to find that those messages I forwarded to the new email address whose password was just changed were suddenly GONE. I also checked a third email address that he used to use, and just yesterday there were emails there from him that today are GONE. The only possibility is that he has the passwords to all my emails. The ONLY way he'd have that is if he had access to my laptop(s) somehow because I never use any of his.

I'm assuming he has not separated entirely from his ex and he's afraid if I found out I'd be able to prove to her how long we've been together and that's why this is happening. I mean who else would want to delete emails from him from 2013? But right now, my main concern is getting whatever programs he's got on here off.

I'm using an internet cafe right now. I changed all my passwords at the internet cafe. I have both my laptops with me now, but I'm afraid to log onto the internet with them until I can see what's going on.
posted by olivetree to Computers & Internet (26 answers total) 8 users marked this as a favorite
 
If it were me, I would implement two step authentication for my email logins and after that, change my email passwords again.

If this is your boyfriend, and you do not trust him, why is he still your boyfriend?
posted by AugustWest at 9:58 AM on October 31, 2016 [25 favorites]


I agree -- two factor authentication + change your phone password + change all your email passwords, ideally to totally random strings through something like LastPass, which you ALSO then set up for two factor authentication. (Note this would force someone to get through two layers of two-factor to get into your account -- once to get the password from LastPass and another time to log into the account.)

And, agreed, if you truly suspect your boyfriend is breaking into your email accounts for any reason, break up with him immediately. Ew.
posted by rainbowbrite at 10:04 AM on October 31, 2016 [5 favorites]


Response by poster: Please only answer the questions. No obvious things like DTMF or call the police... Those I already know how to do. Right now I really need to deal with my computer security only. I just need to get whatever's on my computers off right now. Thanks. :(
posted by olivetree at 10:04 AM on October 31, 2016 [9 favorites]


Also be sure to check the forwarding and filtering settings on all accounts to make sure they aren't set to auto forward and/or auto delete anything.
posted by primethyme at 10:06 AM on October 31, 2016 [16 favorites]
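One way to do the check primethyme describes without clicking through every rule by hand: Gmail lets you export all filters as an XML file (Settings > Filters and Blocked Addresses > Export), and a short script can flag any rule that forwards mail out of the account or makes it disappear. This is an added example, not code from the thread or from Google; the sample file below is constructed in the shape of that export, the addresses in it are invented, and the property names (`forwardTo`, `shouldTrash`, `shouldArchive`, `shouldMarkAsRead`) are the ones that export format uses.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of a Gmail filter export. Rule 1 is an ordinary
# newsletter rule; rules 2 and 3 are the kind of thing the thread is worried about.
SAMPLE_FILTERS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='news@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='partner@example.com'/>
    <apps:property name='forwardTo' value='watcher@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='2013'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""

# The match criteria a filter can carry; everything else is an action.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")


def parse_filters(xml_text):
    """Return one dict of property name -> value per <entry> in the export."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # keep the encoding declaration valid
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        for entry in root.findall(ATOM + "entry")
    ]


def is_true(props, name):
    return props.get(name, "false").lower() == "true"


def audit_filters(filters):
    """Flag rules that leak mail out of the account or make it vanish unseen."""
    findings = []
    for index, props in enumerate(filters, start=1):
        reasons = []
        if props.get("forwardTo"):
            reasons.append("forwards matching mail to " + props["forwardTo"])
        if is_true(props, "shouldTrash"):
            reasons.append("sends matching mail straight to Trash")
        if is_true(props, "shouldArchive") and is_true(props, "shouldMarkAsRead"):
            reasons.append("skips the inbox and marks it read, so it is never noticed")
        if reasons:
            criteria = {k: props[k] for k in CRITERIA if k in props}
            findings.append({"filter": index, "criteria": criteria, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_filters(parse_filters(SAMPLE_FILTERS_XML)):
        print(f"filter #{f['filter']} matching {f['criteria']}:")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run it against your own export (`parse_filters(open("mailFilters.xml", "rb").read())`) and delete anything you did not create. Two things the filter export does not contain and that need a manual look on the same settings page: the account-wide "Forward a copy of incoming mail to" setting on the Forwarding and POP/IMAP tab, and any delegates under "Grant access to your account" on the Accounts tab. A delegate reads and deletes mail without ever needing your password.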


Also, I do not know if Malwarebytes addresses keyloggers, but it is worth downloading and implementing regardless.
posted by AugustWest at 10:11 AM on October 31, 2016 [1 favorite]


It's drastic, but it would work:
[Get a savvy friend to] Boot your machines from a Linux DVD or USB stick. Get all your files off of them and into an external backup medium. Then do a wipe and a clean reinstall of your operating system of choice.

Best of luck to you! This is awful.
posted by Too-Ticky at 10:12 AM on October 31, 2016 [23 favorites]


If one of the accounts is a gmail account, you can see IP addresses of recent logins by going to the bottom of the inbox page and clicking on "details" where it says "Last account activity" in small print bottom right. You may be able to see if a different IP address was used to login. Also, check the trash bin to see if that was cleared out after the emails were deleted.
posted by AugustWest at 10:14 AM on October 31, 2016 [8 favorites]


Oh, and of course: once your machines are clean, change your passwords.
posted by Too-Ticky at 10:18 AM on October 31, 2016


The only way to be genuinely sure that malware has been removed is to back up your data files, wipe the machine, and reinstall.

It's a huge hassle, but it is what it is.
posted by uberchet at 10:21 AM on October 31, 2016 [12 favorites]


Response by poster: Just to mention: I know that I can look at recent login activity in gmail and such, but it's not helpful because for reasons I don't understand even when I'm using my computer it'll say I'm logging in from Minneapolis or some other random state. Maybe it's because I use a hotspot usb. But if it does that with my own activity (which it does) there's no way I can tell the difference if someone else logs in. So unfortunately that's not a help.
posted by olivetree at 10:21 AM on October 31, 2016


If you have Windows 8 or 10, you can look into booting into the advanced recovery screen, and do a "Refresh" on your computer. This effectively re-installs the operating system, removing all programs that are currently on there, back to the system defaults.
I was worried about my files (documents, photos, music, etc.,) but it worked safely around them, and left them all in place.

You can do this by pressing shift as you click reboot, all the way through, from the shut-down process, until your computer comes back up. So long as you're not actively connected to the internet, you should be fine. This is the simplest solution.
posted by a good beginning at 10:30 AM on October 31, 2016 [3 favorites]


Since you're being very particular about answers, the question I see you asking is "How do I get rid of it?"

To get rid of it with any certainty you should back up your data, wipe it clean and reinstall the OS. That's a surefire way to be absolutely sure. People say it's a big hassle, but it's not. Especially if you prepare for this inevitability from the start by keeping your data in one place and know where that is.
posted by humboldt32 at 10:41 AM on October 31, 2016 [11 favorites]


Boot to a live CD/USB set up from another, non-compromised machine. Transfer your data files (music, photos, documents, etc.) to a brand new external hard drive, and scan them for malware. Wipe your machine completely and start over from a fresh OS install. Also, change all your passwords and implement two-factor authentication wherever possible. Then transfer your data back.

If someone has had physical access to your computer and you already know for a fact that they've done something as malicious as installing a keylogger, there's no way of knowing what else they've done. Nuke it from orbit. Even the above protocol isn't totally foolproof, but your boyfriend would need to be pretty savvy and have gone to extraordinary lengths to set up something that would get around a wipe and reinstall.
posted by Anticipation Of A New Lover's Arrival, The at 10:43 AM on October 31, 2016 [3 favorites]


I'm sorry for this additional bad news. Depending on the sophistication of the attacker, you may have to be concerned about a hardware key logger. This would be a device installed inside your system that wirelessly transmits key logs via bluetooth or WiFi.

If the malicious attacker has the skills, resources and motivation (skills: ability to use a screwdriver, resources: a spare $20, motivation: ?), you may need to do more than the suggested 'nuke from orbit' already outlined.

Turn off your computers and do not turn them back on. Go to a library or friend's house, go two-factor, change passwords. Go buy a new computer. If you have hacker/maker type friends you might ask them to inspect the insides of your laptops for hardware keyloggers.
posted by bdc34 at 11:10 AM on October 31, 2016 [11 favorites]


I think the question you're really asking is "How do I detect a keylogger?" Because I think you're going to want the evidence that a wipe-and-reinstall would delete, right? You want to A) prove the problem and B) solve the problem.

I would immediately begin using these solutions, one by one.
posted by Mo Nickels at 11:18 AM on October 31, 2016 [3 favorites]


FWIW, there are non-software key loggers as well. Ones that can hide within a keyboard, or masquerade as cables/dongles/adapters in the back. What level of certainty/tech-expertise/paranoia are we aiming for?

You note USB hotspot for access? If you aren't https everywhere (and even then...) it's possible to leak credentials there as well ... Boils down to technical prowess of the adversary.
posted by k5.user at 11:32 AM on October 31, 2016


RevoUninstaller? I put this on all my computers, along with basic security software. Does a great job finding all the everything and deleting it!

I'd still probably wipe though, as I would if I had been actually hacked by anyone.
posted by jrobin276 at 11:49 AM on October 31, 2016


You may have also thought of this, but as an interim stopgap while you work through the suggestions above, you could use the same public computer you're on to set up an email account that you only access on not-your-devices, and forward to that for paper-trail reasons.

Be safe. I know you say you've got this, and we're rooting for you, but if he's tracking your online activity be aware that he may see this MeFi question and know your username.
posted by deludingmyself at 12:55 PM on October 31, 2016 [20 favorites]


[Get a savvy friend to] Boot your machines from a Linux DVD or USBstick. Get all your files off of them and into an external backup medium. Then do a wipe and a clean reinstall of your operating system of choice.

This is the best advice here. The only thing I'd add is that you want to completely wipe the hard drive. There are all kinds of things like boot sector/EFI partition rootkits and various ways to hide this sort of thing. If I genuinely suspected this was going on, I'd at the very least delete the entire partition table with the windows installer, but likely back up my data then run this set to the simple "all zeroes" option before I set up again.

Paranoid? Yea, but... I would go there.

A hardware keylogger in a laptop is unlikely, but is eminently possible in a desktop. I honestly wouldn't worry too much with a laptop on that front though.
posted by emptythought at 4:19 PM on October 31, 2016
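Since emptythought's "all zeroes" pass is the step that actually removes a boot-sector or EFI-partition foothold, it is worth being able to do it and, more importantly, to verify it before reinstalling. The following is an added example, not code from the thread or from any wiping tool: it zero-fills a path and then reads it back to report the first byte that is not zero. It assumes a Linux live USB with Python 3, and that you have already identified the internal drive with `lsblk` (the device name, e.g. `/dev/sda`, is yours to supply; nothing here touches a real device by default).

```python
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB per write/read


def _size(fd):
    """Size in bytes. Seeking to the end works for regular files and, on Linux, block devices."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def zero_fill(path, chunk=CHUNK):
    """Overwrite every byte of `path` with zeros and flush to the device. DESTRUCTIVE."""
    zeros = memoryview(bytes(chunk))
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _size(fd)
        written = 0
        while written < size:
            n = min(chunk, size - written)
            written += os.write(fd, zeros[:n])  # os.write may be short; the loop resumes
        os.fsync(fd)  # make sure the zeros reached the medium, not just the page cache
    finally:
        os.close(fd)
    return written


def first_nonzero(path, chunk=CHUNK):
    """Offset of the first non-zero byte, or -1 when the whole device reads back as zeros."""
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                return -1
            if buf.count(0) != len(buf):  # cheap test: is any byte in this chunk non-zero?
                return offset + next(i for i, b in enumerate(buf) if b)
            offset += len(buf)


def demo(data=b"\x00" * 100 + b"\x07" + b"\x00" * 50):
    """Exercise both steps on a constructed scratch file (stand-in for a drive), never a real device.

    Returns (first non-zero offset before the wipe, bytes written, first non-zero offset after).
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        before = first_nonzero(path)
        written = zero_fill(path)
        after = first_nonzero(path)
        return before, written, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # (100, 151, -1): one stray byte found, 151 bytes zeroed, clean afterwards
```

For a real drive you would run `zero_fill("/dev/sdX")` and then `first_nonzero("/dev/sdX")` as root from the live system, with the internal drive unmounted; a result of -1 means the old partition table, boot sector and EFI partition are gone along with everything else. Two caveats: on an SSD or NVMe drive a software overwrite cannot reach remapped or over-provisioned cells, so the drive's own secure-erase command (ATA Security Erase via `hdparm`, or `nvme format` for NVMe) is the right tool; and if you might want the old drive as evidence, as chazlarson suggests further down, zeroing destroys it, so replace the drive instead and keep the original untouched.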


Also it's been stated already, but I wanted to double down on resetting EVERY account password, and enabling text verification/two factor authorization on every account that allows it.
posted by emptythought at 4:20 PM on October 31, 2016


Assuming what computers you have fall into the categories of many fairly recent consumer laptops, ultrabook, chromebook, or convertible tablet (Surface), there probably isn't a hardware keylogger. Unless the creepy person is a computer repair tech by trade and has all the special tools to get them open. If it would help you feel better, turn them over and look for scratches around any screw holes and around the seams.

Business laptops that are meant to be repaired, that would be different and a hidden hardware keylogger is more plausible. Still unlikely.

But I'm with the people who would backup files and do a hard wipe and reinstall, just to be sure. If you need to turn one on to do that, turn off the wireless antenna first thing. Just don't log into your accounts from your possibly compromised devices to make sure that any keylogger doesn't get your new passwords.

Take care of yourself, do what you need to do to stay safe.
posted by monopas at 4:22 PM on October 31, 2016


Maybe this is obvious, but if he's installed a keylogger before, it's likely to happen again if he has unattended physical access to them in the future. And he's going to become very apparent when you do remove it. I don't know how much is involved to install one, but based on the phrasing in your question, it might not take much time.
posted by neilbert at 7:46 PM on October 31, 2016 [2 favorites]


Make sure you change your security questions, if your e-mail provider uses them, to ones nobody else would know the answers to.
posted by The corpse in the library at 1:53 PM on November 1, 2016


If you decide to go the "nuke from orbit" method, I'd strongly suggest replacing the existing drive rather than wiping and reinstalling, just to guard against the boot-sector stuff already mentioned. Keep the existing drive for forensics or evidence or whatever.
posted by chazlarson at 2:32 PM on November 1, 2016


Another vote for backup, nuke and reinstall.

Articles on the internet about how to remove this sort of stuff aren't worth the paper they are printed on. If, at the end of the process, you are not certain that you are 100% clean - then all that effort was for absolutely nothing.

Find a friendly geek to help you out. If they suggest anything else apart from backup, nuke and reinstall then find a more knowledgeable geek.
posted by mr_silver at 3:39 PM on November 1, 2016


Could there be a webcam filming your keyboard? Nobody mentioned that yet.
posted by guy72277 at 2:41 AM on November 2, 2016

