Tutorial: Checking for Keyloggers/etc.

FlamesUK
  • TTG Addict
Status: Offline
Joined: Sep 23, 2010 (14 Year Member)
Posts: 2,245
Reputation Power: 304
Very brief explanation for users using Windows.
Fine print: This is for educational purposes only,
though I doubt you could use it with malicious intent.
Furthermore, this is only to be used for the detection of malicious programs that utilize a connection to the internet (keyloggers, specific types of Trojans, etc.).
It's also not used to remove said programs.
This is just to prevent people making "OMG AM I KEYLOGGED" threads constantly.


To find keyloggers (as well as any other malicious program accessing the internet),
it's usually not as simple as just opening your Task Manager and finding the process.
Nor is it as easy as running a virus scan.
The fact of the matter is that if a hacker wants their activity to be undetectable,
you will not see it.
That's all there is to it.
Hackers can use complex methods of hiding files/processes from such tools to make this sort of 'quick fix' impossible.
Though it may be possible with that kid down the block that gave you a keylogger to mess with you, it's not possible with an educated hacker.

To avoid this,
there are several ways to figure out if someone has unauthorized access over your client.
The easiest being as follows:

Do this once BEFORE YOU CONNECT TO THE INTERNET IN ANY WAY.

Press the start menu button.

Click "Run". (Windows 7 may not have this by default. Just search it in your "Search programs and files" bar.)

Type "Cmd", and run it.

You should now be in a Command Prompt.

Now enter: netstat -arn

Press enter.

You should now see a list of numbers under "Network Address, Netmask, Gateway Address, Interface, Metric".

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1

If it doesn't look something like that,
and you're not connected to the internet...
your computer is infected.

If it does, move on.

Next, connect to the internet.
Repeat the "netstat -arn" command mentioned earlier.

You should now see numbers under "Network Destination, Netmask, Gateway Address, Interface, Metric".

If it doesn't list only the network addresses used by your ISP...
You're infected.

As a rule of thumb, it should be something like:

0.0.0.0 0.0.0.0 216.1.104.70 216.1.104.70 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
216.1.104.0 255.255.255.0 216.1.104.70 216.1.104.70 1
216.1.104.70 255.255.255.255 127.0.0.1 127.0.0.1 1
216.1.104.255 255.255.255.255 216.1.104.70 216.1.104.70 1
224.0.0.0 224.0.0.0 216.1.104.70 216.1.104.70 1
255.255.255.255 255.255.255.255 216.1.104.70 216.1.104.70 1

If you see something odd listed here... It's bad.

In the next section you are going to close every program you have using the internet.
You're now going to open up your Command Prompt and type: netstat -an
The only IP listed here after you close everything accessing the internet should be the one assigned to you by your ISP.
If there are any other IPs listed here...
You're infected.

Rule of thumb... Should look like this:

Protocol Local Address Foreign Address State
TCP 0.0.0.0:0 0.0.0.0:0 LISTENING
TCP 216.1.104.32:120 0.0.0.0:0 LISTENING
TCP 216.1.104.32:121 0.0.0.0:0 LISTENING
TCP 216.1.104.32:122 0.0.0.0:0 LISTENING
UDP 216.1.104.32:123 *:*

Listed here, 216.1.104.32... The bolded part will almost always change.
Consider that number your "Session ID".

Last, go back into your Prompt.
Type in, again: netstat -arn
Look for "Interface list".
You should now see all your active network adapters.
Assuming you still have all your programs closed,
you should only see the net adapters normally used by your computer.
(And possibly a Teamviewer VPN assuming you use Teamviewer. It doesn't like to close its net adapter sometimes.)

If you see something your computer obviously doesn't use normally,
(assuming you don't know how to use your Control Panel to find the network adapters manually) Google is your friend.
Chances are that if it's utilizing half of your network connection with everything closed...
It's probably not friendly.
Now, that step won't usually show anything odd,
even if you have a virus.
So, I won't go so far as to say you're not infected yet.

The last step... Obviously: Run a virus scan.
Hackers are able to hide viruses from these scans using very simple methods.
Naturally though, you can't hide from everything.
The more anti-virus programs you have,
the better the chance of picking something up. (Seriously. It may be annoying, but if you're security conscious, it's a must.)

That concludes this installment of "Stop Failing 101".

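The "close everything, run netstat -an, look for anything extra" step from the post above becomes repeatable if you capture one snapshot with programs closed and diff it against a later one. The script below is an added example, not code from FlamesUK's post; the netstat text in it is constructed sample data in the Windows `netstat -an` layout, and the 198.51.100.7 peer and port 7777 are placeholders rather than indicators from this thread.

```python
import re

# Row layout of Windows "netstat -an": Proto, Local Address, Foreign Address, State.
# UDP rows print "*:*" as the foreign address and carry no State column.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample snapshots (not real output): a "before" capture taken with
# everything closed, and a later capture that has grown three extra rows.
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    216.1.104.32:139       0.0.0.0:0              LISTENING
  UDP    216.1.104.32:123       *:*
"""
AFTER = BEFORE + """\
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    216.1.104.32:49322     198.51.100.7:443       ESTABLISHED
  TCP    127.0.0.1:49400        127.0.0.1:5357         ESTABLISHED
"""

def parse_netstat(text):
    """Parse netstat text into a set of (proto, local, foreign, state) tuples.
    Header lines do not start with TCP/UDP and are skipped; UDP rows get state ""."""
    rows = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.add((proto, local, foreign, state or ""))
    return rows

def is_loopback(addr):
    """True for 127.x.x.x or [::1]:port peers, which never leave the machine."""
    return addr.startswith("127.") or addr.startswith("[::1]")

def compare_snapshots(before, after):
    """Return (new_listeners, new_connections): rows in `after` missing from `before`.
    Listeners are reported by local address; connections to loopback are dropped."""
    added = parse_netstat(after) - parse_netstat(before)
    new_listeners = sorted(local for _, local, _, state in added if state == "LISTENING")
    new_connections = sorted(
        row for row in added
        if row[3] != "LISTENING" and row[2] != "*:*" and not is_loopback(row[2])
    )
    return new_listeners, new_connections

if __name__ == "__main__":
    listeners, conns = compare_snapshots(BEFORE, AFTER)
    print("new listeners:", listeners, "\nnew connections:", conns)
```

On a real machine, save `netstat -an > before.txt` with programs closed, capture again later, and pass both files' contents to `compare_snapshots`. A reported row is a lead to identify by owning process (`netstat -ano` shows the PID), not by itself proof of infection.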
#2. Posted:
YOLOSWAGMASTER420
  • TTG Senior
Status: Offline
Joined: Sep 29, 2011 (13 Year Member)
Posts: 1,748
Reputation Power: 81
Very good post, good job man.
#3. Posted:
Zuul
  • Video King
Status: Offline
Joined: Apr 24, 2010 (14 Year Member)
Posts: 288
Reputation Power: 30
Very good informative post, I actually had a keylogger the previous week. Good job Flames :thumbsup:
#4. Posted:
Status: Offline
Joined: Jul 09, 2010 (14 Year Member)
Posts: 1,800
Reputation Power: 67
What happened to Dawn's post on this??? Yours looks the same from what I can remember...

-Dope
#5. Posted:
Mika
  • TTG Contender
Status: Offline
Joined: Jul 08, 2011 (13 Year Member)
Posts: 3,129
Reputation Power: 135
DopestDope_Eva wrote: What happened to Dawn's post on this??? Yours looks the same from what I can remember...

-Dope

Vanished into thin air never to be gazed upon ever again.

I was listening to dramatic music while writing this comment.
#6. Posted:
-Pope
  • TTG Champion
Status: Offline
Joined: Jan 15, 2010 (14 Year Member)
Posts: 8,929
Reputation Power: 392
Good post man, I've been cleaning out my computer and I didn't really understand how to check for keyloggers and such, but this broke it down to make sure I was clean.
#7. Posted:
WHITEGUY999
  • Resident Elite
Status: Offline
Joined: Feb 19, 2012 (12 Year Member)
Posts: 243
Reputation Power: 9
Good job! But um... can you make the font size a bit bigger? To me it seems tiny and very hard to read!
#8. Posted:
iRetro750
  • Junior Member
Status: Offline
Joined: Apr 25, 2012 (12 Year Member)
Posts: 66
Reputation Power: 5
Wow, pretty good, mint, solid, big massive post you have got there.
#9. Posted:
Fake
  • Resident Elite
Status: Offline
Joined: Feb 14, 2010 (14 Year Member)
Posts: 225
Reputation Power: 8
OR, you could download Comodo Firewall, SpyBot - Search and Destroy, and open up msconfig.
#10. Posted:
fwiz
  • Powerhouse
Status: Offline
Joined: Jan 20, 2012 (12 Year Member)
Posts: 484
Reputation Power: 17
This is an awesome tut, it's a good one.