Keylogger?

NomarFachix

Member
Feb 7, 2011
I'm fairly sure that I have a keylogger on my computer. Every time that I change a password for a website (Battle.net), I get an alert later that day that the password has changed and personal information has changed, and to verify it. Sometimes it's verified already and the next step is sent to me, meaning that whoever it is has my e-mail passwords and stuff too.

I am constantly changing both e-mail account passwords and the passwords for the site itself, but no matter the different combinations, words, etc., they are always found out and changed in a short period of time. AND it's only on this computer. When I'm at my other home (in another state), I'll get attempted log-in overload notices, but never a changed password or account information.

Anyone have experience with keyloggers? I'd first and foremost like to hunt this [expletive] down and murder him/her with my bare hands (exaggeration), but I know it's likely impossible to trace whoever it is. Other than that just suggestions for ridding the damn thing... Every time I install a new anti-virus or anti-spyware it just locks up my system and I have to do a system restore to get it functioning again.

I'm building a new computer in the next few weeks from the ground up, at which point my Windows upgrades and fancy new anti-virus and all that will suffice in keeping this kind of thing from happening again (hopefully!). But until then, I'll be damned if this isn't annoying. Help me!

Sephire

Golden Member
Feb 9, 2011
You are the only user on your PC? Anti-virus running all the time?

NomarFachix

Member
Feb 7, 2011
Yes, I'm the only user. I currently have NOD32 running, but to be honest it doesn't seem to be doing anything most of the time.

buckjrdley

Member
Feb 28, 2011
Open a command prompt and type "netstat -o". This should show you all the processes on your machine communicating over your network connection.
Look for the number under PID (process ID) associated with any weird addresses that pop up under foreign addresses.
Open Task Manager and go to the Processes tab and you should be able to find the name of the process associated with that ID number (there's a PID column in this tab; if you don't see one you can go to View > Select Columns and put a check mark next to PID).
If anything funky shows up, that could be your keylogger and you can remove the program from your machine.

The idea behind this is to hopefully catch a keylogger process installed on your machine communicating with an external source.

This idea isn't foolproof though, because if the process is set to only send info at certain times, then it's a hit or miss kind of thing.

Hopefully you can catch this thing red-handed!
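As an added illustration (not code from the thread), the following Python script does the netstat / Task Manager cross-check described above on a constructed sample: it parses the table printed by `netstat -o`, keeps established connections whose foreign address lies outside loopback, link-local and private ranges, and joins each PID to a process name. The sample output and the PID-to-name map are constructed; on a real machine you would feed it the output of `netstat -o` and the PID column from Task Manager (or `tasklist`) instead.

```python
import ipaddress
# Constructed sample of "netstat -o" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    127.0.0.1:49713        127.0.0.1:49714        ESTABLISHED     1234
  TCP    192.168.1.5:49712      203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.5:49730      198.51.100.77:8080     ESTABLISHED     6060
  TCP    [::1]:49740            [::1]:49741            ESTABLISHED     1234
  UDP    0.0.0.0:123            *:*                                    892
"""
# Constructed PID -> image name map, standing in for the Task Manager PID column
# (or "tasklist") on a real machine. PID 6060 is deliberately absent from it.
SAMPLE_PROCESSES = {892: "svchost.exe", 1234: "chrome.exe", 4120: "chrome.exe"}
# Ranges that are not "foreign" in any interesting sense: loopback, unspecified,
# link-local and RFC 1918 / ULA private space.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) per table row; UDP rows have no State."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank line or column header
        if len(parts) == 4:
            parts.insert(3, "")  # pad the missing State column on UDP rows
        proto, local, foreign, state, pid = parts
        rows.append((proto, local, foreign, state, int(pid)))
    return rows

def is_external(endpoint):
    """True if 'host:port' (IPv6 written '[addr]:port') points outside LOCAL_NETS."""
    host = endpoint.rpartition(":")[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a hostname rather than an address
    return not any(ip in net for net in LOCAL_NETS)

def triage(netstat_text, processes):
    """Established connections to external hosts, joined to their process name."""
    return [(pid, processes.get(pid, "<no such PID>"), foreign)
            for _, _, foreign, state, pid in parse_netstat(netstat_text)
            if state == "ESTABLISHED" and is_external(foreign)]
```

Because a single snapshot misses anything that only connects periodically, run the check several times over a day and compare the results.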

E411

Junior Member
Mar 22, 2011
All of the tactics mentioned are useless with high-end keyloggers.

There is a well known exploitation framework called Metasploit that can be deployed via a variety of means, including malicious websites or even remote exploits like MS-08-067.

It has a package called Meterpreter, which runs an exploitation package in-memory. It is basically undetectable via virus scanners and can migrate around within various processes. You can run it within iexplorer.exe or even in the virus scanner exe itself. It won't show up obviously in netstat, or in any program managers or otherwise.

There is likely no way for a non-expert to track down the software and even if you did, determining who was controlling it would be very difficult, especially since meterpreter is very good at "pivoting", which allows it to proxy connections through a chain of compromised hosts.

Reformat the system. Sorry! :)