
Locating SPY software

goobernoodles

Golden Member
I was referred to a private investigation firm by an old coworker to clean up a machine with spyware. I figured it was going to be an easy job: run a few scans, possibly some manual removal of crap.

Found one fairly harmless trojan, ran avg, malwarebytes, ad aware, spybot, and even ccleaner. Overkill, really, as the machine appeared to be in half decent shape.

Turns out they actually meant spy software. Such as.. keyloggers... etc.

So my question is... where should I start looking? I assume I should start by looking to see if there are any strange processes running... check out the registry for what runs on startup.. etc.. But has anyone ever gone out looking for traces of keyloggers and/or other crap that can be used to spy on another machine?
 
I'm no expert, but A/V software should pick up "legitimate" spyware also. They work the same way, it's just a matter of intent. In addition to what you said, scan for rootkits, and programs that allow remote PC operation.
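The starting points named in the two posts above (strange processes, registry startup entries, rootkits, and remote-control programs) can be walked through in one pass. The script below is an added example and is not code from the thread or from any of the products mentioned in it. It assumes an elevated Windows PowerShell prompt on the suspect machine; the indicator list is an assumption built from the product names that come up in this thread plus generic keylogger and remote-access vocabulary, and it is meant to be extended, not treated as complete. On an XP-era box without Get-CimInstance, swap in Get-WmiObject.

```powershell
# Added example, not from the thread: first-pass triage of the places consumer
# keyloggers and remote-control tools persist on Windows. Run elevated.

# Assumed, non-exhaustive indicator list: product names from the thread plus
# generic vocabulary. Kept narrow on purpose ('spy' alone would flag Spybot).
$Indicators = @('pcspy', 'pc spy', 'vskeylogger', 'keylog', 'keystroke',
                'spyagent', 'vnc', 'radmin', 'teamviewer', 'ammyy', 'logmein')

function Test-Indicator {
    param([string]$Text)
    if (-not $Text) { return $null }
    $lower = $Text.ToLower()
    foreach ($i in $Indicators) { if ($lower.Contains($i)) { return $i } }
    return $null
}

function New-Finding($Source, $Name, $Value, $Hit) {
    [pscustomobject]@{ Source = $Source; Name = $Name; Value = [string]$Value; Hit = $Hit }
}

# Autostart locations that consumer keyloggers typically write to.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own provider metadata
            New-Finding $key $p.Name $p.Value (Test-Indicator "$($p.Name) $($p.Value)")
        }
    }
}

# Winlogon Shell/Userinit and AppInit_DLLs are classic hook points; compare
# against the stock values instead of string-matching.
function Test-Winlogon {
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
        New-Finding 'Winlogon' 'Shell' $wl.Shell 'non-default'
    }
    $expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
    if ($wl.Userinit -and $wl.Userinit -ne $expectedUserinit) {
        New-Finding 'Winlogon' 'Userinit' $wl.Userinit 'non-default'
    }
    $win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    if ($win.AppInit_DLLs) {   # normally empty; a DLL here is injected into every GUI process
        New-Finding 'AppInit' 'AppInit_DLLs' $win.AppInit_DLLs 'non-empty'
    }
}

function Get-SuspiciousProcesses {
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        $path = $null
        try { $path = $proc.Path } catch { }   # access denied on protected processes
        $hit = Test-Indicator "$($proc.ProcessName) $path"
        if ($hit) { New-Finding 'Process' $proc.ProcessName "$($proc.Id) $path" $hit }
    }
}

function Get-SuspiciousServices {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $hit = Test-Indicator "$($svc.Name) $($svc.DisplayName) $($svc.PathName)"
        if ($hit) { New-Finding 'Service' $svc.Name "$($svc.State) $($svc.PathName)" $hit }
    }
}

function Get-SuspiciousTasks {
    # schtasks works on older systems where Get-ScheduledTask does not exist.
    foreach ($t in (schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv)) {
        $cmd = $t.'Task To Run'
        $hit = Test-Indicator "$($t.TaskName) $cmd"
        if ($hit) { New-Finding 'ScheduledTask' $t.TaskName $cmd $hit }
    }
}

function Get-KeyboardDevices {
    # An inline USB/PS2 hardware logger is a pass-through and is invisible here;
    # this only surfaces devices that enumerate as an additional keyboard.
    Get-CimInstance -ClassName Win32_Keyboard | Select-Object Description, DeviceID, PNPDeviceID
}

$findings = @()
$findings += (Get-AutorunEntries | Where-Object { $_.Hit })
$findings += Test-Winlogon
$findings += Get-SuspiciousProcesses
$findings += Get-SuspiciousServices
$findings += Get-SuspiciousTasks

"Indicator hits:"
$findings | Format-Table Source, Name, Hit, Value -AutoSize
"All autorun entries for manual review (a renamed binary will not match the list):"
Get-AutorunEntries | Format-Table Source, Name, Value -AutoSize
"Keyboard devices (an inline hardware logger will not appear here):"
Get-KeyboardDevices | Format-Table -AutoSize
```

The indicator matches are a starting point, not a verdict: commercial spy software is sold on the promise of staying hidden, so the full autorun listing and the Winlogon/AppInit comparisons matter more than the name matches, and anything a rootkit hides from the registry and process APIs will not show up in this output at all. Record what you find before removing it, since the client may want it as evidence.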
 
Well, just by searching the registry, I found traces of pc spy keylogger and vskeylogger. I'm going to hold off until tomorrow, as they might have just wanted proof... but... As far as these keyloggers go, how can I be sure they are removed, if that is indeed what I need to do?
 
I'm going to answer my own question and just recommend to them to just do a full system rebuild. As it's the only way to be 100% sure you have a clean machine.
 
It seems like I remember a-squared anti-malware would detect commercial keyloggers. It's worth looking into although a rebuild is best. If they use usb devices, I would scan them also to prevent possible reinfection.

I would also investigate the likelihood of a hardware keylogger.
 
Anyone tried Trend Micro's HijackThis? I'm not sure if it will detect them (I'd like to know the answer if anyone knows).
 