Jon Posted July 22, 2008

Now this is probably a bit of a weird one... I think I have a keylogger on one of my computers. I am a local admin on the machine etc. and have noticed nothing unusual until today, and haven't been anywhere dodgy or installed unlicensed software etc.

I noticed my scheduled AV scan had hung whilst looking at a directory "C:\Program files\NS Keylogger xxx" (there was some more info after, but I don't have it here). It was on a DLL, if that makes any difference, and the AV is Symantec AV. I went to the location and couldn't find any reference to it. I checked that my settings were set to show hidden files and folders and also to show protected operating files, but still nothing. I then went in and changed the folder view settings at the registry level, which still showed nothing.

What I'm wondering is, as the computer is a member of a domain, is it possible for an admin etc. to install an app like that so it's completely invisible? The OS is Vista Ultimate.

I'm just really worried that there is a keylogger that I can't locate but the AV scan can; any advice would be very much appreciated. My next steps are to build a new machine, then image\mount the disk externally and have a look with something a bit more powerful than Windows.

Just feeling very paranoid at the moment and heading to another machine to go and change all my passwords.

Cheers,
Jon.
Mac Posted July 22, 2008

It's certainly possible to hide entries from a file system using a rootkit. Essentially this sits in front of most system services and is incredibly good at hiding.

If you want to be really sure, then install ANOTHER copy of Win XP on the same machine - choose a different directory, ideally another hard disk. Then install your AV on that and run a scan on the original volume.

An easier way would be to take the hard disk out of your machine and pop it in another unit as a slave/secondary drive (or put it in a USB cage) and then scan it.

My guess is you'll find you've got some form of rootkit. It is possible to implement these without the users seeing. We do so regularly on our secure sites. But to be fair, all the users are warned as such on those particular sites.
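The offline-scan advice above rests on a simple idea: a rootkit can filter what the live OS's file APIs report, but it cannot filter a listing taken with the disk mounted under a clean OS. Comparing the two listings (a "cross-view diff") flags exactly the entries the live system is hiding, independent of any AV signature. The Python script below is an added example, not code from this thread or from any tool mentioned in it; the sample listings, the drive letters and the file name hook.dll are constructed, and "NS Keylogger xxx" is used only as the placeholder name Jon quoted.

```python
"""
Cross-view directory comparison for spotting rootkit-hidden entries.

Added example (not from the forum thread). Workflow:
  1. Run walk_listing() on the suspect volume from inside the running OS
     and save the result.
  2. Boot a clean OS (second install, or the disk mounted as a secondary
     drive / in a USB enclosure) and run walk_listing() on the same volume.
  3. Feed both listings to cross_view_diff(); anything present only in the
     offline view was invisible to the live OS's file APIs.
"""
from __future__ import annotations

import os
from typing import Iterable


def normalize(path: str) -> str:
    """Make paths from the two views comparable.

    Windows paths are case-insensitive, and the drive letter differs between
    the live view (C:\\...) and the offline mount (e.g. E:\\...), so the
    drive prefix is dropped and separators/case are unified.
    """
    p = path.replace("\\", "/")
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.strip("/").lower()


def walk_listing(root: str) -> set[str]:
    """Enumerate every file and directory under `root`, relative to root.

    Uses ordinary OS APIs on purpose: on a live, rootkitted system this is
    exactly the view that gets filtered, which is what the diff exposes.
    """
    found: set[str] = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        base = "" if rel == "." else rel.replace(os.sep, "/")
        for name in dirnames + filenames:
            found.add(f"{base}/{name}".lstrip("/"))
    return found


def cross_view_diff(live_view: Iterable[str],
                    offline_view: Iterable[str]) -> dict[str, set[str]]:
    """Compare a live-OS listing against an offline-mount listing.

    'hidden_from_live'  - present on disk but not reported by the live OS:
                          candidates for rootkit hiding, investigate these.
    'only_in_live'      - reported live but absent offline: usually files
                          created between the two snapshots (logs, temp
                          files); listed separately so they are not mistaken
                          for hiding.
    """
    live = {normalize(p) for p in live_view}
    offline = {normalize(p) for p in offline_view}
    return {
        "hidden_from_live": offline - live,
        "only_in_live": live - offline,
    }


def report(diff: dict[str, set[str]]) -> list[str]:
    """Render the diff as one line per finding, hidden entries first."""
    lines = [f"HIDDEN FROM LIVE OS: {p}" for p in sorted(diff["hidden_from_live"])]
    lines += [f"only in live snapshot: {p}" for p in sorted(diff["only_in_live"])]
    return lines or ["no discrepancies between live and offline views"]


# Constructed sample listings standing in for the two walk_listing() runs.
# The keylogger directory name is the placeholder from the thread; hook.dll
# is made up. On the live view the two entries are absent, as a rootkit
# filtering directory enumeration would make them.
LIVE_VIEW = [
    r"C:\Program Files\Common Files",
    r"C:\Program Files\Symantec AntiVirus",
    r"C:\Program Files\Symantec AntiVirus\scanner.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
]
OFFLINE_VIEW = [
    r"E:\Program Files\Common Files",
    r"E:\Program Files\Symantec AntiVirus",
    r"E:\Program Files\Symantec AntiVirus\scanner.exe",
    r"E:\Program Files\NS Keylogger xxx",
    r"E:\Program Files\NS Keylogger xxx\hook.dll",
    r"E:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    for line in report(cross_view_diff(LIVE_VIEW, OFFLINE_VIEW)):
        print(line)
```

Take the live snapshot first and the offline one immediately after shutting down, so the "only in live snapshot" bucket stays small; anything in "HIDDEN FROM LIVE OS" that is not explained by a file deleted between the two runs deserves a look from the clean OS, where the AV can also scan it without the rootkit interfering.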
Jon (Author) Posted July 22, 2008

Quoting Mac:
"It's certainly possible to hide entries from a file system using a rootkit. Essentially this sits in front of most system services and is incredibly good at hiding. If you want to be really sure, then install ANOTHER copy of Win XP on the same machine - choose a different directory, ideally another hard disk. Then install your AV on that and run a scan on the original volume. An easier way would be to take the hard disk out of your machine and pop it in another unit as a slave/secondary drive (or put it in a USB cage) and then scan it. My guess is you'll find you've got some form of rootkit. It is possible to implement these without the users seeing. We do so regularly on our secure sites. But to be fair, all the users are warned as such on those particular sites."

Cheers Mac,

The machine in question is dual boot Vista\XP, so I will fire XP up and scan from there. I just had my eyes opened in the last 12 hours!!

Jon.
Jon (Author) Posted July 24, 2008

Ran the scan and nothing turned up. Have retired the disk and passed it to someone to investigate.....

Jon.