How can I tell if a keylogger got added to my PC while I was in Beijing?

 
 
Donna Ohl
Guest
Posts: n/a

 
      10-27-2008, 03:59 AM
I was in Beijing, and I used my Windows PC there with a freeware firewall
and freeware anti virus and freeware malware scanners.

Recently a friend said nearly all American travelers were to be warned by
the State Department that their laptops, if left in the hotel, were almost
certainly compromised.

How could I tell if a keylogger or other spyware was inserted onto my
laptop by the Chinese?
 
Jon
Guest
Posts: n/a

 
      10-27-2008, 11:25 AM
Donna Ohl wrote...

> I was in Beijing, and I used my Windows PC there with a freeware firewall
> and freeware anti virus and freeware malware scanners.
>
> Recently a friend said nearly all American travelers were to be warned by
> the State Department that their laptops, if left in the hotel, were almost
> certainly compromised.
>
> How could I tell if a keylogger or other spyware was inserted onto my
> laptop by the Chinese?
>


Sniff the keyboard. If you can smell sweet & sour, you've been got at.


 
Emil Tiades
Guest
Posts: n/a

 
      10-27-2008, 02:41 PM

On Sun, 26 Oct 2008 21:59:26 -0700, Donna Ohl
<(E-Mail Removed)> wrote:

>I was in Beijing, and I used my Windows PC there with a freeware firewall
>and freeware anti virus and freeware malware scanners.
>
>Recently a friend said nearly all American travelers were to be warned by
>the State Department that their laptops, if left in the hotel, were almost
>certainly compromised.
>
>How could I tell if a keylogger or other spyware was inserted onto my
>laptop by the Chinese?


You MUST get one of these without delay
http://zapatopi.net/afdb/
 
PA Bear [MS MVP]
Guest
Posts: n/a

 
      10-27-2008, 03:25 PM
Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachi...php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Donna Ohl wrote:
> I was in Beijing, and I used my Windows PC there with a freeware firewall
> and freeware anti virus and freeware malware scanners.
>
> Recently a friend said nearly all American travelers were to be warned by
> the State Department that their laptops, if left in the hotel, were almost
> certainly compromised.
>
> How could I tell if a keylogger or other spyware was inserted onto my
> laptop by the Chinese?


 
Reply With Quote
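As an illustration of what a reviewer reads in the log PA Bear asks for, here is an added example (not part of the original post and not HijackThis code) that parses the `CODE - entry` lines of a HijackThis log and lists load-point entries worth raising with the reviewer. The sample log, the function names and the triage hints are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis log layout (not taken from the thread).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:02 AM, on 10/27/2008

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKCU\..\Run: [updchk] C:\Documents and Settings\user\Local Settings\Temp\updchk.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\WINDOWS\system32\exsvc.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Log sections that list code loaded at boot or logon.
LOAD_POINTS = {"O2": "browser helper object", "O4": "autostart entry",
               "O20": "AppInit_DLLs / Winlogon Notify", "O23": "service"}
# Triage hints: assumptions of this example, not verdicts from HijackThis.
HINTS = [
    (re.compile(r"\\(temp|local settings|application data)\\", re.I),
     "runs from a user-writable directory"),
    (re.compile(r"\((file missing|no file)\)", re.I), "file not on disk"),
    (re.compile(r"unknown owner", re.I), "no vendor information"),
]

def parse_entries(log_text):
    """Group 'CODE - body' lines by section code; header and process lines are skipped."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group("code")].append(m.group("body"))
    return dict(entries)

def review_candidates(entries):
    """Return (code, kind, body, reasons) for load-point entries matching any hint."""
    found = []
    for code, kind in LOAD_POINTS.items():
        for body in entries.get(code, []):
            reasons = [why for rx, why in HINTS if rx.search(body)]
            if reasons:
                found.append((code, kind, body, reasons))
    return found

if __name__ == "__main__":
    for code, kind, body, reasons in review_candidates(parse_entries(SAMPLE_LOG)):
        print(f"{code} ({kind}): {body}\n    -> {', '.join(reasons)}")
```

A match is only a prompt to look closer; an entry that matches no hint is not thereby cleared, which is why the full log still goes to a reviewer.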
 
FromTheRafters
Guest
Posts: n/a

 
      10-27-2008, 11:09 PM
"Donna Ohl" <(E-Mail Removed)> wrote in message
news:ASbNk.4031$(E-Mail Removed)...
>I was in Beijing, and I used my Windows PC there with a freeware firewall
> and freeware anti virus and freeware malware scanners.


Usually, depending on which ones you have, these are adequate
safeguards. A couple of anti-spyware applications could also be
added to round things out.

> Recently a friend said nearly all American travelers were to be warned by
> the State Department that their laptops, if left in the hotel, were almost
> certainly compromised.


Physical access to the machine trumps all!

> How could I tell if a keylogger or other spyware was inserted onto my
> laptop by the Chinese?


Scan for everything under the sun from a *clean* environment.
Booting from a known clean boot cd should thwart *most*
malware from interfering with the scanning.

Follow the advice of PA Bear as well. If I am not mistaken, the
HijackThis program has to be run from the tainted environment
in order to get at the registry data it needs to scan.


 
FromTheRafters
Guest
Posts: n/a

 
      10-27-2008, 11:26 PM
I guess zeroes are good enough for stopping a process from
accessing the data, but this leaves you open to forensic probes.

"FromTheRafters" <(E-Mail Removed)> wrote in message
news:O%(E-Mail Removed)...
> "Donna Ohl" <(E-Mail Removed)> wrote in message
> news:ASbNk.4031$(E-Mail Removed)...
>>I was in Beijing, and I used my Windows PC there with a freeware firewall
>> and freeware anti virus and freeware malware scanners.

>
> Usually, depending on which ones you have, these are adequate
> safeguards. A couple of anti-spyware applications could also be
> added to round things out.
>
>> Recently a friend said nearly all American travelers were to be warned by
>> the State Department that their laptops, if left in the hotel, were almost
>> certainly compromised.

>
> Physical access to the machine trumps all!
>
>> How could I tell if a keylogger or other spyware was inserted onto my
>> laptop by the Chinese?

>
> Scan for everything under the sun from a *clean* environment.
> Booting from a known clean boot cd should thwart *most*
> malware from interfering with the scanning.
>
> Follow the advice of PA Bear as well. If I am not mistaken, the
> HijackThis program has to be run from the tainted environment
> in order to get at the registry data it needs to scan.
>



 
Rotten Ronny
Guest
Posts: n/a

 
      10-28-2008, 08:00 PM
"Trespasser" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Worst case scenario, you won't. There are programs impervious to
> detection; you could always format and re-install your laptop if you are
> that worried about it. Next time be a little more aware of 'free' stuff
> ...... there's no such thing as free!
>


There is nothing impervious to detection if you use the right tools and are
willing to invest the time needed to find them. Personally, I would just do
a secure wipe and practice better safeguards in the future.

 
FromTheRafters
Guest
Posts: n/a

 
      10-28-2008, 09:24 PM
Damn, that post belongs in another thread.

I wanted to post this here:

http://www.ngssoftware.com/research/...CI_Rootkit.pdf

"FromTheRafters" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I guess zeroes are good enough for stopping a process from
> accessing the data, but this leaves you open to forensic probes.
>
> "FromTheRafters" <(E-Mail Removed)> wrote in message
> news:O%(E-Mail Removed)...
>> "Donna Ohl" <(E-Mail Removed)> wrote in message
>> news:ASbNk.4031$(E-Mail Removed)...
>>>I was in Beijing, and I used my Windows PC there with a freeware firewall
>>> and freeware anti virus and freeware malware scanners.

>>
>> Usually, depending on which ones you have, these are adequate
>> safeguards. A couple of anti-spyware applications could also be
>> added to round things out.
>>
>>> Recently a friend said nearly all American travelers were to be warned by
>>> the State Department that their laptops, if left in the hotel, were almost
>>> certainly compromised.

>>
>> Physical access to the machine trumps all!
>>
>>> How could I tell if a keylogger or other spyware was inserted onto my
>>> laptop by the Chinese?

>>
>> Scan for everything under the sun from a *clean* environment.
>> Booting from a known clean boot cd should thwart *most*
>> malware from interfering with the scanning.
>>
>> Follow the advice of PA Bear as well. If I am not mistaken, the
>> HijackThis program has to be run from the tainted environment
>> in order to get at the registry data it needs to scan.
>>

>
>



 
Steve Riley [MSFT]
Guest
Posts: n/a

 
      10-29-2008, 02:08 AM
I've heard these rumors before, too, and I'm not convinced they're true.
I've traveled to China several times; it isn't the monolithic evil empire
that bulletins like this would seem to indicate. Any laptop left anyplace
unattended has risk; drive encryption like BitLocker is really the only way
to mitigate such attacks (other than keeping the laptop with you at all
times).

--
Steve Riley
(E-Mail Removed)
http://blogs.technet.com/steriley
Protect Your Windows Network: http://www.amazon.com/dp/0321336437



"Donna Ohl" <(E-Mail Removed)> wrote in message
news:ASbNk.4031$(E-Mail Removed)...
> I was in Beijing, and I used my Windows PC there with a freeware firewall
> and freeware anti virus and freeware malware scanners.
>
> Recently a friend said nearly all American travelers were to be warned by
> the State Department that their laptops, if left in the hotel, were almost
> certainly compromised.
>
> How could I tell if a keylogger or other spyware was inserted onto my
> laptop by the Chinese?


 
Dustin Cook
Guest
Posts: n/a

 
      10-29-2008, 06:31 PM
"Steve Riley [MSFT]" <(E-Mail Removed)> wrote in
news:E3C4B9CE-9821-4AB1-A7B4-(E-Mail Removed):

> I've heard these rumors before, too, and I'm not convinced they're
> true. I've traveled to China several times; it isn't the monolithic
> evil empire that bulletins like this would seem to indicate. Any
> laptop left anyplace unattended has risk; drive encryption like
> BitLocker is really the only way to mitigate such attacks (other than
> keeping the laptop with you at all times).
>


Depending on where you go in China, if you leave a laptop behind, yes,
someone might come along and install something and not take your laptop.
Why would they do this? Having remote access is more valuable, let you
decrypt the data for them.

If you suspect your computer has been compromised, I wouldn't even bother
scanning it unless you're a pro; and are willing and know how to go low level
on your own. If you don't have the skills, secure wipe the drive, and
reload the system from known clean backups. In the future, keep all
important data safe and encrypted. Using a proprietary encryption system for
the entire HD isn't a bad idea in this case. That way, no password, no
access, no dropping/installing anything.


--
Regards,
Dustin Cook, Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org


 