Keystroke Logging Software Removal Instructions

CIS Logo Information Technology Issues Management
Computing and
Information Services

Keystroke Logging Software and Removal Instructions

During the summer of 2002, the United States Secret Service was investigating several nationwide computer intrusions/hacking incidents and requested its field offices to contact system administrators at colleges and universities in their districts to address the issue. These incidents involved the surreptitious insertion of software programs specializing in "key logging".

To date, all known incidents have been restricted to college and university computer systems. The motives of the perpetrators and the number of computer systems compromised remains unknown. In efforts to avert the potential compromise of computer users' privacy, the Secret Service has recommended a nationwide "alert" to all colleges and universities.

Key logger software is a program, which causes every keystroke made on the computer to be recorded. The program can remain completely undetected and is initiated when the computer is turned on. The key logger records everything outgoing to include emails, documents, login names, passwords, and credit card numbers etc.

IMPORTANT ** THE FOLLOWING INSTRUCTION ONLY PERTAIN TO FACULTY STUDENTS AND STAFF OF TEXAS A&M UNIVERSITY: If any of these keylogging utilities are found on your PC, please do not delete them, but contact CIS's Information Technology Issues Management team at ITIM@tamu.edu. Thank you for your cooperation in this matter.

StarrCommander Pro or STARRCMD.EXE
This is a key logger that records all the key strokes to a file allowing you to view them, just by typing the victims IP address in the Internet Explorer (or some other Internet browser).
Files to detect:
Default path: C:\winnt\system32\KREC32
Files to remove: ehks.zip 200 KB, and ev0luti0n HTTP key logger V2.0

loggerv0.9.1.zip 1469 KB
This is a simple key logger that runs invisibly on the target computer. All keys logged are kept in a file called "dat.cab". This file can be opened in any text application and is stored in the same directory as the key logger. When the key logger is first run it should automatically edit the target machine's registry to start on boot-up. The executable can be renamed to anything.
Files to detect:
Default path: C:\windows
Files to remove: all files revealed by typing the following command from a DOS window - "C:\windows\logger.exe /show"

DK2Full.zip 900 KB
Diablo Keys 2.2 - Win32 key logger has a new version... Diablo Keys is a windows keystroke logger that will log all activity in the system, including keys, windows, time and date. DK will send the logs to a predefined email address or ftp account... The New version grabs window text boxes and cached passwords, is more stable, faster and easier to use. It is now compatible with windows NT/2000 and ME. DK is not a Trojan but a monitoring tool like PCAcme, although it is completely free. This requires physical access to the computer.

Files to detect:
Default path: Varies
Files to remove: DK2Full.zip

SKLOGV1.12 (by stAlllOnized) 13 KB
This is a key logger that can log all keystrokes, is case-sensitive and supports all standard keys. It has been written in vb, uses the GetAsyncKeyState API call and doesn't need any other dll or ocx file (only the standard vb6 dlls). It restarts when you start windows (modifies the registry) and can be started/stopped anytime by using key combinations.
Files to detect:
Default path: c:/windows/system
Files to remove: windowskj.log

Phantom2.zip 36 KB
Phantom2 is the successor to Phantom, a keystroke record and playback program for MS-DOS. Works as a TSR (Terminate and Stay Resident) program that resides in memory.
Files to detect:
Default path: Varies
Files to remove: Phantom2.exe, Phantom.exe

KeyLog25.zip 56 KB
KEYLOG!.EXE is a Windows 3.x/95 version 2.5 of a freeware utility that records keystrokes. It is the successor of the original KeyLog. There are newer and better features in this program. To quit the program, all you need to do is press CTRL-ALT-DEL and end the program called -KiDViD-. -KiDViD- is KeyLog's name in disguise.
Files to detect:
Default paths: C:\windows\temp and C:\windows\system
Files to remove:
1. KeyLog!.exe in C:\Windows\Temp
2. KeyLog!.txt in C:\Windows\Temp,
3. KeyLog!.reg in C:\Windows\Temp, and
4. Qpro200.dll in C:\Windows\System

Ghost Keylogger 2.0
Ghost Keylogger is an invisible easy-to-use surveillance tool that records every keystroke to an optionally encrypted log file. The log file can be sent via e-mail to a specified receiver.
Files to detect:
Default path: C:\program files\sync manager
Files to remove: synconfig.exe and logfile.cip

TAMU System administrators and/or IT specialists are strongly encouraged to conduct an internal query of their respective computer networks using the technical file names provided above to determine if any identified key logger software has been installed. Students should understand that this list is not necessarily all-inclusive. This culprit or culprits may be using other files not listed above, consequently students should take note of any computer anomalies.

The "Comments" button above will direct your mail to the CIS Web mail box.

Last Modified: November 3, 2004

CIS Logo
Texas A&M University

Computing & Information Services

Information Technology Issues Management

Phone: (979)845-9254, Fax: (979)845-2704

Teague Building, Room 322

College Station, TX 77843
e-mail address itim

We value your comments and opinions, so please do not hesitate to send us mail.

Back to ITIM Home Page View scheduled changes by Resource

	Information Technology Issues Management
Computing and Information Services