[PLUG] Looking for a keylogger infection...
plug_0 at robinson-west.com
Tue May 17 19:39:22 UTC 2005
I'm trying to clean up a friend's XP system. I found a file
called twacker in the root directory that looks like a log
from a keylogger. Now this is silly of course; why would a
trojan ever leave a record of what it did? I'm planning on
using an isolated Linux system to store a copy of what's on
the system if there's something that needs to be recovered
later and then I want to zero format the drive.
Is there a program I should burn to a cd and install to my
friend's computer that will find any keylogger that might
be there? Does anyone know a specific file name to search
for or something that will be in the registry that will
indicate a keylogger is installed?
My plan after zero format (I'm thinking I can do that using
Linux and dd) is to install Windows XP first to the first
half of her hard drive and then put Fedora Core 3 on the
other half. My idea is to back up the Windows system using
the Fedora Core 3 system. I want her to be able to restore
Windows to a known clean state. I'm planning on keeping a
second copy of the backup myself. Is it possible to read
the NTFS filesystem so I can use tar etc. under Fedora Core
3, to back the Windows system up? My goal is to write a
script so that, after teaching her a little about Linux, she can
restore the Windows system by simply logging in to the Linux
side and running the script. Do I need to be
thinking image file instead of tarball so I don't have
to worry about the specifics of NTFS? I want the
restore procedure to reset every single bit on the
windows partition and the boot sector of the hard
drive as well; I figure that this will almost
certainly clean off any malware. I should probably
make a bootable cd with grub in case the boot sector
does get compromised.
OT: Is there a program that will lock the windows registry?
-- Michael C. Robinson
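An added example (not from Michael's post or the PLUG list) of the image-route backup and restore the message is asking about, as one shell script run from the Fedora side. Device names such as /dev/sda and /dev/sda1, the image path and the script name are assumptions; the functions take the disk, partition and image as arguments so the same code can be tried against ordinary files before it is pointed at real devices.

```bash
#!/bin/bash
# Added example, not part of the original post: image-based backup and restore
# of a Windows partition plus the MBR boot code from the Linux side, using
# dd, gzip and sha256sum. Device names (/dev/sda, /dev/sda1) and image paths
# are assumptions; the functions take them as arguments, so the same code
# can be exercised safely against ordinary files.
set -eu

# backup_image SRC_DEV IMAGE: copy every byte of the partition into a
# gzip-compressed image. The partition is imaged as a whole, so the image
# is NTFS-agnostic (no need to read NTFS from Linux) and a restore rewrites
# every sector, not just the files NTFS happens to expose.
backup_image() {
    src=$1; img=$2
    dd if="$src" bs=1M 2>/dev/null | gzip -c > "$img"
    # Record the raw size and SHA-256 of what the image decompresses to, so a
    # later restore can be checked without trusting anything on the Windows side.
    gzip -dc "$img" | wc -c | tr -d ' ' > "$img.size"
    gzip -dc "$img" | sha256sum | cut -d' ' -f1 > "$img.sha256"
}

# verify_image IMAGE DEV: true if the first <size> bytes of DEV are exactly
# the bytes recorded at backup time.
verify_image() {
    img=$1; dev=$2
    size=$(cat "$img.size")
    expected=$(cat "$img.sha256")
    actual=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then return 0; else return 1; fi
}

# restore_image IMAGE DEV: write the image back over the whole partition and
# verify it. Because the image covers the full partition, every bit of the
# Windows partition is reset to the known-good state.
restore_image() {
    img=$1; dev=$2
    gzip -dc "$img" | dd of="$dev" bs=1M conv=notrunc 2>/dev/null
    sync
    verify_image "$img" "$dev"
}

# backup_mbr DISK FILE: save the 512-byte MBR (boot code + partition table).
backup_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# restore_mbr_bootcode DISK FILE: put back only the 446 bytes of boot code
# (where boot-sector malware lives). The partition table at bytes 446-509
# and the 0x55AA signature are left alone so the Linux half of the disk,
# and the partition layout, survive the restore.
restore_mbr_bootcode() {
    dd if="$2" of="$1" bs=446 count=1 conv=notrunc 2>/dev/null
    sync
}

# Command-line use (paths below are assumptions for illustration):
#   ./winimage.sh backup  /dev/sda /dev/sda1 /backup/winxp.img
#   ./winimage.sh restore /dev/sda /dev/sda1 /backup/winxp.img
case "${1:-}" in
    backup)  backup_mbr "$2" "$4.mbr"; backup_image "$3" "$4" ;;
    restore) restore_image "$4" "$3"; restore_mbr_bootcode "$2" "$4.mbr" ;;
    *)       echo "usage: $0 backup|restore DISK WIN_PARTITION IMAGE" ;;
esac
```

A whole-partition image sidesteps NTFS entirely, which is why the question of reading NTFS under Fedora does not arise: dd copies sectors, not files, and writing the image back rewrites every sector of the Windows partition, which is what the message asks for. Two checks are worth keeping: the image's sha256 and size are recorded at backup time and rechecked after the restore, and only the 446 bytes of MBR boot code are written back, so the partition table (and with it the Linux half) is not clobbered. The restore only resets the Windows partition; it assumes the Fedora side and the stored image are still trustworthy, which is the reason for keeping the second copy of the backup elsewhere. Take the backup with the Windows partition unmounted and before the partition layout is changed; an image restored onto a resized partition will not verify.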