How to Identify and Remove Keylogging Malware from Your Windows 8 Computer
Summary: Determine whether or not your computer is in fact subject to keylogging malware. If you have answered 'yes' to any of the questions in step 1, it is highly probable that you have keylogging malware installed on your computer. For a more...
Step-by-Step Guide
-
Step 1: Determine whether or not your computer is in fact subject to keylogging malware.
Start with some probing questions:
Have any of your account passwords been compromised? Have any of your account passwords been compromised even after changing your password several times? Have you experienced a slowdown in your computer's performance that is not explained by other factors? Has your web cam been turned on without your doing so, and without a video-call program (such as Skype) running?
-
Step 2: If you have answered 'yes' to any of the questions in step 1, it is highly probable that you have keylogging malware installed on your computer.
To identify keylogging malware, you have a few options.
A less intuitive choice would be to download a spyware or keylogger detector program.
For example, here is a list of such programs with download links: http://download.cnet.com/1772-20_4-0.html?query=keylogger+detector&platform=Windows%2CMac%2CiOS%2CAndroid%2CWebware%2CMobile&searchtype=downloads.
Note: If you use a very simple password, or share passwords with another person, you may not have any malware issues at all (this is discussed further below under preventative measures).
-
Step 3: For a more thorough approach, identify keylogging malware with the 'netstat' method.
To do so, you will need to run your command prompt as an administrator.
On a Windows 8 machine, press the Windows key + S.
This will open the search tab on the right hand side.
Enter 'cmd' into the query bar.
Left click on CMD, and run as administrator.
-
Step 4: As you can see, you are currently in the C:\WINDOWS\system32> directory.
You need to change your current working directory to the C:\ root directory, and then display the current network connections and the programs that own them with netstat.
To do this:
Type: cd \ and press Enter.
Type: netstat -b and press Enter.
The -b switch shows the executable behind each connection, which is why the prompt has to be elevated.
-
Step 5: What you see now are the active connections on this computer.
In the introduction, it was explained that keylogging malware will send the collected data to the malware's owner.
In order to do so, the malware requires an active connection.
As you can see in the image, under the 'State' column, all of the current connections are ESTABLISHED, which means that there is an active connection.
Note that netstat only lists programs that have a network connection open at the moment you run it; a keylogger that stores keystrokes locally and only connects now and then may not show up on a single run, so repeat the check a few times.
-
Step 6: Check the software names closely.
While you're viewing this page, you will have an established connection.
This connection will belong to whatever internet browser you're using.
Circled in the picture, you can see that this computer is currently running an instance of chrome.exe (Google Chrome).
This is the important part: what you want to do now is go through the established connections while closely examining the names of the programs that are displayed.
You are looking for a suspicious program name, or a browser name that deviates slightly from the normal one.
For example, instead of the browser's real executable name, the malware might use a name that differs from it by only a character or two.
-
Step 7: If you have found something suspicious, you are about to take care of it.
If you are still unsure, here is how to list the PID (process ID) of each process, which you will then cross-reference with your Task Manager.
In your command prompt, type: netstat -ano and press Enter.
To open your Task Manager, press CTRL+ALT+DELETE.
Once Task Manager is open, click 'More details', then click the 'Details' tab.
-
Step 8: At this stage, you will have to cross-reference the PIDs from your command prompt screen with those on your Task Manager.
This is essentially just to confirm that the programs with active connections on your computer are not harmful.
As circled in the image, PID 4764 corresponds with Google Chrome in Task Manager.
You can now conclude that this active connection is harmless.
-
Step 9: As you've noticed, the computer in the image does not have any malware running on it.
Let's say you had a known malware displayed in netstat, called 'Backdoor.Alvgus.a.exe'.
To find out what you're dealing with, go to www.spywareguide.net and search their database for a description of this malware.
-
Step 10: Delete the malware.
This is rather simple.
For demonstration purposes, assume that Firefox is the malware found running on your computer, and you would like to delete it.
In the Details tab, locate Firefox.
Left click on it, and select 'Open File Location'.
In Task Manager, left click on Firefox again, and click 'End Task'.
Go back to the file location, and navigate to the parent folder (in this case, just click on 'Program Files (x86)' in the address bar above).
Now delete the Firefox folder. Then go to your Recycle Bin and permanently delete the folder.
-
Step 11: Your virus should be all gone.
It is recommended that you restart your computer and go through the same steps to see if the malware is still running once you reboot, just to be sure.
-
Step 12: Take preventative measures in future.
The number one cause of having any type of malware installed on your computer is carelessness.
It is imperative that you do not download anything from untrusted sites, or click on any links that you are unsure of.
It is also recommended that you change your password every 6 weeks.
Do not share your passwords, and do not rush through software installations.
If you are unsure about a piece of software, do an online search for feedback about it from other people, or ask in relevant forums for advice.
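As an added example (not part of the original guide), the following PowerShell script does what the netstat -ano and Task Manager cross-reference steps describe by hand: it lists every ESTABLISHED connection with the owning PID, process name and executable path, and adds the binary's Authenticode signature status as an extra hint. It assumes an elevated PowerShell session on Windows 8 or later, where the NetTCPIP module provides Get-NetTCPConnection.

```powershell
# Added example, not part of the original guide: automates the manual
# "netstat -ano, then match the PID in Task Manager's Details tab" check.
# Assumes an elevated PowerShell session on Windows 8 or later, where the
# NetTCPIP module provides Get-NetTCPConnection.
#Requires -RunAsAdministrator

function Get-EstablishedConnectionOwners {
    # One row per ESTABLISHED TCP connection (netstat's 'State' column),
    # joined to the process that owns it, as the guide does by hand.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $name = '<unknown>'
        $path = $null
        if ($proc) {
            $name = $proc.ProcessName
            # Path is unavailable for protected processes such as System; treat it as unknown
            try { $path = $proc.Path } catch { $path = $null }
        }
        $sig = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            # 'Valid' for binaries carrying a good Authenticode signature (e.g. chrome.exe)
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        [PSCustomObject]@{
            PID           = $conn.OwningProcess
            Process       = $name
            Path          = $path
            Signature     = $sig
            RemoteAddress = $conn.RemoteAddress
            RemotePort    = $conn.RemotePort
        }
    }
}

# Rows with Signature 'NotSigned', or a Path outside Program Files / Windows, are
# the ones to look up by name (the guide uses spywareguide.net for this); a valid
# signature is reassuring but is not by itself proof that a program is harmless.
Get-EstablishedConnectionOwners |
    Sort-Object Signature, Process |
    Format-Table -AutoSize
```

Run it a few times over several minutes, since a program that only connects intermittently will not be listed on every run.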
About the Author
Denise Gray
Brings years of experience writing about lifestyle and related subjects.