A method to check for keyloggers
There are anti-monitoring shareware tools available, but a simple, easy way to check a suspected computer is to use a freeware tool from PCMag named INCTRL5.
http://www.pcmag.com/article2/0,4149,25214,00.asp
Its main objective is to track and report installs and uninstalls, but it can easily be used to track any changes to the registry and/or any activity on selectable drives. For its originally intended purpose, it takes a snapshot of the registry and drives, runs the selected install program, and reports the changes. It'll even run and report over a reboot cycle.
Here is where the anti-monitoring use comes in: Inctrl can also be used without an install. (That, btw, is also how you can use it to check what an uninstall left behind, by comparing against the install report.) Started w/o an install/setup activity, Inctrl takes its 'snapshot' and closes, telling you to restart it when your 'whatever activity' is finished. It then compares its snapshot with the present system and reports changes. Inctrl is not stopped by hidden/system files.
Monitoring tools, keyloggers and screenloggers usually operate on a timed basis (screenshots) or are triggered by keyboard activity, saving that activity to a file which can be retrieved later.
To use Inctrl, close all active programs, open Notepad only, run Inctrl w/o install, type a phrase or two in Notepad and wait 3 min. Do nothing else during that 3 min wait! This gives any keylogger/screenshot tool time to do its stuff if present. Leaving Notepad open, restart Inctrl and click GO. Inctrl will compare its previous system snapshot to the present and report changes.
If there is no keylogger/monitor, you'll see no file changes. If one is active, you'll be shown the file and folder where it has saved its log update. More than likely that folder will also contain the logger itself. Zap it, and any registry changes made by the logger as well. Those can be zapped too, but can usually be left w/o problems as the logger now has no vehicle. [insert usual disclaimer about making a recent backup of registry before changing anything in registry]
To experience for yourself how the above method works, instead of opening Notepad to a new document, open a previously saved text file, run Inctrl, and then add/delete a phrase or two in that document. Save the file w/o closing Notepad. Run Inctrl again. You'll see the filesize change reported. Actually Inctrl will report a change even if only the timestamp has changed and the filesize remained the same, but a filesize change is the indicator of logger activity.
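The same snapshot-and-compare idea for files only, as an added Python example (not part of the original post and not how INCTRL5 itself is implemented). It separates size changes from timestamp-only changes, as described above; it does not cover the registry, and the file names in `demo()` are constructed.

```python
import os
import tempfile


def snapshot(root):
    """Map every file under root to (size, mtime_ns), hidden files included."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable between listing and stat
            state[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns)
    return state


def compare(before, after):
    """Sort changes into the classes the post distinguishes."""
    report = {"added": [], "removed": [], "size_changed": [], "timestamp_only": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report["added"].append(path)
        elif path not in after:
            report["removed"].append(path)
        elif before[path][0] != after[path][0]:
            report["size_changed"].append(path)    # content was written
        elif before[path][1] != after[path][1]:
            report["timestamp_only"].append(path)  # touched, same size
    return report


def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample files
        doc, idle = os.path.join(root, "saved.txt"), os.path.join(root, "idle.txt")
        for p in (doc, idle):
            with open(p, "w") as f:
                f.write("original text\n")
        before = snapshot(root)
        with open(doc, "a") as f:  # edit and save: size grows
            f.write("a phrase or two\n")
        st = os.stat(idle)  # touch only: same size, newer mtime
        os.utime(idle, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        open(os.path.join(root, "new.log"), "w").close()  # newly created file
        return compare(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

For a real check, call `snapshot()` on the drive or folder of interest before the 3 min wait and again afterwards, then pass both results to `compare()`.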
Note: this simple method can also watch file/registry activity while online, but sorting thru the 'what's normal' and gleaning suspicious activity is very dependent on the discerner's knowledge of what's 'normal' activity. Lots of disk writing goes on when using IE or AOL/Netscape. There is less with browsers like Opera that don't integrate with the desktop OS, but still a lot. Personally I leave that watchdog activity to a good anti-virus app.