
Once a keylogger has control of your machine, it is very difficult to remove completely. Trying to do it without reformatting might be a long road.

I have an HP AIO running Windows 7 as its operating system. I clicked on a link from what I thought was a trusted source, but got a hijacker/keylogger. I ran Malwarebytes and it said it was removed, but days later someone tried to steal my credit card number for a purchase while I was online. I ran a KL detector and it described all sorts of program changes in my Start menu and registry that said my keystrokes are being followed, along with snapshots of my web pages. Without wiping clean the entire system, is there anything I can do to make sure my privacy is safe online once again?

In this excerpt from Answercast #46, I look at a machine that has a persistent keylogger. It's going to take some work to clean this machine up!

Cleaning up a keylogger

Unfortunately, the reality of this situation is that the answer is no.

One of the maxims of computer security is that:

  • Once your machine has been compromised;

  • Once you have malware that is known to have infected your machine;

  • It's not your machine anymore.

It's best thought of as the hacker's machine, since the person who created the malware is now in control of it.

The hacker is still there

And that applies even if you think you've removed the malware. The fact is that, as you've seen, no anti-malware tool can remove all malware. So that means that:

  • Malware A, B, and C might get removed by program 1;

  • But program 2 may actually only recognize B and C;

  • But also may be able to remove D.

It's just too complex. That's one of the reasons we often suggest running more than one anti-malware tool.

Advanced malware tools

I'm not sure what additional anti-malware tools you happen to be running. Malwarebytes is absolutely a good one and one that I recommend often. That's one approach:

If you can't stand the thought of reformatting and reinstalling your machine:

  • Go out and try several different additional anti-malware tools.

  • They don't have to be installed as services that run continuously.

  • What you're looking for are static, complete scans of your machine from several different products.

The other thing to do is to reboot from a live CD (a standalone bootable CD) that has anti-malware software on it. For example, Windows Defender Offline is effectively a version of Microsoft Security Essentials that boots from CD. This is important because it allows the anti-malware software to scan and delete files that might not otherwise be deletable while Windows is running.

  • By booting from the CD, your copy of Windows is not running, so the tools executed from the CD have the opportunity to work on things that they normally would not be able to touch.

Reformat – reinstall

Those are the kinds of things you do, if you will, when you can't reformat and reinstall.

Given your situation, given what you've described, where you've already attempted to remove some malware and yet malware still remains, I really, honestly, in your shoes would:

  1. Back up the machine so that you don't lose any data,

  2. Reformat,

  3. Reinstall Windows,

  4. Reinstall all of your applications,

  5. And restore your data.

That's the only way you're going to know that you are going to be secure as you move forward online.

Article C5727 - August 23, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


1 Comment
Claude Holloway
August 26, 2012 7:12 PM

You forgot to mention Step 6:
Change all of your signons and passwords.
