Ghost Keylogger by Sureshot – FAQ
This manual applies to Ghost Keylogger and Ghost Key Logger Lite. If you can’t find the requested information, please consult the manual. It may have the required information.
Frequently Asked Questions
1. What is Ghost Keylogger?
2. What is the purpose of the program?
3. On what platforms does Ghost Keylogger run?
4. How invisible is the keylogger?
5. Is Ghost Keylogger password protected?
6. I lost my password. What should I do?
7. How is Ghost Keylogger uninstalled?
8. What can I do to make the keylogger as hard to spot as possible?
9. I get the error message “Could not find the DLL WS2_32.dll”. What should I do?
10. I’m not sure what isn’t working, is there a way I can find out?
11. I think I’ve found a bug, what should I do?
12. Somebody installed Ghost Keylogger on my computer without my knowledge, how do I uninstall it?
20. I have an AOL account – can Ghost Keylogger email the log files?
21. Where can I get an email account?
22. How can set up a mail account for the keylogger?
23. I would like to use the same email account as I use in my email client? How can I do that?
24. When I press the Test button to test my mail settings, it won’t work. What should I do?
25. How invisible are the emails that Ghost Keylogger sends?
26. I use a modem, how invisible will Ghost Keylogger send emails?
27. How can I use my hotmail account to send emails?
40. Will the keylogger log the Windows username and password when logging in on a Windows 95/98/ME machine?
41. Will the keylogger record the Windows username and password when a user logs in on a Windows NT/2000/XP machine?
42. Does Ghost Keylogger record the URLs that a user visits?
43. Will the keylogger log ICQ sessions?
44. Does Ghost Keylogger record chat room conversations?
45. How can I monitor other computers in a network?
46. I would like to empty the log file. How can I do that?
47. I would like to monitor a multi-user machine. Is that possible?
48. Ghost Keylogger doesn’t record any keystrokes, what should I do?
Ghost Keylogger is an invisible surveillance tool that records every keystroke to an encrypted log file. The log file can be sent with email to a specified receiver. The Keylogger also monitors the internet activity by logging all URLs the user visits. It monitors the time and title of the active application; even text in editboxes and static text is captured.
The purpose of the program is to provide you with an activity log of what is going on your computer.
Ghost Keylogger is running on Windows 95/98/ME/NT/2000/XP.
It is hard to find Ghost Keylogger. You can’t find the keylogger in the add/remove programs menu, start menu or the task bar. It is invisible in the Task Manager’s Application menu. On Windows 95, 98 and ME you can’t even see it in the Task Manager’s process list.
Yes, the Config application is password protected. Among other things the Config application is used to view log files. So the user has to know the password of the application in order to view the logs.
You have to uninstall and install the software.
Before you can uninstall the keylogger, you have to find it on your computer. The default installation of Ghost Keylogger is “C:\Program Files\Sync Manager\”. Look in explorer if you can find this folder. If you can’t find the default installation directory, you can try to search for the file uninstall.bat or syncconfig.exe.
When you have found the file called uninstall.bat, double-click it to remove registry entries and to stop the execution of Ghost Keylogger. When this is done, simply delete all files in the directory “Sync Manager”. Warning: if you found Ghost Keylogger in for example the “C:\Windows” directory, do not delete all files.
After installation you can easily deploy the keylogger. This will allow you to copy only the needed files to a target machine. You can choose a cover name for these files. For more information about deploying the keylogger see the manual.
Also, we recommend that you choose a meaningless directory to install/deploy the keylogger to, perhaps under the windows folder. E.g. “C:\Windows\System32\npdp”. It is most unlikely that users look into such folder. Making the keylogger files hidden will make it harder to find as well.
If you get the error message “Could not find the DLL WS2_32.dll”, please download and install Microsoft’s Winsock 2 update for Windows 95 at http://www.microsoft.com/Windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95Sockets2/Default.asp
If you are not sure what is causing the error, Ghost Keylogger can help you to find out exactly what is going on. To do this, start the configuration application (config.exe) and press the “Advanced Settings” button under the “System Tab”. In this dialog you can find two options called “Report with messagebox” and “Report with log file”. If an error occurs and the first option is used, Ghost Keylogger will output error messages in message boxes. Observe that this will reveal Ghost Keylogger and should only be used for debugging purpose. Reporting to log file creates a file called syncagentlog.txt with all error messages. Open this file and the error message might give you an idea of what is going on.
As far as we know, we don’t have any undetected bugs in our code
If you’ve found a bug, please get in touch with us. Please include this in your bugreport:
1. The version of the software. Look in the “About” tab in the Config application.
2. Information about your platform, that is, the Windows version.
3. And most important, detailed description of what goes wrong.
Installing Ghost Keylogger on somebody elses compter could be illegal. Check with your local authorithies.
Before you can uninstall the keylogger, you have to find it on your computer. One of the following procedures will find it.
Removing an installed keylogger
See question 7. If you can’t uninstall it this way, Ghost Keylogger has probably been deployed on your computer. To remove a deployed keylogger see the instructions below.
Removing a deployed keylogger
A deployed keylogger is much harder to find (see manual for details) and you will have to trace it through the registry.
1. Press “Start” button->Run
2. Type “regedit” and press enter
3. Windows 95/98/ME: Navigate to the following key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Windows NT/2000/XP: Navigate to the following key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunRunServices
4. You can find a Name called “Synchronization Agent” this will point to a .exe file. This is the Ghost Keylogger file.
5. Write down the full path of the .exe file pointed out by the “Synchronization Agent” key.
Now you know where Ghost Keylogger is installed, the next step is to uninstall it. You can do this in two different ways.
This first way requires that you restart the computer.
1. Delete the key in the registry. (Select it and press the delete key).
2. Reboot the computer.
3. Use explorer to find the Ghost Keylogger file pointed by the registry entry.
4. A deployed keylogger comes in three files. An .exe file, a .dll file, and a .cfg file. All files are named as the .exe file pointed out in the registry. Eg. if the file pointed out by the registry was named hidden.exe, there will exist two files called hidden.dll and hidden.cfg as well. Remove these three files. You have now uninstalled Ghost Keylogger from your system.
The second way requires that you have a litle knowledge of the command prompt.
1. Press the “Start” button->Run
2. Windows 95/98/ME: type “command” and press enter.
2. Windows NT/2000/XP: type “cmd” and press enter.
3. Goto the directory pointed out from the registry.
4. The file pointed out in the registry was an .exe file. Type the name of the exe file followed by the parameters -uninstall -reportwithmessagebox. Eg. if the filename is “hidden.exe”, type “hidden -uninstall -reportwithmessagebox” and press enter. A messagebox should report success.
5. A deployed keylogger comes in three files. An .exe file, a .dll file, and a .cfg file. All files are named as the .exe file pointed out in the registry. Eg. if the file pointed out by the registry was named hidden.exe, there will exist two files called hidden.dll and hidden.cfg as well. Remove these three files. You have now uninstalled Ghost Keylogger from your system.
If you have an AOL account you can use one of the preconfigured accounts or get a free email account. See the next question.
There are lots of places where you can get an email account. We recommend www.gmx.com. They are reliable. Yahoo is also good, but is not free. Here are a few:
http://www.gmx.com (in German)
Your username your full email address, eg. [email protected], not only yourname
http://www.mail.yahoo.com (not free anymore)
1. Please go to http://www.gmx.com. If you don’t have an account already, please sign up. Do this by pressing the “–> Anmelden” link. Fill in the required information and choose a username. The homepage is in German, but you can use free onlie translation services like, http://babelfish.altavista.com/.
2. Open the Keylogger config application. Choose the Mail tab. Check “Log with email”. Under “Preconfigured mail services”, choose “User Defined”.
3. In the “From” field, enter your email address, that is “[email protected]”. In the “To” field, enter the email address of where you’d like to send the logs. You may send it to your new address, “[email protected]”, if you like.
4. In the SMTP field, enter “mail.gmx.net”.
5. Now, check the “Use POP authentication”. In the “POP” field, enter “pop.gmx.net”.
6. In the “Username” field, enter “[email protected]”. In the “Password” field, enter your password.
7. Push the “Test” button to make sure that the settings work. If the keylogger says the mail was sent successfully a mail should arrive in a couple of minutes.
You can use the same email account for the keylogger as you are using in your email client. In order to send mail you have to configure the keylogger under the “Mail” tab. You can get the necessary setting from you email client.
If you are using Outlook Express, do like this:
1. In the Ghost Keylogger configuration application under the mail tab, select “User Defined” mail service.
2. Open Outlook Express.
3. In the Outlook Express menu click Tools->Accounts.
3. Double click on one of the accounts to view its settings.
4. In the General tab you can see the exact email address. Copy and paste this into the “From” field under the keyloggers mail tab.
5. In the Servers tab you can see your SMTP and POP server. Click “Use POP authentication” in the keylogger. Copy the SMTP server name from Outlook to the SMTP field in the keylogger. Do the same with the POP server name.
6. Also under the Servers tab, copy the “Account name” field to the keyloggers “Username” field.
7. Fill in the password of your mail account in the “Password” field in the keylogger.
8. In the “Advanced” tab in Outlook Express, if the SMTP and POP port is not 25 and 110 you have to do these changes in the keylogger as well.
If you can’t get the mail working, please check the following:
– Try all of the preconfigured mail accounts. (Default Mail 1-4)
– If you’re using a user defined account. Have you entered the correct settings in the mail tab? The error message you get when pressing the Test button might give you a clue what is wrong.
– Are you behind a firewall that does not allow SMTP connections? Please consult you system administrator.
The emails that Ghost Keylogger sends uses a direct connection to the mail server you’ve chosen. That is, it does not use your email client (Outlook, Outlook Express etc) to send the emails. No trails are left of the sent email.
Using a modem is no problem. The keylogger will silently check if you are connected to the Internet. It will not start dialling. Thus, emails are only sent when the modem is already connected to the Internet.
Hotmail doesn’t allow users access to their SMTP and POP servers without using their webmail. So you can’t use your Hotmail account to send Ghost Keylogger emails. Please use another mailservice to set up an account. See question 21. Of course you can have Ghost Keylogger emails sent to your hotmail account. Just enter your hotmail address in the “To” field under the mail tab.
Yes, Ghost Keylogger will log the username and password when logging in on a Windows 95/98/ME machine.
No, Ghost Keylogger will not log username and password when logging in on a Windows NT/2000/XP machine.
Yes, Ghost Keylogger logs the URLs of visited sites.
Yes, Ghost Keylogger records all keystrokes on the computer where it’s installed. This implies that that only one side of the conversation is recorded. You will get a pretty good idea of the conversation from this information.
Ghost Keylogger records all keystrokes on the computer where it’s installed. This implies that only one side of the conversation is recorded. You will get a pretty good idea of the conversation from this information.
If you’d like to monitor multiple computers in a network you have to install it on each computer you’d like to monitor. Notice that you must purchase multiple licenses in order to do that. If you’d like to have the log files sent to a central location you could send them to the same email account.
Under the file tab in the config application, press the “Clear logfile” button.
If you are running windows 95/98/ME Ghost Keylogger will monitor all users.
If you are running windows NT/2000 please follow these instructions to monitor a multi-user machine:
1. Log in as “Administrator” and install the software.
2. Start the configuration application and configure the software according to your preferences. Before you let any other user log in you have to change the rights for the “logfile.cip” file to be writable by the users you’d like to monitor. If you are using the “Report with log file” option you have to change the rights for the “sesclilog.txt” file as well.
3. To change the rights for a file, right-click the file -> Properties, then press the “Security” tab.
XP Professional users must first disable “Simple File Sharing” in order to see the “Security” tab.
1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options, and then click the View tab.
3. In the Advanced Settings section, clear the Use simple file sharing (Recommended) check box.
4. Click OK.
5. Now follow the same steps as for Windows NT/2000 to change the rights of the file.
On Windows XP Home edition, the security tab has been completely removed. This is to avoid that novice users lock themself out. However there are two ways to change the access rights for the logfile.cip file on XP Home edition.
The first is to enter Windows in Safe mode and login as administrator. To login in Safe mode press F8 when the computer just started to load Windows. The security tab will now be visible.Follow the same steps as for Windows NT/2000 to change the rights of the file.
The second is to use the command line, (you need to logged in as Administator).
1. Press the Start button->Run.
2. Type cmd.exe, press enter.
3. Goto the directory with the logfile. (Default is “C:\Program Files\Sync Manager\”)
4. Use the command line tool cacls.exe to change the ACL (Access Control Lists) for the logfile. Do this for every user you want to monitor, or preferable use the “Everyone” account if you want to be able to monitor all users.
cacls /? will display help.
The following command line will give write access to the “Account name” account.
cacls logfilename /E /G “Account name”:W
cacls logfile.cip /E /G “Guest”:W
cacls logfile.cip /E /G “Everyone”:W
1. First of all make sure that Ghost Keylogger is running. To ensure this, start the config application and make sure that the “Start Ghost Keylogger” button is disabled and the “Stop Ghost Keylogger” button enabled. This indicates that the keylogger is running.
2. Make sure that you look into the right logfile. You can find the name of the log file under the “File” tab. View that file from under the “View log file” tab.
3. Make sure that the keylogger has been running long enough to write to the logfile. The default file buffer size is 1024 bytes which means that it should write to the file after a couple of minutes of normal surfing and typing.
4. Ghost Keylogger uses something called a hook chain to receive pressed keys. Other applications can attach to this chain, but it’s important that they pass keys on to the next application in the chain. If an application fails to do this, it will result in Ghost Keylogger doesn’t record any keystrokes, only events such as titelbars etc. The solution is to identify installed programs that may be attached to the hook chain and uninstall them. Applications that monitors keystrokes in the entire system are good candidates, and of course other keyloggers.