G$earch

How to detect and remove StarLogger

Posted by Harshad

Posted: 30 Mar 2011 03:03 PM PDT

A security researcher revealed today that he had purchased two new laptops from Samsung, and discovered both of them to be infected with the StarLogger keystroke-recording program. While there's very little that can be done about keystrokes already recorded, checking your own laptop for such software is actually quite simple--if you're familiar with mucking about in your system directories and Registry.

Note that the researcher only reported StarLogger on two models, a Samsung R525 and a Samsung R540. CNET examined another new Samsung laptop, the Samsung Series 9, and did not find a keylogger installed.

Because it's a keylogger, most often used for spying on employees and children, StarLogger cannot be accessed from your Start menu. (Or at least, it shouldn't be accessible there. If it is, whoever installed it did a poor job.)

The easiest way to find StarLogger is to look for its Registry key, which is used to load it when Windows is started. To check for it, open a command prompt and type "Run Regedit". Then go to the Menu bar, select Edit and then Find. Search for "winsl", without the quotes. If StarLogger is installed, you should see a Registry key that looks like this:

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winsl

You can also look for the following files on your hard drive, although keyloggers are designed to hide themselves. Open Windows Explorer, and then hit the Alt key to bring up the Menu bar. Go to Tools, Folder Options, and View. Under Advanced Settings, you'll see an option for Hidden Files and Folders. Make sure that Show is checked.

If you have StarLogger, its files will be located in your Windows root directory, in a subdirectory labeled "SL". A list of files you can expect to see is below:

  • iv.ini
  • WinSL.dat
  • WinSL.exe
  • WinSLH.dll
  • ImgView.exe
  • SL-Test.txt
  • unins000.dat
  • unins000.exe
  • StarLogger.url
  • WinSLManager.exe
  • StarLogger.url
  • Uninstall StarLogger.lnk
  • StarLogger.lnk
  • StarLogger on the Web.lnk
  • WinSLManager.exe
  • WinSLH.dll
  • WinSL

You can also check your Task Manager for WinSLManager.exe.
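The three checks described above (the Run entry, the SL directory under the Windows root, and the WinSLManager.exe process) can be scripted as a read-only sweep. This PowerShell function is an added example, not part of the original article; it assumes `winsl` may be either a value or a subkey of the Run key, and it also looks at the 32-bit `Wow6432Node` view, which the article does not mention.

```powershell
# Added example: read-only triage for the StarLogger indicators named in the article.
# Assumptions (not from the article): 'winsl' may be a value or a subkey of the Run key,
# and on 64-bit Windows the entry may sit under the Wow6432Node view.
function Find-StarLogger {
    $findings = @()

    # 1. Autostart entry: ...\CurrentVersion\Run\winsl
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $value = (Get-ItemProperty -LiteralPath $key -Name 'winsl' -ErrorAction SilentlyContinue).winsl
        if ($value) {
            $findings += [pscustomobject]@{ Check = 'RunValue'; Location = $key; Detail = $value }
        }
        if (Test-Path -LiteralPath (Join-Path $key 'winsl')) {
            $findings += [pscustomobject]@{ Check = 'RunSubkey'; Location = "$key\winsl"; Detail = '' }
        }
    }

    # 2. Files in the "SL" subdirectory of the Windows root; -Force lists hidden items too.
    $slDir = Join-Path $env:SystemRoot 'SL'
    if (Test-Path -LiteralPath $slDir) {
        foreach ($item in (Get-ChildItem -LiteralPath $slDir -Force -Recurse -ErrorAction SilentlyContinue)) {
            $findings += [pscustomobject]@{ Check = 'File'; Location = $item.FullName; Detail = $item.LastWriteTime }
        }
    }

    # 3. Running process WinSLManager.exe (Get-Process takes the name without .exe).
    foreach ($proc in (Get-Process -Name 'WinSLManager' -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Check = 'Process'; Location = $proc.Path; Detail = "PID $($proc.Id)" }
    }

    $findings
}

$hits = Find-StarLogger
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No StarLogger indicators found.' }
```

The function changes nothing on the system, so it can be run before deciding whether removal is needed.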

How to remove it

First, make sure that your antivirus program is up-to-date. It's entirely possible that your antivirus will detect and remove it if you run a full scan. However, there is a manual method you can use, too.

The first step is to stop the StarLogger process by going to the Processes tab in the Task Manager, right-clicking on WinSLManager.exe, and clicking on End Process. If that doesn't work, you will have to end the process by booting into Safe Mode, tracking down the precise location of WinSLManager.exe, and deleting it there.

The second step is a bit trickier and involves unregistering the StarLogger DLL file. Open a command prompt and navigate to the folder containing WinSLH.dll. Then type "regsvr32 /u WinSLH.dll" without the quotes, and you should see a pop-up window telling you that the file has been successfully unregistered.

Third, go back to the Registry and locate the Registry key for StarLogger, as was done above. Right-click on it and select Delete. Last, manually delete all the files that you discovered in the SL directory, and remove the directory itself.

Actually, that's the second-to-last thing you have to do. The final step is to send a letter of complaint to Samsung and ask for your money back.
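The manual removal steps above, in the same order, as a PowerShell function. This is an added example, not part of the original article. It assumes the files sit in the SL directory under the Windows root and that `winsl` is a value of the Run key; the parameter names are hypothetical.

```powershell
# Added example: the article's four manual removal steps, in order.
# Assumptions (not from the article): files are in %SystemRoot%\SL and 'winsl' is a
# value of the Run key. Needs an elevated prompt; try Remove-StarLogger -WhatIf first.
function Remove-StarLogger {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SlDir  = (Join-Path $env:SystemRoot 'SL'),
        [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )

    # Step 1: end the WinSLManager.exe process.
    $proc = Get-Process -Name 'WinSLManager' -ErrorAction SilentlyContinue
    if ($proc) { $proc | Stop-Process -Force }

    # Step 2: unregister WinSLH.dll (regsvr32 /u; /s suppresses the pop-up window).
    $dll = Join-Path $SlDir 'WinSLH.dll'
    if ((Test-Path -LiteralPath $dll) -and $PSCmdlet.ShouldProcess($dll, 'regsvr32 /u')) {
        $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/u', '/s', "`"$dll`"" -Wait -PassThru
        if ($p.ExitCode -ne 0) { Write-Warning "regsvr32 exited with code $($p.ExitCode)" }
    }

    # Step 3: delete the autostart entry.
    if (Get-ItemProperty -LiteralPath $RunKey -Name 'winsl' -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -LiteralPath $RunKey -Name 'winsl'
    }

    # Step 4: delete the SL directory and everything in it (-Force covers hidden files).
    if (Test-Path -LiteralPath $SlDir) {
        Remove-Item -LiteralPath $SlDir -Recurse -Force
    }
}
```

With `-WhatIf`, each step reports what it would do without stopping the process, unregistering the DLL, or deleting anything.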

Are there keyloggers on Samsung laptops?

Posted: 30 Mar 2011 01:52 PM PDT

The Samsung R540, one of two models a security researcher claims came loaded with keylogging software.

(Credit: Samsung)

A security researcher says he discovered keylogging software installed on two brand-new Samsung laptops that could be used to monitor all activities on the computer remotely.

Mohamed Hassan, founder of NetSec Consulting, discovered StarLogger software on Samsung laptops with model numbers R525 and 540 after running security scanning software on the systems when he bought them last month, he writes in a guest column in Network World posted today.

Windows-based StarLogger starts up when the computer is turned on, records all keystrokes made on the computer, can be difficult to detect, and can be set to periodically send surreptitious e-mails with information gleaned from the computer to a predetermined e-mail address, with screen capture images attached.

A Samsung representative told CNET this afternoon that the company was looking into the matter. "Samsung takes Mr. Hassan's claims very seriously," the statement said. "After learning of the original post this morning on NetworkWorld.com, we launched an internal investigation into this issue. We will provide further information as soon as it is available."

Hassan said when he called and logged an incident report with Samsung on March 1, support personnel initially denied that keylogging software was on Samsung laptops and then referred him to Microsoft, saying "all Samsung did was manufacture the hardware," he writes. Eventually, a supervisor got on the phone and confirmed that Samsung put the software on the laptop to monitor machine performance "and to find out how it is being used."

"In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners," Hassan wrote.

He said he contacted three public relations representatives at Samsung for comment and went public with the matter after they failed to reply after one week.

The incident could incur the wrath of customers similar to the backlash that occurred after Sony BMG Music Entertainment sold copy-protected compact discs that installed so-called rootkit software hidden inside computers in 2005. Sony was forced to recall 4.7 million of the discs.

Updated 3:35 p.m. PT with Samsung comment and at 2:44 p.m. PT to reflect that CNET Reviews was unable to find the keylogger on a Samsung Series 9 laptop.

Originally posted at InSecurity Complex

Free: iMate media manager for iDevices

Posted: 30 Mar 2011 09:30 AM PDT

iMate puts a variety of iDevice media-management tools under one attractive roof.

(Credit: Screenshot by Rick Broida/CNET)

Wondershare's new iMate is a multipurpose Windows utility for iPhone, iPod, and iPad owners. With it you can rip DVDs, convert videos, copy music and photos from your iDevice to your PC, create ringtones, and more.

It normally costs $59, but from now until April 2, you can get Wondershare iMate absolutely free. It's the full, unrestricted version of the program. The only catch: you don't get updates or tech support.

iMate sports an attractive, easy-to-navigate interface, with oversize buttons directing you to each of its four main areas: Music & Videos, Photos, Books, and Ringtones. If you need help figuring out how to proceed within those areas, Wondershare offers a thorough user guide.

The DVD ripper and video converter alone are probably worth the download for most users. I used the former to rip some episodes from my "Simpsons Season 9" discs, and it worked easily and flawlessly (if a little slowly).

As for the rest of the features, not everyone will find them useful, but it's nice to have the option of, say, backing up and managing your photos and video recordings.

To get iMate, follow this link, then click the blue Download button. Next, click the red Get Keycode button, which will take you to Wondershare's Facebook page. Click the "Like" button, enter your name and e-mail address, then click Get Keycode on that page. My confirmation e-mail (containing the necessary registration code) arrived in a matter of seconds.

Not a Facebook user? No problem, just skip the deal. I'm sure I'll get an earful from a few folks who think this is evil somehow, but I think it's hard to argue when you're getting something valuable for free.

Originally posted at iPhone Atlas
