How to detect and remove StarLogger

Finding out whether your Samsung laptop has a keylogger surreptitiously installed and figuring out how to remove it are not as hard as you might think.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

Editors' note, 10:44 a.m. PT on March 31: Samsung has been cleared of the keylogger allegations. Read the details in CNET's follow-up story.

A security researcher revealed today that he had purchased two new laptops from Samsung, and discovered both of them to be infected with the StarLogger keystroke-recording program. While there's very little that can be done about keystrokes already recorded, checking your own laptop for such software is actually quite simple--if you're familiar with mucking about in your system directories and Registry.

Note that the researcher only reported StarLogger on two models, a Samsung R525 and a Samsung R540--and that Samsung subsequently said that he was mistaken. CNET examined another new Samsung laptop, the Samsung Series 9, and did not find a keylogger installed.

Because it's a keylogger, most often used for spying on employees and children, StarLogger cannot be accessed from your Start menu. (Or at least, it shouldn't be accessible there. If it is, whoever installed it did a poor job.)

The easiest way to find StarLogger is to look for its Registry key, which is used to load it when Windows is started. To see if this has occurred, open a command prompt and type "Run Regedit". Then go to the Menu bar, select Edit and then Find. You want to search for "winsl", without the quotes. If it's installed, you should see a Registry key that looks like this:

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winsl

You can also look for the following files on your hard drive, although keyloggers are designed to hide themselves. Open Windows Explorer, and then hit the Alt key to bring up the Menu bar. Go to Tools, Folder Options, and View. Under Advanced Settings, you'll see an option for Hidden Files and Folders. Make sure that Show is checked.

If you have StarLogger, its files will be located in your Windows root directory, in a subdirectory labeled "SL". A list of files you can expect to see is below:

  • iv.ini
  • WinSL.dat
  • WinSL.exe
  • WinSLH.dll
  • ImgView.exe
  • SL-Test.txt
  • unins000.dat
  • unins000.exe
  • StarLogger.url
  • WinSLManager.exe
  • Uninstall StarLogger.lnk
  • StarLogger.lnk
  • StarLogger on the Web.lnk
  • WinSL

You can also check your Task Manager for WinSLManager.exe.
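The three checks above (the "winsl" Run value, the files under the SL subdirectory of the Windows root, and the WinSLManager.exe process) can be run together from PowerShell. This script is an added example, not part of the CNET article; it assumes an elevated session, and it also looks at the per-user Run key, which the article does not mention.

```powershell
# Added example (not from the article): report the StarLogger indicators
# described above. Read-only; it removes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # added check, not in the article
)
$slDir   = Join-Path $env:SystemRoot 'SL'
$slFiles = 'iv.ini','WinSL.dat','WinSL.exe','WinSLH.dll','ImgView.exe',
           'SL-Test.txt','unins000.dat','unins000.exe','StarLogger.url',
           'WinSLManager.exe','Uninstall StarLogger.lnk','StarLogger.lnk',
           'StarLogger on the Web.lnk'
$findings = @()

# 1. Autostart entry: a value named "winsl" under a Run key.
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['winsl']) {
        $findings += "Run value 'winsl' in $key -> $($run.winsl)"
    }
}

# 2. Files on disk. -Force includes hidden files, so the Explorer
#    "show hidden files" setting does not matter here.
if (Test-Path -LiteralPath $slDir) {
    $findings += "Directory present: $slDir"
    foreach ($name in $slFiles) {
        $path = Join-Path $slDir $name
        if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
            $findings += "File present: $path"
        }
    }
}

# 3. Running process (Get-Process takes the name without the .exe suffix).
Get-Process -Name WinSLManager -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: $($_.Name) (PID $($_.Id)) $($_.Path)"
}

if ($findings.Count -eq 0) {
    'No StarLogger indicators found.'
} else {
    'Possible StarLogger indicators:'
    $findings | ForEach-Object { "  $_" }
}
```

A clean result only means these specific indicators are absent; run a full antivirus scan as well, as the removal section recommends.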

How to remove it
First, make sure that your antivirus program is up-to-date. It's entirely possible that your antivirus will detect and remove it if you run a full scan. However, there is a manual method you can use, too.

The first step is to stop the StarLogger process by going to the Processes tab in the Task Manager, right-clicking on WinSLManager.exe, and clicking on End Process. If that doesn't work, you will have to end the process by booting into Safe Mode, tracking down the precise location of WinSLManager.exe, and deleting it there.

The second step is a bit trickier and involves unregistering the StarLogger DLL file. Open a command prompt and navigate to the folder containing WinSLH.dll. Then type "regsvr32 /u WinSLH.dll" without the quotes, and you should see a pop-up window telling you that the file has been successfully unregistered.

Third, go back to the Registry and locate the Registry key for StarLogger, as was done above. Right-click on it and select Delete. Last, manually delete all the files that you discovered in the SL directory, and remove the directory itself.

Actually, that's the second-to-last thing you have to do. The final step is to send a letter of complaint to Samsung and ask for your money back.