Reinstalled Windows 7 upgrade to remove keylogger eBlaster


  1. Posts : 29
    Windows 10 Home
       #1


    An ex-girlfriend remotely installed the keylogger eBlaster which is made by SpectorSoft. After research, I decided to reinstall my Windows 7 Home Premium 64 bit upgrade disc.

    I booted from the DVD drive and arrived at a screen that showed two partitions: recovery and the existing W7 files. I deleted the W7 partition and proceeded with the installation which went fine.

    Now, I wonder if some of the eBlaster files could have been installed on the recovery portion of the hard drive. Seems unlikely but need to be sure. Also, there is now a third partition called "System Reserve" at 100 MB. Could that be the work of eBlaster? I assume the recovery partition holds the original Vista OS. Should I leave it alone or delete that partition?

    Thanks in advance.


  2. Posts : 11,408
    ME/XP/Vista/Win7
       #2


  3. Posts : 1,870
    MS Windows 7 Professional 64-bit SP1
       #3

    Everything is fine Joad! Good Job!!

    The 100MB is for the Windows 7 install (do not delete).
    As for the recovery partition I'm not sure, (should be fine) someone will be along to advise you what to do. (probably a Scan)


  4. Posts : 29
    Windows 10 Home
    Thread Starter
       #4

    The article you linked states:

    This will show you how to do a Clean Install using a retail Upgrade Windows 7 installation disc.

    The upgrade disc I used is an OEM.


  5. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #5

    The recovery partition would be untouched unless you had system restore turned on and restore points got written to recovery which can happen if you're not careful. Some OEMs have or at least used to have this idiotic default setup whereby restore points would be saved that way, ultimately causing the recovery partition to become unusable apart from giving annoying low disk space warnings. Of course, if your computer was not set up that way, you should be fine.

    In addition, would suggest you delete all old restore points saved onto a non-windows partition (if any). One thing you can do is to completely ditch the recovery partition option and instead image your nice new clean install using Macrium Reflect. Do this after you've got all apps and drivers installed and tweaked. That way you can restore the system in a jiffy without bothering with software reinstalls.

    If you had made recovery disks before this trauma, they are equivalent to having the recovery partition.


  6. Posts : 29
    Windows 10 Home
    Thread Starter
       #6

    Bill2 said:
    The recovery partition would be untouched unless you had system restore turned on and restore points got written to recovery which can happen if you're not careful. Some OEMs have or at least used to have this idiotic default setup whereby restore points would be saved that way, ultimately causing the recovery partition to become unusable apart from giving annoying low disk space warnings. Of course, if your computer was not set up that way, you should be fine.

    In addition, would suggest you delete all old restore points saved onto a non-windows partition (if any). One thing you can do is to completely ditch the recovery partition option and instead image your nice new clean install using Macrium Reflect. Do this after you've got all apps and drivers installed and tweaked. That way you can restore the system in a jiffy without bothering with software reinstalls.

    If you had made recovery disks before this trauma, they are equivalent to having the recovery partition.

    Trauma is the appropriate word.

    Just learned how to view Disk Management and apparently the recovery partition is empty. It shows capacity @ 11.72 GB with 11.72 GB free. Not sure how it got deleted. Maybe during the original upgrade process?

  7.    #7

    It may have its files hidden. Boot free Partition Wizard bootable CD, right-click Recov Partition to Explore to see if files are intact. If not, you can right-click it again to Wipe it with a set of zeroes to overwrite any infected or corrupt code. Then Create a new partition or Resize Win7 into the deleted space.

    Hopefully you made the Recovery Disks before clean reinstalling. But you apparently have an Installation DVD which is a much better option anyway.

    If you didn't wipe the partition where you reinstall Win7, there could be infected code on it as well, so you might want to start over by wiping the entire HD using PW CD Disk tab, or the tutorial earlier posted by theog to wipe HD with Diskpart.

    You can use any retail installer whether OEM, upgrade or full version to reinstall your version of Win7.


  8. Posts : 29
    Windows 10 Home
    Thread Starter
       #8

    I was unable to confirm or deny the existence of the keylogger after I did the reinstall. I decided to do a clean install of Windows 7 with the DVD upgrade disk. I deleted everything on the hard drive and proceeded with a clean install. Microsoft verified Windows 7 with no issues.

    I was certain this would kill the keylogger but a friend suggested that a sophisticated keylogger could hide files in the BIOS and reinstall itself after the clean install. If so, I guess I am stuck with it.

    I read on the Spector Soft/eBlaster website that its keyloggers use Windows Explorer to send activity emails to its client so I blocked both instances - 32 and 64 bit - of Windows Explorer with Zone Alarm.

    If there are any other things I can do, I would appreciate the feedback.


  9. Posts : 1,800
    Windows 7 Pro x64 SP1
       #9

    Joad said:
    I blocked both instances - 32 and 64 bit - of Windows Explorer with Zone Alarm.
    If there are any other things I can do, I would appreciate the feedback.

    I am not a fan of Zone Alarm, especially when one of their updates a while back really crumped a lot of machines.

    You might want to look at an AV with a firewall.

    I use Vipre premium and it seems to protect most of my friends and clients without being intrusive. vipre.com will get you close.

    Just a thought, not a sermon. :)

    Rich

  10.    #10

    I hoped you wiped the HD as suggested using a 3rd party tool or DISKPART Clean All command as deleting or formatting erases nothing and infected code is still there otherwise.

    Use free MS Security Essentials or Avast 5 with the Win7 firewall for best performance. Malwarebytes is good for on-demand scanning.


 