As EFF outlined in a special report, ComputerCOP is a piece of "Internet Safety" software of dubious value that law enforcement agencies around the country have distributed to families for free. One of the main components of the software is KeyAlert, a keystroke-capturing function that records everything a user types.

KeyAlert has two major functions. First, it logs keystrokes on the user's hard drive. Second, it allows the person installing the software to set certain keywords. Whenever those keywords are typed, the computer sends an email with those keystrokes to the person who installed the software.

ComputerCOP doesn't appear in any of the major malware/spyware registries, so you'll need to do a little digging yourself. With this easy guide, we'll show you how to identify whether ComputerCOP has been installed on your  computer and how to remove it.

Step One: To determine if KeyAlert is running, open the Task Manager and look for CCNet.exe. Alternatively, if the user installed it in the default location, you can find it installed in “C:\Program Files\WinSS\Book”.  You may also be able to spot its icon in the system tray.  On a Mac, open Finder and navigate to the root directory of your Mac's hard drive. If there is a file named "LogKextUninstall.command" then the Mac version of ComputerCOP's keylogger is installed.

Image showing how to find ComputerCOP's Key Alert on a Windows machine.

How to find ComputerCOP's keylogger on your Windows computer.

When KeyAlert is running, all keystrokes are logged to text files located in the folder “C:\Windows\WinCCNet”. These text files are completely unencrypted. (On a Mac, these keystroke logs are actually encrypted, but can be decrypted with the software's default password. Instructions for viewing them are available here.)

Image showing the location of unencrypted key logs generated by ComputerCOP's Key Alert on a Windows machine.

Unencrypted logs can contain usernames and passwods.

When KeyAlert's email warning functionality is activated, these logs are also transmitted over the Internet unencrypted. This allows anyone on the same network to view the content of the ComputerCOP alert email, including any usernames or passwords that may have been typed before one of the keywords.

Image of a packet capture log showing key logs being transmitted unencrypted over the Internet.

ComputerCOP transmits keystrokes unencrypted over the Internet.

KeyAlert can be uninstalled even without the installation CD. Go to Add/Remove Programs, select “KeyAlert”, and then click “Remove”, or if the user installed it in the default location, delete the folder “C:\Program Files\WinSS\Book” and then make sure to reboot your computer. On a Mac, open Finder and navigate to the root directory of your Mac's hard drive. Find the file named "LogKextUninstall.command" and double-click on it to uninstall the keylogger.

Image showing how to uninstall Key Alert from your computer.

How to uninstall Key Alert.

You will also want to delete all the keystrokes records stored on your hard drive. Go the folder “C:\Windows\WinCCNet" and delete the entire folder. On Mac these are deleted automatically.