Keylogger hmm...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jamsession, Mar 13, 2005.

  1. Jamsession

    Jamsession Private E-2

    Hello there all :)

    Well, I have a problem that has been driving me paranoid for the last couple of weeks. A friend told me about some trojan called prorat and that it would have a client to manage remote access to any computer on which the trojan ran in the form of an executable, including but not limited to keyloggers. Although I haven't specifically been sent such a file over msn or any other chat proggy, I'm going nuts with the fact that some websites could have inserted and executed malware through IE, not necessarily prorat but any other proggy with similar features. I've d/l'd and installed the latest versions of ad-aware and spybot s&d, I keep them updated, further I've installed f-prot, avast! and a-squared antivirus programs, running them consecutively and as if this wasn't enough, I've installed zone-alarm 4 whatnot, was not entirely satisfied and installed sygate. Now I'm running sygate and it drives me even more paranoid whenever I see the traffic logs pointing at websites and ip addies which I'm not visiting at all. I've slowed down and screwed up the entire system I guess :/

    I'm on xp home sp2 and I'm really in despair. Now, to cut to the chase, is there any way to detect if a keylogger is actively running on the machine?

    The entire thing started with the fact that some people, whom I do not know at all, have added me as their msn buddies and those I've rejected have filled up the blocked people box under messenger's privacy section. I have not given out my msn address anywhere on the net. I had to change my hotmail acct and the thing still persists. That's why I'm suspecting remote control over my pc atm. I'd be glad if you help me out.

    Thanks :)
     
  2. TheOldThug

    TheOldThug First Sergeant

    Make sure you are running only one anti-virus and one software firewall.

    We ask that you first try to do ALL of the TUTORIAL listed below. We then ask you for a HJT log. It must not be posted inline but rather as a .log or .txt attachment. HJT must be placed in its own folder and not run from a zipped file. Be sure to close all unnecessary programs; it makes it much easier to read the HJT log.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there.
    Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT.
     
  3. Jamsession

    Jamsession Private E-2

    Thank you very much for the suggestions. I've done it the way you told me, downloaded the latest ver. of HJT and ran it on the machine after having disabled avast! resident monitor and VRDM generator. However, I might not have been able to disable any other apps. Also, a locator.exe running in the task manager is bugging me but HJT did not point at it :S

    here's the log as is :) I hope I could attach it properly.

    On a side note, there are 2 BHOs running as well, since I had downloaded and tried out SpywareDoctor as well because it was featured in the downloads section of majorgeeks. However, I no longer use IE, but mozilla firefox v. 1.0.1.

    Thanks again for the reply :)
     

  4. TheOldThug

    TheOldThug First Sergeant

    Unless I am missing something your log looks OK.
    Do you know what this is?
    C:\WINDOWS\System32\Wintab32.exe
    I think it is probably OK but if you right click, properties, and version - see what it says.

    Are you having any specific problems any more? Make sure you are only running one firewall and AV. Don't just disable, you must actually uninstall.

    As for locator.exe (which I don't see running), go here to see what it is:
    Locator.exe

    Not to be confused with locater.exe which I believe is bad.
     
  5. jarcher

    jarcher I can't handle a title

    Running process (Wintab32.exe):
    ACE-CAD Digitizer Tablet (Wintab Digitizer Services, LCS/Telegraphics)

    did you do the online scans?

    run CWShredder (which you should have already from the read me)
    close everything in the tray,
    all running apps (Acecad etc.)
    and open windows (even this one)

    run HJT
    have HJT fix these

    O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) safe to remove
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) safe to remove

    make sure system restore is off and reboot
    and post a new log
     
  6. Jamsession

    Jamsession Private E-2

    Well, I've checked it out and yes, locator.exe is a necessary application for rpc which is essential to run avast's on-access scanner. I'm glad it's not locater.exe I'm having running here :D As for wintab32.exe, I've found out that it's an application of a company called LCS Telegraphics and I don't know what this app is good for. I'll consider deleting it after having found out exactly what it is. Thank you very much for the assistance and I'm glad I stumbled across this forum. I was actually visiting majorgeeks frequently for downloads and info but signing up for the forums as well was indeed a good idea :)

    Edit after Jarcher's reply ~ oi, I'd better not touch wintab32 because it seems to belong to the acecad tablet driver eheh =))

    Jarcher, I'm going to do the scan you've recommended, cheers :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jarcher,

    The mshtml.dll file is not a problem.

    Also note that HijackThis has a bug that causes it to declare files to be missing when they are not. This happens frequently in the O23 section when for some reason it cannot recognize the service owner. It then says the files are missing but they are not. In fact, in many cases you will even see them running in the process list, so obviously they could not be missing. Lines like this should not be fixed unless it is absolutely known for a fact that the related application is no longer used, the service has been stopped and disabled, and the files are really deleted.
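    The check chaslang describes can be scripted rather than eyeballed. The following is an added example written for this thread, not code from HijackThis or from any poster: it parses O23 lines, pulls the binary path out of the service command line even when the opening quote has been lost and arguments such as /service follow, and then looks for the file itself before trusting the "(file missing)" annotation. The `exists` hook is injectable so the logic can be exercised against a constructed stand-in for the disk; the sample log is the two avast! lines quoted above plus a constructed "Old Tool Service" entry whose binary really is gone.

```python
import re
from pathlib import Path
from typing import Callable, Optional

# HijackThis O23 line layout: "O23 - Service: <display name> - <owner> - <command line>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")

# Binary path at the start of a service command line, with or without a leading
# quote, ending at the first .exe/.dll/.sys/.cmd/.bat that is followed by a quote,
# whitespace or end of string.  A stray closing quote after the name (as in the
# log lines quoted in this thread) is tolerated.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|sys|cmd|bat))(?=["\s]|$)', re.IGNORECASE)

MISSING_TAG = "(file missing)"


def extract_image_path(cmd: str) -> Optional[str]:
    """Return the binary path from a service command line, ignoring trailing
    arguments such as /service and HijackThis' own '(file missing)' annotation."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else None


def check_o23_line(line: str,
                   exists: Callable[[str], bool] = lambda p: Path(p).is_file()) -> Optional[dict]:
    """Parse one O23 line and compare HijackThis' verdict with what is on disk.

    `exists` defaults to a real filesystem check; tests inject a constructed set."""
    m = O23_RE.match(line.strip())
    if not m:
        return None  # not an O23 line, nothing to assess here
    cmd = m.group("cmd")
    path = extract_image_path(cmd)
    hjt_says_missing = cmd.rstrip().endswith(MISSING_TAG)
    present = path is not None and exists(path)
    if path is None:
        verdict = "could not parse binary path: inspect manually"
    elif hjt_says_missing and present:
        verdict = "false positive: binary exists, do not fix"
    elif not present:
        verdict = "binary really absent: orphaned service entry"
    else:
        verdict = "ok"
    return {"service": m.group("name"), "owner": m.group("owner"), "path": path,
            "hjt_says_missing": hjt_says_missing, "file_present": present,
            "verdict": verdict}


def triage(lines, exists: Callable[[str], bool]):
    """Run check_o23_line over a log, keeping only the O23 results."""
    return [r for r in (check_o23_line(l, exists) for l in lines) if r is not None]


# Constructed sample log: the two avast! lines quoted in this thread, one entry
# for a hypothetical tool whose binary is really gone, and a non-O23 line.
SAMPLE_LOG = [
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r'O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)',
    r'O23 - Service: Old Tool Service - Unknown owner - C:\Program Files\Old Tool\oldsvc.exe (file missing)',
    r'O4 - HKLM\..\Run: [example] C:\WINDOWS\System32\example.exe',
]

# Constructed stand-in for the disk: the avast! binaries are present, the old tool is not.
FAKE_DISK = {
    r"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashWebSv.exe",
}


if __name__ == "__main__":
    # Swap FAKE_DISK.__contains__ for lambda p: Path(p).is_file() to run against a real log on Windows.
    for r in triage(SAMPLE_LOG, FAKE_DISK.__contains__):
        print(f"{r['service']}: {r['verdict']} ({r['path']})")
```

    On the sample input the two avast! services come back as false positives (HJT says missing, file present) and the constructed Old Tool entry as a genuinely orphaned service, which is the distinction chaslang asks posters to make before fixing anything.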
     
  8. jarcher

    jarcher I can't handle a title

    again, I hang my head in shame. .
    sorry chas,

    remove my posts

    and Jamsession,
    forgive me if I caused any problems
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hopefully the changes were not applied yet or they had no effect. You need to be careful suggesting fixes. Things change quickly in the spyware world. You have to be here all the time to know what is going on. Fly-by posting in this forum usually does not work out too well.
     
  10. Jamsession

    Jamsession Private E-2

    Nope I haven't removed any of them since they're avast's on-access scanner files and have to reside in the background for 7 different apps anyway, so no worries Jarcher :)

    HJT did not find anything strange either. I'll get my HD formatted to upgrade to Win XP pro in about a month or so; I'm glad none of the apps have found anything about keyloggers.

    Cheers y'all :)
     
  11. TheOldThug

    TheOldThug First Sergeant

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But what about this:
    O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll

    Did you fix that line? You should not have fixed it as it is a required MS DLL.
     
  13. Jamsession

    Jamsession Private E-2

    No worries, the file still sits there happily :)

    TheOldThug = System restore is running again too, thanks so much guys :))))
     
