Unauthorized keylogger program

Discussion in 'Malware Help (A Specialist Will Reply)' started by danappofc, Feb 7, 2008.

  1. danappofc

    danappofc Private E-2

    Vista Compatibility with Sygate Firewall

    I tried to download Sygate Firewall because someone installed 'sys keylogger pro' on my computer without my permission or knowledge. (No one else has access to my computer.) But I received a message saying that this program was incompatible with my OS (Vista). Any suggestions on how to make sure this keylogger is gone, and how to prevent future infections?
    Please understand that I am an amateur user, and I don't understand technical jargon. :confused
    Thank you very much.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Vista Compatibility with Sygate Firewall

    Welcome to Major Geeks!

    Sygate has not been supported for a number of years now. Thus there would be no way it would work with Vista.

    SYS KeyLogger Pro is not malware and as such we really will not be able to help you remove it. You need to speak to the person or persons who installed it and have them remove it. This program is not installed by malware.
     
  3. danappofc

    danappofc Private E-2

    I previously posted on this, but evidently I wasn't clear enough.
    Someone installed 'sys keylogger pro' on my computer without my knowledge or permission. This is my home computer. It is not connected to any network, and no one has physical access to it. The reply to my previous post said that since 'sys keylogger pro' is not 'malware', that they could not help me remove it. It seems that someone is trying to steal my personal information, so I consider it to be malware, whether or not it meets the standard definition. Webroot Spysweeper found it and quarantined it, but KL Detector said that it is probably still there. (KL Detector also gave me a list of suspicious files, but I don't know what from what, as far as that is concerned.) (I also have a 'Hi Jack This' log, if that would do any good to anyone who knows how to decipher it.)
    Does anyone know how I can find and remove this? Do I need to change all of my passwords, etc.?
    Also, please keep in mind that I am strictly an amateur computer user, so I don't understand technical jargon.
    Also: Thank you very much for this site. I truly appreciate the help you offer.
    <snip>
     
    Last edited by a moderator: Feb 10, 2008
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A keylogger like this would have to be installed via a normal installation program meaning someone would require access to your PC.

    Please provide logs that show what these programs say they are detecting and where. False positives happen all the time. Is your copy of Spy Sweeper a paid version or a free trial?

    Keyloggers (especially commercial ones) will not show in HijackThis logs or in your running process list.

    If you really have a keylogger (yet to be proven) the answer would be yes.

    In addition to providing logs that were requested above, you need to do the below.


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  5. danappofc

    danappofc Private E-2

    Wow! There is only one person I can think of who would both have the expertise to do that, and who would even think of doing that - and he would have had to do a B&E in order to do it as I never have visitors in my home. Highly unlikely - but you seem to know your stuff, so I guess that is what happened.
    In answer to your questions, my copy of Webroot Spysweeper is a paid copy, and it says that it still has the keylogger program in quarantine.
    I have also installed a program called 'I Hate Keyloggers' that claims to protect my typing from detection, but I now type all of my passwords and other sensitive information on the on-screen keyboard.
    Here is the file that KL Detector gave me, though please note that I deleted all of the temporary internet files as soon as I saw this list:

    KL-Detector has found some suspicious files:
    C:\Users\Dana\ntuser.dat
    C:\Windows\System32\config\SOFTWARE
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BA61C91B-0A63-4024-BBEF-0A0EBAB27053}.tmp
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\21QYKFS1\dnserror[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1O8Y326K\ErrorPageTemplate[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J9CIWRSM\errorPageStrings[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0QDYB2CB\dnserror[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\21QYKFS1\ErrorPageTemplate[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1O8Y326K\errorPageStrings[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J9CIWRSM\httpErrorPagesScripts[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\21QYKFS1\background_gradient[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1O8Y326K\info_48[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\21QYKFS1\favcenter[1]
    C:\Users\Dana\AppData\Local\Microsoft\Windows\UsrClass.dat
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{407A284C-0934-46E5-8BA3-846472370DBC}.tmp
    C:\Users\Dana\AppData\Local\Temp\OneNoteRuntimeCache\OneNoteRuntimeCache.onecache
    C:\Users\Dana\AppData\Roaming\Microsoft\Windows\Cookies\dana@msn[2].txt
    C:\Users\Dana\AppData\Roaming\Microsoft\Windows\Cookies\dana@msn[3].txt
    C:\Users\Dana\AppData\Local\Microsoft\Windows Live Mail\Hotmail (da 8b9\Sent items\00294823-000000D0.eml
    C:\Users\Dana\AppData\Roaming\Microsoft\Windows\Cookies\dana@live[1].txt
    C:\Windows\System32\wbem\repository\INDEX.BTR
    C:\Windows\System32\wbem\repository\OBJECTS.DATA
    C:\Users\Dana\AppData\Local\AT&T\Communication Manager\diagnostics.txt
    C:\Users\Dana\AppData\Local\Temp\gold.gif
    C:\Users\Dana\AppData\Local\Temp\silver.gif

    Please check; someone might have installed a keylogger on your computer!


    You MAY want to take a look at:
    C:\Users\Dana\
    C:\Windows\System32\config\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\
    C:\Windows\
    C:\Users\Dana\AppData\Local\Temp\
    C:\Users\Dana\AppData\Local\
    C:\Windows\Prefetch\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\21QYKFS1\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1O8Y326K\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J9CIWRSM\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0QDYB2CB\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\
    C:\Windows\Temp\
    C:\Users\Dana\AppData\Roaming\Microsoft\Windows\Cookies\Low\
    C:\Users\Dana\AppData\Roaming\Microsoft\Windows\Cookies\
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\
    C:\Users\Dana\AppData\Local\Temp\msohtmlclip1\
    C:\Users\Dana\AppData\Roaming\Microsoft\Windows\Recent\
    C:\Users\Dana\AppData\Local\Temp\OneNoteRuntimeCache\
    C:\Users\Dana\AppData\Roaming\Microsoft\Windows\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KDM2ZQBD\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D5NIPR8A\
    C:\Users\Dana\AppData\Local\Microsoft\Windows Live Mail\
    C:\Users\Dana\AppData\Local\Microsoft\
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WSJ0DEOH\
    C:\Windows\System32\wbem\repository\
    C:\Users\Dana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L0O9UX1R\
    C:\Windows\tracing\


    And here is the Webroot Spysweeper log from the relevant sweep (please note the entry @ 2:11 AM):

    4:40 AM: IE Tracking Cookies Shield: Removed ccbill cookie
    4:40 AM: IE Tracking Cookies Shield: Removed ccbill cookie
    4:36 AM: ApplicationMinimized - EXIT
    4:36 AM: ApplicationMinimized - ENTER
    Operation: Registry Access
    Target: \SYSTEM\ControlSet003\Enum\Root\LEGACY_SSIDRV\
    Source: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    4:33 AM: Tamper Detection
    Operation: Registry Access
    Target: \SYSTEM\ControlSet003\Enum\Root\LEGACY_SSHRMD\
    Source: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    4:33 AM: Tamper Detection
    4:15 AM: Removal process initiated
    2:36 AM: Traces Found: 1

    2:36 AM: Scheduled Sweep has completed. Elapsed time 00:36:35
    2:36 AM: File Sweep Complete, Elapsed Time: 00:28:42
    2:32 AM: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.
    2:32 AM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.
    2:32 AM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
    2:32 AM: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
    2:32 AM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\appdata\roaming\webroot\spy sweeper\temp\ssmsb34cd32f-3cd4-4118-8153-b9ca022e7092.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\appdata\roaming\webroot\spy sweeper\temp\ssms65ae9639-9eb4-4ea6-ba03-76f285dd68b7.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\appdata\roaming\webroot\spy sweeper\temp\ssms9a47c026-6605-4a9b-9a85-7c0bb13b4bb3.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\appdata\roaming\webroot\spy sweeper\temp\ssms8e6e54ed-ad17-4669-91a0-cd39863d1e2f.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\appdata\roaming\webroot\spy sweeper\temp\ssmsfebeacfa-11eb-45af-98a4-78e969e0011f.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\appdata\roaming\webroot\spy sweeper\temp\ssmsbd035114-f874-4d3d-921c-71bba986f48e.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\appdata\roaming\webroot\spy sweeper\temp\ssmsf0009d1d-05f8-42b7-afcd-1f945ac01c42.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\appdata\roaming\webroot\spy sweeper\temp\ssms6e35474c-2abc-453e-a7fe-a91cdbad72f2.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\logfiles\wmi\rtbackup\etwrtmsmppssession.etl". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\temp\jet18bd.tmp". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\system.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\software.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\security.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\default.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\system32\config\components.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\serviceprofiles\networkservice\ntuser.dat.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\windows\serviceprofiles\localservice\ntuser.dat.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\users\dana\appdata\local\microsoft\windows\usrclass.dat.log2". The operation completed successfully
    2:32 AM: Warning: Failed to open file "c:\users\dana\ntuser.dat.log2". The operation completed successfully
    2:11 AM: C:\Program Files\InstallShield Installation Information\{E6707034-D7A4-49B1-94D0-F5AACE46F06C}\setup.exe (ID = 1316172)
    2:11 AM: Found System Monitor: sys keylogger pro:cry
    2:07 AM: Starting File Sweep
    2:07 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    2:07 AM: Starting Cookie Sweep
    2:07 AM: Registry Sweep Complete, Elapsed Time:00:00:31
    2:07 AM: Starting Registry Sweep
    2:07 AM: Memory Sweep Complete, Elapsed Time: 00:07:12
    2:00 AM: Starting Memory Sweep
    2:00 AM: Start Scheduled Sweep
    2:00 AM: Sweep initiated using definitions version 1082
    2:00 AM: Sweep initiated using definitions version 1082

    Thank you very much for your help and information. I will go carry out the rest of your suggestions now. Take care.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but there are no valid detections of any problems in those logs. If Spy Sweeper is finding anything it is not reporting where it is finding it and thus it is totally useless. It is just making a statement 'Found System Monitor: sys keylogger pro' which is not helpful and provides zero proof of anything being detected. I seriously doubt you have a keylogger.

    Did it ever occur to you that 'I Hate Keyloggers' could be detected as a keylogger?
     
  7. danappofc

    danappofc Private E-2

    Thanks chaslang. I am breathing a little easier, but I would still like to make absolutely sure about this. I found the website that sells 'sys keylogger pro', and I'm thinking of downloading their free 10 day trial just to see how it works, and where it is stored with a mind to finding/deleting the original program if it is/was there. Do you think this is a good idea?
    Also, I didn't install 'I Hate Keyloggers' until after this all started, so that wasn't what Webroot was detecting. So far, Webroot hasn't said anything about 'I Hate Keyloggers'. Also, Webroot specifically identified the offending program as 'sys keylogger pro'.
    Thanks again for your help. :wave
     
  8. danappofc

    danappofc Private E-2

    Further information:
    I tried to download 'sys keylogger pro', though I was going to wait to install it until I heard from you again. I opened the download folder and saw a 'keylogger pro' icon as the copying process was happening, but the icon disappeared as soon as the copying process completed, and I received an alert from Webroot that the file had been quarantined. I thought about telling Webroot to allow the file, but I was afraid that it would also un-quarantine the original keylogger program if it indeed had ever been there.
    This is all very confusing, and I would greatly appreciate any further feedback that you may have.
    Thank you.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but that does not necessarily mean they are correct. The log does not provide any specifics. What is the exact file they are complaining about? Is it the setup.exe file on the line above the message about sys keylogger?
    If so that is again more than likely totally wrong because sys keylogger pro has their own install program and I seriously doubt it would be using InstallShield.

    If you want to install the trial copy of Sys Keylogger Pro, then just disable Spy Sweeper while you do this. You need to talk to Webroot because this seems like a false indication to me. Yes when you install the real program it is a valid detection but again they are wrong to just delete the program because it is a valid program that some people will choose to install. They should be distinguishing between commercial keyloggers that someone may install and known malware keyloggers. They should warn you of the use of the commercial keylogger and then ask you what you wish to do with it.
     
  10. danappofc

    danappofc Private E-2

    OK. Thanks again. I'll do that, and give you an FYI. C-ya! :wave
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
  12. danappofc

    danappofc Private E-2

    Hello again.

    Yesterday, I shot an e-mail to Webroot, and I received this reply:

    Hi,

    Definitions version 1082 for Webroot Antivirus/Spy Sweeper was incorrectly detecting a threat as Sys Keylogger Pro. The false detection has been corrected in definitions version 1083.

    Please restore the quarantined file and update the definitions of the Spy Sweeper program which will resolve the false detection during future sweeps.

    For further assistance, please call our US/North American phone support at 1-866-612-4227 (Mon.-Fri. from 7am to 6pm MT), or our UK phone support at +44 (0)845 0822 498 (Mon.-Fri. from 9am to 5pm CET).

    Thank you once again for choosing Webroot software.

    So, I guess it is case closed. (I wish I had done that first!)

    Once again, thank you for your time and patience.
    :cool
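The triage logic chaslang describes in posts 6 and 9 (a detection line is only evidence when it names a file; commercial monitoring tools should be warned about and left to the user, not silently deleted) and the outcome in post 12 (definitions 1082 misfired on "Sys Keylogger Pro", fixed in 1083) can be written down as a small log-triage script. The following is an added example, not code from this thread, from Webroot or from Spy Sweeper. It assumes the newest-first line format visible in the posted log (the file line sits directly above its "Found ..." line), a hand-made list of commercial monitoring product names, and constructed sample logs; the detection names and paths marked "constructed" are invented for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the Spy Sweeper log posted in this thread.
# Spy Sweeper writes newest entries first, so the file that belongs to a
# detection appears on the line ABOVE its "Found ..." line.
SAMPLE_LOG_1082 = """\
2:36 AM: Traces Found: 1
2:11 AM: C:\\Program Files\\InstallShield Installation Information\\{E6707034-D7A4-49B1-94D0-F5AACE46F06C}\\setup.exe (ID = 1316172)
2:11 AM: Found System Monitor: sys keylogger pro
2:07 AM: Starting File Sweep
2:00 AM: Sweep initiated using definitions version 1082
"""

# Second constructed log with newer definitions: one detection with a file,
# one commercial tool with a file, one detection with no file line at all.
# All names and paths here are invented (constructed) for the example.
SAMPLE_LOG_1083 = """\
3:10 AM: Traces Found: 3
3:06 AM: Found Adware: example.adware.constructed
3:05 AM: C:\\Program Files\\Example Monitor\\monitor.exe (ID = 888888)
3:05 AM: Found System Monitor: sys keylogger pro
3:04 AM: C:\\Users\\example\\AppData\\Local\\Temp\\dropper.exe (ID = 999999)
3:04 AM: Found Trojan: example.trojan.constructed
3:00 AM: Sweep initiated using definitions version 1083
"""

LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \(ID = (?P<id>\d+)\)$")
DEFS_RE = re.compile(r"definitions version (?P<ver>\d+)")

# Assumption: a real product would ship a curated list of commercial
# monitoring software; "sys keylogger pro" is the product named in this thread.
COMMERCIAL_MONITORING = {"sys keylogger pro"}

# (name, definitions version) pairs the vendor acknowledged as false positives.
# Taken from the Webroot e-mail quoted above: 1082 misdetected, fixed in 1083.
KNOWN_FALSE_POSITIVES = {("sys keylogger pro", 1082)}


@dataclass
class Finding:
    time: str
    category: str
    name: str
    definitions_version: Optional[int]
    files: List[str] = field(default_factory=list)
    verdict: str = ""
    action: str = ""


def parse_sweep_log(text: str) -> List[Finding]:
    """Walk the newest-first log in chronological order and attach each
    file line to the "Found ..." detection that precedes it in time."""
    findings: List[Finding] = []
    defs_version: Optional[int] = None
    current: Optional[Finding] = None
    for raw in reversed(text.splitlines()):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        time, msg = m.group("time"), m.group("msg")
        d = DEFS_RE.search(msg)
        if d:
            defs_version = int(d.group("ver"))
            current = None
            continue
        f = FOUND_RE.match(msg)
        if f:
            current = Finding(time, f.group("category"),
                              f.group("name").strip().lower(), defs_version)
            findings.append(current)
            continue
        p = FILE_RE.match(msg)
        if p and current is not None:
            current.files.append(p.group("path"))
            continue
        current = None  # any other line ends the current detection block
    return findings


def triage(findings: List[Finding]) -> List[Finding]:
    """Apply the policy from the thread: vendor-acknowledged false positives
    first, then 'no file = no evidence', then commercial tools get a prompt
    instead of silent deletion, and only the rest is treated as malware."""
    for f in findings:
        if (f.name, f.definitions_version) in KNOWN_FALSE_POSITIVES:
            f.verdict = "known_false_positive"
            f.action = "restore from quarantine and update definitions"
        elif not f.files:
            f.verdict = "unverified"
            f.action = "no file path reported; get specifics from the vendor before acting"
        elif f.name in COMMERCIAL_MONITORING:
            f.verdict = "commercial_monitoring_tool"
            f.action = "warn the user and ask whether to keep or remove it"
        else:
            f.verdict = "malware"
            f.action = "quarantine"
    return findings


def triage_log(text: str) -> List[Finding]:
    return triage(parse_sweep_log(text))


if __name__ == "__main__":
    for log in (SAMPLE_LOG_1082, SAMPLE_LOG_1083):
        for f in triage_log(log):
            print(f"{f.time} {f.category}: {f.name} -> {f.verdict}; files={f.files}; {f.action}")
```

On the first sample the only finding is the "sys keylogger pro" hit under definitions 1082, which the script reports as a known false positive with the InstallShield setup.exe as its file; on the second, the invented trojan is quarantined, the commercial tool is left to the user, and the detection with no file line is marked unverified, which is exactly the complaint raised against the original log.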
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm happy to hear you have gotten this resolved and also that I was correct. ;)
     
