Find keylogger/activity monitor process running on my computer

Posted on 2004-11-23
Last Modified: 2008-05-19
My boss has installed some sort of program to monitor every keystroke and activity that takes place on our computers.  I know when it was installed, but I don't know what it is.  He knows that I'm looking for it and is fine with that.  I have run several programs that claim to be able to detect such software, but to no avail.  I have looked at every process listed in the task list of the task manager.  I have run a file monitor.  This is what I know about it:  The data that it collects is kept on this computer, or one of its mapped drives and is later fetched by him to look at.  I am in the Administrators group on this machine which runs XP-Pro.  The installation routine of this program did all of the work of hiding it.  I do not want to disable it or remove it.  I simply want to know where it is, and how it can be hidden from the running processes list.  Thanks a million to anyone who can help me find this thing.  It's become a quest and my boss is really amused by all of it.  I can install any software that will help too.

These items are in the startup tab of the MSCONFIG dialog:

AutoCAD Startup Accelerator

Here are the running processes:

Image Name                   PID Services                                    
System Idle Process            0 N/A                                          
System                         4 N/A                                          
smss.exe                     572 N/A                                          
csrss.exe                    620 N/A                                          
winlogon.exe                 644 N/A                                          
services.exe                 688 Eventlog, PlugPlay                          
lsass.exe                    700 Netlogon, PolicyAgent, ProtectedStorage,    
svchost.exe                  876 DcomLaunch, TermService                      
svchost.exe                  940 RpcSs                                        
svchost.exe                 1036 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,  
                                 EventSystem, helpsvc, lanmanserver,          
                                 lanmanworkstation, Netman, Nla, RasMan,      
                                 Schedule, seclogon, SENS, SharedAccess,      
                                 ShellHWDetection, srservice, TapiSrv,        
                                 Themes, TrkWks, W32Time, winmgmt, wuauserv,  
svchost.exe                 1148 Dnscache                                    
svchost.exe                 1232 LmHosts, RemoteRegistry, WebClient          
spoolsv.exe                 1388 Spooler                                      
clisvcl.exe                 1712 clisvc                                      
inetinfo.exe                1792 IISADMIN, MSFtpsvc, SMTPSVC, W3SVC          
FrameworkService.exe        1808 McAfeeFramework                              
VsTskMgr.exe                1844 McTaskManager                                
nvsvc32.exe                 1964 NVSvc                                        
wdfmgr.exe                   248 UMWdf                                        
Wuser32.exe                  320 Wuser32                                      
naPrdMgr.exe                1112 N/A                                          
alg.exe                     2008 ALG                                          
SMSAPM32.exe                3404 N/A                                          
explorer.exe                3768 N/A                                          
shstat.exe                  2240 N/A                                          
UpdaterUI.exe               1016 N/A                                          
launch32.exe                3860 N/A                                          
realsched.exe               3712 N/A                                          
jusched.exe                 2140 N/A                                          
ctfmon.exe                  1816 N/A                                          
msnmsgr.exe                 2148 N/A                                          
SMSMon32.exe                1668 N/A                                          
mdm.exe                     1428 MDM                                          
OUTLOOK.EXE                 2032 N/A                                          
devenv.exe                  1608 N/A                                          
cmd.exe                     2192 N/A                                          
wmiprvse.exe                2296 N/A                                          
Question by: awendle
    LVL 11

    Expert Comment

    If you're running XP Pro and IISADMIN with those services, can you go to http://localhost? Maybe it's integrated with the IIS web server?
    LVL 1

    Author Comment

    I am able to go to http://localhost and it takes me to the web page I created.  I'm pretty sure that the other programmers in my group are not using IIS at all.  I was using it for some web stuff I did.  It wasn't installed until I installed it.
    LVL 11

    Expert Comment

    OK, how do you know he has a keylogger? Are you sure it's nothing that's getting tracked by a switch/router or manager?
    LVL 1

    Author Comment

    I don't know for sure that it's a keylogger, but I know that he is able to collect everything typed in emails, web browsers, IM dialogs, and supposedly any other application that is running on the PC.  I know it's not a network tracker because he went around and installed it on each PC.  (I saw him doing it.  I just didn't know that's what he was doing until the next day.)  He told me that it does not send the data over the network.  I had been running a port scanner and found nothing there.  One of the employees got him to show him the information he had logged on him, and he had to fetch the data from his PC and then view it with whatever sort of viewing tool he has.
    LVL 18

    Assisted Solution

    Note: Any malware can be named anything, so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk of a virus, spyware, trojan or worm infection, and to a lesser extent vice versa!

    You could also check out the Sysinternals diagnostic tools:

    namely Process Explorer for some other info:

    You could also look at something like this:   

    LVL 1

    Author Comment

    Thanks meintsi,

    I am very familiar with Sysinternals.  They have awesome software!  I have used several of their tools to look at this machine (including procexp) but I have not been able to figure out which process it is.  It has to be one of them, doesn't it?  It's my understanding that every process that is running on a PC has to be in that list.  Is that right?  How are .NET processes listed?

    I'll take a look at the other site you mentioned.
    LVL 7

    Accepted Solution

    I prefer using sysinternals
    autorunsc -d -e -m -s -w
    as it provides path and software maker and even service/program description so it's easy to figure out what's what.

    LVL 11

    Expert Comment

    I would try APM; it has a great interface that shows you the DLLs that are running for each process. Check it out. BTW, when you figure it out, let me know what program it is :)
    LVL 1

    Author Comment

    I found it late last night with a tool I found at the web site meintsi pointed me to, but the info from tymes was also helpful, so I'm going to split the points between those two.

    For those who are interested, the application is one of SpectorSoft's products, which can be found at   It is very cleverly hidden.  It shows up on my system under the explorer task with Sysinternals' procexp as botlan.dll.  This name is different on every machine that it's installed on.  There is another (ctrlbio.dll on my machine) that seems to be used for memory mapping.  The botlan.dll lists an export of murlbot.dll, which turned up SpectorSoft's name in a Google search.  SpectorSoft's name also showed up in the botlan.dll string resources as an email address.  The way the program restarts at boot time is by the following registry key:


    Mine said: Vbaboot  and resolved to this: c:\windows\system32\botlan.dll

    I located the data files by monitoring all files modified by the explorer.exe process with another great product from Sysinternals, filemon.exe.  There were 50 or so in a directory named c:\windows\system32\statmic\ (in my case), and all had long cryptic names like this:
    EF23E97F7F2F42E1A14A9064CD9AE648BDDA23D6.tpr, ending in .tpr, except one which was named linkwsock.ocx.  This ocx file is not an ocx at all, but an ASCII log file, which can be read with Notepad.  All of the files (including the DLLs) were backdated to the same date: 8/4/2004 1:56 AM on my machine, but this was different on my coworkers' machines.

    That's about all I know, so far.  Thanks to all who participated.
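The two findings above (a DLL loaded into explorer.exe rather than a separate process, and an autostart entry that points at that DLL) can be checked on any Windows box with the script below. This is an added example and not from the thread or from any tool it mentions; it assumes PowerShell with the built-in Get-Process and Get-AuthenticodeSignature cmdlets, and it looks in the standard HKLM/HKCU Run keys (an assumption: the thread does not say which key it found). Run it elevated with a PowerShell of the same bitness as explorer.exe so that the module list is complete.

```powershell
# Part 1: modules loaded into explorer.exe whose Authenticode signature is
# not valid. A monitoring DLL injected into the shell shows up here, while
# Microsoft and most vendor DLLs carry a valid signature.
$explorer = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1

$unsigned = foreach ($m in $explorer.Modules) {
    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Module    = $m.ModuleName
            Path      = $m.FileName
            Status    = $sig.Status          # NotSigned, HashMismatch, ...
            Modified  = (Get-Item $m.FileName).LastWriteTime
        }
    }
}
"Modules in explorer.exe (PID $($explorer.Id)) without a valid signature:"
$unsigned | Sort-Object Path | Format-Table -AutoSize

# Part 2: autostart values under the Run keys that reference a .dll
# (a loader such as rundll32 starting a DLL at logon is a common pattern).
# These key paths are assumed here; the thread does not name its key.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match '\.dll') {
            "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}
```

Compare the file timestamps in Part 1 against each other: the thread notes the DLLs and data files were backdated to one identical time, so a cluster of unsigned modules sharing a LastWriteTime is worth a closer look.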
