Find keylogger/activity monitor process running on my computer

My boss has installed some sort of program to monitor every keystroke and activity that takes place on our computers.  I know when it was installed, but I don't know what it is.  He knows that I'm looking for it and is fine with that.  I have run several programs that claim to be able to detect such software, but to no avail.  I have looked at every process listed in the task list of the task manager.  I have run a file monitor.  This is what I know about it:  The data that it collects is kept on this computer, or one of its mapped drives and is later fetched by him to look at.  I am in the Administrators group on this machine which runs XP-Pro.  The installation routine of this program did all of the work of hiding it.  I do not want to disable it or remove it.  I simply want to know where it is, and how it can be hidden from the running processes list.  Thanks a million to anyone who can help me find this thing.  It's become a quest and my boss is really amused by all of it.  I can install any software that will help too.

These items are in the startup tab of the MSCONFIG dialog:

AutoCAD Startup Accelerator

Here are the running processes:

Image Name                   PID Services                                    
System Idle Process            0 N/A                                          
System                         4 N/A                                          
smss.exe                     572 N/A                                          
csrss.exe                    620 N/A                                          
winlogon.exe                 644 N/A                                          
services.exe                 688 Eventlog, PlugPlay                          
lsass.exe                    700 Netlogon, PolicyAgent, ProtectedStorage,    
svchost.exe                  876 DcomLaunch, TermService                      
svchost.exe                  940 RpcSs                                        
svchost.exe                 1036 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,  
                                 EventSystem, helpsvc, lanmanserver,          
                                 lanmanworkstation, Netman, Nla, RasMan,      
                                 Schedule, seclogon, SENS, SharedAccess,      
                                 ShellHWDetection, srservice, TapiSrv,        
                                 Themes, TrkWks, W32Time, winmgmt, wuauserv,  
svchost.exe                 1148 Dnscache                                    
svchost.exe                 1232 LmHosts, RemoteRegistry, WebClient          
spoolsv.exe                 1388 Spooler                                      
clisvcl.exe                 1712 clisvc                                      
inetinfo.exe                1792 IISADMIN, MSFtpsvc, SMTPSVC, W3SVC          
FrameworkService.exe        1808 McAfeeFramework                              
VsTskMgr.exe                1844 McTaskManager                                
nvsvc32.exe                 1964 NVSvc                                        
wdfmgr.exe                   248 UMWdf                                        
Wuser32.exe                  320 Wuser32                                      
naPrdMgr.exe                1112 N/A                                          
alg.exe                     2008 ALG                                          
SMSAPM32.exe                3404 N/A                                          
explorer.exe                3768 N/A                                          
shstat.exe                  2240 N/A                                          
UpdaterUI.exe               1016 N/A                                          
launch32.exe                3860 N/A                                          
realsched.exe               3712 N/A                                          
jusched.exe                 2140 N/A                                          
ctfmon.exe                  1816 N/A                                          
msnmsgr.exe                 2148 N/A                                          
SMSMon32.exe                1668 N/A                                          
mdm.exe                     1428 MDM                                          
OUTLOOK.EXE                 2032 N/A                                          
devenv.exe                  1608 N/A                                          
cmd.exe                     2192 N/A                                          
wmiprvse.exe                2296 N/A                                          
2 Solutions
If you're running XP Pro and IISADMIN with those services, can you go to http://localhost? Maybe it's integrated with the IIS Webserver?
awendleAuthor Commented:
I am able to go to http://localhost and it takes me to the web page I created.  I'm pretty sure that the other programmers in my group are not using IIS at all.  I was using it for some web stuff I did.  It wasn't installed until I installed it.
OK, how do you know he has a keylogger? Are you sure it's nothing that's getting tracked by a switch/router or manager?
awendleAuthor Commented:
I don't know for sure that it's a keylogger, but I know that he is able to collect everything typed in emails, web browsers, IM dialogs, and supposedly any other application that is running on the pc.  I know it's not a network tracker because he went around and installed it on each pc.  (I saw him doing it.  I just didn't know that's what he was doing until the next day.)  He told me that it does not send the data over the network.  I had been running a port scanner and found nothing there.  One of the employees got him to show him the information he had logged on him and he had to fetch the data from his pc and then view it with whatever sort of viewing tool he has.
Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection and to a lesser extent vice versa!

You could also check out the Sysinternals diagnostics tools:     http://www.sysinternals.com

namely Process Explorer for some other info:

You could also look at something like this:             http://www.anti-spy.info

awendleAuthor Commented:
Thanks meintsi,

I am very familiar with sysinternals.  They have awesome software!  I have used several of their tools to look at this machine (including procexp) but I have not been able to figure out which process it is.  It has to be one of them, doesn't it?  It's my understanding that every process that is running on a pc has to be in that list.  Is that right?  How are .NET processes listed?

I'll take a look at the other site you mentioned.
I prefer using sysinternals
autorunsc -d -e -m -s -w
as it provides path and software maker and even service/program description so it's easy to figure out what's what.

I would try APM, it has a great interface that shows you the dll's that are running for each process, check it out. BTW when you figure it out let me know what program it is :)

awendleAuthor Commented:
I found it late last night with a tool I found at the web site meintsi pointed me to, but the info from tymes was also helpful, so I'm going to split the points between those two.

For those who are interested, the application is one of Spectorsoft's products which can be found at http://www.spectorsoft.com   It is very cleverly hidden.  It shows up on my system under the explorer task with sysinternal's procexp as botlan.dll.  This name is different on every machine that it's installed on.  There is another (ctrlbio.dll on my machine) that seems to be used for memory mapping.  The botlan.dll lists an export of murlbot.dll which turned up spectorsoft's name in a google search.  spectorsoft's name also showed up in the botlan.dll in the string resources as an email address.  The way the program restarts at boot time is by the following registry key:
Mine said: Vbaboot  and resolved to this: c:\windows\system32\botlan.dll

I located the data files by monitoring all files modified by the explorer.exe process with another great product from sysinternals, filemon.exe.  There were 50, or so, in a directory named c:\windows\system32\statmic\  (in my case) and all had long cryptic names like this:
EF23E97F7F2F42E1A14A9064CD9AE648BDDA23D6.tpr ending in .tpr except one which was named:  linkwsock.ocx.  This ocx file is not an ocx at all, but an ascii log file, which can be read with notepad.  All of the files (including the dll's) were backdated to the same date: 8/4/2004 1:56 AM on my machine, but this was different on my coworker's machines.

That's about all I know, so far.  Thanks to all who participated.
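As an added example (not from the thread and not part of any of the tools named in it), a small Python script that applies two of the checks the final comment describes to a directory: files whose .dll/.ocx/.exe extension promises a Windows PE image but whose content does not start with the "MZ" header (the way linkwsock.ocx turned out to be a plain text log), and groups of files all sharing one identical modification time (the backdating). It builds its own constructed sample directory; the file names, contents and timestamp value are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Extensions that should hold a Windows PE image, which always starts with "MZ".
PE_EXTENSIONS = {".dll", ".ocx", ".exe", ".sys"}


def is_pe_image(path: Path) -> bool:
    """True when the file begins with the DOS 'MZ' header every real DLL/OCX/EXE has."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def scan_directory(root: Path, min_cluster: int = 3) -> dict:
    """Report files masquerading as PE images and files that share one mtime.

    Returns {"masquerading": [names], "timestamp_clusters": {mtime: [names]}}.
    """
    masquerading = []
    by_mtime = {}
    for path in sorted(root.iterdir()):
        if not path.is_file():
            continue
        if path.suffix.lower() in PE_EXTENSIONS and not is_pe_image(path):
            masquerading.append(path.name)
        by_mtime.setdefault(int(path.stat().st_mtime), []).append(path.name)
    clusters = {ts: names for ts, names in by_mtime.items() if len(names) >= min_cluster}
    return {"masquerading": masquerading, "timestamp_clusters": clusters}


def build_sample_dir() -> Path:
    """Constructed sample imitating the statmic directory from the thread (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="statmic_sample_"))
    # A text log hiding behind an .ocx name, like linkwsock.ocx in the thread.
    (root / "linkwsock.ocx").write_text("12:01 notepad.exe hello world\n")
    # A minimal file starting with the MZ magic, standing in for a real DLL.
    (root / "botlan.dll").write_bytes(b"MZ" + b"\x00" * 62)
    # Log fragments with long hex-looking names and the .tpr extension.
    for i in range(3):
        (root / f"{'AB' * 20}{i}.tpr").write_bytes(b"\x00" * 16)
    # Backdate every file to one identical second (an assumed epoch value; only sameness matters).
    backdated = 1091584560
    for path in root.iterdir():
        os.utime(path, (backdated, backdated))
    return root


if __name__ == "__main__":
    print(scan_directory(build_sample_dir()))
```

On a real system, point scan_directory at the suspect folder instead of the constructed sample; a non-PE .ocx or a large cluster of identical timestamps is a lead to inspect, not proof by itself.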
