03-16-2003, 04:37 AM
#1 (permalink)
Registered User
Join Date: Mar 2003
Posts: 57
Keyloggers?!
Hi there, I used the demo version of "Anti-keylogger" and "Spy Cop", to detect keyloggers.
Now Anti-Keylogger found one file:
c:\Documents and Settings\Owner\application data\Motive\Acme\plugin\log\pchbtn.log
Inside at the "plugin" folder while backtracking there are other various folders, and I found inside that one had "PC Doctoer" and "Solo" (as in Solo Antivirus) documents. Programs I had downloaded a while ago and got rid of.
Anyways, my first question is...
1. What exactly is a keylogger? Is it someone sitting at home watching me type? I'm worried that it may be a friend (none in particular, just paranoia maybe?) reading personal emails, or even stealing my credit card info, as I recently used it online.
2. Is this file in any way malicious?
3. Is it related to those programs I mentioned earlier (PC Doctor and Solo)?
Any help would be much appreciated, on this topic?! I'm kinda clueless.
BTW; I use Stop-Sign from eAnthology, and it detects no keyloggers?

03-16-2003, 05:50 AM
#2 (permalink)
Registered User
Join Date: Apr 2002 Location: Albany, Ga.
Posts: 1,042
Hi VAM,
Welcome to Techimo. I'll try to help.
The first thing that comes to mind is, is this your personal computer or does it belong to a/your company? If it belongs to the company I strongly suggest you leave it alone, and maybe complain to your boss (but that is up to you). Legally, because it is the company's comp, you should leave it alone.
If it is yours, did you buy this computer used or is it new? How long have you had it?
This program is usually used for security and prevention, but it can be used in nefarious ways (usually to capture a login password, etc.)
Simply put, it's a program that records each and every key that is typed into the keyboard. It has valid IT support uses.
Quote: "purpose of the program is to provide you with a log of what you have typed on your own computer for later review. System administrators may also use the software to monitor computer usage with proper warning in advance. Please note that final user assumes all responsibilities associated with using this program."
That is from a FAQ file here: http://www.amecisco.com/faq_ik97.htm#Q2
Malicious? Not directly, but that depends on who put it there and why. I am assuming it was put there by your IT guys (assuming it's a company comp) for support purposes, but that is just a guess. It might have been put there by the previous owner or someone who had access to your computer.
I don't know if those programs are related - Google didn't give me a hit on pchbtn.log, "PC Doctoer". Were they in the c:\Documents and Settings\Owner\ (or before) tree/folder extension?
Vern

03-16-2003, 07:24 PM
#3 (permalink)
Registered User
Join Date: Mar 2003
Posts: 57
Thanks for replying.
The computer was bought new last year (June/July 2002). I notice when I do a search about something, like "vitamins" or something, I'll get many emails, you know junk mail, about that subject.
I get tons of pornography, even though I don't search for pornography on the internet. And many, many "credit/loan" type emails. I block them, but more keep coming. That could be related?
Nobody has access to my computer but me/my family (who rarely if ever uses it). Unless it was put there by someone online?
I didn't quite understand this:
"I don't know if those programs are related - Google didn't give me a hit on pchbtn.log, "PC Doctoer". Were they in the c:\Documents and Settings\Owner\ (or before) tree/folder extension?"
The PC Doctor file and Solo file were in here...
c:\documents and settings\owner\application data\motive\acme\plugin\maps\eHelp\Maps\ (then there is a PC Doctor folder) and a "Solo" folder.
They both contain the following files:
control folder (which contains; "MapMeta", "singer" and "toc" files for each)
_PrimaryMap_.mcm
and also
PcdMXLStringer.mzp (for PC Doctor) and SoloEmptyRecycleBin.mzp
I hope this helps you, help me? haha anyways thanks for everything,
Thanks a lot, I appreciate it.
VAM

03-16-2003, 07:30 PM
#4 (permalink)
Registered User
Join Date: May 2002 Location: Joplin, MO
Posts: 2,208
You might want to download Ad-Aware or another spyware scanner. Run that, and see what it brings up.
David

03-16-2003, 09:30 PM
#5 (permalink)
Registered User
Join Date: Apr 2002 Location: Albany, Ga.
Posts: 1,042
Hi VAM,
I agree with David, your most likely culprit in this case (the emails after you do a search lead to you having a spyware program installed).
This program is NOT related to a key logging program. Your best bet I think is for you to download Lavasoft's Adaware (here: http://lavasoft.element5.com/support/download/ ) which is what I use, but if you don't like/want to use it there are several others you can get.
Vern

03-17-2003, 12:18 AM
#6 (permalink)
Registered User
Join Date: Oct 2001 Location: Univ. of Wash. Seattle, WA
Posts: 1,915
I think Spybot Search and Destroy ( http://spybot.safer-networking.de/) will specifically search for keyloggers. It's worth a download/scan.

03-17-2003, 12:59 AM
#7 (permalink)
Registered User
Join Date: Nov 2002 Location: Boise, Idaho
Posts: 2,361
Download Ad-aware and go to this site: www.antivirus.com
Look on the main list for free scan.
Then give it your email and location, then let it update, then finally scan.
Post a list of what it comes up with. (virus scanner)
Also do a search : start>find>files or folders
In the space for "Containing text:" type in your credit card number. Search your c drive and see if it comes up with any file.
If it does, post the name of the file, not what you searched for or the contents of the file, just the name.
If it doesn't come up you should be fine in the way of a key logger hopefully.
PyroSama

03-17-2003, 01:01 AM
#8 (permalink)
Registered User
Join Date: Nov 2002 Location: Boise, Idaho
Posts: 2,361
Or type something along the lines of h3klj45 in some message window (don't copy paste) and then search for that same text if it doesn't find your credit card number. (type something you wouldn't have typed before in your life)
PyroSama
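
The typed-marker check suggested in the post above, as an added example that is not part of the original thread: it searches a folder tree for the marker as raw bytes in both UTF-8 and UTF-16-LE, which a single-encoding text search can miss. The function names and the encoding list are assumptions made for this illustration.

```python
import os

# Assumption: a plain-text log stores keystrokes as UTF-8/ASCII or as
# UTF-16-LE (the native Windows wide-character form). Encrypted or
# compressed logs match neither, so an empty result is not proof.
ENCODINGS = ("utf-8", "utf-16-le")

def canary_patterns(canary):
    """Return {byte pattern: encoding label} for the marker string."""
    if not canary:
        raise ValueError("canary must not be empty")
    patterns = {}
    for enc in ENCODINGS:
        # Some loggers record key names in one case only.
        for variant in (canary, canary.lower(), canary.upper()):
            patterns.setdefault(variant.encode(enc), enc)
    return patterns

def file_contains(path, patterns, chunk_size=1 << 20):
    """Return the encoding label of the first pattern found, else None."""
    overlap = max(len(p) for p in patterns) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return None
            window = tail + chunk  # keep bytes that straddle two chunks
            for pattern, enc in patterns.items():
                if pattern in window:
                    return enc
            tail = window[-overlap:]

def scan_tree(root, canary):
    """Walk root and return sorted (path, encoding) pairs for each hit."""
    patterns = canary_patterns(canary)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                enc = file_contains(path, patterns)
            except OSError:
                continue  # locked or unreadable file: skip it
            if enc:
                hits.append((path, enc))
    return sorted(hits)
```

After typing the marker by hand, a call such as `scan_tree(r"C:\Documents and Settings\Owner", "h3klj45")` lists any file that recorded it in plain text.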

03-17-2003, 02:46 AM
#9 (permalink)
Registered User
Join Date: Mar 2003
Posts: 57
Okay I did this: "start" > "search" > "all files and folders", and searched for my credit card # (no results), and also I did that number/letter type thing you recommended. And it returned no results as well.
I use Ad-aware 6 now, I've done various scans, the first turned up 30 results. And now even back to back scans still find at least one (they are all "RISK LEVEL: Low"), but the one that is not really going away is "CyDoor".
Does anyone know what CyDoor is?
Also I did the free online virus scan at Micro Trend. The results were; "Congratulations you are virus free" etc.
I installed "SpyBot Search & Destroy". Firstly it said this:
"You have AdAware installed.
If you have the AdAware option to scan inside archives enabled, AdAware may find files in the Spybot-S&D folder. Spybot-S&D does not contain any spyware, but it creates backups of everything you fix (until you remove those backups from the Recovery list), and AdAware complains about these backups. You can safely ignore these backups found by AdAware."
Does this mean I have to remove something? That blew my mind, can you guys figure out what that means?
Anyways the program worked and found a bunch of things, I deleted most. Except EAcceleration, Windows Media, and MS Works files.
Thanks everyone, for being so helpful. All of you. Appreciate it.
VAM

03-17-2003, 03:58 AM
#10 (permalink)
Registered User
Join Date: Oct 2001 Location: South Texas
Posts: 1,395
Quote: "Does anyone know what CyDoor is?"
Yep, it's part of KaZaa (file sharing proggie). If you remove it (or any instance of it as there are several), you will no longer be able to run KaZaa. There were claims that KaZaa Lite didn't contain any spyware, but they were false.
You can leave it there, if you're worried about security then I'd do the following in KaZaa:
1) Go to Tools -> Options
2) Select the Traffic tab, and check Disable sharing of files with other KaZaa users