Possible Keylogger?


potolife
04-27-2008, 11:21 PM
So I have this red dot in my task bar that says "your activity is recorded" then asks for a password when I click it. Now I've looked extensively into this and all I've been able to find is stuff about PcPandora and Familykeylogger, neither of which have ever been installed on my laptop (I'm the only one that uses it and knows the password to access it). I've run as many spyware and malware scanners as I can and I've located some supposedly infected .dll files, but the problem is I can't delete them. Windows says they're being used by another program, but it doesn't say which one. This problem showed up when I was using uTorrent for the first time. It happened once before, but the dot went away instantly and I just forgot about it. I can tell you all you need to know and show you some screenshots if you need them. I also have a Combofix log, if that'll help at all.

Oh, and I use Vista if that means anything.

opn4bzns
04-27-2008, 11:34 PM
Well, a basic first step would be to try and end the process.
Press Ctrl-Alt-Del and click "start task manager".
When it opens, click the processes tab and look for anything relating to PcPandora or FamilyKeylogger and end the process.

More long term, which spyware checker(s) did you run?

potolife
04-27-2008, 11:37 PM
So far I haven't been able to find anything relating to those two programs. Let's see, I ran Windows Defender, Prevx CSI, Spyware Doctor, ComboFix, and KLDetector. I also used Security Task Manager to find which tasks were potentially harmful and found two .dll files that I haven't been able to delete.

OoooF4LiFe
04-27-2008, 11:37 PM
Post up some screenshots, along with a picture of all processes running. HJT log couldn't hurt, but those are a pain in the ass to sort through on my own rig, let alone look through someone else's.

It's most likely not letting you get rid of those corrupt .DLLs because whatever they're causing to run is still running. So you'll have to kill the process before you can delete the .DLLs. Hopefully that's all that's wrong, but after we sort that out run those spyware checkers periodically, and see if anything else comes up.


By the way, processes are in your task manager. Ctrl-Alt-Del -> Task Manager -> 'Processes' tab on the top.

potolife
04-27-2008, 11:45 PM
Here are some screenshots:

Red Dot (http://i15.photobucket.com/albums/a392/mantha100/1.jpg)
When Clicked (http://i15.photobucket.com/albums/a392/mantha100/2.jpg)
Tasks Running (http://i15.photobucket.com/albums/a392/mantha100/3-1.jpg)

EDIT:

Showing processes from all users:
1 (http://i15.photobucket.com/albums/a392/mantha100/4.jpg)
2 (http://i15.photobucket.com/albums/a392/mantha100/5.jpg)
3 (http://i15.photobucket.com/albums/a392/mantha100/6.jpg)

opn4bzns
04-27-2008, 11:51 PM
So far I haven't been able to find anything relating to those two programs. Let's see, I ran Windows Defender, Prevx CSI, Spyware Doctor, ComboFix, and KLDetector. I also used Security Task Manager to find which tasks were potentially harmful and found two .dll files that I haven't been able to delete.

I'd give Adaware (http://www.download.com/Ad-Aware-2007/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5&cdlPid=10827250) and Spybot (http://www.safer-networking.org/en/mirrors/index.html) a try, they're probably the best two anti spyware tools available and they're both free. Windows Defender is decent, but I haven't heard of any of the other programs you mentioned.

potolife
04-27-2008, 11:53 PM
Okay I'll try both of those.

OoooF4LiFe
04-28-2008, 12:17 AM
I looked around as well and found this: Link (http://www.techtalkz.com/windows-xp/151272-red-dot-taskbar-your-activity-recorded.html)
If you google "red dot your activity is recorded" you'll find a number of responses on this, including a hint that this can be a feature of some parental control software, particularly from a product called PC-Pandora. It asks for the password because it's offering the administrative user - only - access to the recorded logs.

Yes, this is technically a keylogger. But because it can be from a "legitimate" source, deliberately installed parental control software, many A/V and security apps may explicitly ignore it.

The more I look around, the more the problem points to this PcPandora Family Keylogger. Are you the owner of the computer? I would rather not look into it any further if the owner put it there purposely. And the fact that you say you were toying with utorrent, and then later on this red dot shows up, doesn't make me think it was something you downloaded, but more so that someone doesn't want you doing whatever it is you're doing.

Again, if you're the owner of the computer, then I'll look around some more. Just trying to do the somewhat right thing. You know, ignoring the fact that you use utorrent and all. :lol:

opn4bzns
04-28-2008, 12:19 AM
I looked around as well and found this: Link (http://www.techtalkz.com/windows-xp/151272-red-dot-taskbar-your-activity-recorded.html)


The more I look around, the more the problem points to this PcPandora Family Keylogger. Are you the owner of the computer? I would rather not look into it any further if the owner put it there purposely. And the fact that you say you were toying with utorrent, and then later on this red dot shows up, doesn't make me think it was something you downloaded, but more so that someone doesn't want you doing whatever it is you're doing.

Again, if you're the owner of the computer, then I'll look around some more. Just trying to do the somewhat right thing. You know, ignoring the fact that you use utorrent and all. :lol:

neither which have ever been installed on my laptop (I'm the only one that uses it and knows the password to access it).

I think that answers that.

OoooF4LiFe
04-28-2008, 12:27 AM
:pop:

It's getting late over here, or early. I'll try to help you out tomorrow, if nobody else corrects the problem. If you're overly paranoid about it, just disconnect it, and check this thread tomorrow on a different computer for some suggestions.

If it is sending information somewhere, it can't when it's not online.

Axidos
04-28-2008, 2:27 AM
Just checking through your list of processes. Do you have a Motorola modem (or had one at some point)? If not, sm56hlpr.exe shouldn't really be running.

neither which have ever been installed on my laptop (I'm the only one that uses it and knows the password to access it).
Are you sure? I mean, I've heard of people sneaking programs like this onto others' computers in the past.

InTransit
04-28-2008, 3:24 AM
Okay, I'm just going to go ahead and steal the information for you from the Blizzard site because Keyloggers are a massive issue with WoW, and they seem to know what they're talking about. It's all here (http://forums.worldofwarcraft.com/thread.html?topicId=1778038509&sid=1).

We strongly recommend that players continue to update their operating systems for the best security possible. Microsoft regularly releases security updates which help to combat the dangerous links to key-loggers that are being encountered. Following each release I would certainly recommend that players ensure that all critical Windows Updates have been installed on their computers. Updates can be downloaded from:

http://update.microsoft.com/microsoftupdate

Further details regarding such updates will be posted below and can be read at:

http://www.microsoft.com/technet/security/default.mspx

Enabling Automatic Updates is also recommended.


Antivirus Software:

A program that scans a computer's memory and storage space to identify and eliminate viruses. Please note that you can have more than one antivirus program running on your system. Some programs may not detect what another can.



AVG Free http://free.grisoft.com/freeweb.php

Tauscan http://www.tauscan.com/

Moosoft http://www.moosoft.com/

Symantec security check http://www.symantec.com/securitycheck


Macintosh specific:



Symantec Antivirus http://www.symantec.com/consumer_products/home-mac.html



Anti-Spyware Software:

A program that scans a computer's storage space and services to identify and eliminate programs designed to monitor computer usage beyond the user's acceptance. Among many technical issues spyware can also cause crashing, minimizing of the game window, and connection issues. Please note that you can have more than one anti-spyware program running on your system. Some programs may not detect what another can.



Ad-Aware SE http://www.lavasoftusa.com/

Ewido Anti-Spyware http://www.ewido.net/en/download/

Microsoft Windows Defender http://www.microsoft.com/athome/security/spyware/software/default.mspx

Spybot-Search & Destroy http://www.safer-networking.org/en/mirrors/index.html


From people I know of that have been keylogged before, Spybot is a really good program to use. Good luck, and if this doesn't work, I'm pretty sure it's not a keylogger.

Beefynick
04-28-2008, 8:08 AM
Can you have any more processes running on your computer?

Of course you should run the spyware scan and antivirus scans, but in addition to that you might want to kill some of the processes you do not need. When you have time, google some of the processes that are running and see if you need them or not.

Another thing I saw that was shocking was that firefox was taking up 133,312 K which is a lot of memory. That leads me to believe it is some sort of spyware program installed.

CharlieH
04-28-2008, 9:06 AM
Here are some screenshots:


2 (http://i15.photobucket.com/albums/a392/mantha100/5.jpg)


O.K. Going on the basis that I know little (read: nothing) about what things Vista shows by default in Task Manager, the second process down on that screenshot looks a tad suspect to me. That's from reading the descriptions, recognising some of them from my XP Task Manager etc. That one doesn't seem to fit any.

EDIT: Nick, she clearly has a lot of RAM. Firefox usually uses ~155,000 KB on my comp, and I have 1.25 GB of RAM.

Hunnter
04-28-2008, 9:12 AM
Hmm, I'm not that knowledgeable about the common processes running with Vista, but I have a feeling that having 2 csrss processes can't be a good sign.
Oh wait, nevermind, I checked MSDN, 2 seems to be normal... weird.

Eh, screw this.
1) Open the little password thingy box.
2) Open Task Manager.
3) Minimize everything else. (Pause programs as well; I should hope Task Manager at least allows Suspend now, if not then damn, I hate Microsoft even more, try Process Explorer.)
4) Grab the password box and shake it all around the screen as much as possible.
Why you ask? Well, this will cause more CPU usage, easily IDing whatever process it is.
It worked for me before for several things, including finding out the auto-logout timer back in the school library :lol:
Since that process list seems rather large, you might need to do this a few times, scrolling down each time you fail to find any highly active programs.

And Beefynick, Firefox is just a memory-hogging bastard, thanks to Mozilla's crappy programmers who fail at any form of decent memory management. (Even a memory expert who coded a program to prevent memory leaks and crashes struggled getting it working with Firefox, and had to resort to coding special code specifically for it!)
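
A way to skip the CPU-shaking step from Hunnter's list, as an added example that is not part of the thread: this PowerShell snippet enumerates top-level windows, matches the title, and reports the owning process (the title fragment 'password' and Windows PowerShell 5.1 or later are assumptions).

```powershell
# Added example, not from the thread: resolve which process owns a window by its title,
# e.g. the "Enter password" box, instead of watching CPU jumps in Task Manager.
# Assumes Windows PowerShell 5.1+; the title fragment 'password' is an assumption.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class User32Win {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int maxCount);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

function Find-WindowOwner {
    param([string]$TitlePattern = 'password')
    $hits = New-Object System.Collections.Generic.List[object]
    # EnumWindows calls this delegate once per top-level window, synchronously.
    $callback = [User32Win+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if (-not [User32Win]::IsWindowVisible($hWnd)) { return $true }
        $sb = New-Object System.Text.StringBuilder 512
        [void][User32Win]::GetWindowText($hWnd, $sb, $sb.Capacity)
        $title = $sb.ToString()
        if ($title -and $title -like "*$TitlePattern*") {
            $ownerPid = [uint32]0
            [void][User32Win]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $hits.Add([pscustomobject]@{
                Hwnd     = $hWnd
                Title    = $title
                OwnerPid = $ownerPid
                Process  = $proc.ProcessName
                Path     = $proc.Path     # null for elevated processes when not running as admin
            })
        }
        return $true   # keep enumerating
    }
    [void][User32Win]::EnumWindows($callback, [IntPtr]::Zero)
    return $hits
}

Find-WindowOwner -TitlePattern 'password' | Format-Table -AutoSize
```

If the owner turns out to be explorer.exe, as it did in this thread, the dialog comes from a DLL loaded into the shell rather than from a separate process, so the next step is looking at what explorer.exe has loaded.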

Beefynick
04-28-2008, 10:16 AM
...And Beefynick, Firefox is just a memory-hogging bastard, thanks to Mozilla's crappy programmers who fail at any form of decent memory management. (Even a memory expert who coded a program to prevent memory leaks and crashes struggled getting it working with Firefox, and had to resort to coding special code specifically for it!)

I use Firefox and have never had it use above 50,000k of memory. Which 50,000k of memory is quite a bit for a browser but still, more than twice that is insane.

Hunnter
04-28-2008, 11:51 AM
I use Firefox and have never had it use above 50,000k of memory. Which 50,000k of memory is quite a bit for a browser but still, more than twice that is insane.

Lucky you.
Although do you use many extensions?
The extensions are one of the main reasons for most of the memory leaks, still indirectly because of Mozilla not cleaning up memory automatically. (DownThemAll causes a ton of leaks, and leftover files occasionally on failed downloads)

Whenever I'm running FF, it slowly eats up memory through the day, then I have to end it when it ends up getting to the 90% numbers... (2 GB RAM)
Not like it matters much with Tab-resume on shutdown/crash.

potolife
04-28-2008, 12:02 PM
Well I've run Adaware and Spybot, neither of which returned anything other than some cookies relating to Opera. McAfee said it deleted some Trojans it found on its own, but this red dot is STILL there. So like InTransit said, I guess it's not a keylogger. What else can I do to find the program that's doing this?

fabz
04-28-2008, 12:24 PM
I just did a search for uninstall keylogger and vista in google and it came up with this site.

http://search.wareseeker.com/anti-keylogger-vista/

There's a few programs up there that could be the problem. Granted you don't want to download those programs because you already have a keylogger (:fmita:) But maybe this could give you an idea on what to look for.

Have you tried closing everything? Every little piece of software, even the sounds icon, until the red dot is the only thing running, and then seeing what your task manager says? I see that you don't have a lot running but maybe it's something else. What about your start up menu?

Have you thought about getting a hard drive and started to back up everything? If you want it gone...there may be only one option left.

potolife
04-28-2008, 12:53 PM
Well when I tried what fabz suggested, not much changed. I really don't want to get an external hard drive, I guess that'll be a last resort.

Some more screenshots:

According to Security Task Manager, an infected file (http://i15.photobucket.com/albums/a392/mantha100/dll.jpg)
In my files (http://i15.photobucket.com/albums/a392/mantha100/location.jpg)
When I try deleting it (http://i15.photobucket.com/albums/a392/mantha100/denied.jpg)

EDIT: I ran my computer on Safe Mode, and the dot still showed up.

Beefynick
04-28-2008, 8:02 PM
The dot will still show up in safe mode, but you should be able to delete the dlltab.dll file easily. You may need to disable it from the task manager.

potolife
04-28-2008, 8:10 PM
The dot will still show up in safe mode, but you should be able to delete the dlltab.dll file easily. You may need to disable it from the task manager.

How can I do this?

Also, when I open up the enter password window and click "Go To Process" in the task manager, it goes to explorer.exe, so does that mean this is infected? And when I do what Hunnter said (shaking the window around and such), the CPU usage jumps up on explorer.exe.

Beefynick
04-28-2008, 8:37 PM
If you are in safe mode, you can shut down any of the mcafee virus scan processes and processes that are not used by windows (you will know which ones are used by windows). It would make sense that explorer.exe shows more usage because it is what displays most of the windows.

You should be able to click Task Manager and then click the processes tab. Once there clicking End Process would end the unwanted process from running.

potolife
04-28-2008, 8:47 PM
You should be able to click Task Manager and then click the processes tab. Once there clicking End Process would end the unwanted process from running.

Well I know how to end processes, but I don't know which one of them has anything to do with dlltab.dll

Axidos
04-29-2008, 1:57 AM
Considering it would be extremely bad (your system might stop working) to go deleting system32 files unless you know exactly what you're doing, I'm going to point you over to a real tech support forum before you fuck something up: TechSupportGuy (http://www.techguy.org/). Start a topic in their General Security (http://forums.techguy.org/78-general-security/) section (one of the first in the main forum listing).

Dauntasa
04-29-2008, 12:37 PM
Don't worry about deleting dlltab.dll. It has been created by the virus; it serves no purpose in an un-infected system.

Hunnter
04-29-2008, 2:14 PM
Ah, looks like one of those bastards hooked onto explorer.

Well, you will need some process explorer program, to which I suggest Process Explorer... :lol:
You can search for the dlltab under Search.
Terminate the handles you find in the lower pane. (might need to show it using View menu)
Then you should be able to delete the file.

If not, then you might need to unregister it.
Win+R
regsvr32 /u dllname
Also, make sure its attributes aren't set as read only and/or system
Win+R
Attrib -s -r filelocation

That should work.
If not, then Vista is more trouble than I thought, and this is as far as I can help you.
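
For the question of which process has dlltab.dll loaded and what keeps it coming back, an added PowerShell example (not from the thread or any of the posters): it lists the processes with the DLL mapped, the file's attributes and signature, and the registry locations that reference it. Only the file name comes from the thread; the keys are standard Windows auto-load locations, and an elevated PowerShell 5.1+ prompt is assumed.

```powershell
# Added example, not from the thread: find which processes have dlltab.dll loaded,
# show the file's attributes and signature, and look for registry entries that make
# Windows load it again. The DLL name is from the thread; run from an elevated PowerShell.
$DllName = 'dlltab.dll'

function Get-DllLoaders([string]$Name) {
    Get-Process | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }   # protected/other-bitness processes throw
        foreach ($m in $mods) {
            if ($m.ModuleName -ieq $Name) {
                [pscustomobject]@{ ProcessId = $p.Id; Process = $p.ProcessName; Path = $m.FileName }
            }
        }
    }
}

function Find-DllRegistryReferences([string]$Name) {
    # Auto-load locations worth checking for a DLL that keeps reappearing after reboot.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'    # AppInit_DLLs value
    )
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ("$($prop.Value)" -like "*$Name*") {
                [pscustomobject]@{ Key = $k; Value = $prop.Name; Data = $prop.Value }
            }
        }
    }
    # COM shell extensions are loaded into explorer.exe via CLSID\{...}\InprocServer32;
    # scanning every CLSID takes a little while but catches a DLL hooked into the shell.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and "$($srv.'(default)')" -like "*$Name*") {
            [pscustomobject]@{ Key = "CLSID\$($_.PSChildName)\InprocServer32"; Value = '(default)'; Data = $srv.'(default)' }
        }
    }
}

$loaders = @(Get-DllLoaders $DllName)
$loaders | Format-Table -AutoSize
foreach ($path in ($loaders.Path | Sort-Object -Unique)) {
    # Read-only/system attributes block deletion; an unsigned DLL in system32 is a red flag.
    Get-Item -LiteralPath $path -Force | Select-Object FullName, Attributes, CreationTime, Length
    "Signature: " + (Get-AuthenticodeSignature -FilePath $path).Status
}
Find-DllRegistryReferences $DllName | Format-Table -AutoSize
```

A process listed by Get-DllLoaders is the one holding the file open, and a CLSID hit is what regsvr32 /u would remove; clearing those first is what makes the delete in Hunnter's steps succeed.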

FlamingPeanuts
05-01-2008, 10:11 AM
Press start > Run > msconfig > Startup > deselect everything you don't want. (edit: this is what programs are set to start when you turn on your computer, it will usually be programs such as anti-virus programs and updating, msn or messaging programs that like to do this, and viruses/annoying programs that don't like to go away.)
Restart. >
Virus scan again and get the files while the program's not running. >
Look in Control Panel at Add and Remove Programs too.

edit: Also, the default password is probably 'password'.

lostos
05-01-2008, 10:44 AM
Try this (http://www.lockergnome.com/griffin/2007/11/12/how-to-delete-a-file-being-used-by-another-program/)

I never had to use this program. Avast Antivirus (http://www.avast.com/) is free and very efficient. When it finds an infected file that cannot be deleted it has an option "Remove on next system boot" or something. You should give it a try. Another great option in Avast is Boot-scan, where you can schedule a boot-time scan that will allow you to delete any infected file before almost any processes are loaded.