
Might I be getting keylogged?

Discussion in 'General Security' started by LosingSleep, Jan 8, 2013.

Thread Status:
Not open for further replies.
  1. LosingSleep

    LosingSleep Thread Starter

    Joined:
    Jan 8, 2013
    Messages:
    4
    Hello. I might need some advice or help, or both. Let me say in advance - Thank You.

    Okay, in the past two days I have noticed some strange notepad, DAT and ini files that seem to have suddenly appeared. And they're everywhere. In my Administrator folders, User folders, download folders, pictures, video, etc.

    In the Admin and User folders, they are NTUSER DAT, ini and LOG files. In the other folders, they are desktop.ini's that list (of course the listings aren't empty) -

    [DeleteOnCopy]
    Owner=
    Personalized=
    PersonalizedName=
    [.ShellClassInfo]
    InfoTip=
    IconFile=
    IconIndex=

    Could it be that I am being keylogged?

    I have run malware scans, my anti-virus & TDSS Rootkiller - with not a lot of results. My anti-virus, when set to hyper sensitive, came up with 2 instances of malware from an infection over two years ago.

    If you could let me know where to look, or what to download or what you'd like to see, I would be very appreciative.

    Also, just as I have been typing this, a lot of my file folders now have suddenly highlighted (or greyed) themselves. The text files and ini's, as well. As if I were highlighting them just before opening, or something. Sheesh. :confused:
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,451
    First Name:
    Derek
  3. LosingSleep

    LosingSleep Thread Starter

    Joined:
    Jan 8, 2013
    Messages:
    4
    Okay, it was unchecked, which meant to show hidden files and folders. However, it doesn't show them all. Only files like NTUSER and ntuser.dat.log and the desktop.ini. These are then found over and over in folders like Administrator, User and what I listed above.
     
  4. LosingSleep

    LosingSleep Thread Starter

    Joined:
    Jan 8, 2013
    Messages:
    4
    I have gone through the control panel and chosen hide, I have gone through my computer icon on the desktop and chosen hide and I have made sure through regedit that the numerical values are correctly set for hide. These files are still showing and will not 'hide' themselves. I don't believe that I should delete them. And what is really bothering me is that I don't know why they showed up to begin with.

    What should I do here?
     
  5. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    There are 2 settings in that dialog box. 1) Don't show hidden files, folders or drives. And 2) Hide protected operating system files.
     
  6. LosingSleep

    LosingSleep Thread Starter

    Joined:
    Jan 8, 2013
    Messages:
    4
    Yes, I know of the 2 settings in the dialogue box. Both were marked not to show hidden files.

    Anyway, here's where I'm at now. After going through the control panel and making sure that both were checked to don't show, I went through the computer icon on the desktop and made sure both were marked to not show. Yet, the files were still showing. So then I went through regedit, to make sure that the #'s for not show were correct. They were. So then, I right-clicked each file, went thru properties and had to set them to Read Only and Hidden individually to make them hidden again.

    Okay, so now they are hidden. But why in the world did only those (NTUSER.DAT, NTUSER.LOG, desktop.ini, .recently-used.xbel) show? I never messed with them. I haven't installed anything new on this pc, made any changes or monkeyed with anything.

    The .recently-used.xbel was modified on Jan.3, 2013 at 11:42AM by someone. I just noticed these recently appeared files on January 7th, which was the first time that I had been on this PC since January 2nd.

    Also, as of note, all of the NTUSER.DAT files that were unhidden, and scattered about in various folders, had notepad's that appeared to have content in them (4kb, 8kb .. etc), but when opened were blank. I don't know if that's something, or not.

    Is there a good spyware remover that you guys could recommend that's pretty effective at eliminating rootkits and items associated with a possible keylogging attack?

    I do have a HijackThis log, and could run a RootkitRevealer log, if someone from the site would like to have a look.
     
  7. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    The NTUSER.DAT should appear only in C:\Users\<YourAccountName>. You say they were scattered about in more than 1 location. That is not normal.

    You also said "had notepad's that appeared to have content in them". Do you mean that NTUSER.DAT has a Notepad icon? If so, did you use "Open With" and then choose Notepad, and have checkmarked "always use the selected program"? Because DAT files originally have no associated program to open them. The Notepad icon that appears next to the file name is there only because someone used Notepad to open it once, and also had it remember to use Notepad in the future.

    I don't think you should mark NTUSER.DAT as Readonly. Windows may need to change the content of that file. My NTUSER.DAT doesn't have Readonly checked.
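
The checks discussed in this thread, as an added PowerShell example that is not part of any poster's reply: it reads the two Folder Options settings for the current user and lists every NTUSER.DAT on the system drive, marking whether each one sits directly in a profile folder registered under ProfileList. The registry value names `Hidden` and `ShowSuperHidden` and the ProfileList key are not named in the thread; the script is read-only and assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit, nothing on disk or in the registry is changed.

# 1. The two Folder Options settings, as stored for the current user.
#    Hidden: 1 = show hidden files, 2 = don't show them.
#    ShowSuperHidden: 0 = hide protected operating system files, 1 = show them.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
[pscustomobject]@{
    HiddenFiles      = $(if ($adv.Hidden -eq 1) { 'shown' } else { 'not shown' })
    ProtectedOsFiles = $(if ($adv.ShowSuperHidden -eq 1) { 'shown' } else { 'hidden' })
} | Format-List

# 2. Folders where an NTUSER.DAT is expected: every profile registered
#    under ProfileList, plus the Default profile template.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$expected = @(
    Get-ChildItem $profileList | ForEach-Object {
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        if ($path) { [Environment]::ExpandEnvironmentVariables($path).TrimEnd('\') }
    }
)
$default = (Get-ItemProperty $profileList).Default
if ($default) { $expected += [Environment]::ExpandEnvironmentVariables($default).TrimEnd('\') }

# 3. Every NTUSER.DAT on the system drive, including hidden and system files
#    (-Force), with its attributes and whether its folder is a known profile root.
#    Folders that cannot be read without elevation are skipped silently.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'NTUSER.DAT' -Recurse -Force -File `
        -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime, Attributes,
        @{ Name = 'InProfileRoot'; Expression = { $expected -contains $_.DirectoryName } } |
    Sort-Object InProfileRoot, FullName |
    Format-Table -AutoSize -Wrap
```

Rows with `InProfileRoot` set to `False` are the copies outside a registered profile folder; the `Attributes` column shows whether each file still carries Hidden, System or ReadOnly.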
     
Short URL to this thread: https://techguy.org/1084269