
Keylogger Activity


19 replies to this topic

#1 Guest_krishari_*

Guest_krishari_*

  • Guests

Posted 09 June 2010 - 01:03 AM

A few days back someone accessed my Gmail from China (Gmail notified me of this). I did a full system scan using ESET Smart Security 4, but nothing was found. Then I uninstalled it and installed Kaspersky Internet Security 2010 and did a full scan. It notified me that "behaviour similar to keylogger detected", but it did not remove it automatically and there is no option to remove it manually.
Here are the details:
Detection type: legal software that can be used by criminals for damaging your computer or personal data.
Name: PDM Keylogger
Action: Keylogger Activity.
Object: Kernel mode memory patch.

Now I have installed Avast Internet Security 5. I did a boot scan; no infections were found.
Both Kaspersky and Avast are blocking some network intrusions, at least 5 times a day (it shows some IP address).
I tried Malwarebytes. Nothing was found.
Today I found "csrss.exe" running in the background (found it in Task Manager and was not able to end the process). I googled it to find out what exactly it is. Some say it is a trojan, keylogger, etc.
I need help.
I consider this a threat to my security.

System info:
Windows 7 Ultimate.
Avast Internet Security 5.
Malwarebytes.

Here is the DDS log file:


DDS (Ver_10-03-17.01) - NTFSx86
Run by HARI KRISHNAN at 10:57:43.39 on 09-Jun-10
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2010.1327 [GMT 5.5:30]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\afwServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\HARI KRISHNAN\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.in/
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60111
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Crawler Search - tbr:iemenu
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\users\harikr~1\appdata\roaming\mozilla\firefox\profiles\mqcf44uk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.enabled - false
FF - component: c:\program files\crawler\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\firefox\components\xshared.dll
FF - component: c:\program files\crawler\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\firefox\components\xwsg.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}


============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2010-6-6 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2010-6-6 190416]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2010-6-6 99280]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-6-6 307280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-6 164048]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-3-23 95024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-6 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-6 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-6 40384]
R2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2010-6-6 119200]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-26 304464]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-6 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-6 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-26 20952]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-19 249888]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2010-5-15 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2010-5-15 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2010-5-15 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2010-5-15 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2010-5-15 98568]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-19 135664]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-3-12 583640]


============= FINISH: 10:58:20.22 ===============
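A small triage helper for the "Pseudo HJT Report" section of a DDS log like the one above. This is an added example, not part of the original post or of the DDS tool; it parses the BHO/TB/SEH/Handler line format the log uses and reports the entries a log reader checks first. The sample input is a constructed excerpt built from entries in the log above.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not part of the original post or of the DDS tool. It parses the
BHO / TB / SEH / Handler lines in the format the log above uses and reports
what a log reader checks first: registrations whose file is missing
("No File"), browser helper objects with no display name, and every other hook
the same DLL has registered, so one component's footprint is visible at once.
"""
import re

# "BHO: <name>: {<clsid>} - <path>"  (the name may be empty: "BHO: : {...} - ...")
# "TB: <name>: {<clsid>} - <path>"
# "SEH: <name>: {<clsid>} - <path>"  or  "SEH: {<clsid>} - No File"
_HOOK = re.compile(r"^(BHO|TB|SEH): (?:(.*?): )?\{([0-9a-f-]{36})\} - (.+)$", re.I)
# "Handler: <protocol> - {<clsid>} - <path>"
_HANDLER = re.compile(r"^Handler: (\S+) - \{([0-9a-f-]{36})\} - (.+)$", re.I)


def parse_hooks(text):
    """Return one dict {kind, name, clsid, path} per hook line, in log order."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HOOK.match(line)
        if m:
            hooks.append({"kind": m.group(1).upper(), "name": m.group(2) or "",
                          "clsid": m.group(3).lower(), "path": m.group(4).strip()})
            continue
        m = _HANDLER.match(line)
        if m:
            hooks.append({"kind": "HANDLER", "name": m.group(1),
                          "clsid": m.group(2).lower(), "path": m.group(3).strip()})
    return hooks


def triage(text):
    """Return findings as (clsid, reason, related) tuples.

    `related` lists "KIND:clsid" for every other hook backed by the same DLL as
    a flagged entry (empty for missing-file entries, which share no DLL).
    """
    hooks = parse_hooks(text)
    by_path = {}
    for h in hooks:
        by_path.setdefault(h["path"].lower(), []).append(h)
    findings = []
    for h in hooks:
        if h["path"].lower() == "no file":
            findings.append((h["clsid"], f"{h['kind']} registered but its file is missing", []))
        elif h["kind"] in ("BHO", "TB") and not h["name"]:
            related = sorted(f"{o['kind']}:{o['clsid']}"
                             for o in by_path[h["path"].lower()] if o is not h)
            findings.append((h["clsid"], f"{h['kind']} has no display name: {h['path']}", related))
    return findings


# Constructed excerpt in the DDS line format, using entries from the log above.
SAMPLE = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
"""

if __name__ == "__main__":
    for clsid, reason, related in triage(SAMPLE):
        print(f"{{{clsid}}}: {reason}; same DLL: {', '.join(related) or 'none'}")
```

Run against the excerpt it reports the unnamed Crawler BHO together with the toolbar and protocol handler that the same ctbr.dll registers, plus the orphaned SEH entry.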



#2 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 13 June 2010 - 08:14 AM

Hi,

Is your Kaspersky up to date? Read this at the Kaspersky forum.

How Can I Reduce My Risk to Malware?


#3 Guest_krishari_*

Guest_krishari_*

  • Guests

Posted 13 June 2010 - 12:44 PM

Kaspersky Internet Security 2010 was fully updated when I did the scan. As I mentioned above, I am using Avast Internet Security 5 now. I read the Kaspersky forum. But what is scaring me is the Gmail account hacking (someone accessed it from China). Can you guide me on this?

Edited by krishari, 13 June 2010 - 02:16 PM.


#4 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 13 June 2010 - 02:42 PM

QUOTE: gmail a/c hacking

I would change your Gmail login password. csrss.exe (in the Windows System32 directory) is a legitimate Windows process that can't be terminated.

Some guidelines for strong passwords:

# At least fifteen (15) characters in length.
# Does not contain your user name, real name, organization name, family members' names or names of your pets.
# Does not contain your birth date.
# Does not contain a complete dictionary word.
# Is significantly different from your previous password.

Should contain three (3) of the following character types:

* Lowercase alphabetical (a, b, c, etc.)
* Uppercase alphabetical (A, B, C, etc.)
* Numerics (0, 1, 2, etc.)
* Special characters (@, %, !, etc.)

How Can I Reduce My Risk to Malware?
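A checker that turns the password guidelines in the reply above into code. This is an added example, not part of the original post; the sample profile, the word list and the 0.6 similarity cut-off used for "significantly different" are constructed stand-ins, not values from the thread.

```python
"""Checker for the password guidelines in the reply above (added example).

Not part of the original post. Every guideline becomes one check so that the
reason for a rejection is reported. The dictionary, the personal details and
the 0.6 similarity cut-off for "significantly different" are constructed
stand-ins chosen for this example, not values from the thread.
"""
import difflib
import re
from datetime import date

# Common substitutions people use to disguise a word ("p@ssw0rd" -> "password").
_LEET = str.maketrans("@$0134!|57", "asoiaeiist")


def _fold(s):
    """Lowercase and keep only letters and digits, so 'John Smith' == 'johnsmith'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _char_classes(pw):
    """Count how many of the four character types the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def _date_forms(d):
    """Digit-only renderings of a birth date that a password might embed."""
    forms = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%y%m%d")
    return {d.strftime(f) for f in forms}


def check_password(pw, *, username="", personal=(), birth=None, dictionary=(),
                   previous="", min_len=15, max_similarity=0.6):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    plain = _fold(pw)                   # for digits (dates) and similarity
    leet = _fold(pw.translate(_LEET))   # for words hidden behind substitutions
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for term in (username, *personal):
        t = _fold(term)
        if t and (t in plain or t in leet):
            problems.append(f"contains personal detail '{term}'")
    if birth is not None and any(f in plain for f in _date_forms(birth)):
        problems.append("contains birth date")
    for word in dictionary:
        w = _fold(word)
        if w and (w in plain or w in leet):
            problems.append(f"contains dictionary word '{word}'")
    if previous:
        ratio = difflib.SequenceMatcher(None, _fold(previous), plain).ratio()
        if ratio > max_similarity:
            problems.append(f"too similar to previous password ({ratio:.0%} alike)")
    if _char_classes(pw) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, specials")
    return problems


# Constructed sample profile and word list (stand-ins for real data).
PROFILE = dict(username="jsmith", personal=("John Smith", "Rex", "Acme Corp"),
               birth=date(1985, 4, 12),
               dictionary=("password", "summer", "welcome", "letmein", "dragon"))

if __name__ == "__main__":
    for candidate, previous in (("Summer2010!", ""),
                                ("jsmith-Rex-19850412!!", ""),
                                ("Summer2011!!!!!", "Summer2010!"),
                                ("Q7v!mZp2#wLx9&Rt", "Summer2010!")):
        verdict = check_password(candidate, previous=previous, **PROFILE)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```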


#5 Guest_krishari_*

Guest_krishari_*

  • Guests

Posted 13 June 2010 - 03:50 PM

I am not concerned about the csrss.exe process.
I have changed my password.
What is bothering me is my email hack. How can a person hack an email password? How do they do it without installing malware/spyware on my PC?
All I want to know is: is my PC affected by malware/spyware? Have you analyzed my log? How can I confirm that my PC is safe from threats?

Edited by krishari, 13 June 2010 - 03:51 PM.


#6 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 13 June 2010 - 08:02 PM

E-mails can be hacked via malware on a computer. Your log looks OK as far as malware goes. Everything you scanned with came up clean other than the Kaspersky scan.
E-mails can also be hacked via social engineering or phishing. You can do a scan with Dr.Web:

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit icon to start the program.
* Press Start.
* Allow the program to run the initial express scan.
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop-up may appear during this phase suggesting you purchase their program; click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours.)
* During this complete scan, if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note: If the file cannot be cured, Dr.Web will automatically delete the file.
* Once the scan is complete, on the menu bar, click File and choose Report list.
* Save the report to your desktop. The report will be called DrWeb.csv.
* Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web CureIt.
* Please post the Dr.Web.txt report in your next reply.

How Can I Reduce My Risk to Malware?


#7 Guest_krishari_*

Guest_krishari_*

  • Guests

Posted 15 June 2010 - 02:31 AM

Do I need to install the Dr.Web software, or will it run without installing, just like DDS/GMER?

#8 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 15 June 2010 - 04:31 PM

After it's done downloading to your computer, double-click the icon on your desktop to start it.
If for some reason it doesn't work you can try another online scanner:

ESET online scanner:
(uses Internet Explorer only)

http://www.eset.com/onlinescan/

Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button. The scanner will update; this may take some time.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.

How Can I Reduce My Risk to Malware?


#9 Guest_krishari_*

Guest_krishari_*

  • Guests

Posted 16 June 2010 - 03:59 AM

Actually I was using ESET Smart Security 4 for 6 months. Nothing was found during scans. Only then did I uninstall it and install Kaspersky.

#10 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 16 June 2010 - 04:12 PM

ESET is usually the one I have people use. Since you had it installed at one time, try this one instead.

F-Secure scan:
http://support.f-secure.com/enu/home/ols.shtml

Uses Internet Explorer only.

Click on the "Start scanning" button near the bottom of the page.
Click to accept/install the ActiveX applet.
"Accept" the License Agreement, then click "Full system scan".
Once the download of files completes, the scan will begin automatically.
The scan may take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.



How Can I Reduce My Risk to Malware?


#11 Guest_krishari_*

Guest_krishari_*

  • Guests

Posted 19 June 2010 - 02:08 AM

Hi shelf life, I have tried many anti-virus and anti-malware programs (KIS 2010, ESET SS 4, Avast 5, Malwarebytes; all are updated). No infections were found. Also I scanned for rootkits using GMER, HJT and TDSSKiller. Nothing suspicious was found. All show that the PC is clean. But sometimes my PC behaves weirdly (for example: when I tried to log in to my computer admin user, it logged on as a new user. A new desktop opened and my settings were gone; then I restarted my PC and logged in to my user account normally. My old settings were there and the new desktop was gone. This happened to my other user account also). So these kinds of activities are found on my PC.
All I want to know is, why is this happening?
Please help me get rid of this.

Edited by krishari, 19 June 2010 - 03:56 AM.


#12 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 20 June 2010 - 09:41 AM

Well, it appears you must be clean based on all the tools. As for the account problems: was it a one-time happening, or has it happened more than once?

How Can I Reduce My Risk to Malware?


#13 Guest_krishari_*

Guest_krishari_*

  • Guests

Posted 20 June 2010 - 02:01 PM

It has happened 4 times for me.
If I restart my PC and log on to the account, it opens normally.

#14 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 20 June 2010 - 03:33 PM

The only thing I can think of is that your user account is corrupted. See if these links make any sense; if not, then don't do what they suggest.

http://articles.techrepublic.com.com/5100-...11-5035219.html
http://support.microsoft.com/?kbid=318011

How Can I Reduce My Risk to Malware?


#15 Guest_krishari_*

Guest_krishari_*

  • Guests

Posted 21 June 2010 - 03:54 AM

In my case it doesn't show any error message, and if I restart the computer and log on to my user account it loads normally with my settings.
