"PDM.keylogger"


9 replies to this topic

#1 pleurebleu
  • Members
  • 54 posts
  • Location:On the move

Posted 21 June 2010 - 01:51 PM

Hello everyone,

About a month ago I found my email box filled with delivery status notification (failure) messages and so I concluded that somehow I was infected and that my machine was being used as a bot to send commercial e-mails.
Here's an extract:
Dear friend
Competitive prices, honest service and enjoy Paradise shopping,
The website is: www. zhchga. com


I changed my password right away and ran a complete virus scan but nothing was detected.

Since then I noticed that whenever I launched certain applications (games, in particular one called "League of Legends" and "StarCraft 2") I get a warning from Kaspersky telling me the behavior of the process is similar to that of "PDM.keylogger".

I did not pay any attention to it; since it was only a warning, I figured it was not a problem.

But now here I am finding my email box flooded with these same emails proving to me that someone/something is using my machine again to send out spam and it ticks me off.

I once again changed my password, and I would really appreciate if anybody could help me to figure out what is happening on my machine.

I'd appreciate any help from anybody! Thanks much!


#2 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,994 posts
  • Location:Bloomington, IN

Posted 21 June 2010 - 02:06 PM

Hello,

Let's see what we can find. Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

In your reply, please include the MBAM log and an update on how your computer is behaving.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 pleurebleu
  • Topic Starter
  • Members
  • 54 posts
  • Location:On the move

Posted 21 June 2010 - 05:03 PM

Hello, thanks for helping out. After the quick scan nothing was detected and a log was automatically generated without me having to:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.

Here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4222

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/21/2010 6:00:42 PM
mbam-log-2010-06-21 (18-00-42).txt

Scan type: Quick scan
Objects scanned: 133486
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 pleurebleu
  • Topic Starter
  • Members
  • 54 posts
  • Location:On the move

Posted 21 June 2010 - 07:32 PM

Since the quick scan got nothing I went ahead and did a full scan, here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4222

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/21/2010 8:26:41 PM
mbam-log-2010-06-21 (20-26-41).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 388860
Time elapsed: 1 hour(s), 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e68} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6a} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6b} (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\DivX\DivX Converter\AKGZIK.ddc (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files (x86)\DivX\DivX Plus DirectShow Filters\daac.ax (Trojan.Dropper) -> Quarantined and deleted successfully.


It did ask me to reboot but upon rebooting nothing special happened, it just started as usual.

#5 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,994 posts
  • Location:Bloomington, IN

Posted 21 June 2010 - 10:32 PM

Hello,

Nothing found there that would relate to your e-mail spamming issue. I'm going to have you run a couple of other things here. If we rule out malware causes, I'll provide other information that should take care of the problem. I know from personal experience that spam e-mail can be sent in your name even if you don't own a computer. We'll address that later.

For now,

Please download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


Once you have done that, please download SUPERAntiSpyware, Free Home Version using your regular user account. Save to the desktop.

DO NOT run yet.

Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.
Please use ONLY this method of getting into Safe Mode.

Scan with SUPER

Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Orange Blossom :thumbsup:

#6 pleurebleu
  • Topic Starter
  • Members
  • 54 posts
  • Location:On the move

Posted 22 June 2010 - 07:32 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/22/2010 at 08:24 AM

Application Version : 4.39.1002

Core Rules Database Version : 5102
Trace Rules Database Version: 2914

Scan type : Complete Scan
Total Scan Time : 00:13:38

Memory items scanned : 300
Memory threats detected : 0
Registry items scanned : 16760
Registry threats detected : 0
File items scanned : 39555
File threats detected : 119

Adware.Tracking Cookie
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@serving-sys[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@advertising[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[9].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@yieldmanager[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@doubleclick[3].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@bs.serving-sys[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@ads.bridgetrack[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@apmebf[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@mediaplex[3].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[11].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[5].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[8].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[7].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[6].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[10].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[3].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@atdmt[4].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@doubleclick[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\jeff@mediaplex[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@statcounter[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@atdmt[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@apmebf[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@ad.yieldmanager[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@content.yieldmanager[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@ads.ad4game[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@cgm.adbureau[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@247realmedia[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@ad.wsod[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@atdmt[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@doubleclick[1].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@imrworldwide[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@mediaplex[2].txt
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\Low\jeff@msnportal.112.2o7[1].txt
.serving-sys.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.bs.serving-sys.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.collective-media.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.collective-media.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.doubleclick.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.apmebf.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.mediaplex.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.fastclick.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.fastclick.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.fastclick.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.fastclick.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.game-advertising-online.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.atdmt.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.atdmt.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.atdmt.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.atdmt.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
www.googleadservices.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.adserver.adtechus.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.tacoda.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.tacoda.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.tacoda.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.tacoda.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.doubleclick.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.advertising.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.adserver.adtechus.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.advertising.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.advertising.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.advertising.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.advertising.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.advertising.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.at.atwola.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.at.atwola.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.revsci.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.revsci.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.msnaccountservices.112.2o7.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.msnportal.112.2o7.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.adbrite.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.adbrite.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.adbrite.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.weborama.fr [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.boursoramabanque.solution.weborama.fr [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.boursoramabanque.solution.weborama.fr [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.boursoramabanque.solution.weborama.fr [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.boursoramabanque.solution.weborama.fr [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.revsci.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.revsci.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.revsci.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.revsci.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.mediaplex.com [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.2o7.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]
.2o7.net [ C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\9qfkarwt.default\cookies.sqlite ]

#7 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,994 posts
  • Location:Bloomington, IN

Posted 22 June 2010 - 08:09 PM

Hello,

SAS found a bunch of tracking cookies, which are not a threat but may be a privacy concern. I'll outline some things to do to prevent those from installing later. Thus far, nothing has been found on the computer that would cause your computer to send spam e-mail.

There is one other thing I'm going to have you run, but first some questions.

Have you noticed a drop in your internet speeds? Have you noticed data transmission occurring that you did not cause or that was not caused by auto-updating of the OS or security products?

Are there other issues that you have been experiencing with the computer?

Orange Blossom :thumbsup:
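A host-side way to answer the question about unexplained data transmission, added here as an example and not part of the thread: on Windows, `netstat -ano` lists every connection with the PID that owns it, and `tasklist` maps PIDs to executables (`netstat -bno` from an elevated prompt does both at once). A spam bot on the PC typically shows up as a process that is not a mail client holding several outbound connections to port 25 (or 465/587). The Python below parses a constructed `netstat -ano` snapshot and a constructed PID-to-name table; the PIDs, process names and addresses are made up for the example.

```python
"""Flag processes with outbound SMTP connections in a `netstat -ano` snapshot.

Added example, not from the thread. The netstat text and the PID table are
constructed; on a real machine run `netstat -ano` and `tasklist` from a
command prompt while the traffic spike is happening.
"""
from collections import Counter

# Ports a mail sender talks to: SMTP, SMTPS and submission.
MAIL_PORTS = {25, 465, 587}

# Constructed `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49321      198.51.100.20:443      ESTABLISHED     1234
  TCP    192.168.1.5:49400      203.0.113.9:25         ESTABLISHED     2288
  TCP    192.168.1.5:49401      203.0.113.10:25        SYN_SENT        2288
  TCP    [2001:db8:1::5]:49402  [2001:db8::25]:25      ESTABLISHED     2288
  TCP    192.168.1.5:49500      198.51.100.30:587      ESTABLISHED     3120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# Constructed PID -> image name table, as `tasklist` would report it.
SAMPLE_TASKLIST = {
    1234: "firefox.exe",
    2288: "svchost.exe",
    3120: "thunderbird.exe",
    700: "svchost.exe",
    1104: "svchost.exe",
}

# Processes that are expected to speak SMTP; anything else doing so is suspect.
KNOWN_MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}


def parse_netstat(text):
    """Yield (remote_host, remote_port, state, pid) for each TCP line.

    UDP lines have no State column and are skipped; SMTP is TCP only.
    The remote address is split on the last ':' so bracketed IPv6 works.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, _local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if port.isdigit():
            yield host.strip("[]"), int(port), state, int(pid)


def smtp_connections(text):
    """Count connections to mail ports per PID (established or still connecting)."""
    counts = Counter()
    for _host, port, _state, pid in parse_netstat(text):
        if port in MAIL_PORTS:
            counts[pid] += 1
    return dict(counts)


def suspicious_senders(text, pid_names, known_clients=KNOWN_MAIL_CLIENTS):
    """Return {pid: (image_name, connection_count)} for processes talking SMTP
    that are not a known mail client. A real client is filtered out; a bot
    living in a service host, a game, or a random executable is kept."""
    result = {}
    for pid, n in smtp_connections(text).items():
        name = pid_names.get(pid, "<unknown>")
        if name.lower() not in known_clients:
            result[pid] = (name, n)
    return result


if __name__ == "__main__":
    for pid, (name, n) in suspicious_senders(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"PID {pid} ({name}) has {n} outbound SMTP connection(s)")
```

Run it against a snapshot taken during one of the spikes the Network Meter shows. A bot that sends through webmail over HTTPS, or that injects into a genuine mail client, will not show up this way, so an empty result is not proof of a clean machine; a non-mail process with a pile of port-25 connections, on the other hand, is exactly what a spam bot looks like.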

#8 pleurebleu
  • Topic Starter
  • Members
  • 54 posts
  • Location:On the move

Posted 22 June 2010 - 08:46 PM

I have the "gadget" Network Meter installed on my desktop and it doesn't show any abnormal activities. Just a few spikes here and there when I'm idling but I assume that is normal.

I am not in the habit of turning off my machine and sometimes it turns itself off, always while I am running a heavily CPU-bound application such as, let's say, a game. I assumed it was due to overheating and opened it up to clean off the dust and found my heat sink very dusty. Since I cleaned up the machine it has not turned off, even though I can't tell if that was really the problem because it is a rare event and only time will tell. But when I turn ON the computer, half the time it fails to boot: either the screen stays black and nothing happens, or the tower restarts itself for no reason, and Windows gives me the "your computer has failed to boot several times" message.

Except for that, everything is flawless.

By the way, I did not get how TFC was able to remove over 600 MB of temp files when I myself empty the temp file folder periodically and it never reaches even 100 MB. Are there hidden temp files?

#9 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,994 posts
  • Location:Bloomington, IN

Posted 23 June 2010 - 09:29 PM

Hello,

Are you able to tell what is sending or receiving data when those spikes occur? If so, that information would be very helpful.

At this point, I suspect that your e-mail address has been compromised. This can be done in a couple of ways. One, you posted your e-mail address on a website and it got harvested by a spambot. Spam is then sent making it look as though it were sent by you when it wasn't. The other possibility is that someone who has your e-mail address got infected and your e-mail address was taken from that person's address book. Again, e-mail would be sent making it look as though it were from you when in fact it was not.

This is how spam can be sent in your name even though you don't have a computer or even if your computer isn't infected. That happened to me. The only way to stop that is to either change your e-mail address or contact your e-mail provider and request a change in user name because your account has been compromised.

As for the tracking cookies: tracking cookies are not a threat, but there are privacy concerns. Tracking cookies are a kind of third-party cookie, and most are completely unnecessary. You can read more about the kinds of cookies and how to block unwanted cookies in IE in this post: http://www.bleepingcomputer.com/forums/ind...st&p=702871

The links he provides will tell you how to block third party cookies in IE.

You can set up Firefox to block unwanted and unneeded cookies this way:

Click on Tools --> Options --> Privacy

Make sure there is a check mark by "Accept Cookies from Sites." Then in the box just below, make sure the window says "Ask me every time."

What this will do is that every time a site wants to put a cookie on your computer, a little window will pop up asking you if you want to accept it. The first time it shows up, click on "Show details". From then on, except when you reinstall Firefox or in some instances update it, the details will always be shown. There you can see who wants to put it on your computer and whether it is a session cookie or a permanent cookie.

You can add the site to your black list or white list by putting a check mark by "Use my choice for all cookies from this site" and clicking on Deny, which adds it to the black list, or Allow for Session or Allow. The latter choice means that any permanent cookies will stay on your computer until they expire or you delete them. The former choice means that the cookies will always go away when you close your browser. Either way, the sites will be added to the white list.

You can see what cookies are installed by clicking on the Show Cookies button on the privacy screen where you set the cookie options. When you click on Exceptions you will see the list of sites blocked from or permitted to set cookies. You can manually add sites to the block or allow list here, and you can also remove sites from the list.

Some suggestions:

Install SpywareBlaster. It blocks a lot of cookies and other spyware from getting on your computer in the first place. It does not run actively, so it won't reduce computer performance at all. Update it once a week and make sure you enable all protection.

  • SpywareBlaster - prevents spyware from being installed on your PC. - Tutorial: Using SpywareBlaster

Macromedia Flash stores cookies and content on your computer, but the settings to control that are NOT on the computer. To control what gets stored or not stored, and to remove what IS stored, you need to go here: http://www.macromedia.com/support/document..._manager07.html

Overview of the various aspects is here: http://www.macromedia.com/support/document...gs_manager.html

I see that you use Firefox, so I would suggest installing the NoScript extension. You can read about it here: http://noscript.net/

Orange Blossom :thumbsup:
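The post above lays out three very different root causes that all produce the same flood of bounces: a bot on the PC, a compromised mail account, or a forged From: address on mail that never touched the user's machine. The bounces themselves usually tell which it is, because a delivery status notification embeds the rejected message (or at least its headers), and the bottom-most Received: header names the host that first injected it. The Python below, added here as an example and not part of the thread, parses a constructed bounce and compares that first hop against a constructed "my public IP" and "my provider's servers" range; every address, hostname and the sample message are made up, and the three verdict labels are this example's own.

```python
"""Triage a delivery-failure bounce: did the spam really leave my PC?

Added example, not from the thread. Received: headers are prepended by each
hop, so the bottom-most one is the host that injected the message. Compare
it with (a) my own public IP and (b) my provider's submission servers to
separate three root causes that all look identical from the inbox.
All addresses, hostnames and the sample bounce are constructed.
"""
import email
import ipaddress
import re
from email import policy

# Constructed facts about "my" setup.
MY_IPS = ["198.51.100.5"]          # my public IP at the time of the bounces
PROVIDER_NETS = ["192.0.2.0/24"]   # my provider's outbound/submission servers

# Constructed DSN: multipart/report whose third part is the original message.
# 203.0.113.0/24 plays the recipient's side (their MX and the injecting host).
SAMPLE_DSN = """\
From: Mail Delivery Subsystem <mailer-daemon@example.net>
To: jeff@example.org
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Delivery to the following recipient failed permanently.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [203.0.113.10])
        by mail.example.net with ESMTP id abc123
Received: from [203.0.113.200] (unknown [203.0.113.200])
        by mx.example.net with SMTP id xyz789
From: jeff@example.org
To: nobody@example.net
Subject: Competitive prices, honest service

Dear friend ...
--B1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def original_message(dsn_text):
    """Return the bounced message embedded in a DSN, or None if it carries none."""
    dsn = email.message_from_string(dsn_text, policy=policy.default)
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)          # the attached original message
        if ctype == "text/rfc822-headers":      # some MTAs attach only the headers
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def first_hop_ip(msg):
    """IP that injected the message: the bottom-most Received: header.

    Only Received: lines written by servers you trust (the bouncing MTA and
    your provider) are reliable; a spammer can forge anything below them.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_RE.search(str(received[-1]))
    return m.group(1) if m else None


def classify(origin_ip, my_ips=MY_IPS, provider_nets=PROVIDER_NETS):
    """Map the injecting host to one of three root causes (labels are this example's)."""
    if origin_ip is None:
        return "unknown"
    ip = ipaddress.ip_address(origin_ip)
    if ip in {ipaddress.ip_address(a) for a in my_ips}:
        return "my-host"          # mail left my connection: hunt for a bot on the PC
    if any(ip in ipaddress.ip_network(n) for n in provider_nets):
        return "my-account"       # relayed by my provider: account/password compromised
    return "forged-sender"        # neither: From: was spoofed, my machine is not involved


def triage(dsn_text, my_ips=MY_IPS, provider_nets=PROVIDER_NETS):
    msg = original_message(dsn_text)
    if msg is None:
        return None, "unknown"
    ip = first_hop_ip(msg)
    return ip, classify(ip, my_ips, provider_nets)


if __name__ == "__main__":
    ip, verdict = triage(SAMPLE_DSN)
    print(f"first hop {ip}: {verdict}")
```

Read the Received: chain from the bouncing MTA downwards and stop at the first hop it vouches for; everything the spammer wrote beneath that can be forged. If the verdict is forged-sender, no scanner will find anything on the PC because nothing is there, and the advice above (change the address or talk to the provider) is the whole fix. If it is my-account, the password change already done is the right move, plus a look for forwarding rules or filters added to the account. Only my-host points back at the machine.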

#10 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,430 posts
  • Location:NJ USA

Posted 23 June 2010 - 10:16 PM

Hello, let me interject for a moment.

certain applications (games, in particular one called "League of Legends" and "StarCraft 2") I get a warning from Kaspersky telling me the behavior of the process is similar to that of "PDM.keylogger"

Keyloggers may send your personal information (logins, passwords, credit card numbers) you enter using your keyboard to a cyber criminal. However, similar actions can be performed not only by malicious programs, but also by some other non-malicious applications installed on your computer. Very often these actions are performed by means of hotkeys to access some functions of an application installed on your computer.

The process kernel mode memory patch (PID: 0) is not malicious. You can add this process to the exclusions list by clicking Add to exclusions.

Kaspersky: go here to do so.

http://support.kaspersky.com/kis2010/proactive?qid=208281028


Are you using a router? Resetting it here may help.



