[Guide] About keyloggers

06/07/2010 17:44 ero-Z#1
Hi, I have received a lot of private messages about 'basic tips' for removing a keylogger, so I'll try to explain it shortly...

What is a keylogger?

A keylogger is a program that looks for passwords/accounts on your computer and also records the pressed keys!, then the keylogger sends the information to its owner.

Symptoms

A slow keyboard
Internet speed slow
Processes generally slow down

What should I do?

If you're infected, the first thing you should do is stop the process: search for a strange process launched by your user (maybe a "svechost.exe" or "bluewind.exe" process); you can use [link] to find out where the process was launched from.

Then you should delete it, (maybe in "YourHomeDrive\Windows\System32").

Also check the Run key in Windows startup! "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" (in your "regedit.exe"); this is an example: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Keylogger"

And check this dir (at Vista/Win7) -> "C:\Users\<YourUsername>\AppData\Local\Temp"

"[link]" is a free tool that will erase all your temporary trash.

And, of course, a good scan! You should close your internet connection while you are scanning your computer! Also use an anti-spyware or anti-keylogging program. [link] works well.

To prevent:

ATM, don't download anything new.

More information -> Here

That's all, I hope that these 'easy tips' will help you. Any question/something to add, feel free to comment.

Greetings.

Thanks to Honeysweet, FichteFoll, _Alastor_, Teiva, Forfirith for the additions.
@FichteFoll, nice! I'm from the old-school way xD


Add by FichteFoll:

You should try the [link]. Download, unpack and start the [link].
There you can enable all suspected programs (use the "Logon" tab).
Or just run msconfig.exe and go to "Systemstart" (<- Dunno how Windows translates it to English).

Many keyloggers/trojans try to imitate svchost themselves.
To give you some orientation:

[link]

What I've marked:
1. This is usually started with windows.
2. This is extra-information on which you can identify the serviceHost. As I highlighted, this is a SERVICE-process from windows. So it has to be found inside the services.exe.
3. For more information you can look at the "Company Name" tab or the "Path" (you can enable them manually). It's self-explanatory I think.
4. These 2 (and the explorer.exe) are also started from windows... and actually the last in the list (sort).
Any process AFTER them with a name like "csrrss.exe", "svchost.exe" or another version is obviously malware!

There also shouldn't be a "svchost.exe" here:

[link]

Look at the tooltip for this example. This is the sidebar in Windows 7, but otherwise there shouldn't be stuff from Windows here, because it's launched from somewhere else.

If you can't kill them or delete them from autostart (it also starts again after you've deleted it), run Windows in "safe mode" and delete the file itself, after checking its path.

Add by Forfirith

What is csrss.exe?

A Microsoft Windows file stored in the c:\windows\system32 or c:\winnt\system32 directory that has the file description: "Client Server Runtime process." This file

Is this file a spyware, trojan, or virus?

The csrss.exe file included with Microsoft Windows is not spyware, a trojan, or a virus. However, like any file on your computer it can become corrupted by a virus, worm, or trojan. Antivirus programs can detect and clean this file if it has become infected. Because this file is part of Microsoft Windows, users should never delete or remove this file if they think it is infected; let the antivirus program handle it.

Is it safe to remove csrss.exe from the Task Manager processes?

No. The csrss.exe is a critical system process that cannot be removed from the Task Manager without causing issues with Windows. When attempting to End Process the csrss.exe you will receive the Unable to Terminate Process window with the error "This is a critical system process. Task Manager cannot end this process." It is normal to receive this error.

The csrss.exe file is using 99%, 100%, or other high abnormal percentage of CPU.

This issue is caused when your Microsoft Windows profile is corrupt. To resolve this issue requires that you delete and recreate the profile. To do this follow the below steps.

1. Back up all the files in My Documents as they will be lost. It's also recommended you back up any other important files you may be concerned about losing.
2. Log out of the account that is causing the problem and into a different account. If you do not have another account you can create a new account through the User Accounts icon in the Control Panel.
3. Once in the other account, right-click the My Computer icon and click Properties.
4. In the Properties window click the Advanced tab.
5. In Advanced click the Settings button under User Profiles.
6. Finally, in the User Profiles window highlight the name of the profile that is encountering this issue and click the Delete button.
7. Once the profile has been deleted you can recreate it if you wish to use the same profile name.
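The manual checks from the guide above (Run keys in the registry, the process list with image paths, and the user's Temp folder) can be collected in one read-only PowerShell script. This is an added example, not code from the original post or from any of the tools it links to; it assumes PowerShell 3.0 or newer for Get-CimInstance (on PowerShell 2.0 replace it with Get-WmiObject Win32_Process) and an elevated prompt so that service image paths are readable. The list of process names it watches and the "Verdict" labels are the example's own choices: a row marked for review is a candidate to look at with the tools from the post, not a confirmed infection.

```powershell
# Added example (not from the original post): read-only triage for the checks
# described in the guide. Nothing here kills a process or deletes a file.
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.

# --- 1. Autostart entries in the Run keys (HKLM, its 32-bit view, and HKCU) ---
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [PSCustomObject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

# --- 2. Running processes with image path and company name from the file's version info ---
# Windows process names that normally run only from System32
# (explorer.exe runs from the Windows folder itself). Watch list is the example's own.
$system32   = Join-Path $env:SystemRoot 'System32'
$watchNames = @('svchost.exe', 'csrss.exe', 'services.exe', 'lsass.exe',
                'winlogon.exe', 'explorer.exe')

function Get-ProcessReview {
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $path    = $_.ExecutablePath
        $company = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        }
        $expected = if ($_.Name -ieq 'explorer.exe') { $env:SystemRoot } else { $system32 }
        $verdict  = 'ok'
        if ($watchNames -contains $_.Name) {
            if (-not $path) {
                # Protected system processes may not expose a path; check by hand.
                $verdict = 'check path manually'
            } elseif (-not $path.StartsWith($expected, [System.StringComparison]::OrdinalIgnoreCase)) {
                # A Windows-named process outside its normal folder is the pattern
                # the guide describes (for example a fake svchost.exe in Temp).
                $verdict = 'REVIEW: unexpected location'
            }
        }
        [PSCustomObject]@{
            PID     = $_.ProcessId
            Name    = $_.Name
            Path    = $path
            Company = $company
            Verdict = $verdict
        }
    }
}

# --- 3. Executables recently written to the user's Temp folder ---
function Get-RecentTempExecutables {
    Get-ChildItem -Path $env:TEMP -Recurse -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 20 FullName, LastWriteTime, Length
}

"== Run key entries =="
Get-RunKeyEntries | Format-Table -AutoSize
"== Processes (REVIEW rows first) =="
Get-ProcessReview | Sort-Object Verdict -Descending | Format-Table -AutoSize
"== Recent executables in $env:TEMP =="
Get-RecentTempExecutables | Format-Table -AutoSize
```

The output is meant to be read alongside the process viewer from the post: compare the Path and Company columns of any REVIEW row, and cross-check a suspicious Run key Command against the file it points to before deleting anything, since a legitimate program can also live in an unusual folder.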
06/07/2010 17:45 -I.Paradise-#2
Nice job =D
You got my thanks !

#Vote4Sticky
06/07/2010 17:46 kerochan26#3
Thanks, ero-Z I need it u.u
06/07/2010 17:48 [B]urning[S]tar#4
Thanks and tnaks again for helping me already
06/07/2010 17:48 s0n1k#5
See, it's normal to get your account stolen for being too trusting; now what's going to happen is that nobody trusts anybody. I, at least, don't trust anyone anymore.
06/07/2010 17:49 ero-Z#6
Quote:
Originally Posted by s0n1k View Post
See, it's normal to get your account stolen for being too trusting; now what's going to happen is that nobody trusts anybody. I, at least, don't trust anyone anymore.
I assure you it won't happen to you again; there's nothing like reaping your own harvest.
06/07/2010 17:50 Riotblade#7
nice guide you got my thanks
06/07/2010 17:55 [B]urning[S]tar#8
I deleted the things in "HKEY_LOCAL_MACHINE" you said and now my internet is faster than before!

I think it should be stickied as a warning @ all users
06/07/2010 17:58 [NoctisNexilis]#9
Nice Thread!
#Vote 4 Sticky dude
06/07/2010 18:04 themaster95#10
gj, thanks
06/07/2010 18:08 AliYOrulmaz#11
Unnecessary.
Wrong section....
06/07/2010 18:13 kerochan26#12
Quote:
Originally Posted by Honeysweet View Post
And check this dir(at Vista/Win7) -> C:\Users\<YourUsername>\AppData\Local\Temp ;).
Thanks, I detected 1 thing... a file appears, disappears O_O; the name of the file is xxx.xXx O_O
06/07/2010 18:19 -I.Paradise-#13
Quote:
Originally Posted by AliYOrulmaz View Post
Unnecessary.
Wrong section....
It isn't a question, so why "wrong section"?
06/07/2010 18:21 ero-Z#14
Quote:
Originally Posted by AliYOrulmaz View Post
Unnecessary.
Wrong section....
It's not a question, it's a guide 'how to help with a problem in this forum', so I think that I am in the correct section.

Quote:
Originally Posted by _Alastor_ View Post
You fail to realize that I do NOT speak german.
I just love this^
06/07/2010 18:25 AliYOrulmaz#15
I don't know if you can read, but it says here ---> S4 League Hacks, Bots, Cheats & Exploits

Actually only hacks etc. should go in here .. ^^