[Guide] About keyloggers

FichteFoll · 06/10/2010, 17:32

Quote:

Originally Posted by ero-Z

Anyways you can run an executable with SYSTEM user, so you have to follow these steps to know if it is a real service by SYSTEM.

Of course all these "tricks" will only work with "bad" malware. Real hackers use other methods to get on your system or get your passwords.

Avoiding easy ones is also easy by using an alternative firewall, which blocks EVERY connection until you allow it.

Beathoven · 06/10/2010, 20:21

Very nice Tut about **** keyloggers but i think you should add something:

If your PC is hopless infected so that you can't delete the keylogger (or another Virus) you should use a RecoveryDisc that you got with your PC.

This Disc will reset your System to the point as you started your PC the first time.

If you don't have such a RecoveryDisc you have the Recovery option in your PC.Just press the F8 Key at the beginning of the start of your PC and then press Repair Computer.

I think CCleaner won't help a lot in such a situation...also AntiVir isn't that good.

If you have questions you can ask me about this i wrote here.

I also speak german

ero-Z · 06/10/2010, 20:33

Quote:

Originally Posted by Beathoven

Very nice Tut about **** keyloggers but i think you should add something

But, FichteFoll say the same in another words anyways when I have time I'll add it (about recovery disk)

Teiva · 06/10/2010, 20:51

Quote:

Originally Posted by ero-Z

Bueno, si tienes razon, no habia leido tu post, de todas maneras el programa me lo paso _Alastor_ pero os dare thanks a los dos

No hay de que bro!. No era necesario igual que me dejaras thanks

.

Un abrazo muy buen aporte!.

Beathoven · 06/10/2010, 20:59

I forgot something and its the most important thing you have to do if your PC is infected:

Stay calm.The worst thing you can do if your PC is infected is when you delete things.You will destroy your PC much more as the Virus so stay calm and search for help (for example here).

~~*-Gianna-*~~ · 06/11/2010, 15:33

Nicht Bandwurm niemand xD s0n1k gebe ich alle auf

Steevie · 06/11/2010, 21:50

Sehr schöne Guide aber die Bilder von FichteFoll sind zu klein :/
Hast aber ein Thanks verdient^^

C4RB0N701 · 06/11/2010, 22:20

Quote:

Originally Posted by ero-Z

Any process AFTER them with a name like "csrrss.exe", "svchost.exe" or another version is obviously malware!

There also shouldn't be a "svchost.exe" here:

Look at the Tooltip for this example. This is the sidebar in Windows 7, but otherwise there shouldn't be stuff from Windows here, cuz it's lauchned from somewhere else.

If you can't kill them or delete them from autostart (it also starts after you've deleted it), run Windows in "save mode" and delete the file itself, after checking the its path.

I searched on the search function of my laptop (Vista) csrrss.exe and svchost.exe and i found svchost.exe. I am german, so i didn´t unterstand you good. Should I delete it, but if I scan it with my AVG anti vir , AGV says that there isn´t a problem...

Edit: I also find a program that´s called csrss.exe. If I search it, i´ld find it and if I start the task manager the process csrss.exe is running.
Is that bad?
Sorry for my bad english.

Forfirith · 06/11/2010, 23:42

Quote:

Originally Posted by C4RB0N701

I searched on the search function of my laptop (Vista) csrrss.exe and svchost.exe and i found svchost.exe. I am german, so i didn´t unterstand you good. Should I delete it, but if I scan it with my AVG anti vir , AGV says that there isn´t a problem...

Edit: I also find a program that´s called csrss.exe. If I search it, i´ld find it and if I start the task manager the process csrss.exe is running.
Is that bad?
Sorry for my bad english.

If you do a full extensive Antivirus search, and it comes Clean, it prolly means it's clean.
And only suspect svchost.exe if the description comes wrong, pex.: Bluewind/yupolo/etcetc.
And csrss.exe is USUALLY a SYSTEM file, very important to your OS, so DON'T remove if it's located in the C:\Windows\System32.
If its somewhere else like C:\Windows\ then its prolly a keylogger/trojan/virus/etc trying to imitate a known process name.
As I said, run your AV.

Quote:

What is csrss.exe?

A Microsoft Windows file stored in the c:\windows\system32 or c:\winnt\system32 directory that has the file description: "Client Server Runtime process." This file

Is this file a spyware, trojan, or virus?

The csrss.exe file included with Microsoft Windows is not spyware, a trojan, or a virus. However, like any file on your computer it can become corrupted by a virus, worm, or trojan. antivirus programs can detect and clean this file if it has become infected. Because this file is part of Microsoft Windows users should never delete or remove this file if they think it is infected, let the antivirus program handle it.

Is it safe to remove csrss.exe from the Task Manager processes?

No. The csrss.exe is a critical system process that cannot be removed from the Task Manager without causing issues with Windows. When attempting to End Process the csrss.exe you will receive the Unable to Terminate Process window with the error "This is a critical system process. Task Manager cannot end this process." It is normal to receive this error.

The csrss.exe file is using 99%, 100%, or other high abnormal percentage of CPU.

This issue is caused when your Microsoft Windows profile is corrupt. To resolve this issue requires that you delete and recreate the profile. To do this follow the below steps.

Backup all the files in My Documents as they will be lost. It's also recommended you backup any other important files you may be concerned about loosing.
Log out of the account that is causing the problem and into a different account. If you do not have another account you can create a new account through the User Accounts icon in the Control Panel.
Once in the other account right-click My Computer icon and click Properties.
In the Properties window click the Advanced tab.
In Advanced click the Settings button under User Profiles.
Finally, in the User Profiles window highlight the name of the profile that is encountering this issue and click the Delete button.
Once the profile has been deleted you can recreate it if you wish to use the same profile name.

FichteFoll · 06/12/2010, 13:16

Quote:

Originally Posted by Steevie

Sehr schöne Guide aber die Bilder von FichteFoll sind zu klein :/
Hast aber ein Thanks verdient^^

#edited

Thumbnails haben nicht richtig funktioniert.

Furialatina · 06/13/2010, 20:43

hEY Zero cuando encuentro el keylogger que le hago le cambio el valor o lo elimino ??? a ps te tengo en el msn y veo que me tienes bloqueado soy de youtube Apariencia123 mi nombre en s4 es Furialatina

ero-Z · 06/13/2010, 22:37

Quote:

Originally Posted by Furialatina

hEY Zero cuando encuentro el keylogger que le hago le cambio el valor o lo elimino ??? a ps te tengo en el msn y veo que me tienes bloqueado soy de youtube Apariencia123 mi nombre en s4 es Furialatina

No creo que te tenga bloqueado, bueno da igual, lo eliminas, todo esta escrito en la primera página del topic.

omr159 · 06/14/2010, 06:32

Thanks

~~[Jamal]~~ · 06/15/2010, 16:53

das sieht gut aus aber omg

~~freehuntx~~ · 08/07/2010, 00:38

"A keylogger is a program that looks for in your computer passwords/accounts, also register the pressed keys!, then the keylogger send the information to his owner."

No.

"A keylogger is a program that register all Pressed keys into an Lofile.txt on ur pc.
Then The Keylogger send this Logfile at an Ftp/E-Mail Account."

Btw. An Password Stealer, is a Completly other thing than Keylogger.
An Password Stealer Looks for Accountnames and Passwords saved on the Pc/Browser/Programms not an keylogger

hope u will fix it

Edit: Nice ur Thread was Sticked in S4-League Section, an my was first sticked than removed cuz it is in false section....
Fairness is so good.

btw. an Keylogger will inject into processes like explorer.exe, so it dont need to register in registry...

but in the msconfig...