Probable Keylogger Issue. Have log...

Post by Masher » September 13th, 2010, 9:51 pm

For a while I have suspected that my PC has a trojan or keylogger and yesterday one of my gaming accounts was compromised. Here is my log, any help will be greatly appreciated. Thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:54 PM, on 9/13/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIEJA.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Rafy\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Users\Rafy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Rafy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rafy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [EPSON NX300 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEJA.EXE /FU "C:\Windows\TEMP\E_SC2E2.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Rafy\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O13 - Gopher Prefix:
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwar ... /CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 8065 bytes
Masher
Active Member
 
Posts: 6
Joined: September 13th, 2010, 9:25 pm
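A triage script for log lines in the HijackThis format shown above, added here as an editorial example (it is not code from MalwareRemoval.com, the HijackThis project or the poster). It assumes a small reviewer allowlist of expected start-page hosts, and its sample input is a selection of lines excerpted from the log above.

```python
"""Triage helper for HijackThis 2.0.x log lines (added example, not code from
MalwareRemoval.com or the HijackThis project). It parses the R0/R1, O2/O3, O4
and O23 entry formats seen in the posted log and flags what a helper reads first:
BHOs and services whose file is gone, Run entries that launch a bare file name
(found via PATH search, not a fixed location), unquoted paths with spaces, and
IE start/search URLs outside a reviewer's allowlist."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sample input: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Assumption: a reviewer's allowlist of IE default / common start-page hosts.
EXPECTED_URL_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.yahoo.com", "www.google.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[^\[]*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First program reference in an unquoted command line (stops at a space, comma or end).
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|dll|cpl))(?=[\s,]|$)", re.IGNORECASE)

@dataclass
class Entry:
    kind: str    # HijackThis section code, e.g. "O4" or "O23"
    label: str   # the name HijackThis shows for the entry
    raw: str
    flags: list = field(default_factory=list)

def executable_of(cmd: str) -> str:
    """Return the program a Run-key command launches: the quoted path, else the first program token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def triage_line(line: str):
    """Parse one HijackThis line into an Entry (None for non-entry lines such as process paths)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = Entry(kind, body, line.strip())
    if kind in ("R0", "R1"):                                   # IE start/search/proxy settings
        entry.label, _, value = body.partition(" = ")
        host = urlparse(value.strip()).hostname
        if host and host not in EXPECTED_URL_HOSTS:
            entry.flags.append(f"browser URL points at unexpected host {host}")
    elif kind in ("O2", "O3") and (b := BHO_RE.match(body)):   # BHOs and toolbars
        entry.label = b.group("name")
        if b.group("path") == "(no file)":
            entry.flags.append("registered BHO/toolbar whose DLL is gone (orphan)")
        if b.group("name") == "(no name)":
            entry.flags.append("BHO registered without a name")
    elif kind == "O4" and (r := RUN_RE.match(body)):           # Run-key autostarts
        entry.label = r.group("name")
        exe = executable_of(r.group("cmd"))
        if "\\" not in exe and "%" not in exe:
            entry.flags.append(f"bare file name {exe!r}: resolved by PATH search, not a fixed path")
        elif not r.group("cmd").startswith('"') and " " in exe:
            entry.flags.append("unquoted path containing spaces")
    elif kind == "O23" and (s := SVC_RE.match(body)):          # Windows services
        entry.label = s.group("name")
        if s.group("path").endswith("(file missing)"):
            entry.flags.append("service points at a binary that no longer exists")
        if s.group("owner") == "Unknown owner":
            entry.flags.append("no publisher recorded for the service binary")
    return entry

def triage(log_text: str) -> list:
    """Parse every entry line of a log and return only the entries that raised a flag."""
    entries = (triage_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [e for e in entries if e is not None and e.flags]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4}{e.label}")
        for f in e.flags:
            print("     -", f)
```

Flags are review prompts, not verdicts: the orphaned BHOs and the missing GameGuard binary in this log are leftovers of uninstalled software, which is exactly why a helper asks for the installed-programs list alongside the log.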

Re: Probable Keylogger Issue. Have log...

Post by askey127 » September 14th, 2010, 1:45 pm

Hi Masher,
For the time being, at least, we need to remove some of the anti-spyware apps, until we determine what is going on.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

PCTools
Spyware Doctor
Spyware Terminator

Take extra care in answering questions posed by any Uninstaller.
----------------------------------------------
Download and Run Temp File Cleaner (TFC.exe)
Download Temp File Cleaner and save it to your desktop.
Double click to run it. (Right click and Run as Administrator in Vista)
If you have a lot of junk files to remove, it could take a while, so please be patient and let it finish.
When it's done, if it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • XP : Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • VISTA/Win7: Right click the .exe file and choose Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
      See image below
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

So we are looking for the Installed programs list from HiJackThis, and the log from Gmer.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Probable Keylogger Issue. Have log...

Post by Masher » September 15th, 2010, 8:39 pm

Hi askey

Here is the list of installed programs at the moment...


ABBYY FineReader 6.0 Sprint
Acrobat.com
Acrobat.com
Active Sky X
ActiveSky2004.5 Update
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.3.4
Adobe Shockwave Player
Akamai NetSession Interface
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
ASV - Upgrade from AS2004.5 Installer
avast! Free Antivirus
Bonjour
Bytescout XLS Viewer 2.20 (FREEWARE)
CDDRV_Installer
Choice Guard
City of Villains/City of Heroes (remove only)
Creative ALchemy
Creative Audio Control Panel
Creative Console Launcher
Creative Media Toolbox
Creative MediaSource 5
Creative Software AutoUpdate
Creative Sound Blaster Properties
Creative System Information
Creative WaveStudio 7
Driver Detective
Epson Easy Photo Print 2
EPSON NX300 Series Printer Uninstall
EPSON Scan
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 11
KhalInstallWrapper
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MixMeister CD-R Drivers
MixMeister Fusion + Video 7.0.5
Mozilla Firefox (3.6.9)
Mozilla Thunderbird (3.1.2)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nikon Message Center
NVIDIA Drivers
NVIDIA PhysX
OGA Notifier 2.0.0048.0
OpenAL
QuickTime
Realtek High Definition Audio Driver
RepairSolutions
SopCast 3.0.3
Sound Blaster X-Fi
System Requirements Lab
TuneUp Utilities 2008
UltimateDefrag 2008
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
Veetle TV 0.9.17
VLC media player 1.0.5
VoiceOver Kit
Vuze
Winamp
Windows Installer Clean Up
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinPcap 4.0.2
WinRAR archiver
WinZip 12.1
X Graphics
Xilisoft PSP Video Converter
YouSendIt Express

I will post the other log later on. Also if I may add, after I posted my original message I decided to run avast in reboot mode and it found 4 infected files that I went ahead and deleted. Please let me know if I need to do anything extra, thanks!

Re: Probable Keylogger Issue. Have log...

Post by askey127 » September 15th, 2010, 9:30 pm

That's OK.
I will give you another set of instructions as soon as I see the Gmer log.

Re: Probable Keylogger Issue. Have log...

Post by Masher » September 17th, 2010, 5:21 pm

Here is the info you requested...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-17 17:05:28
Windows 6.0.6002 Service Pack 2
Running: gls3x03l.exe; Driver: C:\Users\Rafy\AppData\Local\Temp\ugldypod.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? A2BDF050
INT 0x52 ? A2BDF550
INT 0x53 ? A2BDF2D0
INT 0x64 ? A3D39CD0
INT 0x74 ? A2BDF7D0
INT 0x84 ? A3D397D0
INT 0x94 ? A3D39550
INT 0xA4 ? A4D2ECD0
INT 0xB0 ? A3D392D0
INT 0xB1 ? A2BDFCD0
INT 0xB4 ? A3D39050

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB4EFABAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB4EFA9D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB4EFAB0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver E3F75DF0 7 Bytes JMP B4EFAB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject E3FE128F 5 Bytes JMP B4EF65D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject E403A063 5 Bytes JMP B4EF7FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection E403B905 7 Bytes JMP B4EFA9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx E409B90A 7 Bytes JMP B4EFABB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1372] kernel32.dll!SetUnhandledExceptionFilter 7651A84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Files - GMER 1.0.15 ----

File C:\Users\Rafy\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\STSFTL8V\www.vavirginamerica.net.\flowplayer-3.0.5.swf 0 bytes
File C:\Users\Rafy\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.vavirginamerica.net.\settings.sol 94 bytes

---- EOF - GMER 1.0.15 ----


Thanks

Re: Probable Keylogger Issue. Have log...

Post by askey127 » September 17th, 2010, 5:41 pm

Masher,
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394
As a condition of receiving our help, I have included the P2P program Vuze in the removal instructions below, so we are not wasting our time.
If you have used this, you can be fairly confident this is a principal reason your computer is infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze, Shareaza, Bitlord.
Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.
It's also very important to avoid any "cracks" or "Keygens" that allow unauthorized use of programs. Besides being illegal, these files also are loaded with "planted" malware.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:
Java(TM) 6 Update 11
Vuze

Take extra care in answering questions posed by any Uninstaller.
NEEDS LATEST JAVA TO RUN
Let's check whether you have any other leftover infected files or settings.
This scan can take a long time (hours), but it is very thorough. Please start it when you can let it finish.
It doesn't remove anything. The report, however, is very valuable.
------------------------------------------------------------
Download and Install the latest version of Java Runtime Environment from here: http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
In the first section on the page, labeled JDK 6 Update 21 (JDK or JRE), click on the button labeled Download JRE. Do NOT choose the button labeled "Download JDK".
Select the Platform Windows and check the box to agree to the license.
Choose the Windows Offline installation version and click on the link.
Download it, choose Save, and save it to your desktop.
Then double-click it on your desktop, (or right click and choose "Run as administrator") and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
-----------------------------------------------------
Run an Online Kaspersky WebScan
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the Program and Database downloads have finished, (may take a while), Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post the contents of this log in your next reply.

askey127

Re: Probable Keylogger Issue. Have log...

Post by Masher » September 18th, 2010, 3:19 am

Saturday, September 18, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 17, 2010 19:43:35
Records in database: 4217979
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics
Objects scanned 234745
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 03:29:16

No threats found. Scanned area is clean.
Selected area has been scanned.

Re: Probable Keylogger Issue. Have log...

Post by askey127 » September 18th, 2010, 6:46 am

Masher,
Machine looks OK so far.

I would NOT use the Tuneup Utilities 2008. In fact I would Uninstall it.
Utilities purporting to clean or optimize your registry won't do any good if they are perfect, and can break your machine if they are not.

If you are using a router, wired or wireless, you need to check the settings for your internet provider as if you were setting it up for first usage. Make sure there are no extra server addresses added. Then you need to be certain that the Router Administrator password has been changed from the default value. The default passwords are published and can allow remote hacking.

----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware
Please go here to the Download Location, click on Download.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Click the browse folders button, then click on Desktop on the left as the location for the installer and click Save again. Close the dialog when the download is complete.
  • You should now have a desktop icon named mbam-setup.exe.
  • Right click it, choose Run as administrator and Continue
  • Let it install where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version. A shield symbol will show on the desktop icon while it is updating, and will disappear when it's done.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program has started up, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents. The logs are listed and named by time/date stamp.

Let me know how it goes
askey127

Re: Probable Keylogger Issue. Have log...

Post by Masher » September 18th, 2010, 1:17 pm

Here is the next log...



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4646

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

9/18/2010 1:11:17 PM
mbam-log-2010-09-18 (13-11-17).txt

Scan type: Quick scan
Objects scanned: 142919
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Probable Keylogger Issue. Have log...

Post by askey127 » September 19th, 2010, 7:37 am

Masher,
Looks fine, as you can see.
I think your machine is OK.
-------------------------------------------
Reset System Restore Points
Click Start, Right Click on Computer, and select Properties.
In the left pane, click System Protection.
UNcheck the box labeled Local Disk C:
When asked if you are sure you want to turn off System Restore, click Turn System Restore Off
Click Apply and OK.
-------------------------------
Now Reboot Your Machine
-------------------------------
Click Start, Right Click on Computer, and select Properties.
In the left pane, click System Protection.
Check the box labeled Local Disk C:
Click Apply and OK.

You can delete Gmer from your desktop
You can keep Malwarebytes Anti-Malware and Temp File Cleaner (TFC.exe) and run them every week or two.
You should be good to go.

askey127

Re: Probable Keylogger Issue. Have log...

Post by Masher » September 19th, 2010, 8:45 am

askey


Thanks so much for your help!

Re: Probable Keylogger Issue. Have log...

Post by askey127 » September 19th, 2010, 11:57 am

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.