
rootkit/possible keylogger


I wasn't having any problems lately until my email was hijacked and sent out a spam msg to all of my contacts. I immediately changed all passwords remotely and started running some scans to find the problem. Nothing came up on my Avira scan or MBAM but after downloading AVG the virus run found nothing but the Anti-Rootkit scanner found two items, both were listed as corrupted sections and neither could be removed because it said one was hidden and one was inaccessible. I have since followed the sticky instructions to clean my system and have run Hijack This, MBAM, Defogger, virus scans from two programs, DDS, and tried to run GMER but it crashed my system both times I tried. Any advice would be greatly appreciated, thank you!

Malwarebytes' Anti-Malware


Database version: 7882

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

10/5/2011 3:31:20 PM

mbam-log-2011-10-05 (15-31-20).txt

Scan type: Quick scan

Objects scanned: 257331

Time elapsed: 24 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_25

Run by silvanamama at 22:50:06 on 2011-10-05


============== Running Processes ===============


C:\Program Files\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe




C:\Program Files\AVAST Software\Avast\AvastSvc.exe





C:\Program Files\AVG\AVG2012\avgfws.exe


C:\Program Files\AVG\AVG2012\avgwdsvc.exe


C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\AVG\AVG2012\avgemcx.exe



C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe



C:\Program Files\Mozilla Firefox\firefox.exe


C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup


============== Pseudo HJT Report ===============


uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop

uInternet Settings,ProxyOverride = <local>;192.168.*.*

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\wpclsp.dll

Trusted Zone: gametap.com

Trusted Zone: gametap.com\support

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer =

TCP: Interfaces\{0A8EF111-7950-4BD0-BF75-5D9C794C7E96} : DhcpNameServer =

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Notify: igfxcui - igfxdev.dll

Hosts: www.spywareinfo.com


================= FIREFOX ===================


FF - ProfilePath - c:\users\silvanamama\appdata\roaming\mozilla\firefox\profiles\37l4lc53.default\

FF - prefs.js: browser.startup.homepage - www.myyahoo.com

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll

FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll

FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll

FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll

FF - component: c:\program files\mozilla firefox\extensions\yplayer@yummy.net\components\FYPlayer.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

FF - plugin: c:\users\silvanamama\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Yummy Games Player: YPlayer@yummy.net - c:\program files\mozilla firefox\extensions\YPlayer@yummy.net

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Blue Fox: {241aae70-0022-11de-87af-0800200c9a66} - %profile%\extensions\{241aae70-0022-11de-87af-0800200c9a66}

FF - Ext: <![CDATA[1-ClickWeather]]>: {DCBD1271-D228-4082-9FBC-36D9B7660B03} - %profile%\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: OptimizeGoogle: optimizegoogle@optimizegoogle.com - %profile%\extensions\optimizegoogle@optimizegoogle.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF

FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\DivXHTML5

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4

============= SERVICES / DRIVERS ===============


R? AdobeARMservice;Adobe Acrobat Update Service

R? Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service

R? Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service

R? FontCache;Windows Font Cache Service

R? MBAMProtector;MBAMProtector

R? MBAMService;MBAMService

R? motccgp;Motorola USB Composite Device Driver

R? motccgpfl;MotCcgpFlService

R? MotoHelper;MotoHelper Service

R? SBSDWSCService;SBSD Security Center Service

R? Stereo Service;NVIDIA Stereoscopic 3D Driver Service

S? aswFsBlk;aswFsBlk

S? aswMonFlt;aswMonFlt

S? aswSnx;aswSnx

S? aswSP;aswSP

S? avast! Antivirus;avast! Antivirus

S? Avgfwfd;AVG network filter service

S? avgfws;AVG Firewall






S? Avgldx86;AVG AVI Loader Driver

S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield

S? Avgrkx86;AVG Anti-Rootkit Driver

S? Avgtdix;AVG TDI Driver

S? avgwd;AVG WatchDog

S? ksaud;Creative USB Audio Driver

S? sprtlisten;SupportSoft Listener Service


=============== Created Last 30 ================


2011-10-05 22:06:27 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE

2011-10-05 03:57:18 -------- d-----w- c:\users\silvanamama\appdata\roaming\AVG2012

2011-10-05 03:54:37 -------- d-----w- c:\windows\system32\drivers\AVG

2011-10-05 03:54:37 -------- d-----w- c:\programdata\AVG2012

2011-10-05 03:52:42 -------- d-----w- c:\program files\AVG

2011-10-05 03:48:10 -------- d--h--w- c:\programdata\Common Files

2011-10-05 03:47:57 -------- d-----w- c:\programdata\MFAData

2011-09-27 18:04:49 -------- d-----w- c:\users\silvanamama\appdata\local\DDMSettings

2011-09-20 04:03:19 -------- d-----w- c:\users\silvanamama\appdata\local\LEGO Software

2011-09-20 03:46:58 -------- d-----w- c:\users\silvanamama\appdata\local\Chromium

2011-09-20 03:46:28 -------- d-----w- c:\program files\LEGO Software

2011-09-20 03:46:04 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-09-15 02:07:23 -------- d-----w- c:\program files\LEGO Company

2011-09-13 13:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys


==================== Find3M ====================


2011-10-03 17:53:28 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr

2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-09-06 20:36:26 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2011-09-05 18:47:25 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2011-09-05 18:47:25 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-22 20:51:50 94208 ----a-w- c:\windows\system32\dpl100.dll

2011-07-11 08:14:38 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2011-07-11 08:14:02 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys

2011-07-11 08:14:02 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys

2011-07-11 08:14:00 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

2011-07-11 08:13:58 134736 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys

2011-07-11 08:13:46 229840 ----a-w- c:\windows\system32\drivers\avgldx86.sys


============= FINISH: 22:52:24.16 ===============


Are you running AVG and Avast now?

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.


Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.
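
The overlap this reply asks about can be read straight from the "Running Processes" section of a DDS log. The sketch below is an added example, not part of the original posts and not code from DDS or any vendor; the excerpt is constructed in the layout of the log above, and the vendor-folder table and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the DDS log posted above (not the full log).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
"""

# Assumption: Program Files folder names (lower-case) treated as resident antivirus.
AV_VENDOR_DIRS = {"avg": "AVG", "avast software": "avast!"}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+\s*$")
PROGFILES_RE = re.compile(r"^[a-z]:\\program files(?: \(x86\))?\\([^\\]+)\\", re.I)


def dds_sections(log_text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = defaultdict(list), None
    for line in log_text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1)
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections


def resident_av_products(log_text):
    """Map each AV product to its processes listed under 'Running Processes'."""
    found = defaultdict(list)
    for path in dds_sections(log_text).get("Running Processes", []):
        m = PROGFILES_RE.match(path)
        product = AV_VENDOR_DIRS.get(m.group(1).lower()) if m else None
        if product:
            found[product].append(path.rsplit("\\", 1)[-1])
    return dict(found)


def has_av_conflict(log_text):
    """True when more than one antivirus product has running processes."""
    return len(resident_av_products(log_text)) > 1
```

Only running processes are counted, so an autostart entry left behind by an uninstalled product (such as the `mRun` line in the excerpt) does not trigger the flag.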


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
