Help check my logs please essexboy

Hi,

Recently I was notified by my bank that my MasterCard had been accessed twice overnight, and it leads me to suspect that I have some kind of virus that was able to log my details, as I typed them in recently for an online purchase. So I ran Malwarebytes’ Anti-Malware, OTL and aswMBR.

Edit: perhaps I should mention that I ran the Kaspersky TDSSKiller scan with no threats, and a full scan with Kaspersky Internet Security also with no threats.

MBAM:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.29.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tim_2 :: TIM-PC [limited]

30/03/2012 9:56:33 AM
mbam-log-2012-03-30 (09-56-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 168370
Time elapsed: 1 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
c:\users\tim\local settings\tempdir\betterinstaller.exe (PUP.BundleInstaller.Somoto) → Quarantined and deleted successfully.

(end)

aswMBR:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 09:36:38

09:36:38.699 OS Version: Windows x64 6.1.7601 Service Pack 1
09:36:38.699 Number of processors: 4 586 0x2A07
09:36:38.700 ComputerName: TIM-PC UserName: Tim
09:36:57.406 Initialize success
09:38:10.098 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
09:38:10.098 Disk 0 Vendor: WDC_WD10 15.0 Size: 953869MB BusType: 3
09:38:10.098 Disk 0 MBR read successfully
09:38:10.098 Disk 0 MBR scan
09:38:10.098 Disk 0 Windows 7 default MBR code
09:38:10.108 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
09:38:10.118 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
09:38:10.128 Disk 0 scanning C:\Windows\system32\drivers
09:38:13.455 Service scanning
09:38:16.429 Service KL1 C:\Windows\system32\DRIVERS\kl1.sys LOCKED 5
09:38:16.429 Service kl2 C:\Windows\system32\DRIVERS\kl2.sys LOCKED 5
09:38:16.476 Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys LOCKED 5
09:38:16.510 Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys LOCKED 5
09:38:20.679 Modules scanning
09:38:20.679 Disk 0 trace - called modules:
09:38:20.695 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
09:38:20.695 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8009d8a790]
09:38:20.695 3 CLASSPNP.SYS[fffff88001e1743f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8007585050]
09:38:20.695 Scan finished successfully
09:39:50.757 Disk 0 MBR has been saved successfully to “C:\Users\Tim\Documents\MBR.dat”
09:39:50.760 The log file has been saved successfully to “C:\Users\Tim\Documents\aswMBR.txt”

The OTL log is attached.

Thanks a lot in advance!

Check back tomorrow night when essexboy is here.

Hi, not sure what the rules are, but thought I should bump this as it’s nearly on page 3. I’m just worried because my bank account was accessed — I’ve been using a virtual keyboard since then, but I think I could have something lurking in my computer.

Ok…essexboy must have missed this one…

I have sent him a note this time.

Great, thanks a lot.

He is usually in here late UK time…

Hi, sorry I missed you.

The logs are showing clean of any known password stealers/keyloggers.

Could you use Kaspersky to generate an analysis log, then upload it to a file sharing site for me to collect?

Details here: http://support.kaspersky.com/faq/?qid=208279710

Thanks a lot for checking.

The links for the log files are below; there is a .rar or .zip of the same file.

RAR: http://www.sendspace.com/file/ltxtwq

ZIP: http://www.sendspace.com/file/rrxvu0

Thanks 🙂

That also shows clean. Are you experiencing any problems with the computer?

No, my computer seems fine. I just suspected I had a problem due to unauthorised access of my bank account, and I think the most likely explanation was a keylogger or something. But other than that, I have no reason to suspect any viruses. Thank you very much for checking 🙂

Not a problem, always better safe than sorry ;D