Possible Keylogger

I have reason to believe there is/was a keylogger, or some kind of nasty thing on my laptop. I’ve had to change my email and ebay information a few times… very frustrating. Decided to run a full scan with MSE and Malwarebytes. MSE killed a few exploits/trojans for me, but Malwarebytes came up with nothing. Emsisoft seemed to only detect what was already in quarantine and Kaspersky AVPTool came up clean. TDSSKiller is telling me that “windows\system32\drivers\sptd.sys” could be a threat but I have no idea. Here is my aswMBR log, any help would be greatly appreciated!

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-07 01:41:55

01:41:55.358 OS Version: Windows x64 6.1.7601 Service Pack 1
01:41:55.359 Number of processors: 2 586 0x602
01:41:55.361 ComputerName: B UserName: B
01:41:56.279 Initialize success
01:42:29.878 AVAST engine defs: 13080601
01:42:35.865 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
01:42:35.867 Disk 0 Vendor: WDC_WD3200BEKT-60F3T1 12.01A12 Size: 305245MB BusType: 11
01:42:35.870 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP3T0L0-3
01:42:35.872 Disk 1 Vendor: WDC_WD3200BEKT-60F3T1 12.01A12 Size: 305245MB BusType: 11
01:42:35.881 Disk 0 MBR read successfully
01:42:35.884 Disk 0 MBR scan
01:42:35.889 Disk 0 unknown MBR code
01:42:35.928 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
01:42:35.969 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 289241 MB offset 409600
01:42:36.027 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 15700 MB offset 592775168
01:42:36.072 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 624928768
01:42:36.253 Disk 0 scanning C:\Windows\system32\drivers
01:43:08.688 Service scanning
01:43:48.833 Modules scanning
01:43:48.841 Disk 0 trace - called modules:
01:43:48.895 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys >>UNKNOWN [0xfffffa80036b12c0]<<sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
01:43:48.899 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80046b4790]
01:43:48.904 3 CLASSPNP.SYS[fffff88000c2943f] → nt!IofCallDriver → [0xfffffa80046b36b0]
01:43:48.909 5 hpdskflt.sys[fffff880021e5289] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004674680]
01:43:48.914 \Driver\atapi[0xfffffa80044b75a0] → IRP_MJ_CREATE → 0xfffffa80036b12c0
01:43:50.060 AVAST engine scan C:\Windows
01:44:11.215 AVAST engine scan C:\Windows\system32
01:45:13.349 Disk 0 MBR has been saved successfully to “C:\Users\B\Documents\MBR.dat”
01:45:13.358 The log file has been saved successfully to “C:\Users\B\Documents\aswMBR.txt”

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-07 02:10:45

02:10:45.865 OS Version: Windows x64 6.1.7601 Service Pack 1
02:10:45.866 Number of processors: 2 586 0x602
02:10:45.874 ComputerName: B UserName: B
02:10:46.746 Initialize success
02:11:17.788 AVAST engine defs: 13080601
02:14:50.819 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
02:14:50.822 Disk 0 Vendor: WDC_WD3200BEKT-60F3T1 12.01A12 Size: 305245MB BusType: 11
02:14:50.829 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP3T0L0-3
02:14:50.832 Disk 1 Vendor: WDC_WD3200BEKT-60F3T1 12.01A12 Size: 305245MB BusType: 11
02:14:50.835 Disk 2 \Device\Harddisk2\DR2 → \Device\000000be
02:14:50.838 Disk 2 Vendor: Size: 305245MB BusType: 0
02:14:50.877 Disk 0 MBR read successfully
02:14:50.880 Disk 0 MBR scan
02:14:50.886 Disk 0 unknown MBR code
02:14:50.912 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
02:14:50.945 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 289241 MB offset 409600
02:14:51.003 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 15700 MB offset 592775168
02:14:51.031 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 624928768
02:14:51.111 Disk 0 scanning C:\Windows\system32\drivers
02:15:29.501 Service scanning
02:16:08.044 Modules scanning
02:16:08.050 Disk 0 trace - called modules:
02:16:08.080 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys >>UNKNOWN [0xfffffa80036b12c0]<<sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
02:16:08.086 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80046b4790]
02:16:08.090 3 CLASSPNP.SYS[fffff88000c2943f] → nt!IofCallDriver → [0xfffffa80046b36b0]
02:16:08.095 5 hpdskflt.sys[fffff880021e5289] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004674680]
02:16:08.100 \Driver\atapi[0xfffffa80044b75a0] → IRP_MJ_CREATE → 0xfffffa80036b12c0
02:16:09.196 AVAST engine scan C:\Windows
02:16:35.033 AVAST engine scan C:\Windows\system32
02:23:40.475 AVAST engine scan C:\Windows\system32\drivers
02:24:08.868 AVAST engine scan C:\Users\B
02:53:51.778 AVAST engine scan C:\ProgramData
02:57:59.319 Scan finished successfully
03:01:58.738 Disk 0 MBR has been saved successfully to “C:\Users\B\Documents\MBR.dat”
03:01:58.842 The log file has been saved successfully to “C:\Users\B\Documents\aswMBR.txt”

Please attach your logs. (AdwCleaner, MBAM, and OTL…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

SPTD.sys is a CD emulator and its behaviour is very similar to a rootkit.
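
As an added example (not part of the thread or of aswMBR), this Python script reads the trace lines from the log above and ties the >>UNKNOWN<< address in the disk driver stack to the \Driver\atapi dispatch entry that points at the same address. The function name and the regular expressions are assumptions based only on the line shapes in this log.

```python
import re

# Constructed sample: three lines copied from the aswMBR log in this thread.
SAMPLE_LOG = r"""01:43:48.895 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys >>UNKNOWN [0xfffffa80036b12c0]<<sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
01:43:48.909 5 hpdskflt.sys[fffff880021e5289] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004674680]
01:43:48.914 \Driver\atapi[0xfffffa80044b75a0] → IRP_MJ_CREATE → 0xfffffa80036b12c0
"""

# Line shapes as they appear in this log (assumed, not a documented format).
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<\s*(\S+)?")
HOOK_RE = re.compile(
    r"(\\Driver\\\S+?)\[0x[0-9a-fA-F]+\]\s*(?:→|->)\s*(IRP_MJ_\w+)\s*(?:→|->)\s*(0x[0-9a-fA-F]+)"
)


def triage(log_text):
    """Return one finding per unresolved address seen in the disk driver stack."""
    findings = {}
    hooks = []
    for line in log_text.splitlines():
        body = TIMESTAMP_RE.sub("", line)
        m = UNKNOWN_RE.search(body)
        if m:
            addr = m.group(1).lower()
            before = body[:m.start()].split()
            # setdefault de-duplicates when the same log holds several runs.
            findings.setdefault(addr, {
                "address": addr,
                "after_module": before[-1] if before else None,
                "next_module": m.group(2),
                "dispatch_redirects": [],
            })
        for drv, irp, target in HOOK_RE.findall(body):
            hooks.append((drv, irp, target.lower()))
    # Attach every driver dispatch entry that points at an unresolved address.
    for drv, irp, target in hooks:
        if target in findings and (drv, irp) not in findings[target]["dispatch_redirects"]:
            findings[target]["dispatch_redirects"].append((drv, irp))
    return list(findings.values())


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The output names the drivers on either side of the unresolved address, which is what to check on disk (file signature, vendor) before deciding whether the hook belongs to installed software such as the CD emulator mentioned above.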

Ok, these should be it… I’m just really paranoid after having my accounts stolen a few times :o

Could you attach the main OTL log please?

Oops, forgot to add that one, here it is.

I need to order some parts online tonight so I’m hoping this bombardment of antivirus has done the trick ;D

Eh? Why risk further trouble unless you know your system is clean? I’d wait for an all clear first if such can be gotten.

I can see no indication of a key logger, is your computer behaving normally?

Yes everything seems fine now, I think my ebay and paypal were taken over when someone managed to get into my yahoomail a few weeks ago. Looking good now just being cautious

That is the problem with web-based mail: unless your password is really strong it can be hacked.

Delete AswMBR from the desktop
Run AdwCleaner and press uninstall
Run OTL and press cleanup

:)