
Got a letter from my ISP that says I may have become infected by a zombiebot.


  • This topic is locked
11 replies to this topic

#1 Please Help Us

  • Members
  • 156 posts

Posted 30 December 2010 - 10:33 PM

As the topic says, I got a letter from my ISP recently stating that I may have somehow acquired a malicious bot program onto my computer in some way, fashion, or form. I've recently started getting back into the use of IRC chat programs, and the time the letter says I was infected matches around the time when I was trying out the IRC program (IceChat, for those that are interested or if the information is asked for in advance). I do believe this came up as a false positive, but before I start disregarding it I wish to have a second opinion. Even though the letter states itself that it may just be a false positive on their part, I'd rather rely on the wonderful team here that has never failed me in the past.

For those curious about what I've already done: I've run a full Avast Internet Security scan, a MalwareBytes scan, a Spybot Search and Destroy full scan, Trend Micro's RUBotted, and Dr.Web CureIt on all the computers in the household. So far none of these scans have returned anything, and I'm wondering if there's anything else to confirm whether I'm infected or not.

I'm just curious if there's anything else I may do to reassure myself, and the others in my household, that we have not become infected, and if we have, to get rid of it quickly. Thank you once again for your help in advance.

Here's the DDS log as requested
Attach has been zipped and put in attachments.

Post edit: Also, I'm on a 64-bit system, so as requested I skipped the GMER step.

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Spud at 21:23:35.03 on Thu 12/30/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.9207.7137 [GMT -6:00]

AV: avast! Internet Security *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Internet Security *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: avast! Internet Security *Enabled* {FB460EB6-4C6D-E564-6BF5-EEEF2B44B473}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\afwServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\vds.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Spud\Documents\Jon's\Yalls\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitIEAddin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [ATICustomerCare] "c:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe"
mRunOnce: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitBHO64.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB-X64: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitIEAddin64.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
mRun-x64: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Spud\AppData\Roaming\Mozilla\Firefox\Profiles\pgfv0gew.default\
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;C:\Windows\System32\drivers\aswNdis.sys [2010-8-17 12368]
R0 aswNdis2;avast! Firewall Core Firewall Service;C:\Windows\System32\drivers\aswNdis2.sys [2010-8-17 250448]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-8-11 55280]
R1 aswFW;avast! TDI Firewall driver;C:\Windows\System32\drivers\aswFW.sys [2010-8-17 125520]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2010-8-17 472656]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-8-17 121936]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-12-15 203776]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-8-17 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-8-17 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-16 40384]
R2 avast! Firewall;avast! Firewall;C:\Program Files\Alwil Software\Avast5\afwServ.exe [2010-9-16 119200]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-12-22 1153368]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2010-12-21 987704]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2010-12-21 399416]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-4-24 483688]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-8-11 689472]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-12-15 8120320]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-12-15 289792]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-12-15 116752]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-16 40384]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2010-11-30 97552]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2010-7-7 17976]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-8-11 216064]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-8-11 215040]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2010-4-24 721768]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2010-4-24 269672]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2010-4-24 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2010-4-24 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-4-24 209768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\System32\drivers\btusbflt.sys [2010-4-14 54824]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-17 1255736]

=============== Created Last 30 ================

2010-12-30 13:18:59 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{82606583-8878-43AE-8EEF-23DE1276D0DE}\mpengine.dll
2010-12-26 13:27:14 -------- d-----w- C:\Users\Spud\AppData\Local\CrashRpt
2010-12-26 13:27:06 -------- d-----w- C:\Users\Spud\AppData\Local\Procaster
2010-12-26 13:27:06 -------- d-----w- C:\Program Files (x86)\Livestream Procaster
2010-12-22 18:58:19 -------- d-----w- C:\Users\Spud\AppData\Local\IceChat
2010-12-22 18:58:06 109248 ----a-w- C:\Windows\SysWow64\mswinsck.ocx
2010-12-22 18:58:05 -------- d-----w- C:\Program Files (x86)\IceChat7
2010-12-22 18:49:10 -------- d-----w- C:\Users\Spud\AppData\Roaming\mIRC
2010-12-22 16:49:47 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2010-12-22 16:49:47 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2010-12-22 01:16:01 -------- d-----w- C:\Users\Spud\AppData\Local\Secunia PSI
2010-12-22 01:15:57 -------- d-----w- C:\Program Files (x86)\Secunia
2010-12-21 07:52:23 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2010-12-21 07:52:19 -------- d-----w- C:\Users\Spud\AppData\Local\PunkBuster
2010-12-21 07:50:59 529424 ----a-w- C:\Windows\System32\d3dx10_37.dll
2010-12-18 06:52:12 -------- d-----w- C:\Users\Spud\AppData\Roaming\fltk.org
2010-12-17 09:42:52 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2010-12-16 04:28:04 648704 ----a-w- C:\Windows\System32\aticfx64.dll
2010-12-16 04:28:02 289792 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2010-12-16 04:28:01 21610496 ----a-w- C:\Windows\System32\atio6axx.dll
2010-12-16 04:28:00 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2010-12-16 04:28:00 249856 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2010-12-16 04:28:00 116752 ----a-w- C:\Windows\System32\drivers\AtihdW76.sys
2010-12-16 04:26:59 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2010-12-15 06:15:10 -------- d-----w- C:\Program Files (x86)\Aquaria
2010-12-03 03:54:01 -------- d-----w- C:\Users\Spud\AppData\Local\Yahoo
2010-12-03 03:52:08 -------- d-----w- C:\Program Files (x86)\Yahoo!
2010-12-02 18:58:48 2582888 ----a-w- C:\Windows\System32\D3DCompiler_42.dll
2010-12-02 18:58:48 1974616 ----a-w- C:\Windows\SysWow64\D3DCompiler_42.dll

==================== Find3M ====================

2010-12-21 11:32:55 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2010-12-21 08:24:48 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2010-12-21 08:05:20 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2010-12-21 07:51:23 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
2010-12-21 00:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-12-16 04:28:03 3460096 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2010-12-16 04:26:56 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-24 03:50:55 332800 ----a-w- C:\Windows\System32\ATIODE.exe
2010-10-24 03:50:44 51200 ----a-w- C:\Windows\System32\ATIODCLI.exe
2010-10-21 21:11:04 97552 ----a-w- C:\Windows\System32\drivers\MijXfilt.sys
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-19 16:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-16 05:23:13 112000 ----a-w- C:\Windows\System32\consent.exe
2010-10-16 05:19:41 395776 ----a-w- C:\Windows\System32\webio.dll
2010-10-16 04:36:10 314368 ----a-w- C:\Windows\SysWow64\webio.dll
2010-10-13 23:09:15 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

============= FINISH: 21:24:04.00 ===============

Edited by Please Help Us, 30 December 2010 - 10:38 PM.
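A few lines in the log above are the ones a log reader checks first when an ISP botnet notice is in play. The mPolicies-system block records EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0, which means User Account Control is disabled on this Windows 7 machine; with UAC off, programs run from an administrator account get full rights without any prompt, so nothing would have asked before a bot installed itself. The services section lists S2 SessionLauncher with its binary under c:\Users\ADMINI~1\AppData\Local\Temp\DX9\ and a [?] marker, meaning DDS could not find the file; the BHO/TB sections have several "No File" orphans, and there is a Hosts: override. None of these is a verdict on its own (installers leave files in Temp, and security tools write Hosts blocklists), but each is an entry to read rather than skip. The Python script below is an added example for this thread, not part of the original post or of the DDS tool: it parses lines in the format DDS prints and flags those categories. The sample lines are copied from the log above; the category names, the weak-UAC value table and the rule that a user Temp path is a review item are this example's own assumptions.

```python
"""Triage a DDS "Pseudo HJT Report" / "SERVICES / DRIVERS" listing.

Added example for this thread; it is not part of the DDS tool. Given lines
in the format DDS prints, it flags: weak UAC policy values, services and Run
entries under a user's Temp tree, services DDS could not stat ("[?]"),
toolbar/BHO entries with "No File", and Hosts overrides.
"""
import re
from collections import Counter

# DDS prints these as "mPolicies-system: <Name> = <dec> (0x<hex>)", i.e. the
# HKLM Policies\System key. Assumption of this example: only these three
# values count as weakening UAC; anything else is left alone.
UAC_WEAK_VALUES = {
    "EnableLUA": 0,                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 0,  # administrators elevate with no prompt
    "PromptOnSecureDesktop": 0,       # prompts drawn on the normal desktop
}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(-?\d+)")
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")   # state name;display;path [meta]
RUN_RE = re.compile(r"^[um]Run(?:Once)?(?:-x64)?:\s*\[[^\]]*\]\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
NOFILE_RE = re.compile(r"^(?:BHO|TB)(?:-X64)?:.*-\s*No File\s*$")
# Per-user temp tree; droppers use it, but so do installers (review item only)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _first_path(rest):
    """Executable path from the text after a Run entry's [name] tag."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest  # unquoted: DDS prints the whole command, args included


def triage(lines):
    """Return a list of (category, detail) findings for DDS-formatted lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if UAC_WEAK_VALUES.get(name) == value:
                findings.append(("uac_weakened", f"{name} = {value}"))
            continue
        if NOFILE_RE.match(line):
            findings.append(("orphaned_entry", line))
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings.append(("hosts_override", f"{m.group(1)} {m.group(2)}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, rest = m.groups()
            meta = re.search(r"\[([^\]]*)\]\s*$", rest)   # "[date size]" or "[?]"
            if meta and meta.group(1).strip() == "?":
                findings.append(("service_file_missing", f"{state} {name}"))
            if USER_TEMP_RE.search(rest):
                findings.append(("service_in_user_temp", f"{state} {name}"))
            continue
        m = RUN_RE.match(line)
        if m:
            path = _first_path(m.group(1))
            if USER_TEMP_RE.search(path):
                findings.append(("run_in_user_temp", path))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(category for category, _ in findings))


# Sample input: lines copied from the DDS log posted above, enough to hit every rule.
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-16 40384]
S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
"""
SAMPLE_LINES = [ln for ln in SAMPLE_LOG.splitlines() if ln.strip()]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LINES):
        print(f"{category:22} {detail}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run against the sample, it reports three weakened UAC values, two orphaned toolbar/BHO entries, one Hosts override, and the SessionLauncher service both as missing and as living under a user Temp directory; the avast! service and the Dell RunOnce entries produce nothing. Pasting a whole DDS log into triage() works the same way, since lines the rules do not recognise are ignored.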



#2 Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 07 January 2011 - 09:12 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 Please Help Us

  • Topic Starter

  • Members
  • 156 posts

Posted 07 January 2011 - 09:21 AM

Well, like I said, all I have is a letter to go by that said I was infected by a zombiebot, and I was forwarded here from the "Am I infected?" forum. I cannot run a GMER scan since I have a 64-bit system. What I've done since I last posted in this topic was a boot scan from Avast, several normal full scans with Spybot Search and Destroy and Malwarebytes, and made sure everything was up to date with Secunia. Anyway, here is the DDS log, and attach.zip will be at the bottom like always. Please read my first post, whoever comes along to help me, to get the rest of the facts, and I thank you beforehand for your services.

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Spud at 8:14:41.60 on Fri 01/07/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.9207.6548 [GMT -6:00]

AV: avast! Internet Security *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Internet Security *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: avast! Internet Security *Enabled* {FB460EB6-4C6D-E564-6BF5-EEEF2B44B473}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\afwServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\IceChat7\IceChat7.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Spud\Documents\Jon's\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitIEAddin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [ATICustomerCare] "c:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe"
mRunOnce: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitBHO64.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB-X64: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitIEAddin64.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
mRun-x64: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Spud\AppData\Roaming\Mozilla\Firefox\Profiles\pgfv0gew.default\
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;C:\Windows\System32\drivers\aswNdis.sys [2010-8-17 12368]
R0 aswNdis2;avast! Firewall Core Firewall Service;C:\Windows\System32\drivers\aswNdis2.sys [2010-8-17 250448]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-8-11 55280]
R1 aswFW;avast! TDI Firewall driver;C:\Windows\System32\drivers\aswFW.sys [2010-8-17 125520]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2010-8-17 489552]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-8-17 271952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-12-15 203776]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-8-17 20560]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-8-17 62032]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-1 40384]
R2 avast! Firewall;avast! Firewall;C:\Program Files\Alwil Software\Avast5\afwServ.exe [2011-1-1 119200]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-12-22 1153368]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2010-12-21 987704]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2010-12-21 399416]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-4-24 483688]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-8-11 689472]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-12-15 8120320]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-12-15 289792]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-12-15 116752]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2010-11-30 97552]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2010-7-7 17976]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-8-11 216064]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-8-11 215040]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2010-4-24 721768]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2010-4-24 269672]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2010-4-24 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2010-4-24 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-4-24 209768]
RUnknown DwProt;DwProt; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\System32\drivers\btusbflt.sys [2010-4-14 54824]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-17 1255736]

=============== Created Last 30 ================

2011-01-07 13:14:58 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{DC2A74F6-A8A6-429F-BFEC-63F749C342F0}\mpengine.dll
2011-01-06 22:49:21 -------- d-----w- C:\Users\Spud\AppData\Roaming\.minecraft
2010-12-31 21:38:40 -------- d-----w- C:\Users\Spud\AppData\Local\Ubisoft
2010-12-26 13:27:14 -------- d-----w- C:\Users\Spud\AppData\Local\CrashRpt
2010-12-26 13:27:06 -------- d-----w- C:\Users\Spud\AppData\Local\Procaster
2010-12-26 13:27:06 -------- d-----w- C:\Program Files (x86)\Livestream Procaster
2010-12-22 18:58:19 -------- d-----w- C:\Users\Spud\AppData\Local\IceChat
2010-12-22 18:58:06 109248 ----a-w- C:\Windows\SysWow64\mswinsck.ocx
2010-12-22 18:58:05 -------- d-----w- C:\Program Files (x86)\IceChat7
2010-12-22 18:49:10 -------- d-----w- C:\Users\Spud\AppData\Roaming\mIRC
2010-12-22 16:49:47 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2010-12-22 16:49:47 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2010-12-22 01:16:01 -------- d-----w- C:\Users\Spud\AppData\Local\Secunia PSI
2010-12-22 01:15:57 -------- d-----w- C:\Program Files (x86)\Secunia
2010-12-21 07:52:23 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2010-12-21 07:52:19 -------- d-----w- C:\Users\Spud\AppData\Local\PunkBuster
2010-12-21 07:50:59 529424 ----a-w- C:\Windows\System32\d3dx10_37.dll
2010-12-18 06:52:12 -------- d-----w- C:\Users\Spud\AppData\Roaming\fltk.org
2010-12-17 09:42:52 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2010-12-16 04:28:04 648704 ----a-w- C:\Windows\System32\aticfx64.dll
2010-12-16 04:28:02 289792 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2010-12-16 04:28:01 21610496 ----a-w- C:\Windows\System32\atio6axx.dll
2010-12-16 04:28:00 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2010-12-16 04:28:00 249856 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2010-12-16 04:28:00 116752 ----a-w- C:\Windows\System32\drivers\AtihdW76.sys
2010-12-16 04:26:59 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2010-12-15 06:15:10 -------- d-----w- C:\Program Files (x86)\Aquaria

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- C:\Windows\avastSS.scr
2010-12-31 20:01:28 125520 ----a-w- C:\Windows\System32\drivers\aswFW.sys
2010-12-31 20:00:46 489552 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2010-12-31 20:00:16 250448 ----a-w- C:\Windows\System32\drivers\aswNdis2.sys
2010-12-31 19:56:41 62032 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2010-12-21 11:32:55 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2010-12-21 08:24:48 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2010-12-21 08:05:20 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2010-12-21 07:51:23 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
2010-12-21 00:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-12-16 04:28:03 3460096 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2010-12-16 04:26:56 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2010-11-13 00:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-24 03:50:55 332800 ----a-w- C:\Windows\System32\ATIODE.exe
2010-10-24 03:50:44 51200 ----a-w- C:\Windows\System32\ATIODCLI.exe
2010-10-21 21:11:04 97552 ----a-w- C:\Windows\System32\drivers\MijXfilt.sys
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-19 16:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-16 05:23:13 112000 ----a-w- C:\Windows\System32\consent.exe
2010-10-16 05:19:41 395776 ----a-w- C:\Windows\System32\webio.dll
2010-10-16 04:36:10 314368 ----a-w- C:\Windows\SysWow64\webio.dll

============= FINISH: 8:15:15.46 ===============

Edited by Please Help Us, 07 January 2011 - 09:22 AM.
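The DDS log above is what the helpers read by eye. As an added example (not from this thread and not part of DDS itself), here is a small Python triage pass over lines copied from that log, flagging the things a responder checks first: the UAC policies set to 0, the service registered from a Temp directory, entries whose file is missing, and the hosts override. The `Finding` type and the severity labels are my own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines copied from the DDS log posted in
# this thread, plus one of the section markers DDS prints. Not the full log.
SAMPLE_DDS_LOG = r"""
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-1 40384]
RUnknown DwProt;DwProt; [x]
S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\System32\drivers\btusbflt.sys [2010-4-14 54824]
""".strip()

# UAC policy values that weaken or disable User Account Control. The log in
# this thread shows all three at 0, so any elevation happens without a prompt.
UAC_WEAK = {
    "EnableLUA": "0",                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": "0",  # admins elevate silently
    "PromptOnSecureDesktop": "0",       # prompts, if any, not on the secure desktop
}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
# DDS service lines: <state> <name>;<display name>;<image path> [<date size>]
SERVICE_RE = re.compile(r"^(R\d|S\d|RUnknown|SUnknown)\s+([^;]*);([^;]*);(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (my own scale)
    line: str       # the DDS line that triggered it
    reason: str


def triage_dds(log_text: str) -> List[Finding]:
    """Walk a DDS log and return the lines a responder would look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):      # blank or section marker
            continue

        m = POLICY_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if UAC_WEAK.get(name) == value:
                findings.append(Finding("medium", line, f"UAC weakened: {name}={value}"))
            continue

        if line.endswith("- No File"):
            # Leftover CLSID with no DLL behind it: usually an uninstall remnant.
            findings.append(Finding("low", line, "orphaned registry entry, no file on disk"))
            continue

        m = HOSTS_RE.match(line)
        if m:
            # Any hosts override is worth a glance; here a security site is
            # pinned to loopback, which is a blocking entry rather than a hijack.
            findings.append(Finding("low", line, f"hosts override: {m.group(2)} -> {m.group(1)}"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group(2), m.group(4).strip()
            if TEMP_RE.search(path):
                # A service whose image lives in a user's Temp folder is the
                # classic persistence location for droppers; verify it by hand.
                findings.append(Finding("high", line, f"service '{name}' image lives under a Temp directory"))
            if path.endswith(("[x]", "[?]")):
                # DDS marks [x] when the file is gone and [?] when it could not
                # read it; either way the service cannot be vouched for.
                findings.append(Finding("medium", line, f"service '{name}' image missing or unverifiable"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a reply can lead with the worst ones."""
    counts: Dict[str, int] = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    hits = triage_dds(SAMPLE_DDS_LOG)
    for f in sorted(hits, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n          {f.line}")
    print(summarize(hits))
```

On the sample the only high finding is the SessionLauncher service under Temp; the rest of the log (avast, Realtek, the Dell tools) passes untouched, which matches the all-clear the helpers gave.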


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,824 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:14 PM

Posted 07 January 2011 - 11:12 AM

Hello there, let's first do some rootkit scanning to see whether or not someone might be using your computer as part of a Botnet.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
  • Link 1
  • Link 2
  • Link 3
  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Please Help Us

Please Help Us
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:10:14 AM

Posted 07 January 2011 - 11:15 AM

Alright then, here's the log. :)

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: DELL Inc.
BIOS Manufacturer: DELL INC.
System Manufacturer: DELL Inc.
System Product Name: Studio XPS 435T/9000
Logical Drives Mask: 0x0001000c

Kernel Drivers (total 160):
0x02C08000 \SystemRoot\system32\ntoskrnl.exe
0x031E4000 \SystemRoot\system32\hal.dll
0x00BC3000 \SystemRoot\system32\kdcom.dll
0x00CCC000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00D10000 \SystemRoot\system32\PSHED.dll
0x00D24000 \SystemRoot\system32\CLFS.SYS
0x00C00000 \SystemRoot\system32\CI.dll
0x00E1A000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00EBE000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00ECD000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00F24000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00F2D000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00F37000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00F44000 \SystemRoot\system32\DRIVERS\pci.sys
0x00F77000 \SystemRoot\System32\drivers\partmgr.sys
0x00F8C000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00FA1000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E00000 \SystemRoot\System32\drivers\mountmgr.sys
0x01010000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x0112C000 \SystemRoot\system32\DRIVERS\jraid.sys
0x01149000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x01178000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x01183000 \SystemRoot\system32\drivers\fltmgr.sys
0x011CF000 \SystemRoot\system32\drivers\fileinfo.sys
0x011E3000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x01234000 \SystemRoot\System32\Drivers\Ntfs.sys
0x00D82000 \SystemRoot\System32\Drivers\msrpc.sys
0x013D7000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0140C000 \SystemRoot\System32\Drivers\cng.sys
0x0147F000 \SystemRoot\System32\drivers\pcw.sys
0x01490000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0149A000 \SystemRoot\system32\drivers\ndis.sys
0x0158C000 \SystemRoot\system32\drivers\NETIO.SYS
0x01688000 \SystemRoot\System32\Drivers\aswNdis2.sys
0x016C9000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01803000 \SystemRoot\System32\drivers\tcpip.sys
0x016F4000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x0173E000 \SystemRoot\system32\DRIVERS\aswNdis.sys
0x01745000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x01791000 \SystemRoot\System32\Drivers\spldr.sys
0x01799000 \SystemRoot\System32\drivers\rdyboost.sys
0x017D3000 \SystemRoot\System32\Drivers\mup.sys
0x017E5000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01600000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x0163A000 \SystemRoot\system32\DRIVERS\disk.sys
0x01650000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x02C00000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x02C2A000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x02CA7000 \SystemRoot\System32\Drivers\Null.SYS
0x02CB0000 \SystemRoot\System32\Drivers\Beep.SYS
0x02CB7000 \SystemRoot\System32\drivers\vga.sys
0x01200000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x015EC000 \SystemRoot\System32\drivers\watchdog.sys
0x02CC5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x01400000 \SystemRoot\system32\drivers\rdpencdd.sys
0x01225000 \SystemRoot\system32\drivers\rdprefmp.sys
0x013F1000 \SystemRoot\System32\Drivers\Msfs.SYS
0x011EF000 \SystemRoot\System32\Drivers\Npfs.SYS
0x00DE0000 \SystemRoot\system32\DRIVERS\tdx.sys
0x01000000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x03C4F000 \SystemRoot\System32\Drivers\aswFW.SYS
0x03C71000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x03C81000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03CC6000 \SystemRoot\system32\drivers\afd.sys
0x03D50000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x03D5A000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03D63000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03D89000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03D98000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x03DB3000 \SystemRoot\system32\DRIVERS\termdd.sys
0x04278000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x042C9000 \SystemRoot\system32\drivers\nsiproxy.sys
0x042D5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x042E0000 \SystemRoot\System32\drivers\discache.sys
0x042EF000 \SystemRoot\System32\Drivers\dfsc.sys
0x0430D000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x0431E000 \SystemRoot\System32\Drivers\aswSP.SYS
0x04367000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x0438D000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x043A3000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x04851000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x05062000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x05156000 \SystemRoot\System32\drivers\dxgmms1.sys
0x0519C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x051C0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x04200000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x051CD000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04800000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x03C00000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x04839000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x051DE000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x04256000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x03DC7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x051EE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x0566A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x05699000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x056B4000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x056D5000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x056EF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x056FE000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x0570D000 \SystemRoot\system32\DRIVERS\swenum.sys
0x0570F000 \SystemRoot\system32\DRIVERS\ks.sys
0x05752000 \SystemRoot\system32\DRIVERS\circlass.sys
0x05764000 \SystemRoot\system32\DRIVERS\umbus.sys
0x05776000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x057D0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x05600000 \SystemRoot\system32\drivers\AtihdW76.sys
0x05620000 \SystemRoot\system32\drivers\portcls.sys
0x0685A000 \SystemRoot\system32\drivers\drmk.sys
0x0687C000 \SystemRoot\system32\drivers\ksthunk.sys
0x06A11000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x06A00000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x06882000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x0689B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x06A0E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x068A4000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x068B1000 \SystemRoot\System32\Drivers\RtsUStor.sys
0x068EB000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x06908000 \SystemRoot\system32\drivers\usbaudio.sys
0x06923000 \SystemRoot\system32\DRIVERS\usbcir.sys
0x06942000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x06950000 \SystemRoot\system32\DRIVERS\MijXfilt.sys
0x0696C000 \SystemRoot\system32\DRIVERS\xusb21.sys
0x0697D000 \SystemRoot\system32\DRIVERS\hidir.sys
0x0698E000 \SystemRoot\System32\Drivers\crashdmp.sys
0x02CCE000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x0699C000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x00000000 \SystemRoot\System32\win32k.sys
0x069AF000 \SystemRoot\System32\drivers\Dxapi.sys
0x069BB000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00520000 \SystemRoot\System32\TSDDD.dll
0x00740000 \SystemRoot\System32\cdd.dll
0x069C9000 \SystemRoot\system32\drivers\luafv.sys
0x06800000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x0683A000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x06843000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x0389C000 \SystemRoot\system32\drivers\WudfPf.sys
0x038BD000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x038D2000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x038EA000 \SystemRoot\system32\drivers\HTTP.sys
0x039B2000 \SystemRoot\system32\DRIVERS\bowser.sys
0x039D0000 \SystemRoot\System32\drivers\mpsdrv.sys
0x03800000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0382D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x07AAA000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x07ACD000 \SystemRoot\system32\drivers\peauth.sys
0x07B73000 \SystemRoot\System32\Drivers\secdrv.SYS
0x082D8000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0x0838F000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0x08200000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x0822D000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0823F000 \SystemRoot\System32\DRIVERS\srv2.sys
0x07A00000 \SystemRoot\System32\DRIVERS\srv.sys
0x07B7E000 \SystemRoot\System32\Drivers\fastfat.SYS
0x082A6000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0x0A293000 \SystemRoot\system32\DRIVERS\psi_mf.sys
0x0A3D6000 \SystemRoot\system32\drivers\dwprot.sys
0x76ED0000 \Windows\System32\ntdll.dll
0x48570000 \Windows\System32\smss.exe
0xFF1F0000 \Windows\System32\apisetschema.dll

Processes (total 74):
0 System Idle Process
4 System
388 C:\Windows\System32\smss.exe
612 csrss.exe
680 C:\Windows\System32\wininit.exe
688 csrss.exe
736 C:\Windows\System32\winlogon.exe
788 C:\Windows\System32\services.exe
804 C:\Windows\System32\lsass.exe
812 C:\Windows\System32\lsm.exe
904 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
460 C:\Windows\System32\atiesrxx.exe
520 C:\Windows\System32\svchost.exe
472 C:\Windows\System32\svchost.exe
676 C:\Windows\System32\svchost.exe
1124 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\atieclxx.exe
1196 C:\Program Files\Dell\DellDock\DockLogin.exe
1384 C:\Windows\System32\svchost.exe
1440 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1468 C:\Program Files\Alwil Software\Avast5\afwServ.exe
1856 C:\Windows\System32\spoolsv.exe
1896 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\svchost.exe
1356 C:\Windows\SysWOW64\PnkBstrA.exe
1240 C:\Windows\SysWOW64\PnkBstrB.exe
1964 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2084 C:\Program Files (x86)\Secunia\PSI\psia.exe
2616 C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
2656 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
2696 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2792 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2868 C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
2936 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3100 C:\Windows\System32\taskhost.exe
3160 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
3248 C:\Windows\System32\dwm.exe
3316 C:\Windows\explorer.exe
3548 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
3564 C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
3688 C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
3736 C:\Windows\System32\conhost.exe
3480 C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
3448 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3432 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3680 C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
2324 C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
4132 C:\Windows\System32\SearchIndexer.exe
4152 C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
4180 C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
4228 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
4608 C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
2916 C:\Windows\System32\svchost.exe
4696 C:\Program Files\Windows Media Player\wmpnetwk.exe
5428 C:\Windows\System32\svchost.exe
5756 C:\Windows\System32\svchost.exe
6096 dllhost.exe
5224 C:\Program Files (x86)\Secunia\PSI\sua.exe
1816 C:\Windows\System32\taskhost.exe
3364 C:\Windows\SysWOW64\ctfmon.exe
7912 C:\Program Files (x86)\Skype\Phone\Skype.exe
6504 C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
4692 C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
5656 C:\Program Files (x86)\IceChat7\IceChat7.exe
6472 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2380 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
1080 C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
5264 C:\Windows\System32\audiodg.exe
5848 C:\Windows\System32\SearchProtocolHost.exe
6416 C:\Windows\System32\SearchFilterHost.exe
4680 C:\Windows\explorer.exe
5724 C:\Users\Spud\Documents\Jon's\MBRCheck.exe
5604 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`bae00000 (NTFS)
\\.\Q: --> error 5

PhysicalDrive0 Model Number: WDCWD1001FAES-75W7A0, Rev: 05.01D05

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected
SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B


Done!

#6 Elise


Posted 07 January 2011 - 11:22 AM

That looks okay, let's also run this scan.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise




#7 Please Help Us


Posted 07 January 2011 - 11:32 AM

Alright, I just ran the scan and nothing came up. Is there anything else you wish me to do to make sure that I'm not infected or does everything look good?

#8 Elise


Posted 07 January 2011 - 11:46 AM

Everything looks completely fine. Besides the letter from your ISP, is your computer having actual problems, like extreme slowness, pop ups, browser redirects?

regards, Elise




#9 Please Help Us


Posted 07 January 2011 - 11:50 AM

Nothing that I've been able to spot so far, everything looks completely normal on my end. I just wasn't sure because of the letter, but if you think things are fine I'll believe that since nothing else has come to my attention that supports my ISP's letter. Anything else you wish me to do or any more questions you wish to ask? Also thank you for your time and help so far.

#10 Elise


Posted 07 January 2011 - 12:12 PM

No, there really is nothing to worry about here. :)

I've heard that certain ISPs send letters like the one you mentioned to their customers with the recommendation to visit their site to get help removing the malware, which then leads to certain (paid) Antivirus products which you are encouraged to buy (or to pay for support).

regards, Elise




#11 Please Help Us


Posted 07 January 2011 - 12:17 PM

I wouldn't be surprised if that was the case, my ISP is associated with AT&T. I'm sure it happens with other ISPs as well, but oh well, thank you for your help, I certainly hope I haven't wasted your time. Have a nice day and thank you again for helping me. :)

#12 Elise


Posted 07 January 2011 - 12:29 PM

No problem at all, better check it out in order to be sure. :)

I will now close this topic. If you need it reopened, please send me a PM.

regards, Elise






