Virginian11
2013-04-09, 02:12
Thank you in advance for any help you can give. I have run Malwarebytes and Superantispyware, and Spybot Search and Destroy is the only malware program that is indicating a problem; it threw up a message indicating signs of a rootkit. The computer is not acting strangely except for some increased humming and loudness that may indicate unauthorized program activity.
I am running a Gateway AMD-A63620 2.20 GHz
4GB RAM, 64 bit
Windows 7 Home Premium SP1
Here is what the regular Spybot Search and Destroy scan told me:
Search results from Spybot - Search & Destroy
4/8/2013 10:45:23 AM
Scan took 01:17:02.
12 items found.
Right Media: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): astraea) (Browser: Cookie, nothing done)
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-218250134-4234375755-1195284414-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-218250134-4234375755-1195284414-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
WinRAR: [SBI $0B56E92B] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-218250134-4234375755-1195284414-1000\Software\WinRAR\ArcHistory
WinRAR: [SBI $B84F9965] Last used directory (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-218250134-4234375755-1195284414-1000\Software\WinRAR\General\LastFolder
Cookie: [SBI $49804B54] Browser: Cookie (96) (Browser: Cookie, nothing done)
Cache: [SBI $49804B54] Browser: Cache (785) (Browser: Cache, nothing done)
History: [SBI $49804B54] Browser: History (291) (Browser: History, nothing done)
Cookie: [SBI $49804B54] Browser: Cookie (10) (Browser: Cookie, nothing done)
--- Spybot - Search & Destroy version: 2.0.12.131 DLL (build: 20121113) ---
2012-11-13 blindman.exe (2.0.12.151)
2012-11-13 explorer.exe (2.0.12.173)
2012-11-13 SDBootCD.exe (2.0.12.109)
2012-11-13 SDCleaner.exe (2.0.12.110)
2012-11-13 SDDelFile.exe (2.0.12.94)
2012-11-13 SDFiles.exe (2.0.12.135)
2012-11-13 SDFileScanHelper.exe (2.0.12.1)
2012-11-13 SDFSSvc.exe (2.0.12.205)
2012-11-13 SDImmunize.exe (2.0.12.130)
2012-11-13 SDLogReport.exe (2.0.12.107)
2012-11-13 SDPESetup.exe (2.0.12.3)
2012-11-13 SDPEStart.exe (2.0.12.86)
2012-11-13 SDPhoneScan.exe (2.0.12.27)
2012-11-13 SDPRE.exe (2.0.12.13)
2012-11-13 SDPrepPos.exe (2.0.12.10)
2012-11-13 SDQuarantine.exe (2.0.12.103)
2012-11-13 SDRootAlyzer.exe (2.0.12.116)
2012-11-13 SDSBIEdit.exe (2.0.12.39)
2012-11-13 SDScan.exe (2.0.12.173)
2012-11-13 SDScript.exe (2.0.12.53)
2012-11-13 SDSettings.exe (2.0.12.130)
2012-11-13 SDShred.exe (2.0.12.105)
2012-11-13 SDSysRepair.exe (2.0.12.101)
2012-11-13 SDTools.exe (2.0.12.150)
2012-11-13 SDTray.exe (2.0.12.127)
2012-11-13 SDUpdate.exe (2.0.12.89)
2012-11-13 SDUpdSvc.exe (2.0.12.76)
2012-11-13 SDWelcome.exe (2.0.12.126)
2012-11-13 SDWSCSvc.exe (2.0.12.2)
2013-03-10 unins000.exe (51.1052.0.0)
1999-12-02 xcacls.exe
2012-08-23 borlndmm.dll (10.0.2288.42451)
2012-09-05 DelZip190.dll (1.9.0.107)
2012-09-10 libeay32.dll (1.0.0.4)
2012-09-10 libssl32.dll (1.0.0.4)
2012-11-13 SDAdvancedCheckLibrary.dll (2.0.12.98)
2012-11-13 SDECon32.dll (2.0.12.113)
2012-11-13 SDECon64.dll (2.0.12.113)
2012-11-13 SDEvents.dll (2.0.12.2)
2012-11-13 SDFileScanLibrary.dll (2.0.12.9)
2012-11-13 SDHelper.dll (2.0.12.88)
2012-11-13 SDImmunizeLibrary.dll (2.0.12.2)
2012-11-13 SDLists.dll (2.0.12.4)
2012-11-13 SDResources.dll (2.0.12.7)
2012-11-13 SDScanLibrary.dll (2.0.12.131)
2012-11-13 SDTasks.dll (2.0.12.15)
2012-11-13 SDWinLogon.dll (2.0.12.0)
2012-08-23 sqlite3.dll
2012-09-10 ssleay32.dll (1.0.0.4)
2012-11-13 Tools.dll (2.0.12.36)
2012-11-13 UninsSrv.dll (2.0.12.52)
2012-12-18 Includes\Adware.sbi (*)
2013-03-05 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2012-11-14 Includes\Dialer.sbi (*)
2012-11-14 Includes\DialerC.sbi (*)
2012-11-14 Includes\HeavyDuty.sbi (*)
2012-11-14 Includes\Hijackers.sbi (*)
2012-11-14 Includes\HijackersC.sbi (*)
2012-11-14 Includes\iPhone.sbi (*)
2012-11-14 Includes\Keyloggers.sbi (*)
2012-12-18 Includes\KeyloggersC.sbi (*)
2012-11-21 Includes\Malware.sbi (*)
2013-03-12 Includes\MalwareC.sbi (*)
2012-11-14 Includes\PUPS.sbi (*)
2013-03-12 Includes\PUPSC.sbi (*)
2012-11-14 Includes\Security.sbi (*)
2012-11-14 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2012-11-14 Includes\Spyware.sbi (*)
2012-11-14 Includes\SpywareC.sbi (*)
2011-06-07 Includes\Tracks.sbi (*)
2012-11-19 Includes\Tracks.uti (*)
2013-01-16 Includes\Trojans.sbi (*)
2013-02-25 Includes\TrojansC-02.sbi (*)
2013-03-12 Includes\TrojansC-03.sbi (*)
2013-03-11 Includes\TrojansC-04.sbi (*)
2012-11-14 Includes\TrojansC-05.sbi (*)
2013-03-01 Includes\TrojansC.sbi (*)
____________________________________________________
Here is what the Spybot rootkit scan told me:
Quick Scan results: Clean except for Master Boot Records
5 MBR's checked
Unknown MBRs: Physical Drive 2, Physical Drive 3, Physical...
Deep Scan Results:
Type: File
Object: AUPEO:$WIMMOUNTDATA:$DATA
Location: C:\OEM\Preload\Autorun\APP\
Details: Unknown ADS
Type: File
Object: NOOK for PC:$WIMMOUNTDATA:$DATA
Location: C:\OEM\Preload\Autorun\APP\
Details: Unknown ADS
Type: Key
Object: Flyout
Location: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\
Details: No admin in ACL
Type: Key
Object: Svc
Location: HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\
Details: No admin in ACL
_______________________________________________
Here is the DDS log:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16470 BrowserJavaVersion: 10.17.2
Run by astraea at 18:23:53 on 2013-04-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3797.2203 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: COMODO Antivirus *Disabled/Outdated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\killswitch.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDRootAlyzer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://duckduckgo.com/
mStart Page = hxxp://www.bing.com/?pc=MAGW
mDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: [SpybotDeletingE608] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDDelFile.exe" "C:\Windows\setupact.log"
mRunOnce: [GrpConv] grpconv -o
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files (x86)\Paltalk Messenger\Paltalk.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\47865602D61647279687 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\47865602D61647279687 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\C696E6B6379737 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\C696E6B6379737 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\F6365616E6E6564777F627B6 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\F6365616E6E6564777F627B6 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E89BB127-85DB-4EBA-B62D-28611AFDB7DA} : NameServer = 8.26.56.26,156.154.70.22
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://www.bing.com/?pc=MAGW
x64-mDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\
FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
FF - ExtSQL: 2013-03-16 10:00; {73a6fe31-595d-460b-a920-fcc0f8843232}; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-03-16 10:00; firefox@ghostery.com; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\firefox@ghostery.com
FF - ExtSQL: 2013-03-16 10:03; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2013-03-16 10:05; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-03-16 10:06; trackmenot@mrl.nyu.edu; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\trackmenot@mrl.nyu.edu.xpi
FF - ExtSQL: 2013-03-16 11:33; nosquint@urandom.ca; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\nosquint@urandom.ca.xpi
FF - ExtSQL: 2013-03-16 16:32; wrc@avast.com; C:\Program Files\AVAST Software\Avast\WebRep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-10-26 79488]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-10-26 40064]
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-9 65336]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-3-16 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-3-16 377920]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\System32\drivers\cmderd.sys [2013-1-16 23176]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdguard.sys [2013-1-16 699880]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2013-1-16 48360]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-10-26 204288]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-3-16 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-3-16 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-3-16 45248]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2011-10-25 244624]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-3-10 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-3-10 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-3-10 168384]
R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2013-3-9 87168]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2013-3-9 188544]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-10-26 231440]
R3 netr7364;Belkin Wireless 54G USB Network Adapter Driver;C:\Windows\System32\drivers\netr7364.sys [2013-3-9 716800]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-10-25 533096]
RUnknown 14583096;14583096; [x]
RUnknown 8776183drv;8776183drv; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-3-9 178624]
S3 cmdvirth;COMODO Virtual Service Manager;C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-1-24 158928]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-3-9 1255736]
.
=============== Created Last 30 ================
.
2013-04-08 15:29:59 -------- d-----w- C:\ProgramData\Kaspersky Lab
2013-04-08 13:10:41 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2013-04-07 06:25:30 -------- d-----w- C:\Program Files (x86)\ESET
2013-03-28 02:47:00 1656459 ----a-w- C:\Users\astraea\winrar-x64-420.exe
2013-03-28 02:41:12 -------- d-----w- C:\Program Files (x86)\Sims2Pack Clean Installer
2013-03-22 20:01:59 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2013-03-20 20:18:37 -------- d-----w- C:\Program Files (x86)\EA GAMES
2013-03-20 20:18:33 442368 ----a-r- C:\Windows\SysWow64\vp6vfw.dll
2013-03-20 06:02:38 -------- d-----w- C:\Program Files (x86)\XMind
2013-03-17 21:55:13 -------- d-----w- C:\Users\astraea\AppData\Local\Diagnostics
2013-03-17 20:11:27 -------- d-----w- C:\Program Files (x86)\Core Services
2013-03-16 20:32:46 70992 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-03-16 20:32:45 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-03-16 20:32:45 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-03-16 20:32:17 41664 ----a-w- C:\Windows\avastSS.scr
2013-03-16 06:53:43 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-03-16 06:47:52 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-16 06:37:17 963488 ----a-w- C:\Windows\System32\deployJava1.dll
2013-03-16 06:37:16 1085344 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-03-16 06:36:47 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-03-15 15:29:58 -------- d-----w- C:\Users\astraea\AppData\Roaming\Malwarebytes
2013-03-13 20:41:06 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2013-03-12 17:12:48 -------- d-----w- C:\Users\astraea\AppData\Roaming\LibreOffice
2013-03-10 05:38:45 -------- d-----w- C:\Program Files (x86)\Yahoo!
2013-03-10 05:29:17 -------- dc----w- C:\Users\astraea\AppData\Local\MigWiz
2013-03-10 05:27:09 -------- d-----w- C:\Users\astraea\AppData\Roaming\XMind
2013-03-10 05:26:27 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-03-10 05:26:27 477168 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-03-10 05:21:59 -------- d-----w- C:\Program Files (x86)\LibreOffice 4.0
2013-03-10 05:08:12 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2013-03-10 05:08:03 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-03-10 05:07:56 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-03-10 04:47:03 -------- d-----w- C:\Program Files\Paint.NET
2013-03-10 04:46:47 -------- d-----w- C:\Users\astraea\AppData\Local\Paint.NET
2013-03-10 04:36:38 -------- d-----w- C:\ProgramData\Malwarebytes
2013-03-10 04:36:37 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-03-10 04:36:37 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-10 04:34:53 -------- d-----w- C:\Users\astraea\AppData\Local\Programs
2013-03-10 04:34:24 388096 ----a-r- C:\Users\astraea\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-03-10 04:34:24 -------- d-----w- C:\Program Files (x86)\Trend Micro
2013-03-10 04:26:54 -------- d-----w- C:\Users\astraea\AppData\Roaming\SUPERAntiSpyware.com
2013-03-10 04:26:17 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2013-03-10 04:26:17 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2013-03-10 04:23:23 -------- d-----w- C:\Program Files\CCleaner
2013-03-10 04:17:27 -------- d-----w- C:\Users\astraea\AppData\Local\Macromedia
2013-03-10 03:37:37 -------- d-----w- C:\Users\astraea\AppData\Roaming\Paltalk
2013-03-10 03:36:44 -------- d-----w- C:\Program Files (x86)\Paltalk Messenger
2013-03-10 03:23:23 -------- d-----w- C:\Users\astraea\AppData\Roaming\.purple
2013-03-10 03:22:28 -------- d-----w- C:\Program Files (x86)\Pidgin
2013-03-10 02:25:38 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-03-09 23:34:40 -------- d-----w- C:\Users\astraea\AppData\Local\Thunderbird
.
==================== Find3M ====================
.
2013-03-17 05:21:23 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-09 18:45:35 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2013-03-09 18:45:35 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2013-03-09 18:45:35 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2013-03-09 18:39:47 0 ----a-w- C:\Windows\ativpsrm.bin
2013-03-09 16:51:44 716800 ----a-w- C:\Windows\System32\drivers\netr7364.sys
2013-03-09 16:51:44 305152 ----a-w- C:\Windows\System32\RaCoInstx.dll
2013-03-06 23:33:21 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-03-06 23:33:21 178624 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-02-28 07:14:20 773968 ----a-w- C:\Windows\SysWow64\msvcr100.dll
2013-02-28 07:14:20 421200 ----a-w- C:\Windows\SysWow64\msvcp100.dll
2013-02-02 06:57:02 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-02-02 06:47:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-02-02 06:47:19 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-02-02 06:42:18 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-02-02 06:41:51 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-02-02 06:38:01 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-02-02 03:38:35 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-02-02 03:30:32 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-02-02 03:30:21 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-02-02 03:26:47 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-02-02 03:26:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-02-02 03:23:28 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-01-25 03:43:04 43216 ----a-w- C:\Windows\System32\cmdcsr.dll
2013-01-25 03:43:02 461384 ----a-w- C:\Windows\System32\guard64.dll
2013-01-25 03:43:02 354752 ----a-w- C:\Windows\SysWow64\guard32.dll
2013-01-25 03:42:54 45776 ----a-w- C:\Windows\System32\cmdkbd64.dll
2013-01-25 03:42:54 326352 ----a-w- C:\Windows\System32\cmdvrt64.dll
2013-01-25 03:42:50 40656 ----a-w- C:\Windows\SysWow64\cmdkbd32.dll
2013-01-25 03:42:50 263888 ----a-w- C:\Windows\SysWow64\cmdvrt32.dll
2013-01-17 00:51:46 699880 ----a-w- C:\Windows\System32\drivers\cmdguard.sys
2013-01-17 00:51:46 48360 ----a-w- C:\Windows\System32\drivers\cmdhlp.sys
2013-01-17 00:51:44 23176 ----a-w- C:\Windows\System32\drivers\cmderd.sys
.
============= FINISH: 18:25:01.53 ===============
________________________________________
And here is the aswMBR log:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-08 18:35:10
-----------------------------
18:35:10.603 OS Version: Windows x64 6.1.7601 Service Pack 1
18:35:10.603 Number of processors: 4 586 0x100
18:35:10.603 ComputerName: MINT-PC UserName: astraea
18:35:12.584 Initialize success
18:35:12.927 AVAST engine defs: 13040802
18:35:20.618 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
18:35:20.618 Disk 0 Vendor: WDC_WD10 77.0 Size: 953869MB BusType: 11
18:35:20.727 Disk 0 MBR read successfully
18:35:20.727 Disk 0 MBR scan
18:35:20.727 Disk 0 Windows 7 default MBR code
18:35:20.743 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
18:35:20.759 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 27265024
18:35:20.774 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 940455 MB offset 27469824
18:35:20.790 Disk 0 scanning C:\Windows\system32\drivers
18:35:24.596 Service scanning
18:35:33.785 Modules scanning
18:35:33.800 Disk 0 trace - called modules:
18:35:33.847 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
18:35:33.847 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049d7060]
18:35:34.175 3 CLASSPNP.SYS[fffff8800190e43f] -> nt!IofCallDriver -> [0xfffffa80039c0ac0]
18:35:34.190 5 amd_xata.sys[fffff88001158a1d] -> nt!IofCallDriver -> \Device\00000063[0xfffffa8004778530]
18:35:35.735 AVAST engine scan C:\Windows
18:35:38.808 AVAST engine scan C:\Windows\system32
18:37:31.581 AVAST engine scan C:\Windows\system32\drivers
18:37:59.239 AVAST engine scan C:\Users\astraea
18:42:23.925 Disk 0 MBR has been saved successfully to "C:\Users\astraea\Desktop\MBR.dat"
18:42:23.925 The log file has been saved successfully to "C:\Users\astraea\Desktop\aswMBR.txt"
Do I have a problem? Thank you very much for any help you can give. Being told there is a rootkit is scary.
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\killswitch.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDRootAlyzer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://duckduckgo.com/
mStart Page = hxxp://www.bing.com/?pc=MAGW
mDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: [SpybotDeletingE608] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDDelFile.exe" "C:\Windows\setupact.log"
mRunOnce: [GrpConv] grpconv -o
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files (x86)\Paltalk Messenger\Paltalk.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\47865602D61647279687 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\47865602D61647279687 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\C696E6B6379737 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\C696E6B6379737 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\F6365616E6E6564777F627B6 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E6DFE44E-3357-4168-BBD1-7FB5B84A510A}\F6365616E6E6564777F627B6 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E89BB127-85DB-4EBA-B62D-28611AFDB7DA} : NameServer = 8.26.56.26,156.154.70.22
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://www.bing.com/?pc=MAGW
x64-mDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\
FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
FF - ExtSQL: 2013-03-16 10:00; {73a6fe31-595d-460b-a920-fcc0f8843232}; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-03-16 10:00; firefox@ghostery.com; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\firefox@ghostery.com
FF - ExtSQL: 2013-03-16 10:03; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2013-03-16 10:05; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-03-16 10:06; trackmenot@mrl.nyu.edu; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\trackmenot@mrl.nyu.edu.xpi
FF - ExtSQL: 2013-03-16 11:33; nosquint@urandom.ca; C:\Users\astraea\AppData\Roaming\Mozilla\Firefox\Profiles\yr5gely8.default-1363442161351\extensions\nosquint@urandom.ca.xpi
FF - ExtSQL: 2013-03-16 16:32; wrc@avast.com; C:\Program Files\AVAST Software\Avast\WebRep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-10-26 79488]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-10-26 40064]
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-9 65336]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-3-16 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-3-16 377920]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\System32\drivers\cmderd.sys [2013-1-16 23176]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdguard.sys [2013-1-16 699880]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2013-1-16 48360]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-10-26 204288]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-3-16 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-3-16 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-3-16 45248]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2011-10-25 244624]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-3-10 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-3-10 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-3-10 168384]
R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2013-3-9 87168]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2013-3-9 188544]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-10-26 231440]
R3 netr7364;Belkin Wireless 54G USB Network Adapter Driver;C:\Windows\System32\drivers\netr7364.sys [2013-3-9 716800]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-10-25 533096]
RUnknown 14583096;14583096; [x]
RUnknown 8776183drv;8776183drv; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-3-9 178624]
S3 cmdvirth;COMODO Virtual Service Manager;C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-1-24 158928]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-3-9 1255736]
.
=============== Created Last 30 ================
.
2013-04-08 15:29:59 -------- d-----w- C:\ProgramData\Kaspersky Lab
2013-04-08 13:10:41 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2013-04-07 06:25:30 -------- d-----w- C:\Program Files (x86)\ESET
2013-03-28 02:47:00 1656459 ----a-w- C:\Users\astraea\winrar-x64-420.exe
2013-03-28 02:41:12 -------- d-----w- C:\Program Files (x86)\Sims2Pack Clean Installer
2013-03-22 20:01:59 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2013-03-20 20:18:37 -------- d-----w- C:\Program Files (x86)\EA GAMES
2013-03-20 20:18:33 442368 ----a-r- C:\Windows\SysWow64\vp6vfw.dll
2013-03-20 06:02:38 -------- d-----w- C:\Program Files (x86)\XMind
2013-03-17 21:55:13 -------- d-----w- C:\Users\astraea\AppData\Local\Diagnostics
2013-03-17 20:11:27 -------- d-----w- C:\Program Files (x86)\Core Services
2013-03-16 20:32:46 70992 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-03-16 20:32:45 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-03-16 20:32:45 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-03-16 20:32:17 41664 ----a-w- C:\Windows\avastSS.scr
2013-03-16 06:53:43 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-03-16 06:47:52 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-16 06:37:17 963488 ----a-w- C:\Windows\System32\deployJava1.dll
2013-03-16 06:37:16 1085344 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-03-16 06:36:47 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-03-15 15:29:58 -------- d-----w- C:\Users\astraea\AppData\Roaming\Malwarebytes
2013-03-13 20:41:06 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2013-03-12 17:12:48 -------- d-----w- C:\Users\astraea\AppData\Roaming\LibreOffice
2013-03-10 05:38:45 -------- d-----w- C:\Program Files (x86)\Yahoo!
2013-03-10 05:29:17 -------- dc----w- C:\Users\astraea\AppData\Local\MigWiz
2013-03-10 05:27:09 -------- d-----w- C:\Users\astraea\AppData\Roaming\XMind
2013-03-10 05:26:27 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-03-10 05:26:27 477168 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-03-10 05:21:59 -------- d-----w- C:\Program Files (x86)\LibreOffice 4.0
2013-03-10 05:08:12 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2013-03-10 05:08:03 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-03-10 05:07:56 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-03-10 04:47:03 -------- d-----w- C:\Program Files\Paint.NET
2013-03-10 04:46:47 -------- d-----w- C:\Users\astraea\AppData\Local\Paint.NET
2013-03-10 04:36:38 -------- d-----w- C:\ProgramData\Malwarebytes
2013-03-10 04:36:37 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-03-10 04:36:37 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-10 04:34:53 -------- d-----w- C:\Users\astraea\AppData\Local\Programs
2013-03-10 04:34:24 388096 ----a-r- C:\Users\astraea\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-03-10 04:34:24 -------- d-----w- C:\Program Files (x86)\Trend Micro
2013-03-10 04:26:54 -------- d-----w- C:\Users\astraea\AppData\Roaming\SUPERAntiSpyware.com
2013-03-10 04:26:17 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2013-03-10 04:26:17 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2013-03-10 04:23:23 -------- d-----w- C:\Program Files\CCleaner
2013-03-10 04:17:27 -------- d-----w- C:\Users\astraea\AppData\Local\Macromedia
2013-03-10 03:37:37 -------- d-----w- C:\Users\astraea\AppData\Roaming\Paltalk
2013-03-10 03:36:44 -------- d-----w- C:\Program Files (x86)\Paltalk Messenger
2013-03-10 03:23:23 -------- d-----w- C:\Users\astraea\AppData\Roaming\.purple
2013-03-10 03:22:28 -------- d-----w- C:\Program Files (x86)\Pidgin
2013-03-10 02:25:38 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-03-09 23:34:40 -------- d-----w- C:\Users\astraea\AppData\Local\Thunderbird
.
==================== Find3M ====================
.
2013-03-17 05:21:23 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-09 18:45:35 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2013-03-09 18:45:35 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2013-03-09 18:45:35 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2013-03-09 18:39:47 0 ----a-w- C:\Windows\ativpsrm.bin
2013-03-09 16:51:44 716800 ----a-w- C:\Windows\System32\drivers\netr7364.sys
2013-03-09 16:51:44 305152 ----a-w- C:\Windows\System32\RaCoInstx.dll
2013-03-06 23:33:21 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-03-06 23:33:21 178624 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-02-28 07:14:20 773968 ----a-w- C:\Windows\SysWow64\msvcr100.dll
2013-02-28 07:14:20 421200 ----a-w- C:\Windows\SysWow64\msvcp100.dll
2013-02-02 06:57:02 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-02-02 06:47:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-02-02 06:47:19 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-02-02 06:42:18 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-02-02 06:41:51 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-02-02 06:38:01 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-02-02 03:38:35 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-02-02 03:30:32 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-02-02 03:30:21 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-02-02 03:26:47 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-02-02 03:26:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-02-02 03:23:28 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-01-25 03:43:04 43216 ----a-w- C:\Windows\System32\cmdcsr.dll
2013-01-25 03:43:02 461384 ----a-w- C:\Windows\System32\guard64.dll
2013-01-25 03:43:02 354752 ----a-w- C:\Windows\SysWow64\guard32.dll
2013-01-25 03:42:54 45776 ----a-w- C:\Windows\System32\cmdkbd64.dll
2013-01-25 03:42:54 326352 ----a-w- C:\Windows\System32\cmdvrt64.dll
2013-01-25 03:42:50 40656 ----a-w- C:\Windows\SysWow64\cmdkbd32.dll
2013-01-25 03:42:50 263888 ----a-w- C:\Windows\SysWow64\cmdvrt32.dll
2013-01-17 00:51:46 699880 ----a-w- C:\Windows\System32\drivers\cmdguard.sys
2013-01-17 00:51:46 48360 ----a-w- C:\Windows\System32\drivers\cmdhlp.sys
2013-01-17 00:51:44 23176 ----a-w- C:\Windows\System32\drivers\cmderd.sys
.
============= FINISH: 18:25:01.53 ===============
________________________________________
And here is the aswMBR log:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-08 18:35:10
-----------------------------
18:35:10.603 OS Version: Windows x64 6.1.7601 Service Pack 1
18:35:10.603 Number of processors: 4 586 0x100
18:35:10.603 ComputerName: MINT-PC UserName: astraea
18:35:12.584 Initialize success
18:35:12.927 AVAST engine defs: 13040802
18:35:20.618 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
18:35:20.618 Disk 0 Vendor: WDC_WD10 77.0 Size: 953869MB BusType: 11
18:35:20.727 Disk 0 MBR read successfully
18:35:20.727 Disk 0 MBR scan
18:35:20.727 Disk 0 Windows 7 default MBR code
18:35:20.743 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
18:35:20.759 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 27265024
18:35:20.774 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 940455 MB offset 27469824
18:35:20.790 Disk 0 scanning C:\Windows\system32\drivers
18:35:24.596 Service scanning
18:35:33.785 Modules scanning
18:35:33.800 Disk 0 trace - called modules:
18:35:33.847 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
18:35:33.847 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049d7060]
18:35:34.175 3 CLASSPNP.SYS[fffff8800190e43f] -> nt!IofCallDriver -> [0xfffffa80039c0ac0]
18:35:34.190 5 amd_xata.sys[fffff88001158a1d] -> nt!IofCallDriver -> \Device\00000063[0xfffffa8004778530]
18:35:35.735 AVAST engine scan C:\Windows
18:35:38.808 AVAST engine scan C:\Windows\system32
18:37:31.581 AVAST engine scan C:\Windows\system32\drivers
18:37:59.239 AVAST engine scan C:\Users\astraea
18:42:23.925 Disk 0 MBR has been saved successfully to "C:\Users\astraea\Desktop\MBR.dat"
18:42:23.925 The log file has been saved successfully to "C:\Users\astraea\Desktop\aswMBR.txt"
Do I have a problem? Thank you very much for any help you can give. Being told there is a rootkit is scary.