Author Topic: Donbot?  (Read 18807 times)


Jtaylor83

  • Guest
Re: Donbot?
« Reply #15 on: June 22, 2009, 09:21:24 PM »
Curse my rushed mood last night, I deleted it, will I have to redownload it somehow? ???

You can restore it with Recuva. (Disable avast! before running this program)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: Donbot?
« Reply #16 on: June 22, 2009, 09:36:07 PM »
Hi Winter_Nights,


PLSRemote.exe is a remote administration program that allows you to remotely monitor and control your computer. This program may also be installed by various trojans for malicious purposes. It is recommended that you remove it if you don't want to remotely control your computer.
Security Issues: Potentially Unwanted
It should be easy to remove.
Right click your Start button > Explore all users > Local Disk C > WINDOWS > System32
Click Search
Click All Files and Folders
Type in PLSRemote.exe
Click Search
Delete anything it finds

Next, click Start > Run > services.msc. Search for a service called PLSRemote Service (PLSRemoteSvc). When found, right click on it and select Properties. Then change the startup type to Disabled.

Open HijackThis, click Do a system scan only and place a check next to the following lines if present:

O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
Neutral only if you installed it (3.46 / 5.00)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
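
The O23 entry quoted in the post above can be checked mechanically across a whole HijackThis log. This is an added example, not part of the original post or of HijackThis: a small parser for O23 service lines that lists the entries worth a manual look. Apart from the PLSRemote line, the sample log, the function names and the review heuristics are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed HijackThis excerpt: the PLSRemote line is the one quoted in the
# post; every other entry is invented for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: Example Updater (ExampleUpd) - Example Corp - C:\Program Files\Example\upd.exe
O23 - Service: Example Helper (ExHelper) - Unknown owner - C:\Program Files\Example\helper.exe (file missing)
"""

# Layout: O23 - Service: <display name> (<service name>) - <owner> - <path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

class Service(NamedTuple):
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool

def parse_o23(line: str) -> Optional[Service]:
    """Return the parsed O23 entry, or None for any other log line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(m["display"], m["name"], m["owner"], m["path"], bool(m["missing"]))

def review_reasons(svc: Service) -> list:
    """Heuristics chosen for this example; they prompt a look, not a verdict."""
    reasons = []
    if svc.owner.lower() == "unknown owner":
        reasons.append("no owner/company reported for the binary")
    if "\\system32\\" in svc.path.lower():
        reasons.append("third-party service binary under system32")
    if svc.file_missing:
        reasons.append("service still registered but binary is missing")
    return reasons

def triage(log_text: str) -> dict:
    """Map service name -> reasons for O23 entries with at least one reason."""
    out = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc and (reasons := review_reasons(svc)):
            out[svc.name] = reasons
    return out
```

An entry that is flagged after its file was deleted (the "file missing" case) is the leftover service registration that the services.msc and HijackThis steps in the post are meant to clear.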

Winter_Nights

  • Guest
Re: Donbot?
« Reply #17 on: June 23, 2009, 12:50:55 AM »
Thanks guys, I really appreciate this.  ;D

Here's the VirusTotal results for PLSRemote.exe:  http://www.virustotal.com/analisis/05880d0edad3e4dceb5161f9277116de6c2e68194f97b03029080364593d2e51-1245710769

I'm setting up Recuva right now, and once I get the file back I will send it to VirusTotal.
And once again, thanks!

And I deleted the file with Malwarebytes', avast! didn't detect it.

« Last Edit: June 23, 2009, 12:58:04 AM by Winter_Nights »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89152
  • No support PMs thanks
Re: Donbot?
« Reply #18 on: June 23, 2009, 01:34:58 AM »
When you delete (correct term in MBAM is Remove) a file in MBAM it also places a copy in the Quarantine area, check the Quarantine tab in the MBAM settings.

This may save you some drama.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Winter_Nights

  • Guest
Re: Donbot?
« Reply #19 on: June 23, 2009, 01:36:34 AM »
Thanks, but I checked and it wasn't there, next time I need to think before I perform an action.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Donbot?
« Reply #20 on: June 23, 2009, 02:47:59 AM »
Here you go. It's out of the same location in my Windows XP (Home) SP3.
I've renamed it to ".txt" so it would upload.
Save it, rename the extension to ".sys", place it in your C:\Windows\System32\drivers folder (check to see it's not already there- it may have recreated itself following a reboot, but unlikely) and you should be away laughing. I hope.
Windows 10,Windows Firewall,Firefox w/Adblock.

Winter_Nights

  • Guest
Re: Donbot?
« Reply #21 on: June 23, 2009, 02:58:28 AM »
Thanks Tarq57, one thing I'm wondering about is that dmload was in C://Program Files(or Windows, I'm not sure)/Winnt/system32/dmload.sys, is there anything odd about that?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Donbot?
« Reply #22 on: June 23, 2009, 04:35:05 AM »
Good point. The original location according to your MBAM report (back a page) was "c:\minint\system32\drivers\dmload.sys (Trojan.Spambot)...."
So I am a bit curious as to what the "minint" folder is for.
Are you comfortable navigating with Windows Explorer?  Care to take a look at that folder?
Windows 10,Windows Firewall,Firefox w/Adblock.

Winter_Nights

  • Guest
Re: Donbot?
« Reply #23 on: June 23, 2009, 04:42:07 AM »
This is odd...
When I try to look for it, it doesn't show up, and when I manually put it in the address bar, it says access is denied...

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Donbot?
« Reply #24 on: June 23, 2009, 05:24:43 AM »
Are you running as admin?
Set your folder options to show hidden and system files.
Sounding possibly suspiciouser and suspiciouser.
Windows 10,Windows Firewall,Firefox w/Adblock.

Winter_Nights

  • Guest
Re: Donbot?
« Reply #25 on: June 23, 2009, 06:50:42 AM »
I did that, and it still says access is denied.
 :(
« Last Edit: June 23, 2009, 06:57:14 AM by Winter_Nights »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Donbot?
« Reply #26 on: June 23, 2009, 01:41:28 PM »
I'd do another scan with MBAM, and if it still shows up, select it for removal.

Try also checking that you are able to navigate to C:\Windows\System32\Drivers, and see if that "dmload.sys" file actually exists. Should be about 6-8Kb. If access is denied to your system32 folder, it means something has hijacked you at some point, and stuff needs to be re-set.
PS, don't type it in the address bar, just navigate to it.
Windows 10,Windows Firewall,Firefox w/Adblock.

Winter_Nights

  • Guest
Re: Donbot?
« Reply #27 on: June 23, 2009, 04:55:34 PM »
Thank you so much, dmload.sys is 5.75 KB and under C:\WINDOWS\system32\drivers.
And thankfully I was able to access it as you can see  ;D
And I'm running a MBAM scan as we speak.

Winter_Nights

  • Guest
Re: Donbot?
« Reply #28 on: June 23, 2009, 09:16:16 PM »
Okay, I ran a MBAM scan, as well as an Ad-Aware scan, and nothing was found.

micky77

  • Guest
Re: Donbot?
« Reply #29 on: June 23, 2009, 09:59:44 PM »
Did you / are you fixing the HJT entry?