Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Botnet Infection


  • Please log in to reply

#1
Staind

Staind

    Member

  • Member
  • PipPip
  • 13 posts
I have 2 hard drives infected with Botnet Trojan.

Symptoms:

PC fan kicks into overdrive when computer is idle, and when in use. 100% CPU usage at all times.

PC takes a long time to shut down, or won’t shut down properly.

All programs are running very slowly, and Internet Explorer unstable and cannot download antivirus software updates / visit vendors’ websites.

Internet access slows to a crawl.

Cannot download operating system updates.

Windows Task manager shows programs with very cryptic names or descriptions, and multiple "international resricted" connections.

Onboard AVG 2012 Internet Security Suite (Paid for version) completely disabled.

Conventional detection tools i.e. Gmer, DDS, OTL, etc.. unable to find any signs of infection.

Bleeping Computer unable to resolve. Said must be registry corruption, or hardware isssue. (I know better.)

Per Active Kill Disk: a disk read error occured... Mbr is missing... Mbr is compressed...press Ctr+Alt+Del to restart...

Per EASYBcd: Partitions 1,2,&3 are unmounted.

Partition 1 (0x42_1 MiB)
Partition 2 (0x42_84 MiB)
Partition 3 (0x42_16 MiB)
Partition 4 (C:\ as NTFS_233GiB)

Per BCDedit:

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device boot
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {eaa4fee8-3c4b-11e1-b74b-001e4fb3d2e8}
resumeobject {1f8184a2-14de-11df-9734-f08c6d8c50b0}
displayorder {eaa4fee8-3c4b-11e1-b74b-001e4fb3d2e8}
{2b97e348-3c4c-11e1-b74b-001e4fb3d2e8}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 10

Windows Boot Loader
-------------------
identifier {eaa4fee8-3c4b-11e1-b74b-001e4fb3d2e8}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows 7
locale en-US
osdevice partition=C:
systemroot \Windows
nx OptIn
pae Default
sos No
debug No

Windows Boot Loader
-------------------
identifier {2b97e348-3c4c-11e1-b74b-001e4fb3d2e8}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows 7
locale en-US
osdevice partition=C:
systemroot \Windows

Not sure why there are 2 Windows Boot Loaders in BCD store????

Please HELP!!!!

Edited by Staind, 12 January 2012 - 09:12 AM.

  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Could you give me a link to your BleepingComputer thread?

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then right click and Run as Administrator

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Right click aswMBR.exe and Run as Administrator
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply



Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Get Process Explorer
http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator). Click once or twice on the CPU column header to sort things by CPU usage with the big hitters at the top. Wait 30 seconds or so for things to settle down then File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.


Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot.
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:


cd  \windows\logs\cbs

copy  cbs.log  cbs.old

del  cbs.log

sfc  /scannow

findstr  /c:"[SR]"  cbs.log  >  junk.txt 




attach the file \windows\logs\cbs\junk.txt to your next reply.



1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0

#3
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I am infected with? W32 Swizzor-based.2!Maximus. I have attached 3 logs. RvsMessages.Zip Shows 44 detections: 3 Backdoor, 39 Viruses.
aswMBR.txt shows Hidden File: Trusted Intaller.exe.

Here is link to Bleeping Computer Thread:

http://www.bleepingc..._1#entry2529634

Also; Tech Support Forum said they were no longer able to help me? Link to that thread below:

http://www.techsuppo...tml#post3591390

P.S. I finally gave up on Bleeping Computer and told the analyst that I solved the problem to politely end the thread.

TDSSkiller has not detected anything on multiple scans (used as intructed by Bleeping Computer & Tech Support Forums).

Combo Fix has not detected anything on multiple scans (used as intructed by Bleeping Computer & Tech Support Forums).

Do you still want me to run these????

Sysinternals is going crazy; I have waited over 5 minutes and it has still not settled down. What does this mean? I has shown multiple hits in RED but they are going by so fast I can't read them in full. I saved it with comsurrogate in RED, hope it captured that.

Would you like my user name and passwords for both Bleeping Computer and Tech Support Forums?

Attached Files


Edited by Staind, 18 January 2012 - 02:32 PM.

  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
I need all of the logs I asked for. I can not read attachments at bleepingcomputer. Where did you get this RvsMessages.Zip? What program created it?
  • 0

#5
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
RvSMessages is from Returnil 2012 virus scan. What can I do to help with the Bleeping Computer and Tech Support Formus thing? I have had to reinstall OS several times.
  • 0

#6
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here VEW.txt & Junk.txt logs

Attached Files

  • Attached File  junk.txt   67.82KB   113 downloads
  • Attached File  VEW.txt   9.49KB   143 downloads

  • 0

#7
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is Systinternals log.

Attached Files


  • 0

#8
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
RKINNER,

I don't dare disable my antivirus protection as it has taken me a couple of days to setup what is keeping the Botnet guys at bay; (disabling it will put me in a world of hurt), and Combo Fix has previously been run; once for Bleeping Computer,and once for Tech Support Forums, and in each case they both said no evidence of malware.

TDSS killer has been run repeatedly and has detected absolutely nothing at all.

Have you by chance Googled W32/Swizzor-based.!maximus????? If not please do.

I have a Botnet infection, and as such someone has remote access to my PC. I have blocked that access by blocking their internet access to my PC via Comodo Internet Security Firewall Settings, and the use of Returnil Virtualization. I cannot tell you how frustrating it is to have your PC used as a Proxy/Zombie computer.

Edited by Staind, 18 January 2012 - 03:38 PM.

  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
I don't need to read the attachments at BleepingComputer if you will just copy and paste the ones I ask for here. Please do not attach logs unless they are too big to copy and paste.

Combofix log?

OTL & Extras log?

Reason I ask is because this looks like it might be a false positive. Since I have never heard of this anti-virus I would like to uninstall it and install the free Avast.
http://www.avast.com...ivirus-download

Download, Save, and right click and Run As Administrator.

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
Look in C:\ProgramData\Alwil Software\Avast5\report\aswboot.txt or C:\ProgramData\Avast Software\Avast5\report\aswboot.txt. That should be the text form of the report. Please copy and paste it if you can find it.
  • 0

#10
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Again,
I cannot run Combo Fix. OTL has been run multiple times as well and has netted no results. Avast was what I was running when this all started, and I have run boot time scans which have netted nothing as well. I finally have the ability to use the Internet without being cut off every time I attempt to access a site like yours, and I do not want to lose it. You have no idea what I have gone through in getting to this stage. I have been dealing with this for 2 months now and am most hessitant to make reverse progress. Surely there must be some other tools in your arsenal to be utilized? I have been through so many with the other support sites. I know it must appear to you that I am being difficult; however this is not the case in the least. I want to cooperate with you in every capacity to bring resolution to my issue, but I can't allow my situation to revert back to what it was previously; which was beyond maddening!
Also, sorry about the attaching thing (It was what the other sites wanted, so force of habit), I will paste directly from now on.

Let me run OTL for you.

Edited by Staind, 18 January 2012 - 04:09 PM.

  • 0

Advertisements


#11
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here it the link for Returnil Virtual System 2012:

http://download.cnet...latform=Windows

Here is the OTL log:

OTL logfile created on: 1/18/2012 9:11:51 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Seether\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 6.20 Gb Available Physical Memory | 77.49% Memory free
15.99 Gb Paging File | 13.88 Gb Available in Paging File | 86.79% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 56.48 Gb Total Space | 19.61 Gb Free Space | 34.72% Space Free | Partition Type: NTFS
Drive E: | 60.33 Gb Total Space | 60.29 Gb Free Space | 99.95% Space Free | Partition Type: NTFS
Drive F: | 116.08 Gb Total Space | 94.51 Gb Free Space | 81.42% Space Free | Partition Type: NTFS
Drive Z: | 56.48 Gb Total Space | 18.92 Gb Free Space | 33.50% Space Free | Partition Type: NTFS

Computer Name: SEETHER-PC | User Name: Seether | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/18 21:11:10 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Seether\Desktop\OTL.exe
PRC - [2012/01/18 20:18:24 | 004,763,456 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Seether\Desktop\procexp.exe
PRC - [2010/09/10 19:08:34 | 001,654,432 | ---- | M] (CJSC Returnil Software) -- C:\Program Files (x86)\Returnil\RVS3\rvsmon.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/12/19 18:59:00 | 002,779,416 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV:64bit: - [2011/11/23 09:27:10 | 001,267,000 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe -- (CLPSLS)
SRV:64bit: - [2009/07/14 00:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/09/10 19:08:34 | 001,654,432 | ---- | M] (CJSC Returnil Software) [Auto | Running] -- C:\Program Files (x86)\Returnil\RVS3\rvsmon.exe -- (RVSMONBL)
SRV - [2009/06/10 20:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/01/17 09:38:59 | 000,061,072 | ---- | M] (CJSC Returnil Software) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\rvsystem.sys -- (RVSystem)
DRV:64bit: - [2011/12/26 15:27:24 | 000,015,288 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\ampa.sys -- (ampa)
DRV:64bit: - [2011/12/19 18:59:16 | 000,022,696 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\SysNative\drivers\cmderd.sys -- (cmderd)
DRV:64bit: - [2010/09/03 14:56:44 | 000,021,920 | ---- | M] (CJSC Returnil Software) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rvsmonn2.sys -- (rvsmonn)
DRV:64bit: - [2010/09/03 14:56:42 | 001,555,592 | ---- | M] (CJSC Returnil Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\rvsmonf.sys -- (rvsmonf)
DRV:64bit: - [2010/09/03 14:56:40 | 000,164,640 | ---- | M] (CJSC Returnil Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\rvsmon.sys -- (rvsmon)
DRV:64bit: - [2009/07/14 00:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 00:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 00:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 00:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 00:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 00:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 19:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 19:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 19:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 19:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2011/12/26 15:27:22 | 000,012,728 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\ampa.sys -- (ampa)
DRV - [2009/07/14 00:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 30 09 8E A0 F9 D4 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found



O1 HOSTS File: ([2009/06/10 20:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe (COMODO)
O4 - HKLM..\Run: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe (COMODO)
O4 - HKLM..\Run: [WinPatrol] C:\desktop\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.220.0.10 24.220.0.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{89A97E5B-88F9-4012-AE4A-D2E845DB8148}: DhcpNameServer = 24.220.0.10 24.220.0.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{89A97E5B-88F9-4012-AE4A-D2E845DB8148}: NameServer = 8.26.56.26,156.154.70.22
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) -C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/18 21:11:09 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Seether\Desktop\OTL.exe
[2012/01/18 20:18:33 | 001,075,528 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Seether\Desktop\procexp64.exe
[2012/01/18 20:18:16 | 004,763,456 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Seether\Desktop\procexp.exe
[2012/01/18 19:53:13 | 000,061,440 | ---- | C] ( ) -- C:\Users\Seether\Desktop\VEW.exe
[2012/01/18 19:41:46 | 039,307,416 | ---- | C] (CJSC Returnil Software) -- C:\Users\Seether\Desktop\rss-2011.exe
[2012/01/18 17:26:55 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Local\Diagnostics
[2012/01/18 17:21:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2012/01/18 17:20:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2012/01/18 17:20:05 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2012/01/18 17:20:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2012/01/18 17:17:53 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2012/01/18 17:16:55 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Local\Microsoft Help
[2012/01/18 17:16:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Office
[2012/01/18 17:16:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2012/01/18 17:16:25 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2012/01/18 14:40:22 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2012/01/18 14:40:19 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2012/01/17 15:19:17 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/01/17 15:17:07 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2012/01/17 15:16:29 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2012/01/17 15:15:54 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2012/01/17 09:53:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MiniTool Partition Wizard Home Edition 7.0
[2012/01/17 09:49:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NeoSmart Technologies
[2012/01/17 09:48:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Aomei Partition Assistant Home Edition 4.0
[2012/01/17 09:44:10 | 000,016,200 | ---- | C] (McAfee, Inc.) -- C:\Windows\stinger.sys
[2012/01/17 09:39:20 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Roaming\Returnil
[2012/01/17 09:39:03 | 000,021,920 | ---- | C] (CJSC Returnil Software) -- C:\Windows\SysNative\drivers\rvsmonn2.sys
[2012/01/17 09:39:02 | 001,555,592 | ---- | C] (CJSC Returnil Software) -- C:\Windows\SysNative\drivers\rvsmonf.sys
[2012/01/17 09:39:00 | 000,164,640 | ---- | C] (CJSC Returnil Software) -- C:\Windows\SysNative\drivers\rvsmon.sys
[2012/01/17 09:38:59 | 000,061,072 | ---- | C] (CJSC Returnil Software) -- C:\Windows\SysNative\drivers\rvsystem.sys
[2012/01/17 09:38:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Returnil
[2012/01/17 09:38:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Returnil
[2012/01/17 09:38:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Returnil
[2012/01/17 09:25:16 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\InstallShield Installation Information
[2012/01/17 09:25:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LSoft Technologies Inc
[2012/01/17 09:25:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Active@ Partition Manager
[2012/01/17 09:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\oavozwgh
[2012/01/17 09:20:37 | 000,000,000 | ---D | C] -- C:\ProgramData\PrevxCSI
[2012/01/17 08:55:27 | 000,000,000 | ---D | C] -- C:\Users\Seether\Pavark
[2012/01/17 08:54:41 | 000,000,000 | ---D | C] -- C:\ProgramData\CPA_VA
[2012/01/17 08:53:38 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\COMODO
[2012/01/17 08:52:45 | 000,000,000 | -H-D | C] -- C:\VritualRoot
[2012/01/17 08:48:19 | 009,027,648 | ---- | C] (McAfee Inc.) -- C:\Users\Seether\Desktop\stinger.exe
[2012/01/17 08:40:45 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Users\Seether\Desktop\aswMBR.exe
[2012/01/17 08:34:56 | 003,470,688 | ---- | C] (TrueCrypt Foundation) -- C:\Users\Seether\Desktop\TrueCrypt Setup 7.1.exe
[2012/01/17 08:28:47 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Roaming\WinPatrol
[2012/01/17 08:28:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
[2012/01/17 08:28:43 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2012/01/17 08:28:43 | 000,000,000 | ---D | C] -- C:\desktop
[2012/01/17 08:26:10 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2012/01/17 08:26:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo
[2012/01/17 08:26:09 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2012/01/17 08:26:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
[2012/01/17 08:26:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Comodo
[2012/01/17 08:22:46 | 000,000,000 | R--D | C] -- C:\Users\Seether\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/01/17 08:22:46 | 000,000,000 | R--D | C] -- C:\Users\Seether\Searches
[2012/01/17 08:22:46 | 000,000,000 | R--D | C] -- C:\Users\Seether\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/01/17 08:22:46 | 000,000,000 | -H-D | C] -- C:\Users\Seether\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/01/17 08:22:37 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Roaming\Identities
[2012/01/17 08:22:35 | 000,000,000 | R--D | C] -- C:\Users\Seether\Contacts
[2012/01/17 08:22:33 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Local\VirtualStore
[2012/01/17 08:22:24 | 000,000,000 | --SD | C] -- C:\Users\Seether\AppData\Roaming\Microsoft
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Videos
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Saved Games
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Pictures
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Music
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Links
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Favorites
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Downloads
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Documents
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\Desktop
[2012/01/17 08:22:24 | 000,000,000 | R--D | C] -- C:\Users\Seether\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\AppData\Local\Temporary Internet Files
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Templates
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Start Menu
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\SendTo
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Recent
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\PrintHood
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\NetHood
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Documents\My Videos
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Documents\My Pictures
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Documents\My Music
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\My Documents
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Local Settings
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\AppData\Local\History
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Cookies
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\Application Data
[2012/01/17 08:22:24 | 000,000,000 | -HSD | C] -- C:\Users\Seether\AppData\Local\Application Data
[2012/01/17 08:22:24 | 000,000,000 | -H-D | C] -- C:\Users\Seether\AppData
[2012/01/17 08:22:24 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Local\Temp
[2012/01/17 08:22:24 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Local\Microsoft
[2012/01/17 08:22:24 | 000,000,000 | ---D | C] -- C:\Users\Seether\AppData\Roaming\Media Center Programs
[2012/01/17 08:22:13 | 000,000,000 | -HSD | C] -- C:\Recovery
[2012/01/17 07:59:15 | 000,000,000 | -HSD | C] -- C:\Boot

========== Files - Modified Within 30 Days ==========

[2012/01/18 21:11:10 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Seether\Desktop\OTL.exe
[2012/01/18 21:10:25 | 002,884,994 | ---- | M] () -- C:\Users\Seether\Desktop\otl4_htm.zip
[2012/01/18 21:07:27 | 001,474,832 | ---- | M] () -- C:\Windows\SysNative\drivers\sfi.dat
[2012/01/18 21:05:15 | 000,013,600 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/18 21:05:15 | 000,013,600 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/18 20:18:33 | 001,075,528 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Seether\Desktop\procexp64.exe
[2012/01/18 20:18:24 | 004,763,456 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Seether\Desktop\procexp.exe
[2012/01/18 19:53:13 | 000,061,440 | ---- | M] ( ) -- C:\Users\Seether\Desktop\VEW.exe
[2012/01/18 19:42:53 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/01/18 19:42:53 | 000,615,122 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/01/18 19:42:53 | 000,103,496 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/01/18 19:41:47 | 039,307,416 | ---- | M] (CJSC Returnil Software) -- C:\Users\Seether\Desktop\rss-2011.exe
[2012/01/18 19:37:52 | 000,290,280 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/01/18 19:37:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/18 19:37:31 | 2145,398,783 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/18 17:19:38 | 000,005,639 | ---- | M] () -- C:\Users\Seether\Desktop\RvsMessages.zip
[2012/01/18 17:10:03 | 000,101,888 | ---- | M] () -- C:\Users\Seether\Desktop\RvsMessages.xml
[2012/01/18 05:46:31 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2012/01/17 15:19:19 | 000,039,252 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2012/01/17 15:19:19 | 000,039,252 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2012/01/17 09:53:27 | 000,001,013 | ---- | M] () -- C:\Users\Public\Desktop\MiniTool Partition Wizard Home Edition.lnk
[2012/01/17 09:49:23 | 000,000,944 | ---- | M] () -- C:\Users\Public\Desktop\EasyBCD 2.1.2.lnk
[2012/01/17 09:48:20 | 000,000,988 | ---- | M] () -- C:\Users\Public\Desktop\Aomei Partition Assistant Home Edition 4.0.lnk
[2012/01/17 09:46:41 | 000,000,041 | RH-- | M] () -- C:\Users\Seether\Desktop\stinger.opt
[2012/01/17 09:44:10 | 000,016,200 | ---- | M] (McAfee, Inc.) -- C:\Windows\stinger.sys
[2012/01/17 09:38:59 | 000,061,072 | ---- | M] (CJSC Returnil Software) -- C:\Windows\SysNative\drivers\rvsystem.sys
[2012/01/17 09:38:59 | 000,002,002 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RSS 2011.lnk
[2012/01/17 08:49:07 | 004,104,900 | ---- | M] () -- C:\Users\Seether\Desktop\RootkitBuster_5.00.1041.zip
[2012/01/17 08:48:27 | 009,027,648 | ---- | M] (McAfee Inc.) -- C:\Users\Seether\Desktop\stinger.exe
[2012/01/17 08:47:29 | 000,350,458 | ---- | M] () -- C:\Users\Seether\Desktop\RKDetector2.zip
[2012/01/17 08:45:46 | 000,002,968 | ---- | M] () -- C:\Users\Seether\Desktop\Update-SysinternalsSuite.ps1
[2012/01/17 08:40:45 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Users\Seether\Desktop\aswMBR.exe
[2012/01/17 08:38:40 | 025,379,308 | ---- | M] () -- C:\Users\Seether\Desktop\cce_1.6.183539.73_x64.zip
[2012/01/17 08:34:58 | 003,470,688 | ---- | M] (TrueCrypt Foundation) -- C:\Users\Seether\Desktop\TrueCrypt Setup 7.1.exe
[2012/01/17 08:30:21 | 000,067,408 | ---- | M] () -- C:\Users\Seether\Desktop\cports.zip
[2012/01/17 08:26:53 | 001,328,072 | ---- | M] () -- C:\Users\Seether\Desktop\KeyScrambler_Setup.exe
[2012/01/17 08:26:15 | 000,001,846 | ---- | M] () -- C:\Users\Public\Desktop\COMODO Internet Security.lnk
[2012/01/17 08:26:10 | 000,001,079 | ---- | M] () -- C:\Users\Seether\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2012/01/17 08:23:03 | 000,001,447 | ---- | M] () -- C:\Users\Seether\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/12/29 08:08:08 | 001,523,128 | ---- | M] () -- C:\Windows\ampa.exe
[2011/12/26 15:27:24 | 000,015,288 | ---- | M] () -- C:\Windows\SysNative\ampa.sys
[2011/12/26 15:27:22 | 000,012,728 | ---- | M] () -- C:\Windows\SysWow64\ampa.sys

========== Files Created - No Company Name ==========

[2012/01/18 21:10:22 | 002,884,994 | ---- | C] () -- C:\Users\Seether\Desktop\otl4_htm.zip
[2012/01/18 17:19:38 | 000,005,639 | ---- | C] () -- C:\Users\Seether\Desktop\RvsMessages.zip
[2012/01/18 17:10:03 | 000,101,888 | ---- | C] () -- C:\Users\Seether\Desktop\RvsMessages.xml
[2012/01/17 17:15:50 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK
[2012/01/17 15:19:10 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2012/01/17 15:19:04 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2012/01/17 15:16:29 | 2145,398,783 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/17 09:53:27 | 000,001,013 | ---- | C] () -- C:\Users\Public\Desktop\MiniTool Partition Wizard Home Edition.lnk
[2012/01/17 09:49:23 | 000,000,944 | ---- | C] () -- C:\Users\Public\Desktop\EasyBCD 2.1.2.lnk
[2012/01/17 09:48:20 | 000,015,288 | ---- | C] () -- C:\Windows\SysNative\ampa.sys
[2012/01/17 09:48:20 | 000,012,728 | ---- | C] () -- C:\Windows\SysWow64\ampa.sys
[2012/01/17 09:48:20 | 000,000,988 | ---- | C] () -- C:\Users\Public\Desktop\Aomei Partition Assistant Home Edition 4.0.lnk
[2012/01/17 09:48:19 | 001,523,128 | ---- | C] () -- C:\Windows\ampa.exe
[2012/01/17 09:46:41 | 000,000,041 | RH-- | C] () -- C:\Users\Seether\Desktop\stinger.opt
[2012/01/17 09:38:59 | 000,002,002 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RSS 2011.lnk
[2012/01/17 08:49:06 | 004,104,900 | ---- | C] () -- C:\Users\Seether\Desktop\RootkitBuster_5.00.1041.zip
[2012/01/17 08:47:28 | 000,350,458 | ---- | C] () -- C:\Users\Seether\Desktop\RKDetector2.zip
[2012/01/17 08:45:46 | 000,002,968 | ---- | C] () -- C:\Users\Seether\Desktop\Update-SysinternalsSuite.ps1
[2012/01/17 08:38:40 | 025,379,308 | ---- | C] () -- C:\Users\Seether\Desktop\cce_1.6.183539.73_x64.zip
[2012/01/17 08:30:21 | 000,067,408 | ---- | C] () -- C:\Users\Seether\Desktop\cports.zip
[2012/01/17 08:27:00 | 001,474,832 | ---- | C] () -- C:\Windows\SysNative\drivers\sfi.dat
[2012/01/17 08:26:51 | 001,328,072 | ---- | C] () -- C:\Users\Seether\Desktop\KeyScrambler_Setup.exe
[2012/01/17 08:26:15 | 000,001,846 | ---- | C] () -- C:\Users\Public\Desktop\COMODO Internet Security.lnk
[2012/01/17 08:26:10 | 000,001,079 | ---- | C] () -- C:\Users\Seether\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2012/01/17 08:23:03 | 000,001,447 | ---- | C] () -- C:\Users\Seether\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/17 08:22:51 | 000,001,419 | ---- | C] () -- C:\Users\Seether\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2012/01/17 08:22:48 | 000,001,453 | ---- | C] () -- C:\Users\Seether\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/01/17 08:22:24 | 000,000,290 | ---- | C] () -- C:\Users\Seether\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2012/01/17 08:22:24 | 000,000,272 | ---- | C] () -- C:\Users\Seether\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2012/01/17 07:59:15 | 000,383,562 | RHS- | C] () -- C:\bootmgr
[2009/07/14 04:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 01:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 01:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 23:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 22:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 20:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 20:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2012/01/17 09:39:36 | 000,000,000 | ---D | M] -- C:\Users\Seether\AppData\Roaming\Returnil
[2012/01/17 08:28:47 | 000,000,000 | ---D | M] -- C:\Users\Seether\AppData\Roaming\WinPatrol
[2009/07/14 04:08:49 | 000,001,866 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Here is Extras:

OTL Extras logfile created on: 1/18/2012 9:11:51 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Seether\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 6.20 Gb Available Physical Memory | 77.49% Memory free
15.99 Gb Paging File | 13.88 Gb Available in Paging File | 86.79% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 56.48 Gb Total Space | 19.61 Gb Free Space | 34.72% Space Free | Partition Type: NTFS
Drive E: | 60.33 Gb Total Space | 60.29 Gb Free Space | 99.95% Space Free | Partition Type: NTFS
Drive F: | 116.08 Gb Total Space | 94.51 Gb Free Space | 81.42% Space Free | Partition Type: NTFS
Drive Z: | 56.48 Gb Total Space | 18.92 Gb Free Space | 33.50% Space Free | Partition Type: NTFS

Computer Name: SEETHER-PC | User Name: Seether | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007811BF-E310-4285-BFC6-55DB29B3EDDE}" = WinPatrol
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{D6AB1F5B-FED6-49A9-9747-327BD28FB3C7}" = COMODO Internet Security

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02F850ED-FD0E-4ED1-BE0B-54981f5BD3D4}_is1" = Aomei Partition Assistant Home Edition 4.0
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{A98E3354-AD08-427C-A0AC-32221A3E6598}" = Active@ Partition Manager
"{BD2ED507-A630-449C-BAC1-852BF667F5B7}" = Returnil System Safe 2011
"{DE59B901-18EA-4CB9-ADE4-291BF5C1E12E}_is1" = MiniTool Partition Wizard Home Edition 7.0
"COMODO GeekBuddy" = COMODO GeekBuddy
"EasyBCD" = EasyBCD 2.1.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/17/2012 6:41:15 AM | Computer Name = Seether-PC | Source = Application Error | ID = 1000
Description = Faulting application name: RootkitRevealer.exe, version: 1.71.0.0,
time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0,
time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting
process id: 0x974 Faulting application start time: 0x01ccd50486e761b0 Faulting application
path: C:\Users\Seether\Desktop\RootkitRevealer\RootkitRevealer.exe Faulting module
path: C:\Users\Seether\Desktop\RootkitRevealer\RootkitRevealer.exe Report Id: c72e6d90-40f7-11e1-bebe-001e4fb3d2e8

Error - 1/17/2012 6:41:21 AM | Computer Name = Seether-PC | Source = Application Error | ID = 1000
Description = Faulting application name: RootkitRevealer.exe, version: 1.71.0.0,
time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0,
time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting
process id: 0xad0 Faulting application start time: 0x01ccd5048d1ff8d0 Faulting application
path: C:\Users\Seether\Desktop\RootkitRevealer\RootkitRevealer.exe Faulting module
path: C:\Users\Seether\Desktop\RootkitRevealer\RootkitRevealer.exe Report Id: cb0cc8d0-40f7-11e1-bebe-001e4fb3d2e8

Error - 1/17/2012 6:42:44 AM | Computer Name = Seether-PC | Source = Application Error | ID = 1000
Description = Faulting application name: RootkitRevealer.exe, version: 1.71.0.0,
time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0,
time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting
process id: 0x820 Faulting application start time: 0x01ccd504bed1e550 Faulting application
path: C:\Users\Seether\Desktop\RootkitRevealer\RootkitRevealer.exe Faulting module
path: C:\Users\Seether\Desktop\RootkitRevealer\RootkitRevealer.exe Report Id: fcabaa50-40f7-11e1-bebe-001e4fb3d2e8

Error - 1/18/2012 4:42:14 PM | Computer Name = Seether-PC | Source = MsiInstaller | ID = 10005
Description =

Error - 1/18/2012 4:43:26 PM | Computer Name = Seether-PC | Source = MsiInstaller | ID = 1013
Description =

Error - 1/18/2012 4:43:50 PM | Computer Name = Seether-PC | Source = MsiInstaller | ID = 1013
Description =

Error - 1/18/2012 4:44:29 PM | Computer Name = Seether-PC | Source = MsiInstaller | ID = 10005
Description =

Error - 1/18/2012 5:14:21 PM | Computer Name = Seether-PC | Source = MsiInstaller | ID = 1013
Description =

[ System Events ]
Error - 1/18/2012 4:38:31 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Search service to connect.

Error - 1/18/2012 4:38:31 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053

Error - 1/18/2012 4:38:31 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Search service to connect.

Error - 1/18/2012 4:38:31 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053

Error - 1/18/2012 4:38:31 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Search service to connect.

Error - 1/18/2012 4:38:31 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053

Error - 1/18/2012 4:38:32 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Search service to connect.

Error - 1/18/2012 4:38:32 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053

Error - 1/18/2012 4:38:33 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Search service to connect.

Error - 1/18/2012 4:38:33 PM | Computer Name = Seether-PC | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053


< End of report >

Edited by Staind, 18 January 2012 - 04:22 PM.

  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
OK. Submit the first file on the list to https://www.virustotal.com/

C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-IE-SETUP-SUPPORT_31BF3856AD364E35_8.0.7600.16385_NONE_E061527F36CED75C\IE4UINIT.EXE

Copy and paste the report that you get from them.
  • 0

#13
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
SHA256: 558051539419a41de5e815715dcb5de4aa38eb53229c27a73a49e22f966f469d
SHA1: d18a28696a0860f93ad482d85bfec80001a6433d
MD5: 147956b92baafc39667d963ee535667e
File size: 9.7 KB ( 9949 bytes )
File type: Office Open XML Document
Detection ratio: 0 / 43
Analysis date: 2012-01-19 15:41:31 UTC ( 0 minutes ago )

00
Antivirus Result Update
AhnLab-V3 - 20120119
AntiVir - 20120119
Antiy-AVL - 20120119
Avast - 20120119
AVG - 20120119
BitDefender - 20120119
ByteHero - 20120111
CAT-QuickHeal - 20120119
ClamAV - 20120119
Commtouch - 20120119
Comodo - 20120119
DrWeb - 20120119
Emsisoft - 20120119
eSafe - 20120117
eTrust-Vet - 20120119
F-Prot - 20120118
F-Secure - 20120119
Fortinet - 20120119
GData - 20120119
Ikarus - 20120119
Jiangmin - 20120119
K7AntiVirus - 20120118
Kaspersky - 20120119
McAfee - 20120119
McAfee-GW-Edition - 20120119
Microsoft - 20120119
NOD32 - 20120119
Norman - 20120119
nProtect - 20120119
Panda - 20120118
PCTools - 20120119
Prevx - 20120119
Rising - 20120118
Sophos - 20120119
SUPERAntiSpyware - 20120119
Symantec - 20120119
TheHacker - 20120119
TrendMicro - 20120119
TrendMicro-HouseCall - 20120119
VBA32 - 20120119
VIPRE - 20120119
ViRobot - 20120119
VirusBuster - 20120118
  • 0

#14
Staind

Staind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I know you did not request this, but I believe it to be important. I have not been able to wipe this with multiple operating system reinstalls or low level formatting.

This is what ACTIVE KILL DISK revealed about a hidden sector on my hard drive that it was unable to wipe:

Floppy Disk 0
NO NAME (A:)
NAME:
VERSION:
SERIAL:
DEVICE GEOMETRY:
MODE LBA: NO
CYLINDERS: 80
TRACKS PER CYLINDER: 2
SECTORS PER TRACK: 36
TOTAL SECTORS: 5760
BYTES PER SECTOR: 512
TOTAL SIZE: 2.813 MB (2949120 bytes)
Writing Block (00)
CANNOT OVERWRITE
ERROR WRITING SECTORS 1 - 5760
ON FLOPPY DISK 0

Below is Image view of Floppy Disk 0:

-<<ROOT>> +$ EXTEND .HS... (Hidden, system, MFT)
$ Extend +$ RECYCLE.BIN .HS... (Hidden, system)
+$ Recycle.bin +$ SYSTEM ~ 1 .HS... (Hidden, system, resident)
System Volume Inf + $ EXTRA.!!! (Found)
+!!! Extra Deleted $ mft 262144 .HS... (Hidden, system, MFT)
$ mftmirr 4096 .HS... (Hidden, system, MFT)
$ logfile 4194304 .HS... (Hidden, system, MFT)
$ volume 0 .HS... (Hidden, system, resident)
$ attrdef 2560 .HS... (Hidden, system, MFT)
$ bitmap 1976752 .HS... (Hidden, system, MFT)
$ boot 8192 .HS... (Hidden, system, MFT)
$ badclus 0 .HS... (Hidden, system, resident)
$ Secure 0 .HS... (Hidden, system, MFT)
$ upcase 131072 .HS... (Hidden, system, MFT)

$ Extend $ quota .HSA.. (Archive, hidden, system, resident)
$ objid .HSA.. (Archive, hidden, system, resident)
$ reparse .HSA.. (Archive, hidden, system, resident)
+$ RECYCLE.BIN + S - 1 -5 - ~ 1 .hs...
+ S - 1 -5 - ~ 2 .hs...
+ S - 1 -5 - ~ 3 .hs...
SYSTEM VOLUME INF Tracking.log .HSA.. (Archive, hidden, system)
+!!! EXTRA DELETED +Folder 29 (Found)

I believe this is the HIDDEN virus that has replaced the original MBR on my operating system.

Edited by Staind, 19 January 2012 - 09:50 AM.

  • 0

#15
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Detection ratio: 0 / 43


So it was a false positive as I expected. You can submit the other files but I expect you will get the same 0/43 answer.

You say you can not run Combofix. Have you tried downloading and new copy and renaming it (call it george.exe)

Have you tried running it in Safe Mode with Networking?


(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.)

Have you tried using msconfig to do a Diagnostic Boot and then trying to run it?

Have you tried Start, (All) Programs, Accessories, Right click on Command Prompt and Run As Admin then type with an enter after the line:

"%userprofile%\Desktop\combofix.exe" /killall

(Make sure you put a space before the /killall)



You are using another tool I am not familiar with to look at your partitions. This one seems a bit confused as it is talking about a floppy drive rather than your hard drive:

Floppy Disk 0
NO NAME (A:)
NAME:
VERSION:
SERIAL:
DEVICE GEOMETRY:
MODE LBA: NO
CYLINDERS: 80
TRACKS PER CYLINDER: 2
SECTORS PER TRACK: 36
TOTAL SECTORS: 5760
BYTES PER SECTOR: 512
TOTAL SIZE: 2.813 MB (2949120 bytes)


If the rootkit infection is really smart it can fool any program that runs from Windows. Your best bet would be to try a program that boots from a CD. I like to use Hiren's Boot Disk:

http://www.hirensbootcd.org/download/
This a BIG! Zip File so save it (preferably on a different clean PC). Then right click on it and Extract all. Put a blank CD in the drive and then double click on BurnToCD.cmd. When it finishes you boot off it and run the MiniXP program. Under Start All Programs are several MBR utilities that will tell you a lot about the MBR and the partitions.

If you run MBRWizard then the command

MBRWiz /List

will show you all the partitions on the drive. Based on what aswMBR sees you should only have three partitions:

Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 118862 MB offset 2048
Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 61773 MB offset 243432945
Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 57833 MB offset 369950720

Partition 3 is the bootable one. All three should be of type: 07 or NTFS If you have anything else then there is cause for alarm. (If you have a digital camera you can take a picture of the screen and attach it to your next post.)

Another option if you can't get Hiren's to work is gparted:

http://sourceforge.n...-3.iso/download

This is another bootable CD program. It has a nicer interface than MBRWiz so should be easier to use.

Hiren's also has several anti-virus scans which you can try. Much harder for a virus to hide when Windows is not running.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP