help with resycled\ntldr.com error

Compaq / Ps284aa-abz sr1329it it51...
January 19, 2009 at 00:27:31
Specs: Microsoft Windows XP Home Edition, 2.21 GHz / 1535 MB
Hi,

since yesterday morning I have been experiencing the same problem that some of you have also run into. I could not access my computer drives due to a resycled\ntldr.com.

Yesterday I could not access the drives only. After following the guideline in this thread http://www.computing.net/answers/se... by heart, this morning I get an error saying "resycled\ntldr.com is not a valid Win32 application" on both drives.

Can someone help me remove it?
I can post Malwarebytes' Anti-Malware and HijackThis logs.

Thanks in advance
ANT





#1
January 19, 2009 at 03:43:23
Please post your logs.


#2
January 19, 2009 at 05:04:44
Malwarebytes' Anti-Malware 1.33
Versione del database: 1665
Windows 5.1.2600 Service Pack 3

18/01/2009 16.42.56
mbam-log-2009-01-18 (16-42-52).txt

Tipo di scansione: Scansione rapida
Elementi scansionati: 54418
Tempo trascorso: 4 minute(s), 45 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 1
Chiavi di registro infette: 1
Valori di registro infetti: 1
Elementi dato del registro infetti: 0
Cartelle infette: 1
File infetti: 10

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
C:\Programmi\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> No action taken.

Chiavi di registro infette:
HKEY_CLASSES_ROOT\videoplay (Trojan.DNSChanger) -> No action taken.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnxtrapp (Trojan.Agent) -> No action taken.

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
C:\resycled (Trojan.DNSChanger) -> No action taken.

File infetti:
C:\autorun.inf (Trojan.DNSChanger) -> No action taken.
C:\resycled\ntldr.com (Trojan.DNSChanger) -> No action taken.
C:\Programmi\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> No action taken.
C:\Programmi\Pirelli\Access Gateway USB Network\CnxTrApp.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\tempo-099.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-1CB.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-473.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-847.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-F1B.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-F8D.tmp (Trojan.DNSChanger) -> No action taken.

---

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.07.50, on 18/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\File comuni\InterVideo\SchSvr\SchSvr.exe
C:\Programmi\InterVideo\Common\Bin\WinRemote.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\driven~1\syncer\McciTrayApp.exe
C:\Programmi\QuickTime\QTTask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\OpenOffice.org 3\program\soffice.exe
C:\Programmi\OpenOffice.org 3\program\soffice.bin
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Proprietario\Documenti\Programmi installati\tools.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programmi\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmi\File comuni\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Programmi\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AliceRE_McciTrayApp] C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\driven~1\syncer\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Programmi\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica i video con Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network WanMiniport First Position - Unknown owner - C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11769 bytes



#3
January 19, 2009 at 05:09:43
SORRY POSTED THE WRONG MBAM LOG

THIS IS THE RIGHT ONE

Malwarebytes' Anti-Malware 1.33
Versione del database: 1665
Windows 5.1.2600 Service Pack 3

18/01/2009 16.43.03
mbam-log-2009-01-18 (16-43-03).txt

Tipo di scansione: Scansione rapida
Elementi scansionati: 54418
Tempo trascorso: 4 minute(s), 45 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 1
Chiavi di registro infette: 1
Valori di registro infetti: 1
Elementi dato del registro infetti: 0
Cartelle infette: 1
File infetti: 10

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
C:\Programmi\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Chiavi di registro infette:
HKEY_CLASSES_ROOT\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnxtrapp (Trojan.Agent) -> Quarantined and deleted successfully.

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

File infetti:
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled\ntldr.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Programmi\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\Programmi\Pirelli\Access Gateway USB Network\CnxTrApp.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\tempo-099.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-1CB.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-473.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-847.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-F1B.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-F8D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
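The two MBAM logs above differ only in the action column ("No action taken" versus "Quarantined and deleted successfully" / "Delete on reboot"), which is exactly what a helper needs to check before deciding whether a reboot or a rescan is still required. The following parser is an added example, not code from the thread or from Malwarebytes; it assumes the 1.x log layout shown in the posts (a section header ending in ":" followed by lines of the form `item (Threat.Name) -> action.`). The log excerpt inside it is constructed from that format, not a captured log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and report which detections
are still pending removal. Added example; the SAMPLE_LOG excerpt below is
constructed to mirror the (Italian-localised) logs posted in this thread."""

import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed excerpt in the same layout as the posted logs.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.33
Versione del database: 1665

Moduli della memoria infetti:
C:\\Programmi\\Mozilla Firefox\\components\\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Chiavi di registro infette:
HKEY_CLASSES_ROOT\\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

File infetti:
C:\\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\\resycled\\ntldr.com (Trojan.DNSChanger) -> No action taken.
"""


class Detection(NamedTuple):
    category: str   # section header the line appeared under
    item: str       # file path or registry key
    threat: str     # MBAM family name, e.g. Trojan.DNSChanger
    action: str     # what MBAM did, without the trailing period


# "<item> (<threat>) -> <action>."  The threat name never contains parentheses,
# so the last "(...)" before the arrow is the family name.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# A section header is a bare label ending in ':' (summary lines such as
# "File infetti: 10" have text after the colon and do not match).
HEADER_RE = re.compile(r"^([^:\\]+):$")


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log, remembering the current section, and collect detections."""
    detections: List[Detection] = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            category = header.group(1)
            continue
        hit = DETECTION_RE.match(line)
        if hit and category:
            detections.append(Detection(category, hit["item"], hit["threat"], hit["action"]))
    return detections


# Actions that mean the object is already gone from disk/registry.
REMOVED = {"Quarantined and deleted successfully"}


def pending(detections: List[Detection]) -> List[Detection]:
    """Detections MBAM reported but has not yet removed (no action, or
    scheduled for the next reboot): these need a reboot or a rescan."""
    return [d for d in detections if d.action not in REMOVED]


def threat_counts(detections: List[Detection]) -> Dict[str, int]:
    """How many objects were attributed to each family."""
    return dict(Counter(d.threat for d in detections))


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(threat_counts(found))
    for d in pending(found):
        print(f"still pending: {d.item} [{d.threat}] -> {d.action}")
```

Run it against a saved log and anything listed as pending is what to look for again after the reboot; the first log in this thread would report every line as pending, the second only the two "Delete on reboot" entries.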




#4
January 19, 2009 at 08:11:04
Hi, I've encountered the same problem.

It was just a while after I finished downloading a program to try it out. So I supposed it was a virus problem.

I tried a couple of ways to fix the problem (disk-check, antivirus, etc.) but, no results.

So, I reinstalled windows XP but still, the problem persisted.

So, the way I finally fixed the problem was to "REFORMAT" my harddisks.

If you have two or more harddisks (let's assume "System disk" and "Files disk")...

Copy everything (or just the files you need) from "Files disk" to "System disk"... Then, FORMAT "Files disk" (right click on the "Files disk" and you should see the "format" option)


Then, copy everything you've copied before to the "System disk" back to "Files disk".

The problem should be solved.

If the problem still persists, then you'll have to REFORMAT and RE-INSTALL windows also.

NOTE: If you re-install without REFORMATTING the problem MAY persist.

Perhaps you may want to find a simpler solution, but this way you will get the job done.

I did.

Greetings



#5
January 19, 2009 at 08:26:39
Maybe you want to try out the "Flash disinfector"

(People say it works...)

www./tools-resources/adware-tools/flash-disinfector/



#6
January 19, 2009 at 11:27:51
I just finished cleaning out a system with something very similar. This has a rootkit built in. Here are the files it drops (related to just the rootkit and DNS changer; there may be other files depending on what was dropped on your system):

c:\autorun.inf
(this is what keeps changing your shell execute command when you open up your c-drive)

c:\docs\user\localsets\temp\tmp***.tmp
(these are moved system files corresponding to advapi32.dll and another file I'm not quite sure)

c:\windows\temp\tempo****.tmp
(related files)

c:\windows\system32\gaopdxppjwvecb.dll
(file name may vary. this is hidden by system hooks as a rootkit. this and two other files are what keep reinfecting the system and controlling dns changes)

c:\windows\system32\drivers\gaopdxdvbrqhes.sys
c:\windows\system32\drivers\gaopdxdymrrnkv.sys
(these files are part of the rootkit as well)

Note: to see/remove rootkit files, I used RkU 3.7.3 and did a full file scan.
http://www.antirootkit.com/software...


affected registry keys:
HKLM\SOFTWARE\Classes\gaopdxvx
(hidden from Windows API)

HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys
(Hidden from Windows API)

HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
(Hidden from Windows API)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell
(this key is added/altered. it is responsible for the ntldr.com messages. it can be safely deleted. BACKUP THIS KEY FIRST, just in case).

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{40936766-680c-11dd-ab01-806d6172696f}\Shell
(this key is added/altered. it is responsible for the ntldr.com messages. it can be safely deleted. BACKUP THIS KEY FIRST, just in case).

Search the registry for any more resycled\ntldr.com keys and delete them.


And to all those that say: why post such a technical answer here, of all places? Well, Google finds all and it took me here first. Thus here is where I post. :P
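The post above pins the "ntldr.com is not a valid Win32 application" message on an autorun.inf at the drive root, whose shell entries redirect the drive's open/explore verbs to resycled\ntldr.com (Windows copies those entries into the MountPoints2\...\Shell keys listed above). The script below is an added example, not code from the thread or from any of the tools named in it: it parses an autorun.inf and flags every entry that would execute something when the drive is opened, so a helper can triage a suspect file without double-clicking the drive. The sample autorun.inf inside it is constructed to resemble the infection described; the key names it treats as executable (`open`, `shellexecute`, `shell\<verb>\command`) are the standard autorun.inf keys.

```python
"""Audit an autorun.inf for drive-open hijacks of the kind described in this
thread. Added example; SAMPLE_AUTORUN is a constructed file in the shape the
post describes, not a captured sample."""

import re
from typing import Dict, List, Tuple

# Constructed sample: every verb points at a dropped executable on the drive
# itself instead of the real Explorer handler.
SAMPLE_AUTORUN = r"""
[autorun]
;a comment line that a naive parser might trip on
open=resycled\ntldr.com
shell\open\command=resycled\ntldr.com
shell\explore\command=resycled\ntldr.com
shellexecute=resycled\ntldr.com
icon=%SystemRoot%\system32\shell32.dll,4
label=Local Disk
"""

# Keys whose value is run when the drive is opened or auto-played.
EXEC_KEYS = ("open", "shellexecute")
EXEC_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXEC_EXTS = (".com", ".exe", ".bat", ".cmd", ".scr", ".pif")


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI parser restricted to the [autorun] section: keys are
    lower-cased, ';' comments and blank lines are skipped, later duplicates win."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def is_exec_key(key: str) -> bool:
    return key in EXEC_KEYS or bool(EXEC_KEY_RE.match(key))


def find_exec_entries(text: str) -> List[Tuple[str, str]]:
    """(key, target) for every entry that would run a program."""
    return [(k, v) for k, v in parse_autorun(text).items() if is_exec_key(k)]


def suspicious_targets(text: str) -> List[Tuple[str, str]]:
    """Execution entries whose target is a relative path (i.e. lives on the
    drive that carries the autorun.inf) with an executable extension. An
    install CD may legitimately do this; on a fixed disk or USB stick it is
    the pattern this thread is about, so treat every hit as suspect."""
    hits: List[Tuple[str, str]] = []
    for key, target in find_exec_entries(text):
        exe = target.split()[0].strip('"') if target else ""
        # Absolute (C:\...), UNC (\\...) and %VAR%-based paths are not relative.
        relative = not re.match(r"^[A-Za-z]:\\|^\\\\|^%", exe)
        if relative and exe.lower().endswith(EXEC_EXTS):
            hits.append((key, exe))
    return hits


if __name__ == "__main__":
    for key, exe in suspicious_targets(SAMPLE_AUTORUN):
        print(f"{key} -> {exe}")
```

Read the file with Notepad or from a clean boot medium rather than by opening the drive in Explorer, since opening the drive is exactly what triggers the hijacked verb; a result of no hits for a file with only `icon=` and `label=` lines is the normal case for a non-installer disk.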



#7
January 19, 2009 at 14:16:30
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool, so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Avast antivirus, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.



#8
January 20, 2009 at 11:14:09
I have noticed that Combofix has reinstated Internet Explorer as the main browser and hidden the recent files shortcut in the start menu...

Well, anyway, here's the Combofix log.

ComboFix 09-01-19.05 - Compaq_Proprietario 2009-01-20 20.01.20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1040.18.1535.1042 [GMT 1:00]
Eseguito da: c:\documents and settings\Compaq_Proprietario\Documenti\Programmi installati\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090119-0] *On-access scanning disabled* (Updated)
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hpvaut32.dll
c:\windows\system32\hpvcp70.dll
c:\windows\system32\hpvcr70.dll
D:\Autorun.inf
D:\resycled
d:\resycled\ntldr.com

.
((((((((((((((((((((((((( Files Creati Da 2008-12-20 al 2009-01-20 )))))))))))))))))))))))))))))))))))
.

2009-01-18 16:36 . 2009-01-18 16:42 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-01-18 16:36 . 2009-01-18 16:36 <DIR> d-------- c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Malwarebytes
2009-01-18 16:36 . 2009-01-18 16:36 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-18 16:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-18 16:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-18 10:44 . 2009-01-18 10:44 <DIR> d-------- c:\programmi\Panda Security
2009-01-18 10:44 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-17 23:40 . 2009-01-19 23:55 12 --a------ c:\windows\bthservsdp.dat
2009-01-17 23:34 . 2009-01-17 23:34 <DIR> d-------- c:\programmi\3M
2009-01-17 23:34 . 2009-01-17 23:34 <DIR> d-------- c:\documents and settings\Compaq_Proprietario\Dati applicazioni\3M
2009-01-17 19:41 . 2008-04-13 19:14 152,576 --a------ c:\windows\system32\irftp.exe
2009-01-17 19:41 . 2008-04-13 19:14 152,576 --a--c--- c:\windows\system32\dllcache\irftp.exe
2009-01-17 19:41 . 2008-04-13 19:13 29,696 --a------ c:\windows\system32\irmon.dll
2009-01-17 19:41 . 2008-04-13 19:13 29,696 --a--c--- c:\windows\system32\dllcache\irmon.dll
2009-01-17 19:41 . 2008-04-13 19:13 8,192 --a------ c:\windows\system32\wshirda.dll
2009-01-17 19:41 . 2008-04-13 19:13 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-01-17 11:20 . 2009-01-17 11:20 <DIR> d-------- c:\programmi\MixMeister BPM Analyzer
2008-12-31 18:08 . 2008-04-13 19:13 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-31 18:08 . 2001-08-30 23:07 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-23 21:58 . 2008-12-23 22:46 <DIR> d-------- c:\programmi\Macromedia
2008-12-23 21:58 . 2008-12-23 22:16 <DIR> d-------- c:\programmi\File comuni\Macromedia
2008-12-22 21:08 . 2008-12-22 21:08 <DIR> d-------- C:\Downloads
2008-12-21 00:00 . 2008-12-20 23:59 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-20 11:44 . 2008-12-20 11:44 <DIR> d-------- c:\programmi\File comuni\LightScribe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 21:31 --------- d-----w c:\programmi\eMule
2009-01-17 20:39 --------- d-----w c:\programmi\audiograbber
2009-01-16 10:32 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Skype
2009-01-16 10:27 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\skypePM
2009-01-10 18:00 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\AdobeUM
2009-01-01 12:09 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\DVD Shrink
2008-12-26 11:09 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Free Download Manager
2008-12-25 16:35 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Intervideo
2008-12-24 21:49 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Ahead
2008-12-20 22:59 --------- d-----w c:\programmi\Java
2008-12-18 22:17 --------- d-----w c:\programmi\EjoyStudio
2008-12-14 22:03 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\OpenOffice.org
2008-12-14 20:30 --------- d-----w c:\programmi\OpenOffice.org 3
2008-12-14 20:30 --------- d-----w c:\programmi\JRE
2008-12-14 20:23 --------- d-----w c:\programmi\Microsoft CAPICOM 2.1.0.2
2008-12-14 09:44 --------- d-----w c:\programmi\Eek! Records
2008-12-14 09:43 --------- d-----w c:\programmi\MSBuild
2008-12-14 09:40 --------- d-----w c:\programmi\Reference Assemblies
2008-12-14 09:33 --------- d-----w c:\programmi\DVD Shrink
2008-12-14 09:09 --------- d-----w c:\programmi\Windows Live
2008-12-14 09:07 --------- dcsh--w c:\programmi\File comuni\WindowsLiveInstaller
2008-12-14 09:05 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-12-14 09:04 --------- d-----w c:\programmi\Binarema
2008-12-14 09:02 286,720 ----a-w c:\windows\iun505.exe
2008-12-14 09:02 --------- d-----w c:\programmi\InterCover
2008-12-14 08:59 --------- d-----w c:\programmi\File comuni\xing shared
2008-12-14 08:59 --------- d-----w c:\programmi\File comuni\Real
2008-12-14 08:56 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-12-14 08:56 --------- d-----w c:\programmi\PC Inspector File Recovery
2008-12-14 08:55 --------- d-----w c:\programmi\mIRC
2008-12-14 08:55 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\mIRC
2008-12-14 08:54 --------- d-----w c:\programmi\Monkey's Audio
2008-12-14 08:53 --------- d-----w c:\programmi\Winamp
2008-12-14 08:51 --------- d-----w c:\programmi\GoldWave
2008-12-14 08:51 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\DivX
2008-12-13 22:58 --------- d-----w c:\programmi\MSXML 4.0
2008-12-13 22:55 --------- d-----w c:\programmi\FairUse Wizard 2
2008-12-13 22:49 --------- d-----w c:\programmi\Free Download Manager
2008-12-13 22:49 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\FreeDownloadManager.ORG
2008-12-13 22:41 --------- d-----w c:\programmi\YouTube Downloader
2008-12-13 22:40 --------- d-----w c:\programmi\DivX
2008-12-13 22:39 --------- d-----w c:\programmi\CDex_170b2
2008-12-13 22:29 --------- d-----w c:\programmi\Yahoo!
2008-12-13 22:29 --------- d-----w c:\programmi\jZip
2008-12-13 22:29 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Yahoo!
2008-12-13 22:29 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Yahoo! Companion
2008-12-13 22:25 --------- d-----w c:\programmi\LitexMedia
2008-12-13 22:23 --------- d-----w c:\programmi\Audacity
2008-12-13 22:07 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\SiteClasses
2008-12-13 20:54 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\VMNTOOLBAR
2008-12-13 20:53 --------- d-----w c:\programmi\vmntoolbar
2008-12-13 20:52 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Sites
2008-12-13 20:52 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Dynamic
2008-12-13 20:51 --------- d-----w c:\programmi\Visicom Media
2008-12-13 20:51 --------- d-----w c:\programmi\CA VMN Anti-Spyware
2008-12-13 20:51 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\EmailNotifier
2008-12-13 20:51 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\EmailNotifier
2008-12-13 20:40 --------- d-----w c:\programmi\HP
2008-12-13 20:37 --------- d-----w c:\programmi\File comuni\HP
2008-12-13 20:35 --------- d-----w c:\programmi\Hewlett-Packard
2008-12-13 20:35 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Hewlett-Packard
2008-12-13 20:34 --------- d-----w c:\programmi\File comuni\Hewlett-Packard
2008-12-13 20:22 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\LightScribe
2008-12-13 20:18 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Ahead
2008-12-13 20:17 --------- d-----w c:\programmi\File comuni\Ahead
2008-12-13 20:15 --------- d-----w c:\programmi\Nero
2008-12-13 20:15 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Nero
2008-12-13 20:07 --------- d-----w c:\programmi\iTunes
2008-12-13 20:07 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Last.fm
2008-12-13 20:06 --------- d-----w c:\programmi\Last.fm
2008-12-13 19:53 --------- d-----w c:\programmi\Skype
2008-12-13 19:53 --------- d-----w c:\programmi\File comuni\Skype
2008-12-13 19:53 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Skype
2008-12-13 18:04 --------- d-----w c:\programmi\iPod
2008-12-13 18:04 --------- d-----w c:\programmi\File comuni\Apple
2008-12-13 18:04 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 18:03 --------- d-----w c:\programmi\QuickTime
2008-12-13 18:03 --------- d-----w c:\programmi\Bonjour
2008-12-13 18:03 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2008-12-13 18:02 --------- d-----w c:\programmi\Apple Software Update
2008-12-13 18:02 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Apple
2008-12-13 17:15 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Motive
2008-12-13 17:14 --------- d-----w c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Motive
2008-12-13 17:13 --------- d-----w c:\programmi\Telecom Italia
2008-12-13 17:13 --------- d-----w c:\programmi\File comuni\Motive
2008-12-13 17:13 --------- d-----w c:\programmi\Common Files
2008-12-13 17:13 --------- d-----w c:\programmi\Alice ti aiuta
2008-12-13 17:12 --------- d-----w c:\programmi\Motive
2008-12-13 16:53 --------- d-----w c:\programmi\Alwil Software
2008-12-13 16:44 155,995 ----a-w c:\windows\java\Packages\71JXBB1J.ZIP
2008-12-13 16:29 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Symantec
2008-12-13 16:12 --------- d-----w c:\programmi\Windows Media Connect 2
2008-12-13 15:44 52,864 ----a-w c:\windows\system32\drivers\CnxTrUsb.sys
2008-12-13 15:44 25,984 ----a-w c:\windows\system32\drivers\CnxTrLan.sys
2008-12-13 15:44 --------- d-----w c:\programmi\Pirelli
2008-12-13 12:53 --------- d-----w c:\programmi\File comuni\Adobe
2008-12-13 12:03 1,740 --sha-r c:\windows\system32\drivers\103C_HP_CPC_PS284AA-ABZ SR1329IT IT510_YC_0Pres_QCZB451_E51ITheREF2_47_ISalmon_SASUSTek Computer INC._V1.04_B3.04_T041029_WXH2_L410_M512_J200_7AMD_8Athlon 64_92.21_#050204_N10390900_Z11C1048C_G10DE0326.MRK
2008-12-13 12:01 --------- d-----w c:\programmi\InterVideo
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LightScribe Control Panel"="c:\programmi\File comuni\LightScribe\LightScribeControlPanel.exe" [2008-12-06 2387968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Home Theater SchSvr"="c:\programmi\File comuni\InterVideo\SchSvr\SchSvr.exe" [2004-11-05 106496]
"WINREMOTE"="c:\programmi\InterVideo\Common\Bin\WinRemote.exe" [2004-11-05 192512]
"ISUSPM Startup"="c:\progra~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-29 4603904]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Motive SmartBridge"="c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"AliceRE_McciTrayApp"="c:\progra~1\ALICET~1\vendors\AliceRE\content\template\driven~1\syncer\McciTrayApp.exe" [2006-11-21 936960]
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\programmi\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2008-12-14 185872]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"nwiz"="nwiz.exe" [2004-09-29 c:\windows\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\Compaq_Proprietario\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 3.0.lnk - c:\programmi\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2008-12-13 217088]
Avvio rapido di HP Image Zone.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\Free Download Manager\\fdm.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-18 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-13 111184]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [2005-01-01 24544]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-13 20560]
R4 Network WanMiniport First Position;Network WanMiniport First Position;c:\programmi\Telecom Italia\WanMiniport1st\srvany.exe [2008-12-13 8192]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'

2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)
HKLM-Run-VTTimer - VTTimer.exe


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=Q105&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Scarica con Free Download Manager - file://c:\programmi\Free Download Manager\dllink.htm
IE: Scarica i video con Free Download Manager - file://c:\programmi\Free Download Manager\dlfvideo.htm
IE: Scarica selezionati con Free Download Manager - file://c:\programmi\Free Download Manager\dlselected.htm
IE: Scarica tutto con Free Download Manager - file://c:\programmi\Free Download Manager\dlall.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Compaq_Proprietario\Dati applicazioni\Mozilla\Firefox\Profiles\0hkld5jk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 20:04:05
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2009-01-20 20.05.14
ComboFix-quarantined-files.txt 2009-01-20 19:05:07

Pre-Run: 126.747.590.656 byte disponibili
Post-Run: 127,115,624,448 byte disponibili

250 --- E O F --- 2009-01-15 23:01:25

What should I do now?



#9
January 20, 2009 at 14:38:45
Ok.

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#10
January 28, 2009 at 21:21:33
What worked for me. Change folder view to view all files and folders, right-click and uncheck "read only" on the file "autorun.inf". Then open the file in Notepad, delete everything under "[autorun]" and click Save. Do this on all HDs. Then click Start and run regedit.
BACK UP THE REGISTRY BEFORE MAKING ANY CHANGES! Then click on "Edit" and then "Find". Type "resycled\ntldr.com" in the search box and hit Enter. Delete all instances of that file\folder combination. Reboot the computer and it should work fine. Worked for me. No problems.

Would also suggest getting a GOOD registry cleaner. I use WinCleaner myself.


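An added example, not from this thread or from any of the tools mentioned in it, showing how a defender can triage an autorun.inf like the one post #10 edits by hand: it parses the [autorun] section and flags launch directives matching the pattern seen here (a .com file in a hidden sub-folder whose name mimics a Windows system file). Both sample files are constructed for the demonstration.

```python
import re

# Directives that make Explorer launch a program when the volume is opened or double-clicked.
EXEC_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return the [autorun] section of an autorun.inf as {lowercase key: value}.
    Hand-rolled instead of configparser so stray '%' or duplicate keys cannot raise."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_directives(entries):
    """Return (key, value, reasons) for each code-launching directive that trips a heuristic.
    Legitimate vendor autorun.inf files normally set only icon= and label=."""
    findings = []
    for key, value in entries.items():
        launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        target = value.split()[0] if value else ""   # drop command-line arguments
        reasons = []
        if re.search(r"\.(com|pif|scr|bat|cmd)$", target, re.I):
            reasons.append("non-.exe executable extension")
        if "\\" in target:
            reasons.append("runs from a sub-folder, not the drive root")
        if re.search(r"ntldr|re[cs]y[cs]le|system volume", target, re.I):
            reasons.append("mimics a Windows system file or folder name")
        if reasons:
            findings.append((key, value, "; ".join(reasons)))
    return findings

# Constructed samples: the first mirrors the pattern described in the thread (a hidden
# C:\resycled folder launched from C:\autorun.inf), the second is a benign driver CD.
SAMPLE_INFECTED = ("[autorun]\r\nopen=resycled\\ntldr.com\r\n"
                   "shell\\open\\command=resycled\\ntldr.com\r\n"
                   "shell\\explore\\command=resycled\\ntldr.com\r\n"
                   "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
SAMPLE_BENIGN = "[AutoRun]\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\n"

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        for key, value, why in suspicious_directives(parse_autorun(sample)):
            print(f"{name}: {key}={value}  ->  {why}")
```

Running this over each drive root's autorun.inf before the registry step in post #10 tells you which directives the file actually sets, so nothing is missed when the section is emptied.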

