
Windows cannot find 'resycled\boot.com' [Solved]


  • This topic is locked This topic is locked

#1 Rik111 (Member, 130 posts)
I understand this is malware... but I just reformatted!! Then again I have a back-up drive... could it be that?


Could this be responsible for my computer crashing? No error messages, no beeps, nothing. (symptom occurred before and after reformat)


Thanks for any help! :]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:42 AM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\RunDLL32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3423 bytes


#2 Fred21543 (Member 1K, 1,351 posts)
Hello Rik111,

Welcome to Geeks to Go! My name is Fred21543 and I will be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, so I ask for your patience.
Please stick with me until we get your computer cleaned up.

I'm currently analyzing your log now, and I'll post back with a fix ASAP. Thanks for your patience.

#3 Fred21543 (Member 1K, 1,351 posts)
Is your computer connected to a router?


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#4 Rik111 (Topic Starter, Member, 130 posts)
Yes it is.

I find it meaningful to include that my computer crashed (again... :)) immediately after I accepted the terms and license agreement to the windows recovery console. Combofix did not ask me to fix this when I started back up.

combofix log-

ComboFix 08-12-31.01 - Rik 2009-01-01 11:30:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1712 [GMT -6:00]
Running from: c:\documents and settings\Rik\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\resycled
H:\Autorun.inf
H:\resycled
h:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.

2009-01-01 03:44 . 2009-01-01 03:44 <DIR> d-------- c:\program files\Trend Micro
2009-01-01 03:00 . 2009-01-01 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-31 17:11 . 2008-12-31 17:11 <DIR> d-------- c:\documents and settings\Rik\Application Data\Apple Computer
2008-12-31 17:11 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-31 17:11 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-31 17:10 . 2008-12-31 17:11 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\program files\QuickTime
2008-12-31 17:10 . 2008-12-31 17:11 <DIR> d-------- c:\program files\iTunes
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\program files\iPod
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\program files\Bonjour
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\program files\Apple Software Update
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-31 17:10 . 2008-12-31 17:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-31 17:09 . 2008-12-31 17:10 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-31 17:09 . 2008-12-31 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-31 14:24 . 2006-06-26 03:19 2,388,176 --a------ c:\windows\system\d3dx9_30.dll
2008-12-31 12:21 . 2008-12-31 12:21 <DIR> d-------- c:\program files\Realtek AC97
2008-12-31 12:21 . 2008-12-31 12:21 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-31 12:21 . 2008-12-31 12:21 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-31 11:28 . 2008-12-31 11:28 <DIR> d-------- c:\program files\Microsoft Games
2008-12-31 03:07 . 2008-12-31 03:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-31 03:07 . 2008-12-31 03:07 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 03:07 . 2008-12-31 03:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 03:07 . 2008-12-31 03:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-31 03:06 . 2008-12-31 03:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 03:05 . 2008-12-31 03:05 <DIR> d-------- c:\program files\Hamachi
2008-12-31 03:05 . 2008-12-31 03:05 <DIR> d-------- c:\documents and settings\Rik\Application Data\Hamachi
2008-12-31 03:05 . 2008-12-31 03:05 25,280 --a------ c:\windows\system32\drivers\hamachi.sys
2008-12-31 03:01 . 2008-12-31 03:01 <DIR> d-------- c:\program files\CCleaner
2008-12-31 02:43 . 2008-12-31 02:43 <DIR> d-------- c:\windows\system32\scripting
2008-12-31 02:43 . 2008-12-31 02:43 <DIR> d-------- c:\windows\system32\en
2008-12-31 02:43 . 2008-12-31 02:43 <DIR> d-------- c:\windows\system32\bits
2008-12-31 02:43 . 2008-12-31 02:43 <DIR> d-------- c:\windows\l2schemas
2008-12-31 02:42 . 2008-12-31 02:42 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-31 02:40 . 2008-12-31 02:43 <DIR> d-------- c:\program files\TGTSoft
2008-12-31 02:37 . 2008-12-31 02:37 <DIR> d-------- c:\windows\EHome
2008-12-31 02:24 . 2008-10-16 14:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-31 02:24 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-31 02:24 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-31 02:24 . 2008-10-16 14:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-31 02:24 . 2008-10-16 14:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-31 02:24 . 2008-10-16 14:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-31 02:24 . 2008-10-16 14:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-31 02:24 . 2008-10-16 14:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-31 02:24 . 2008-10-16 07:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-31 02:16 . 2004-08-03 22:29 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-31 02:08 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-31 02:08 . 2008-08-14 04:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-31 02:08 . 2008-12-31 02:08 0 --a------ c:\windows\nsreg.dat
2008-12-31 02:07 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-31 02:07 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-31 02:07 . 2008-06-13 05:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-31 02:07 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-31 02:07 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-31 02:07 . 2008-12-31 02:07 13,702 --a------ c:\windows\system32\wpa.bak
2008-12-31 02:06 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-31 02:06 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-31 02:06 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-31 02:06 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-31 02:06 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-31 02:06 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-31 02:03 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-12-31 02:02 . 2008-12-31 02:02 <DIR> d-------- c:\windows\nview
2008-12-31 02:02 . 2008-12-31 02:02 <DIR> d-------- C:\NVIDIA
2008-12-31 02:02 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-31 02:02 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-31 02:02 . 2009-01-01 11:30 200,819 --a------ c:\windows\system32\nvapps.xml
2008-12-31 02:02 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 07:55 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-31 07:20 --------- d-----w c:\program files\microsoft frontpage
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e1296ba-d760-11dd-b111-000f66e71a3a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - d:\resycled\boot.com d:

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local

c:\windows\Downloaded Program Files\sysreqlab_srl.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\sysreqlab.osd
FF - ProfilePath - c:\documents and settings\Rik\Application Data\Mozilla\Firefox\Profiles\ob36hont.default\
FF - prefs.js: browser.startup.homepage - google.com

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 11:32:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-01 11:33:08
ComboFix-quarantined-files.txt 2009-01-01 17:32:42

Pre-Run: 114,887,925,760 bytes free
Post-Run: 115,104,550,912 bytes free

159 --- E O F --- 2009-01-01 09:00:34
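A defender's triage helper for the ComboFix report above, added here as an example that is not part of the thread or of ComboFix itself: it parses the log layout shown (section banners, registry key headers, MountPoints2 `\Shell\...\command` lines) and flags the removable-drive autorun chain, the autorun.inf/resycled deletions, and the Security Center and firewall values in the same log that record protection switched off. The sample input is a constructed excerpt in that layout; the trusted launcher prefixes and the finding names are this example's own assumptions.

```python
"""Triage a ComboFix-style report for removable-drive autorun persistence (added example)."""
import re

# Constructed sample: an excerpt laid out like the ComboFix log in post #4 of the thread.
SAMPLE_LOG = r"""
((((((((((((( Other Deletions )))))))))))))
.
C:\autorun.inf
C:\resycled
H:\Autorun.inf
H:\resycled
h:\resycled\boot.com
.
((((((((((((( Reg Loading Points )))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e1296ba-d760-11dd-b111-000f66e71a3a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - d:\resycled\boot.com d:
"""

SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}\s*$")   # "(((( Name ))))" section banners
KEY_RE = re.compile(r"^\[-?(.+)\]$")                         # [HKEY_...] key headers
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')            # "Name"=value
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|pif|scr|vbs|dll)$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"\\autorun\.inf$|\\resycled(\\|$)", re.IGNORECASE)

# Assumption of this example: launchers under these roots (RunDLL32.EXE in the sample) are
# trusted; any other token with an executable extension in a MountPoints2 command is reported.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
# Values that record built-in protection switched off or its alerting silenced.
DISABLED_VALUES = {"antivirusoverride": "dword:00000001",
                   "firewalloverride": "dword:00000001",
                   "enablefirewall": "0"}


def parse_sections(log):
    """Split the report into {banner name: [lines]}, dropping blank and '.' spacer lines."""
    sections, current = {}, "preamble"
    for line in (l.rstrip() for l in log.splitlines()):
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def suspicious_targets(command):
    """Executable-looking tokens that are not trusted launchers. Tokens are split on whitespace
    and commas (quoted paths with spaces are not handled); a bare DLL name resolves from the
    system search path and is skipped, while a relative path resolves on the mounted drive."""
    flagged = []
    for tok in re.split(r"[\s,]+", command):
        low = tok.lower()
        if not EXEC_EXT_RE.search(low) or low.startswith(TRUSTED_PREFIXES):
            continue
        if low.endswith(".dll") and "\\" not in low:
            continue
        flagged.append(tok)
    return flagged


def scan_registry(reg_lines):
    """One pass over 'Reg Loading Points': disabled protection and MountPoints2 autorun commands."""
    findings, key = [], None
    for line in reg_lines:
        header = KEY_RE.match(line)
        if header:
            key = header.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and DISABLED_VALUES.get(value.group(1).lower()) == value.group(2).lower():
            findings.append(("protection-disabled", f"{key}: {value.group(1)} = {value.group(2)}"))
            continue
        cmd = SHELL_CMD_RE.match(line)
        if cmd and key and "mountpoints2" in key.lower():
            targets = suspicious_targets(cmd.group(2))
            if targets:
                findings.append(("mountpoints2-autorun",
                                 f"{key} Shell\\{cmd.group(1)}\\command -> {', '.join(targets)}"))
    return findings


def triage(log):
    """Return (kind, detail) findings: autorun artifacts first, then registry findings."""
    sections = parse_sections(log)
    findings = [("autorun-artifact", l) for l in sections.get("Other Deletions", []) if AUTORUN_RE.search(l)]
    return findings + scan_registry(sections.get("Reg Loading Points", []))
```

Feed `triage()` the pasted report text; a legitimate CD or USB installer can also leave a MountPoints2 command pointing at its own drive, so the output is a review list, not a verdict.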

#5 Fred21543 (Member 1K, 1,351 posts)
Plug in your D: drive before running this fix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
d:\resycled
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e1296ba-d760-11dd-b111-000f66e71a3a}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


It sounds like a case of Zlob/DNSchanger that changes the router's DNS settings. Please download Malwarebytes' Anti-Malware from Here or Here

Next disconnect your system from the internet, and your router, then…

Double Click mbam-setup.exe to install the application.
  • Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===============================================

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration you can reconnect to the internet, and router. Then return to this site to post your logs.

===============================================

Please post the Malwarebytes log and let me know how things are running now :)

#6 Rik111 (Topic Starter, Member, 130 posts)
My H: drive used to be my D: drive... but after I hooked up another hard drive to transfer some files for reformatting, it switched to H: ... that other hard drive is my friends' ... but I do still have it.

So I hook it back up? It has vista on it. If that's important at all.

#7 Fred21543 (Member 1K, 1,351 posts)
It is not essential to plug in the removable drive, just continue with the steps listed in my last post please and post the required logs here :)

#8 Rik111 (Topic Starter, Member, 130 posts)
OK, first report...

ComboFix 09-01-01.02 - Rik 2009-01-02 9:46:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1570 [GMT -6:00]
Running from: c:\documents and settings\Rik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rik\Desktop\CFScript.txt.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-01 03:44 . 2009-01-01 03:44 <DIR> d-------- c:\program files\Trend Micro
2009-01-01 03:00 . 2009-01-01 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-31 17:11 . 2008-12-31 17:11 <DIR> d-------- c:\documents and settings\Rik\Application Data\Apple Computer
2008-12-31 17:11 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-31 17:11 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-31 17:10 . 2008-12-31 17:11 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\program files\QuickTime
2008-12-31 17:10 . 2008-12-31 17:11 <DIR> d-------- c:\program files\iTunes
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\program files\iPod
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\program files\Bonjour
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\program files\Apple Software Update
2008-12-31 17:10 . 2008-12-31 17:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-31 17:10 . 2008-12-31 17:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-31 17:09 . 2008-12-31 17:10 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-31 17:09 . 2008-12-31 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-31 14:24 . 2006-06-26 03:19 2,388,176 --a------ c:\windows\system\d3dx9_30.dll
2008-12-31 12:21 . 2008-12-31 12:21 <DIR> d-------- c:\program files\Realtek AC97
2008-12-31 12:21 . 2008-12-31 12:21 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-31 12:21 . 2008-12-31 12:21 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-31 11:28 . 2008-12-31 11:28 <DIR> d-------- c:\program files\Microsoft Games
2008-12-31 03:07 . 2008-12-31 03:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-31 03:07 . 2008-12-31 03:07 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 03:07 . 2008-12-31 03:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 03:07 . 2008-12-31 03:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-31 03:06 . 2008-12-31 03:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 03:05 . 2008-12-31 03:05 <DIR> d-------- c:\program files\Hamachi
2008-12-31 03:05 . 2008-12-31 03:05 <DIR> d-------- c:\documents and settings\Rik\Application Data\Hamachi
2008-12-31 03:05 . 2008-12-31 03:05 25,280 --a------ c:\windows\system32\drivers\hamachi.sys
2008-12-31 03:01 . 2008-12-31 03:01 <DIR> d-------- c:\program files\CCleaner
2008-12-31 02:43 . 2008-12-31 02:43 <DIR> d-------- c:\windows\system32\scripting
2008-12-31 02:43 . 2008-12-31 02:43 <DIR> d-------- c:\windows\system32\en
2008-12-31 02:43 . 2008-12-31 02:43 <DIR> d-------- c:\windows\system32\bits
2008-12-31 02:43 . 2008-12-31 02:43 <DIR> d-------- c:\windows\l2schemas
2008-12-31 02:42 . 2008-12-31 02:42 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-31 02:40 . 2008-12-31 02:43 <DIR> d-------- c:\program files\TGTSoft
2008-12-31 02:37 . 2008-12-31 02:37 <DIR> d-------- c:\windows\EHome
2008-12-31 02:24 . 2008-10-16 14:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-31 02:24 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-31 02:24 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-31 02:24 . 2008-10-16 14:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-31 02:24 . 2008-10-16 14:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-31 02:24 . 2008-10-16 14:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-31 02:24 . 2008-10-16 14:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-31 02:24 . 2008-10-16 14:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-31 02:24 . 2008-10-16 07:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-31 02:16 . 2004-08-03 22:29 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-31 02:08 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-31 02:08 . 2008-08-14 04:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-31 02:08 . 2008-12-31 02:08 0 --a------ c:\windows\nsreg.dat
2008-12-31 02:07 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-31 02:07 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-31 02:07 . 2008-06-13 05:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-31 02:07 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-31 02:07 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-31 02:07 . 2008-12-31 02:07 13,702 --a------ c:\windows\system32\wpa.bak
2008-12-31 02:06 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-31 02:06 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-31 02:06 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-31 02:06 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-31 02:06 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-31 02:06 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-31 02:03 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-12-31 02:02 . 2008-12-31 02:02 <DIR> d-------- c:\windows\nview
2008-12-31 02:02 . 2008-12-31 02:02 <DIR> d-------- C:\NVIDIA
2008-12-31 02:02 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-31 02:02 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-31 02:02 . 2009-01-01 11:30 200,819 --a------ c:\windows\system32\nvapps.xml
2008-12-31 02:02 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 07:55 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-31 07:20 --------- d-----w c:\program files\microsoft frontpage
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-01_11.32.17.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-01 10:33:20 40,196 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-01 17:34:05 40,196 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-01 10:33:20 311,934 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-01 17:34:05 311,934 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local

c:\windows\Downloaded Program Files\sysreqlab_srl.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\sysreqlab.osd
FF - ProfilePath - c:\documents and settings\Rik\Application Data\Mozilla\Firefox\Profiles\ob36hont.default\
FF - prefs.js: browser.startup.homepage - google.com

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 09:47:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-02 9:47:39
ComboFix-quarantined-files.txt 2009-01-02 15:47:37
ComboFix2.txt 2009-01-01 17:33:09

Pre-Run: 115,055,816,704 bytes free
Post-Run: 115,048,759,296 bytes free

156 --- E O F --- 2009-01-01 09:00:34





and...




Malwarebytes' Anti-Malware 1.31
Database version: 1596
Windows 5.1.2600 Service Pack 3

1/2/2009 9:51:27 AM
mbam-log-2009-01-02 (09-51-27).txt

Scan type: Quick Scan
Objects scanned: 42515
Time elapsed: 1 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
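Two details in the ComboFix registry excerpt above deserve a closer look than the thread gives them: the Security Center "AntiVirusOverride" and "FirewallOverride" values are both 1 (the tray warnings for a missing antivirus and firewall are muted), and "EnableFirewall" for the standard profile is 0 (the XP firewall is off). Both are worth reverting after cleanup whether the user or malware set them. The script below is an added example, not part of the original thread and not ComboFix's own code; it reads the excerpt exactly as posted and lists the settings to revert or verify. Its assumptions are that ComboFix prints values as "Name"=dword:xxxxxxxx or "Name"= n (0xn), and REG_MULTI_SZ values unquoted with \0 between entries, which is how they appear in the log above.

```python
"""Flag weakened Windows XP security settings in a ComboFix-style registry excerpt.

Added example; not part of the original thread and not ComboFix's own code.
SAMPLE_EXCERPT is copied from the ComboFix log posted above. The assumption
that values are printed as '"Name"=dword:xxxxxxxx', '"Name"= n (0xn)' or, for
REG_MULTI_SZ, 'Name REG_MULTI_SZ a\0b' is taken from that same log.
"""
import re
from typing import Dict, List

SAMPLE_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DEFAULT_BOOTEXECUTE = "autocheck autochk *"   # stock XP value


def parse_excerpt(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_path_lowercased: {value_name: raw_value_text}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2).strip()
        elif " REG_MULTI_SZ " in line:
            # ComboFix prints multi-string values unquoted; '\0' separates entries.
            name, data = line.split(" REG_MULTI_SZ ", 1)
            sections[current][name.strip()] = data.strip()
    return sections


def as_int(raw: str) -> int:
    """Accept both 'dword:00000001' and '0 (0x0)' spellings."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return int(raw.split()[0])


def findings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Human-readable list of settings a cleanup should revert or verify."""
    out: List[str] = []
    for path, values in sections.items():
        if path.endswith(r"\microsoft\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if name in values and as_int(values[name]) == 1:
                    out.append(f"Security Center {name}=1: the missing-{name[:-8].lower()} warning is suppressed")
        elif path.endswith(r"\firewallpolicy\standardprofile"):
            if "EnableFirewall" in values and as_int(values["EnableFirewall"]) == 0:
                out.append("Windows Firewall standard profile: EnableFirewall=0 (firewall off)")
        elif path.endswith(r"\control\session manager"):
            # Anything beyond the stock 'autocheck autochk *' runs before logon; confirm what it is.
            entries = values.get("BootExecute", DEFAULT_BOOTEXECUTE).split(r"\0")
            for entry in entries:
                if entry.strip() != DEFAULT_BOOTEXECUTE:
                    out.append(f"BootExecute runs non-default entry '{entry}' before logon: verify which program that is")
    return out


if __name__ == "__main__":
    for line in findings(parse_excerpt(SAMPLE_EXCERPT)):
        print(line)
```

On the excerpt above this reports four items: the two Security Center overrides, the disabled firewall, and the extra BootExecute entry "lsdelete", which is flagged only so that it is checked against the installed software (Ad-Aware is running on this machine) rather than assumed malicious.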

#9 Fred21543 (Member 1K, 1,351 posts)
Were you able to successfully reset your router as the instructions told you to do? How is everything running now?

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter
    .

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left unneutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware from the report (it will be at the very top under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



Also can I please see a new HijackThis log?

#10 Rik111 (Topic Starter, Member, 130 posts)
Dear lord. That took 15 hours to complete...

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:15 AM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3268 bytes







@(#$)%*()!#&$%)(*&!)@#(*&$)!@#&$()!&@#)*%^!@#*%&()!@&#$





Scan
----
Scanned: 505136
Detected: 22
Untreated: 0
Start time: 1/3/2009 10:16:09 AM
Duration: 14:59:04
Finish time: 1/4/2009 1:15:13 AM


Detected
--------
Status Object
------ ------
deleted: Trojan program Backdoor.Win32.Ciadoor.arn File: C:\Documents and Settings\Rik\Desktop\Rik's\EA Sports\NHL08\nhl2008.exe
deleted: virus Worm.Win32.AutoRun.nuu File: C:\Qoobox\Quarantine\C\autorun.inf.vir
deleted: virus Worm.Win32.AutoRun.spw File: C:\Qoobox\Quarantine\H\autorun.inf.vir
deleted: adware not-a-virus:AdWare.Win32.MyWay.j File: H:\I386\Apps\APP20155\src\HPSummer2005.exe//WiseSFXDropper//WISE0016.BIN
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP5\A0002081.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP5\A0002140.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP7\A0002227.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP8\A0002280.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP8\A0009158.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP9\A0009193.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP9\A0010169.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP14\A0022183.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP17\A0025194.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP18\A0025245.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP18\A0026320.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP19\A0026325.inf
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP20\A0026571.inf
deleted: virus Worm.Win32.AutoRun.spw File: H:\System Volume Information\_restore{35BC272B-1A7D-4B27-B23C-2C86DF0D9DFA}\RP9\A0003716.inf
deleted: virus Worm.Win32.AutoRun.spw File: H:\System Volume Information\_restore{35BC272B-1A7D-4B27-B23C-2C86DF0D9DFA}\RP10\A0003739.inf
deleted: virus Worm.Win32.AutoRun.spw File: H:\System Volume Information\_restore{35BC272B-1A7D-4B27-B23C-2C86DF0D9DFA}\RP13\A0007714.inf
deleted: adware not-a-virus:AdWare.Win32.MyWay.j File: H:\System Volume Information\_restore{35BC272B-1A7D-4B27-B23C-2C86DF0D9DFA}\RP14\A0009672.exe//WiseSFXDropper//WISE0016.BIN
deleted: adware not-a-virus:AdWare.Win32.MyWay.j File: H:\System Volume Information\_restore{35BC272B-1A7D-4B27-B23C-2C86DF0D9DFA}\RP14\A0009672.exe//WiseSFXDropper


Events
------
Time Name Status Reason
---- ---- ------ ------
1/3/2009 10:16:15 AM Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
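Reading the Kaspersky listing above by location rather than by count tells the story more clearly. Of the 22 hits, only two are live files (the NHL08 executable on C: and an HP installer package inside H:\I386); two are ComboFix's quarantine copies of autorun.inf files taken from C: and H:; the remaining 18 are System Restore snapshots on H:, the backup drive. That pattern fits the original question: an autorun.inf worm on H: would survive a reformat of C:, and the "resycled\boot.com" error in the title is what Windows shows when an autorun.inf points at a file that is no longer there. Restore-point copies are inert unless that point is restored; the usual step after cleaning is to turn System Restore off and on again for that drive so the old points are discarded. The script below is an added example, not part of the original thread and not the Kaspersky tool's own code; it parses a constructed subset of the lines posted above and groups them by drive and location. Treating "\System Volume Information\_restore" as System Restore snapshots and "\Qoobox\Quarantine\" as ComboFix's quarantine folder are assumptions.

```python
"""Summarize a Kaspersky AVP Tool 'Detected' listing by drive and by where each hit lives.

Added example; not part of the original thread and not the Kaspersky tool's own code.
SAMPLE_REPORT is a constructed subset of the detection lines posted above; the
'status: category Name File: path' layout is taken from that log. Treating
'\System Volume Information\_restore' as System Restore snapshots and
'\Qoobox\Quarantine\' as ComboFix's quarantine folder are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

SAMPLE_REPORT = r"""
deleted: Trojan program Backdoor.Win32.Ciadoor.arn File: C:\Documents and Settings\Rik\Desktop\Rik's\EA Sports\NHL08\nhl2008.exe
deleted: virus Worm.Win32.AutoRun.nuu File: C:\Qoobox\Quarantine\C\autorun.inf.vir
deleted: virus Worm.Win32.AutoRun.spw File: C:\Qoobox\Quarantine\H\autorun.inf.vir
deleted: adware not-a-virus:AdWare.Win32.MyWay.j File: H:\I386\Apps\APP20155\src\HPSummer2005.exe//WiseSFXDropper//WISE0016.BIN
deleted: virus Worm.Win32.AutoRun.onp File: H:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP5\A0002081.inf
deleted: virus Worm.Win32.AutoRun.spw File: H:\System Volume Information\_restore{35BC272B-1A7D-4B27-B23C-2C86DF0D9DFA}\RP9\A0003716.inf
deleted: adware not-a-virus:AdWare.Win32.MyWay.j File: H:\System Volume Information\_restore{35BC272B-1A7D-4B27-B23C-2C86DF0D9DFA}\RP14\A0009672.exe//WiseSFXDropper
"""

LINE_RE = re.compile(r"^(?P<status>\w+):\s+(?P<what>.+?)\s+File:\s+(?P<path>.+)$")


class Detection(NamedTuple):
    status: str      # 'deleted', 'quarantined', ...
    category: str    # 'virus', 'Trojan program', 'adware'
    name: str        # 'Worm.Win32.AutoRun.onp', 'not-a-virus:AdWare.Win32.MyWay.j'
    path: str        # full object path; '//' marks a member inside an archive
    drive: str       # 'C', 'H'
    location: str    # 'live', 'restore-point' or 'quarantine'


def classify(path: str) -> str:
    """Where the object lived: a System Restore snapshot, ComboFix quarantine, or a live file."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    return "live"


def parse_report(text: str) -> List[Detection]:
    """Turn the 'Detected' section of the report into Detection records; skips non-matching lines."""
    hits: List[Detection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        words = m.group("what").split()          # last word is the detection name
        path = m.group("path")
        hits.append(Detection(m.group("status"), " ".join(words[:-1]), words[-1],
                              path, path[0].upper(), classify(path)))
    return hits


def summarize(hits: List[Detection]) -> Dict[str, object]:
    """Counts plus the two lists a responder acts on: live files and drives with infected restore points."""
    return {
        "total": len(hits),
        "by_drive": dict(Counter(h.drive for h in hits)),
        "by_location": dict(Counter(h.location for h in hits)),
        "autorun_worm_hits": sum(h.name.startswith("Worm.Win32.AutoRun") for h in hits),
        "live_files": [h.path.split("//")[0] for h in hits if h.location == "live"],
        "restore_point_drives": sorted({h.drive for h in hits if h.location == "restore-point"}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Paste the full 22-line listing into SAMPLE_REPORT and the summary comes out as 2 live files, 2 quarantine copies and 18 restore-point snapshots, all of the latter on H:.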

#11 Fred21543 (Member 1K, 1,351 posts)
Please answer the following questions:

Were you able to successfully reset your router? Also, how is your computer running now?


I would highly recommend you install an antivirus. Three good free choices are Avast, Antivir and AVG. It is basically suicidal to be without an antivirus in today's world, given all of the malware out there.

Let me know which one you decide to install, and once you have installed it, do a full system scan and post a report here (if it's too large, just attach the log at the end of the post).

#12 Rik111 (Topic Starter, Member, 130 posts)
I'm going to run Avast tonight... then post it tomorrow.

Reset the router successfully.

Computer still crashing randomly... 50/50 it's rebooted tomorrow and the scan's a wash.

#13 Rik111 (Topic Starter, Member, 130 posts)
Well... it worked... but I can't find the log file!!!

And I ran it twice! :)

#14 Fred21543 (Member 1K, 1,351 posts)
Don't worry about the logfile.

Congrats! Your logs appear clean!

Follow these steps to uninstall Combofix and tools used in the removal of malware
* Click START then RUN
* Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

*Make sure you have an Internet Connection.
* Download OTCleanIt to your desktop and run it
* A list of tool components used in the Cleanup of malware will be downloaded.
* If your Firewall or real-time protection attempts to block OTCleanIt from reaching the Internet, please allow the application to do so.
* Click Yes to begin the cleanup process and remove these components, including this application.
* You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Please delete any and all tools we used in cleaning up your computer that OTCleanIt may not remove.

Below are a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking Microsoft's website at:
Windows Update
This will ensure your computer always has the latest available security updates installed.

Make Internet Explorer more secure

*Click Start > Run
* Type Inetcpl.cpl & click OK
* Click on the Security tab
* Click Reset all zones to default level
* Make sure the Internet Zone is selected & Click Custom level
* In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
* Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

* SpywareBlaster protects against bad ActiveX controls.

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' (link: Here).

* NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

*ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

*Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

*ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.


Stay safe! :)

#15 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.