win32.tdss.rtk removal


bc98

I've tried running Spybot S&D, and it detects this trojan and says the problem is fixed, but when I restart, the problem comes back. Help!

Malwarebytes log:

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 5.1.2600 Service Pack 2

8/10/2009 11:02:27 PM

mbam-log-2009-08-10 (23-02-23).txt

Scan type: Full Scan (C:\|)

Objects scanned: 201295

Time elapsed: 31 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{31B8BED5-9D7F-4557-ABBD-A1EED92B436E}\RP144\A0033811.dll (Adware.PopCap) -> No action taken.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:02:52 PM, on 8/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\Common Files\Lenovo\Logger\logmon.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\tp4serv.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnipMgr.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe

O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [iBMTBCTL] "C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" /r

O4 - HKLM\..\Run: [TSMResident] "C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunOnce: [spybotDeletingA6712] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC903] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys_old"

O4 - HKLM\..\RunOnce: [spybotDeletingA2644] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys"

O4 - HKLM\..\RunOnce: [spybotDeletingC9827] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys"

O4 - HKLM\..\RunOnce: [spybotDeletingA3325] command.com /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC3069] cmd.exe /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingA2742] command.com /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC8755] cmd.exe /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA495] command.com /c del "C:\WINDOWS\system32\SKYNETloguvion.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC97] cmd.exe /c del "C:\WINDOWS\system32\SKYNETloguvion.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingA6930] command.com /c del "C:\WINDOWS\system32\SKYNETloguvion.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2833] cmd.exe /c del "C:\WINDOWS\system32\SKYNETloguvion.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1792] command.com /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC503] cmd.exe /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat_old"

O4 - HKLM\..\RunOnce: [spybotDeletingA1474] command.com /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingC1830] cmd.exe /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingA6707] command.com /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC1923] cmd.exe /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat_old"

O4 - HKLM\..\RunOnce: [spybotDeletingA6491] command.com /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingC2739] cmd.exe /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\RunOnce: [spybotDeletingB6210] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD3257] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys_old"

O4 - HKCU\..\RunOnce: [spybotDeletingB798] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys"

O4 - HKCU\..\RunOnce: [spybotDeletingD9492] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys"

O4 - HKCU\..\RunOnce: [spybotDeletingB1187] command.com /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD1628] cmd.exe /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingB6317] command.com /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD4285] cmd.exe /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB7442] command.com /c del "C:\WINDOWS\system32\SKYNETloguvion.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD4190] cmd.exe /c del "C:\WINDOWS\system32\SKYNETloguvion.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingB4295] command.com /c del "C:\WINDOWS\system32\SKYNETloguvion.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD8027] cmd.exe /c del "C:\WINDOWS\system32\SKYNETloguvion.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB6382] command.com /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD4329] cmd.exe /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat_old"

O4 - HKCU\..\RunOnce: [spybotDeletingB1214] command.com /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat"

O4 - HKCU\..\RunOnce: [spybotDeletingD7132] cmd.exe /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat"

O4 - HKCU\..\RunOnce: [spybotDeletingB9322] command.com /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD4528] cmd.exe /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat_old"

O4 - HKCU\..\RunOnce: [spybotDeletingB796] command.com /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat"

O4 - HKCU\..\RunOnce: [spybotDeletingD1717] cmd.exe /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat"

O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: VPN Client.lnk = ?

O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.tikgames.com/Portals/0/OnlineGa...pandaonline.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe

O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe

O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--

End of file - 21872 bytes

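To make the HijackThis log above easier to act on, here is an added example (not part of the original post, and not a Spybot, HijackThis or Malwarebytes feature): a Python script that pulls the deferred `del` commands out of the O4 RunOnce lines, collapses the duplicated HKLM/HKCU and command.com/cmd.exe entries and the `_old` variants down to the real set of files, groups those files by a shared name prefix, and notes which of them are kernel drivers. The sample lines are copied from the log above; the 6-character prefix grouping is my own heuristic, and the reading that a driver loaded at boot is already in use when a logon-time `del` fires is an inference from the symptom in the first post, not something the log states.

```python
import ntpath
import re
from collections import defaultdict

# Subset of O4 lines copied from the HijackThis log in this thread (plus one
# ordinary Run entry and the MBAM RunOnce entry) so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\RunOnce: [spybotDeletingA6712] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC903] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys_old"
O4 - HKLM\..\RunOnce: [spybotDeletingA2644] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys"
O4 - HKLM\..\RunOnce: [spybotDeletingC9827] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys"
O4 - HKLM\..\RunOnce: [spybotDeletingA2742] command.com /c del "C:\WINDOWS\system32\SKYNETddxroirq.dll"
O4 - HKLM\..\RunOnce: [spybotDeletingA6930] command.com /c del "C:\WINDOWS\system32\SKYNETloguvion.dll"
O4 - HKLM\..\RunOnce: [spybotDeletingA1474] command.com /c del "C:\WINDOWS\system32\SKYNETpyuoyksb.dat"
O4 - HKLM\..\RunOnce: [spybotDeletingA6491] command.com /c del "C:\WINDOWS\system32\SKYNETwtakdpal.dat"
O4 - HKCU\..\RunOnce: [spybotDeletingB798] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETiotacjgo.sys"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
"""

# One HijackThis O4 RunOnce line whose command is a shell 'del' of a quoted path.
DEFERRED_DEL = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\RunOnce: \[(?P<entry>[^\]]+)\] '
    r'(?:command\.com|cmd\.exe) /c del "(?P<path>[^"]+)"$'
)


def parse_deferred_deletes(log_text):
    """Return [(hive, entry_name, path)] for every RunOnce 'del' line.
    Spybot writes one command.com and one cmd.exe entry per file, under both
    HKLM and HKCU, so the same path shows up several times."""
    found = []
    for line in log_text.splitlines():
        m = DEFERRED_DEL.match(line.rstrip())
        if m:
            found.append((m['hive'], m['entry'], m['path']))
    return found


def unique_targets(deletes):
    """Collapse the duplicates to the real set of files being targeted:
    drop hive/entry name and fold '<file>_old' onto '<file>'."""
    paths = set()
    for _hive, _entry, path in deletes:
        if path.lower().endswith('_old'):
            path = path[:-4]
        paths.add(path)
    return sorted(paths, key=str.lower)


def cluster_by_prefix(paths, prefix_len=6):
    """Heuristic (my own, not a tool feature): group basenames by their first
    prefix_len characters, case-insensitively. Otherwise random-looking names
    that share one prefix across system32\\ and drivers\\ are one file set."""
    groups = defaultdict(list)
    for path in paths:
        name = ntpath.basename(path)
        groups[name[:prefix_len].lower()].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= 2}


def assess(log_text):
    """Summarise: unique targets, prefix clusters, and which targets are
    kernel drivers (.sys). A driver that loads at boot is already in use by
    the time a logon-time RunOnce 'del' runs, so that delete cannot succeed;
    this matches the 'comes back after restart' symptom in the first post."""
    targets = unique_targets(parse_deferred_deletes(log_text))
    drivers = [p for p in targets if p.lower().endswith('.sys')]
    return {
        'targets': targets,
        'clusters': cluster_by_prefix(targets),
        'drivers': drivers,
        'reboot_persistent': bool(drivers),
    }


if __name__ == '__main__':
    for key, value in assess(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Run against the sample, this reports five distinct files under one `skynet` prefix, one of which is a driver under `system32\drivers\`, which is why a user-mode delete queued in RunOnce is not going to clear it.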

  • Staff

Hi,

First of all, I see you are running AdWatch.

I suggest you disable it because it can interfere with the fixes.

To disable Ad-Watch: right-click the Ad-Watch icon in the system tray and select Disable Ad-Watch Live.

Then, Flush your system restore points:

To do this, you have to disable System Restore and then enable it again afterwards.

(Note: this will delete all your System Restore points and any malware that was present in them.)

How to disable system restore in XP <= click me for instructions with screenshots

After you have disabled System Restore, reboot, and after rebooting enable it again so that a new System Restore point is made. A clean one now! :(

Then, after the reboot, please update Malwarebytes, because the database version is outdated.

  • Start Malwarebytes and click the Update tab. There click "Check for updates".
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

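The staff reply asks for the restore points to be flushed before anything else, and the Malwarebytes log above shows why: its only hit sits inside a System Restore snapshot and was left with "No action taken". As an added example (not from the thread and not a Malwarebytes tool), here is the same kind of triage for an MBAM log in Python: it separates findings that live under `System Volume Information\_restore{...}\RPnnn\` (inert copies, cleared by flushing System Restore) from findings on the live file system, lists anything the scan reported but did not remove, and reads the database version so it can be compared with the current one. The restore-point line is copied from the log above; the second finding and the "current version" threshold in the usage note are constructed for the example.

```python
import re

# Two header lines and the one finding copied from the MBAM log in this
# thread, plus one CONSTRUCTED live finding so both branches are exercised.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Files Infected:
C:\System Volume Information\_restore{31B8BED5-9D7F-4557-ABBD-A1EED92B436E}\RP144\A0033811.dll (Adware.PopCap) -> No action taken.
C:\WINDOWS\system32\example_live.dll (Trojan.Example) -> Quarantined and deleted successfully.
"""

# '<path> (<detection name>) -> <action>.' as MBAM 1.x prints a file finding.
FINDING = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$'
)
# A path inside a System Restore snapshot on XP.
RESTORE_POINT = re.compile(
    r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\', re.I
)
DB_VERSION = re.compile(r'^Database version: (\d+)$')


def database_version(log_text):
    """Return the signature database version as an int, or None if absent."""
    for line in log_text.splitlines():
        m = DB_VERSION.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def parse_findings(log_text):
    """Return [{'path', 'name', 'action'}] for every file finding line."""
    findings = []
    for line in log_text.splitlines():
        m = FINDING.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def triage(log_text):
    """Bucket findings: 'restore_point' (inside a System Restore snapshot,
    removed by flushing System Restore), 'live' (on the running file system),
    and 'not_removed' (paths the scan reported but left in place, which means
    the scan was run without clicking Remove Selected)."""
    buckets = {'restore_point': [], 'live': [], 'not_removed': []}
    for f in parse_findings(log_text):
        key = 'restore_point' if RESTORE_POINT.search(f['path']) else 'live'
        buckets[key].append(f)
        if f['action'].lower().startswith('no action taken'):
            buckets['not_removed'].append(f['path'])
    return buckets


if __name__ == '__main__':
    print('database version:', database_version(MBAM_LOG))
    for bucket, items in triage(MBAM_LOG).items():
        print(bucket, '->', items)
```

A practitioner would compare `database_version()` against the version the current MBAM update reports (a number the thread does not give) and treat anything in `not_removed` as a scan that still has to be re-run with Remove Selected, exactly as the staff reply instructs.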

This topic is now closed to further replies.