TDSS.rtk problem



zeppox
2009-05-18, 04:07
Actually, it started with spywareprotect 2009.
Trying to get rid of it, I discovered that neither spybot nor malwarebytes would run, nor would they uninstall. McAfee, Lavasoft, and Windows Defender did no good, but McAfee's knowledge base told how to get rid of the iehelper.dll that spywareprotect uses, and these forums told me how to get spybot running again (.scr file).
Then Spybot got rid of spywareprotect, I think.
It also clears tdss.rtk, but the thing comes back when the computer is booted.
Also, malwarebytes still won't run. I did get it to uninstall, but the reinstall won't complete. There are no error messages nor event entries associated with this failure. It gets to the "finish" box, shows the blue progress bar filled, then stops. Task manager simply shows the installer as unresponsive.
I also ran ccleaner, something I do regularly anyway.
One more note: McAfee has to stay active on this PC because I use it to connect with my employer's VPN - they require installation of an enterprise version in which the on-access scan cannot be turned off.
Here is the HJT log, though this log is run after Spybot has (apparently) cleaned the tdss.rtk. Perhaps I should reboot and run it again?
Oh, yes -- I backed up the registry with erunt. Thanks for the sticky with the nice instructions and the download links.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:53 PM, on 5/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\pstartSr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://staffnet.rti.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://staffnet.rti.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://staffnet.rti.org
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://staffnet.rti.org/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SMSSiteRTP] wscript.exe //nologo "c:\Program Files\SMS\SMSSiteRTP.vbs"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\IBM\Workplace Forms\Viewer\2.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [SpybotDeletingA8893] command.com /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2386] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9009] command.com /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4594] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9694] command.com /c del "C:\WINDOWS\system32\UACdmajlpfcpemdhpm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2361] cmd.exe /c del "C:\WINDOWS\system32\UACdmajlpfcpemdhpm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2736] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4795] cmd.exe /c del "C:\WINDOWS\system32\UACdmajlpfcpemdhpm.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6722] command.com /c del "C:\WINDOWS\system32\uacinit.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2867] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3771] command.com /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7078] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7503] command.com /c del "C:\WINDOWS\system32\UACltlekjrmijqkmuh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2537] cmd.exe /c del "C:\WINDOWS\system32\UACltlekjrmijqkmuh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7731] command.com /c del "C:\WINDOWS\system32\UACltlekjrmijqkmuh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3726] cmd.exe /c del "C:\WINDOWS\system32\UACltlekjrmijqkmuh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6555] command.com /c del "C:\WINDOWS\system32\UACupoqtptukntpkrx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5135] cmd.exe /c del "C:\WINDOWS\system32\UACupoqtptukntpkrx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6080] command.com /c del "C:\WINDOWS\system32\UACupoqtptukntpkrx.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5862] cmd.exe /c del "C:\WINDOWS\system32\UACupoqtptukntpkrx.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8877] command.com /c del "C:\WINDOWS\system32\UACvfxlnfltnjgexux.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1775] cmd.exe /c del "C:\WINDOWS\system32\UACvfxlnfltnjgexux.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7993] command.com /c del "C:\WINDOWS\system32\UACvfxlnfltnjgexux.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4548] cmd.exe /c del "C:\WINDOWS\system32\UACvfxlnfltnjgexux.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1052] command.com /c del "C:\WINDOWS\system32\UACwqyjdcoxrnxowdy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3775] cmd.exe /c del "C:\WINDOWS\system32\UACwqyjdcoxrnxowdy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2018] command.com /c del "C:\WINDOWS\system32\UACwqyjdcoxrnxowdy.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2699] cmd.exe /c del "C:\WINDOWS\system32\UACwqyjdcoxrnxowdy.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9530] command.com /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2574] cmd.exe /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA242] command.com /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1815] cmd.exe /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9665] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB4956] command.com /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7244] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9846] command.com /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5506] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8428] command.com /c del "C:\WINDOWS\system32\UACdmajlpfcpemdhpm.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4027] cmd.exe /c del "C:\WINDOWS\system32\UACdmajlpfcpemdhpm.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4631] command.com /c del "C:\WINDOWS\system32\UACdmajlpfcpemdhpm.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3006] cmd.exe /c del "C:\WINDOWS\system32\UACdmajlpfcpemdhpm.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9239] command.com /c del "C:\WINDOWS\system32\uacinit.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4322] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9597] command.com /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9248] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1254] command.com /c del "C:\WINDOWS\system32\UACltlekjrmijqkmuh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3241] cmd.exe /c del "C:\WINDOWS\system32\UACltlekjrmijqkmuh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4806] command.com /c del "C:\WINDOWS\system32\UACltlekjrmijqkmuh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8211] cmd.exe /c del "C:\WINDOWS\system32\UACltlekjrmijqkmuh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5492] command.com /c del "C:\WINDOWS\system32\UACupoqtptukntpkrx.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3434] cmd.exe /c del "C:\WINDOWS\system32\UACupoqtptukntpkrx.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9831] command.com /c del "C:\WINDOWS\system32\UACupoqtptukntpkrx.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9526] cmd.exe /c del "C:\WINDOWS\system32\UACupoqtptukntpkrx.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7012] command.com /c del "C:\WINDOWS\system32\UACvfxlnfltnjgexux.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6736] cmd.exe /c del "C:\WINDOWS\system32\UACvfxlnfltnjgexux.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4781] command.com /c del "C:\WINDOWS\system32\UACvfxlnfltnjgexux.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5286] cmd.exe /c del "C:\WINDOWS\system32\UACvfxlnfltnjgexux.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5326] command.com /c del "C:\WINDOWS\system32\UACwqyjdcoxrnxowdy.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5148] cmd.exe /c del "C:\WINDOWS\system32\UACwqyjdcoxrnxowdy.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5750] command.com /c del "C:\WINDOWS\system32\UACwqyjdcoxrnxowdy.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2956] cmd.exe /c del "C:\WINDOWS\system32\UACwqyjdcoxrnxowdy.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8437] command.com /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD984] cmd.exe /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6446] command.com /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD467] cmd.exe /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2095] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6292] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Skype] "c:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Bluetooth.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.aa.com
O15 - Trusted Zone: *.aaa.com
O15 - Trusted Zone: http://www.atilink.com
O15 - Trusted Zone: http://ddiwbt.click2learn.com
O15 - Trusted Zone: http://tv.corpu.com
O15 - Trusted Zone: bricks.coupons.com
O15 - Trusted Zone: http://www.ddiworld.com
O15 - Trusted Zone: *.digsigtrust.com
O15 - Trusted Zone: *.e-rewards.com
O15 - Trusted Zone: *.ebayobjects.com
O15 - Trusted Zone: www.evitamins.com
O15 - Trusted Zone: *.evitamins.com
O15 - Trusted Zone: *.fredandersontoyota.com
O15 - Trusted Zone: www.goldpointsplus.com
O15 - Trusted Zone: *.hellgatelondon.com
O15 - Trusted Zone: *.hilton1.com
O15 - Trusted Zone: http://www.ibm.com
O15 - Trusted Zone: mcr.us.icoke.com
O15 - Trusted Zone: *.identrust.com
O15 - Trusted Zone: http://www5.integrityatwork.net
O15 - Trusted Zone: http://www.integrityweb.net
O15 - Trusted Zone: customerpage.jmfamily.com
O15 - Trusted Zone: http://www.lgp-iraq.org
O15 - Trusted Zone: www.medicalert.com
O15 - Trusted Zone: *.nzone.com
O15 - Trusted Zone: http://survey.otxresearch.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.prillycharmin.com
O15 - Trusted Zone: *.questionmarket.com
O15 - Trusted Zone: www.radisson.com
O15 - Trusted Zone: http://meetingplace.rti.org
O15 - Trusted Zone: http://staffnet.rti.org
O15 - Trusted Zone: http://self.shi.com
O15 - Trusted Zone: http://*.shi.com
O15 - Trusted Zone: http://www.shipleywins.com
O15 - Trusted Zone: *.shopadidas.com
O15 - Trusted Zone: *.sonystyle.com
O15 - Trusted Zone: http://www.surveymonkey.com
O15 - Trusted Zone: *.surveywriter.net
O15 - Trusted Zone: http://www.thesolutioncenter.com
O15 - Trusted Zone: *.online.tns-global.com
O15 - Trusted Zone: http://www.transperfect.com
O15 - Trusted Zone: http://*.rti.org (HKLM)
O15 - Trusted Zone: http://self.shi.com (HKLM)
O15 - Trusted Zone: http://*.shi.com (HKLM)
O16 - DPF: {AF32F794-D1C1-11D2-AC8D-00A0C999560F} (PixDocView.DocumentView) - http://edms.rti.org/ExpenseAppr_code/mxview51.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O17 - HKLM\Software\..\Telephony: DomainName = RCC_NT.RTI.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O20 - AppInit_DLLs: AMINIT.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 22644 bytes
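As an added example (not part of the original thread or of any tool named in it), here is a small scanner that reads HijackThis O4 lines like the ones in the log above and reports files that follow the naming pattern Spybot queued for deletion there ("UAC" followed by a run of random letters, plus uacinit.dll), collapsing repeats across HKLM and HKCU and noting when one of them is a kernel driver under \drivers\, which is the component that would reload at boot. The sample lines are copied from this log, and the 10-letter minimum in the pattern is an assumption fitted to the names seen here.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread,
# plus benign entries (ctfmon, McAfee) so the scanner has negatives to skip.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA9009] command.com /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4795] cmd.exe /c del "C:\WINDOWS\system32\UACdmajlpfcpemdhpm.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3771] command.com /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA242] command.com /c del "C:\WINDOWS\system32\UACxlhjguyttrccngf.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5506] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACkvuxkjqedqumkqa.sys"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# HijackThis O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] (.*)$')
# A Windows path inside the command, either quoted or a bare token.
WIN_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
# Naming pattern of the files Spybot queued for deletion in this log: "UAC" plus a run
# of random letters, or uacinit.dll. The 10-letter minimum is an assumption fitted to it.
TDSS_NAME_RE = re.compile(r'^(?:uac[a-z]{10,}\.(?:dll|sys|log)|uacinit\.dll)(?:_old)?$',
                          re.IGNORECASE)
O20_NOTIFY_PREFIX = 'O20 - Winlogon Notify: '


def scan_hjt(text):
    """Return one finding per suspicious path, in log order."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, value_name, command = m.groups()
            for quoted, bare in WIN_PATH_RE.findall(command):
                path = quoted or bare
                if TDSS_NAME_RE.match(path.rsplit('\\', 1)[-1]):
                    findings.append({'kind': 'tdss-name', 'hive': hive, 'key': key,
                                     'value': value_name, 'path': path,
                                     # a kernel driver under \drivers\ is what reloads at boot
                                     'driver': '\\drivers\\' in path.lower()})
        elif line.startswith(O20_NOTIFY_PREFIX) and line.endswith('(file missing)'):
            # Winlogon notification package whose DLL is gone: a dangling hook worth review
            name = line[len(O20_NOTIFY_PREFIX):].split(' - ', 1)[0]
            findings.append({'kind': 'orphan-winlogon-notify', 'name': name, 'path': line})
    return findings


def summarize(findings):
    """Collapse repeats across HKLM/HKCU and say whether a driver component is present."""
    by_name = {}
    for f in findings:
        if f['kind'] == 'tdss-name':
            base = f['path'].rsplit('\\', 1)[-1]
            by_name.setdefault(base, f['driver'])
    drivers = sorted(n for n, is_driver in by_name.items() if is_driver)
    return {'artifacts': sorted(by_name), 'drivers': drivers,
            'reboot_persistence': bool(drivers)}


if __name__ == '__main__':
    found = scan_hjt(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarize(found))
```

Running it on the full log from this post would produce the same four distinct artifacts, since every RunOnce entry there repeats the same file set for HKLM and HKCU.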

ken545
2009-05-18, 13:18
Hello zeppox

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You're infected with a Rootkit, and because this is a company computer you are taking the chance of infecting all the company computers on the network. We just fix computers for home users; you need to contact your IT Dept for help.

zeppox
2009-05-18, 23:17
I think this thread can be closed because the PC is kaput due to hardware problems.

Thank you for the reply, and I am sorry for the misunderstanding -- the machine in question was not a "company PC," though I understand how it looks as such because it was originally a company PC that they let me take home after they got me an upgrade. And it had what policy requires of any machine that connects to the VPN, such as up-to-date Pointsec and McAfee enterprise. Rock and hard place: company IT won't support it because it was not theirs anymore; and others are reluctant to touch what looks like a company PC. Get what I pay for, I suppose, and this freebie was nice while it lasted. As you say -- it risks infecting the network, so I have stayed off the VPN. I also alerted company IT, and so far so good.

I refer to the machine in past tense because I took it to a local PC anything store and found that the rtk was a side show to hardware troubles. Indeed, now it won't boot under any circumstances. Repair is costly and iffy, so I am replacing it.

Fortunately, I backed up everything at the first sign of trouble.

Thanks again for all you folks do. I certainly will continue to use and support Spybot.

ken545
2009-05-19, 00:10
You're very welcome,

Ken:)