Results 1 to 5 of 5

Thread: Win32.TDSS.rtk how I can clean my pc?

  1. #1
    Junior Member python64's Avatar
    Join Date
    Apr 2009
    Posts
    2

    Default Win32.TDSS.rtk how I can clean my pc?

    Hi to *,

    I find the Trojan in object, but spybot don't remove, because I run a lot of times but it found always....

    I follow the guide for a new post... then I copy the Hijackthis's log for your interpretations..

    Thank in advance to guy that help me.
    ************************************
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20.18.21, on 04/04/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\DisplayLink Core Software\DisplayLinkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\McAfee\Common Framework\FrameworkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Tivoli\TSM\baclient\dsmcsvc.exe
    C:\Programmi\WINDEasyConnect\WTGService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Programmi\McAfee\Common Framework\UdaterUI.exe
    C:\Programmi\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\vsnp2std.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Programmi\Palm\Hotsync.exe
    C:\Programmi\Kensington Display Adapter\DisplayLinkKensingtonSupport.exe
    C:\Programmi\DisplayLink Core Software\DisplayLinkUI.exe
    C:\Programmi\DisplayLink Core Software\DisplayLinkManager.exe
    C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\Desktop\dds.scr
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\cscript.exe
    C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\Google Toolbar\gtb7E.tmp.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.antiviruslab.com/search.php?v1=Win32:Trojan-gen%20{Other}&lang=gb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmi\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Client Access Service] "C:\Programmi\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Programmi\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Programmi\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Programmi\IBM\Client Access\cwbwlwiz.exe"
    O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Programmi\IBM\Client Access\Emulator\pcssnd.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9690] command.com /c del "C:\WINDOWS\system32\uacinit.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7225] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB1366] command.com /c del "C:\WINDOWS\system32\uacinit.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8640] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-21-839522115-2111687655-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'pesce')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Programmi\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Programmi\Palm\Hotsync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1224512184436
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ROGGEROETORTIA.local
    O17 - HKLM\Software\..\Telephony: DomainName = ROGGEROETORTIA.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BC57226B-DBD7-40A8-927E-ED4099BFBEE3}: NameServer = 193.70.152.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ROGGEROETORTIA.local
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Programmi\DisplayLink Core Software\DisplayLinkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programmi\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: TSMSched - IBM Corporation - C:\Programmi\Tivoli\TSM\baclient\dsmcsvc.exe
    O23 - Service: WTGService - Unknown owner - C:\Programmi\WINDEasyConnect\WTGService.exe

    --
    End of file - 8667 bytes

    ********************************

    I waiting you help... thanks

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi python64

    Is that your personal system or one at workplace?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member python64's Avatar
    Join Date
    Apr 2009
    Posts
    2

    Default

    Hi Blade81,

    the system is at workplace

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    In that case, please see post #5 of before you post -topic:
    Note:
    When the infected computer in question is a company machine in the workplace, and you are an employee.


    The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

    The majority of the tools used in this forum are only free for Home Users and only tested on Home machines, they may well change settings that are required for a Company network. Another consideration is that company information may show in the logs.

    More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

    To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

    It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.

    Thank you for your understanding.
    --------------------------------------------
    As Malware removal forum volunteers are unable to assist users with infected Corporate, Government, Small Business or Institutional machines, please contact our office support so they may provide direct assistance for your needs. Thank you.

    Spybot S&D Corporate-Small Business Editions
    For more information, please send an email to licenses(at)spybot.info
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Due to inactivity, this thread will now be closed.

    Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •