Thread: w32.TDSS.rtk can't remove with Spybot

  1. #1
    Junior Member | Join Date: Mar 2009 | Posts: 6

    w32.TDSS.rtk can't remove with Spybot

    Hello,

    SpyBot discovered a virus designated w32.TDSS.rtk. I became aware of the virus when my web searches kept being redirected to various sites. I also noticed that I was unable to launch antivirus/malware detection programs unless I renamed their executable file. Below is my HJT log file. Thank you for any help you can provide.

    Sincerely,
    Chris

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:05:13 PM, on 3/15/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7685] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC111] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8204] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4116] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5650] command.com /c del "C:\WINDOWS\system32\UACmdnhophb.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2728] cmd.exe /c del "C:\WINDOWS\system32\UACmdnhophb.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA169] command.com /c del "C:\WINDOWS\system32\UACmdnhophb.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC27] cmd.exe /c del "C:\WINDOWS\system32\UACmdnhophb.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2312] command.com /c del "C:\WINDOWS\system32\UACmtayskke.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2706] cmd.exe /c del "C:\WINDOWS\system32\UACmtayskke.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5199] command.com /c del "C:\WINDOWS\system32\UACplxvloep.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5137] cmd.exe /c del "C:\WINDOWS\system32\UACplxvloep.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2442] command.com /c del "C:\WINDOWS\system32\UACptjawpcv.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7102] cmd.exe /c del "C:\WINDOWS\system32\UACptjawpcv.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7994] command.com /c del "C:\WINDOWS\system32\UACxejtxkoa.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1594] cmd.exe /c del "C:\WINDOWS\system32\UACxejtxkoa.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8621] command.com /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8911] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8674] command.com /c del "C:\WINDOWS\system32\UACdwjcgsnq.log_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4347] cmd.exe /c del "C:\WINDOWS\system32\UACdwjcgsnq.log_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3787] command.com /c del "C:\WINDOWS\system32\UACdwjcgsnq.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4136] cmd.exe /c del "C:\WINDOWS\system32\UACdwjcgsnq.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8766] command.com /c del "C:\WINDOWS\system32\UACievrhrwr.dat_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3212] cmd.exe /c del "C:\WINDOWS\system32\UACievrhrwr.dat_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA888] command.com /c del "C:\WINDOWS\system32\UACievrhrwr.dat"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5101] cmd.exe /c del "C:\WINDOWS\system32\UACievrhrwr.dat"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8647] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7700] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3343] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2952] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3291] command.com /c del "C:\WINDOWS\system32\UACmdnhophb.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4221] cmd.exe /c del "C:\WINDOWS\system32\UACmdnhophb.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9041] command.com /c del "C:\WINDOWS\system32\UACmdnhophb.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7373] cmd.exe /c del "C:\WINDOWS\system32\UACmdnhophb.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9920] command.com /c del "C:\WINDOWS\system32\UACmtayskke.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9496] cmd.exe /c del "C:\WINDOWS\system32\UACmtayskke.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5505] command.com /c del "C:\WINDOWS\system32\UACplxvloep.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3006] cmd.exe /c del "C:\WINDOWS\system32\UACplxvloep.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB667] command.com /c del "C:\WINDOWS\system32\UACptjawpcv.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8129] cmd.exe /c del "C:\WINDOWS\system32\UACptjawpcv.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2048] command.com /c del "C:\WINDOWS\system32\UACxejtxkoa.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5982] cmd.exe /c del "C:\WINDOWS\system32\UACxejtxkoa.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9491] command.com /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8418] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5264] command.com /c del "C:\WINDOWS\system32\UACdwjcgsnq.log_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6090] cmd.exe /c del "C:\WINDOWS\system32\UACdwjcgsnq.log_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB482] command.com /c del "C:\WINDOWS\system32\UACdwjcgsnq.log"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5686] cmd.exe /c del "C:\WINDOWS\system32\UACdwjcgsnq.log"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5461] command.com /c del "C:\WINDOWS\system32\UACievrhrwr.dat_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8275] cmd.exe /c del "C:\WINDOWS\system32\UACievrhrwr.dat_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4033] command.com /c del "C:\WINDOWS\system32\UACievrhrwr.dat"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1505] cmd.exe /c del "C:\WINDOWS\system32\UACievrhrwr.dat"
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
    O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1182577158904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182577218748
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EDA70E79-D582-413E-AFAB-3304E125F02A}: NameServer = 68.94.156.1,68.94.157.1
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe (file missing)

    --
    End of file - 9596 bytes
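    The HJT log above already contains the three things a helper would pull out first: the RunOnce `del` entries Spybot left behind (a cleaner writes those when it cannot delete a file while Windows is running, so the delete is deferred to the next boot), the DNS servers in the O17 line, and the O23 service whose binary is missing. The script below is an added example for this thread, not code from HijackThis, Spybot or the poster; it parses a handful of lines quoted from the log above and reports those indicators. The `UAC` + eight-lowercase-letters pattern it matches is taken from the file names in the log, not from any published signature.

```python
"""Triage a HijackThis (HJT) log for the indicators visible in the post above.

Added example for this thread; not part of HijackThis, Spybot or the original post.
It extracts:
  * O4 RunOnce entries of the form [SpybotDeleting...] cmd.exe /c del "<path>",
    i.e. deletes a cleaner had to defer to the next boot,
  * O17 NameServer entries (the DNS servers the adapter is configured with),
  * O23 services whose binary HJT reports as "(file missing)".
"""
import re
from collections import defaultdict

# Naming pattern of the files in the log: UAC + 8 lowercase letters under system32,
# with a .dll/.sys/.dat/.log/.db extension, optionally renamed with "_old".
TDSS_NAME = re.compile(r"\\UAC[a-z]{8}\.(?:dll|sys|dat|log|db)(?:_old)?$")
RUNONCE_DEL = re.compile(
    r'^O4 - (HKLM|HKCU)\\\.\.\\RunOnce: \[([^\]]+)\] '
    r'(?:command\.com|cmd\.exe) /c del "([^"]+)"$')
NAMESERVER = re.compile(r"^O17 - .*NameServer = (.+)$")
SERVICE_MISSING = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?) \(file missing\)$")

# Lines quoted from the HJT log in the post above (a subset; nothing invented).
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [SpybotDeletingA7685] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC111] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8621] command.com /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8647] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9491] command.com /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDA70E79-D582-413E-AFAB-3304E125F02A}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe (file missing)
"""


def triage_hjt(log_text):
    """Return deferred deletes, DNS servers and missing service binaries found in an HJT log."""
    deferred = defaultdict(set)   # target path -> hives (HKLM/HKCU) that scheduled a delete
    dns, missing = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUNONCE_DEL.match(line):
            hive, _entry_name, path = m.groups()
            deferred[path].add(hive)
        elif m := NAMESERVER.match(line):
            dns.extend(s.strip() for s in m.group(1).split(","))
        elif m := SERVICE_MISSING.match(line):
            missing.append({"service": m.group(1), "owner": m.group(2), "path": m.group(3)})
    deletes = [{"path": p, "hives": sorted(h), "tdss_name": bool(TDSS_NAME.search(p))}
               for p, h in sorted(deferred.items())]
    return {"deferred_deletes": deletes, "dns_servers": dns, "missing_service_files": missing}


def rootkit_components(findings):
    """Deferred-delete targets matching the UAC naming pattern, with any _old suffix stripped."""
    return sorted({re.sub(r"_old$", "", d["path"])
                   for d in findings["deferred_deletes"] if d["tdss_name"]})


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_LOG)
    for d in result["deferred_deletes"]:
        print("deferred delete:", d["path"], d["hives"], "rootkit-style name" if d["tdss_name"] else "")
    print("DNS servers:", result["dns_servers"])
    print("services with missing binary:", result["missing_service_files"])
    print("components to look for after reboot:", rootkit_components(result))
```

    A same path scheduled for deletion from both HKLM and HKCU, as the `hives` field shows, is Spybot trying every RunOnce location it can; it tells you nothing about whether the delete succeeded, which is why a fresh log after reboot is asked for. The DNS servers and the missing service binary are reported, not judged: whether 68.94.156.1 is the ISP's resolver or a hijacker's is something to check against the user's provider, and a service with a missing binary is often just a leftover uninstall.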

  2. #2
    Security Expert: Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 29,374

    Hi csellers

    Please post the next Spybot report.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member | Join Date: Mar 2009 | Posts: 6

    Hello Shaba,

    Here is the requested log from SpyBot.


    --- Search result list ---
    Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACijytkqcn.dll
    Properties.size=0
    Properties.md5=51BB024C51975821B307CDEECB070B0B

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACmdnhophb.dll
    Properties.size=0
    Properties.md5=488DEF8D52CFE032CE57E6DAAB050216

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACmtayskke.dll
    Properties.size=0
    Properties.md5=65BF93C12AE22B4A6B992BD0874E3FD4

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACplxvloep.dll
    Properties.size=0
    Properties.md5=F0FCB36ABCD5E7CAA9C466798AE52C16

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACptjawpcv.dll
    Properties.size=0
    Properties.md5=2D799A41206B454314B65463A7CBCD01

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACxejtxkoa.dll
    Properties.size=0
    Properties.md5=3B1CF817D6558FE625F0A1A3EE59FBF2

    Win32.TDSS.rtk: [SBI $F5C07D5F] File (File, fixed)
    C:\WINDOWS\system32\drivers\UACqotglkun.sys
    Properties.size=0
    Properties.md5=434C423FB26944AEF891BFF1980B4A3B

    Win32.TDSS.rtk: [SBI $A6C31C87] File (File, fixed)
    C:\WINDOWS\system32\UACdwjcgsnq.log
    Properties.size=0
    Properties.md5=BD5D7CF7256C7CF7322159C3BA334BFA

    Win32.TDSS.rtk: [SBI $4308E857] File (File, fixed)
    C:\WINDOWS\system32\UACievrhrwr.dat
    Properties.size=0
    Properties.md5=1FBEC9F3386D24051B5FF0300C61FE3B
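    One thing worth noticing in the Spybot report above: every Win32.TDSS.rtk file entry reports `Properties.size=0` next to a non-trivial MD5. Those two values cannot both be right for an ordinary file, because the MD5 of zero bytes is always `d41d8cd98f00b204e9800998ecf8427e`. A scanner that gets "0 bytes" from one file API and real content from another is being fed inconsistent answers, which is the kind of behaviour a file-hiding rootkit component produces. The script below is an added example for this thread, not code from Spybot or the poster; it parses a subset of the report quoted above and flags exactly that inconsistency.

```python
"""Parse a Spybot - Search & Destroy 'Search result list' and sanity-check file entries.

Added example for this thread; not part of Spybot or the original post.
Flags file entries whose reported size is 0 but whose MD5 is not the MD5 of an
empty file, an inconsistency a normal on-disk file cannot produce.
"""
import hashlib
import re

EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # d41d8cd98f00b204e9800998ecf8427e

# Detection header, e.g.  Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
HEADER = re.compile(
    r"^(?P<name>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]{8})\] (?P<kind>.+?) "
    r"\((?P<type>[^,]+), (?P<status>[^)]+)\)$")

# Subset of the report posted above (quoted from the post, not constructed).
SAMPLE_REPORT = r"""
--- Search result list ---
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
C:\WINDOWS\system32\UACijytkqcn.dll
Properties.size=0
Properties.md5=51BB024C51975821B307CDEECB070B0B

Win32.TDSS.rtk: [SBI $F5C07D5F] File (File, fixed)
C:\WINDOWS\system32\drivers\UACqotglkun.sys
Properties.size=0
Properties.md5=434C423FB26944AEF891BFF1980B4A3B

Win32.TDSS.rtk: [SBI $4308E857] File (File, fixed)
C:\WINDOWS\system32\UACievrhrwr.dat
Properties.size=0
Properties.md5=1FBEC9F3386D24051B5FF0300C61FE3B
"""


def parse_report(text):
    """Return one dict per detection: name, sbi, kind, type, status, target, props."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = HEADER.match(line)
        if m:
            cur = dict(m.groupdict(), target=None, props={})
            entries.append(cur)
        elif cur is None:
            continue                        # text before the first detection header
        elif line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            cur["props"][key] = value
        elif cur["target"] is None:
            cur["target"] = line            # the file path or registry value
    return entries


def inconsistent_files(entries):
    """Paths reported as 0 bytes whose MD5 is not the MD5 of an empty file."""
    return [e["target"] for e in entries
            if e["type"] == "File"
            and e["props"].get("size") == "0"
            and e["props"].get("md5", "").lower() != EMPTY_MD5]


def detections_by_name(entries):
    """Count of entries per detection name."""
    counts = {}
    for e in entries:
        counts[e["name"]] = counts.get(e["name"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("detections:", detections_by_name(found))
    for path in inconsistent_files(found):
        print("size 0 but non-empty MD5 (hidden content?):", path)
```

    The registry entry in the same report (the Security Center service's `Start` value) is parsed too but never flagged, since the size/MD5 check only applies to `File` entries. Note that the check says nothing about which files are malicious; it only says the scanner's view of those files is internally inconsistent, which is a reason to trust a "fixed" result less until a post-reboot scan confirms the files are gone.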

  4. #4
    Security Expert: Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 29,374

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

  5. #5
    Junior Member | Join Date: Mar 2009 | Posts: 6

    Here is the requested ComboFix log and an updated HijackThis log.

    ComboFix 09-03-15.01 - Chris 2009-03-17 22:57:24.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1628 [GMT -7:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFixs.exe
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\drivers\UACqotglkun.sys
    c:\windows\system32\UACafahvcot.db
    c:\windows\system32\UACdwjcgsnq.log
    c:\windows\system32\UACievrhrwr.dat
    c:\windows\system32\UACijytkqcn.dll
    c:\windows\system32\uacinit.dll
    c:\windows\system32\UACmdnhophb.dll
    c:\windows\system32\UACmtayskke.dll
    c:\windows\system32\UACouqumssv.log
    c:\windows\system32\UACplxvloep.dll
    c:\windows\system32\UACptjawpcv.dll
    c:\windows\system32\UACvrhdnlsr.log
    c:\windows\system32\UACxejtxkoa.dll

    ----- BITS: Possible infected sites -----

    hxxp://download.esd.intuit.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
    .

    2009-03-17 22:56 . 2009-03-17 23:01 630,816 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2009-03-17 22:56 . 2009-03-17 23:02 73,760 --ahs---- c:\windows\system32\drivers\fidbox2.dat
    2009-03-17 22:56 . 2009-03-17 23:01 6,008 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2009-03-17 22:56 . 2009-03-17 23:02 1,332 --ahs---- c:\windows\system32\drivers\fidbox2.idx
    2009-03-17 18:39 . 2009-03-17 18:45 101,287 --a------ c:\windows\system32\drivers\klin.dat
    2009-03-17 18:39 . 2009-03-17 18:45 89,601 --a------ c:\windows\system32\drivers\klick.dat
    2009-03-17 18:38 . 2009-03-17 18:38 <DIR> d-------- c:\program files\Kaspersky Lab
    2009-03-17 18:38 . 2009-03-17 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-03-17 18:32 . 2009-03-17 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-03-16 19:47 . 2009-03-17 18:22 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-15 20:59 . 2009-03-15 20:59 <DIR> d-------- c:\program files\Trend Micro
    2009-03-15 20:57 . 2009-03-15 20:57 <DIR> d-------- c:\program files\ERUNT
    2009-03-15 17:20 . 2009-03-17 21:50 6,292 --a------ c:\windows\wininit.ini
    2009-03-15 16:38 . 2009-03-17 21:01 1,896,749 --a------ c:\windows\system32\uactmp.db
    2009-03-15 16:36 . 2009-03-17 21:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-15 16:36 . 2009-03-17 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-14 18:19 . 2009-03-14 18:28 <DIR> d-------- c:\documents and settings\Chris\Application Data\MySQL
    2009-03-14 17:49 . 2009-03-15 18:17 <DIR> d-------- C:\Perl
    2009-02-20 00:21 . 2009-02-20 00:23 <DIR> d-------- c:\documents and settings\Chris\Application Data\JPEGsnoop
    2009-02-19 22:46 . 2009-02-19 22:46 <DIR> d-------- c:\documents and settings\Chris\Application Data\Leadertech
    2009-02-18 19:40 . 2009-02-18 19:41 9,662 --a------ c:\windows\EPISME00.SWB

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-18 03:37 --------- d-----w c:\program files\SoundTaxi
    2009-03-18 01:45 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
    2009-03-18 01:22 --------- d-----w c:\program files\Java
    2009-03-17 03:17 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-13 19:11 --------- d-----w c:\documents and settings\Chris\Application Data\Move Networks
    2009-03-02 14:39 --------- d-----w c:\documents and settings\Chris\Application Data\Azureus
    2009-03-01 01:58 --------- d-----w c:\program files\Azureus
    2009-02-18 05:10 --------- d-----w c:\program files\Common Files\Intuit
    2009-02-18 05:05 --------- d-----w c:\program files\Reference Assemblies
    2009-02-18 05:05 --------- d-----w c:\program files\MSBuild
    2009-02-18 05:03 --------- d-----w c:\program files\MSXML 6.0
    2009-02-18 04:37 --------- d-----w c:\documents and settings\Chris\Application Data\Intuit
    2009-02-18 04:17 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
    2009-02-18 04:16 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
    2009-02-18 04:13 --------- d-----w c:\program files\TurboTax
    2008-12-20 19:00 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-12-20 19:00 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-12-20 19:00 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-12-20 19:00 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-12-20 19:00 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="c:\program files\AIM95\aim.exe" [2001-12-18 53248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-17 148888]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-03-17 206088]

    c:\documents and settings\Chris\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    --a------ 2007-04-19 21:29 149024 c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    --a------ 2007-04-19 21:38 1945688 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    --a------ 2001-12-18 17:45 53248 c:\program files\AIM95\aim.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
    --a------ 2007-04-19 21:24 1169744 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
    --a------ 2006-12-15 14:13 31552 c:\program files\GIGABYTE\ET5\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4200 Series]
    --a------ 2005-03-07 12:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    -ra------ 2005-11-27 22:52 77824 c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    -ra------ 2005-11-27 22:55 118784 c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    -ra------ 2005-11-27 22:55 98304 c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2006-03-17 19:24 184320 c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RevoTaskbarApp]
    --a------ 2004-06-14 16:58 221184 c:\windows\system32\RevoTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-10-10 17:36 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2007-05-14 15:22 35328 c:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "vsmon"=2 (0x2)
    "SoundMovieServer"=3 (0x3)
    "ose"=3 (0x3)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "idsvc"=3 (0x3)
    "SqueezeMySQL"=2 (0x2)
    "IntuitUpdateService"=2 (0x2)
    "AcrSch2Svc"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59800:UDP"= 59800:UDP:Azur1
    "59800:TCP"= 59800:TCP:Azur2
    "9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
    "9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (CLI)
    "3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
    "3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-09 38144]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
    R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-08-11 3768]
    S3 MarkFun_NT;MarkFun_NT;c:\program files\GIGABYTE\ET5\MARKFUN.W32 [2007-06-23 13512]
    S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
    S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
    S4 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-08-11 184320]
    S4 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: turbotax.com
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\fbwxptvq.default\
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-17 23:02:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
    "ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1184)
    c:\windows\system32\relog_ap.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-17 23:05:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-18 06:05:41

    Pre-Run: 4,623,773,696 bytes free
    Post-Run: 4,676,468,736 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    220 --- E O F --- 2008-08-12 03:44:19

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:14:18 PM, on 3/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1182577158904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182577218748
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 3396 bytes

  6. #6
    Security Expert: Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 29,374

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:

    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
