
Thread: w32.TDSS.rtk can't remove with Spybot

  1. #1 Junior Member (joined Mar 2009, 6 posts)

    w32.TDSS.rtk can't remove with Spybot

    Hello,

    Spybot discovered a virus designated w32.TDSS.rtk. I became aware of the virus when my web searches kept being redirected to various sites. I also noticed that I was unable to launch antivirus/malware detection programs unless I renamed their executable file. Below is my HJT log file. Thank you for any help you can provide.

    Sincerely,
    Chris

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:05:13 PM, on 3/15/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7685] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC111] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8204] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4116] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5650] command.com /c del "C:\WINDOWS\system32\UACmdnhophb.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2728] cmd.exe /c del "C:\WINDOWS\system32\UACmdnhophb.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA169] command.com /c del "C:\WINDOWS\system32\UACmdnhophb.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC27] cmd.exe /c del "C:\WINDOWS\system32\UACmdnhophb.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2312] command.com /c del "C:\WINDOWS\system32\UACmtayskke.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2706] cmd.exe /c del "C:\WINDOWS\system32\UACmtayskke.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5199] command.com /c del "C:\WINDOWS\system32\UACplxvloep.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5137] cmd.exe /c del "C:\WINDOWS\system32\UACplxvloep.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2442] command.com /c del "C:\WINDOWS\system32\UACptjawpcv.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7102] cmd.exe /c del "C:\WINDOWS\system32\UACptjawpcv.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7994] command.com /c del "C:\WINDOWS\system32\UACxejtxkoa.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1594] cmd.exe /c del "C:\WINDOWS\system32\UACxejtxkoa.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8621] command.com /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8911] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8674] command.com /c del "C:\WINDOWS\system32\UACdwjcgsnq.log_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4347] cmd.exe /c del "C:\WINDOWS\system32\UACdwjcgsnq.log_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3787] command.com /c del "C:\WINDOWS\system32\UACdwjcgsnq.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4136] cmd.exe /c del "C:\WINDOWS\system32\UACdwjcgsnq.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8766] command.com /c del "C:\WINDOWS\system32\UACievrhrwr.dat_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3212] cmd.exe /c del "C:\WINDOWS\system32\UACievrhrwr.dat_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA888] command.com /c del "C:\WINDOWS\system32\UACievrhrwr.dat"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5101] cmd.exe /c del "C:\WINDOWS\system32\UACievrhrwr.dat"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8647] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7700] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3343] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2952] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3291] command.com /c del "C:\WINDOWS\system32\UACmdnhophb.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4221] cmd.exe /c del "C:\WINDOWS\system32\UACmdnhophb.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9041] command.com /c del "C:\WINDOWS\system32\UACmdnhophb.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7373] cmd.exe /c del "C:\WINDOWS\system32\UACmdnhophb.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9920] command.com /c del "C:\WINDOWS\system32\UACmtayskke.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9496] cmd.exe /c del "C:\WINDOWS\system32\UACmtayskke.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5505] command.com /c del "C:\WINDOWS\system32\UACplxvloep.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3006] cmd.exe /c del "C:\WINDOWS\system32\UACplxvloep.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB667] command.com /c del "C:\WINDOWS\system32\UACptjawpcv.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8129] cmd.exe /c del "C:\WINDOWS\system32\UACptjawpcv.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2048] command.com /c del "C:\WINDOWS\system32\UACxejtxkoa.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5982] cmd.exe /c del "C:\WINDOWS\system32\UACxejtxkoa.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9491] command.com /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8418] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5264] command.com /c del "C:\WINDOWS\system32\UACdwjcgsnq.log_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6090] cmd.exe /c del "C:\WINDOWS\system32\UACdwjcgsnq.log_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB482] command.com /c del "C:\WINDOWS\system32\UACdwjcgsnq.log"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5686] cmd.exe /c del "C:\WINDOWS\system32\UACdwjcgsnq.log"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5461] command.com /c del "C:\WINDOWS\system32\UACievrhrwr.dat_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8275] cmd.exe /c del "C:\WINDOWS\system32\UACievrhrwr.dat_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4033] command.com /c del "C:\WINDOWS\system32\UACievrhrwr.dat"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1505] cmd.exe /c del "C:\WINDOWS\system32\UACievrhrwr.dat"
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
    O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1182577158904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182577218748
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EDA70E79-D582-413E-AFAB-3304E125F02A}: NameServer = 68.94.156.1,68.94.157.1
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe (file missing)

    --
    End of file - 9596 bytes

  2. #2 Security Expert: Emeritus, Finland (joined Oct 2006, 29,374 posts)

    Hi csellers

    Please post the next Spybot report.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3 Junior Member (joined Mar 2009, 6 posts)

    Hello Shaba,

    Here is the requested log from Spybot.

    --- Search result list ---
    Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACijytkqcn.dll
    Properties.size=0
    Properties.md5=51BB024C51975821B307CDEECB070B0B

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACmdnhophb.dll
    Properties.size=0
    Properties.md5=488DEF8D52CFE032CE57E6DAAB050216

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACmtayskke.dll
    Properties.size=0
    Properties.md5=65BF93C12AE22B4A6B992BD0874E3FD4

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACplxvloep.dll
    Properties.size=0
    Properties.md5=F0FCB36ABCD5E7CAA9C466798AE52C16

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACptjawpcv.dll
    Properties.size=0
    Properties.md5=2D799A41206B454314B65463A7CBCD01

    Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
    C:\WINDOWS\system32\UACxejtxkoa.dll
    Properties.size=0
    Properties.md5=3B1CF817D6558FE625F0A1A3EE59FBF2

    Win32.TDSS.rtk: [SBI $F5C07D5F] File (File, fixed)
    C:\WINDOWS\system32\drivers\UACqotglkun.sys
    Properties.size=0
    Properties.md5=434C423FB26944AEF891BFF1980B4A3B

    Win32.TDSS.rtk: [SBI $A6C31C87] File (File, fixed)
    C:\WINDOWS\system32\UACdwjcgsnq.log
    Properties.size=0
    Properties.md5=BD5D7CF7256C7CF7322159C3BA334BFA

    Win32.TDSS.rtk: [SBI $4308E857] File (File, fixed)
    C:\WINDOWS\system32\UACievrhrwr.dat
    Properties.size=0
    Properties.md5=1FBEC9F3386D24051B5FF0300C61FE3B
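As an added triage example (not code from this thread, from Spybot or from HijackThis): the script below parses the O4 RunOnce entries from the HijackThis log in post #1 together with the Spybot result list above and cross-references them, so that a Win32.TDSS.rtk file Spybot reports as "fixed" but which still carries a delete-at-next-logon entry stands out as one that could not be removed while the system was running. The embedded excerpts are constructed from lines shown in this thread; the UAC-prefix naming heuristic is an assumption drawn from the file names seen here, not a general rule.

```python
"""Added triage helper: cross-check HijackThis RunOnce deletes with Spybot's result list."""
import ntpath
import re
from collections import defaultdict

# Constructed excerpts, in the format of the HijackThis and Spybot logs posted in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7685] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8204] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4116] cmd.exe /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3343] command.com /c del "C:\WINDOWS\system32\UACijytkqcn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8621] command.com /c del "C:\WINDOWS\system32\drivers\UACqotglkun.sys"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""
SPYBOT_LOG = r"""
Win32.TDSS.rtk: [SBI $6FDF273A] File (File, fixed)
C:\WINDOWS\system32\UACijytkqcn.dll
Properties.size=0
Properties.md5=51BB024C51975821B307CDEECB070B0B

Win32.TDSS.rtk: [SBI $F5C07D5F] File (File, fixed)
C:\WINDOWS\system32\drivers\UACqotglkun.sys
Properties.size=0
Properties.md5=434C423FB26944AEF891BFF1980B4A3B

Win32.TDSS.rtk: [SBI $4308E857] File (File, fixed)
C:\WINDOWS\system32\UACievrhrwr.dat
Properties.size=0
Properties.md5=1FBEC9F3386D24051B5FF0300C61FE3B
"""

O4_RUNONCE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\RunOnce: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
DEL_TARGET = re.compile(r'\bdel\s+"(?P<path>[^"]+)"', re.IGNORECASE)
SBI_HEADER = re.compile(r'^(?P<threat>[^:\s][^:]*): \[SBI \$(?P<sbi>[0-9A-F]+)\] (?P<kind>\w+) \((?P<detail>[^)]*)\)$')
# Heuristic (assumption drawn from this thread): the rootkit's files are named
# system32\UAC<random>.<ext>, and Spybot's renamed leftovers end in _old.
UAC_NAME = re.compile(r'\\system32\\(?:drivers\\)?uac\w+\.(?:dll|sys|dat|log|db)(?:_old)?$', re.IGNORECASE)


def pending_deletions(hjt_text):
    """Map each file scheduled for deletion at next logon to the hives that schedule it."""
    pending = defaultdict(set)
    for line in hjt_text.splitlines():
        m = O4_RUNONCE.match(line.strip())
        if not m:
            continue
        d = DEL_TARGET.search(m["cmd"])
        if d:
            pending[ntpath.normcase(d["path"])].add(m["hive"])
    return dict(pending)


def spybot_findings(text):
    """Parse Spybot's 'Search result list' into records: header fields, target, properties."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                     # a blank line closes the current record
            current = None
            continue
        m = SBI_HEADER.match(line)
        if m:
            current = {"threat": m["threat"], "sbi": m["sbi"], "kind": m["kind"],
                       "detail": m["detail"], "target": None, "props": {}}
            findings.append(current)
        elif current is None:            # banner text outside any record
            continue
        elif line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            current["props"][key] = value
        elif current["target"] is None:  # first line after the header names the target
            current["target"] = line
    return findings


def triage(hjt_text, spybot_text):
    """One row per Spybot file finding, flagged with what both logs say about it."""
    pending = pending_deletions(hjt_text)
    rows = []
    for f in spybot_findings(spybot_text):
        if f["kind"] != "File" or not f["target"]:
            continue
        key = ntpath.normcase(f["target"])
        rows.append({
            "path": f["target"],
            "threat": f["threat"],
            "reported_fixed": "fixed" in f["detail"],
            "zero_size": f["props"].get("size") == "0",            # scanner saw a 0-byte file
            "pending_delete_hives": sorted(pending.get(key, ())),  # still needs a reboot delete
            "rootkit_naming": bool(UAC_NAME.search(f["target"])),
        })
    return rows


def unreported_pending(hjt_text, spybot_text):
    """Files with a pending delete that the Spybot list does not mention at all."""
    reported = {ntpath.normcase(f["target"]) for f in spybot_findings(spybot_text) if f["target"]}
    return sorted(p for p in pending_deletions(hjt_text) if p not in reported)
```

Run `triage(HJT_LOG, SPYBOT_LOG)` to see which files still had a scheduled delete when the HijackThis log was taken; `unreported_pending` lists the `_old` copies that appear only in the RunOnce keys.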

  4. #4 Security Expert: Emeritus, Finland (joined Oct 2006, 29,374 posts)

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

  5. #5 Junior Member (joined Mar 2009, 6 posts)

    Here is the requested ComboFix log and an updated HijackThis log.

    ComboFix 09-03-15.01 - Chris 2009-03-17 22:57:24.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1628 [GMT -7:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFixs.exe
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\drivers\UACqotglkun.sys
    c:\windows\system32\UACafahvcot.db
    c:\windows\system32\UACdwjcgsnq.log
    c:\windows\system32\UACievrhrwr.dat
    c:\windows\system32\UACijytkqcn.dll
    c:\windows\system32\uacinit.dll
    c:\windows\system32\UACmdnhophb.dll
    c:\windows\system32\UACmtayskke.dll
    c:\windows\system32\UACouqumssv.log
    c:\windows\system32\UACplxvloep.dll
    c:\windows\system32\UACptjawpcv.dll
    c:\windows\system32\UACvrhdnlsr.log
    c:\windows\system32\UACxejtxkoa.dll

    ----- BITS: Possible infected sites -----

    hxxp://download.esd.intuit.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
    .

    2009-03-17 22:56 . 2009-03-17 23:01 630,816 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2009-03-17 22:56 . 2009-03-17 23:02 73,760 --ahs---- c:\windows\system32\drivers\fidbox2.dat
    2009-03-17 22:56 . 2009-03-17 23:01 6,008 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2009-03-17 22:56 . 2009-03-17 23:02 1,332 --ahs---- c:\windows\system32\drivers\fidbox2.idx
    2009-03-17 18:39 . 2009-03-17 18:45 101,287 --a------ c:\windows\system32\drivers\klin.dat
    2009-03-17 18:39 . 2009-03-17 18:45 89,601 --a------ c:\windows\system32\drivers\klick.dat
    2009-03-17 18:38 . 2009-03-17 18:38 <DIR> d-------- c:\program files\Kaspersky Lab
    2009-03-17 18:38 . 2009-03-17 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-03-17 18:32 . 2009-03-17 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-03-16 19:47 . 2009-03-17 18:22 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-15 20:59 . 2009-03-15 20:59 <DIR> d-------- c:\program files\Trend Micro
    2009-03-15 20:57 . 2009-03-15 20:57 <DIR> d-------- c:\program files\ERUNT
    2009-03-15 17:20 . 2009-03-17 21:50 6,292 --a------ c:\windows\wininit.ini
    2009-03-15 16:38 . 2009-03-17 21:01 1,896,749 --a------ c:\windows\system32\uactmp.db
    2009-03-15 16:36 . 2009-03-17 21:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-15 16:36 . 2009-03-17 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-14 18:19 . 2009-03-14 18:28 <DIR> d-------- c:\documents and settings\Chris\Application Data\MySQL
    2009-03-14 17:49 . 2009-03-15 18:17 <DIR> d-------- C:\Perl
    2009-02-20 00:21 . 2009-02-20 00:23 <DIR> d-------- c:\documents and settings\Chris\Application Data\JPEGsnoop
    2009-02-19 22:46 . 2009-02-19 22:46 <DIR> d-------- c:\documents and settings\Chris\Application Data\Leadertech
    2009-02-18 19:40 . 2009-02-18 19:41 9,662 --a------ c:\windows\EPISME00.SWB

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-18 03:37 --------- d-----w c:\program files\SoundTaxi
    2009-03-18 01:45 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
    2009-03-18 01:22 --------- d-----w c:\program files\Java
    2009-03-17 03:17 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-13 19:11 --------- d-----w c:\documents and settings\Chris\Application Data\Move Networks
    2009-03-02 14:39 --------- d-----w c:\documents and settings\Chris\Application Data\Azureus
    2009-03-01 01:58 --------- d-----w c:\program files\Azureus
    2009-02-18 05:10 --------- d-----w c:\program files\Common Files\Intuit
    2009-02-18 05:05 --------- d-----w c:\program files\Reference Assemblies
    2009-02-18 05:05 --------- d-----w c:\program files\MSBuild
    2009-02-18 05:03 --------- d-----w c:\program files\MSXML 6.0
    2009-02-18 04:37 --------- d-----w c:\documents and settings\Chris\Application Data\Intuit
    2009-02-18 04:17 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
    2009-02-18 04:16 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
    2009-02-18 04:13 --------- d-----w c:\program files\TurboTax
    2008-12-20 19:00 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-12-20 19:00 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-12-20 19:00 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-12-20 19:00 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-12-20 19:00 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="c:\program files\AIM95\aim.exe" [2001-12-18 53248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-17 148888]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-03-17 206088]

    c:\documents and settings\Chris\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    --a------ 2007-04-19 21:29 149024 c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    --a------ 2007-04-19 21:38 1945688 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    --a------ 2001-12-18 17:45 53248 c:\program files\AIM95\aim.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
    --a------ 2007-04-19 21:24 1169744 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
    --a------ 2006-12-15 14:13 31552 c:\program files\GIGABYTE\ET5\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4200 Series]
    --a------ 2005-03-07 12:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    -ra------ 2005-11-27 22:52 77824 c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    -ra------ 2005-11-27 22:55 118784 c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    -ra------ 2005-11-27 22:55 98304 c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2006-03-17 19:24 184320 c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RevoTaskbarApp]
    --a------ 2004-06-14 16:58 221184 c:\windows\system32\RevoTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-10-10 17:36 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2007-05-14 15:22 35328 c:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "vsmon"=2 (0x2)
    "SoundMovieServer"=3 (0x3)
    "ose"=3 (0x3)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "idsvc"=3 (0x3)
    "SqueezeMySQL"=2 (0x2)
    "IntuitUpdateService"=2 (0x2)
    "AcrSch2Svc"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59800:UDP"= 59800:UDP:Azur1
    "59800:TCP"= 59800:TCP:Azur2
    "9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
    "9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (CLI)
    "3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
    "3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-09 38144]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
    R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-08-11 3768]
    S3 MarkFun_NT;MarkFun_NT;c:\program files\GIGABYTE\ET5\MARKFUN.W32 [2007-06-23 13512]
    S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
    S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
    S4 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-08-11 184320]
    S4 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: turbotax.com
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\fbwxptvq.default\
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-17 23:02:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
    "ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1184)
    c:\windows\system32\relog_ap.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-17 23:05:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-18 06:05:41

    Pre-Run: 4,623,773,696 bytes free
    Post-Run: 4,676,468,736 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    220 --- E O F --- 2008-08-12 03:44:19

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:14:18 PM, on 3/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1182577158904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182577218748
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 3396 bytes

  6. #6 Security Expert: Emeritus, Finland (joined Oct 2006, 29,374 posts)

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:

    [screenshot not included in this copy of the thread]

    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Mar 2009
    Posts
    6

    Default

    Adobe Flash Player Plugin
    Adobe Photoshop 7.0
    Adobe Reader 8.1.0
    Adobe Shockwave Player
    Adobe® Photoshop® Album Starter Edition 3.2
    Alive MP4 Converter (version 2.0.6.3)
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Any Video Converter 2.5.1
    AOL Instant Messenger (SM)
    Apple Mobile Device Support
    Apple Software Update
    Arasan 10.4
    Arasan 9.5
    Bonjour
    BSPlayer
    CCleaner (remove only)
    CDex extraction audio
    CDisplay 1.8
    Compatibility Pack for the 2007 Office system
    Diablo II
    DMIView B06.1227.01
    DWGeditor
    EasyTune5
    eDrawings 2006
    EPSON CX 4200 4800 Guide
    EPSON Printer Software
    EPSON Scan
    ERUNT 1.1j
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    i-Cool
    Intel(R) Graphics Media Accelerator Driver
    IrfanView (remove only)
    iTunes
    Japanese Fonts Support For Adobe Reader 8
    Java(TM) 6 Update 12
    Java(TM) 6 Update 2
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    Kaspersky Anti-Virus 2009
    Kaspersky Anti-Virus 2009
    Live 6.0.1
    Luxor
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Flash Player 8
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Professional Edition 2003
    Microsoft Windows XP Video Decoder Checkup Utility
    Monopoly Tycoon
    Mozilla Firefox (2.0.0.20)
    MSXML 6.0 Parser (KB933579)
    Nero 6 Ultra Edition
    PowerISO
    QuickTime
    RealPlayer
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Revolution
    Seagate DiscWizard
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917537)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB946026)
    SolidWorks 2006 SP0
    SoundTaxi 3.4.2
    Spybot - Search & Destroy
    StarCraft
    The Rosetta Stone
    TurboTax 2008
    TurboTax 2008 wcaiper
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax Deluxe 2007
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    VideoLAN VLC media player 0.8.6c
    Winamp (remove only)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    WinRAR archiver
    Xvid 1.1.2 final uninstall

  8. #8
    Junior Member
    Join Date
    Mar 2009
    Posts
    6

    Default

    BTW I uninstalled uTorrent and Azureus per your forum's policy on P2P programs.

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Thank you

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    Folder::
    c:\documents and settings\Chris\Application Data\Azureus
    c:\program files\Azureus
    c:\Program Files\uTorrent
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=-
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "c:\\Program Files\\Azureus\\Azureus.exe"=-

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
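A dry-run reviewer for the CFScript above, added here as an example (it is not code from the thread or from ComboFix): it parses the Folder:: and Registry:: sections, unescapes the .reg-style value names, and lists what the script would delete so the script can be checked before it is dragged onto ComboFix.exe. It assumes the Registry:: section follows .reg syntax (a value line ending in =- deletes that value); the SYSTEM_PREFIXES sanity list is a hypothetical addition, and how ComboFix itself executes the script is not modelled.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the CFScript posted in the thread, copied verbatim.
SAMPLE_CFSCRIPT = r"""Folder::
c:\documents and settings\Chris\Application Data\Azureus
c:\program files\Azureus
c:\Program Files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"c:\\Program Files\\Azureus\\Azureus.exe"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# .reg-style value line: "name"=data; data of "-" means "delete this value".
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Hypothetical sanity list: folder deletions under these prefixes are flagged
# for a second look before the script is run.
SYSTEM_PREFIXES = ("c:\\windows", "c:\\program files\\common files")


@dataclass
class Plan:
    folders: list = field(default_factory=list)         # folders to remove
    deleted_keys: list = field(default_factory=list)    # [-KEY] lines
    deleted_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)      # (key, name, raw data)
    warnings: list = field(default_factory=list)


def unescape_reg(s: str) -> str:
    """Undo .reg escaping: a doubled backslash is one backslash, and a
    backslash before a double quote is a literal double quote."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_cfscript(text: str) -> Plan:
    """Walk the script line by line and record what it would do."""
    plan = Plan()
    section = None      # active "X::" header (Folder, Registry, ...)
    current_key = None  # registry key the following value lines belong to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == "Folder":
            plan.folders.append(line)
            if line.lower().startswith(SYSTEM_PREFIXES):
                plan.warnings.append(f"line {lineno}: folder under a system path: {line}")
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                # Keys are kept as written; "HKLM\~\" is ComboFix's own
                # abbreviated key notation and is not expanded here.
                current_key = m.group(2)
                if m.group(1) == "-":
                    plan.deleted_keys.append(current_key)
                continue
            m = VALUE_RE.match(line)
            if m and current_key is not None:
                name, data = unescape_reg(m.group(1)), m.group(2)
                if data == "-":
                    plan.deleted_values.append((current_key, name))
                else:
                    plan.set_values.append((current_key, name, data))
            else:
                plan.warnings.append(f"line {lineno}: unparsed registry line: {line}")
        else:
            plan.warnings.append(f"line {lineno}: line outside a known section: {line}")
    return plan


def summarize(plan: Plan) -> str:
    """Human-readable review of the planned actions."""
    out = [f"{len(plan.folders)} folder(s) to remove:"]
    out += [f"  - {p}" for p in plan.folders]
    out.append(f"{len(plan.deleted_keys)} registry key(s) to delete:")
    out += [f"  - {k}" for k in plan.deleted_keys]
    out.append(f"{len(plan.deleted_values)} registry value(s) to delete:")
    out += [f"  - [{k}] {n}" for k, n in plan.deleted_values]
    out.append(f"{len(plan.set_values)} registry value(s) to set:")
    out += [f"  - [{k}] {n} = {d}" for k, n, d in plan.set_values]
    if plan.warnings:
        out.append("warnings:")
        out += [f"  ! {w}" for w in plan.warnings]
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_cfscript(SAMPLE_CFSCRIPT)))
```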

  10. #10
    Junior Member
    Join Date
    Mar 2009
    Posts
    6

    Default

    ComboFix 09-03-15.01 - Chris 2009-03-18 0:08:58.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1616 [GMT -7:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFixs.exe
    Command switches used :: c:\documents and settings\Chris\Desktop\cfscript.txt
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Chris\Application Data\Azureus
    c:\documents and settings\Chris\Application Data\Azureus\.certs
    c:\documents and settings\Chris\Application Data\Azureus\.keystore
    c:\documents and settings\Chris\Application Data\Azureus\.lock
    c:\documents and settings\Chris\Application Data\Azureus\active\50612960F11BCD0B0085C636B8D78831A9349651.dat
    c:\documents and settings\Chris\Application Data\Azureus\active\50612960F11BCD0B0085C636B8D78831A9349651.dat.bak
    c:\documents and settings\Chris\Application Data\Azureus\active\cache.dat
    c:\documents and settings\Chris\Application Data\Azureus\azureus.config
    c:\documents and settings\Chris\Application Data\Azureus\azureus.config.bak
    c:\documents and settings\Chris\Application Data\Azureus\azureus.statistics
    c:\documents and settings\Chris\Application Data\Azureus\azureus.statistics.bak
    c:\documents and settings\Chris\Application Data\Azureus\banips.config
    c:\documents and settings\Chris\Application Data\Azureus\cnetworks.config
    c:\documents and settings\Chris\Application Data\Azureus\dht\addresses.dat
    c:\documents and settings\Chris\Application Data\Azureus\dht\contacts.dat
    c:\documents and settings\Chris\Application Data\Azureus\dht\diverse.dat
    c:\documents and settings\Chris\Application Data\Azureus\dht\general.dat
    c:\documents and settings\Chris\Application Data\Azureus\dht\version.dat
    c:\documents and settings\Chris\Application Data\Azureus\downloads.config
    c:\documents and settings\Chris\Application Data\Azureus\downloads.config.bak
    c:\documents and settings\Chris\Application Data\Azureus\filters.config
    c:\documents and settings\Chris\Application Data\Azureus\friends.config
    c:\documents and settings\Chris\Application Data\Azureus\friends.config.bak
    c:\documents and settings\Chris\Application Data\Azureus\ipfilter.cache
    c:\documents and settings\Chris\Application Data\Azureus\logs\alerts_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\AutoSpeed_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\AutoSpeed_2.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\AutoSpeedSearchHistory_2.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\CNetworks_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\debug_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\debug_2.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\Friends_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\Friends_2.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\MetaSearch_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\NetStatus_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\seltrace_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\SpeedMan_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\SpeedMan_2.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\Subscriptions_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\thread_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\thread_2.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\v3.ads_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\v3.CMsgr_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\v3.Friends_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\v3.Friends_2.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\v3.PMsgr_1.log
    c:\documents and settings\Chris\Application Data\Azureus\logs\v3.Stream_1.log
    c:\documents and settings\Chris\Application Data\Azureus\metasearch.config
    c:\documents and settings\Chris\Application Data\Azureus\metasearch.config.bak
    c:\documents and settings\Chris\Application Data\Azureus\net\pm_7132.dat
    c:\documents and settings\Chris\Application Data\Azureus\net\pm_default.dat
    c:\documents and settings\Chris\Application Data\Azureus\sidebarauto.config
    c:\documents and settings\Chris\Application Data\Azureus\sidebarauto.config.bak
    c:\documents and settings\Chris\Application Data\Azureus\tables.config
    c:\documents and settings\Chris\Application Data\Azureus\tables.config.bak
    c:\documents and settings\Chris\Application Data\Azureus\timingstats.dat
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60423.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60424.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60425.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60426.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60427.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60428.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60429.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60430.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60431.tmp\patch.jar
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60433.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60434.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60436.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60437.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60438.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60439.tmp
    c:\documents and settings\Chris\Application Data\Azureus\tmp\AZU60440.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\-_Demonoid.com_-Spirited_Away_[Anime][DvDRip]_eng_sub_DVD_Movie_torrent_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\((Demonoid.com))-Its_Always_Sunny_In_Philadelphia_Season_4_Complete_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\(Demonoid%2ecom)-Los_Teletubbies_09_Se_quieren_mucho__4982640%2e6068[1].torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\(Demonoid.com)-Watchmen_[complete]_(Alan_Moore)_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\++Demonoid.com++-John_Adams_HBO_Mini_Series_All_Episodes_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\++Demonoid.com++-SoundTaxi_Pro_VideoRip_3_4_2_mazuki_darksiderg_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU11037.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU11040.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU18746.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU38295.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU43548.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU43554.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU58450.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU60432.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU60435.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\AZU8869.tmp
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Its_Always_Sunny_In_Philadelphia_Seasons_1_3__O-Demonoid.com-O_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Next[2007]DvDrip_AC3[Eng]_aXXo-(Demonoid.com)_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\O-Demonoid.com-O_Windows_XP_Pro_SP3_Integrated_Jul_08_With_Genuine_Key_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Requiem_1_7_3_iTunes_DRM_Remover_(Older_Videos_Supported)-_=Demonoid.com=__4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Sandman_Neil_Gaiman_(DC)-++Demonoid.com++_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Teletubbies-Again.Again_.PL.DVDRip.XviD-D020.avi.3979162.TPB[1].torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Teletubbies_-_Here_Come_The_Teletubbies_-DK-S-FIN-_(1997).4110474.TPB[1].torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Venture_Brothers_Season_3-(Demonoid.com)_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Watchmen_[complete]_(Alan_Moore)-(Demonoid.com)_4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\torrents\Zoolander_-Demonoid.com-__4982640.6068.torrent
    c:\documents and settings\Chris\Application Data\Azureus\tracker.config
    c:\documents and settings\Chris\Application Data\Azureus\tracker.config.bak
    c:\documents and settings\Chris\Application Data\Azureus\unsentdata.config
    c:\documents and settings\Chris\Application Data\Azureus\unsentdata.config.bak
    c:\documents and settings\Chris\Application Data\Azureus\update.log
    c:\documents and settings\Chris\Application Data\Azureus\update.properties
    c:\documents and settings\Chris\Application Data\Azureus\v3.Friends.dat
    c:\documents and settings\Chris\Application Data\Azureus\v3.Friends.dat.bak
    c:\documents and settings\Chris\Application Data\Azureus\VuzeActivities.config
    c:\documents and settings\Chris\Application Data\Azureus\VuzeActivities.config.bak
    c:\program files\Azureus
    c:\program files\Azureus\plugins\azemp\azemp_2.0.14.jar
    c:\program files\Azureus\plugins\azemp\azemp_2.0.14.zip
    c:\program files\Azureus\plugins\azemp\azemp_2.0.16.jar
    c:\program files\Azureus\plugins\azemp\azemp_2.0.16.zip
    c:\program files\Azureus\plugins\azemp\azemp_2.0.32.jar
    c:\program files\Azureus\plugins\azemp\azemp_2.0.32.zip
    c:\program files\Azureus\plugins\azemp\azemp_2.0.34.jar
    c:\program files\Azureus\plugins\azemp\azemp_2.0.34.zip
    c:\program files\Azureus\plugins\azemp\azmplay.exe.bak
    c:\program files\Azureus\plugins\azemp\cp1250-a.raw.bak
    c:\program files\Azureus\plugins\azemp\cp1250-b.raw.bak
    c:\program files\Azureus\plugins\azemp\font.desc.bak
    c:\program files\Azureus\plugins\azemp\osd-mplayer-a.raw.bak
    c:\program files\Azureus\plugins\azemp\osd-mplayer-b.raw.bak
    c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.14
    c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.16
    c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.32
    c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.34
    c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
    c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
    c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
    c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
    c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.5.jar
    c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.5.zip
    c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.1
    c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.2
    c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.5

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
    .

    2009-03-17 22:56 . 2009-03-18 00:10 1,082,400 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2009-03-17 22:56 . 2009-03-18 00:12 196,640 --ahs---- c:\windows\system32\drivers\fidbox2.dat
    2009-03-17 22:56 . 2009-03-18 00:10 11,632 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2009-03-17 22:56 . 2009-03-18 00:12 1,724 --ahs---- c:\windows\system32\drivers\fidbox2.idx
    2009-03-17 18:39 . 2009-03-17 18:45 101,287 --a------ c:\windows\system32\drivers\klin.dat
    2009-03-17 18:39 . 2009-03-17 18:45 89,601 --a------ c:\windows\system32\drivers\klick.dat
    2009-03-17 18:38 . 2009-03-17 18:38 <DIR> d-------- c:\program files\Kaspersky Lab
    2009-03-17 18:38 . 2009-03-18 00:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-03-17 18:32 . 2009-03-17 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-03-16 19:47 . 2009-03-17 18:22 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-15 20:59 . 2009-03-15 20:59 <DIR> d-------- c:\program files\Trend Micro
    2009-03-15 20:57 . 2009-03-15 20:57 <DIR> d-------- c:\program files\ERUNT
    2009-03-15 17:20 . 2009-03-17 21:50 6,292 --a------ c:\windows\wininit.ini
    2009-03-15 16:38 . 2009-03-17 21:01 1,896,749 --a------ c:\windows\system32\uactmp.db
    2009-03-15 16:36 . 2009-03-17 21:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-15 16:36 . 2009-03-17 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-14 18:19 . 2009-03-14 18:28 <DIR> d-------- c:\documents and settings\Chris\Application Data\MySQL
    2009-03-14 17:49 . 2009-03-15 18:17 <DIR> d-------- C:\Perl
    2009-02-20 00:21 . 2009-02-20 00:23 <DIR> d-------- c:\documents and settings\Chris\Application Data\JPEGsnoop
    2009-02-19 22:46 . 2009-02-19 22:46 <DIR> d-------- c:\documents and settings\Chris\Application Data\Leadertech
    2009-02-18 19:40 . 2009-02-18 19:41 9,662 --a------ c:\windows\EPISME00.SWB

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-18 06:18 --------- d-----w c:\program files\BitLord
    2009-03-18 03:37 --------- d-----w c:\program files\SoundTaxi
    2009-03-18 01:45 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
    2009-03-18 01:22 --------- d-----w c:\program files\Java
    2009-03-17 03:17 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-13 19:11 --------- d-----w c:\documents and settings\Chris\Application Data\Move Networks
    2009-02-18 05:10 --------- d-----w c:\program files\Common Files\Intuit
    2009-02-18 05:05 --------- d-----w c:\program files\Reference Assemblies
    2009-02-18 05:05 --------- d-----w c:\program files\MSBuild
    2009-02-18 05:03 --------- d-----w c:\program files\MSXML 6.0
    2009-02-18 04:37 --------- d-----w c:\documents and settings\Chris\Application Data\Intuit
    2009-02-18 04:17 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
    2009-02-18 04:16 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
    2009-02-18 04:13 --------- d-----w c:\program files\TurboTax
    2008-12-20 19:00 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-12-20 19:00 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-12-20 19:00 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-12-20 19:00 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-12-20 19:00 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-17_23.04.37.45 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-03-18\ERDNT.EXE
    + 2009-03-18 07:12:35 9,109,504 ----a-w c:\windows\ERDNT\AutoBackup\2009-03-18\Users\00000001\ntuser.dat
    + 2009-03-18 07:12:35 380,928 ----a-w c:\windows\ERDNT\AutoBackup\2009-03-18\Users\00000002\UsrClass.dat
    + 2009-03-18 07:11:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_550.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="c:\program files\AIM95\aim.exe" [2001-12-18 53248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-17 148888]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-03-17 206088]

    c:\documents and settings\Chris\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    --a------ 2007-04-19 21:29 149024 c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    --a------ 2007-04-19 21:38 1945688 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    --a------ 2001-12-18 17:45 53248 c:\program files\AIM95\aim.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
    --a------ 2007-04-19 21:24 1169744 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
    --a------ 2006-12-15 14:13 31552 c:\program files\GIGABYTE\ET5\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4200 Series]
    --a------ 2005-03-07 12:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    -ra------ 2005-11-27 22:52 77824 c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    -ra------ 2005-11-27 22:55 118784 c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    -ra------ 2005-11-27 22:55 98304 c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2006-03-17 19:24 184320 c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RevoTaskbarApp]
    --a------ 2004-06-14 16:58 221184 c:\windows\system32\RevoTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-10-10 17:36 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2007-05-14 15:22 35328 c:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "vsmon"=2 (0x2)
    "SoundMovieServer"=3 (0x3)
    "ose"=3 (0x3)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "idsvc"=3 (0x3)
    "SqueezeMySQL"=2 (0x2)
    "IntuitUpdateService"=2 (0x2)
    "AcrSch2Svc"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59800:UDP"= 59800:UDP:Azur1
    "59800:TCP"= 59800:TCP:Azur2
    "9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
    "9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (CLI)
    "3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
    "3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-09 38144]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
    R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-08-11 3768]
    S3 MarkFun_NT;MarkFun_NT;c:\program files\GIGABYTE\ET5\MARKFUN.W32 [2007-06-23 13512]
    S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
    S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
    S4 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-08-11 184320]
    S4 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: turbotax.com
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\fbwxptvq.default\
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-18 00:12:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
    "ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1176)
    c:\windows\system32\relog_ap.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-18 0:15:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-18 07:15:00
    ComboFix2.txt 2009-03-18 06:05:46

    Pre-Run: 4,703,342,592 bytes free
    Post-Run: 4,642,230,272 bytes free

    334 --- E O F --- 2008-08-12 03:44:19

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:16:39 AM, on 3/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1182577158904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182577218748
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 3309 bytes
