virtumonde!



kmfecteau
2008-12-05, 03:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:34 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\McAfee\MHN\McENUI.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\shrhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Seekeen\seekeen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Seekeen\seekeen.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {3900a616-4b10-4c73-a9c3-de0dd25307b2} - C:\WINDOWS\system32\divimuvo.dll
O2 - BHO: {d99d} - {3de33de5-5138-4c72-81c2-5102a0775c04} - C:\WINDOWS\system32\iilssd.dll
O2 - BHO: {95e20ab1-58af-ef08-7a34-a3f320dcdb96} - {69bdcd02-3f3a-43a7-80fe-fa851ba02e59} - C:\WINDOWS\system32\hlyzwg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9C102887-B01C-4292-8FCA-487D6612732F} - C:\WINDOWS\system32\iifCussQ.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: agadoo browser optimizer - {dec5c5e3-5fe1-b880-1779-e28b7e071efe} - C:\WINDOWS\system32\svyhegbfwoccrjkj.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Syncronization Task] shrhost.exe
O4 - HKLM\..\Run: [Bar] C:\DOCUME~1\ertd\LOCALS~1\Temp\wcrmsxenoa.tmp
O4 - HKLM\..\Run: [mukujemowa] Rundll32.exe "C:\WINDOWS\system32\pubinibu.dll",s
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Syncronization Task] shrhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [mukujemowa] Rundll32.exe "C:\WINDOWS\system32\pubinibu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mukujemowa] Rundll32.exe "C:\WINDOWS\system32\pubinibu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: reminder-ScanSoft Product Registration.lnk.disabled
O4 - Global Startup: Pagis Schedule Monitor.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\Program,Files\RelevantKnowledge\rlai.dll,C:\Program Files\RelevantKnowledge\rlai.dll,C:\WINDOWS\system32\zobedagu.dll hlyzwg.dll
O20 - Winlogon Notify: pmnolKAR - pmnolKAR.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Seekeen Service - Seekeen.com - C:\Program Files\Seekeen\seekeen.exe

--
End of file - 8991 bytes
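The entries a helper looks at first in a log like this can be picked out mechanically. The following triage script is an added example, not part of the thread or of HijackThis; its sample lines are copied from the log above, and its rules are generic review heuristics (a hit means "look at this", not "this is malware").

```python
"""Minimal HijackThis log triage: parse entry lines and flag the patterns
that stand out in the log above. Heuristics only; every hit needs a human."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3900a616-4b10-4c73-a9c3-de0dd25307b2} - C:\WINDOWS\system32\divimuvo.dll
O2 - BHO: agadoo browser optimizer - {dec5c5e3-5fe1-b880-1779-e28b7e071efe} - C:\WINDOWS\system32\svyhegbfwoccrjkj.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Bar] C:\DOCUME~1\ertd\LOCALS~1\Temp\wcrmsxenoa.tmp
O4 - HKLM\..\Run: [mukujemowa] Rundll32.exe "C:\WINDOWS\system32\pubinibu.dll",s
O15 - Trusted Zone: *.avsystemcare.com
O20 - AppInit_DLLs: C:\Program,Files\RelevantKnowledge\rlai.dll,C:\WINDOWS\system32\zobedagu.dll hlyzwg.dll
O20 - Winlogon Notify: pmnolKAR - pmnolKAR.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O4"
    reason: str  # why the entry deserves a look
    line: str    # the original log line


def parse_entries(log: str):
    """Yield (kind, body, line) for every well-formed entry line."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(log: str) -> List[Finding]:
    """Apply review heuristics to each entry and collect the hits."""
    findings: List[Finding] = []
    for kind, body, line in parse_entries(log):
        low = body.lower()
        reason: Optional[str] = None
        if kind == "O2":
            # Browser helper object with no display name, or whose file is
            # already gone, loading from system32: typical of random-named DLLs.
            if ("(no name)" in low or "(file missing)" in low) and "\\system32\\" in low:
                reason = "BHO without a name or with a missing file in system32"
        elif kind == "O4":
            # Legitimate software does not autorun from a Temp folder.
            if "\\temp\\" in low or low.endswith(".tmp"):
                reason = "autorun points into a Temp folder"
            # rundll32 loading a system32 DLL by export name is worth a look.
            elif "rundll32" in low and "\\system32\\" in low:
                reason = "autorun uses rundll32 to load a system32 DLL"
        elif kind == "O15":
            # Trusted Zone additions lower IE's security for that site.
            reason = "site added to Internet Explorer Trusted Zone"
        elif kind == "O20":
            if low.startswith("appinit_dlls:"):
                reason = "AppInit_DLLs is populated (loaded into every GUI process)"
            elif "winlogon notify" in low and "(file missing)" in low:
                reason = "Winlogon Notify entry whose DLL is missing"
        if reason:
            findings.append(Finding(kind, reason, line))
    return findings


def triage_by_kind(log: str) -> Dict[str, int]:
    """Count hits per section code, e.g. {"O2": 2, "O4": 2, ...}."""
    counts: Dict[str, int] = {}
    for f in triage(log):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Feeding it the full log above also surfaces the second Trusted Zone block and the HKUS\S-1-5-19/S-1-5-20 rundll32 entries; the Yahoo, Java and McAfee lines pass through untouched.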

Shaba
2008-12-07, 12:25
Hi kmfecteau

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

kmfecteau
2008-12-07, 20:54
ComboFix 08-12-06.06 - ertd 2008-12-07 12:34:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.204 [GMT -6:00]
Running from: c:\documents and settings\ertd\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\ertd\Application Data\IUpd721
c:\documents and settings\ertd\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\ertd\Application Data\NI.GSCNS
c:\documents and settings\ertd\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\ertd\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\ertd\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\tn3
c:\windows\system32\_svyhegbfwoccrjkj.dll
c:\windows\system32\bin
c:\windows\system32\dkdvfnes.dll
c:\windows\system32\drivers\core.cache(2).dsk
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Drivers\TDSSlmnagpji.sys
c:\windows\system32\geBtTNGx.dll
c:\windows\system32\gside.exe
c:\windows\system32\hlyzwg.dll
c:\windows\system32\iifCussQ.dll
c:\windows\system32\iilssd.dll
c:\windows\system32\jqvogwld.dll
c:\windows\system32\jxgdisjr.dll_old
c:\windows\system32\ki3
c:\windows\system32\ki3\RI2ES6i.exe
c:\windows\system32\ljlvewou.dll
c:\windows\system32\mfkbgene.dll
c:\windows\system32\nulgds.dll
c:\windows\system32\nusayuta.dll
c:\windows\system32\packet.dll
c:\windows\system32\pedanawe.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\QssuCfii(2).ini
c:\windows\system32\rqwnw64k.exe
c:\windows\system32\rsscac.dll
c:\windows\system32\sosafimi.dll
c:\windows\system32\TDSSducnsxhp.log
c:\windows\system32\TDSSemapevrd.dat
c:\windows\system32\TDSShywtqnwr.dll
c:\windows\system32\TDSSjctqrsmj.dll
c:\windows\system32\TDSSmdjxyjlk.dll
c:\windows\system32\TDSSmxefvcpw.dll
c:\windows\system32\TDSSvnmwxglw.dll
c:\windows\system32\uv9
c:\windows\system32\uv9\peco85IV.exe
c:\windows\system32\VC
c:\windows\system32\winpfz33.sys
c:\windows\system32\wpcap.dll
c:\windows\Tasks\lqroyxgh.job
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_NPF
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 12:42 . 2008-12-07 12:42 240,240 --a------ c:\windows\system32\wpcap.dll
2008-12-07 12:42 . 2008-12-07 12:42 88,704 --a------ c:\windows\system32\packet.dll
2008-12-07 12:41 . 2008-12-07 12:41 <DIR> d-------- c:\temp\tn3
2008-12-05 19:00 . 2008-12-05 19:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2008-12-04 19:17 . 2008-12-04 19:17 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 10:44 . 2008-12-04 10:44 <DIR> d-------- c:\windows\system32\Lang
2008-12-04 10:44 . 2008-12-04 10:44 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2008-12-04 10:44 . 2008-12-04 10:44 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2008-12-04 10:44 . 2008-12-04 10:44 60,416 --a------ c:\windows\ALCFDRTM.VER
2008-12-04 10:44 . 2008-12-04 10:44 60,416 --a------ c:\windows\ALCFDRTM.EXE
2008-12-03 18:17 . 2008-12-07 04:10 1,383 --a------ c:\windows\wininit.ini
2008-12-03 16:55 . 2008-12-03 16:55 34,816 --a------ c:\windows\system32\urqOIbCV.dll
2008-12-03 16:49 . 2008-12-03 16:49 32,768 --a------ c:\windows\system32\byXRllKE.dll
2008-12-03 16:41 . 2008-12-03 16:41 548,928 --a------ c:\windows\system32\kcnttsdl.exe
2008-12-03 16:41 . 2008-12-03 16:41 153,404 --a------ c:\windows\system32\g85.exe
2008-12-03 16:41 . 2008-12-03 16:41 86,272 --a------ c:\windows\system32\drivers\swmidii.sys
2008-12-03 16:41 . 2008-12-07 12:41 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-12-03 16:40 . 2008-12-07 12:41 <DIR> d-------- C:\Temp
2008-11-30 14:43 . 2008-12-07 12:42 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 14:31 . 2008-11-30 14:31 <DIR> d-------- c:\documents and settings\ertd\Application Data\Yahoo!
2008-11-30 14:31 . 2008-11-30 14:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-30 13:52 . 2008-11-30 13:52 <DIR> d-------- c:\program files\Yahoo!
2008-11-30 13:52 . 2008-12-07 11:40 <DIR> d-------- c:\program files\Seekeen
2008-11-30 10:13 . 2008-11-30 10:13 0 --a------ c:\windows\nsreg.dat
2008-11-30 09:17 . 2008-11-30 09:17 <DIR> d-------- c:\program files\Conduit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 18:42 42,512 ----a-w c:\windows\system32\drivers\npf.sys
2008-12-07 17:29 --------- d-----w c:\documents and settings\ertd\Application Data\SiteAdvisor
2008-12-05 00:22 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 12:54 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-28 12:36 591,296 ----a-w C:\WebmailPlugin.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 02:28 --------- d-----w c:\program files\Google
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-03-02 15:39 769,536 ----a-w c:\documents and settings\ertd\Application Data\sfdnwin.dll
2007-06-13 10:23 933,888 --sha-r c:\windows\system32\shrhost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 36640]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-07-22 1160480]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"InstantAccess"="c:\progra~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE" [2000-05-31 31744]
"RegisterDropHandler"="c:\progra~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-05-31 22528]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 c:\windows\soundman.exe]
"Syncronization Task"="shrhost.exe" [2007-06-13 c:\windows\system32\shrhost.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\progra~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-05-31 22528]
"Syncronization Task"="shrhost.exe" [2007-06-13 c:\windows\system32\shrhost.exe]

c:\documents and settings\ertd\Start Menu\Programs\Startup\
reminder-ScanSoft Product Registration.lnk.disabled [2008-04-15 855]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Pagis Schedule Monitor.lnk.disabled [2008-04-15 771]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Weather"=c:\program files\AWS\WeatherBug\Weather.exe 1
"DelayShred"=c:\progra~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\docume~1\ertd\LOCALS~1\TEMPOR~1\Content.IE5\U5AL09QV\343735~1.SH! c:\docume~1\ertd\LOCALS~1\TEMPOR~1\Content.IE5\4D6F0PAX\FF2_1_~1.SH! c:\docume~1\ertd\LOCALS~1\TEMPOR~1\Content.IE5\EHYRANA5\343735~1.SH! c:\docume~1\ertd\LOCALS~1\TEMPOR~1\Content.IE5\49290L6F\INCLUD~1.SH!
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Name of App"=c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe r
"{ce336510-0be5-46d5-61c8-77a694d426bf}"=c:\windows\System32\Rundll32.exe "c:\windows\system32\svyhegbfwoccrjkj.dll" DllStart
"mukujemowa"=Rundll32.exe "c:\windows\system32\pubinibu.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Seekeen\\seekeen.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\McAfee\\MBK\\MBackMonitor.exe"=
"c:\\Program Files\\McAfee\\MHN\\McENUI.exe"=

R1 swmidii;swmidii;c:\windows\system32\drivers\swmidii.sys [2008-12-03 86272]
R2 Seekeen Service;Seekeen Service;"c:\program files\Seekeen\seekeen.exe" "c:\program files\Seekeen\seekeen.dll" Service []
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-12-07 42512]
S3 pmxscan;PrimaScan USB Kernel;c:\windows\system32\DRIVERS\usbscan.sys [2008-04-15 15104]
S3 ptiusbf;PTI USB Filter;c:\windows\system32\DRIVERS\PTIUSBF.SYS [2001-04-13 22474]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\DRIVERS\w940nd.sys [2008-03-01 16925]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-04 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
BHO-{3900a616-4b10-4c73-a9c3-de0dd25307b2} - c:\windows\system32\nusayuta.dll
BHO-{3de33de5-5138-4c72-81c2-5102a0775c04} - c:\windows\system32\iilssd.dll
BHO-{8a92145e-a0ce-41dc-839f-0fb2a776729c} - c:\windows\system32\rsscac.dll
BHO-{dec5c5e3-5fe1-b880-1779-e28b7e071efe} - c:\windows\system32\svyhegbfwoccrjkj.dll
BHO-{E3EE3C43-FC24-4B45-96A6-1FFF417A2F4B} - c:\windows\system32\iifCussQ.dll
Toolbar-{2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
WebBrowser-{2BAE58C2-79F9-45D1-A286-81F911301C3A} - (no file)
HKLM-Run-mukujemowa - c:\windows\system32\hujepaka.dll
Notify-pmnolKAR - pmnolKAR.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 12:41:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\wpcap.dll 240240 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\program files\McAfee\MHN\McENUI.exe
c:\program files\ScanSoft\TextBridge Pro 9.0\Bin\InstantAccess.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Seekeen\seekeen.exe
c:\program files\Seekeen\seekeen.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-12-07 12:45:04 - machine was rebooted [ertd]
ComboFix-quarantined-files.txt 2008-12-07 18:44:59

Pre-Run: 63,765,446,656 bytes free
Post-Run: 64,476,303,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

240 --- E O F --- 2008-11-30 16:10:29


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:59 PM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\McAfee\MHN\McENUI.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\shrhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Seekeen\seekeen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Seekeen\seekeen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Syncronization Task] shrhost.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Syncronization Task] shrhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk.disabled
O4 - Global Startup: Pagis Schedule Monitor.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Seekeen Service - Unknown owner - C:\Program Files\Seekeen\seekeen.exe

--
End of file - 7576 bytes

Shaba
2008-12-07, 21:02
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

kmfecteau
2008-12-12, 03:31
Sorry it took a while to reply; I had to get to a secure net connection... I would appreciate any help cleaning the PC. I don't have my Windows disks to reinstall, so that is my best option. I have changed my passwords on my financial accounts and won't use my PC for that until I wipe my hard drive, but I still need my Internet for other things in the meantime.
THANX!

Shaba
2008-12-12, 11:43
Please print out and follow these instructions: "How to use SDFix (http://www.bleepingcomputer.com/forums/topic131299.html)". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
Disconnect from the Internet and temporarily disable your anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html), script blocking and any real time protection programs before performing a scan.
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
Please copy and paste the contents of Report.txt in your next reply.
Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Post:

- a fresh HijackThis log
- the SDFix report

Shaba
2008-12-17, 12:09
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.