Vundo Removal, McAfee Problems [Closed]


  • This topic is locked This topic is locked

#1
andrewjones011
New Member, 1 post
McAfee refuses to enable On-Access scanning after running Combofix to remove Vundo. Am I not as clear as I thought I was? Thanks so much in advance. Log follows:

ComboFix 09-04-14.08 - Andrew Jones 04/14/2009 8:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1346 [GMT -4:00]
Running from: c:\documents and settings\Andrew Jones\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew Jones\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\fuyawadu.dll
c:\windows\system32\guneyani.dll
c:\windows\yilizoge.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-14 12:22 . 2009-04-14 12:22 -------- d-sh--w c:\documents and settings\Andrew Jones\PrivacIE
2009-04-14 03:41 . 2009-04-14 03:41 0 --sha-w c:\program files\lohezudu.dll
2009-04-07 23:33 . 2009-04-07 23:33 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-07 23:32 . 2009-04-07 23:32 -------- d-sh--w c:\documents and settings\Andrew Jones\IETldCache
2009-04-07 16:34 . 2009-04-07 16:34 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-02 18:15 . 2009-04-02 18:15 -------- d-----w c:\windows\ie8updates
2009-04-02 18:12 . 2009-04-02 18:14 -------- dc-h--w c:\windows\ie8
2009-04-02 18:09 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-03-31 00:54 . 2009-03-31 00:54 54 ----a-w C:\Boot.img.errorlog
2009-03-30 22:03 . 2009-03-30 22:03 23392 ----a-w c:\windows\system32\nscompat.tlb
2009-03-30 22:03 . 2009-03-30 22:03 16832 ----a-w c:\windows\system32\amcompat.tlb
2009-03-23 21:40 . 2009-03-23 21:40 -------- d-----w c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 12:54 . 2006-09-12 07:12 1758 ----a-w C:\hpqp.ini
2009-04-14 12:54 . 2006-09-12 07:12 39 ----a-w C:\XP_TV.ini
2009-04-14 06:33 . 2009-01-22 00:16 -------- d-----w c:\documents and settings\Andrew Jones\Application Data\Skype
2009-04-14 06:29 . 2007-09-05 13:55 -------- d-----w c:\program files\Google
2009-04-14 06:27 . 2009-03-13 02:16 -------- d-----w c:\documents and settings\Andrew Jones\Application Data\NBC Direct
2009-04-14 06:27 . 2009-03-13 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\NBC Direct
2009-04-14 06:27 . 2009-03-13 02:15 -------- d---a-w c:\program files\NBC Direct
2009-04-14 06:26 . 2009-03-13 02:16 -------- d-----w c:\program files\Pando Networks
2009-04-14 06:24 . 2006-09-12 05:33 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 06:20 . 2007-04-15 18:14 -------- d-----w c:\program files\Kodak
2009-04-14 06:15 . 2009-01-31 01:09 -------- d-----w c:\program files\Acoustica Mixcraft 4
2009-04-14 04:14 . 2009-01-22 00:18 -------- d-----w c:\documents and settings\Andrew Jones\Application Data\skypePM
2009-04-14 03:07 . 2009-01-14 03:07 107008 --sha-w c:\windows\system32\bikokere.dll
2009-04-14 03:07 . 2009-01-14 03:07 107008 --sha-w c:\windows\system32\bikokere.dll
2009-04-14 03:07 . 2009-01-14 03:07 63488 --sha-w c:\windows\system32\pufoponu.exe
2009-04-14 03:07 . 2009-01-14 03:07 63488 --sha-w c:\windows\system32\pufoponu.exe
2009-04-12 21:51 . 2008-02-25 14:11 81 ----a-w C:\DVDPATH.TXT
2009-04-11 02:05 . 2006-09-12 05:33 -------- d-----w c:\program files\Java
2009-04-03 01:28 . 2008-02-10 01:53 -------- d-----w c:\documents and settings\Andrew Jones\Application Data\Move Networks
2009-03-30 01:52 . 2006-09-12 07:29 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-28 23:18 . 2007-07-25 04:46 -------- d-----w c:\documents and settings\Andrew Jones\Application Data\Azureus
2009-03-23 21:40 . 2009-01-22 00:15 -------- d-----r c:\program files\Skype
2009-03-23 21:40 . 2009-01-22 00:15 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-14 21:53 . 2009-03-14 21:53 -------- d-----w c:\program files\PopCap Games
2009-03-13 02:35 . 2009-03-13 02:16 -------- d-----w c:\documents and settings\Andrew Jones\Application Data\IDM
2009-03-12 23:02 . 2009-03-12 23:01 -------- d-----w c:\program files\iTunes
2009-03-12 23:02 . 2009-03-12 23:01 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 23:01 . 2009-03-12 23:01 -------- d-----w c:\program files\iPod
2009-03-12 23:01 . 2008-12-01 01:30 -------- d-----w c:\program files\Common Files\Apple
2009-03-12 23:00 . 2009-03-12 23:00 -------- d-----w c:\program files\Bonjour
2009-03-12 22:59 . 2009-03-12 22:58 -------- d-----w c:\program files\QuickTime
2009-03-12 21:53 . 2007-09-11 20:48 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-09 09:19 . 2008-09-23 05:16 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 18:09 . 2006-11-07 07:27 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 18:09 . 2006-10-17 16:04 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 08:41 . 2006-10-23 15:34 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 08:39 . 2007-05-09 01:44 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 08:34 . 2006-10-23 15:34 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 08:34 . 2006-03-16 04:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2006-10-23 15:34 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 08:34 . 2006-11-08 01:03 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 08:34 . 2006-10-17 16:05 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 08:34 . 2006-03-16 04:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:34 . 2006-10-17 16:05 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 08:34 . 2006-10-23 15:34 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 08:34 . 2006-10-17 16:04 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 08:33 . 2006-09-18 14:15 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 08:33 . 2009-03-08 08:33 18944 ------w c:\windows\system32\dllcache\corpol.dll
2009-03-08 08:33 . 2006-03-16 04:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2006-10-23 15:34 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 08:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 08:33 . 2006-11-07 07:27 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 08:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 08:33 . 2006-03-16 04:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 . 2006-11-07 07:26 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 08:32 . 2006-11-07 07:26 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 08:32 . 2006-03-16 04:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2006-11-07 07:26 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 08:32 . 2006-11-07 07:25 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 08:32 . 2006-11-07 07:26 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 08:32 . 2006-11-07 07:26 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 08:32 . 2006-03-16 04:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:32 . 2006-11-07 07:26 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 08:32 . 2006-10-23 15:34 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 08:32 . 2007-05-09 01:44 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 08:32 . 2007-05-09 01:44 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 08:32 . 2006-10-23 15:34 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 08:24 . 2006-10-17 15:44 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 08:22 . 2006-11-08 01:03 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 08:22 . 2006-03-16 04:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 08:11 . 2007-05-09 01:44 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 03:59 . 2009-03-12 22:56 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-12-01 01:30 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-28 01:23 . 2007-07-25 04:45 -------- d-----w c:\program files\Azureus
2009-02-09 11:13 . 2008-10-14 18:42 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-03-16 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 01:07 . 2007-05-09 01:44 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-01-11 21:15 . 2006-09-12 06:39 150760 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-22 04:53 . 2006-12-31 03:59 15656 ----a-w c:\documents and settings\Andrew Jones\Application Data\wklnhst.dat
2007-12-22 19:54 . 2007-04-11 12:22 140928 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-04-11 12:22 . 2007-04-11 12:22 128 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2007-01-31 03:05 . 2007-01-31 03:05 251 -c--a-w c:\program files\wt3d.ini
2006-12-26 07:16 . 2006-12-26 07:14 135 ----a-w c:\documents and settings\Andrew Jones\Local Settings\Application Data\fusioncache.dat
2006-09-12 07:53 . 2006-12-26 07:14 51192 -c--a-w c:\documents and settings\Andrew Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-12 06:39 . 2006-09-12 06:39 136 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e4903124-b231-40e2-9d16-8970288890c7}]
2009-01-14 03:02 69632 --sha-w c:\windows\system32\gurujize.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Andrew Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-19 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-16 24095528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-08-25 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-09 184320]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"KerberosIdentityFinder"="c:\program files\MIT\Kerberos\bin\KerberosIdentityFinder.vbs" [2008-04-30 12365]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-06 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"yugefikila"="c:\windows\system32\pijutiji.dll" [2009-01-14 69632]
"CPM32e3c26f"="c:\windows\system32\bikokere.dll" [2009-04-14 107008]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-27 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\bikokere.dll" [2009-04-14 107008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bikokere.dll [2009-04-14 107008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AfsLogon]
2008-03-21 18:41 87400 ----a-w c:\program files\OpenAFS\Client\Program\afslogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MIT_KFW]
2007-10-22 13:32 23040 ----a-w c:\windows\system32\kfwlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\bikokere.dll,c:\windows\system32\dojonilu.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\dojonilu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Domestic Security Version 4.87

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7001:UDP"= 7001:UDP:AFS CacheManager Callback (UDP)

R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 iComp;HP Analog TV Tuner;c:\windows\system32\DRIVERS\p2usbwdm.sys [2005-10-13 1527808]
R3 Tcpc2h;Tcpc2h; [x]
S2 U3SHLPDR;U3SHLPDR;c:\windows\System32\Drivers\U3SHLPDR.SYS [2007-01-23 3445]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d75c48a7-7477-11dd-8366-0018dea385f6}]
\Shell\AutoRun\command - H:\PortableVault.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1238730878-4098613907-3068013729-1005.job
- c:\documents and settings\Andrew Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-19 03:08]

2009-04-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-04-14 c:\windows\Tasks\User_Feed_Synchronization-{F7845907-D1BD-4B75-B349-E2B4F3D8A821}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-googletalk - c:\program files\Google\Google Talk\googletalk.exe
HKLM-Run-Psepixiwuhuq - c:\windows\Pgoqesebeva.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{A6E07A82-436A-11d3-83B6-00902747E82E} - c:\windows\PeoplePC\hta\peopledialer.hta
IE: {{A6E07A80-436A-11d3-83B6-00902747E82E} - {A6E07A81-436A-11d3-83B6-00902747E82E} - c:\windows\system32\shdocvw.dll
IE: {{F05B7DAE-337E-11D3-83B6-00E0980647AC} - {F05B7DAE-337E-11D3-83B6-00E0980647AC} - c:\windows\PeoplePC\BIN\PAYMEN~1.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 08:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1238730878-4098613907-3068013729-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:33,75,b5,cc,0a,83,d1,ff,53,b4,0e,e2,0d,d3,ae,71,ec,c6,90,4b,3c,1c,9c,
46,20,93,c8,ea,d9,ea,aa,c5,b0,80,82,b7,e0,e7,63,22,62,aa,a9,b3,72,e0,af,7c,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\MIT\Kerberos\bin\krb5_32.dll
c:\program files\MIT\Kerberos\bin\comerr32.dll
c:\program files\MIT\Kerberos\bin\k5sprt32.dll
c:\program files\MIT\Kerberos\bin\xpprof32.dll
c:\program files\MIT\Kerberos\bin\krb524.dll
c:\program files\MIT\Kerberos\bin\leashw32.dll
c:\program files\MIT\Kerberos\bin\krbcc32.dll
c:\program files\MIT\Kerberos\bin\krbv4w32.dll
c:\windows\system32\kfwlogon.dll

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\dojonilu.dll

- - - - - - - > 'explorer.exe'(564)
c:\windows\system32\pijutiji.dll
c:\windows\system32\dojonilu.dll
c:\windows\system32\bikokere.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\MIT\Kerberos\bin\krbcc32s.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\progra~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
c:\program files\OpenAFS\Client\Program\afsd_service.exe
c:\windows\system32\searchindexer.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 13:00

Pre-Run: 15,292,624,896 bytes free
Post-Run: 15,446,429,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

333 --- E O F --- 2009-04-13 16:01
#2
fenzodahl512
Malware Removal, 9,863 posts
1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Tcpc2h

File::
c:\program files\lohezudu.dll
C:\hpqp.ini
C:\XP_TV.ini
c:\windows\system32\bikokere.dll
c:\windows\system32\pufoponu.exe
c:\windows\system32\gurujize.dll
c:\windows\system32\pijutiji.dll
c:\windows\system32\bikokere.dll
c:\windows\system32\dojonilu.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e4903124-b231-40e2-9d16-8970288890c7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yugefikila"=-
"CPM32e3c26f"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d75c48a7-7477-11dd-8366-0018dea385f6}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#3
fenzodahl512
Malware Removal, 9,863 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.