I've come across your site because somebody else was having the same problem. I ran ComboFix and GooredFix. Here are the logs. I need help understanding what they mean and what steps to take next. Thanks!
ComboFix Log:
ComboFix 09-04-01.01 - user 2009-04-01 17:05:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.673 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.
2009-04-01 15:54 . 2009-04-01 15:56 <DIR> d-------- c:\documents and settings\user\Application Data\TweakNow RegCleaner
2009-03-31 13:51 . 2009-04-01 15:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-31 13:51 . 2009-04-01 15:58 <DIR> d-------- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-03-31 13:51 . 2009-03-31 13:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-31 13:26 . 2009-03-31 13:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TweakNow RegCleaner
2009-03-31 13:21 . 2009-03-31 13:21 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-03-31 13:10 . 2009-03-31 13:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-31 13:10 . 2009-03-31 13:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-31 13:08 . 2009-03-31 13:25 <DIR> d-------- c:\documents and settings\Administrator
2009-03-31 00:05 . 2009-04-01 08:22 <DIR> d-------- C:\QUARANTINE
2009-03-25 21:30 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-25 21:30 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-25 21:30 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-25 21:30 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-04 23:22 . 2009-03-04 23:22 <DIR> d-------- c:\program files\McAfee
2009-03-04 23:22 . 2009-03-04 23:22 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-04 23:22 . 2009-03-04 23:22 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2009-03-04 23:22 . 2009-03-04 23:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-04 23:22 . 2006-11-17 04:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2009-03-04 23:22 . 2008-01-24 21:50 171,400 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-03-04 23:22 . 2008-01-24 21:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-04 23:22 . 2008-01-24 21:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2009-03-04 23:22 . 2008-01-24 21:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2009-03-04 23:22 . 2008-01-24 21:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-04 23:22 . 2006-11-17 04:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2009-03-04 23:16 . 2009-03-04 23:16 <DIR> d-------- c:\windows\Internet Logs
2009-03-04 23:16 . 2007-01-31 14:45 127,376 --a------ c:\windows\system32\drivers\dne2000.sys
2009-03-04 23:16 . 2007-01-31 14:45 101,904 --a------ c:\windows\system32\dneinobj.dll
2009-03-04 23:15 . 2009-03-04 23:15 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2009-03-04 23:15 . 2009-03-04 23:15 <DIR> d-------- c:\program files\Cisco Systems
2009-03-04 23:15 . 2009-03-04 23:16 1,594 --a------ c:\windows\VPNInstall.MIF
2009-03-02 21:26 . 2009-03-02 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\EPSON
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 21:08 --------- d-----w c:\documents and settings\user\Application Data\StarOffice8
2009-04-01 04:01 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-31 03:09 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-31 03:03 --------- d-----w c:\program files\Common Files\Adobe
2009-03-28 15:21 --------- d-----w c:\program files\Spyware Doctor
2009-03-05 03:42 --------- d-----w c:\program files\Google
2009-02-08 23:16 --------- d-----w c:\documents and settings\user\Application Data\GARMIN
2009-02-08 23:15 --------- d-----w c:\program files\Garmin GPS Plugin
2009-02-08 23:15 --------- d-----w c:\program files\Garmin
2009-02-08 23:15 --------- d-----w c:\program files\DIFX
2008-04-24 01:33 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-01 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-23 29744]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-15 185632]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-03-02 1282048]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 c:\windows\RTHDCPL.EXE]
c:\documents and settings\user\Start Menu\Programs\Startup\
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2007-02-02 122880]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex Enhanced G Desktop Card Adapter\DynexWCUI.exe [2008-09-04 1462272]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-03-04 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\ruby\\bin\\ruby.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"=
"c:\\WINDOWS\\system32\\bcmwltry.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-09-01 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-26 356920]
.
Contents of the 'Scheduled Tasks' folder
2009-04-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 22:42]
2008-12-26 c:\windows\Tasks\Norton Security Scan for user.job
- c:\program files\Norton Security Scan\Nss.exe [2008-12-11 18:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\xj7ts1li.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\xj7ts1li.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 17:08:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1212)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Sun\StarOffice 8\program\soffice.exe
c:\program files\Sun\StarOffice 8\program\soffice.bin
.
**************************************************************************
.
Completion time: 2009-04-01 17:10:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-01 21:10:43
Pre-Run: 93,897,084,928 bytes free
Post-Run: 95,097,413,632 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
167 --- E O F --- 2009-03-14 20:12:33
GooredFix Log:
GooredFix v1.92 by jpshortstuff
Log created at 17:17 on 01/04/2009 running Option #1 (user)
Firefox version 3.0.8 (en-US)
=====Suspect Goored Entries=====
C:\Program Files\Mozilla Firefox\extensions\{B4F1714A-558A-4C95-8058-95A36C30A673}
C:\Program Files\Mozilla Firefox\extensions\{499D8CEF-5348-4530-BA7A-8AF3EFF7971E}
C:\Program Files\Mozilla Firefox\extensions\{02E20DF3-6A66-4271-A30A-9A7F69525779}
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}"