ComboFix 08-07-05.1 - Kevin Mayer 2008-07-07 22:39:01.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -6:00]
Running from: C:\Documents and Settings\Kevin Mayer\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.
2008-07-05 09:44 . 2008-07-05 09:45 63,995,208 --a------ C:\registry070508.reg
2008-07-05 09:36 . 2008-07-05 09:54 32,768 --a------ C:\OK.doc
2008-06-09 21:38 . 2008-06-09 21:45 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-09 21:38 . 2008-06-09 21:38 d-------- C:\Documents and Settings\Kevin Mayer\Application Data\Malwarebytes
2008-06-09 21:38 . 2008-06-09 21:38 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-09 21:38 . 2008-06-09 20:13 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-09 21:38 . 2008-06-09 20:13 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 04:08 --------- d-----w C:\Program Files\CallWave
2008-07-08 04:08 --------- d-----w C:\Documents and Settings\Kevin Mayer\Application Data\OpenOffice.org2
2008-05-20 04:22 --------- d-----w C:\Documents and Settings\Kevin Mayer\Application Data\ScamBlocker
2008-05-20 04:18 --------- d-----w C:\Program Files\PeoplePC Accelerated
2008-05-20 04:14 --------- d-----w C:\Program Files\PeoplePC
2008-05-20 04:14 --------- d-----w C:\Program Files\Common Files\PeoplePC
2008-04-17 05:40 50,688 ----a-w C:\ATF-Cleaner.exe
2008-03-01 01:24 0 ----a-w C:\Documents and Settings\Kevin Mayer\INDEX.DAT
2007-08-29 16:28 11,390,509 ----a-w C:\Program Files\apache-ant-1.7.0-bin.zip
.
((((((((((((((((((((((((((((( snapshot@2008-05-18_22.06.34.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 03:59:14 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-08 04:08:02 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2000-08-31 14:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 14:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
- 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 14:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
+ 2004-06-29 17:44:52 28,160 ----a-w C:\WINDOWS\SYSTEM32\accUNIN.EXE
- 2004-09-18 00:37:47 7,168 ------w C:\WINDOWS\SYSTEM32\PopWait.exe
+ 2007-08-07 22:16:08 28,504 ------w C:\WINDOWS\SYSTEM32\PopWait.exe
+ 2007-08-07 22:16:08 40,656 ------w C:\WINDOWS\SYSTEM32\PPCClean.exe
+ 2007-08-07 22:16:08 23,896 ------w C:\WINDOWS\SYSTEM32\PPCInfo.exe
+ 2007-08-07 22:37:02 47,960 ------w C:\WINDOWS\SYSTEM32\PPCOUNIN.exe
+ 2005-07-07 20:11:00 43,008 ----a-w C:\WINDOWS\SYSTEM32\unACC.exe
+ 2005-07-07 20:11:00 43,520 ----a-w C:\WINDOWS\SYSTEM32\unMAX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2008-05-19 22:24 237056 --a------ c:\program files\peoplepc\toolbar\ppctoolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "c:\program files\peoplepc\toolbar\ppctoolbar.dll" [2008-05-19 22:24 237056]
[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "c:\program files\peoplepc\toolbar\ppctoolbar.dll" [2008-05-19 22:24 237056]
[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 06:51 306688]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-04-24 20:09 3334144]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 07:50 131072]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 07:50 53248]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2005-03-02 19:19 143360]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 15:26 212992]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-12 01:25 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 20:28 196608]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-04-05 14:41 950272]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"Bart Station"="C:\Program Files\PeoplePC\ISP6630\BIN\PPCOLink.exe" [2007-08-07 16:15 25944]

C:\Documents and Settings\Kevin Mayer\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-04-12 01:25:06 156784]
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2005-06-02 22:07:30 1590352]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-04-16 15:26:41 118784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 11:36:08 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

R0 cgldeduc;cgldeduc;C:\WINDOWS\system32\drivers\cgldeduc.dat []
S3 Tomcat6;Apache Tomcat;C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [2007-07-19 20:20]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 16:00:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-04-16 21:13:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
"2008-07-08 04:08:09 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DDR93871-Kevin Mayer).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{256A9C1F-F38D-4E22-BA27-D943236786EC} - c:\windows\system32\avwavp.dll
BHO-{96147EDE-CE4F-4172-A719-80F811DF98CB} - C:\WINDOWS\system32\DX8VBe.dll
Toolbar-ID - (no file)
Notify-lznytwib - avwavp.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 22:42:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\cgldeduc]
"ImagePath"="system32\drivers\cgldeduc.dat"
.
Completion time: 2008-07-07 22:44:11
ComboFix-quarantined-files.txt 2008-07-08 04:43:47
ComboFix2.txt 2008-06-23 02:21:04
ComboFix3.txt 2008-06-03 04:13:12
ComboFix4.txt 2008-05-28 02:32:43
ComboFix5.txt 2008-05-26 15:18:08

Pre-Run: 66,899,353,600 bytes free
Post-Run: 66,938,789,888 bytes free

150