ComboFix 08-05-12.1 - Kevin Mayer 2008-05-21 21:27:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.249 [GMT -6:00]
Running from: C:\Documents and Settings\Kevin Mayer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin Mayer\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\drivers\qkotrtbz.dat
C:\WINDOWS\system32\DX8VBe.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\qkotrtbz.dat
C:\WINDOWS\system32\avwavp.dll . . . . failed to delete
[Reviewer note: this file was not removed. It is still referenced below as a Browser Helper Object ({256A9C1F-...}) and as a winlogon\notify entry (lznytwib), so it should be treated as an active loading point until the file and both registry references are removed and a fresh scan confirms it is gone.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CGLDEDUC
-------\Service_cgldeduc
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.
2008-05-19 22:21 . 2008-05-19 22:22 d-------- C:\Documents and Settings\Kevin Mayer\Application Data\ScamBlocker
2008-05-19 22:18 . 2008-05-19 22:18 d-------- C:\Program Files\PeoplePC Accelerated
2008-05-19 22:14 . 2008-05-19 22:14 d-------- C:\Program Files\PeoplePC
2008-05-19 22:14 . 2008-05-19 22:14 d-------- C:\Program Files\Common Files\PeoplePC
2008-05-19 22:14 . 2007-08-07 16:37 47,960 --------- C:\WINDOWS\SYSTEM32\PPCOUNIN.exe
2008-05-19 22:14 . 2007-08-07 16:16 40,960 --------- C:\WINDOWS\SYSTEM32\ppcpanel.cpl
2008-05-19 22:14 . 2007-08-07 16:16 40,656 --------- C:\WINDOWS\SYSTEM32\PPCClean.exe
2008-05-19 22:14 . 2007-08-07 16:16 23,896 --------- C:\WINDOWS\SYSTEM32\PPCInfo.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 03:32 --------- d-----w C:\Program Files\CallWave
2008-05-22 03:32 --------- d-----w C:\Documents and Settings\Kevin Mayer\Application Data\OpenOffice.org2
2008-04-18 01:19 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-04-18 01:19 --------- d-----w C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets
2008-04-17 05:40 50,688 ----a-w C:\ATF-Cleaner.exe
2008-04-11 03:02 --------- d-----w C:\Program Files\Panda Security
2008-03-08 16:22 1,303,855 ----a-w C:\SmitfraudFix.exe
2008-03-01 01:24 0 ----a-w C:\Documents and Settings\Kevin Mayer\INDEX.DAT
2007-08-29 16:28 11,390,509 ----a-w C:\Program Files\apache-ant-1.7.0-bin.zip
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets ----
2008-04-18 21:51 9149 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\pluginreg.dat
2008-04-18 21:51 126976 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\places.sqlite
2008-04-18 21:51 0 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\places.sqlite-journal
2008-04-18 21:50 95669 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\xpti.dat
2008-04-18 21:50 367 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\prefs.js
2008-04-18 21:50 207 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\compatibility.ini
2008-04-18 21:50 126626 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\compreg.dat
2008-04-18 21:50 0 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\parent.lock
2008-04-17 20:11 8192 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\formhistory.sqlite
2008-04-17 19:19 65536 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\cert8.db
2008-04-17 19:19 2048 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\permissions.sqlite
2008-04-17 19:19 2048 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\cookies.sqlite
2008-04-17 19:19 169 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\localstore.rdf
2008-04-17 19:19 16384 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\secmod.db
2008-04-17 19:19 16384 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\Profiles\lqs3oj8o.default\key3.db
2008-04-17 19:19 111 --a------ C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets\profiles.ini
((((((((((((((((((((((((((((( snapshot@2008-05-18_22.06.34.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 03:59:14 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-22 03:32:08 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2004-06-29 17:44:52 28,160 ----a-w C:\WINDOWS\SYSTEM32\accUNIN.EXE
- 2004-09-18 00:37:47 7,168 ------w C:\WINDOWS\SYSTEM32\PopWait.exe
+ 2007-08-07 22:16:08 28,504 ------w C:\WINDOWS\SYSTEM32\PopWait.exe
+ 2005-07-07 20:11:00 43,008 ----a-w C:\WINDOWS\SYSTEM32\unACC.exe
+ 2005-07-07 20:11:00 43,520 ----a-w C:\WINDOWS\SYSTEM32\unMAX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}]
2004-08-04 04:00 82432 --a------ c:\windows\system32\avwavp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}]
C:\WINDOWS\system32\DX8VBe.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2008-05-19 22:24 237056 --a------ c:\program files\peoplepc\toolbar\ppctoolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "c:\program files\peoplepc\toolbar\ppctoolbar.dll" [2008-05-19 22:24 237056]
[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= c:\program files\peoplepc\toolbar\ppctoolbar.dll [2008-05-19 22:24 237056]
[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 06:51 306688]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-04-24 20:09 3334144]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 07:50 131072]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 07:50 53248]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2005-03-02 19:19 143360]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 15:26 212992]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-12 01:25 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 20:28 196608]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-04-05 14:41 950272]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"Bart Station"="C:\Program Files\PeoplePC\ISP6630\BIN\PPCOLink.exe" [2007-08-07 16:15 25944]
C:\Documents and Settings\Kevin Mayer\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-04-12 01:25:06 156784]
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2005-06-02 22:07:30 1590352]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-04-16 15:26:41 118784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 11:36:08 960032]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lznytwib]
avwavp.dll 2004-08-04 04:00 82432 C:\WINDOWS\SYSTEM32\avwavp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=
R0 cgldeduc;cgldeduc;C:\WINDOWS\system32\drivers\cgldeduc.dat []
S3 Tomcat6;Apache Tomcat;"C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 []
*Newly Created Service* - CGLDEDUC
[Reviewer note: the Drivers/Services section above lists Legacy_CGLDEDUC and Service_cgldeduc as removed, yet an R0 (boot-start) service cgldeduc with ImagePath system32\drivers\cgldeduc.dat is still listed here and under ControlSet001\Services. A boot-start driver loading from a .dat file is not a normal Windows component; presumably the service was recreated or the removal did not persist across the reboot — confirm with a follow-up scan.]
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 16:00:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-04-16 21:13:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
"2008-05-22 03:32:42 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DDR93871-Kevin Mayer).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 21:32:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc]
"ImagePath"="system32\drivers\cgldeduc.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\Program Files\PeoplePC\ISP6630\Browser\BartShel.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\PeoplePC\ISP6630\Browser\PPShared.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2008-05-21 21:38:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 03:38:40
ComboFix2.txt 2008-05-19 04:07:04
Pre-Run: 67,011,960,832 bytes free
Post-Run: 67,032,195,072 bytes free