ComboFix 10-01-28.05 - richard forster 01/29/2010 19:53:17.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.472 [GMT 11:00]
Running from: c:\documents and settings\richard forster\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Resident AV is active
.
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))
.
2010-01-29 03:28 . 2010-01-29 03:28 -------- d-----w- C:\!FixIEDef
2010-01-29 02:42 . 2010-01-29 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-29 02:01 . 2010-01-29 02:01 -------- d-----w- c:\documents and settings\richard forster\Application Data\Malwarebytes
2010-01-29 02:01 . 2010-01-07 05:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-29 02:01 . 2010-01-29 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 02:01 . 2010-01-07 05:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-29 02:01 . 2010-01-29 02:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 02:00 . 2010-01-29 02:00 -------- d-----w- c:\windows\erunt
2010-01-29 01:58 . 2010-01-29 01:59 -------- d-----w- c:\program files\ERUNT
2010-01-27 02:46 . 2010-01-27 02:46 52224 ----a-w- c:\documents and settings\richard forster\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-27 02:46 . 2010-01-27 02:46 117760 ----a-w- c:\documents and settings\richard forster\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-27 02:44 . 2010-01-27 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-27 02:44 . 2010-01-27 02:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 02:44 . 2010-01-27 02:44 -------- d-----w- c:\documents and settings\richard forster\Application Data\SUPERAntiSpyware.com
2010-01-27 02:43 . 2010-01-27 02:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-27 02:23 . 2010-01-27 02:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-27 02:15 . 2010-01-27 02:15 -------- d-----w- c:\documents and settings\richard forster\Application Data\CheckPoint
2010-01-27 02:13 . 2010-01-29 09:09 -------- d-----w- c:\windows\Internet Logs
2010-01-27 00:19 . 2010-01-28 22:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-27 00:19 . 2010-01-28 22:35 -------- d-----w- c:\program files\SpywareBlaster
2010-01-27 00:17 . 2010-01-27 00:17 388096 ----a-r- c:\documents and settings\richard forster\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-27 00:17 . 2010-01-27 00:17 -------- d-----w- c:\program files\TrendMicro
2010-01-27 00:02 . 2010-01-27 00:34 -------- d-----w- C:\fdfa49f63f00a04acfb23c2e3220
2010-01-26 22:42 . 2010-01-26 22:42 -------- d-----w- c:\windows\ie8updates
2010-01-26 22:41 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-26 22:41 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-26 22:41 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-26 22:41 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-26 22:41 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-26 22:41 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-26 12:08 . 2010-01-26 12:08 -------- d-sh--w- c:\documents and settings\richard forster\IECompatCache
2010-01-26 12:08 . 2010-01-26 12:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-26 12:07 . 2010-01-26 12:07 -------- d-sh--w- c:\documents and settings\richard forster\PrivacIE
2010-01-26 12:03 . 2010-01-26 12:03 -------- d-sh--w- c:\documents and settings\richard forster\IETldCache
2010-01-26 11:58 . 2010-01-26 11:59 -------- dc-h--w- c:\windows\ie8
2010-01-25 11:46 . 2010-01-20 01:14 52224 ----a-w- c:\documents and settings\richard forster\Application Data\Mozilla\Firefox\Profiles\trd00lju.default\extensions\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}\components\FFExternalAlert.dll
2010-01-25 11:46 . 2010-01-20 01:14 101376 ----a-w- c:\documents and settings\richard forster\Application Data\Mozilla\Firefox\Profiles\trd00lju.default\extensions\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}\components\RadioWMPCore.dll
2010-01-25 11:46 . 2010-01-25 11:46 -------- d-----w- c:\program files\Conduit
2010-01-25 11:46 . 2010-01-25 11:46 -------- d-----w- c:\documents and settings\richard forster\Local Settings\Application Data\Conduit
2010-01-02 03:47 . 2010-01-02 03:47 -------- d-----w- c:\documents and settings\richard forster\Local Settings\Application Data\Identities
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-29 08:39 . 2010-01-27 03:59 7920936 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-29 05:16 . 2010-01-29 05:17 1649664 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-01-29 05:16 . 2010-01-29 05:17 102400 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-01-29 02:38 . 2010-01-29 02:55 881152 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-01-29 02:23 . 2009-12-02 03:31 -------- d-----w- c:\documents and settings\richard forster\Application Data\Skype
2010-01-27 02:14 . 2010-01-27 02:14 -------- d-----w- c:\program files\CheckPoint
2010-01-27 02:14 . 2010-01-27 02:14 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-27 02:14 . 2010-01-27 02:14 -------- d-----w- c:\program files\Zone Labs
2010-01-25 11:34 . 2009-12-02 03:09 -------- d-----w- c:\program files\QuickTime
2010-01-25 10:21 . 2008-04-15 03:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-25 10:21 . 2008-04-15 03:00 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2009-12-30 00:12 . 2009-12-30 00:12 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-25 13:00 . 2009-12-04 23:51 -------- d-----w- c:\documents and settings\richard forster\Application Data\skypePM
2009-12-23 07:29 . 2009-12-02 03:16 60592 ----a-w- c:\documents and settings\richard forster\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 07:26 . 2008-07-08 17:53 -------- d-----w- c:\program files\McAfee
2009-12-21 19:14 . 2008-04-15 03:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 03:23 . 2009-12-14 03:23 131072 --sha-r- c:\windows\system32\aneyrei.dll
2009-12-11 07:57 . 2008-07-08 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-09 20:58 . 2009-12-06 00:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-09 09:30 . 2008-07-08 18:02 -------- d-----w- c:\program files\Microsoft Works
2009-12-06 06:53 . 2009-12-06 06:53 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-12-06 06:49 . 2008-07-08 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-12-05 23:45 . 2008-07-08 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-04 23:51 . 2009-12-04 23:51 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-02 19:56 . 2009-12-02 19:56 0 ----a-w- c:\windows\nsreg.dat
2009-12-02 19:41 . 2009-12-02 19:41 -------- d-----w- c:\program files\MSXML 4.0
2009-12-02 18:38 . 2009-12-02 18:38 -------- d-----w- c:\documents and settings\richard forster\Application Data\Yahoo!
2009-12-02 18:38 . 2009-12-02 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-12-02 07:21 . 2009-12-02 07:16 -------- d-----w- c:\program files\3 MobileBroadband
2009-12-02 04:13 . 2009-12-02 04:13 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-02 03:24 . 2009-12-02 03:24 -------- d-----w- c:\program files\tbh
2009-12-02 03:21 . 2009-12-02 03:20 -------- d-----r- c:\program files\Skype
2009-12-02 03:20 . 2009-12-02 03:20 -------- d-----w- c:\program files\Common Files\Skype
2009-12-02 03:16 . 2009-12-02 03:13 -------- d-----w- c:\documents and settings\richard forster\Application Data\Apple Computer
2009-12-02 03:13 . 2009-12-02 03:11 -------- d-----w- c:\program files\iTunes
2009-12-02 03:13 . 2009-12-02 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-02 03:12 . 2009-12-02 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-02 03:11 . 2009-12-02 03:11 -------- d-----w- c:\program files\iPod
2009-12-02 03:11 . 2009-12-02 03:06 -------- d-----w- c:\program files\Common Files\Apple
2009-12-02 03:11 . 2009-12-02 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-02 03:08 . 2009-12-02 03:08 -------- d-----w- c:\program files\Apple Software Update
2009-12-02 03:06 . 2009-12-02 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-22 04:42 . 2010-01-27 02:14 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-22 04:42 . 2010-01-27 02:14 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-11-22 04:42 . 2010-01-27 02:14 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-11-21 15:51 . 2008-04-15 03:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 06:07 . 2009-11-12 06:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2009-12-02 110592]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-04 2002160]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"M3000Mnt"="M3000Rmv.dll " [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-5 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 03:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/15/2009 12:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/15/2009 12:30 AM 476528]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/6/2009 10:45 AM 93320]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 1:57 PM 70952]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 6:01 PM 254976]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [5/21/2008 7:11 PM 96856]
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2010-01-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 02:32]

2008-07-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 02:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2086743
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4F20E4FA-C86E-4C8D-9118-C093661C0E59} = 10.176.66.71 10.188.66.103
FF - ProfilePath - c:\documents and settings\richard forster\Application Data\Mozilla\Firefox\Profiles\trd00lju.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2086743&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - PHPNukeEN Customized Web Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2086743&q=
FF - component: c:\documents and settings\richard forster\Application Data\Mozilla\Firefox\Profiles\trd00lju.default\extensions\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\richard forster\Application Data\Mozilla\Firefox\Profiles\trd00lju.default\extensions\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\richard forster\Application Data\Mozilla\Firefox\Profiles\trd00lju.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-29 20:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(808)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-29 20:15:15
ComboFix-quarantined-files.txt 2010-01-29 09:15

Pre-Run: 2,810,626,048 bytes free
Post-Run: 2,779,664,384 bytes free

- - End Of File - - C31E4C73C0682806FE623B1B4A0D8CE7