ComboFix 10-07-11.03 - Dad 07/11/2010 23:25:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.315 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Dad\LOCALS~1\Temp\dca4.tmp
c:\documents and settings\Dad\Local Settings\Temp\dca4.tmp
c:\documents and settings\Justin & Andrew\Application Data\Microsoft\update.exe
.
((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.
2010-07-12 01:03 . 2010-07-12 01:03 2395452 ----a-w- C:\MGtools.exe
2010-07-12 00:57 . 2010-07-12 00:57 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 00:57 . 2010-07-12 00:57 61440 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-41191905-n\decora-sse.dll
2010-07-12 00:57 . 2010-07-12 00:57 503808 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7f082d36-n\msvcp71.dll
2010-07-12 00:57 . 2010-07-12 00:57 499712 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7f082d36-n\jmc.dll
2010-07-12 00:57 . 2010-07-12 00:57 348160 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7f082d36-n\msvcr71.dll
2010-07-12 00:57 . 2010-07-12 00:57 12800 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-41191905-n\decora-d3d.dll
2010-07-12 00:56 . 2010-07-12 00:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 00:56 . 2010-07-12 00:56 -------- d-----w- c:\program files\Java
2010-07-12 00:50 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-07-12 00:50 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-07-11 23:00 . 2010-07-11 23:02 52224 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-11 22:59 . 2010-07-12 00:51 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-11 22:59 . 2010-07-11 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-11 22:59 . 2010-07-11 22:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-11 22:59 . 2010-07-11 22:59 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2010-07-11 22:58 . 2010-07-11 22:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-11 22:54 . 2010-07-11 22:54 134635170 ----a-w- C:\registrybackup.reg
2010-07-11 22:46 . 2010-07-11 22:46 -------- d-----w- c:\program files\CCleaner
2010-07-11 21:28 . 2010-07-11 21:28 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2010-07-11 21:28 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-11 21:28 . 2010-07-11 21:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 21:28 . 2010-07-11 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-11 21:28 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 21:25 . 2010-07-11 21:25 389120 ----a-w- c:\windows\system32\CF13992.exe
2010-07-11 19:23 . 2010-07-12 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-11 19:23 . 2010-07-11 19:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-12 22:42 . 2010-06-12 22:42 -------- d-----w- c:\program files\Common Files\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 03:31 . 2009-05-12 00:26 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-12 03:30 . 2003-09-16 17:42 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000003-00000000-0000000A-00001102-00000004-00541102}.dat
2010-07-12 03:30 . 2003-09-16 17:42 288 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-0000000A-00001102-00000004-00541102}.dat
2010-07-12 03:30 . 2008-12-31 21:31 -------- d-----w- c:\documents and settings\Dad\Application Data\Skype
2010-07-11 19:16 . 2008-11-03 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-26 20:16 . 2008-12-31 21:34 -------- d-----w- c:\documents and settings\Dad\Application Data\skypePM
2010-06-18 01:17 . 2009-02-13 01:01 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-05 20:39 . 2009-03-05 00:21 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-30 02:12 . 2009-05-12 00:31 -------- d-----w- c:\documents and settings\Dad\Application Data\Apple Computer
2010-05-15 23:15 . 2010-05-15 23:15 -------- d-----w- c:\program files\iTunes
2010-05-15 23:15 . 2010-05-15 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-15 23:15 . 2010-05-15 23:15 -------- d-----w- c:\program files\iPod
2010-05-15 23:15 . 2008-11-05 23:00 -------- d-----w- c:\program files\Common Files\Apple
2010-05-15 23:11 . 2003-09-16 21:01 -------- d-----w- c:\program files\QuickTime
2010-05-15 23:07 . 2010-05-15 23:07 -------- d-----w- c:\program files\Bonjour
2010-05-15 23:04 . 2010-05-15 23:04 250840 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-13 23:39 . 2010-05-13 23:39 -------- d-----w- c:\documents and settings\Mike\Application Data\Template
2010-05-06 10:41 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-09-16 17:29 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2003-09-16 17:29 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 12:33 . 2009-04-05 22:21 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 12:33 . 2008-11-05 23:00 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
2009-05-08 19:00 86016 ----a-w- c:\program files\oovootb\oovoodx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-05-08 86016]

[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26370014]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"nwiz"="nwiz.exe" [2003-08-19 323584]
"CTHelper"="CTHELPER.EXE" [2003-07-03 28672]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 513502]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 28672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 213474]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 599518]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 426452]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2003-07-03 226778]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 234964]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4721:UDP"= 4721:UDP:Windows Media Format SDK (iexplore.exe)
"4720:UDP"= 4720:UDP:Windows Media Format SDK (iexplore.exe)
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"37676:TCP"= 37676:TCP:*:Disabled:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:*:Disabled:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:*:Disabled:ooVoo UDP port 37677

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [9/16/2003 1:30 PM 4736]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [8/14/2008 1:10 PM 98304]
S2 mrtRate;mrtRate; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-03 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-09-16 10:42]

2008-11-03 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-09-16 10:42]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Creative Driver - c:\windows\System32\ctdrvins

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 23:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\system32\imapi.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-11 23:39:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-12 03:38

Pre-Run: 56,219,365,376 bytes free
Post-Run: 57,834,172,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 2A5E2A8EB87CE27A957D07F23A2CD59D
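A log like the one above is read by hand on most help forums, but the entry formats are regular enough to parse. The following is an added example, not part of the posted log and not ComboFix's own code: it parses the "Files Created" / "Find3M" entries (created time, modified time, size or dashes for a directory, attribute string, path) and the R0/R1/R2/S2/S3 service lines, then flags the two things a reviewer usually checks first, executables freshly written to a drive root, a Temp folder or an Application Data folder (the same kind of location as the deleted update.exe above), and services whose binary is missing, which ComboFix prints as `[x]`. Which locations count as "worth a second look" is this example's own assumption, not a ComboFix rule. The sample lines are copied from the log above.

```python
"""Parse ComboFix 'Files Created' / 'Find3M' entries and service lines and
flag the items a log reviewer usually wants to look at first.

Added example; not part of the ComboFix log above and not ComboFix's code.
The "suspect location" heuristic below is this example's own assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One 'Files Created' / 'Find3M' entry:
#   <created date time> . <modified date time> <size|--------> <attrs> <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# One service line: <R0..R3|S0..S4> <name>;<display>;<path> [<date size>] or [x]
SVC_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*?)\s*\[(.*)\]$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Locations where a freshly created executable deserves a second look
# (assumption made for this example; a drive root is handled separately).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]        # None for a directory entry ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Return a FileEntry for a 'Files Created'/'Find3M' line, else None."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return FileEntry(created, modified,
                     None if size.startswith("-") else int(size), attrs, path)


def is_suspect_file(e: FileEntry) -> bool:
    """Executable-looking file written to a drive root or a user-data folder."""
    if e.is_dir or not e.path.lower().endswith(EXEC_EXT):
        return False
    p = e.path.lower()
    at_drive_root = re.match(r"^[a-z]:\\[^\\]+$", p) is not None
    return at_drive_root or any(d in p for d in SUSPECT_DIRS)


def parse_service(line: str) -> Optional[dict]:
    """Return the fields of an R*/S* service line, else None."""
    m = SVC_RE.match(line.strip())
    if not m:
        return None
    start, name, display, path, info = m.groups()
    return {"start": start, "name": name, "display": display,
            "path": path, "missing_binary": info.strip() == "x"}


def review(lines: List[str]) -> dict:
    """Collect suspect file paths and services whose binary is missing."""
    suspect_files, missing_services = [], []
    for raw in lines:
        fe = parse_file_entry(raw)
        if fe is not None:
            if is_suspect_file(fe):
                suspect_files.append(fe.path)
            continue
        svc = parse_service(raw)
        if svc is not None and svc["missing_binary"]:
            missing_services.append(svc["name"])
    return {"suspect_files": suspect_files, "missing_services": missing_services}


# Sample lines copied from the log above.
SAMPLE = [
    "2010-07-12 01:03 . 2010-07-12 01:03 2395452 ----a-w- C:\\MGtools.exe",
    "2010-07-12 00:57 . 2010-07-12 00:57 -------- d-----w- c:\\program files\\Common Files\\Java",
    "2010-07-12 00:57 . 2010-07-12 00:57 503808 ----a-w- c:\\documents and settings\\Dad\\Application Data\\Sun\\Java\\Deployment\\SystemCache\\6.0\\46\\f84c6ae-7f082d36-n\\msvcp71.dll",
    "2010-07-11 21:25 . 2010-07-11 21:25 389120 ----a-w- c:\\windows\\system32\\CF13992.exe",
    "R0 SonyLSM;LED State Service;c:\\windows\\system32\\drivers\\SonyLSM.sys [9/16/2003 1:30 PM 4736]",
    "S2 mrtRate;mrtRate; [x]",
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

Run against the sample, `review()` flags `C:\MGtools.exe` (executable at the drive root) and the Java cache DLL under Application Data, leaves the system32 file and the directory alone, and reports `mrtRate` as a service with no binary on disk. Flagged does not mean malicious: MGtools and the Java deployment cache are both explained by the rest of the log, which is exactly why the output is a review list rather than a verdict.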