here it is
ComboFix 09-04-14.01 - Natasha 14/04/2009 0:14.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1013.302 [GMT -5:00]
Running from: c:\users\Natasha\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Natasha\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\gxvxccounter
.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.
2009-04-14 04:14 . 2009-04-14 04:14 -------- d-----w c:\users\Natasha\AppData\Roaming\Malwarebytes
2009-04-14 01:57 . 2009-04-14 01:57 -------- d-----w c:\program files\NVT Malware Remover Tool
2009-04-14 01:29 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 01:29 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 01:29 . 2009-04-14 01:29 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-14 01:29 . 2009-04-14 01:29 -------- d-----w c:\programdata\Malwarebytes
2009-04-14 01:29 . 2009-04-14 01:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 22:05 . 2009-04-13 22:07 -------- d-----w C:\ComboFix
2009-04-12 00:01 . 2009-04-13 00:49 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-11 23:58 . 2009-04-13 00:49 -------- d-----w c:\users\All Users\Lavasoft
2009-04-11 23:58 . 2009-04-13 00:49 -------- d-----w c:\programdata\Lavasoft
2009-04-10 14:35 . 2009-04-13 19:39 14040 ----a-w c:\windows\cfgall.ini
2009-04-10 14:05 . 2009-04-10 14:05 -------- d-----w C:\Quarantine
2009-04-10 14:04 . 2009-04-10 14:04 -------- d-----w c:\windows\system32\log
2009-04-10 14:03 . 2009-04-13 00:01 -------- d-----w c:\program files\Trend Micro
2009-04-10 13:52 . 2009-04-10 13:52 -------- d-----w c:\users\Natasha\AppData\Roaming\InstallShield
2009-04-02 02:29 . 2009-04-02 02:29 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 05:19 . 2007-06-28 17:46 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-04-14 05:19 . 2007-06-28 17:46 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-04-14 05:19 . 2007-06-28 17:46 131072 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-04-14 05:19 . 2009-04-14 05:19 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2009-04-14 05:19 . 2009-04-14 05:19 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2009-04-14 04:10 . 2008-02-12 22:41 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-14 04:08 . 2008-02-12 22:42 -------- d-----w c:\programdata\Symantec
2009-04-13 02:20 . 2009-04-13 03:04 15087689 ----a-w c:\program files\PROCESSLIST.DB
2009-04-13 02:20 . 2009-04-13 03:04 1143446 ----a-w c:\program files\PROCESSLISTRELATED.DB
2009-04-13 00:22 . 2009-04-12 14:05 444 ----a-w C:\aaw7boot.log
2009-04-10 14:07 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-10 14:07 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-04-10 14:07 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-03-12 14:57 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-12 14:16 . 2007-07-26 21:43 -------- d-----w c:\programdata\Microsoft Help
2009-02-27 17:34 . 2007-09-27 19:53 32768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-02-27 17:34 . 2007-09-27 19:53 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-02-27 17:34 . 2007-09-27 19:53 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-02-21 17:53 . 2008-03-08 03:09 -------- d-----w c:\program files\Windows Live
2009-02-09 03:10 . 2009-03-11 14:46 2033152 ----a-w c:\windows\System32\win32k.sys
2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\System32\sirenacm.dll
2009-01-15 06:11 . 2009-02-12 03:53 827392 ----a-w c:\windows\System32\wininet.dll
2008-12-19 09:01 . 2008-05-26 14:56 680 ----a-w c:\users\Natasha\AppData\Local\d3d9caps.dat
2008-12-19 02:52 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-07-27 16:46 . 2007-06-28 04:00 112408 ----a-w c:\users\Natasha\AppData\Local\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-04-13_22.33.35.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-06 23:40 . 2009-04-14 05:21 45788 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-04-14 05:21 61744 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2007-06-28 04:01 . 2009-04-14 03:23 10836 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-381672913-1497699758-3801013932-1000_UserData.bin
+ 2007-06-28 04:01 . 2009-04-14 05:21 10836 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-381672913-1497699758-3801013932-1000_UserData.bin
+ 2007-06-28 17:46 . 2009-04-14 05:19 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-28 17:46 . 2009-04-14 03:21 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-28 17:46 . 2009-04-14 05:19 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-28 17:46 . 2009-04-14 03:21 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-14 03:21 . 2009-04-14 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-14 05:19 . 2009-04-14 05:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-14 05:19 . 2009-04-14 05:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-14 03:21 . 2009-04-14 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-04-14 05:20 . 2008-11-27 20:52 296224 c:\windows\temp\TZ5345.EXE
- 2006-11-02 12:43 . 2009-04-14 03:09 262144 c:\windows\System32\config\systemprofile\ntuser.dat
+ 2006-11-02 12:43 . 2009-04-14 05:13 262144 c:\windows\System32\config\systemprofile\ntuser.dat
+ 2007-06-28 17:46 . 2009-04-14 05:19 131072 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-28 17:46 . 2009-04-14 03:21 131072 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 12:47 . 2009-04-14 05:22 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2006-11-02 12:47 . 2009-04-14 03:23 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2006-11-02 12:47 . 2009-04-14 03:23 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2006-11-02 12:47 . 2009-04-14 05:22 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2007-06-28 04:10 . 2009-04-14 03:19 729848 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-06-28 04:10 . 2009-04-14 05:18 729848 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-19 2153472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-12 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-12 530552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-11-27 718120]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-07 3772416]
"NDSTray.exe"="NDSTray.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{29DF42F3-06E5-4AF2-8F87-01E0CA882130}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{48B3A74E-4778-4E18-BAF0-32A825034145}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{50C363D8-B98A-4FD4-9ED7-889E9B7E8B41}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{5BA02A87-7C49-47E6-9A1E-F75B19E442C5}c:\\program files\\gamehouse\\texttwist\\texttwist.exe"= UDP:c:\program files\gamehouse\texttwist\texttwist.exe:Super TextTwist
"UDP Query User{A838F259-EA07-402D-9C96-64E3B1E37CC4}c:\\program files\\gamehouse\\texttwist\\texttwist.exe"= TCP:c:\program files\gamehouse\texttwist\texttwist.exe:Super TextTwist
"{ED272B27-4716-433F-9940-EA6C64A86A2F}"= UDP:c:\users\Natasha\AppData\Local\Temp\7zSD2E8.tmp\SymNRT.exe:Norton Removal Tool
"{0A6322AA-EAA4-43F4-8775-C76C9D4AD2A5}"= TCP:c:\users\Natasha\AppData\Local\Temp\7zSD2E8.tmp\SymNRT.exe:Norton Removal Tool
"{76D597C6-402F-46BE-997F-F89B5E58B1AC}"= UDP:11050:Trend Micro OfficeScan Listener
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-08-21 652552]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2008-11-26 205328]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2008-11-26 36368]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
Contents of the 'Scheduled Tasks' folder
2009-04-13 c:\windows\Tasks\User_Feed_Synchronization-{2863D096-11F2-4FDE-893A-3C671B4EAF22}.job
- c:\windows\system32\msfeedssync.exe [2008-06-12 07:33]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 00:22
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\temp\TZ5345.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\System32\conime.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 05:33
ComboFix2.txt 2009-04-14 03:35
Pre-Run: 71,636,881,408 bytes free
Post-Run: 71,556,997,120 bytes free
188 --- E O F --- 2009-04-14 00:44
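A small triage script, added here as an example and not part of the original post or of ComboFix itself, that parses ComboFix's section headers and pulls out the three things a responder would look at first in a log like the one above: what the tool deleted, which running processes execute from directories where a service or autostart rarely belongs, and which Security Center "stop alerting / stop monitoring" values are set. It runs over an excerpt of the log above that is embedded inline; the section names it keys on come from the log, while the list of "unusual" directories is the example's own assumption.

```python
import re
from collections import defaultdict

# Excerpt of the ComboFix log above, embedded so the example runs offline.
LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\gxvxccounter
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\temp\TZ5345.EXE
c:\windows\servicing\TrustedInstaller.exe
.
"""

# ComboFix wraps section titles in runs of parentheses or dashes.
HEADER_RE = re.compile(r'^(?:\({3,}|-{3,})\s*(.+?)\s*(?:\){3,}|-{3,})$')

# Assumption of this example: directories from which a legitimate service or
# autostart rarely runs. A hit is a lead to verify (hash, signer), not a verdict.
UNUSUAL_DIRS = ("\\temp\\", "\\appdata\\", "\\recycler\\")


def split_sections(text):
    """Map each ComboFix section title to its non-blank lines."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses a lone "." as a spacer
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def unusual_location_processes(sections):
    """Running processes whose image path sits under an UNUSUAL_DIRS entry."""
    procs = sections.get("Other Running Processes", [])
    return [p for p in procs if any(d in p.lower() for d in UNUSUAL_DIRS)]


def security_center_overrides(sections):
    """(key, value name) pairs under the Security Center key that are set to 1
    and tell Windows to stop alerting or monitoring. Malware commonly sets
    these, but some third-party AV installers do too, so confirm before acting."""
    found = []
    key = None
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and key and "security center" in key.lower():
            name, val = m.group(1), int(m.group(2), 16)
            if val == 1 and ("DisableNotify" in name or name == "DisableMonitoring"):
                found.append((key, name))
    return found


def triage(text):
    """One-call summary of the items worth checking first."""
    sections = split_sections(text)
    return {
        "deleted": sections.get("Other Deletions", []),
        "unusual_processes": unusual_location_processes(sections),
        "security_center_overrides": security_center_overrides(sections),
    }


if __name__ == "__main__":
    for heading, items in triage(LOG).items():
        print(heading)
        for item in items:
            print("   ", item)
```

Run against the full log, the script flags c:\windows\temp\TZ5345.EXE and six Security Center override values. Both are leads rather than verdicts: the snapshot shows TZ5345.EXE carrying a 2008-11-27 timestamp, the same date as the OfficeScan client binaries listed under Run, so it should be checked by hash and signature before anything is removed, and the DisableMonitoring values under the Symantec subkeys may simply be left over from a Norton install that the Norton Removal Tool entries in the firewall rules suggest was cleaned up.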