Thanks for your help thus far.
---
ComboFix 11-06-19.0r1 - Thomas 21/06/2011 15:19:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.1014.171 [GMT 10:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\0Mn75pnaY.jpg
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\0mPm6.jpg
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\4xl61.jpg
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\8bx82.jpg
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\m4XYn.jpg
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\oAPLj.jpg
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\pby0Mll8A.jpg
c:\users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\Xpxp3.jpg
c:\users\Thomas\AppData\Roaming\.#
c:\users\Thomas\AppData\Roaming\.#\MBX@1044@AD2768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@1044@AD2798.###
c:\users\Thomas\AppData\Roaming\.#\MBX@1514@E72768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@1514@E72798.###
c:\users\Thomas\AppData\Roaming\.#\MBX@16CC@1652768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@16CC@1652798.###
c:\users\Thomas\AppData\Roaming\.#\MBX@1778@15F2768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@1778@15F2798.###
c:\users\Thomas\AppData\Roaming\.#\MBX@8C4@1712768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@8C4@1712798.###
c:\users\Thomas\AppData\Roaming\.#\MBX@AC4@12D2768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@AC4@12D2798.###
c:\users\Thomas\AppData\Roaming\.#\MBX@B40@1602768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@B40@1602798.###
c:\users\Thomas\AppData\Roaming\.#\MBX@F6C@1672768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@F6C@1672798.###
c:\users\Thomas\AppData\Roaming\.#\MBX@FFC@1582768.###
c:\users\Thomas\AppData\Roaming\.#\MBX@FFC@1582798.###
c:\windows\security\Database\tmp.edb
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))))))))))))))))))))))))
.
.
2011-06-21 05:34 . 2011-06-21 05:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-20 11:05 . 2011-05-24 09:12 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13092EAC-740E-46C5-890E-D7E699B1ADE4}\mpengine.dll
2011-06-19 09:34 . 2011-06-20 08:46 -------- d-----w- c:\windows\system32\MpEngineStore
2011-06-19 07:09 . 2011-06-19 07:09 -------- d-----w- c:\users\Thomas\AppData\Roaming\Intel
2011-06-15 07:05 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 07:05 . 2011-04-30 06:09 758784 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 07:05 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 07:05 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 07:05 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 07:03 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-28 23:11 . 2010-11-23 12:44 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-24 09:14 . 2009-10-02 16:12 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 417792]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-29 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-29 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-29 133912]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 4399104]
"NDSTray.exe"="NDSTray.exe" [BU]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-03-23 538744]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-03-21 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-27 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-28 1047656]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2009-08-25 562456]
"WatcherHelper"="c:\program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe" [2009-08-26 62744]
"Skytel"="Skytel.exe" [2007-03-13 1822720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-28 1047656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
My Place.lnk - c:\program files\Telstra\Telstra Turbo Connection Manager\welcome.exe [2009-8-31 4547944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-28 39984]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2009-07-22 197504]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\DRIVERS\swumxa3.sys [2009-07-22 148992]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/homepage/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-{3F837810-2DC6-11D9-6784-1843DF7018BE} - c:\league manager\Uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-06-21 15:35
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????????\p??(?>?P?>???>???>???
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-06-21 15:41:37
ComboFix-quarantined-files.txt 2011-06-21 05:41
.
Pre-Run: 92,207,267,840 bytes free
Post-Run: 93,728,055,296 bytes free
.
- - End Of File - - 267170DE5D99F526D57D44FAF73DC1F4