Total Vista Security and Antivirus Plus are killing me!

Hi Dragonmaster,
I don't want to jinx anything, but it would appear that combofix was successful. Here's the log:

ComboFix 10-04-04.01 - John 04/05/2010 1:47.4.2 - x86 NETWORK
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.2519.1926 [GMT -7:00]
Running from: c:\users\John\Desktop\commy.exe
Command switches used :: /killall
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *disabled* (Outdated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1419061039-1915680080-1251473730-500
c:\program files\Adobe\1299942462.old
c:\program files\Adobe\2915299.old
c:\program files\Adobe\317025.old
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
c:\users\John\AppData\Local\av.exe
c:\users\John\AppData\Local\ave.exe
c:\users\John\AppData\Roaming\avp.ico
c:\windows\system32\app_dll.dll
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\ayemgy.sys
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\joyapate.dll
c:\windows\system32\kahijoye.exe
c:\windows\system32\kayukore.exe
c:\windows\system32\kojofaba.exe
c:\windows\system32\lipewedi.exe
c:\windows\system32\msapps\comsrvr.exe
c:\windows\system32\mupigijo.dll
c:\windows\system32\nilujete.dll
c:\windows\system32\nuyakete.dll
c:\windows\system32\pebehiti.dll
c:\windows\system32\pemivubu.dll
c:\windows\system32\rigebevu.dll
c:\windows\system32\risowupa.dll
c:\windows\system32\rukabipe.dll
c:\windows\system32\seagate.sys
c:\windows\system32\spool\prtprocs\w32x86\000019c6.tmp
c:\windows\system32\spool\prtprocs\w32x86\00003ca7.tmp
c:\windows\system32\spool\prtprocs\w32x86\00003cf2.tmp
c:\windows\system32\spool\prtprocs\w32x86\00007d5b.tmp
c:\windows\system32\tesawuzo.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\tojedela.exe
c:\windows\system32\tpshocks .exe
c:\windows\system32\uyjudh0bkp.dll
c:\windows\system32\yakituro.dll
c:\windows\system32\yevilido.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Q:\AUTORUN.INF
S:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SEAGATE
-------\Service_seagate
-------\Legacy_ayemgy
-------\Service_ayemgy
-------\Service_COMServer


((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 08:55 . 2010-04-05 08:58 -------- d-----w- c:\users\John\AppData\Local\temp
2010-04-05 08:55 . 2010-04-05 08:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-05 08:41 . 2010-04-05 08:45 -------- d-----w- C:\32788R22FWJFW
2010-04-03 08:51 . 2010-04-03 08:51 -------- d-----w- C:\A
2010-04-02 16:06 . 2010-04-02 16:06 4 ----a-w- c:\program files\2676150.dat
2010-04-02 15:20 . 2010-04-02 15:20 -------- d-----w- c:\program files\WhoCrashed
2010-04-02 15:10 . 2010-04-02 16:06 27648 ----a-w- c:\windows\system32\tpshocks.exe
2010-04-02 15:03 . 2010-04-02 15:03 4 ----a-w- c:\program files\104193.dat
2010-03-25 16:12 . 2010-03-25 16:12 -------- d-----w- C:\_OTL
2010-03-24 23:01 . 2010-03-24 23:01 27648 ----a-w- c:\windows\tsnp2uvc.exe
2010-03-24 17:48 . 2010-03-24 17:57 -------- d-----w- c:\program files\Mbytes
2010-03-24 17:47 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 17:47 . 2010-03-24 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 17:47 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 17:45 . 2010-03-24 17:45 -------- d-----w- c:\program files\CCleaner
2010-03-24 16:35 . 2010-03-24 21:12 203776 --sha-w- c:\users\John\AppData\Local\128822158.dll
2010-03-24 10:06 . 2010-04-05 08:55 -------- d-----w- c:\windows\system32\msapps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-03 08:53 . 2009-07-04 09:17 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-03 08:28 . 2009-07-09 22:30 2032 ----a-w- c:\users\John\AppData\Local\d3d9caps.dat
2010-04-02 16:06 . 2009-07-04 09:35 -------- d-----w- c:\program files\Lenovo Fingerprint Software
2010-04-02 15:26 . 2009-08-13 02:47 -------- d-----w- c:\program files\iTunes
2010-04-02 15:26 . 2009-07-06 20:34 -------- d-----w- c:\program files\QuickTime
2010-04-02 15:26 . 2009-07-04 09:29 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-04-02 15:26 . 2009-07-04 09:29 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-04-02 15:26 . 2009-07-04 09:29 27648 ----a-w- c:\windows\system32\igfxtray.exe
2010-04-02 15:26 . 2009-07-14 20:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-24 14:57 . 2010-01-20 19:40 -------- d-----w- c:\program files\uTorrent
2010-03-24 12:37 . 2010-01-20 19:40 -------- d-----w- c:\users\John\AppData\Roaming\uTorrent
2010-03-16 02:37 . 2009-11-25 09:56 -------- d-----w- c:\program files\PC-Doctor
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\programdata\Roxio
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Roxio
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-03-10 21:26 . 2009-07-06 22:01 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-03-10 21:22 . 2009-09-12 01:57 -------- d-----w- c:\program files\Binary News Reaper
2010-03-09 09:11 . 2009-07-06 19:23 135128 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-09 09:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\users\John\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-02-01 22:44 . 2010-02-01 22:44 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-01 19:52 . 2010-02-05 10:20 15424 ----a-w- c:\programdata\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT2\LTTCheck.exe
2010-01-25 12:48 . 2010-02-24 07:54 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-24 07:54 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-24 07:54 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-24 07:54 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-24 07:54 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-24 07:54 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-24 07:54 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-24 07:54 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-24 07:54 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-24 07:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-15 18:13 . 2010-01-15 18:13 218864 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-15 17:18 . 2010-01-15 17:18 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-06 11:12 . 2010-01-31 18:59 24304 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
2010-01-06 11:12 . 2009-07-04 09:50 382312 ------w- c:\windows\PWMBTHLV.EXE
2010-01-06 11:12 . 2009-07-04 09:50 11552 ------w- c:\windows\system32\drivers\TPPWR32V.SYS
1601-01-01 00:03 . 1601-01-01 00:03 70144 --sha-w- c:\windows\System32\bamezafu.dll
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\System32\dobazusi.dll
1601-01-01 00:03 . 1601-01-01 00:03 70144 --sha-w- c:\windows\System32\fafakaza.dll
2010-01-02 15:03 . 2010-01-02 15:03 96256 --sha-w- c:\windows\System32\gahejeyu.dll
1601-01-01 00:03 . 1601-01-01 00:03 83456 --sha-w- c:\windows\System32\gahejeyu.exe
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\System32\gamibefe.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\System32\halulohi.dll
2010-01-02 16:03 . 2010-01-02 16:03 42496 --sha-w- c:\windows\System32\hayaheta.dll
1601-01-01 00:03 . 1601-01-01 00:03 95744 --sha-w- c:\windows\System32\henijuve.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\System32\hovolile.dll
2010-01-02 15:03 . 2010-01-02 15:03 42496 --sha-w- c:\windows\System32\hujepaka.dll
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\System32\jelasisa.dll
2010-01-03 07:46 . 2010-01-03 07:46 42496 --sha-w- c:\windows\System32\kevidobi.dll
2010-01-02 16:03 . 2010-01-02 16:03 82944 --sha-w- c:\windows\System32\kunozole.exe
1601-01-01 00:03 . 1601-01-01 00:03 46080 --sha-w- c:\windows\System32\nozuzito.dll
2010-01-02 17:03 . 2010-01-02 17:03 42496 --sha-w- c:\windows\System32\pafikiwu.dll
1601-01-01 00:03 . 1601-01-01 00:03 95744 --sha-w- c:\windows\System32\pehuraba.dll
1601-01-01 00:03 . 1601-01-01 00:03 95744 --sha-w- c:\windows\System32\poroyoju.dll
2010-01-03 08:46 . 2010-01-03 08:46 42496 --sha-w- c:\windows\System32\pubinibu.dll
2010-01-02 00:49 . 2010-01-02 00:49 28672 --sha-w- c:\windows\System32\rivesogo.dll
2010-01-02 16:03 . 2010-01-02 16:03 96256 --sha-w- c:\windows\System32\sekoseye.dll
2010-01-01 16:20 . 2010-01-01 16:20 31744 --sha-w- c:\windows\System32\sizesare.dll
1601-01-01 00:03 . 1601-01-01 00:03 82944 --sha-w- c:\windows\System32\sosagatu.exe
2010-01-02 00:49 . 2010-01-02 00:49 42496 --sha-w- c:\windows\System32\tajokigu.dll
1601-01-01 00:03 . 1601-01-01 00:03 201728 --sha-w- c:\windows\System32\tesifoti.exe
2010-01-01 16:20 . 2010-01-01 16:20 42496 --sha-w- c:\windows\System32\toteduba.dll
1601-01-01 00:03 . 1601-01-01 00:03 6144 --sha-w- c:\windows\System32\vohelipe.dll
2010-01-02 15:03 . 2010-01-02 15:03 82944 --sha-w- c:\windows\System32\yaponema.exe
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\System32\yasijote.dll
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\System32\yofamoyu.dll
2009-07-04 08:57 . 2009-07-04 08:55 8192 --sh--w- c:\windows\Users\Default\NTUSER.DAT
.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-02 27648]
"Google Update"="c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-02 27648]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2010-04-02 27648]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-04-02 27648]
"TpShocks"="TpShocks.exe" [2010-04-02 27648]
"tsnp2uvc"="c:\windows\tsnp2uvc.exe" [2010-03-24 27648]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-19 1434920]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2010-04-02 27648]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2010-04-02 27648]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2010-04-02 27648]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2010-04-02 27648]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-01-06 869736]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2010-01-06 214576]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2010-04-02 27648]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-04-02 27648]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2010-04-02 27648]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2010-04-02 27648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-02 27648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-02 27648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-02 27648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-02 27648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-02 27648]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2010-04-02 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-02 27648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-04-02 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-02 27648]
"kidewukaru"="yamisepa.dll" [N/A]
"wufayaveh"="c:\windows\system32\lihawefi.dll" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
""="" [N/A]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-7-4 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2009-07-14 19:40 75064 ------w- c:\program files\Citrix\GoToAssist Express Customer\177\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AntiVirus Plus.lnk
backup=c:\windows\pss\AntiVirus Plus.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AntiVirus Plus.lnk
backup=c:\windows\pss\AntiVirus Plus.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 15:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirus Plus]
c:\users\John\AppData\Roaming\AntiVirus Plus\AntiVirus Plus.55532.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsa8ffushf83hoigjhs98jgijg9sd8e]
c:\users\John\appdata\local\temp\w51he5h6lc .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
c:\users\John\AppData\Local\Temp\win32.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-02-27 13:40 1202448 ------w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-02 15:26 27648 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-24 15:02 27648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WordPerfect Office 1215]
2010-03-24 17:02 27648 ----a-w- c:\program files\WordPerfect Office 12\Programs\registration .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wufayaveh]
c:\windows\system32\lihawefi.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]
c:\users\John\appdata\local\temp\pdp .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-03-19 1680632]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-03-19 106496]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2009-04-01 4172288]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2009-04-01 88576]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-03-20 482176]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1419061039-1915680080-1251473730-1003Core.job
- c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 16:05]

2010-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1419061039-1915680080-1251473730-1003UA.job
- c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 16:05]

2010-03-19 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdlauncher.exe [2009-11-20 10:12]

2010-03-24 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2010-02-18 00:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\gz7jgimt.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\John\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\John\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{6d792e9e-f4e0-41d6-8455-cf11104e3f3d} - pebehiti.dll
SharedTaskScheduler-{8bf43728-1c39-40de-bca6-eb599b0be168} - c:\windows\system32\lihawefi.dll
SSODL-kulofiwiv-{8bf43728-1c39-40de-bca6-eb599b0be168} - c:\windows\system32\lihawefi.dll
SafeBoot-Symantec Antvirus
AddRemove-HijackThis - c:\users\John\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 01:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys >>UNKNOWN [0x879C68C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x893ca322
\Driver\ACPI -> acpi.sys @ 0x80696d4c
\Driver\atapi -> ataport.SYS @ 0x805aaa14
\Driver\iaStor -> iaStor.sys @ 0x807660ac
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
copy of MBR has been found in sector 1 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,ee,cb,61,e1,3d,66,49,be,00,b7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,ee,cb,61,e1,3d,66,49,be,00,b7,\

[HKEY_USERS\S-1-5-21-1419061039-1915680080-1251473730-1003\Software\SecuROM\License information*]
"datasecu"=hex:b9,4e,26,92,2e,dd,e7,30,28,1a,24,e4,7a,11,f6,77,22,99,41,3b,32,
c4,ef,d9,e3,6b,0c,0b,a1,e4,f4,82,02,e3,e9,76,9e,cb,82,ec,3a,a0,1d,98,a7,13,\
"rkeysecu"=hex:4e,69,3d,c5,d4,a0,7e,91,01,a3,18,1c,98,7a,04,49

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(776)
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\Taskmgr.exe
c:\windows\helppane.exe
.
**************************************************************************
.
Completion time: 2010-04-05 02:05:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 09:05

Pre-Run: 28,265,226,240 bytes free
Post-Run: 27,925,299,200 bytes free

- - End Of File - - 2B4F55684CF021AAB1F9359D9DBBC660

1. ComboFix re-run

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Open notepad and copy/paste the text in the box below into it:
  
  

  Code:

  killall::

Files::
c:\users\John\AppData\Local\128822158.dll
c:\windows\System32\bamezafu.dll
c:\windows\System32\dobazusi.dll
c:\windows\System32\fafakaza.dll
c:\windows\System32\gahejeyu.dll
c:\windows\System32\gahejeyu.exe
c:\windows\System32\gamibefe.dll
c:\windows\System32\halulohi.dll
c:\windows\System32\hayaheta.dll
c:\windows\System32\henijuve.dll
c:\windows\System32\hovolile.dll
c:\windows\System32\hujepaka.dll
c:\windows\System32\jelasisa.dll
c:\windows\System32\kevidobi.dll
c:\windows\System32\kunozole.exe
c:\windows\System32\nozuzito.dll
c:\windows\System32\pafikiwu.dll
c:\windows\System32\pehuraba.dll
c:\windows\System32\poroyoju.dll
c:\windows\System32\pubinibu.dll
c:\windows\System32\rivesogo.dll
c:\windows\System32\sekoseye.dll
c:\windows\System32\sizesare.dll
c:\windows\System32\sosagatu.exe
c:\windows\System32\tajokigu.dll
c:\windows\System32\tesifoti.exe
c:\windows\System32\toteduba.dll
c:\windows\System32\vohelipe.dll
c:\windows\System32\yaponema.exe
c:\windows\System32\yasijote.dll
c:\windows\System32\yofamoyu.dll
c:\users\John\appdata\local\temp\w51he5h6lc .exe
c:\users\John\AppData\Local\Temp\win32.exe
c:\users\John\appdata\local\temp\pdp .exe
c:\windows\system32\lihawefi.dll

RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CONEXANT\SAII\saiicpl .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Lenovo\Client Security Solution\cssauth .exe
c:\program files\Lenovo\Message Center Plus\mcplaunch .exe
c:\program files\Lenovo\Mobile Broadband Connect\usershortcutcreator .exe
c:\program files\Lenovo\NPDIRECT\tpfnf7sp .exe
c:\program files\Lenovo Fingerprint Software\fpapp .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ThinkPad\ConnectUtilities\actray .exe
c:\program files\ThinkPad\ConnectUtilities\acwlicon .exe
c:\program files\ThinkPad\Utilities\ezejmnap .exe
c:\program files\ThinkPad\Utilities\tpkmapap .exe
c:\program files\ThinkVantage\PrdCtr\lpmgr .exe
c:\program files\ThinkVantage\PrdCtr\lpmlchk .exe
c:\program files\WordPerfect Office 12\Programs\registration  .exe
c:\program files\WordPerfect Office 12\Programs\registration .exe

DirLook::
C:\A

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"kidewukaru"=-
"wufayaveh"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirus Plus]
[-HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
[-HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsa8ffushf83hoigjhs98jgijg9sd8e]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wufayaveh]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]

MBR::

Reboot::
  
  
  
• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
  
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

2. Online Scan

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

3. Post logs

Make sure to post these logs for my review:

• ComboFix log
  
• ESET Scan log

Also, let me know how your computer is running.

Thanks!

Hey there,
I'm running the online scan now, but in the interim, here's the Combofix log:

ComboFix 10-04-04.01 - John 04/05/2010 10:12:22.5.2 - x86 NETWORK
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.2519.2070 [GMT -7:00]
Running from: c:\users\John\Desktop\Commy.exe
Command switches used :: c:\users\John\Desktop\CFscript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *disabled* (Outdated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 17:19 . 2010-04-05 17:24 -------- d-----w- c:\users\John\AppData\Local\temp
2010-04-05 17:19 . 2010-04-05 17:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-05 17:19 . 2010-04-05 17:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-05 17:05 . 2010-04-05 17:08 -------- d-----w- C:\32788R22FWJFW
2010-04-03 08:51 . 2010-04-03 08:51 -------- d-----w- C:\A
2010-04-02 16:06 . 2010-04-02 16:06 4 ----a-w- c:\program files\2676150.dat
2010-04-02 15:20 . 2010-04-02 15:20 -------- d-----w- c:\program files\WhoCrashed
2010-04-02 15:10 . 2010-04-02 16:06 27648 ----a-w- c:\windows\system32\tpshocks.exe
2010-04-02 15:03 . 2010-04-02 15:03 4 ----a-w- c:\program files\104193.dat
2010-03-25 16:12 . 2010-03-25 16:12 -------- d-----w- C:\_OTL
2010-03-24 23:01 . 2010-03-24 23:01 27648 ----a-w- c:\windows\tsnp2uvc.exe
2010-03-24 17:48 . 2010-03-24 17:57 -------- d-----w- c:\program files\Mbytes
2010-03-24 17:47 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 17:47 . 2010-03-24 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 17:47 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 17:45 . 2010-03-24 17:45 -------- d-----w- c:\program files\CCleaner
2010-03-24 16:35 . 2010-03-24 21:12 203776 --sha-w- c:\users\John\AppData\Local\128822158.dll
2010-03-24 10:06 . 2010-04-05 08:55 -------- d-----w- c:\windows\system32\msapps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 17:22 . 2009-07-04 09:17 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-05 17:11 . 2009-07-06 20:34 -------- d-----w- c:\program files\QuickTime
2010-04-05 17:11 . 2009-08-13 02:47 -------- d-----w- c:\program files\iTunes
2010-04-05 17:11 . 2009-07-04 09:35 -------- d-----w- c:\program files\Lenovo Fingerprint Software
2010-04-05 17:11 . 2009-07-14 20:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-03 08:28 . 2009-07-09 22:30 2032 ----a-w- c:\users\John\AppData\Local\d3d9caps.dat
2010-04-02 15:26 . 2009-07-04 09:29 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-04-02 15:26 . 2009-07-04 09:29 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-04-02 15:26 . 2009-07-04 09:29 27648 ----a-w- c:\windows\system32\igfxtray.exe
2010-03-24 14:57 . 2010-01-20 19:40 -------- d-----w- c:\program files\uTorrent
2010-03-24 12:37 . 2010-01-20 19:40 -------- d-----w- c:\users\John\AppData\Roaming\uTorrent
2010-03-16 02:37 . 2009-11-25 09:56 -------- d-----w- c:\program files\PC-Doctor
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\programdata\Roxio
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Roxio
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-03-10 21:26 . 2009-07-06 22:01 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-03-10 21:22 . 2009-09-12 01:57 -------- d-----w- c:\program files\Binary News Reaper
2010-03-09 09:11 . 2009-07-06 19:23 135128 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-09 09:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\users\John\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-02-01 22:44 . 2010-02-01 22:44 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-01 19:52 . 2010-02-05 10:20 15424 ----a-w- c:\programdata\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT2\LTTCheck.exe
2010-01-25 12:48 . 2010-02-24 07:54 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-24 07:54 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-24 07:54 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-24 07:54 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-24 07:54 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-24 07:54 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-24 07:54 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-24 07:54 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-24 07:54 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-24 07:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-15 18:13 . 2010-01-15 18:13 218864 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-15 17:18 . 2010-01-15 17:18 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-06 11:12 . 2010-01-31 18:59 24304 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
2010-01-06 11:12 . 2009-07-04 09:50 382312 ------w- c:\windows\PWMBTHLV.EXE
2010-01-06 11:12 . 2009-07-04 09:50 11552 ------w- c:\windows\system32\drivers\TPPWR32V.SYS
1601-01-01 00:03 . 1601-01-01 00:03 70144 --sha-w- c:\windows\System32\bamezafu.dll
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\System32\dobazusi.dll
1601-01-01 00:03 . 1601-01-01 00:03 70144 --sha-w- c:\windows\System32\fafakaza.dll
2010-01-02 15:03 . 2010-01-02 15:03 96256 --sha-w- c:\windows\System32\gahejeyu.dll
1601-01-01 00:03 . 1601-01-01 00:03 83456 --sha-w- c:\windows\System32\gahejeyu.exe
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\System32\gamibefe.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\System32\halulohi.dll
2010-01-02 16:03 . 2010-01-02 16:03 42496 --sha-w- c:\windows\System32\hayaheta.dll
1601-01-01 00:03 . 1601-01-01 00:03 95744 --sha-w- c:\windows\System32\henijuve.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\System32\hovolile.dll
2010-01-02 15:03 . 2010-01-02 15:03 42496 --sha-w- c:\windows\System32\hujepaka.dll
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\System32\jelasisa.dll
2010-01-03 07:46 . 2010-01-03 07:46 42496 --sha-w- c:\windows\System32\kevidobi.dll
2010-01-02 16:03 . 2010-01-02 16:03 82944 --sha-w- c:\windows\System32\kunozole.exe
1601-01-01 00:03 . 1601-01-01 00:03 46080 --sha-w- c:\windows\System32\nozuzito.dll
2010-01-02 17:03 . 2010-01-02 17:03 42496 --sha-w- c:\windows\System32\pafikiwu.dll
1601-01-01 00:03 . 1601-01-01 00:03 95744 --sha-w- c:\windows\System32\pehuraba.dll
1601-01-01 00:03 . 1601-01-01 00:03 95744 --sha-w- c:\windows\System32\poroyoju.dll
2010-01-03 08:46 . 2010-01-03 08:46 42496 --sha-w- c:\windows\System32\pubinibu.dll
2010-01-02 00:49 . 2010-01-02 00:49 28672 --sha-w- c:\windows\System32\rivesogo.dll
2010-01-02 16:03 . 2010-01-02 16:03 96256 --sha-w- c:\windows\System32\sekoseye.dll
2010-01-01 16:20 . 2010-01-01 16:20 31744 --sha-w- c:\windows\System32\sizesare.dll
1601-01-01 00:03 . 1601-01-01 00:03 82944 --sha-w- c:\windows\System32\sosagatu.exe
2010-01-02 00:49 . 2010-01-02 00:49 42496 --sha-w- c:\windows\System32\tajokigu.dll
1601-01-01 00:03 . 1601-01-01 00:03 201728 --sha-w- c:\windows\System32\tesifoti.exe
2010-01-01 16:20 . 2010-01-01 16:20 42496 --sha-w- c:\windows\System32\toteduba.dll
1601-01-01 00:03 . 1601-01-01 00:03 6144 --sha-w- c:\windows\System32\vohelipe.dll
2010-01-02 15:03 . 2010-01-02 15:03 82944 --sha-w- c:\windows\System32\yaponema.exe
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\System32\yasijote.dll
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\System32\yofamoyu.dll
2009-07-04 08:57 . 2009-07-04 08:55 8192 --sh--w- c:\windows\Users\Default\NTUSER.DAT
.


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\A ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Google Update"="c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-02 27648]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-07 256576]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-05-28 61728]
"TpShocks"="TpShocks.exe" [2010-04-02 27648]
"tsnp2uvc"="c:\windows\tsnp2uvc.exe" [2010-03-24 27648]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-19 1434920]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-01-28 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-01-28 124248]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-01-06 869736]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2010-01-06 214576]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-05-15 40960]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-12-11 435560]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2009-12-11 181608]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-20 115560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-02 27648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-02 27648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-02 27648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-02-27 992816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
""="" [N/A]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-7-4 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2009-07-14 19:40 75064 ------w- c:\program files\Citrix\GoToAssist Express Customer\177\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 15:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-02-27 13:40 1202448 ------w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-24 16:42 27648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WordPerfect Office 1215]
c:\program files\wordperfect office 12\programs\registration .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-03-19 1680632]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2010-01-06 132456]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-03-19 98304]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-03-30 45424]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-01-06 75112]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-04-02 62320]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-02-12 2058776]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-03-19 106496]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2009-04-01 4172288]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2009-04-01 88576]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-03-20 482176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-02-27 29736]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-03-20 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-10-29 102448]
R3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\177\g2ax_service.exe Start=service [x]
R3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd32.sys [2009-04-01 2473472]
R3 MUXP;My WiFi PAN Mux-IM Protocol Driver;c:\windows\system32\DRIVERS\mux.sys [2009-02-18 30768]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2009-02-27 211216]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]
R4 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2010-01-06 24304]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-01-29 20520]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-03-27 221824]
S3 MUXMP;My WiFi PAN MUX-IM Virtual Miniport Driver;c:\windows\system32\DRIVERS\mux.sys [2009-02-18 30768]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-03-04 4232704]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1419061039-1915680080-1251473730-1003Core.job
- c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 16:05]

2010-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1419061039-1915680080-1251473730-1003UA.job
- c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 16:05]

2010-03-19 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdlauncher.exe [2009-11-20 10:12]

2010-03-24 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2010-02-18 00:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\gz7jgimt.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\John\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\John\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 10:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,ee,cb,61,e1,3d,66,49,be,00,b7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,ee,cb,61,e1,3d,66,49,be,00,b7,\

[HKEY_USERS\S-1-5-21-1419061039-1915680080-1251473730-1003\Software\SecuROM\License information*]
"datasecu"=hex:b9,4e,26,92,2e,dd,e7,30,28,1a,24,e4,7a,11,f6,77,22,99,41,3b,32,
c4,ef,d9,e3,6b,0c,0b,a1,e4,f4,82,02,e3,e9,76,9e,cb,82,ec,3a,a0,1d,98,a7,13,\
"rkeysecu"=hex:4e,69,3d,c5,d4,a0,7e,91,01,a3,18,1c,98,7a,04,49

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(152)
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2010-04-05 10:30:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 17:30
ComboFix2.txt 2010-04-05 09:05

Pre-Run: 28,012,945,408 bytes free
Post-Run: 27,928,064,000 bytes free

- - End Of File - - 14F4534B678E5C6F03D1CD2C5600FE32

Hi Dragonmaster,
Just so you know, ESET has finished scanning. It found 66 threats, all of which it deleted off the computer. However, without thinking I chose to uninstall the program upon closing, which deleted the log file. :sad: I'm running the scan again now, and will post the results when I'm done.

Hi there,
Here's the log from eset:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - delete file error:Access is denied.

OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.

OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2b0294d4d303e54587e499765c21481c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-06 12:29:49
# local_time=2010-04-05 05:29:49 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776638 100 100 22114347 107115949 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=158312
# found=0
# cleaned=0
# scan_time=5368

As you can see, it looks like the infections are gone! However, I'm still hesitant to run the computer in normal mode (I've been in safe mode) because of what happened last time I ran it in normal--the infections reinstalled themselves. What do you think, is it safe? Or perhaps should I just upgrade to Win7 right now, without even risking normal mode?

Thanks again for all of your help.

They are not gone. Please re-run that CFScript.

Here's the Combofix log:

ComboFix 10-04-05.05 - John 04/06/2010 2:57.6.2 - x86 NETWORK
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.2519.1667 [GMT -7:00]
Running from: c:\users\John\Desktop\Commy.exe
Command switches used :: c:\users\John\Desktop\CFscript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *disabled* (Outdated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-06 10:03 . 2010-04-06 10:07 -------- d-----w- c:\users\John\AppData\Local\temp
2010-04-06 10:03 . 2010-04-06 10:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-06 10:03 . 2010-04-06 10:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-06 09:49 . 2010-04-06 09:54 -------- d-----w- C:\32788R22FWJFW
2010-04-05 17:35 . 2010-04-05 17:35 -------- d-----w- c:\program files\ESET
2010-04-03 08:51 . 2010-04-03 08:51 -------- d-----w- C:\A
2010-04-02 16:06 . 2010-04-02 16:06 4 ----a-w- c:\program files\2676150.dat
2010-04-02 15:20 . 2010-04-02 15:20 -------- d-----w- c:\program files\WhoCrashed
2010-04-02 15:03 . 2010-04-02 15:03 4 ----a-w- c:\program files\104193.dat
2010-03-25 16:12 . 2010-03-25 16:12 -------- d-----w- C:\_OTL
2010-03-24 17:48 . 2010-03-24 17:57 -------- d-----w- c:\program files\Mbytes
2010-03-24 17:47 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 17:47 . 2010-03-24 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 17:47 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 17:45 . 2010-03-24 17:45 -------- d-----w- c:\program files\CCleaner
2010-03-24 10:06 . 2010-04-05 08:55 -------- d-----w- c:\windows\system32\msapps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 10:05 . 2009-07-04 09:17 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-06 03:01 . 2009-07-09 22:30 2032 ----a-w- c:\users\John\AppData\Local\d3d9caps.dat
2010-04-05 17:59 . 2009-07-06 20:34 -------- d-----w- c:\program files\QuickTime
2010-04-05 17:53 . 2009-07-04 09:35 -------- d-----w- c:\program files\Lenovo Fingerprint Software
2010-04-05 17:11 . 2009-08-13 02:47 -------- d-----w- c:\program files\iTunes
2010-04-05 17:11 . 2009-07-14 20:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-24 14:57 . 2010-01-20 19:40 -------- d-----w- c:\program files\uTorrent
2010-03-24 12:37 . 2010-01-20 19:40 -------- d-----w- c:\users\John\AppData\Roaming\uTorrent
2010-03-16 02:37 . 2009-11-25 09:56 -------- d-----w- c:\program files\PC-Doctor
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\programdata\Roxio
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Roxio
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-03-10 21:30 . 2009-07-04 09:41 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-03-10 21:26 . 2009-07-06 22:01 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-03-10 21:22 . 2009-09-12 01:57 -------- d-----w- c:\program files\Binary News Reaper
2010-03-09 09:11 . 2009-07-06 19:23 135128 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-09 09:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\users\John\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-02-01 22:44 . 2010-02-01 22:44 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-01 19:52 . 2010-02-05 10:20 15424 ----a-w- c:\programdata\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT2\LTTCheck.exe
2010-01-25 12:48 . 2010-02-24 07:54 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-24 07:54 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-24 07:54 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-24 07:54 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-24 07:54 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-24 07:54 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-24 07:54 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-24 07:54 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-24 07:54 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-24 07:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-15 18:13 . 2010-01-15 18:13 218864 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-15 17:18 . 2010-01-15 17:18 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-06 11:12 . 2010-01-31 18:59 24304 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
2010-01-06 11:12 . 2009-07-04 09:50 382312 ------w- c:\windows\PWMBTHLV.EXE
2010-01-06 11:12 . 2009-07-04 09:50 11552 ------w- c:\windows\system32\drivers\TPPWR32V.SYS
2010-01-02 15:03 . 2010-01-02 15:03 96256 --sha-w- c:\windows\System32\gahejeyu.dll
2010-01-02 16:03 . 2010-01-02 16:03 42496 --sha-w- c:\windows\System32\hayaheta.dll
2010-01-02 15:03 . 2010-01-02 15:03 42496 --sha-w- c:\windows\System32\hujepaka.dll
2010-01-03 07:46 . 2010-01-03 07:46 42496 --sha-w- c:\windows\System32\kevidobi.dll
1601-01-01 00:03 . 1601-01-01 00:03 46080 --sha-w- c:\windows\System32\nozuzito.dll
2010-01-02 17:03 . 2010-01-02 17:03 42496 --sha-w- c:\windows\System32\pafikiwu.dll
2010-01-03 08:46 . 2010-01-03 08:46 42496 --sha-w- c:\windows\System32\pubinibu.dll
2010-01-02 00:49 . 2010-01-02 00:49 28672 --sha-w- c:\windows\System32\rivesogo.dll
2010-01-02 16:03 . 2010-01-02 16:03 96256 --sha-w- c:\windows\System32\sekoseye.dll
2010-01-01 16:20 . 2010-01-01 16:20 31744 --sha-w- c:\windows\System32\sizesare.dll
2010-01-01 16:20 . 2010-01-01 16:20 42496 --sha-w- c:\windows\System32\toteduba.dll
1601-01-01 00:03 . 1601-01-01 00:03 6144 --sha-w- c:\windows\System32\vohelipe.dll
2009-07-04 08:57 . 2009-07-04 08:55 8192 --sh--w- c:\windows\Users\Default\NTUSER.DAT
.


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\A ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-07 256576]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-05-28 61728]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-19 1434920]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-01-28 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-01-28 124248]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-01-06 869736]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2010-01-06 214576]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-05-15 40960]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-12-11 435560]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2009-12-11 181608]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-20 115560]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-02-27 992816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
""="" [N/A]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-7-4 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2009-07-14 19:40 75064 ------w- c:\program files\Citrix\GoToAssist Express Customer\177\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 15:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-02-27 13:40 1202448 ------w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WordPerfect Office 1215]
c:\program files\wordperfect office 12\programs\registration .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-03-19 1680632]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2010-01-06 132456]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-03-19 98304]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-03-30 45424]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-01-06 75112]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-04-02 62320]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-02-12 2058776]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-03-19 106496]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2009-04-01 4172288]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2009-04-01 88576]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-03-20 482176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-02-27 29736]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-03-20 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-10-29 102448]
R3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\177\g2ax_service.exe Start=service [x]
R3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd32.sys [2009-04-01 2473472]
R3 MUXP;My WiFi PAN Mux-IM Protocol Driver;c:\windows\system32\DRIVERS\mux.sys [2009-02-18 30768]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2009-02-27 211216]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]
R4 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2010-01-06 24304]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-01-29 20520]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-03-27 221824]
S3 MUXMP;My WiFi PAN MUX-IM Virtual Miniport Driver;c:\windows\system32\DRIVERS\mux.sys [2009-02-18 30768]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-03-04 4232704]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2010-03-19 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdlauncher.exe [2009-11-20 10:12]

2010-03-24 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2010-02-18 00:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\gz7jgimt.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\John\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\John\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 03:08
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\John\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys >>UNKNOWN [0x877A18C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x891d2322
\Driver\ACPI -> acpi.sys @ 0x8069dd4c
\Driver\atapi -> ataport.SYS @ 0x828eca14
\Driver\iaStor -> iaStor.sys @ 0x8284f0ac
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
copy of MBR has been found in sector 1 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,ee,cb,61,e1,3d,66,49,be,00,b7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,ee,cb,61,e1,3d,66,49,be,00,b7,\

[HKEY_USERS\S-1-5-21-1419061039-1915680080-1251473730-1003\Software\SecuROM\License information*]
"datasecu"=hex:b9,4e,26,92,2e,dd,e7,30,28,1a,24,e4,7a,11,f6,77,22,99,41,3b,32,
c4,ef,d9,e3,6b,0c,0b,a1,e4,f4,82,02,e3,e9,76,9e,cb,82,ec,3a,a0,1d,98,a7,13,\
"rkeysecu"=hex:4e,69,3d,c5,d4,a0,7e,91,01,a3,18,1c,98,7a,04,49

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(836)
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2010-04-06 03:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 10:13
ComboFix2.txt 2010-04-05 17:30
ComboFix3.txt 2010-04-05 09:05

Pre-Run: 27,812,536,320 bytes free
Post-Run: 27,801,346,048 bytes free

- - End Of File - - BC84501A5E9C31E6748955D59E1BE5CC

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

Hi Dragonmaster,
Here's the eset log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2b0294d4d303e54587e499765c21481c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-07 09:29:32
# local_time=2010-04-07 02:29:32 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776638 100 100 22232977 107234579 0 0
# compatibility_mode=8192 67108863 100 0 51703 51703 0 0
# scanned=158322
# found=0
# cleaned=0
# scan_time=5521

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.

• Right-click on mbr.exe and click Run as Administrator to start the program.
  
• When done scanning, it will save a log on the Desktop called mbr.log.
  
• Please post the contents of that log in your next reply.

Here's the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 1 !

Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and right-click on the result and click on Run as Administrator.)
Enter the following in to the black box, pressing enter after each line:



Post a log (MBR.log).

Here's the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 1 !

Do you think that the fact that I'm running this from safe mode has anything to do with this?

Not sure. Can Normal Mode boot now?

Sorry it took me so long to respond. I assume I can run in normal mode, but the last time I tried, the virus re-installed itself on my system (presumably because it was still alive and well in the registry). Is it safe to take a chance now, or are there some other things we should try first?

Go ahead and let me know how it works.

Well, I booted in normal mode, and the virus did not reinstall itself! Unfortunately, the mbr log is still the same. Do you think it's safe at this point to either 1) Upgrade to Win7, or 2)Reinstall Vista from the partition on the drive, and then immediately upgrade?

Eiter way, here's the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 1 !

Hold on.

Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and press enter])
Enter the following in to the black box, pressing enter after each line:



Post a log (MBR.log).

Unfortunately, those are exactly the steps I took. I just ran it again, and the log was the same. Is is safe to upgrade?

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 1 !

Go ahead.

Thanks a lot for your help, Dragonmaster! I really appreciate you taking the time!