Inactive Virus removal help needed

Quite a lot of entries were removed. Are you running better now?

Please run the following:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\Viewpoint\Common\ViewpointService.exe
Folder::
c:\documents and settings\Claire\Local Settings\Application Data\Sunbelt Software

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

Driver::
Viewpoint Manager Service

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\system32\userinit.exe
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Run the ESET NOD32 Online AntiVirus scan here: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===============================================
Consider the following: some entries were preloaded before the computer shipped. Others were added later and are being started by the Registry. Some, you may not use at all and others don't need to start on boot and run in the background:
Microsoft Works\wkssb.exe (2000)>> The Works Portfolio tool lets you collect and organize text and pictures from the Web or your favorite program
Microsoft Works\WkDetect.exe (2000) auto update checks
Microsoft Works\wkfud.exe (2000)>> A marketing program for MS Works
S3Tray2.exe (2002)>> S3 Video card task tray utility
TP4EX.exe (2002)>> Adds accessibility options for an IBM TrackPoint
Sonic\Update Manager\sgtray.exe (2003)
Canon\SolutionMenu\CNSLMAIN.EXE (added 2007)
YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe (added 2006)>> a memory management utility which frequently uses high resources.
GIGABYTE\GBTUpd\PreRun.exe (added 2008)>> auto-update

And the following Services are set to Automatic, but can be changed to Manual or Disabled.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IJPLMSVC"=2 (0x2)>> Canon Pixma Service
"GoogleDesktopManager-
"IDriverT"=3 (0x3)>> Program associated with InstallShield. This startup should only be created when software that uses InstallShield is being installed. If you are not in the middle of installing a program, you can disable this entry.
"gusvc" and "gupdate1c9967e6b8fdeaa"= >> Google and Google Toolbar updater
================================
My point about the above entries is that none of them need to start on boot. As for auto-updates, I don't recommend any except for antivirus, and also Windows if you choose.
 
Yes, the system is running much better. Almost as new. Here is the Combofix log. The Norton Antivirus program kept trying to run so I hope that it did not interrupt anything when I had to open it again and shut off any bit that was still on.

ComboFix 10-08-29.04 - Claire 08/30/2010 21:42:57.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.134 [GMT 2:00]
Running from: c:\documents and settings\Claire\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Claire\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point

FILE ::
"c:\program files\Viewpoint\Common\ViewpointService.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Claire\Local Settings\Application Data\Sunbelt Software
c:\program files\Viewpoint\Common\ViewpointService.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\System32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))
.

2010-08-29 09:38 . 2010-08-29 09:41 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-08-28 14:49 . 2010-08-28 14:52 -------- d-----w- c:\program files\QuickTime
2010-08-28 14:37 . 2010-08-28 14:40 -------- d-----w- c:\program files\iTunes
2010-08-28 14:37 . 2010-08-28 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-28 13:51 . 2010-08-28 13:52 -------- d-----w- c:\program files\Bonjour
2010-08-28 13:46 . 2010-08-28 13:46 -------- d-----w- c:\documents and settings\Claire\.java
2010-08-28 10:37 . 2010-08-28 10:37 -------- d-----w- c:\documents and settings\Claire\Application Data\Malwarebytes
2010-08-28 10:36 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-28 10:35 . 2010-08-28 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-28 10:35 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-28 10:35 . 2010-08-28 10:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 19:48 . 2010-08-16 19:48 -------- d-----w- c:\program files\Trend Micro
2010-08-15 23:27 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-15 20:04 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-15 20:04 . 2010-08-15 20:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-15 19:55 . 2010-08-15 19:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-13 19:54 . 2010-08-13 19:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-13 19:45 . 2010-08-13 19:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-13 19:32 . 2010-08-13 19:33 -------- d-----w- c:\documents and settings\Claire\Application Data\181E1E3F17457910F65DBD9D24359169

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-30 19:24 . 2009-07-05 16:12 -------- d-----w- c:\documents and settings\Claire\Application Data\Skype
2010-08-30 19:12 . 2009-07-05 16:23 -------- d-----w- c:\documents and settings\Claire\Application Data\skypePM
2010-08-29 11:52 . 2009-06-14 20:27 -------- d-----w- c:\documents and settings\Claire\Application Data\Apple Computer
2010-08-28 14:38 . 2009-06-14 20:24 -------- d-----w- c:\program files\iPod
2010-08-28 14:38 . 2009-06-14 20:04 -------- d-----w- c:\program files\Common Files\Apple
2010-08-28 13:27 . 2010-08-28 13:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-16 19:49 . 2010-08-16 19:49 388096 ----a-r- c:\documents and settings\Claire\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-15 19:53 . 2009-06-15 02:56 -------- d-----w- c:\program files\Lavasoft
2010-08-15 19:53 . 2009-06-15 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-03 18:53 . 2010-08-03 18:53 61440 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-729743f2-n\decora-sse.dll
2010-08-03 18:53 . 2010-08-03 18:53 503808 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6833b5d4-n\msvcp71.dll
2010-08-03 18:53 . 2010-08-03 18:53 499712 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6833b5d4-n\jmc.dll
2010-08-03 18:53 . 2010-08-03 18:53 348160 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6833b5d4-n\msvcr71.dll
2010-08-03 18:53 . 2010-08-03 18:53 12800 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-729743f2-n\decora-d3d.dll
2010-07-12 08:56 . 2010-08-15 19:55 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-06-30 12:31 . 1980-01-01 04:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 1980-01-01 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 1980-01-01 04:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 1980-01-01 04:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 1980-01-01 04:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2003-02-20 13:10 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 1980-01-01 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-11 14:51 . 2010-06-11 14:51 3055600 ----a-w- c:\documents and settings\Claire\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 14:36 . 2010-06-11 14:36 275952 ----a-w- c:\documents and settings\Claire\Application Data\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Google Update"="c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-25 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-30 118784]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-06 94208]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-06-25 36864]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-08-18 81920]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-30 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-14 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2004-08-18 07:30 258048 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-25 19:43 135664 ----atw- c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 13:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 03:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
2001-10-12 03:32 69632 ----a-w- c:\windows\system32\S3Tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
2002-09-04 05:05 53248 ----a-w- c:\windows\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Claire\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Claire\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/15/2010 10:04 PM 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/7/2010 1:13 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/7/2010 1:13 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/7/2010 1:11 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100827.001\IDSXpx86.sys [8/28/2010 3:34 AM 331640]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/14/2009 7:36 PM 16384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 10:55 AM 1355416]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/7/2010 1:12 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 10:00 AM 102448]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 6:00 AM 22568]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/15/2010 10:04 PM 15008]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [6/14/2009 7:34 PM 12288]
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 20:04]

2010-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-14 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2009-06-14 05:37]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308305695-2515139700-4276091907-1005Core.job
- c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-25 19:43]

2010-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308305695-2515139700-4276091907-1005UA.job
- c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-25 19:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.20/uploader2.cab
FF - ProfilePath - c:\documents and settings\Claire\Application Data\Mozilla\Firefox\Profiles\wf7v1w6y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoomail.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Claire\Application Data\Mozilla\Firefox\Profiles\wf7v1w6y.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Claire\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Claire\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-30 21:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\QCONSVC.EXE
c:\windows\system32\RegSrvc.exe
c:\windows\system32\TpKmpSVC.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-08-30 22:07:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-30 20:07
ComboFix2.txt 2010-08-29 10:49

Pre-Run: 30,976,290,816 bytes free
Post-Run: 31,011,524,608 bytes free

- - End Of File - - 9276D909F427455E5203DB5477A25369
 
I ran the ESET scan through Firefox because it didn't launch in IE. It found 2 infected files. Once I've completed this virus cleaning process, I will go through the list of files that don't need to run immediately on startup and delete/adjust.

Also, most of my music and photo files are stored on an external hard drive that has not been connected since I realized that I had a virus. How can I be sure that the external HD is not affected and will not reinfect my computer if I plug it in again?

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85a6394d97b6f146b6f7e02a5e01b180
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-30 09:32:09
# local_time=2010-08-30 11:32:09 (+0100, W. Europe Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1211889 1211889 0 0
# compatibility_mode=3587 16777189 100 94 1262105 32277254 0 0
# compatibility_mode=8192 67108863 100 0 210 210 0 0
# scanned=58907
# found=2
# cleaned=0
# scan_time=3910
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP152\A0040359.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
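The two ESET hits above sit in ComboFix's quarantine and in a System Restore snapshot, not on the live system. As an added example, not from the thread and not ESET's code, this Python reads the scanner's log format (`# key=value` header lines followed by `<path> <threat name> <hash> <flag>` finding lines) and splits findings into live versus leftover by location, which is the judgement the next reply makes by hand. The sample log is constructed: its first two finding lines are the ones posted, the third (a hypothetical path and threat name) stands in for a hit on a live file so the code has something to flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Locations where a detection is a leftover rather than a live file: ComboFix's
# quarantine and System Restore snapshots. Both get deleted at the end of cleanup.
INACTIVE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\system volume information\\",
)

# A finding line is "<path> <threat name> <32 hex> <flag>". The path may contain
# spaces, so anchor on the threat name (ESET names start with a platform prefix
# such as Win32/, optionally preceded by "a variant of"), then the hash and flag.
FINDING_RE = re.compile(
    r" (?P<threat>(?:probably a variant of |a variant of )?[A-Za-z0-9_.]+/\S.*?)"
    r" (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)


@dataclass
class Finding:
    path: str
    threat: str
    flag: str
    live: bool   # False when the file sits in quarantine or a restore point


def parse_finding(line: str):
    m = FINDING_RE.search(line)
    if not m:
        return None
    path = line[: m.start()]
    live = not path.lower().startswith(INACTIVE_PREFIXES)
    return Finding(path, m["threat"], m["flag"], live)


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding]]:
    headers, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            headers.setdefault(key, value)   # compatibility_mode repeats; keep the first
            continue
        f = parse_finding(line)             # banner lines such as "all ok" fall through
        if f:
            findings.append(f)
    return headers, findings


def triage(text: str) -> dict:
    """Summarise a log: do the counts agree, what is live, and did the scanner delete anything."""
    headers, findings = parse_eset_log(text)
    expected = int(headers.get("found", "0"))
    return {
        "count_matches_header": expected == len(findings),
        "live": [f.path for f in findings if f.live],
        "inactive": [f.path for f in findings if not f.live],
        "removed_by_scanner": headers.get("remove_checked") == "true",
    }


# Constructed sample: two lines from the log above plus one hypothetical live hit.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=false
# unwanted_checked=true
# found=3
# cleaned=0
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP152\A0040359.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\Documents and Settings\user\Local Settings\Temp\update.exe a variant of Win32/Agent.ABC trojan 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("live:", result["live"])
    print("inactive:", result["inactive"])
    print("header count consistent:", result["count_matches_header"])
```

Because the scan was run with "Remove found threats" unchecked, `remove_checked=false` confirms nothing was deleted behind the helper's back; a live entry in the output is the only case that needs a further step.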
 
The ESET log is clean. Qoobox is where ComboFix puts quarantined files, and System Volume Information is the restore point store. Both will be removed at the end and neither is active in the system.

You still have a lot of updaters loading from the Registry. I listed them at the end of Post #26 under:
Consider the following: some entries were preloaded before the computer shipped. Others were added later and are being started by the Registry

Look it over. I can remove those with a script in ComboFix if you want. As for the external drive you stored files on, you should be able to treat it the same way we disinfect a flash drive:

  • [1]. Download Flash_Disinfector and save it to your Desktop.
    [2]. After downloading, double-click on Flash_Disinfector to run it.
    [3]. Just follow the prompts and continue until it begins scanning.
    [image: flash-disinfector.jpg]

    [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
    [5]. It will scan removable drives, wait for the scan to finish. Done.
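The helper's answer to the external-drive question is a removable-media disinfector. As an added example that is not Flash_Disinfector and not from the thread, the Python below does the two things a practitioner would want to do by hand on an XP-era drive: read the drive-root autorun.inf and list every command it would hand to Windows, then occupy the autorun.inf name with a read-only, hidden, system folder so nothing can drop a new one. It assumes, which the thread does not state, that AutoRun is the reinfection path being defended against; the sample autorun.inf, its RECYCLER\setup.exe target and the temporary directory standing in for the drive root are all constructed.

```python
import ctypes
import os
import re
import tempfile
from pathlib import Path

# [autorun] directives that make Windows run something on insert or double-click.
LAUNCH_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    section, directives = None, {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def launch_commands(directives: dict) -> list:
    """Every command the file would hand to Windows, as (directive, command) pairs."""
    cmds = [(k, v) for k, v in directives.items() if LAUNCH_RE.match(k)]
    default_verb = directives.get("shell")   # shell=open makes shell\open\command the double-click action
    if default_verb:
        cmd = directives.get(f"shell\\{default_verb.lower()}\\command")
        if cmd:
            cmds.append(("shell=" + default_verb, cmd))
    return cmds


def inspect_drive(root) -> dict:
    """Report what autorun.inf at the drive root would launch, or that it is absent/blocked."""
    target = Path(root) / "autorun.inf"
    if target.is_dir():
        return {"state": "blocked", "launches": []}
    if not target.exists():
        return {"state": "absent", "launches": []}
    text = target.read_text(encoding="utf-8", errors="replace")
    return {"state": "present", "launches": launch_commands(parse_autorun(text))}


def block_autorun(root) -> bool:
    """Occupy the autorun.inf name with a folder so malware cannot drop a file there.

    Refuses to act while a real autorun.inf file is present: quarantine that first
    rather than letting a hardening step silently destroy evidence."""
    target = Path(root) / "autorun.inf"
    if target.is_file():
        return False
    target.mkdir(exist_ok=True)
    if os.name == "nt":   # READONLY | HIDDEN | SYSTEM, the attributes disinfector tools set
        ctypes.windll.kernel32.SetFileAttributesW(str(target), 0x1 | 0x2 | 0x4)
    return target.is_dir()


# Constructed sample in the shape XP-era drive worms used; setup.exe does not exist.
SAMPLE_AUTORUN = """[autorun]
; constructed sample for the example
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Photos
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell=open
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
"""


def demo() -> dict:
    """Run the check against a throwaway directory standing in for the drive root."""
    root = Path(tempfile.mkdtemp())
    before = inspect_drive(root)
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN, encoding="utf-8")
    infected = inspect_drive(root)
    refused = block_autorun(root)        # must not replace the file behind our back
    (root / "autorun.inf").unlink()      # stands in for quarantining it
    blocked = block_autorun(root)
    after = inspect_drive(root)
    return {"before": before["state"], "infected": infected,
            "refused": refused, "blocked": blocked, "after": after["state"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run `inspect_drive("E:\\")` (or whatever letter the external drive gets) with AutoPlay disabled before opening anything on it; an autorun.inf that only sets `icon` or `label` launches nothing and is benign, while any `open`, `shellexecute` or `shell\...\command` entry names a file to look at before the drive is trusted.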
 
Thanks! Should I disable my antivirus software before running Flash-Disinfector? When I run it Ad-Aware blocks Nircmd.exe and Trojan.Win.32.Generic!BT. I think that these are part of the Flash Disinfector but just wanted to be sure.
 
I did disable Ad-Aware, and Flash-Disinfector ran and was done almost immediately. In this case, I think my problem has been resolved!

I will go through the list of updaters with a friend, but thanks for offering to help with that as well.

One final question: do you recommend changing all of my passwords, or do you think that would be unnecessary considering the infection on my computer?

Thanks!
 
Yes, I do recommend that you change your passwords.

You can now remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 