WiredWX Christian Hobby Weather Tools
Re: WiniBlue Soft removal
Here is the last part.


c:\windows\Help\OEM\scripts\HC_TotalCareAdvisorUpdate.exe
2009-03-30 21:30 . 2009-04-22 16:29 17160 ----a-w- c:\windows\Help\OEM\scripts\HC_DanzkaDubraBIOSUpdate.exe
2009-03-20 00:37 . 2009-03-20 00:37 34062 ----a-w- c:\users\Allen P Butler\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
2009-03-19 20:32 . 2009-04-10 20:15 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 03:38 . 2009-06-09 14:10 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-06-09 14:10 24064 ----a-w- c:\windows\system32\amxread.dll
2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8988-34A187E2698B}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 1773568]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-25 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-19 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-31 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-31 151552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-31 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 180224]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-10 518488]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-04-24 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Allen P Butler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B89089E0-93F3-4AAF-88BC-A77D8C0CE919}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6D8029B1-4EAB-4DD3-A2EE-20CE97784762}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{01805BF0-44B0-4852-82C2-4371FC760EB0}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{B0E7ADF8-5A75-41E5-A2CA-A5BF5D3E553D}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{5263EB6C-C32D-42ED-85BA-6ACF0EFA275E}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4CA7B5A8-30FA-4D1A-93BF-9ADCC28BACEC}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9F854534-00F2-4FC6-9DCE-27D00FE51D06}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EA468C31-1C10-4FED-A10C-B6C3D4C56FE1}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18CDF69B-2AC8-47E5-A6D8-4D581A618267}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{84964846-0ADE-4863-A648-CE7765AD75F2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D54D72DF-5B78-4592-A43B-CDB974B692CF}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{1B93D466-8C9E-4BED-B0A5-1AE708A1D28C}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{23D3D96F-0199-4117-B0EA-CBD607B1B971}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{D15CC401-1941-4CD3-8FC4-372E82D6E8C7}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{341627A5-2511-40F1-B92F-C9CBA3FB8F27}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{B91C10C5-1B9A-4D35-9732-9E90D4F38511}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8B135C10-D6A0-4945-AD4A-A7849EF03D08}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{ED5041E8-94B3-486F-902D-F83A8E0050EA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{FCBD9011-3D9C-48FA-9D2D-09F245F2A080}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{35B970EE-824B-4B76-BB8A-0CF9C76DCA24}c:\\program files\\rhapsody\\rhapsody.exe"= UDP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{FCAB759C-292B-4F1D-9A76-90A7BF7F4949}c:\\program files\\rhapsody\\rhapsody.exe"= TCP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"{A0ABA86B-A419-4DF6-8384-4B12113648F9}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8DDC40CF-B16C-4935-B6E9-F9AE5F7D5325}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{B7041966-FC8A-4C76-9953-3A1B1EAD11C4}"= UDP:c:\program files\1stWORKS\pc2me\BIN\pc2me.exe:PC2Me
"{CB0C0261-2C62-41E1-9100-99E15A2579EA}"= TCP:c:\program files\1stWORKS\pc2me\BIN\pc2me.exe:PC2Me
"{31EB4B14-CEB6-48F5-8803-E029AFA1AA4A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E363862D-2F94-4457-B8E1-541DAB4D6344}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D3EA381E-E7AF-4B34-A545-708AA769B89D}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7049FAF1-FB1A-4A05-9B80-2291B9247CBF}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{7C6A9DCC-D8BC-42D6-AA89-78EF9D5E790E}"= c:\program files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:Rosetta Stone Version 3 Application
"{F99D3905-0CC0-42AD-B05D-5282BA6BB6DB}"= c:\program files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:Rosetta Stone Ltd Services
"{C4E6E488-17E7-4926-8391-36F96E97C7D1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{8D3B9629-B68E-4BB9-9419-49AEBD6FD357}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0300000.086\SymEFA.sys [6/7/2009 11:43 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0300000.086\BHDrvx86.sys [6/7/2009 11:43 AM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0300000.086\cchpx86.sys [6/7/2009 11:43 AM 482352]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSvix86.sys [6/8/2009 2:24 PM 292912]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe [6/7/2009 11:43 AM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2009 11:43 AM 101936]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0300000.086\symndisv.sys [6/7/2009 11:43 AM 39984]
S0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [6/10/2009 2:25 PM 64160]
S2 gupdate1c9999199297b30;Google Update Service (gupdate1c9999199297b30);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2009 6:44 AM 133104]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\System32\drivers\libusb0.sys [4/19/2009 11:52 PM 28672]
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 18:24]

2009-06-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-25 05:41]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 10:43]

2008-12-16 c:\windows\Tasks\HPCeeScheduleForAllen P Butler.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-04-24 21:23]

2009-06-10 c:\windows\Tasks\User_Feed_Synchronization-{A653F827-0705-42A6-AE63-EE9BB8493479}.job
- c:\windows\system32\msfeedssync.exe [2008-09-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 21:35
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-11 21:42
ComboFix-quarantined-files.txt 2009-06-11 01:42

Pre-Run: 15,902,486,528 bytes free
Post-Run: 15,975,706,624 bytes free

987 --- E O F --- 2009-06-10 07:09

Re: WiniBlue Soft removal
Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\.exe
c:\windows\9057s9am5otz.exe

Folder::
c:\program files\LimeWire
c:\users\Allen P Butler\AppData\Roaming\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D54D72DF-5B78-4592-A43B-CDB974B692CF}"=-
"{1B93D466-8C9E-4BED-B0A5-1AE708A1D28C}"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: WiniBlue Soft removal
Ok, I did the drag and drop on the combo fix and it took about 10 minutes and created a log, but my programs did not come back up; there was just a background with no icons or programs. I waited a while and the computer just restarted, but when it came back up I couldn't find the log. It said it was saved and I searched for the name, but it didn't come up. Should I scan it again?

Re: WiniBlue Soft removal
No, it would have still done its job.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?


Re: WiniBlue Soft removal
Ok, so that removed the combo fix and the computer seems to be doing pretty good. Thanks a lot. So is the WiniBlue Soft completely gone from my computer now?

Re: WiniBlue Soft removal
Yep, I'd say it is.

