various infections?

Ewido reported that rock.exe was found in my computer. I’ve got rid of most of it, but have got the following report from Ewido: C:\system volume restore.\RP317\A0023607.exe/keyms.exe Not-a-virus.PSW Tool.Win32.RAS.a The file c:\System Volume information\_restore{B37680B2-BAOA-4E5D-BF30-83E44C588624}RP317\A0023607.exe/xpkey.exe cannot be removed because it is embedded in the archive c:\System Volume Information….etc.etc Do you want to remove the whole archive? I can’t find this archive in the computer, so I don’t know what else it contains. Is it safe to tell Ewido to remove the whole archive? Scans by Spyware Doctor produced a staggering total of 3259 infections – which turned out to be all the files in Vcom Fixit. For some reason the Doctor seems suddenly to think that Fixit is an infection and, altho’ it [Fixit] was running ok earlier today, part of it its AV [Trend-Micro] has been uninstalled and PC Dr is now refusing even to let it open. And now PC Dr won’t run either. Earlier today MS AntiSpyware removed Rivarts.A - twice, even tho' I hadn't been online between the 2 scans. PC Doctor removed Fast Video Player Dialer. This is the first time I have found any malware in either of my computers. The only unusual thing that has happened in the last couple of days is that Dell fitted a replacement video card and updated the drivers online. I hadn't been able to use the computer during the 3 wks it took Dell to get the replacement to me, so he went online before I could update all my protection. Help will be much appreciated. Dell Dimension 8300, 2.92GHz, 1024 MB RAM. XP Home SP1 Ms Antispyware, Ad-Aware, Spybot, PC Tools Spyware Dr, Spyware Blaster, ewido (trial), Trend-Micro AV, ZA

 

Thanks, chaslang. Have been thro’ the cleaning procedure. Scan reports attached, + HJT log (looks nasty).

MS Antispy found and removed Rivarts.A
Ewido still can’t remove the 3 infections without deleting the entire archive in which they are embedded (see my original query)
SpyBot found nothing
Ad-Aware found and deleted Alexa
(PC Doctor found FastVideo dialer but can’t remove it. No other app. found this. I have now uninstalled the Dr as it was behaving erratically)

I have replaced ZA and Trend-Micro AV with BitDefender 8 Pro Plus, which I was already using on my other computer and is clearly better than what I had on this one. BitD’s online scan wasn’t able to remove all the infections, and ‘delete’ wasn’t an option, but I deleted them using the program I have installed. BitDef confirmed deletion. This morning I ran another scan and they are still there.

NB My ISP runs a virus check on all mail and notifies me when it has deleted messages that were infected. My internal AV also checks mail. Up till now I have had no infections, apart from the occasional Alexa reported by Ad-Aware, which it removes. I check every day for AV updates and once or twice a week for the other progs, and run daily or weekly scans. All clean until now.

For info’: I couldn’t use this computer since 1 March, when the video card stopped working and it took until 28 March for Dell to supply a new one. The Dell technician went online to download new drivers before I could update all the protection. I updated everything and, having earlier downloaded mail on my other computer went online once that day to check my inbox, which had only 3 or 4 messages.

After completing the cleaning procedure I booted into normal mode, and, still offline, modem disconnected, I opened Thunderbird. Instead of the few messages left in my inbox, 34 unread messages had appeared, the oldest dated 9 Feb 2004, the newest 27 Feb 06. Most of these were spam, others from regular senders. I have deleted them all – but where did they come from? And they seem to be the source of the infections listed by BitDef.

Today another irritation. When I was trying to convince Dell that my problem was a video card and not the monitor I ran the Dell diagnostic from their disk. This morning I keep getting interrupted by a box telling me the computer can’t find the Dell disk.

Sorry for long post, but hope details may be helpful.

 

Sorry this is taking ages because I’ve been trying to do it in between trying to meet 2 work deadlines (which is probably why I didn’t notice that I hadn’t already unpacked the HJT zip when I clicked on it).

I have followed instructions, but C:\windows\system32\gehmkl.exe is not there. Instead there is a text file named C:\windows\system32\gehmkl.exe-up
which reads:
windows error Access is denied.000
at z:\projects\Molestudio\Molebox\molebox\bootup\mbx_DLL.cpp(540)0

Shall I delete this in safe mode?

New HJT log attached.

Still 3 infections in System Volume...... Will they go when Sys. Restore is disabled?

 

A v. big thank you for sorting this out for me.

All seems ok now apart from the vanished Word icons in My Docs, but that's a minor inconvenience, so I have disabled/re-enabled System Restore.

I read through the How to Protect doc and I already do all of this, except that I had to uninstal SP2, which almost killed this computer.

Thanks again.