spoo1.exe

[pacman2004]

Hello FreewheelinFrank

No luck at all.

I have done boot scan... detect nothing.  TrojanHunter, WinPatrol doesn't work.  The trendmicro online scanner did not detect this also.

Any particular reason why HjackThis caused spoo1sv.exe to "revive" ?

What next   ?

[FreewheelinFrank]

Hi Pacman2004,

To recap:

You have virus-like symptoms on your computer and you have found a file spoo1sv.exe which you think is responsible. This file is identified on the web as part of the SoulJet Trojan, but when you uploaded it to Jotti's scanner, all the tests were negative. The file came back when deleted (even when you removed the start-up entry with HijackThis!)- so it certainly behaves like malware. None of the programs I recommended has detected or removed this file.

Well, it looks like this might be a new variant of the Trojan, not yet recognised by anti-virus or anti-Trojan programs.

If it is like SoulJet, it will install itself as a Windows service, so that deleting the file will be useless, as services run even in safe mode- the Trojan can simply recreate the file later on. If it is doing this, the service is not appearing in HijackThis!, so we haven't seen it.

There are several things to do:

Submit the file to avast! for analysis. Follow DavidR's instructions in this thread:

http://forum.avast.com/index.php?topic=14717.msg124035#msg124035

Check to see if other anti-virus programs identify the Trojan. This usually takes from a few hours to a few days. Can you submit the file again to Jotti's scanner and see if it is identified as malware by any of the programs? Repeat this daily, because eventually one of the programs should identify it.

Try some more online scanners and see if any pick it up. You can try these:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

http://support.f-secure.com/enu/home/ols.shtml

and of course the Housecall scanner again.

Finally, you could search the registry for these entries:

    * HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
      Enum>Root>LEGACY_NETMM
    * HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
      Services>Netmm

If you find these, it is the Trojan service as described by Trend Micro. Do not delete these keys, but tell me if you find them.

Please let me know what happens.

[pacman2004]

Hello FreewheelinFrank

I noticed something peculiar when I open MS Words.  It seems that the "copy" function has been activated everytime I open MS Words.  There is this icon with an " I" and three small vertical lines appearing.  Normally this appears when we copy and paste things in Ms Words. 

So I clicked "paste " function and this web address appeared : http//www.18hicom/123.exe (Happens eveytime when I do this in MS Words)  This is the webpage page that the virus was installed from!

I didn't go into detail earlier about how my PC was infected.  It was like this :  I received a e-mail from a friend.  There are no attachments in the e-mail except for the web address above.  So I opened Explorer and keyed in this address.  Some message appeared (can't remember what it was - probably about running some program) and I clicked OK.  That's when all the trouble starts.  On hindsight,  it's really my stupidity that caused my PC to be infected.

I will try out what you have recommended and will inform you if there are new developments.  Really appreciate your advice and instructions

 

[FreewheelinFrank]

Hi Pacman2004,

Could you also try these rootkit detection programs, just to see if you have a rootkit hiding malware programs and registry entrirs?

http://www.sysinternals.com/Utilities/RootkitRevealer.html

http://www.f-secure.com/blacklight/

Edit: Please carry out the scans in my second posting first, as I think they will be more productive!

[FreewheelinFrank]

Hi Pacman2004,

A web search on 123.exe brings up some interesting results!

eTrust describe a Trojan called Sinister Uploader 1.0 which uses an install file name 123.exe, is hidden from the user, and produces task bar blink- all of which fits what you describe.

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075414

Panda call this Trojan Trj/W32.Apher, so it will be interesing to see if the Panda scanner detects anything.

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=38228

eTrust also have an online scanner, so I recommend trying that:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Sophos describe a Trojan called Troj/VB-GX which downloads a file called 123.exe from a remote location. Symptoms include the start page being set to "about:blank" which you describe. This is a new Trojan, emerging last month, and only added to the Sophos definitions this month, so this might also be the culprit!

http://www.sophos.com/virusinfo/analyses/trojvbgx.html

Sophos have a downloadable scanner you can try called SAV32CLI. You have to downloaded it, un zip the folder and copy it to a CD. You then boot into safe mode with command prompt and run the following commands:

D:

CD SAV32CLI

SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

Full instructions on this page:

http://www.sophos.com/support/disinfection/trojan.html

So, run the Panda and eTrust online scanners, and download and run the Sophos scanner- I think we'll get a result this time!

[pacman2004]

Hello FreewheelinFrank

I happened to chance on a chinese forum describing this file spoo1sv.exe. 

I will give a rough translation : spoo1sv.exe created 2 files, win.dll and windll.dll, in c:\windows\system subfolder.  After repairing, deleting and restarting, the problem is solved.

I am tempted to delete these 2 files but I am not sure about the "repairing" part.  How to "repair" before I delete the files ?

And are these 2 files suppose to be located in the system folder in the first place ?

[Eddy]

spoo1sv.exe is the Souljet trojan that steals passwords from your system.
Too remove it:

1) Disable System Restore (Windows Me/XP).
2) Update the virus definitions.
3) Restart the computer in Safe mode or VGA mode.
4) Run a full system scan and delete all the files detected as PWSteal.Souljet.
5) Reverse the changes made to the registry.
( HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\spoo1sv.exe )
6) Change all your passwords

[pacman2004]

Hello Eddy, FreewheelinFrank

I think the problem is solved.  Virus is TROJ_VB.FN

Solution can be found at :

http://de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?VName=TROJ_VB.FN

This is my latest scan :

Logfile of HijackThis v1.99.1
Scan saved at 11:44:33 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Utilities\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Utilities\SpywareGuard\sgmain.exe
C:\Utilities\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Utilities\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SmcService] C:\UTILIT~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AdwareAlert] C:\Utilities\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [WinPatrol] c:\UTILIT~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093701870593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED167D02-FBA5-4053-99C6-588473EB4C04}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Utilities\Sygate\SPF\smc.exe

[pacman2004]

Hello Eddy

After reading the description of the virus at the trend-mirco website, this virus doesn't seem to be stealing information ?

I suppose the data in my PC won't be compromised then.

Please advise.  Thank you. 

[Eddy]

Your system is still infected with maleware.
- adwarealert.exe
- O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll

FOLLOW THESE INSTRUCTIONS

[FreewheelinFrank]

Hi Pacman2004,

msntb.dll is listed as legitimate at castlecops, so you decide if you want to keep it:

http://castlecops.com/clsid-897.html

AdwaerAlert is a 'rogue' product: it claims to remove malware but doesn't:

http://castlecops.com/s9265-AdwareAlert_Exe.html
http://www.spywarewarrior.com/rogue_anti-spyware.htm

You should be able to remove it from Add/Remove programs. Get Ad-Aware and spybot Search & Destroy instead because they work and they are free:

http://www.lavasoft.de/

http://www.safer-networking.org/en/download/

I'm glad your computer is working OK now, although I'm a little confused.

windll.dll seems to be Netbus which avast! should have identified as it was added to definitions in 2004.

http://securityresponse.symantec.com/avcenter/venc/data/backorifice.html

I guess the references to repairing you found mean removing registry entries as described in the Symantec article.

win.dll is created by a couple of Trojans but not by Souljet, according to Symantec.

And what happened to spoo1sv.exe?

Did any of the scans I recommended find and delete anything?

Anyway, I'm glad to hear you're not having any more problems.

FF

[pacman2004]

Hello Freewheelin Frank & Eddy ,

I cleaned the Adaware Alert.exe, and deleted win.dll & windll.dll. 

No trace of spoo1sv.exe in the Prefetch folder also.  I suppose it has been removed 

The scans recommended detected some other things, but not this spoo1sv.exe.

Also the panda scanner doesn't seem usuable because Avast detect a Win32?? (can't remember exact name) during the scan process.  I had to abort the scan.  Tried twice, same thing happened.

E-trust scanner gave no results, same as Jotti scanner.

TrojanHunter found something (actually they are game patches I downloaded).  Did not detect spoo1sv.exe also.

By the way, what is this   
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install  ?  Is this a malware ?


My latest scan :

Logfile of HijackThis v1.99.1
Scan saved at 11:14:37 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Utilities\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Utilities\SpywareGuard\sgmain.exe
C:\Utilities\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-sg\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Utilities\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SmcService] C:\UTILIT~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093701870593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Utilities\Sygate\SPF\smc.exe

[MFB]

FIX these:

      O3 - Toolbar: ó?ò?°é??(&V) - {4647E382-520B-11D2-A0D0-004033D0645D} - C:\Program Files\InfoQuick\VoiceMate\plugin\mybands.dll

Not sure about these:
      O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll

      O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll

      O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Teh Kek Lin\My Documents\My Download Files\Software\FreeRAM XP Pro 1.40.exe" -win

      O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

[FreewheelinFrank]

Hi Pacman2004,

You can safely diasble avast! during the Panda scan because the warning is a false alarm.

nwiz.exe is not malware. It's from NVIDIA Corporation, but it's not an essential process, so you could disable it to improve performance:

http://www.liutilities.com/products/wintaskspro/processlibrary/nwiz/

I guess one of the scans you did removed the Souljet Trojan, of which spoo1sv.exe is a component. Different scanners use different names, so it might not even have been identified as Souljet.

The mybands.dll entry needs to go, as Fixer has noticed.

Have you run Ad-Aware and Spybot which I mentioned in my previous post? They may well remove it. Otherwise follow these removal instructions:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453079074

FF

[Eddy]

In a couple of days I will release the next version of my HJT lof file analyzer with additions to the databases.
The current version can be found HERE

Note:
It is a beta version so if you use it, please let me know if you find any shortcommings.