Author Topic: Anyone interested in the UPS Bundle of Viruses  (Read 35656 times)


funke

  • Guest
Anyone interested in the UPS Bundle of Viruses
« on: July 27, 2008, 11:51:36 PM »
My PC got a nasty infection. If anyone wants to study the nasty critters, I have them in zip file on a USB stick. Just tell me how to send them.

After having a bad day with UPS, I stupidly opened an email which I thought was from UPS. Worse, I opened the attached zip and ran the .exe (yes, I still cannot believe I would have been so stupid). The sad thing is that I am not alone. Others have done the same.

First of all I got some terrifying screens telling me to buy and install "XPSecurity 2008" from what masqueraded as a Microsoft site.

On bootup, there were some strange processes such as rhcpdgj0et13.exe, lpctdgj0et13.exe and a new rhcpdgj0et13\ folder appeared in my C:\Program files\folder. A HouseCall scan turned up a number of viruses, but it could not remove them.

SDFix removed a number of viruses, including braviax.exe, which got rid of the "Buy XPSecurity ..or else" displays. Avast!PE got rid of more nasties such as buritos.exe and karina.dat, but it keeps finding C:\Documents and Settings\Funke\Local settings\..\ttB.tmp and \..\wssl52[1].exe each time my PC starts up, and lpctdgj0et13.exe appears as a new process. Also, even before log-in, a

            WARNING
Syware detected on your computer.
Install an antivirus or spyware remover to
       clean your computer

And the screensaver has been replaced by a terrifying screen-saver that presents a BSOD (blue screen..), followed by a convincing show of the PC trying to reboot, followed by another BSOD and so on. The Desktop, Screen Saver tabs on the Screen's property sheet have been hidden, so one cannot select a friendlier screen-saver nor extend the delay period.

This is as good as it gets with Avast!

Unwilling (and probably unable) to launch a career fighting malware, I have decided to kiss my hard drive good-bye. But I have preserved a vial of these nasties for whoever wishes to study them.




Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89032
  • No support PMs thanks
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #1 on: July 28, 2008, 12:07:58 AM »
We don't use the forums as a distribution point for malware; send the password-protected zip file (with the password in the body of the email, "virus" will do) to virus (at) avast dot com with the subject "Undetected Malware".
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

wyrmrider

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #2 on: July 28, 2008, 08:51:12 PM »
XPSecurity 2008
is a well-known dangerous infection, with a goad to purchase a malware remover product.
It is fixable.
first schedule a boot time Avast scan
then scan with
spybot search and destroy
malware bytes anti-malware
Super anti spy
quarantine do not remove/ delete any hits  (in case of false positives or need to restore)

report back

you may end up posting a HJT log

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #3 on: July 28, 2008, 11:07:32 PM »
Thanks for recommendations.

Because this threatens to be a BIG project, I have set this aside for a few days so I can get caught up with my work. Each scan takes about 12 to 24 hrs.

What I am learning from this is that one should really set up a fairly small (~40GB) boot partition which can be backed up and restored with partImage s/w. Having a ton of data files on the boot partition has the effect of slowing scanning. It would seem that there is merit in reducing the size of the haystack, should one have to look for a needle in it.

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #4 on: July 28, 2008, 11:14:06 PM »
I emailed a zip with the UPS virus package as instructed by DavidR.

Should there be any progress in tracking down the critters, being curious, I would like to find out how I can learn about it.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89032
  • No support PMs thanks
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #5 on: July 28, 2008, 11:38:24 PM »
You normally don't get a reply (a failing to my mind, there should at the very least be an auto responder so you know that they have at least got it) unless they need more information.

You can also add the samples to the User Files section of the avast chest where they can do no harm and periodically scan them from within the User Files section of the chest. One day hopefully you will have a surprise as avast alerts.

wyrmrider

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #6 on: July 29, 2008, 03:42:43 AM »
xp 2008 virus/ malware

from the spybot forum-


It's on RogueRemover's radar:

http://www.malwarebytes.org/roguenet.php?id=421

RogueRemoverFREE:

http://www.malwarebytes.org/rogueremover.php

have you run something like CCleaner???

here's a thread of a poster with XP2008 with no AV and initial inability to read the stickies and follow instructions
do not be put off by this- especially if Malware bytes works
http://forums.spybot.info/showthread.php?t=31408

as I said before, try the boot-time avast scan first
then the MBAM  (Malware Bytes Anti Malware)
report back
this is a team effort

no use running Spybot today, as the definition is being added to Wednesday's beta update
see #9 this thread
http://forums.spybot.info/showthread.php?t=29150
If you are not familiar with Spybot Search and Destroy post back

need I say- Do not try this at home :)  (alone)
« Last Edit: July 29, 2008, 05:09:09 AM by wyrmrider »

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #7 on: July 30, 2008, 04:32:44 AM »
My PC is no longer displaying alarming messages and more alarming BSOD screensavers, thanks to Malware Bytes Anti Malware. Here is the MBAM report:

Malwarebytes' Anti-Malware 1.23
Database version: 985
Windows 5.1.2600 Service Pack 2

5:07:49 PM 29/07/2008
mbam-log-7-29-2008 (17-07-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 515785
Time elapsed: 5 hour(s), 57 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 12
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcpdgj0et13 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphctdgj0et13 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcpdgj0et13 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Wise InstallBuilder 8.1\PROGRESS\WizWin32.dll (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphctdgj0et13.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphctdgj0et13.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phctdgj0et13.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
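Every detection in the MBAM report above follows one shape: a location, the detection name in parentheses, and the action after "->" (data items also carry the "Bad: (x) Good: (y)" note). The following PowerShell function is an added example written for this thread; it is not Malwarebytes' code or any poster's. It parses such a report into objects and checks every "<Category> Infected: N" summary line against the number of entries actually listed under that heading, which catches a report that was truncated when pasted across several posts. The sample excerpt in the block is constructed in the same format, with the file names and keys taken from the report above, and its "Files Infected" header deliberately claims one more entry than is listed.

```powershell
# Added example for this thread (not from Malwarebytes or any poster). Parses a
# Malwarebytes 1.x report into objects and cross-checks the summary counts.

function ConvertFrom-MbamLog {
    param([Parameter(Mandatory = $true)][string]$Text)
    $expected = @{}      # category -> count claimed in the summary block
    $items    = @()      # one object per detection line
    $category = $null    # category heading currently being read
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^(?<cat>.+ Infected): (?<n>\d+)$') { $expected[$Matches.cat] = [int]$Matches.n; continue }
        if ($line -match '^(?<cat>.+ Infected):$')           { $category = $Matches.cat; continue }
        if ($category -and $line -match '^(?<loc>.+?) \((?<det>[^()]+)\) -> (?<rest>.+)$') {
            # Data items carry "Bad: (x) Good: (y) -> action"; keep the final action and the note
            $parts = $Matches.rest -split ' -> '
            $note = $null
            if ($parts.Count -gt 1) { $note = $parts[0] }
            $items += [pscustomobject]@{
                Category  = $category
                Location  = $Matches.loc
                Detection = $Matches.det
                Action    = $parts[-1]
                Note      = $note
            }
        }
    }
    # Count what was actually listed per category and compare with the header
    $actual = @{}
    foreach ($i in $items) { $actual[$i.Category] = 1 + [int]$actual[$i.Category] }
    $mismatches = foreach ($cat in $expected.Keys) {
        if ([int]$actual[$cat] -ne $expected[$cat]) {
            '{0}: header says {1}, listed {2}' -f $cat, $expected[$cat], [int]$actual[$cat]
        }
    }
    [pscustomobject]@{ Items = $items; Mismatches = @($mismatches) }
}

# Constructed excerpt in the report's format (entries taken from the thread's MBAM log)
$sampleLog = @'
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphctdgj0et13.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
'@

$report = ConvertFrom-MbamLog -Text $sampleLog
$report.Items | Group-Object Detection | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
$report.Items | Where-Object { $_.Note } | Format-Table Location, Note -AutoSize
$report.Mismatches
```

Grouping by detection name shows at a glance which families were present (here the rogue itself, the FakeAlert screensaver and the display-properties hijack), and the data-item notes record what the "Good" value was before the rogue changed it. With the sample above, the mismatch list reports the "Files Infected" category as listing fewer entries than its header claims; a real report that was pasted in full produces an empty list.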

wyrmrider

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #8 on: July 30, 2008, 05:07:04 AM »
Good news
However, sometimes this Virtumonde infection comes with lots of friends.
hopefully one of the removal experts will look at your post

If you have not run a boot-time Avast scan, manually update and do that now.

run ccleaner or similar

What I'd do is run a Kaspersky or Bitdefender online scan - turn on all the options.
post any hits (which may be false positives so quarantine- do not delete/remove)
reason- Bitdefender uses heuristics - which is a different approach than Avast- both have their place

DavidR states in another thread
BitDefender free is on-demand only so shouldn't be a problem, I would simply suggest you pause the standard shield whilst doing the BitDefender scan. - good advice- as well as closing unneeded programs and locking the web

removing crap is more difficult if there is an uncaught virus lurking

Then download a fresh copy of HijackThis to your desktop
right click and rename to hijackfunke.exe
why rename?
some malware is smart enough to disable HJT
Close all windows and browsers including this one- read the instructions
run a HJT "scan only" and post it here with the AV log
DO NOT FIX ANYTHING without help
you can read the stickies at the Safernetworking  general malware removal forum for some good ideas/ caveats
http://forums.spybot.info/forumdisplay.php?f=21
please do not post in more than one forum without your helpers ok and link back to here
Malware removal forums are really busy, and you can get advice which conflicts and can leave you really screwed up

thanks

I think you will find that the Avast forum is VERY responsive :)
« Last Edit: July 30, 2008, 05:20:00 AM by wyrmrider »

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #9 on: July 30, 2008, 05:35:52 AM »
The Avast forum is VERY responsive indeed. I have not even had a chance to add my Trojan Remover scan before getting a response.

There is a good UPS Infection thread on http://support.bicester-computers.com/showthread.php?t=18. They recommend Trojan Remover --> MBAM --> F-Prot. But, I have trouble following instructions. I did MBAM -> Trojan Removal -> Avast bootScan. Each has found nasties. Here is the Trojan Remover scan log:

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
29/07/2008 5:26:47 PM: Trojan Remover has been restarted
The AppInitDLLs Registry entry has been reset
Unable to rename C:\WINDOWS\system32\cru629.dat to C:\WINDOWS\system32\cru629.dat.vir
(C:\WINDOWS\system32\cru629.dat does not appear to exist)
29/07/2008 5:26:47 PM: Trojan Remover closed
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.1.2536. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 5:22:58 PM 29 Jul 2008
Using Database v7080
Operating System:  Windows XP SP2 [Windows XP Home Edition Service Pack 2 (Build 2600)]
File System:       NTFS
Data directory:     C:\Documents and Settings\Mike\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory:  C:\Documents and Settings\Mike\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory:  C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
The regfile\shell\open\command Registry Key appears to have been modified.
The current Registry entry is: regedit.exe "%1" %*.
This entry calls the following file:
C:\WINDOWS\regedit.exe
Trojan Remover has restored the Registry regfile\shell\open key.
--------------------

************************************************************
5:23:15 PM: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

************************************************************
5:23:15 PM: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

************************************************************
5:23:15 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
5:23:16 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033216 bytes
Created:  10/08/2004
Modified: 13/06/2007
Company:  Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
24576 bytes
Created:  10/08/2004
Modified: 04/08/2004
Company:  Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created:  10/08/2004
Modified: 04/08/2004
Company:  Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: SoundMAXPnP
Value Data: C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
1404928 bytes
Created:  06/09/2005
Modified: 14/10/2004
Company:  Analog Devices, Inc.
--------------------
Value Name: SunJavaUpdateSched
Value Data: "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
144784 bytes
Created:  24/04/2008
Modified: 25/03/2008
Company:  Sun Microsystems, Inc.
--------------------
Value Name: ISUSPM Startup
Value Data: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
221184 bytes
Created:  27/07/2004
Modified: 27/07/2004
Company:  InstallShield Software Corporation
--------------------
Value Name: ISUSScheduler
Value Data: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
81920 bytes
Created:  27/07/2004
Modified: 27/07/2004
Company:  InstallShield Software Corporation
--------------------
Value Name: igfxtray
Value Data: C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe
94208 bytes
Created:  06/09/2005
Modified: 20/09/2005
Company:  Intel Corporation
--------------------
Value Name: igfxhkcmd
Value Data: C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe
77824 bytes
Created:  06/09/2005
Modified: 20/09/2005
Company:  Intel Corporation
--------------------
Value Name: igfxpers
Value Data: C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe
114688 bytes
Created:  20/09/2005
Modified: 20/09/2005
Company:  Intel Corporation
--------------------
Value Name: Google Desktop Search
Value Data: "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1838592 bytes
Created:  09/11/2006
Modified: 24/08/2007
Company:  Google
--------------------
Value Name: Adobe Reader Speed Launcher
Value Data: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
39792 bytes
Created:  11/01/2008
Modified: 11/01/2008
Company:  Adobe Systems Incorporated
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
910416 bytes
Created:  29/07/2008
Modified: 26/07/2008
Company:  Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: MsnMsgr
Value Data: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
C:\Program Files\MSN Messenger\MsnMsgr.Exe [file not found to scan]
--------------------
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created:  10/08/2004
Modified: 04/08/2004
Company:  Microsoft Corporation
--------------------
Value Name: swg
Value Data: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
68856 bytes
Created:  13/07/2007
Modified: 13/07/2007
Company:  Google Inc.
--------------------
Value Name: Skype
Value Data: "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
C:\Program Files\Skype\Phone\Skype.exe
-R- 21718312 bytes
Created:  30/05/2008
Modified: 30/05/2008
Company:  Skype Technologies S.A.
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty

************************************************************
5:23:19 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File:      shell32.dll - this file is expected and has been left in place
----------

************************************************************
5:23:19 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
5:23:20 PM: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.

************************************************************

..continued on next post

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #10 on: July 30, 2008, 05:37:58 AM »
Trojan Remover Log continued..


************************************************************
5:23:20 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key:  {94de52c8-2d59-4f1b-883e-79663d2d9a8c}
Path: rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider
C:\WINDOWS\system32\Setup\FxsOcm.dll
132608 bytes
Created:  10/08/2004
Modified: 04/08/2004
Company:  Microsoft Corporation
----------

************************************************************
5:23:20 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: AppMgmt
%SystemRoot%\System32\appmgmts.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
5:23:20 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key:       aspnet_state
ImagePath: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
32768 bytes
Created:  14/07/2004
Modified: 14/07/2004
Company:  Microsoft Corporation
----------
Key:       C4ULoad2515
ImagePath: System32\Drivers\C4ULoad2.sys
C:\WINDOWS\System32\Drivers\C4ULoad2.sys
19112 bytes
Created:  27/04/2004
Modified: 27/04/2004
Company:  anchor chips
----------
Key:       CAN4USB_MCP2515
ImagePath: System32\Drivers\ezusb.sys
C:\WINDOWS\System32\Drivers\ezusb.sys
-R- 12307 bytes
Created:  29/05/2002
Modified: 29/05/2002
Company:  cypress semiconductor
----------
Key:       cvslock
ImagePath: "C:\Program Files\CVSNT\cvslock.exe"
C:\Program Files\CVSNT\cvslock.exe
58368 bytes
Created:  05/07/2006
Modified: 05/07/2006
Company: 
----------
Key:       cvsnt
ImagePath: "C:\Program Files\CVSNT\cvsservice.exe"
C:\Program Files\CVSNT\cvsservice.exe
37888 bytes
Created:  05/07/2006
Modified: 05/07/2006
Company:  March Hare Software Ltd
----------
Key:       DSBrokerService
ImagePath: "C:\Program Files\DellSupport\brkrsvc.exe"
C:\Program Files\DellSupport\brkrsvc.exe
76848 bytes
Created:  07/03/2007
Modified: 07/03/2007
Company: 
----------
Key:       DSproct
ImagePath: \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
4736 bytes
Created:  05/10/2006
Modified: 05/10/2006
Company:  Gteko Ltd.
----------
Key:       dsunidrv
ImagePath: system32\DRIVERS\dsunidrv.sys
C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
-S- 5376 bytes
Created:  25/02/2007
Modified: 25/02/2007
Company:  Gteko Ltd.
----------
Key:       GoogleDesktopManager
ImagePath: "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1838592 bytes
Created:  09/11/2006
Modified: 24/08/2007
Company:  Google
----------
Key:       gusvc
ImagePath: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
138168 bytes
Created:  31/01/2007
Modified: 31/01/2007
Company:  Google
----------
Key:       hhdserial
ImagePath: \??\C:\WINDOWS\system32\drivers\hhdserial.sys
C:\WINDOWS\system32\drivers\hhdserial.sys
30856 bytes
Created:  26/03/2008
Modified: 02/10/2007
Company:  HHD Software Ltd.
----------
Key:       HSFHWBS2
ImagePath: system32\DRIVERS\HSFHWBS2.sys
C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
212224 bytes
Created:  06/09/2005
Modified: 17/11/2003
Company:  Conexant Systems, Inc.
----------
Key:       ialm
ImagePath: system32\DRIVERS\ialmnt5.sys
C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
1302332 bytes
Created:  06/09/2005
Modified: 20/09/2005
Company:  Intel Corporation
----------
Key:       mf
ImagePath: system32\DRIVERS\mf.sys
C:\WINDOWS\system32\DRIVERS\mf.sys
63744 bytes
Created:  03/08/2004
Modified: 04/08/2004
Company:  Microsoft Corporation
----------
Key:       NDMSHLP
ImagePath: \??\C:\Program Files\Common Files\HHD Software\Device Monitor\ndmshlp.sys
C:\Program Files\Common Files\HHD Software\Device Monitor\ndmshlp.sys
7632 bytes
Created:  24/05/2005
Modified: 24/05/2005
Company:  HHD Software
----------
Key:       NetSvc
ImagePath: C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
143360 bytes
Created:  17/12/2003
Modified: 17/12/2003
Company:  Intel(R) Corporation
----------
Key:       NPF
ImagePath: system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\npf.sys
32512 bytes
Created:  02/08/2005
Modified: 02/08/2005
Company:  CACE Technologies
----------
Key:       rpcapd
ImagePath: "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"
C:\Program Files\WinPcap\rpcapd.exe
86016 bytes
Created:  02/08/2005
Modified: 02/08/2005
Company:  CACE Technologies
----------
Key:       senfilt
ImagePath: system32\drivers\senfilt.sys
C:\WINDOWS\system32\drivers\senfilt.sys
732928 bytes
Created:  06/09/2005
Modified: 17/09/2004
Company:  Creative Technology Ltd.
----------
Key:       Ser2pl
ImagePath: system32\DRIVERS\ser2pl.sys
C:\WINDOWS\system32\DRIVERS\ser2pl.sys
-R- 42752 bytes
Created:  01/02/2006
Modified: 27/06/2004
Company:  Prolific Technology Inc.
----------
Key:       SerIMPsw
ImagePath: system32\DRIVERS\serimpsw.sys
C:\WINDOWS\system32\DRIVERS\serimpsw.sys
60800 bytes
Created:  17/01/2006
Modified: 21/01/2004
Company:  Windows (R) 2000 DDK provider
----------
Key:       SerMon
ImagePath: \??\C:\Program Files\HHD Software\Free Serial Port Monitor\sermon.sys
C:\Program Files\HHD Software\Free Serial Port Monitor\sermon.sys
18432 bytes
Created:  24/05/2005
Modified: 24/05/2005
Company:  HHD Software
----------
Key:       smwdm
ImagePath: system32\drivers\smwdm.sys
C:\WINDOWS\system32\drivers\smwdm.sys
260352 bytes
Created:  06/09/2005
Modified: 27/01/2005
Company:  Analog Devices, Inc.
----------
Key:       SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{A445BD1E-49EE-4607-B370-5CCA447377C4}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created:  10/08/2004
Modified: 04/08/2004
Company:  Microsoft Corporation
----------
Key:       TetaSCDevice
ImagePath: \??\C:\WINDOWS\system32\tetascop.SYS
C:\WINDOWS\system32\tetascop.SYS [file not found to scan]
----------
Key:       U2SP
ImagePath: system32\DRIVERS\u2s2kxp.sys
C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys
23387 bytes
Created:  26/08/2002
Modified: 26/08/2002
Company:  Magic Control Technology Corp.
----------
Key:       wanatw
ImagePath: system32\DRIVERS\wanatw4.sys
C:\WINDOWS\system32\DRIVERS\wanatw4.sys [file not found to scan]
----------
Key:       WinDriver6
ImagePath: system32\drivers\windrvr6.sys
C:\WINDOWS\system32\drivers\windrvr6.sys
329072 bytes
Created:  10/08/2005
Modified: 10/08/2005
Company:  Jungo
----------

************************************************************
5:23:26 PM: Scanning -----VXD ENTRIES-----

************************************************************
5:23:26 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----
Key: igfxcui
DLL: igfxdev.dll
C:\WINDOWS\system32\igfxdev.dll
135168 bytes
Created:  06/09/2005
Modified: 20/09/2005
Company:  Intel Corporation
----------

************************************************************
5:23:26 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key:   Notepad++
CLSID: {120B94B5-2E6A-4F13-94D0-414BCB64FA0F}
Path:  C:\Program Files\Notepad++\nppcm.dll
C:\Program Files\Notepad++\nppcm.dll
24576 bytes
Created:  23/11/2006
Modified: 23/11/2006
Company:  Burgaud.com
----------
Key:   TextPad
CLSID: {2F25CF20-C569-11D1-B94C-00608CB45480}
Path:  C:\Program Files\TextPad 4\System\shellext.dll
C:\Program Files\TextPad 4\System\shellext.dll
49152 bytes
Created:  30/10/2003
Modified: 30/10/2003
Company:  Helios Software Solutions
----------
Key:   TortoiseCVS
CLSID: {5d1cb710-1c4b-11d4-bed5-005004b1f42f}
Path:  C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll
1073152 bytes
Created:  12/09/2005
Modified: 12/09/2005
Company:  www.tortoisecvs.org
----------
Key:   WinMerge
CLSID: {4E716236-AA30-4C65-B225-D68BBA81E9C2}
Path:  C:\Program Files\WinMerge\ShellExtensionU.dll
C:\Program Files\WinMerge\ShellExtensionU.dll
65536 bytes
Created:  03/07/2007
Modified: 19/06/2007
Company: 
----------

************************************************************
5:23:26 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key:  {5d1cb710-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll
1073152 bytes
Created:  12/09/2005
Modified: 12/09/2005
Company:  www.tortoisecvs.org
----------

************************************************************
5:23:26 PM: Scanning ----- BROWSER HELPER OBJECTS -----
No Browser Helper Objects found to scan

************************************************************
5:23:26 PM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************

..continued on next post..

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #11 on: July 30, 2008, 05:40:42 AM »
Trojan Remover scan log continued..

************************************************************
5:23:26 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
5:23:26 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
5:23:26 PM: Scanning ----- APPINIT_DLLS -----
AppInitDLLs entry = [cru629.dat]
cru629.dat - this reference will be removed
C:\WINDOWS\system32\cru629.dat - unable to take ownership/change permissions
C:\WINDOWS\system32\cru629.dat - marked for renaming when the PC is restarted (if it exists)
----------

************************************************************
5:24:05 PM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
5:24:06 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created:  10/08/2004
Modified: 10/08/2004
Company: 
--------------------
C:\Program Files\Microsoft Office\Office\OSA9.EXE
65588 bytes
Created:  21/03/1999
Modified: 21/03/1999
Company:  Microsoft Corporation
Microsoft Office.lnk - links to C:\Program Files\Microsoft Office\Office\OSA9.EXE
--------------------

************************************************************
5:24:06 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Administrator
[C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP]
The Startup Group for Administrator attempts to load the following file(s):
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created:  24/07/2008
Modified: 10/08/2004
Company: 
----------

************************************************************
5:24:06 PM: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan

************************************************************
5:24:06 PM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----
Key:   TortoiseCVS0
CLSID: {5d1cb710-1c4b-11d4-bed5-005004b1f42f}
File:  C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned
----------
Key:   TortoiseCVS1
CLSID: {5d1cb711-1c4b-11d4-bed5-005004b1f42f}
File:  C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned
----------
Key:   TortoiseCVS2
CLSID: {5d1cb712-1c4b-11d4-bed5-005004b1f42f}
File:  C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned
----------
Key:   TortoiseCVS3
CLSID: {5d1cb713-1c4b-11d4-bed5-005004b1f42f}
File:  C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned
----------
Key:   TortoiseCVS4
CLSID: {5d1cb714-1c4b-11d4-bed5-005004b1f42f}
File:  C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned
----------
Key:   TortoiseCVS5
CLSID: {5d1cb715-1c4b-11d4-bed5-005004b1f42f}
File:  C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned
----------
Key:   TortoiseCVS6
CLSID: {5d1cb716-1c4b-11d4-bed5-005004b1f42f}
File:  C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned
----------

************************************************************
5:24:06 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper entry is blank
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created:  10/08/2004
Modified: 10/08/2004
Company: 
----------
Additional file checks completed

************************************************************
5:24:07 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
[1 loaded module]
--------------------
C:\WINDOWS\system32\csrss.exe
[10 loaded modules in total]
--------------------
C:\WINDOWS\system32\winlogon.exe
[66 loaded modules in total]
--------------------
C:\WINDOWS\system32\services.exe
[37 loaded modules in total]
--------------------
C:\WINDOWS\system32\lsass.exe
[62 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[49 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[39 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe
[160 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[32 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[42 loaded modules in total]
--------------------
C:\WINDOWS\system32\spoolsv.exe
[52 loaded modules in total]
--------------------
C:\Program Files\CVSNT\cvslock.exe
[33 loaded modules in total]
--------------------
C:\Program Files\CVSNT\cvsservice.exe
[46 loaded modules in total]
--------------------
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
[19 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[39 loaded modules in total]
--------------------
C:\WINDOWS\system32\wdfmgr.exe
[14 loaded modules in total]
--------------------
C:\WINDOWS\System32\alg.exe
[33 loaded modules in total]
--------------------
C:\WINDOWS\Explorer.EXE
[99 loaded modules in total]
--------------------
C:\WINDOWS\system32\wscntfy.exe
[16 loaded modules in total]
--------------------
C:\Program Files\Analog Devices\Core\smax4pnp.exe
[35 loaded modules in total]
--------------------
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
[25 loaded modules in total]
--------------------
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[9 loaded modules in total]
--------------------
C:\WINDOWS\system32\hkcmd.exe
[20 loaded modules in total]
--------------------
C:\WINDOWS\system32\igfxpers.exe
[21 loaded modules in total]
--------------------
C:\WINDOWS\system32\ctfmon.exe
[25 loaded modules in total]
--------------------
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[53 loaded modules in total]
--------------------
C:\Program Files\Skype\Phone\Skype.exe
[74 loaded modules in total]
--------------------
C:\Program Files\Skype\Plugin Manager\skypePM.exe
[58 loaded modules in total]
--------------------
C:\WINDOWS\system32\taskmgr.exe
[36 loaded modules in total]
--------------------
C:\WINDOWS\system32\wuauclt.exe
[42 loaded modules in total]
--------------------
C:\Documents and Settings\Mike\Application Data\Simply Super Software\Trojan Remover\kvw2.exe
FileSize:          2536000
[This is a Trojan Remover component]
[25 loaded modules in total]
--------------------

************************************************************
5:24:24 PM: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file

************************************************************
5:24:24 PM: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file

************************************************************
5:24:24 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
5:24:24 PM: Scanning ------ %TEMP% DIRECTORY ------
************************************************************
5:24:25 PM: Scanning ------ C:\WINDOWS\Temp DIRECTORY ------
************************************************************
5:24:25 PM: Scanning ------ ROOT DIRECTORY ------

************************************************************
5:24:25 PM: ------ Scan for other files to remove ------
No malware-related files found to remove

************************************************************

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #12 on: July 30, 2008, 05:41:44 AM »
Remainder of Trojan Remover scan:

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.google.com/ie
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.dell.ca/myway

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 5:24:25 PM 29 Jul 2008
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
29/07/2008 5:24:28 PM: restart commenced
************************************************************

Phew!!

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #13 on: July 30, 2008, 05:52:03 AM »
Following up on my MBAM -> Trojan Remover -> Avast boot scan. Each has found nasties. Here is the Avast boot scan log:

CmdLine - quick
aswBoot.exe /A:"*" /L:"English" /KBD:2
CmdLine end
SafeBoot: 0
CreateKbThread
new CKbBuffer
CKbBuffer::Init
CKbBuffer::Init end
NtCreateEvent(g_hStopEvent)
dep_osBeginThread - KbThread
CreateKbThread end
NtInitializeRegistry
KbThread start
ReadRegistry
DATA=C:\Program Files\Alwil Software\Avast4\DATA
PROG=C:\Program Files\Alwil Software\Avast4
BUILD=1229
Microsoft Windows XP Service Pack 2
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
ReadRegistry end
CreateTemp
CreateTemp end
cmnbInit
SetFolders
SetFolders end
aswEnginDllMain(DLL_PROCESS_ATTACH)
InitLog
InitLog end
CmdLine - full
aswBoot.exe /A:"*" /L:"English" /KBD:2
CmdLine end
Unschedule
61,00,75,00,74,00,6F,00,63,00,68,00,65,00,63,00,
6B,00,20,00,61,00,75,00,74,00,6F,00,63,00,68,00,
6B,00,20,00,2A,00,00,00,61,00,73,00,77,00,42,00,
6F,00,6F,00,74,00,2E,00,65,00,78,00,65,00,20,00,
2F,00,41,00,3A,00,22,00,2A,00,22,00,20,00,2F,00,
4C,00,3A,00,22,00,45,00,6E,00,67,00,6C,00,69,00,
73,00,68,00,22,00,20,00,2F,00,4B,00,42,00,44,00,
3A,00,32,00,00,00,00,00,
Unschedule end
LoadResources
LoadResources end
InitReport
InitReport end
NtSetEvent(g_hInitEvent) - 1
InitKeyboard
FreeMemory: 434495488
g_dwKbdNum: 2
avworkInitialize
s_dwKbdClassCnt: 2
InitKeyboard end
NtSetEvent(g_hInitEvent) - 2
GetKey
FreeMemory: 384831488
CKbBuffer::Wait
CKbBuffer::Get
CKbBuffer::Get end
CKbBuffer::Wait end
ProcessArea
avfilesScanAdd *MBR0
avfilesScanAdd *RAW:C:\  [Fs: 000500ff, NTFS; Dev: 07, 00000020]
avfilesScanRealMulti begin
CKbBuffer::Get
0, 7, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
CKbBuffer::Get end
GetKey
0, 7, 1, 0, 0
avfilesScanRealMulti finished
avworkClose
Checking deleted files:
MarkFileRemoval
MarkFileRemoval end
TerminateKbThread
GetKey end
CloseKeyboard
CloseKeyboard end
KbThread stop
CKbBuffer::~CKbBuffer
CKbBuffer::~CKbBuffer end
aswEnginDllMain(DLL_PROCESS_DETACH)
cmnbFree
FreeResources
CloseReport
CloseLog
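
The hex dump under "Unschedule" in that log is a registry REG_MULTI_SZ value: comma-separated UTF-16LE bytes, the same layout a .reg export uses for hex(7). Decoding it shows the BootExecute list that the boot-time scanner registers itself in (on Windows the value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager), which is useful to know because anything listed there runs in native mode before user-mode services and anti-virus start, so it is a persistence location worth checking on a machine like this one. The script below is an added example written for this thread, not part of the Avast log or of any of the tools named above; the sample dump is copied from the log, and the "stock default" list is the single entry a clean Windows XP install carries.

```python
"""Decode a REG_MULTI_SZ hex dump (as logged by aswBoot.exe above) and flag
BootExecute entries that are not the stock Windows default.

Added example for this thread; the dump below is copied from the Avast log,
the registry location named in the comments is Windows' standard one.
"""
from typing import List

# Hex dump exactly as it appears under "Unschedule" in the boot-scan log
# (constructed sample input for this example, copied from the post above).
AVAST_UNSCHEDULE_DUMP = """\
61,00,75,00,74,00,6F,00,63,00,68,00,65,00,63,00,
6B,00,20,00,61,00,75,00,74,00,6F,00,63,00,68,00,
6B,00,20,00,2A,00,00,00,61,00,73,00,77,00,42,00,
6F,00,6F,00,74,00,2E,00,65,00,78,00,65,00,20,00,
2F,00,41,00,3A,00,22,00,2A,00,22,00,20,00,2F,00,
4C,00,3A,00,22,00,45,00,6E,00,67,00,6C,00,69,00,
73,00,68,00,22,00,20,00,2F,00,4B,00,42,00,44,00,
3A,00,32,00,00,00,00,00,
"""

# The only entry a clean Windows XP install has in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute.
DEFAULT_BOOTEXECUTE = ("autocheck autochk *",)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn comma-separated hex byte pairs, spread over any number of lines,
    into the raw value bytes. Empty tokens (trailing commas) are ignored."""
    tokens = [t.strip() for t in dump.replace("\n", "").split(",") if t.strip()]
    return bytes(int(t, 16) for t in tokens)


def decode_multi_sz(raw: bytes) -> List[str]:
    """Decode a REG_MULTI_SZ blob: UTF-16LE strings, each NUL-terminated,
    with one extra NUL closing the whole list."""
    text = raw.decode("utf-16-le")
    # Splitting on the per-string terminator leaves empty strings for the
    # list terminator; drop them.
    return [part for part in text.split("\x00") if part]


def unexpected_boot_entries(entries: List[str]) -> List[str]:
    """Return every BootExecute entry that is not part of the stock default.
    A boot-time scanner such as aswBoot.exe shows up here legitimately while
    it is scheduled; anything else deserves a closer look."""
    return [entry for entry in entries if entry not in DEFAULT_BOOTEXECUTE]


def analyse_dump(dump: str) -> List[str]:
    """Convenience wrapper: hex dump -> decoded entries -> non-default ones."""
    return unexpected_boot_entries(decode_multi_sz(hex_dump_to_bytes(dump)))


if __name__ == "__main__":
    for entry in decode_multi_sz(hex_dump_to_bytes(AVAST_UNSCHEDULE_DUMP)):
        print(repr(entry))
    print("non-default entries:", analyse_dump(AVAST_UNSCHEDULE_DUMP))
```

Run against the dump from the log it prints the two entries, `autocheck autochk *` and `aswBoot.exe /A:"*" /L:"English" /KBD:2`, and reports only the second as non-default; that is the scanner's own entry, which the "Unschedule" step removes once the scan has run. The same decoder works on any hex(7) value pasted out of a .reg export, so it can be pointed at other REG_MULTI_SZ persistence locations as well.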

wyrmrider

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #14 on: July 30, 2008, 06:07:56 AM »
OK
I'm not familiar with Trojan Remover - what a log
I've used Trojan Hunter, which has a nice 30-day free trial,
and A-Squared Free
did you buy Trojan Remover?

anyway
go to my last post
start at "run ccleaner"
and continue
post a nice HJT log and let's see if freewheeling frank or one of the HJT experts will pronounce you clean or in need of some additional work
there are things that the tools/programs can't easily get - or you have to know which one to use
AND IN WHICH ORDER

ps
DO NOT RUN COMBO FIX unattended - or anything else not mentioned above