The Avast forum is VERY responsive indeed. I have not even had a chance to add my Trojan Remover scan before getting a response.
There is a good UPS Infection thread on http://support.bicester-computers.com/showthread.php?t=18. They recommend Trojan Remover --> MBAM --> F-Prot. But I have trouble following instructions. I did MBAM -> Trojan Remover -> Avast boot scan. Each has found nasties. Here is the Trojan Remover scan log:
***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
29/07/2008 5:26:47 PM: Trojan Remover has been restarted
The AppInitDLLs Registry entry has been reset
Unable to rename C:\WINDOWS\system32\cru629.dat to C:\WINDOWS\system32\cru629.dat.vir
(C:\WINDOWS\system32\cru629.dat does not appear to exist)
29/07/2008 5:26:47 PM: Trojan Remover closed
************************************************************
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.1.2536. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 5:22:58 PM 29 Jul 2008
Using Database v7080
Operating System: Windows XP SP2 [Windows XP Home Edition Service Pack 2 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Mike\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Documents and Settings\Mike\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges
************************************************************
The regfile\shell\open\command Registry Key appears to have been modified.
The current Registry entry is: regedit.exe "%1" %*.
This entry calls the following file:
C:\WINDOWS\regedit.exe
Trojan Remover has restored the Registry regfile\shell\open key.
--------------------
************************************************************
5:23:15 PM: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS
************************************************************
5:23:15 PM: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS
************************************************************
5:23:15 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
************************************************************
5:23:16 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033216 bytes
Created: 10/08/2004
Modified: 13/06/2007
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
24576 bytes
Created: 10/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 10/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: SoundMAXPnP
Value Data: C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
1404928 bytes
Created: 06/09/2005
Modified: 14/10/2004
Company: Analog Devices, Inc.
--------------------
Value Name: SunJavaUpdateSched
Value Data: "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
144784 bytes
Created: 24/04/2008
Modified: 25/03/2008
Company: Sun Microsystems, Inc.
--------------------
Value Name: ISUSPM Startup
Value Data: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
221184 bytes
Created: 27/07/2004
Modified: 27/07/2004
Company: InstallShield Software Corporation
--------------------
Value Name: ISUSScheduler
Value Data: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
81920 bytes
Created: 27/07/2004
Modified: 27/07/2004
Company: InstallShield Software Corporation
--------------------
Value Name: igfxtray
Value Data: C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe
94208 bytes
Created: 06/09/2005
Modified: 20/09/2005
Company: Intel Corporation
--------------------
Value Name: igfxhkcmd
Value Data: C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe
77824 bytes
Created: 06/09/2005
Modified: 20/09/2005
Company: Intel Corporation
--------------------
Value Name: igfxpers
Value Data: C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe
114688 bytes
Created: 20/09/2005
Modified: 20/09/2005
Company: Intel Corporation
--------------------
Value Name: Google Desktop Search
Value Data: "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1838592 bytes
Created: 09/11/2006
Modified: 24/08/2007
Company: Google
--------------------
Value Name: Adobe Reader Speed Launcher
Value Data: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
39792 bytes
Created: 11/01/2008
Modified: 11/01/2008
Company: Adobe Systems Incorporated
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
910416 bytes
Created: 29/07/2008
Modified: 26/07/2008
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: MsnMsgr
Value Data: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
C:\Program Files\MSN Messenger\MsnMsgr.Exe [file not found to scan]
--------------------
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 10/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation
--------------------
Value Name: swg
Value Data: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
68856 bytes
Created: 13/07/2007
Modified: 13/07/2007
Company: Google Inc.
--------------------
Value Name: Skype
Value Data: "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
C:\Program Files\Skype\Phone\Skype.exe
-R- 21718312 bytes
Created: 30/05/2008
Modified: 30/05/2008
Company: Skype Technologies S.A.
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
************************************************************
5:23:19 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
************************************************************
5:23:19 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------
************************************************************
5:23:20 PM: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.
************************************************************
..continued on next post