Author Topic: Win32:Trojan-gen (other) Help Needed ASAP  (Read 17856 times)


mclick

  • Guest
Win32:Trojan-gen (other) Help Needed ASAP
« on: November 05, 2008, 03:18:39 PM »
I keep finding the Win32:Trojan-gen (other) virus when scanning with AVAST.  I have downloaded Spybot, SuperAntispyware and Malwarebytes Anti-Malware.  I have done a boot scan with Avast and I still keep finding viruses.  I need some help on how to fix this problem.  If anyone can help, please give me some advice.  I am not very knowledgeable about viruses.  I did read that I should do a HijackThis log but I am not exactly sure how to do so.

thathagat

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #1 on: November 05, 2008, 03:24:34 PM »
Where exactly does avast detect the Win32:Trojan-gen (other)?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #2 on: November 05, 2008, 04:38:52 PM »
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mclick

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #3 on: November 06, 2008, 02:16:49 AM »
I have copied a few of the most recent viruses found.  Here they are below.  I have also noticed a ton of pop-up ads showing up for some poker site continuously.  I am not too sure what I need to do.


10/18/2008 3:31:51 PM   SYSTEM   1816   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\PROGRAM FILES\COMMON\HELPER.DLL" file. 
10/18/2008 3:46:14 PM   Owner   5540   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner.YOUR-73E770ABAA\Local Settings\Temporary Internet Files\Content.IE5\ZP7V6WXB\dl[1].htm" file. 
10/18/2008 4:54:45 PM   Owner   5540   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP617\A0045319.dll" file. 
11/3/2008 11:24:54 AM   SYSTEM   1892   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\u3BR5L8Q.exe" file. 
11/3/2008 1:00:00 PM   SYSTEM   1892   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\pQr3gSU4.exe" file. 
11/3/2008 2:07:57 PM   SYSTEM   1892   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\Swdtc112.exe" file. 
11/3/2008 4:08:27 PM   SYSTEM   1892   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\XnGWa2oo.exe" file. 
11/3/2008 6:19:43 PM   SYSTEM   1892   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\dd3cw0R0.exe" file. 
11/3/2008 7:14:53 PM   Owner   1780   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\3iw1mT3Y.exe" file. 
11/3/2008 9:16:00 PM   Owner   1780   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\v12al86h.exe" file. 
11/3/2008 11:12:59 PM   Owner   1780   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\47R5F5eP.exe" file. 
11/3/2008 11:26:49 PM   Owner   4420   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner.YOUR-73E770ABAA\Local Settings\Temp\2RRV64dJ.exe" file. 
11/3/2008 11:28:28 PM   Owner   4420   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner.YOUR-73E770ABAA\Local Settings\Temp\4ahk4LET.exe" file. 
11/3/2008 11:28:35 PM   Owner   4420   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner.YOUR-73E770ABAA\Local Settings\Temp\7Q8550PN.exe" file. 
11/3/2008 11:28:42 PM   Owner   4420   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner.YOUR-73E770ABAA\Local Settings\Temp\JmsMoiW1.exe" file. 
11/3/2008 11:30:42 PM   Owner   4420   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner.YOUR-73E770ABAA\Local Settings\Temp\u3BR5L8Q.exe" file. 
11/3/2008 11:31:01 PM   Owner   4420   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner.YOUR-73E770ABAA\Local Settings\Temp\w0pA1846.exe" file. 
11/3/2008 11:34:35 PM   Owner   4420   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner.YOUR-73E770ABAA\Local Settings\Temp\x20341X1.exe" file. 
11/4/2008 1:21:49 AM   Owner   1904   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\pQr3gSU4.exe_" file. 
11/4/2008 8:02:58 AM   Owner   336   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP631\A0045679.exe" file. 
11/4/2008 11:56:09 AM   SYSTEM   1940   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\EJo1UYBT.exe" file. 
11/4/2008 4:25:43 PM   SYSTEM   1940   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\UFKueIbb.exe" file. 
11/4/2008 9:14:55 PM   Owner   1948   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\erl476Ef.exe" file. 
11/4/2008 10:31:24 PM   Owner   1192   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\Temp\erl476Ef.exe" file. 
11/5/2008 7:14:56 AM   Owner   1940   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\X2inkcSE.exe" file. 
11/5/2008 10:14:58 AM   SYSTEM   2008   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\5QI6AYUt.exe" file. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #4 on: November 06, 2008, 03:03:16 AM »
Based solely on the file names (for the most part they look like randomly generated file names) they look suspicious to me. This could be an undetected element that is generating/downloading these files in temp, and avast is obviously catching these but not the undetected element.

It looks like a Virtumonde infection, but Malwarebytes and SAS should be able to find this, you should run both of these tools from safe mode again and report what they find. You could also try Vundo Fix Tool - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html


It could be that this is hidden by a rootkit.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight

Sorry to give you so much but it is 2 a.m. here and I'm calling it a night.

Since mostly these are in temp
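DavidR's reasoning above (random-looking file names, mostly under temp, with system32 and restore-point hits to be weighed differently) can be turned into a small triage script for avast! Log Viewer "Warning" lines. This is an added example, not code from this thread or from avast; the sample lines are copied from the detections mclick posted, and the name-randomness threshold is my own heuristic rather than any avast rule.

```python
import re
from collections import Counter

# Constructed sample: five lines in the format of the avast! Log Viewer
# "Warning" entries quoted earlier in this thread.
SAMPLE_LOG = r"""
11/3/2008 11:24:54 AM   SYSTEM   1892   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\u3BR5L8Q.exe" file.
11/3/2008 1:00:00 PM   SYSTEM   1892   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\pQr3gSU4.exe" file.
11/3/2008 2:07:57 PM   SYSTEM   1892   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\Swdtc112.exe" file.
10/18/2008 4:54:45 PM   Owner   5540   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP617\A0045319.dll" file.
10/18/2008 3:31:51 PM   SYSTEM   1816   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\PROGRAM FILES\COMMON\HELPER.DLL" file.
"""

LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)


def classify_location(path):
    """Bucket a Windows path the way the thread reasons about it."""
    p = path.lower()
    if "system volume information\\_restore" in p:
        return "restore_point"      # inert unless that restore point is used
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"               # dropped/downloaded payloads
    if "\\system32\\" in p:
        return "system32"           # persistent component, worth a closer look
    return "other"


def parse_line(line):
    """Parse one Log Viewer line into a dict, or return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # File name without directory and extension (works on non-Windows hosts too).
    rec["stem"] = rec["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    rec["location"] = classify_location(rec["path"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def looks_random(stem):
    """Heuristic (assumption, not an avast rule) for generated names like
    pQr3gSU4: 8+ chars, both letters and digits, and frequent switching
    between lower-case, upper-case and digit character classes."""
    if len(stem) < 8 or not any(c.isdigit() for c in stem) or not any(c.isalpha() for c in stem):
        return False

    def cls(c):
        return "d" if c.isdigit() else "u" if c.isupper() else "l" if c.islower() else "o"

    classes = [cls(c) for c in stem]
    transitions = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return transitions >= 3


def triage(text):
    """Summarise detections by location and list paths whose names look generated."""
    records = parse_log(text)
    by_location = Counter(r["location"] for r in records)
    flagged = sorted(r["path"] for r in records if looks_random(r["stem"]))
    return {"total": len(records), "by_location": dict(by_location), "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} detections: {result['by_location']}")
    for path in result["flagged"]:
        print("generated-looking name:", path)
```

A run over the full Log Viewer export would show the same pattern DavidR describes: many flagged names under temp, a repeating one in system32, and restore-point copies that can be ignored until the dropper is gone.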

thathagat

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #5 on: November 06, 2008, 05:28:18 AM »
1. Use CCleaner to clean the temp files, then scan again.
2. Download CCleaner from here: http://www.filehippo.com/download_ccleaner/

mclick

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #6 on: November 06, 2008, 06:59:29 AM »
I have done a Malware scan in safemode and found the following.  This was towards the end of the log file.

Files Infected:
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP634\A0045869.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pQr3gSU4.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

I also tried the Vundo and it came up with no infections found.  I am going to scan with AVAST again and also watch for any more found viruses over night.  My wife said that today and yesterday, they were popping up on a constant basis, so within a short time I should know whether or not I was able to clear the problem up. 

Thank you for the help so far.  If the problem persists, I will continue to follow your recommendations.  I will also send a follow up posting to advise you how things have been running.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #7 on: November 06, 2008, 02:50:41 PM »
You're welcome.

Well, this one could well have been a major contributor, as presumably it wasn't detected by avast?
C:\WINDOWS\system32\pQr3gSU4.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

The other one, in the Restore point: these really are inert (unless you were to use system restore in the future and include that restore point), as they will previously have been removed from a system folder, but they are best out of the System Volume Information folder.

If the pop-ups still occur there is another analysis tool we can try.
Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.

mclick

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #8 on: November 07, 2008, 04:30:21 AM »
As it turns out, I didn't have any luck with it.  There are still virus warnings popping up.  I still have to try the root kit and I will also try that last suggestion.  I will give it a shot later tonight.  For now I must help put the kids to bed but just wanted to check on here for a response.

mclick

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #9 on: November 07, 2008, 02:24:23 PM »
I used the CC Cleaner this time prior to my scans.  Avast found the following:

11/5/2008 7:14:56 AM   Owner   1940   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\X2inkcSE.exe" file.  
11/5/2008 10:14:58 AM   SYSTEM   2008   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\5QI6AYUt.exe" file.  
11/5/2008 8:10:13 PM   SYSTEM   2008   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\5mB6E15T.exe" file.  
11/5/2008 11:14:50 PM   Owner   1944   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\8143mWvQ.exe" file.  
11/6/2008 10:00:00 AM   SYSTEM   1920   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\K40WvnA3.exe" file.  
11/6/2008 8:27:13 PM   SYSTEM   1920   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\temp\7ImL5mmH.exe" file.  
11/6/2008 8:49:41 PM   Owner   5708   Sign of "Win32:Trojan-gen {Other}" has been found in "c:\windows\system32\k40wvna3.exe" file.  


The Malwarebytes found the following:

Files Infected:
C:\WINDOWS\system32\pQr3gSU4.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

The rootkit scan came up with nothing found.  I plugged my internet back in and within a few minutes, had my first pop-up show up again.  I did the HijackThis scan and came up with the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:37 AM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\pQr3gSU4.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


mclick

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #10 on: November 07, 2008, 02:27:30 PM »
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [showwnd] showwnd.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

mclick

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #11 on: November 07, 2008, 02:28:36 PM »
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {29C8B1AC-073B-46AC-A077-5114D4C3BF0C} (Image Uploader 3.0 Control) - http://photoshare.shaw.ca/files/ImageUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171686666406
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoshare.shaw.ca/files/ImageUploader4.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Filter hijack: text/html - {ae357988-a36a-4bc9-bf56-47f98402f8d0} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\516\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Gateway Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

--
End of file - 13979 bytes


There seems to be a few things in this list that I wonder about but let me know if anything stands out to you as being a problem.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #12 on: November 07, 2008, 06:10:57 PM »
Try this

Quote
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O18 - Filter hijack: text/html - {ae357988-a36a-4bc9-bf56-47f98402f8d0} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.  


Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes
pQr3gSU4.exe

:Files
C:\WINDOWS\system32\pQr3gSU4.exe

:Commands
[purity]
[emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

THEN

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio button for Rootkit check YES
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

mclick

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #13 on: November 08, 2008, 03:13:13 AM »
Here is the first bit of information from the log.  I also plan to post it to that mediafire as well.

========== PROCESSES ==========
Unable to kill process: pQr3gSU4.exe
========== FILES ==========
C:\WINDOWS\system32\pQr3gSU4.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\~DFAA8F.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7c0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11072008_190357

Files moved on Reboot...
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\~DFAA8F.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_7c0.dat not found!

mclick

  • Guest
Re: Win32:Trojan-gen (other) Help Needed ASAP
« Reply #14 on: November 08, 2008, 03:20:19 AM »
The mediafire link doesn't work.  What would you like to do with the OTScanIt log?  Did you need to see this?