Hi friends. Proceeded to install the latest downloads on AVG Antispyware and did a complete system check, as I usually do. Came up with the usual series of cookies but also with the aforementioned Trojan.Maget and AVG suggested that I delete all. When I tried to delete the Trojan, I was told that I couldn't do so because it was embedded in a Windows file

C:\Windows\Options\Install\WIN_19.CAB

and I was asked whether I wanted to quarantine the file. Which I did. I rebooted my computer and did a second complete test, which found nothing.

Is this Trojan a major concern?

Am I 'rid' of it?

Will the quarantining of the above mentioned file have any impact on the general functioning of my computer as a whole?


P.S.: When I checked the 'Infections' section, I noticed that the Trojan had duplicated itself in the following file (which was automatically quarantined along with the first one)

C:\Program files\Plus!\Themes\WindowsDefault (256 color).theme



Many thanks for your help.

At the bottom of my post is a link for read this first, click the link and scroll down and find hijackthis and run it and post a hijackthis log and I will take a look.

As long as the trojan is quarantined it is all right and so will your PC.

Thanks for the reply, Neal. I figured you were going to ask me to post a HJT log and should have done so in the first place. So, without further ado...

Logfile of HijackThis v1.99.1
Scan saved at 2:30:59 PM, on 05/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\SYSTEM32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOW\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis1.9.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Adult - http://listdating.com/se/se10.htm
O8 - Extra context menu item: Business - http://listdating.com/se/se5.htm
O8 - Extra context menu item: Car Insurance - http://listdating.com/se/se3.htm
O8 - Extra context menu item: Escorts - http://listdating.com/se/se9.htm
O8 - Extra context menu item: Finance - http://listdating.com/se/se6.htm
O8 - Extra context menu item: Games - http://listdating.com/se/se12.htm
O8 - Extra context menu item: Health Insurance - http://listdating.com/se/se4.htm
O8 - Extra context menu item: Loans - http://listdating.com/se/se7.htm
O8 - Extra context menu item: Online Casino - http://listdating.com/se/se2.htm
O8 - Extra context menu item: Porn - http://listdating.com/se/se11.htm
O8 - Extra context menu item: Sport Betting - http://listdating.com/se/se1.htm
O8 - Extra context menu item: Viagra - http://listdating.com/se/se8.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: >> DATING >> - http://listdating.com/dt.htm
O8 - Extra context menu item: >> SEARCH >> - http://listdating.com/se.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOW\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

_______________

I guess I basically wanted to know if you had heard of this Trojan and how serious a threat it was.

Awaiting your knowledgeable comments, as usual. And many thanks... also as usual.

Hi,


Log is clean, let's run a couple more just to be sure something isn't hiding in the weeds.



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the files found:

* If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:


This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.cvs report.





1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Post a new hijackthis log also please.

Hi again...

I first ran Dr.Web and it came out empty (i.e. nothing found), so I couldn't save a report ~~ it didn't give me the possibility to do so.

I then ran ComboFix, which then told me that a report of its actions could be found at C:\ComboFix.txt. However, when I came to retrieve it, I found a warning from AVG Resident Shield that there was a BAT extension to the file and asked me if I wanted to store it in the virus vault, which I didn't want to do. So I left the file as is, but somehow wound up with the regular ComboFix.text file (or what I think is such... did I tell you that I was technologically challenged? ). Anywhooo, I am reproducing below the text of that file, hoping it is the right one and that it will be of some help to you:



((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))


2007-06-05 15:59 <DIR> d-------- C:\DOCUME~1\MICHEL~1\DoctorWeb
2007-05-17 19:59 <DIR> d-------- C:\WINDOW\pss


(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))

2007-04-26 1434 72,624 ----a-w C:\WINDOW\system32\drivers\khips.sys
2007-04-26 1430 302,000 ----a-w C:\WINDOW\system32\drivers\fwdrv.sys
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOW\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOW\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOW\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOW\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOW\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOW\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOW\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOW\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOW\system32\wups2.dll
2007-03-30 03:27:30 16 ----a-w C:\WINDOW\popcinfot.dat
2007-03-30 02:25:18 0 ----a-w C:\WINDOW\popcreg.dat
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOW\system32\winsrv.dll
2007-03-10 00:05:14 2,685,104 ----a-w C:\Program Files\ccsetup138.exe
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOW\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOW\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOW\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOW\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-04 13:30]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-19 12:22]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 15:37]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-08-10 09:37]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOW\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lancement rapide d'Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lancement rapide d'Adobe Reader.lnk
backup=C:\WINDOW\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOW\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^(name of user)^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\(name of user)\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOW\pss\OpenOffice.org 1.1.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOW\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOW\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"KPF4"=2 (0x2)
"IDriverT"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Adobe LM Service"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


If this ISN'T the file you're looking for, I could always run ComboFix again and this time reproduce the BAT file (assuming it's safe to open).


Here's the HJT file:


Logfile of HijackThis v1.99.1
Scan saved at 19:06, on 2007-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\SYSTEM32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOW\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\ComboFix\25935.cfexe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis1.9.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Adult - http://listdating.com/se/se10.htm
O8 - Extra context menu item: Business - http://listdating.com/se/se5.htm
O8 - Extra context menu item: Car Insurance - http://listdating.com/se/se3.htm
O8 - Extra context menu item: Escorts - http://listdating.com/se/se9.htm
O8 - Extra context menu item: Finance - http://listdating.com/se/se6.htm
O8 - Extra context menu item: Games - http://listdating.com/se/se12.htm
O8 - Extra context menu item: Health Insurance - http://listdating.com/se/se4.htm
O8 - Extra context menu item: Loans - http://listdating.com/se/se7.htm
O8 - Extra context menu item: Online Casino - http://listdating.com/se/se2.htm
O8 - Extra context menu item: Porn - http://listdating.com/se/se11.htm
O8 - Extra context menu item: Sport Betting - http://listdating.com/se/se1.htm
O8 - Extra context menu item: Viagra - http://listdating.com/se/se8.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: >> DATING >> - http://listdating.com/dt.htm
O8 - Extra context menu item: >> SEARCH >> - http://listdating.com/se.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOW\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

Run Panda online virus scanner following the instructions in the following link:
http://forums.thatcomputerguy.us/ind...showtopic=5122
Let it fix what it can.
Take note of any files that couldn't be deleted and post them back here. This scan will take more than an hour to complete, so make sure you have time to let it run all the way through.

Sorry Neal. Couldn't make Panda to work after I had downloaded the software AND installed ActiveX. When it comes to asking me which part of my computer I want scanned, I click on 'My Computer'... and nothing happens. I've had problems making Panda work in the past too, the issue then being that the software was incompatible with the AVG edition I have installed. This time, though, there is no such incompatibility message when I click on 'My Computer': there simply isn't anything happening!

I feel fairly confident that the Trojan AVG uncovered is safely quarantined, as you mentioned earlier (especially after I have run through the subsequent checks with the other software and found nothing suspicious): so, unless you are particularly weary of other things potentially running afoul, I think we can consider this case closed. And again, I thank you very much for your precious help in this matter.

OK then, glad all is well....





If you are no longer having any more trouble here is some preventative measures for you.

Be sure to re-hide hidden files/folders if you were asked to unhide them

Here are some preventive measures you can take to keep your computer from getting infected again. also keep all these and Ad-awareSE and SpybotS&D updated.

http://www.d-a-l.com/help/showthread.php?t=32403

Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.

Explained Here:
Windows XP: http://vil.nai.com/vil/SystemHelpDoc...ysRestore.aspx

Explained Here
Microsoft ME:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam


RegProtect

This small registry protection tool will save you hours of heartache by notifying you when some program good or bad is trying to access your registry.

You have the option of allowing(good) items or blocking(bad)items.

http://www.diamondcs.com.au/index.php?page=regprot


To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

http://www.microsoft.com/windows/ie/default.asp


2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching, there are a some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1

Avast: http://www.avast.com/eng/avast_4_home.html


3. In addtion to using Ad-aware consider using another free malware scanning/removal program:
Windows Defender

http://www.microsoft.com/athome/secu...e/default.mspx


4. Consider using a free firewall if you are not already using one. Some good free ones are:
Kerio
http://www.sunbelt-software.com/Kerio.cfm

Zone Labs Personal Firewall:
Zone Labs



5. Consider using an alternate free browser for general web surfing but you must use IE for windows update.
Mozilla Firefox: www.mozilla.org/products/firefox/


6. Consider increasing your browser security by using these programs:
SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking Thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:

http://www.javacoolsoftware.com/spywareblaster.html


If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/


IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm


Block access to Untrustworthy Sites

You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.



*Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's Free

Thanks Neal. A few additional (unanswered?) questions, if I may:

1. Have you ever heard of that Trojan, and how big a threat is it, if left untouched, in your opinion?

2. I have had to quarantine a whole file

C:\Windows\Options\Install\WIN_19.CAB

in AVG AntiSpyware because the Trojan was attached to it, and couldn't be isolated. I'm assuming the absence of such file won't create (major) problems as far as the functioning of my system is concerned?


Many thanks again, on my behalf and on behalf of the countless others you have helped in the past and continue to help now. Your efforts -- and those of all your expert colleagues -- are to be commended.