Long trojan story - sorry - please read

Discussion in 'Malware Help (A Specialist Will Reply)' started by Allochthonous, Apr 9, 2006.

  1. Allochthonous

    Allochthonous Corporal

    Dell Dimension 4550
    Pentium 4 2.4 ghz, 512 MB RAM
    80 GB HD
    Windows XP Home w/SP2 and all critical updates
    Avast Home Edition, running active scanning
    MS AntiSpyware (just upgraded to Defender), running active scanner
    Sunbelt Kerio Personal Firewall 4 (free version)
    Ad-Aware SE installed (not active scan mode)
    Spybot installed (not active scan mode)
    IE 6 primary browser
    DSL net connection

    The other night after clicking on an assumed innocent Google search result (a top 5 link, by the way), my Avast A/V alarm went off and said that a virus had been detected in the link but it had been blocked by Avast, so there was no need to worry. I clicked OK and did a quick search for information on the virus. At a glance, I thought I had read that it was more of a spyware Trojan, so I went ahead with an Ad-Aware scan.

    The Avast log says that the file name was http://69.56.176.76/weblugin.cab\wupdt.exe

    Shortly after Ad-Aware began scanning, the Avast alarm went off again and said that the same virus had been detected. Here is what the Avast log says now:

    Sign of "Win32:Trojano-305[Trj]" has been found in "C:\DOCUME~1\Paul\LOCALS~1\Temp\AAWTMP\C219062250\1AC2F0\wupdr.exe" file

    I clicked “Delete” to delete the infected file. Ad-Aware found nothing major in its scan.

    Concerned, I then decided to try to get a second opinion. I probably should have just jumped right into a full Avast scan first, but went to Trend Micro and used House Call instead.

    When House Call got so far, the Avast alarm again sounded. Here is the log entry for this occurrence:

    Sign of "Win32:Trojano-305[Trj]" has been found in "C:\DOCUME~1\Paul\LOCALS~1\Temp\V8AKFHa02872" file

    This time I chose to isolate the file in the Avast Chest. The House Call scan returned two spyware threats, ADW_SE 118698 and DIAL_SE 126407, but that was all. I have not had a chance to investigate these, as the House Call results page was not very explanatory. Note that neither Ad-Aware nor MS AntiSpyware nor PC Pitstop detected either of these.

    I then deleted that infected file from the Avast chest, and ran a full Avast scan. It came up with nothing.

    I then ran a boot scan with Avast – again nothing was detected. I then turned off System Restore and ran yet another full Avast scan and House Call scan. Avast came up with nothing, the House Call scan gave the same results as above.

    When I do a search on my machine for the file wupdt.exe, it cannot be found.

    I e-mailed Avast Tech Support and posted on another forum that I frequent.

    Here is the reply from Avast Tech Support:
    "Hi,
    Don't be afraid of some active infection. Your infected files are a parts of
    webShield temporary stream. Avast saves downloaded data to your temp
    directory, scans them and then forwards (if clean) or deletes (if infected)
    them. But in this case the archive webplugin.cab was corrupted. This caused
    some error (not critical, don't worry), so Avast stopped the testing of
    stream, blocked it, but didn't delete these two files. That's why Avast
    found the infection again. As you said - Avast did correct cleaning by
    "on-demand" scan, so now you are safe again."

    To which I replied:
    "What is this archive "webplugin.cab" and if I deleted it, then will I have
    issues in the future?

    Why can't I find the path C:\DOCUME~1\Paul\LOCALS~1\Temp ? Is this a Temp
    folder that is created and then deleted by Avast?

    Every time that I have done an "on demand" scan (boot scan, regular scan,
    boot scan with System Restore off, regular scan with System Restore off),
    nothing has been found. The second time that the virus was detected by Avast
    while running another product's scan, I had Avast move it to the Chest and
    then deleted it manually.

    Is there anything else I can do to make sure that I am clean??? I really
    try to keep security tight on my system and get very frustrated when stuff
    like this happens."

    I have not received a reply yet.

    Someone on the other forums gave me a link to a Symantec tool specifically designed to remove the wupdt.exe virus (fxIEplgn.exe). I ran this program and it provided this log:

    Symantec Adware.IEPlugin Removal Tool 1.0.5

    C:\Documents and Settings\All Users\Application Data\Microsoft\Money\11.0\Webcache\clear.gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\MPZ4D8RM\CAI3S16R.gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\OD2R8DQR\blank[1].gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\OD2R8DQR\p_trans[1].gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\STMJ09E7\blank[1].gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YVYYMV2P\blank[1].gif: (deleted)
    C:\Documents and Settings\Paul\My Documents\General Computer Info\Belarc Advisor Current Profile_files\trans.gif: (deleted)
    C:\Documents and Settings\Paul\My Documents\My Downloads\iRiver MP3 player\Regular Software and Firmware\firmware.aspx_files\s.gif: (deleted)
    C:\Documents and Settings\Paul\My Documents\My Downloads\iRiver MP3 player\UMS Info and Firmware\ums.aspx_files\s.gif: (deleted)
    C:\Program Files\Adobe\Photoshop Elements 4.0\shared_assets\webcontactsheet\antique paper\images\trans.gif: (deleted)
    C:\Program Files\Adobe\Photoshop Elements 4.0\shared_assets\webcontactsheet\portfolio\images\trans.gif: (deleted)
    C:\Program Files\Adobe\Photoshop Elements 4.0\shared_assets\webcontactsheet\vacation\images\trans.gif: (deleted)
    C:\Program Files\Belarc\Advisor\System\local\images\trans.gif: (deleted)
    C:\Program Files\Common Files\InstallShield\UpdateService\images\spacer.gif: (deleted)
    C:\Program Files\Microsoft Picture It! 7\1033\Movies\spacer.gif: (deleted)
    C:\System Volume Information: (not scanned)
    C:\WINDOWS\I860\English\Windows\Photo\Other\spacer.gif: (deleted)
    registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
    registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Use Custom Search URL (value deleted)
    registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Use Search Asst (value deleted)
    registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search: SearchAssistant (value deleted)
    registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl (key deleted)
    registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
    registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl (key deleted)
    registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components: GeneralFlags (value set to 0x00000004 (4))
    registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search: SearchAssistant (value set to "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm")
    registry: HKEY_USERS\S-1-5-21-299502267-1425521274-725345543-1004\Software\Microsoft\Internet Explorer\Main: Search Page (value set to "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch")
    Adware.IEPlugin has been successfully removed from your computer!
    Here is the report:
    The total number of the scanned files: 83404
    The number of deleted files: 16
    The number of threat processes terminated: 0
    The number of other processes terminated: 0
    The number of registry entries fixed: 10

    The guy (who I trust) said that most of these files were in my Temp Internet directory, so don't worry about those. The others are just GIFs which are expendable too. He said that the ":" indicates that they may have been infected.

    I then ran McAfee online scan, which also turned up nothing.

    I also ran Spybot, also nothing.

    Just to be sure, I ran the Symantec tool again, but it came back reporting that it cleaned 6 more files.

    Log:
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\3FHFRXOW\blank[1].gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\9O4RX189\p_trans[1].gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\ATBOLKV2\1x1[1].gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\CHY7QIBT\dotclear[1].gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\CHY7QIBT\transpix[1].gif: (deleted)
    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\OD2R8DQR\blank[1].gif: (deleted)
    C:\System Volume Information: (not scanned)
    registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components: GeneralFlags (value set to 0x00000004 (4))
    Adware.IEPlugin has been successfully removed from your computer!
    Here is the report:
    The total number of the scanned files: 84759
    The number of deleted files: 6
    The number of threat processes terminated: 0
    The number of other processes terminated: 0
    The number of registry entries fixed: 1

    I was very confused by this point, since the tool had already said that it had removed the malware.

    The guy said to consider it clean. He said he was not 100% sure that the tool does not simply clean out GIFs from the temp directory and throw the ":" on the end of all GIFs for display purposes.

    I then ran TrendMicro AntiSpyware Web Scan, which yielded these results:

    Adware_ABetterInternet
    Adware_ClearSearch
    Dialer_7AdPower

    None of my other scans turned up these programs.

    I then went on a scanning rampage. Here is what I did yesterday:
    System Restore OFF
    -------
    TrendMicro AntiSpy for the Web
    Detected:
    Cookies (cleared out of browser after scan)
    Adware_ABetterInternet - did not take action yet
    Adware_ClearSearch - did not take action yet
    Dialer_7AdPower - did not take action yet
    -------
    MS Defender
    - Found nothing in nightly scheduled full scan
    - Found nothing in quick scan.
    -------
    Ad-Aware SE - Full Scan Options - NO critical objects
    -------
    Spy-Bot - No Threats Found
    ------
    Rebooted to move Avast interface so I could see it in Safe Mode and download Symantec Tool.

    Restarted in SAFE MODE
    -------
    MS Defender - Found nothing in quick scan.
    -------
    Ad-Aware SE - Full Scan Options - NO critical objects
    -------
    Spy-Bot - No Threats Found
    ------
    Avast! - Deep scan options - Nothing found
    ------
    Ran Symantec Tool again - IEPlugin not found.

    Rebooted into regular mode.

    Ran TrendMicro Spyware Web Scan again, let it remove the 3 threats.

    Ran HouseCall again, only cookies detected.

    Is this PROFANITY NOT PERMITTED thing gone now or what? I can provide a HijackThis log if anyone can read it for me. Did Avast block the malware or not? Others suggest that it did block it, just not quickly enough. What is this directory that Avast claims the malware was located in the second and third time (while I was doing the other scans), and how did it get there if I deleted it??


    PK
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    The best way for us to know what your true status is, is for you to follow our cleaning procedures and attach the three requested logs from below.

    Note, this folder: C:\DOCUME~1\Paul\LOCALS~1\Temp
    is really this: C:\Documents and Settings\Paul\Local Settings\Temp

    You should delete all files and subfolders in this Temp folder. You will not be able to delete the ones from the current date; they are in use by Windows.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
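When reading a removal-tool log like the two Symantec ones quoted above, the useful triage questions are: how many deleted files were browser-cache copies versus files elsewhere on disk, were they all GIFs, and do the listed entries reconcile with the tool's own "number of deleted files" / "registry entries fixed" lines. The parser below is an added example, not the Symantec tool's code or anything posted in this thread; the sample lines are constructed in the quoted log format, and the cache-versus-other split is the heuristic the poster's friend used.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the Symantec Adware.IEPlugin log quoted above.
SAMPLE_LOG = r"""C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\OD2R8DQR\blank[1].gif: (deleted)
C:\Program Files\Belarc\Advisor\System\local\images\trans.gif: (deleted)
C:\System Volume Information: (not scanned)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl (key deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components: GeneralFlags (value set to 0x00000004 (4))
Adware.IEPlugin has been successfully removed from your computer!
The number of deleted files: 2
The number of registry entries fixed: 3
"""

FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*): \((?P<action>[^()]*)\)$")
REG_RE = re.compile(r"^registry: (?P<target>.+?) \((?P<action>.*)\)$")
COUNT_RE = re.compile(r"^The number of (?P<what>deleted files|registry entries fixed): (?P<n>\d+)$")
IE_CACHE = "\\temporary internet files\\"   # IE's cache folder, as in the quoted paths


def parse_log(text):
    """Split a removal-tool log into file entries, registry entries and the tool's own counts."""
    files, regs, counts = [], [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if (m := REG_RE.match(line)):
            regs.append((m["target"], m["action"]))
        elif (m := FILE_RE.match(line)):
            path, action = m["path"], m["action"]
            if action != "deleted":
                kind = "skipped"
            elif IE_CACHE in path.lower():
                kind = "ie_cache"   # cached web content: expendable
            else:
                kind = "other"      # deleted outside the cache: worth a second look
            files.append((path, action, kind))
        elif (m := COUNT_RE.match(line)):
            counts[m["what"]] = int(m["n"])
    return {"files": files, "registry": regs, "counts": counts}


def summarize(parsed):
    """Per-kind counts, a GIF-only check, and whether entries reconcile with the report lines."""
    kinds = Counter(kind for _, _, kind in parsed["files"])
    deleted = kinds["ie_cache"] + kinds["other"]
    gif_only = all(p.lower().endswith(".gif") for p, a, _ in parsed["files"] if a == "deleted")
    counts = parsed["counts"]
    consistent = (counts.get("deleted files") == deleted
                  and counts.get("registry entries fixed") == len(parsed["registry"]))
    return {"deleted": deleted, "ie_cache": kinds["ie_cache"], "other": kinds["other"],
            "skipped": kinds["skipped"], "registry_fixed": len(parsed["registry"]),
            "all_deleted_are_gifs": gif_only, "matches_report": consistent}
```

Run against the full logs pasted in the first post, both the 16-file and the 6-file run reconcile with their report lines, and every deleted entry is a GIF.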
