Old 01-01-2006, 09:07 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 5
OS: XP Pro


Mystery Toolbar

Hi Guys,

I'm very new to this, have been reading about HijackThis and its fixes after finding an article, lostinmyrearvew dated 25/10/04 with the same problem I am having. I followed the process, but have had no luck.

The tool bar is blue with, Make Money, Music, Casio, Dating*, Travel*, Careers*, Investing, Travel, Mortgage, Credit*, Computers*, Insurance, with a search box and a red close type box.

This starts each time I start internet Explorer and can only be stopped by restarting the PC.

I am running XP pro with all the updates I know about.

Any help would be awesome.



Logfile of HijackThis v1.99.1
Scan saved at 3:03:41 PM, on 2/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aitahxpvetwmzmxyqbcefwbfr.com..._Hb/5ZibU.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.needlecraftcottage.com.au/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Tick Deaf Clock Global] C:\Documents and Settings\All Users\Application Data\GridBindTickDeaf\namedash.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Draw Ford Bone Body] C:\Documents and Settings\All Users\Application Data\PureFragDrawFord\Meow Site.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ONE WARN] C:\DOCUME~1\PETERE~1\APPLIC~1\FRAGLI~1\math tons bleh.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edge...oadManager.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/c...b?ver=1,1,0,30
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessenger.com/activex/...tupProject.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
Peter Evans is offline  
Old 01-02-2006, 03:13 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,489
OS: N/A


Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install - CleanUp.exe (not recommended for WinXP64)

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aitahxpvetwmzmxyqbcefwbfr.com..._Hb/5ZibU.html
O4 - HKLM\..\Run: [Tick Deaf Clock Global] C:\Documents and Settings\All Users\Application Data\GridBindTickDeaf\namedash.exe
O4 - HKLM\..\Run: [Draw Ford Bone Body] C:\Documents and Settings\All Users\Application Data\PureFragDrawFord\Meow Site.exe
O4 - HKCU\..\Run: [ONE WARN] C:\DOCUME~1\PETERE~1\APPLIC~1\FRAGLI~1\math tons bleh.exe



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Documents and Settings\All Users\Application Data\GridBindTickDeaf\
    C:\Documents and Settings\All Users\Application Data\PureFragDrawFord\
    C:\Documents and Settings\PETERE~1\Application Data\FRAGLI~1\

* * * * *


Click on the Start button & select Run
Type in tasks & click Ok
In the ensuing window, click on the 'Advanced' menu (located above) & select 'View Hidden Tasks'
Review all the tasks/jobs at hand. You should be able to recognise jobs that you have created yourself.
Delete hidden jobs that look like these:
  • A034B7FF91BB36BB.job
    A06F1FEF91A49933.job
    A2C3205A93B8CDFA.job
    A36F645091B91BF0.job
    A42C6F7190EFE559.job
You can recognise them by the fact that they're hidden & have names that consist of 16 random letters.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Download fl.zip.
Extract the contents to a new folder on Desktop. (do NOT run it from within the zip file)
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  1. HiJackThis
  2. FindLOP.txt
  3. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

Question - what have you done for the community today?
sUBs is offline  
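As an added example (not part of this thread, of HijackThis, or of the FindLOP tool), a small Python triage script that applies the two heuristics the reply above relies on: Run entries that launch from a user-profile Application Data folder (long or 8.3 short form), and hidden scheduled-task names made of 16 hex characters with no descriptive name. The O4 lines and the first two job names are copied from this thread; the script, its regexes and function names are my own assumptions about how to encode those checks.

```python
import re

# Constructed sample: O4 (autostart) lines copied from the HijackThis log posted
# in this thread, mixed with legitimate entries from the same log.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [Tick Deaf Clock Global] C:\Documents and Settings\All Users\Application Data\GridBindTickDeaf\namedash.exe",
    r'O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"',
    r"O4 - HKLM\..\Run: [Draw Ford Bone Body] C:\Documents and Settings\All Users\Application Data\PureFragDrawFord\Meow Site.exe",
    r"O4 - HKCU\..\Run: [ONE WARN] C:\DOCUME~1\PETERE~1\APPLIC~1\FRAGLI~1\math tons bleh.exe",
    r'O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized',
]

# Constructed sample: names as they would appear in the Scheduled Tasks window
# with 'View Hidden Tasks' enabled; the first two are quoted in the reply above,
# the last two are typical legitimate job names added for contrast.
SAMPLE_JOB_NAMES = [
    "A034B7FF91BB36BB.job",
    "A06F1FEF91A49933.job",
    "At1.job",
    "GoogleUpdateTaskMachine.job",
]

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A quoted executable path at the start of the command line.
QUOTED_RE = re.compile(r'^"(?P<path>[^"]*)"')
# An unquoted path: take everything up to the first executable extension,
# which copes with paths containing spaces such as "Meow Site.exe".
UNQUOTED_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|bat|scr|pif|dll))(?=[\s,]|$)", re.IGNORECASE)
# Hidden task names of 16 hex digits, as described in the reply above.
RANDOM_JOB_RE = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)
# A profile "Application Data" directory in long or 8.3 short form.
APPDATA_RE = re.compile(r"\\(application data|applic~1)\\", re.IGNORECASE)


def parse_o4(line):
    """Split an O4 Run line into hive, value name and command line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"hive": m.group("hive"), "name": m.group("name"), "cmd": m.group("cmd")}


def target_path(cmd):
    """Return the executable an O4 command line launches, without arguments."""
    m = QUOTED_RE.match(cmd)
    if m:
        return m.group("path")
    m = UNQUOTED_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def is_appdata_launch(path):
    """True when the launched file lives under a profile's Application Data."""
    return APPDATA_RE.search(path) is not None


def suspicious_run_entries(lines):
    """Return (hive, value name, path) for Run entries launching from Application Data."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        path = target_path(entry["cmd"])
        if is_appdata_launch(path):
            hits.append((entry["hive"], entry["name"], path))
    return hits


def is_random_job_name(name):
    """True for hidden-task names that are exactly 16 hex characters plus .job."""
    return RANDOM_JOB_RE.match(name) is not None


def random_job_names(names):
    """Filter a list of .job names down to the random-hex ones."""
    return [n for n in names if is_random_job_name(n)]


if __name__ == "__main__":
    for hive, name, path in suspicious_run_entries(SAMPLE_O4_LINES):
        print(f"Review Run entry [{name}] in {hive}: launches {path}")
    for job in random_job_names(SAMPLE_JOB_NAMES):
        print(f"Review hidden task: {job}")
```

Run against the first log in this thread it flags exactly the three O4 entries the reply asks to fix; a legitimate program launching from Application Data would be flagged too, so treat a hit as something to review, not delete on sight.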
Old 01-03-2006, 04:20 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 5
OS: XP Pro


Thank you for the quick response.

Is Cleanup another program I should download prior to proceeding?
Peter Evans is offline  
Old 01-03-2006, 05:08 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,489
OS: N/A


Yes..please download & install the program - CleanUp!

We have need of it
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 01-04-2006, 05:47 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 5
OS: XP Pro


Success so far, thank you

Have just finished so it's a bit hard to comment on performance, but it seems much faster. I had no real problems with the process, just some nerves; it has taken over 3 hours to do.

The online scan was a bit scary with 20 odd viruses.

The tool bar has disappeared.

Here are the results

Logfile of HijackThis v1.99.1
Scan saved at 11:36:28 PM, on 4/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.needlecraftcottage.com.au/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edge...oadManager.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/c...b?ver=1,1,0,30
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessenger.com/activex/...tupProject.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

Findlop

Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\Administrator\Application Data

29/01/2003 12:49 PM <DIR> Identities
29/01/2003 12:53 PM <DIR> InterTrust
0 File(s) 0 bytes
2 Dir(s) 39,424,778,240 bytes free
Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\All Users\Application Data

09/07/2005 07:02 PM <DIR> CyberLink
23/11/2005 06:01 PM <DIR> Kodak
30/01/2003 10:15 PM <DIR> MSN6
23/11/2005 06:07 PM <DIR> QuickTime
19/11/2005 06:40 PM <DIR> Skype
14/10/2005 07:50 PM <DIR> Spybot - Search & Destroy
09/10/2004 06:16 PM <DIR> Trymedia
06/08/2005 10:19 AM <DIR> Windows Genuine Advantage
14/12/2005 12:00 PM <DIR> yahoo!
0 File(s) 0 bytes
9 Dir(s) 39,424,774,144 bytes free
Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\Brad Evans\Application Data

16/04/2003 09:39 PM <DIR> Adobe
19/06/2004 06:54 PM 73,464 GDIPFONTCACHEV1.DAT
25/05/2004 08:10 PM <DIR> Hotbar
29/01/2003 12:49 PM <DIR> Identities
29/01/2003 12:53 PM <DIR> InterTrust
05/12/2004 07:15 PM <DIR> Macromedia
25/07/2003 08:42 PM <DIR> MSN6
1 File(s) 73,464 bytes
6 Dir(s) 39,424,774,144 bytes free
Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\Lauren Evans\Application Data

21/05/2003 06:46 PM <DIR> Adobe
11/04/2005 10:19 AM <DIR> CloseLogo
11/04/2005 01:11 PM 71,880 GDIPFONTCACHEV1.DAT
06/03/2004 08:24 AM <DIR> Hotbar
29/01/2003 12:49 PM <DIR> Identities
29/01/2003 12:53 PM <DIR> InterTrust
16/07/2005 01:18 PM <DIR> Macromedia
1 File(s) 71,880 bytes
6 Dir(s) 39,424,774,144 bytes free
Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\Louise Evans\Application Data

01/02/2003 05:11 PM <DIR> Adobe
29/01/2003 12:49 PM <DIR> Identities
29/01/2003 12:53 PM <DIR> InterTrust
0 File(s) 0 bytes
3 Dir(s) 39,424,774,144 bytes free
Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\Peter Evans\Application Data

04/01/2006 09:05 PM <DIR> .
04/01/2006 09:05 PM <DIR> ..
17/02/2003 08:55 PM <DIR> Adobe
26/12/2005 09:20 AM <DIR> ArcSoft
02/01/2006 01:49 PM <DIR> CloseLogo
15/10/2005 10:47 AM 24,281 Comma Separated Values (Windows).ADR
20/08/2004 03:19 PM <DIR> Download Manager
07/10/2005 11:33 AM 77,680 GDIPFONTCACHEV1.DAT
20/08/2003 11:46 PM <DIR> Help
29/01/2003 12:49 PM <DIR> Identities
25/01/2005 02:39 PM <DIR> Incredible Ink
29/01/2003 12:53 PM <DIR> InterTrust
22/08/2004 05:11 PM <DIR> Kontiki
09/07/2005 11:48 PM <DIR> Lavasoft
24/07/2005 05:47 PM <DIR> Leadertech
17/12/2005 01:48 PM <DIR> LPC
22/05/2004 12:12 AM <DIR> Macromedia
22/06/2003 07:47 PM <DIR> MSN6
04/01/2006 11:22 PM <DIR> Skype
01/03/2005 09:34 PM <DIR> spweng
27/09/2005 11:46 PM <DIR> VERITAS
15/08/2005 11:55 PM <DIR> Wildfire
2 File(s) 101,961 bytes
20 Dir(s) 39,424,774,144 bytes free
Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\Default User\Application Data

29/01/2003 12:53 PM <DIR> .
29/01/2003 12:53 PM <DIR> ..
29/01/2003 11:31 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 39,424,770,048 bytes free
Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is FC91-296A

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues

Online scan

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 04, 2006 23:22:04
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/01/2006
Kaspersky Anti-Virus database records: 168951
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 87767
Number of viruses found: 24
Number of infected objects: 96
Number of suspicious objects: 0
Duration of the scan process: 4070 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Lauren Evans\Application Data\CloseLogo\mediabalm.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\Documents and Settings\Peter Evans\Local Settings\Application Data\Identities\{BB88A5CF-F660-4647-BFC2-65B6B742A9CC}\Microsoft\Outlook Express\e-Bay.dbx/[From "eBay SafeHarbor" <safeharbor@ebay.com>][Date Thu, 15 Dec 2005 11:00:38 -0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.im
C:\Documents and Settings\Peter Evans\Local Settings\Application Data\Identities\{BB88A5CF-F660-4647-BFC2-65B6B742A9CC}\Microsoft\Outlook Express\e-Bay.dbx/[From "eBay SafeHarbor" <safeharbor@ebay.com>][Date Thu, 15 Dec 2005 11:00:38 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.im
C:\Documents and Settings\Peter Evans\Local Settings\Application Data\Identities\{BB88A5CF-F660-4647-BFC2-65B6B742A9CC}\Microsoft\Outlook Express\e-Bay.dbx/[From "eBay SafeHarbor" <safeharbor@ebay.com>][Date Thu, 15 Dec 2005 11:00:38 -0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.im
C:\Documents and Settings\Peter Evans\Local Settings\Application Data\Identities\{BB88A5CF-F660-4647-BFC2-65B6B742A9CC}\Microsoft\Outlook Express\e-Bay.dbx/[From "eBay SafeHarbor" <safeharbor@ebay.com>][Date Thu, 15 Dec 2005 11:00:38 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.im
C:\Documents and Settings\Peter Evans\Local Settings\Application Data\Identities\{BB88A5CF-F660-4647-BFC2-65B6B742A9CC}\Microsoft\Outlook Express\e-Bay.dbx Infected: Trojan-Spy.HTML.Bayfraud.im
C:\Documents and Settings\Peter Evans\Local Settings\Application Data\Identities\{BB88A5CF-F660-4647-BFC2-65B6B742A9CC}\Microsoft\Outlook Express\Stress Relief.dbx/[From Alison & Dave L <alicat@telstra.com>][Date Date header was inserted by mta02bw.email.bigpond.com]/UNNAMED/Kids Infected: Email-Worm.Win32.Tanatos.b
C:\Documents and Settings\Peter Evans\Local Settings\Application Data\Identities\{BB88A5CF-F660-4647-BFC2-65B6B742A9CC}\Microsoft\Outlook Express\Stress Relief.dbx/[From Alison & Dave L <alicat@telstra.com>][Date Date header was inserted by mta02bw.email.bigpond.com]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b
C:\Documents and Settings\Peter Evans\Local Settings\Application Data\Identities\{BB88A5CF-F660-4647-BFC2-65B6B742A9CC}\Microsoft\Outlook Express\Stress Relief.dbx Infected: Email-Worm.Win32.Tanatos.b
C:\Downloads\EJPuzzle-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.a
C:\Downloads\JewelQuestSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.a
C:\Program Files\GameRival\Flipwit\KeenValueInstall_121.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\GameRival\Flipwit\KeenValueInstall_121.exe/data0005 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\GameRival\Flipwit\KeenValueInstall_121.exe/data0006 Infected: not-a-virus:AdWare.Win32.Perfnav.d
C:\Program Files\GameRival\Flipwit\KeenValueInstall_121.exe Infected: not-a-virus:AdWare.Win32.Perfnav.d
C:\Program Files\GameRival\Flipwit\setup_incredifind_game_bundles.exe/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\GameRival\Flipwit\setup_incredifind_game_bundles.exe/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\GameRival\Flipwit\setup_incredifind_game_bundles.exe/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\GameRival\Flipwit\setup_incredifind_game_bundles.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\GameRival\Flipwit\setup_incredifind_game_bundles.exe/data0008 Infected: Trojan-Downloader.Win32.Keenval.e
C:\Program Files\GameRival\Flipwit\setup_incredifind_game_bundles.exe/data0009 Infected: Trojan-Downloader.Win32.Keenval.e
C:\Program Files\GameRival\Flipwit\setup_incredifind_game_bundles.exe Infected: Trojan-Downloader.Win32.Keenval.e
C:\Program Files\GameRival\Flipwit\setup_powersearch_gamebar_with_track.exe/data0002 Infected: not-a-virus:AdWare.Win32.PowerSearch.b
C:\Program Files\GameRival\Flipwit\setup_powersearch_gamebar_with_track.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.e
C:\Program Files\GameRival\Flipwit\setup_powersearch_gamebar_with_track.exe Infected: Trojan-Downloader.Win32.Keenval.e
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000248.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000249.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000250.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000251.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000252.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000253.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000254.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000255.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000256.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000257.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000258.exe Infected: not-a-virus:AdWare.Win32.Lop.z
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000259.exe Infected: not-a-virus:AdWare.Win32.Lop.z
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000260.exe Infected: Trojan-Downloader.Win32.Swizzor.di
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000261.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000262.exe Infected: Trojan-Downloader.Win32.Swizzor.de
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000263.exe Infected: Trojan-Downloader.Win32.Swizzor.dr
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000264.exe Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000265.exe Infected: not-a-virus:AdWare.Win32.Lop.p
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000266.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000267.exe Infected: not-a-virus:AdWare.Win32.Lop.p
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000268.exe Infected: Trojan-Downloader.Win32.Swizzor.de
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000269.exe Infected: Trojan-Downloader.Win32.Swizzor.df
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000270.exe Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000271.exe Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000272.exe Infected: not-a-virus:AdWare.Win32.Lop.ab
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000273.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000274.exe Infected: not-a-virus:AdWare.Win32.Lop.ad
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000275.exe Infected: Trojan-Downloader.Win32.Swizzor.de
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000276.exe Infected: not-a-virus:AdWare.Win32.Lop.j
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000277.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000278.exe Infected: not-a-virus:AdWare.Win32.Lop.z
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000279.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000280.exe Infected: Trojan-Downloader.Win32.Swizzor.dr
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000281.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000282.exe Infected: not-a-virus:AdWare.Win32.Lop.j
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000283.exe Infected: Trojan-Downloader.Win32.Swizzor.dh
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000284.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000285.exe Infected: not-a-virus:AdWare.Win32.Lop.j
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000286.exe Infected: not-a-virus:AdWare.Win32.Lop.p
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000287.exe Infected: Trojan-Downloader.Win32.Swizzor.de
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000288.exe Infected: Trojan-Downloader.Win32.Swizzor.de
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000289.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000290.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000291.exe Infected: not-a-virus:AdWare.Win32.Lop.p
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000292.exe Infected: not-a-virus:AdWare.Win32.Lop.ad
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000293.exe Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000294.exe Infected: not-a-virus:AdWare.Win32.Lop.ab
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000295.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000296.exe Infected: not-a-virus:AdWare.Win32.Lop.ab
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000297.exe Infected: not-a-virus:AdWare.Win32.Lop.j
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000298.exe Infected: Trojan.Win32.Krepper.ab
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000299.exe Infected: not-a-virus:AdWare.Win32.Lop.z
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000300.exe Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000301.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000302.exe Infected: Trojan-Downloader.Win32.Swizzor.df
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000303.exe Infected: Trojan-Downloader.Win32.Swizzor.de
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000304.exe Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000305.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000306.exe Infected: Trojan-Downloader.Win32.Swizzor.de
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000307.exe Infected: Trojan-Downloader.Win32.Swizzor.de
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000308.exe Infected: not-a-virus:AdWare.Win32.Lop.z
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000309.exe Infected: not-a-virus:AdWare.Win32.Lop.z
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000310.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000311.exe Infected: not-a-virus:AdWare.Win32.Lop.z
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000312.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000313.exe Infected: not-a-virus:AdWare.Win32.Lop.ad
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000314.exe Infected: not-a-virus:AdWare.Win32.Lop.p
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000315.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\System Volume Information\_restore{F31BBE68-68FA-4198-90BA-60A3AD2912DC}\RP5\A0000316.exe Infected: not-a-virus:AdWare.Win32.Lop.ad
C:\unzipped\hijackthis\backups\backup-20060102-134927-582.dll Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\WINDOWS\m7.exe Infected: Trojan-Downloader.Win32.Swizzor.bt

Scan process completed.
Old 01-04-2006, 06:11 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,489
OS: N/A


Please launch Outlook Express & log on to the appropriate account to delete these:

e-Bay.dbx
[From "eBay SafeHarbor" <safeharbor@ebay.com>][Date Thu, 15 Dec 2005 11:00:38 -0500]/UNNAMED/html
[From "eBay SafeHarbor" <safeharbor@ebay.com>][Date Thu, 15 Dec 2005 11:00:38 -0500]/UNNAMED/html

Stress Relief.dbx

[From Alison & Dave L <alicat@telstra.com>][Date Date header was inserted by mta02bw.email.bigpond.com]/UNNAMED/Kids


Reboot to Safe Mode


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • Flipwit
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Documents and Settings\All Users\Application Data\Trymedia
    C:\Documents and Settings\Brad Evans\Application Data\Hotbar
    C:\Documents and Settings\Lauren Evans\Application Data\CloseLogo
    C:\Documents and Settings\Lauren Evans\Application Data\Hotbar
    C:\Documents and Settings\Peter Evans\Application Data\CloseLogo
    C:\Documents and Settings\Peter Evans\Application Data\spweng
    C:\Downloads\EJPuzzle-dm[1].exe
    C:\Downloads\JewelQuestSetup-dm[1].exe
    C:\Program Files\GameRival\
    C:\WINDOWS\m7.exe

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.


Reboot to Normal Mode & post a fresh HJT log.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 01-04-2006 at 06:31 AM.
Old 01-05-2006, 04:33 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 5
OS: XP Pro


Thank you again,

I think it is looking and performing better now.

Attached is the hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:26:11 PM, on 5/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\CA\eTrust Vet Antivirus\autodown.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.needlecraftcottage.com.au/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edge...oadManager.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/c...b?ver=1,1,0,30
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessenger.com/activex/...tupProject.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
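Logs like the one above are normally read by eye, section by section. As an added example (not part of this thread, and not code from HijackThis or Tech Support Forum), the Python below applies a few mechanical triage rules to HJT-format lines: autostart entries that run a file dropped directly in the Windows root, ActiveX (O16 DPF) controls fetched from a host outside a small allowlist, services with "Unknown owner", and nameless BHOs. The sample lines are constructed: most are copied from the log above, while the [m7] Run entry and the "GameBar Installer" DPF line are invented to exercise the rules, and TRUSTED_DPF_HOSTS is an assumed allowlist.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "high", "medium" or "info"
    reason: str
    line: str


# Assumption: a tiny allowlist of ActiveX download hosts the reviewer has already
# vetted. Real triage would use a larger, maintained list.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "www.kaspersky.com", "security.symantec.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(
    r"^Service: (?P<desc>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
# First drive-letter path in a command line, stopping at the executable/library extension
# so quotes, commas (rundll32 entry points) and trailing switches are not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd)\b", re.IGNORECASE)

# Constructed sample in HijackThis v1.99.1 format. The [m7] Run entry and the
# GameBar DPF line are invented; the other lines mirror the log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.needlecraftcottage.com.au/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [m7] C:\WINDOWS\m7.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {00000000-0000-0000-0000-000000000000} (GameBar Installer) - http://downloads.example.net/gamebar.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
"""


def first_path(cmd: str) -> Optional[str]:
    """Return the first file path in a Run/command string, or None."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def in_windows_root(path: str) -> bool:
    # True for a file sitting directly in C:\WINDOWS with no subfolder, like the
    # m7.exe in this thread. Legitimate autostarts almost always live in
    # System32 or under Program Files, so this is a cheap, productive heuristic.
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[0] == "c:" and parts[1] == "windows"


def triage_entry(line: str) -> Optional[Finding]:
    """Apply the per-section rules to one HJT line; None means nothing to flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O2":
        b = O2_RE.match(body)
        if b and b.group("desc") == "(no name)":
            return Finding(section, "info", "BHO with no name; confirm the DLL belongs to a known product", line)
    elif section == "O4":
        b = O4_RE.match(body)
        path = first_path(b.group("cmd") if b else body)
        if path and in_windows_root(path):
            return Finding(section, "high", f"autostart runs a file dropped in the Windows root: {path}", line)
    elif section == "O16":
        b = O16_RE.match(body)
        if b:
            host = urlparse(b.group("url")).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                return Finding(section, "medium", f"ActiveX control downloaded from unvetted host {host}", line)
    elif section == "O23":
        b = O23_RE.match(body)
        if b and b.group("owner") == "Unknown owner":
            return Finding(section, "medium", f"service {b.group('name')} has no publisher: {b.group('path')}", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_entry over a whole log and keep only the flagged entries."""
    return [f for f in (triage_entry(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

The rules are deliberately narrow: an "Unknown owner" service is only a prompt to look at the binary (here it is the ISP's login service), and a nameless BHO is merely worth a glance (SDHelper.dll is Spybot's). The one rule that fires "high", a loader sitting directly in C:\WINDOWS, is the pattern the cleanup in this thread actually removed.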
Old 01-05-2006, 05:10 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,489
OS: N/A


Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
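Step 11 in the post above relies on one mechanism: a HOSTS entry that maps a domain to a loopback or unspecified address so the connection never leaves the machine. As an added example (not part of this thread and not the MVPS file itself), the Python below builds a block list in that style, parses a HOSTS file back, and sorts the entries into sinkholed names, the normal localhost lines, and the thing to watch for when you hand this file to a tool: a real domain pointed at a routable address, which is the same mechanism turned into a hijack. All hosts data here is constructed; the domain names and the 198.51.100.23 address are placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample. The first four data lines are what an MVPS-style block list
# looks like; the last line is a constructed hijack of a (hypothetical) vendor domain.
SAMPLE_HOSTS = """\
# MVPS-style block list (constructed sample)
127.0.0.1  localhost
127.0.0.1  ads.example-adserver.net
127.0.0.1  tracker.example-metrics.com  # trailing comment
0.0.0.0    banners.example-ads.org
198.51.100.23  downloads.example-antivirus.com
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

Entry = Tuple[int, str, str]   # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Parse HOSTS text into (lineno, address, name) tuples, one per hostname.
    Comments, blank lines, malformed lines and non-IP first fields are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip inline and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:                   # one line may list several names
            entries.append((lineno, str(addr), name.lower()))
    return entries


def classify(entries: List[Entry]) -> Dict[str, list]:
    """Split entries into sinkholed names (loopback or 0.0.0.0), the standard local
    names, and hijack candidates: names mapped to any other address."""
    report: Dict[str, list] = {"sinkholed": [], "local": [], "hijack_candidates": []}
    for lineno, addr, name in entries:
        ip = ipaddress.ip_address(addr)
        if name in LOCAL_NAMES:
            report["local"].append(name)
        elif ip.is_loopback or ip.is_unspecified:
            report["sinkholed"].append(name)
        else:
            report["hijack_candidates"].append((lineno, name, addr))
    return report


def build_blocklist(domains: List[str], sink: str = "0.0.0.0") -> str:
    """Emit an MVPS-style HOSTS fragment: one sink address per unique, lower-cased domain."""
    ipaddress.ip_address(sink)                    # fail early on a bad sink address
    seen = set()
    lines = ["# generated ad/tracker block list"]
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if d and d not in seen:
            seen.add(d)
            lines.append(f"{sink} {d}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = classify(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(report['sinkholed'])} names sinkholed, {len(report['local'])} local")
    for lineno, name, addr in report["hijack_candidates"]:
        print(f"line {lineno}: {name} -> {addr} is NOT a sinkhole; check this entry")
```

Two practical notes. First, 127.0.0.1 and 0.0.0.0 both block, but 127.0.0.1 makes the browser attempt a connection to the local loopback, which stalls if something is listening there, whereas 0.0.0.0 fails immediately; that is why build_blocklist defaults to 0.0.0.0. Second, because a HOSTS file can just as easily send a legitimate domain somewhere else, any file you install or inherit is worth running through classify first.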
Old 01-06-2006, 12:00 AM   #9 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 5
OS: XP Pro


Thank you once again,

You have been extremely helpful.

I will check out your other recommendations for future protection

Regards

Peter
 





Copyright 2001 - 2009, Tech Support Forum