problems with a trojan virus

 
 
Reply Mon 18 Jul, 2005 02:33 pm
My Norton antivirus software tells me I have a virus that it is unable to quarantine or delete. The name of it is eied. s7 c 77.exe and the threat name is Download.Trojan

I am about to start following the Yuckware removal instructions posted by timberlandko - I'll let you know how I get on.

I am based in London, UK. Hopefully the instructions will still apply over here?

 
timberlandko
 
  1  
Reply Thu 21 Jul, 2005 07:35 pm
It'll work in Blighty. Good luck, and lemme know how it goes.

A tip - Norton should give you the full path and filename - something like "C:\Windows\eied9(whatever)". If so, copy down the exact path and file name, then boot to safe mode, log into Windows as Administrator, navigate to the file using Windows Explorer, and either delete it or rename it to something like "old.(whatever filename)". Personally, I'd try renaming it first, which should prevent it from executing, and then wait a while before deleting it, just to make sure everything is OK without it.
0 Replies
 
kathtrout
 
  1  
Reply Thu 11 Aug, 2005 12:42 pm
logs here
So I've finally done all the things suggested, and here are the various logs:

First Ewido report

+ Created on: 21:15:33, 09/08/2005
+ Report-Checksum: A2390BD

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@focalink[1].txt -> Spyware.Cookie.Focalink : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adviva[6].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[5].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[3].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][3].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@x10[1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[4].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[3].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[3].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[3].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[3].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adviva[3].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[4].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][4].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][3].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][4].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[4].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[5].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][5].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adviva[4].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[6].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[5].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][3].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adviva[5].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[3].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[7].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][6].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[5].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[3].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@commission-junction[1].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyqjazgaqa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[6].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[2].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[4].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[4].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][7].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adtech[1].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][4].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[3].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[6].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][5].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[6].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][6].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[7].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[3].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adviva[2].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup


::Report End

Second Ewido report

+ Created on: 19:15:17, 11/08/2005
+ Report-Checksum: E03C8988

+ Scan result:

No infected objects found.


::Report End

Hijack report

Logfile of HijackThis v1.99.1
Scan saved at 19:39:09, on 11/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\Solution Center\service.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O1 - Hosts: 85.192.32.112 lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 online.lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 www.lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 www.lloydstsb.com
O1 - Hosts: 85.192.32.112 personal.barclays.co.uk
O1 - Hosts: 85.192.32.112 barclays.co.uk
O1 - Hosts: 85.192.32.112 ibank.barclays.co.uk
O1 - Hosts: 85.192.32.112 www.barclays.co.uk
O1 - Hosts: 85.192.32.112 www.nwolb.com
O1 - Hosts: 85.192.32.112 nwolb.com
O1 - Hosts: 85.192.32.112 hsbc.co.uk
O1 - Hosts: 85.192.32.112 www.hsbc.co.uk
O1 - Hosts: 85.192.32.112 abbey.com
O1 - Hosts: 85.192.32.112 www.abbey.com
O1 - Hosts: 85.192.32.112 www.abbey.co.uk
O1 - Hosts: 85.192.32.112 abbey.co.uk
O1 - Hosts: 85.192.32.112 cahoot.com
O1 - Hosts: 85.192.32.112 www.cahoot.com
O1 - Hosts: 85.192.32.112 www.cahoot.co.uk
O1 - Hosts: 85.192.32.112 cahoot.co.uk
O1 - Hosts: 85.192.32.112 www.co-operativebank.co.uk
O1 - Hosts: 85.192.32.112 co-operativebank.co.uk
O1 - Hosts: 85.192.32.112 www.co-operativebank.com
O1 - Hosts: 85.192.32.112 co-operativebank.com
O1 - Hosts: 85.192.32.112 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 www.smile.co.uk
O1 - Hosts: 85.192.32.112 smile.co.uk
O1 - Hosts: 85.192.32.112 www.cajamar.es
O1 - Hosts: 85.192.32.112 cajamar.es
O1 - Hosts: 85.192.32.112 www.cajamar.com
O1 - Hosts: 85.192.32.112 www.unicaja.es
O1 - Hosts: 85.192.32.112 unicaja.es
O1 - Hosts: 85.192.32.112 www.unicaja.com
O1 - Hosts: 85.192.32.112 unicaja.com
O1 - Hosts: 85.192.32.112 www.caixagalicia.es
O1 - Hosts: 85.192.32.112 caixagalicia.es
O1 - Hosts: 85.192.32.112 www.caixagalicia.com
O1 - Hosts: 85.192.32.112 caixagalicia.com
O1 - Hosts: 85.192.32.112 activa.caixagalicia.es
O1 - Hosts: 85.192.32.112 www.caixapenedes.es
O1 - Hosts: 85.192.32.112 caixapenedes.es
O1 - Hosts: 85.192.32.112 www.caixapenedes.com
O1 - Hosts: 85.192.32.112 caixapenedes.com
O1 - Hosts: 85.192.32.112 bancae.caixapenedes.com
O1 - Hosts: 85.192.32.112 www.caixasabadell.es
O1 - Hosts: 85.192.32.112 caixasabadell.es
O1 - Hosts: 85.192.32.112 www.caixasabadell.net
O1 - Hosts: 85.192.32.112 caixasabadell.net
O1 - Hosts: 85.192.32.112 www.cajamadrid.es
O1 - Hosts: 85.192.32.112 cajamadrid.es
O1 - Hosts: 85.192.32.112 www.cajamadrid.com
O1 - Hosts: 85.192.32.112 cajamadrid.com
O1 - Hosts: 85.192.32.112 oi.cajamadrid.es
O1 - Hosts: 85.192.32.112 www.ccm.es
O1 - Hosts: 85.192.32.112 ccm.es
O1 - Hosts: 85.192.32.112 www.haspa.de
O1 - Hosts: 85.192.32.112 haspa.de
O1 - Hosts: 85.192.32.112 ssl2.haspa.de
O1 - Hosts: 85.192.32.112 www.dresdner-bank.de
O1 - Hosts: 85.192.32.112 dresdner-bank.de
O1 - Hosts: 85.192.32.112 www.dresdner-privat.de
O1 - Hosts: 85.192.32.112 postbank.de
O1 - Hosts: 85.192.32.112 www.postbank.de
O1 - Hosts: 85.192.32.112 banking.postbank.de
O1 - Hosts: 85.192.32.112 www.sparda-b.de
O1 - Hosts: 85.192.32.112 sparda-b.de
O1 - Hosts: 85.192.32.112 www.bankingonline.de
O1 - Hosts: 85.192.32.112 www.raiffeisenbank-erding.de
O1 - Hosts: 85.192.32.112 raiffeisenbank-erding.de
O1 - Hosts: 85.192.32.112 www.vr-networld-ebanking.de
O1 - Hosts: 85.192.32.112 vr-networld-ebanking.de
O1 - Hosts: 85.192.32.112 www.bnhof.de
O1 - Hosts: 85.192.32.112 bnhof.de
O1 - Hosts: 85.192.32.112 www.deutsche-bank.de
O1 - Hosts: 85.192.32.112 deutsche-bank.de
O1 - Hosts: 85.192.32.112 meine.deutsche-bank.de
O1 - Hosts: 85.192.32.112 www.citibank.de
O1 - Hosts: 85.192.32.112 citibank.de
O1 - Hosts: 85.192.32.112 cipehb13.cdg.citibank.de
O1 - Hosts: 85.192.32.112 www.dkb.de
O1 - Hosts: 85.192.32.112 dkb.de
O1 - Hosts: 85.192.32.112 www.sparkasse-regensburg.de
O1 - Hosts: 85.192.32.112 sparkasse-regensburg.de
O1 - Hosts: 85.192.32.112 www.berliner-bank.de
O1 - Hosts: 85.192.32.112 berliner-bank.de
O1 - Hosts: 85.192.32.112 www.berliner-sparkasse.de
O1 - Hosts: 85.192.32.112 berliner-sparkasse.de
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [Boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: SMapplet - https://www.nwolb.co.uk/nwol/rbs_html/classes/SMapplet.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4544/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Any thoughts?
Kath
0 Replies
 
Don77
 
  1  
Reply Thu 11 Aug, 2005 03:35 pm
Hi Kath and welcome,

Download the Hoster from Here. Press "Restore Original Hosts" and press "OK". Exit the program.

Reboot your computer and post back a fresh HJT log please,
0 Replies
 
timberlandko
 
  1  
Reply Thu 11 Aug, 2005 07:36 pm
Given that the Host file redirects are to a Russian web address (one known to be involved with identity theft):
Quote:
% Information related to '85.192.32.0 - 85.192.33.255'
inetnum: 85.192.32.0 - 85.192.33.255
netname: BESTHOSTING
descr: Best Hosting LLC
descr: Moscow, Russia
descr: http://www.best-hosting.ru
country: RU
admin-c: AE1062-RIPE
tech-c: AE1062-RIPE
status: ASSIGNED PA
mnt-by: DN-MNT
source: RIPE # Filtered
person: Artur Enaliev
address: Kostiakova str., 12/6
address: Moscow, Russia
phone: +7 095 788 9484
nic-hdl: AE1062-RIPE
mnt-by: DN-MNT
source: RIPE # Filtered
% Information related to 'AE1062-RIPE'
route: 85.192.32.0/20
descr: Digital Network JSC
descr: Moscow, Russia
descr: http://www.msm.ru
descr: aggregate prefix
origin: AS12695
mnt-by: DN-MNT
source: RIPE # Filtered


That listing merely details the hosting firm - sorta like the landlord of the building that outfit operates out of. The Host firm itself has nothing to do with the bad guys - apparently, anyway. There is no information available for the web address itself, which appears to redirect through an ever-changing chain of other fraudulent addresses.

I strongly suggest you review and revise your bank and other financial records - by telephone, preferably, and certainly NOT from that computer. You should request new account numbers and PIN/Passwords all around right now, telling the financial institutions and merchants your personal computer data has been compromised. You should refrain from conducting any financial transactions or other exchanges of personal information from that computer until your system is cleaned up and secure once again. If you find you have been victimized, contact law enforcement immediately. Do not use your email or chat clients until this is cleared up, and once your system has been cleaned and secured, change ALL of your passwords - financial, email, website login, program access - ALL OF THEM.

If that sounds scary, it's meant to be.

This, among other things, is what you've got there:

Quote:
Sunbelt Discovers Major ID Theft Ring
NewsFactor Network, CA - Aug 8, 2005

By Jack M. Germain
August 8, 2005 11:45AM

Sunbelt President Alex Eckelberry announced the discovery of the spyware ring in a blog on his company's Web site on Friday. Eckelberry wrote that the keylogger's text file contained information from thousands of zombies, or spyware-compromised computers. "The scale is unimaginable," he wrote.

According to Florida security software firm Sunbelt Software, both the Federal Bureau of Investigation (FBI) and the Secret Service are looking into evidence of a possible international identity theft ring the company discovered last Thursday.
Sunbelt President Alex Eckelberry announced the discovery of the spyware ring in a blog on his company's Web site on Friday. He provided more details in blog entries over the weekend.

Phil Owens, Sunbelt's product manager of security tools, and David Bove, Sunbelt's director of spyware research, said the company's spyware researcher, Patrick Jordan, discovered suspicious server activity that was delivering malicious spyware late Thursday.

They said Jordan discovered a keylogger program running on a test computer and traced that file's payload location to the source, where he succeeded in accessing stolen information in a large text file stored there.

Keylogger programs are secretly installed spyware components that capture information entered into computers without the users' knowledge. The text file generated by the keylogger program contained bank account numbers, financial URLs, user identifications, search terms, social security numbers, credit cards, user passwords and eBay account information.

Scale Unimaginable

Eckelberry wrote in a blog entry on Saturday that the text file contained information from thousands of zombies, or spyware-compromised computers. "The scale is unimaginable," he wrote.

Eckelberry's blog said that Jordan was doing research on an exploit when he discovered the theft ring. Jordan found that the machine he was testing became a spam zombie during the course of his research. He noticed a call-back to a remote server where he found "an incredibly sophisticated criminal identity theft ring."

According to Eckelberry, the server domain to which Jordan traced the call back is registered to a foreign entity. However, the server itself is in the U.S.

Evidence of Spyware

Sunbelt's Owens and Bove said the keylogging-generated text file was growing at 200 KB per hour. It contained banking information from user accounts from around the world. "The information was in more than one language, but we were able to work with the information sent to the server in English," they said.

They watched the date and time stamps get appended to the text file at the receiving URL for several hours. They also observed the URL's operators take down the text file periodically, presumably to process the stolen information, then put the text file back online.

"That was quite a scary database they were accumulating," said Owens. "We watched data get reported from multiple time zones."

Contacted Some Victims

Owens said he and Bove notified Eckelberry Thursday night about their discovery. Together, trying to figure out what the keylogging program was doing, the company officials accessed several of the bank accounts using information Jordan obtained from the text file on the rogue server.

"We logged directly into two accounts. One account held US$350,000; the other one had $11,000. The accounts were readily accessible for electronic transactions," Owens said.

"It was actually quite a scary experience when we were logging onto bank sites," said Bove.

They contacted those two account holders about the identity theft and contacted the FBI Thursday night.

Victims Jeopardized

Eckelberry wrote in his blog that company officials were so disturbed by the impact of the identity theft on some of the victims that they were compelled to contact them right away.

"We contacted individuals who were in direct jeopardy of losing a considerable amount of money," he wrote.

Eckelberry said he personally contacted one family in Alabama whose father was recovering from heart surgery and had very little money. All of their financial and personal information was exposed.

"We were able to warn them in time before they were seriously hurt," he said.
0 Replies
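The HijackThis log above and timberlandko's whois lookup together show the pattern a defender wants to spot automatically: many banking hostnames pinned in the hosts file to one public IP, and that IP sitting inside a network block that turned up in the investigation. The script below is an added example for this thread, not a tool from HijackThis, Sunbelt or any poster; it parses "O1 - Hosts:" lines, ignores the normal loopback, private and sinkhole entries, and reports any public IP that collects several hostnames, financial-looking hostnames, or falls inside the 85.192.32.0/20 route quoted from the RIPE record. The sample log lines and the list of financial keywords are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few HijackThis "O1 - Hosts:" lines in the format seen in the
# thread's log, plus benign entries (localhost, an intranet alias) and one non-O1 line.
SAMPLE_HJT_LINES = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 85.192.32.112 lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 online.lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 www.barclays.co.uk
O1 - Hosts: 85.192.32.112 banking.postbank.de
O1 - Hosts: 192.168.1.20 intranet.example
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# Substrings that suggest a financial-institution hostname. This is an assumption made
# for the example, not an authoritative list; in practice use a curated domain list.
FINANCIAL_HINTS = ("bank", "lloydstsb", "barclays", "hsbc", "nwolb",
                   "sparkasse", "caja", "caixa", "abbey", "cahoot")

# Network block taken from the RIPE route object quoted in the thread (85.192.32.0/20).
SUSPECT_PREFIXES = [ipaddress.ip_network("85.192.32.0/20")]

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_o1_entries(text):
    """Return (ip, hostname) pairs from 'O1 - Hosts:' lines; other HJT line types are skipped."""
    entries = []
    for line in text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def is_benign_target(ip_text):
    """Loopback, private and unspecified (0.0.0.0 ad-block sinkhole) targets are normal hosts-file use."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable target: let it through to be reported
    return ip.is_loopback or ip.is_private or ip.is_unspecified


def looks_financial(hostname):
    return any(hint in hostname for hint in FINANCIAL_HINTS)


def in_suspect_prefix(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in SUSPECT_PREFIXES)


def triage_hosts_entries(text, min_hosts=3):
    """Group hosts-file entries by target IP and attach reasons for concern.

    Returns {ip: {"hosts": [...], "reasons": [...]}} containing only IPs that earned
    at least one reason; benign targets (loopback/private/0.0.0.0) are dropped first.
    """
    by_ip = defaultdict(list)
    for ip, host in parse_o1_entries(text):
        by_ip[ip].append(host)

    findings = {}
    for ip, hosts in by_ip.items():
        if is_benign_target(ip):
            continue
        reasons = []
        if len(hosts) >= min_hosts:
            reasons.append(f"{len(hosts)} hostnames pinned to one public IP")
        financial = [h for h in hosts if looks_financial(h)]
        if financial:
            reasons.append(f"{len(financial)} financial-looking hostnames redirected")
        if in_suspect_prefix(ip):
            reasons.append("target IP lies inside a prefix flagged in this investigation")
        if reasons:
            findings[ip] = {"hosts": sorted(hosts), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, info in triage_hosts_entries(SAMPLE_HJT_LINES).items():
        print(f"{ip}: {', '.join(info['reasons'])}")
        for host in info["hosts"]:
            print(f"    {host}")
```

On a real log, feed the whole HJT text to triage_hosts_entries; the regex only picks up O1 lines, so the rest of the file is harmless. The "many hostnames to one public IP" rule is the one that generalises: a legitimate hosts file almost never maps third-party domains to a public address, so that alone is worth an alert even when no bank name or known-bad prefix is involved.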
 
Don77
 
  1  
Reply Thu 11 Aug, 2005 09:49 pm
Great spot Timber, should have looked a little deeper into this one, was staring me right in the face.

Have a look Here

There is a removal tool that can be found Here. Download the trial version of CounterSpy.
0 Replies
 
kathtrout
 
  1  
Reply Fri 12 Aug, 2005 02:33 am
Hi timber

Is all that scary stuff meant for me, or Don77? I'm assuming me, in which case I'd better start contacting my banks straight away. Can you confirm? Sorry, I'm a bit of a technophobe, so I don't really understand much of the detail. So to clean up my computer, should I download the trial version of CounterSpy as suggested by Don77?

Thanks for your help!

Kath
0 Replies
 
goodfielder
 
  1  
Reply Fri 12 Aug, 2005 02:39 am
Well I used counterspy today to help with some junk that I had that was doing all kinds of bad things. Worked a treat. All cleaned up.
0 Replies
 
timberlandko
 
  1  
Reply Fri 12 Aug, 2005 07:21 am
Kath, that was meant for you. I'd say try CounterSpy, as Don recommends, and see what happens. Alternatively, Sunbelt has posted a free standalone fix, which I think might be better than downloading and installing an entire trial program, available HERE. Whichever, run it through, and let us know what you come up with. Post back another HJT log when you've finished. And get busy contacting your financial institutions.

Also, it seems that the major antivirus vendors, and Lavasoft (Ad-Aware's vendor) have caught up to this one too. After running the Sunbelt fix, update your anti-virus signatures and Ad-Aware SE, and perform full system scans with each. I'm not certain Microsoft Antispyware has caught up yet (there are reports either way), but it wouldn't hurt to update it and run a full scan as well. As always, run all scan-and-fix operations while in safe mode.
0 Replies
 