Here is the log after the first scan of ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 4:18:26 PM, 6/17/2005
+ Report-Checksum: D41F4805
+ Date of database: 6/17/2005
+ Version of scan engine: v3.0
+ Duration: 22 min
+ Scanned Files: 68222
+ Speed: 50.82 Files/Second
+ Infected files: 32
+ Removed files: 31
+ Files put in quarantine: 31
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\DMuir\Cookies\dmuir@7035776[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\dmuir@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DMuir\Local Settings\Temp\b.com -> TrojanDownloader.VB.ft -> Cleaned with backup
C:\Documents and Settings\DMuir\Local Settings\Temporary Internet Files\Content.IE5\69KJUZAP\AppWrap[1].exe -> TrojanDownloader.VB.ft -> Cleaned with backup
C:\Program Files\TightVNC\VNCHooks.dll -> Backdoor.WinVNC-based.b -> Cleaned with backup
C:\Program Files\TightVNC\WinVNC.exe -> Backdoor.WinVNC-based.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.ocx -> Spyware.MediaTickets -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.ocx -> Spyware.MediaTickets -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0011.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0019.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0025.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\WINDOWS\SYSTEM32\!cxdxregt.exe -> Trojan.Zx.12 -> Cleaned with backup
C:\WINDOWS\SYSTEM32\!nsnBF.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINDOWS\SYSTEM32\!qrdxregu.exe -> Trojan.Zx.12 -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hzixbd.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hzixbf.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDownloader.VB.ft -> Cleaned with backup
::Report End
Here is the scan after the second run of ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 4:51:51 PM, 6/17/2005
+ Report-Checksum: 7DBD26F8
+ Date of database: 6/17/2005
+ Version of scan engine: v3.0
+ Duration: 25 min
+ Scanned Files: 68391
+ Speed: 44.92 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
::Report End
===========
Here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:04:31 PM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
BTW, WinVNC is our own software.