Okay Greyknight - here's everything you asked for:
Ewido Scan
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:42:35 PM, 5/30/2005
+ Report-Checksum: BBF01D58
+ Date of database: 5/31/2005
+ Version of scan engine: v3.0
+ Duration: 112 min
+ Scanned Files: 202546
+ Speed: 30.10 Files/Second
+ Infected files: 67
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
D:\
E:\
F:\
I:\
J:\
K:\
L:\
+ Scan result:
C:\Documents and Settings\Jason\Cookies\jason@14254446[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@20262100[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@45813911[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@86859256[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@bcentral[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@burstnet[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@com[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@dcs0sapavqljwp9m8brr0j29b_1l1j[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@dcs375hcwoifwzzshyym5x58f_1i9u[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@dcskqeg2voifwznnd6alhtnei_8f3u[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@gostats[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@indiads[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@link[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@LPplayersonly[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@LPquadratec[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@p[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S113855[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S115270[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S123831[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S124248[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S130376[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S148884[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S149247[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\jason@S151261[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\fen0eGA.exe -> TrojanDownloader.IstBar.hp -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\QGE\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\RarSFX0\rinst.exe -> TrojanSpy.Perfloger.h -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\temp.fr3C4B -> Trojan.Agent.db -> Ignored
C:\Documents and Settings\Jason\Local Settings\Temp\temp.fr4E38 -> TrojanDownloader.Intexp.c -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@45813911[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@47780556[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@60960915[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@bcentral[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@cj[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@html[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@link[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@S130376[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@S139314[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\tracie@S151568[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Tracie\Local Settings\Temporary Internet Files\Content.IE5\0T2RW12V\Poller[1].exe -> Trojan.Agent.cp -> Ignored
C:\Documents and Settings\Tracie\Local Settings\Temporary Internet Files\Content.IE5\WH2V0PMJ\Nail[2].exe -> Trojan.Nail -> Ignored
C:\Documents and Settings\Tracie\Local Settings\Temporary Internet Files\Content.IE5\ZUOBZTS5\svcproc[2].exe -> Trojan.Stervis.c -> Ignored
C:\WINDOWS\cpbrkpie.ocx -> Spyware.Coupons -> Ignored
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Ignored
C:\WINDOWS\system32\bpk.exe -> TrojanSpy.PerfectKeyLogger.ad -> Ignored
C:\WINDOWS\system32\bpkhk.dll -> TrojanSpy.PerfectKeyLogger.ac -> Ignored
C:\WINDOWS\system32\bpkr.exe -> TrojanSpy.Perfloger.h -> Ignored
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Ignored
C:\WINDOWS\system32\ltgxrdt.exe -> Trojan.Agent.cp -> Ignored
C:\WINDOWS\system32\rinst.exe -> TrojanSpy.Perfloger.h -> Ignored
D:\Music\Lavasoft Ad-Aware SE Professional 1.06 New Retail.rar/Lavasoft Ad-Aware SE Professional 1.06 New Retail\Lavasoft Ad-Aware SE Professional 1.06.exe -> TrojanDropper.Agent.fr -> Ignored
D:\Music\quicken 2005 (keygen only).zip/quicken 2005 (keygen only).exe -> Spyware.Hijacker.Generic -> Ignored
J:\My D Documents\Program dls\Quicken 2003\Lexware Quicken 2003 Deluxe crack .exe -> Dialer.Generic -> Ignored
J:\My D Documents\Program dls\Quicken 2005\quicken 2005 (keygen only).zip/quicken 2005 (keygen only).exe -> Spyware.Hijacker.Generic -> Ignored
::Report End
New HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10:54:46 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
J:\My D Documents\Program dls\CCleaner\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qimsvk] c:\windows\system32\ltgxrdt.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102210545913
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
and the FindIt's log
Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/30/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Don't delete files in this section without guidance.
If in any doubt, back them up first.
* UPX! C:\WINDOWS\System32\EHBIXJ.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE
* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» Legitimate files can/will show in this section.
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C is DSK1_VOL1
Volume Serial Number is E6FE-6400
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C is DSK1_VOL1
Volume Serial Number is E6FE-6400
Directory of C:\WINDOWS\system32
05/28/2005 07:02 PM 4,286 greenmovie2311.ico
05/28/2005 07:02 PM 3,262 kill all spyware4.ico
05/28/2005 07:02 PM 3,262 poker11212.ico
05/28/2005 07:07 PM 19,942 virushunter1231.ico
4 File(s) 30,752 bytes
0 Dir(s) 34,369,683,456 bytes free
»»»»»»»»»»»»»»»»»»»»»»»».
HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\aurora\AUS3t5atusOfSInst
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon\Driver
What can I do now?
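Added example, not part of the post above and not code from ewido, HijackThis or FindIt's: a small Python triage script that reads HijackThis entries and flags the ones a helper would fix first. It applies three checks a practitioner would make by eye on the log above: an F2 `Shell=` value that runs anything besides Explorer.exe (the posted log runs `C:\WINDOWS\Nail.exe` at every logon), an autostart or service binary that the ewido report already detected, and an autostart binary sitting directly in the Windows root rather than a subfolder. The sample log and the scanner-hit table are subsets copied from the logs above; the rule names and the `triage` function are this example's own.

```python
import re
from typing import Dict, List

# Sample entries copied from the HijackThis log posted above (a constructed
# subset, not the full log). Clean entries are included so the rules can be
# checked against false positives.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qimsvk] c:\windows\system32\ltgxrdt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Paths the ewido scan report above detected (constructed subset of its
# "Scan result" section), keyed by path with the detection name as value.
EWIDO_HITS = {
    r"C:\WINDOWS\Nail.exe": "Trojan.Nail",
    r"C:\WINDOWS\svcproc.exe": "Trojan.Stervis.c",
    r"C:\WINDOWS\system32\ltgxrdt.exe": "Trojan.Agent.cp",
}

# "O4 - ..." / "F2 - ..." / "R0 - ..." entry prefix used by HijackThis.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in .exe or .dll, optionally wrapped in quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))"?', re.IGNORECASE)
# A file directly inside the Windows directory, with no further subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


def _norm(path: str) -> str:
    """Case-insensitive, quote-free form so scanner paths and log paths compare equal."""
    return path.strip('"').lower()


def triage(log_text: str, scanner_hits: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {HijackThis entry: [reasons]} for every entry that trips a rule."""
    hits = {_norm(p): name for p, name in scanner_hits.items()}
    flagged: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reasons: List[str] = []

        # Rule 1: the Winlogon Shell value should be exactly Explorer.exe; any
        # extra token is launched at every logon. (Assumes the appended path
        # has no spaces, which holds for the log above.)
        if code.startswith("F") and "shell=" in body.lower():
            shell_value = body.split("=", 1)[1]
            extras = [t for t in shell_value.split() if t.lower() != "explorer.exe"]
            if extras:
                reasons.append("extra executable in Shell= value: " + " ".join(extras))

        for path in PATH_RE.findall(body):
            p = _norm(path)
            # Rule 2: the autostart points at a file the scanner already detected.
            if p in hits:
                reasons.append(f"{path} flagged by scanner as {hits[p]}")
            # Rule 3: legitimate software almost never installs its autostart
            # binary directly in the Windows root.
            if WINDOWS_ROOT_RE.match(p):
                reasons.append(f"{path} runs from the Windows root directory")

        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(HJT_LOG, EWIDO_HITS).items():
        print(entry)
        for reason in why:
            print("   -", reason)
```

Run against the sample, the script flags the F2 Shell entry, the two O4 entries for wupdt.exe and ltgxrdt.exe, and the SvcProc service, and leaves vptray, iTunesHelper, ctfmon, NavLogon and DefWatch alone. Correlating the scanner hits with the autostart list is the useful part: it shows which detections are wired to run again at the next boot, which is why deleting the files without also fixing the R/F/O4/O23 entries tends not to hold.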