I think it's clean but...

tRevHead62, Melbourne, Australia
edited August 2004 in Spyware & Virus Removal
I've installed a new hdd, ghosted my old os and files onto it. After a week everything was going fine.. until today. I ran AdAware (with the latest update) and to my horror, I had dozens of new items identified. (I need to interrogate a family member!).
After deleting and rerunning twice more, AdAware says I'm clean. The OmegaKiller gives the thumbs up and I now would like someone to check my HJT log to see if there is anything suspicious in there.

Logfile of HijackThis v1.98.0
Scan saved at 11:01:22 PM, on 25/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Messenger\msmsgs.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [xrmcuzqb] C:\WINDOWS\System32\ksscjrov.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

Thanks in anticipation,


  • Mancabus, Charlottesville, VA
    edited August 2004
    Remove these.
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [xrmcuzqb] C:\WINDOWS\System32\ksscjrov.exe

    Also these are unnecessary.
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    And unless you aren't an administrator on your computer then remove this
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
  • Dexter, Vancouver, BC Canada
    edited August 2004
    Also, besides Ad Aware, click here: http://www.short-media.com/forum/showthread.php?t=14915 to download, install and run Spybot S&D as well. This is our preferred method, a cocktail of both Ad Aware and Spybot.

    Come back and let us know how it goes.

  • tRevHead62, Melbourne, Australia
    edited August 2004
    Thanks for that peeps, great stuff. I forgot about Spybot! Somehow my shortcut disappeared from my desktop! hmmm.. Anyway, before I deleted the entries in HJT log as you advised, I ran the Spybotsearch'ndestroy update and scanned my PC - the results being:
    DSO exploits (x5)
    DyFuCA Internet optimiser
    Golden Palace Casino
    Statblaster. All files 7.

    I cleaned them all up (except for the pesky DSO exploits which come back) then I scanned with HJT again.
    The results showed the entries:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    had changed to:

    R3 - URLSearchHook: (no name) - is missing

    so I deleted this string anyways.

    O4 - HKLM\..\Run: [xrmcuzqb] C:\WINDOWS\System32\ksscjrov.exe
    had been deleted.

    Thanks for all your help once again.
  • Dexter, Vancouver, BC Canada
    edited August 2004
    The DSO exploits will always exist, as they show security holes that are part of IE. Ignore them. Make sure you are always doing your Windows Updates, and that you use a firewall, and you should be fine. The entries you fixed are correct, so you are fine. I'll mark this closed. :)

    I did not see Folding At Home in your log though....please click the links in my sig and find out about Folding. We need new members on our Team, we are about to be passed by another team!!

This discussion has been closed.
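
Added example (not part of the original thread, and not code from HijackThis or any poster): a small Python triage pass over HijackThis log lines that surfaces the two kinds of entry the helpers told the poster to remove, a registry entry whose file is reported as "(no file)" and a Run autostart with a random-looking name and executable in System32. The `looks_random` rule and its thresholds are an assumed heuristic chosen for illustration; the sample lines are copied from the log above.

```python
import re
from pathlib import PureWindowsPath

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xrmcuzqb] C:\WINDOWS\System32\ksscjrov.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Registry Run entry: value name in brackets, then the (optionally quoted) program
RUN = re.compile(r'^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] "?(?P<cmd>[^"]+?\.\w{3})\b')


def looks_random(s):
    """Assumed heuristic: lowercase letters only, 6+ chars, at most 25% vowels."""
    if not (s.isalpha() and s.islower() and len(s) >= 6):
        return False
    return sum(c in "aeiou" for c in s) / len(s) <= 0.25


def triage(log):
    """Return (section code, reason) for each entry worth a closer look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank lines, header, process list
        code, body = m.groups()
        if body.endswith("(no file)"):
            findings.append((code, "registry entry points at a missing file"))
        elif code == "O4" and (run := RUN.match(body)):
            path = PureWindowsPath(run["cmd"])
            if (looks_random(run["name"]) and looks_random(path.stem)
                    and path.parent.name.lower() == "system32"):
                findings.append((code, f"random-looking autorun {path.name}"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, reason)
```

A hit from this pass is only a prompt for manual review of the entry, the way the helpers in the thread reviewed the log by eye.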