A Windows XP help forum. PCbanter

Hijackthis log



 
 
  #1  
Old June 12th 05, 06:08 PM
Fox Hunter
external usenet poster
 
Posts: n/a
Default Hijackthis log

I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading but can't find it by any of the searches.
  #2  
Old June 12th 05, 06:11 PM
Fox Hunter
external usenet poster
 
Posts: n/a
Default

Sorry, forgot to add the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:23:24 AM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\vavknn.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...S/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...&clcid=0x409
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe





  #3  
Old June 12th 05, 06:12 PM
Claude LaFrenière
external usenet poster
 
Posts: n/a
Default

Bonjour *Fox Hunter* :

I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading but can't find it by any of the searches.


I'm here.
Post your log here and I'll give you the result of my analysis as soon as
possible.


--
Claude LaFrenière [MVP] :-)

«My Principal Design Was To Inform, Not To Amuse Thee.»
Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on www.msmvps.com

  #4  
Old June 12th 05, 06:22 PM
Wesley Vogel
external usenet poster
 
Posts: n/a
Default

Parasite Fighting Recipes
http://forum.aumha.org/viewforum.php?f=43

Register AumHa Forums
http://forum.aumha.org/profile.php?m... 2b1a4fde513a

DETAILS ABOUT YOUR COMPUTER
http://aumha.org/mydetail.htm

Parasites - Adware, Spyware & Other Scumware
http://forum.aumha.org/viewforum.php?f=28

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User



  #5  
Old June 12th 05, 06:47 PM
Claude LaFrenière
external usenet poster
 
Posts: n/a
Default

Bonjour *Fox Hunter* :

I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading but can't find it by any of the searches.


I found only 2 suspects ... but not a complete malware collection.
Sounds good!

Look at points #3, 4, 8 ... the others are not important for now.

1)
Platform: Windows XP SP1 (WinNT 5.01.2600)
Needs to upgrade to the Service Pack 2...


2)
NVidia Helper: related to the NVidia Helper service.
Useless most of the time. Set this service to Manual.
C:\WINDOWS\System32\nvsvc32.exe

3) *******************
??? What's this ? Suspect...
C:\Program Files\ShopSafe\ShopSafe.exe

4) *******************
??? What's this ? Suspect ...
C:\WINDOWS\System32\vavknn.exe

5)
??? Useful or not (probably not...)
C:\WINDOWS\System32\rundll32.exe
related to: O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

6)
pop-up stopper : useless with SP2 and any other Web Browser such as
Firefox or Opera...
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

7)
Do you need to run this every day?
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r

8) ***************
The 2 suspects ...*****
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe
/dontopenmycards
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run

9)
Intel Graphic Helper : possibly useless (not a malware however.)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Use CodeStuff Starter (easier than msconfig) and *disable* :
C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
and
C:\WINDOWS\System32\vavknn.exe reg_run

Reboot and check if something has changed (good or bad) in your system...

Let us know.




--
Claude LaFrenière [MVP] :-)


  #6  
Old June 12th 05, 07:14 PM
Wesley Vogel
external usenet poster
 
Posts: n/a
Default

Disable the NVIDIA Display Driver Service...
Start | Run | Type: services.msc | OK |
Scroll down to and double click: NVIDIA Display Driver Service |
Under Startup type set to Disabled | Apply | Click the Stop button |
When it stops click OK | You may have to reboot
----

NvMediaCenter
[[RunDLL32.exe NvMCTray.dll, NvTaskbarInit System Tray icon used to manage
settings for nVidia based graphics cards. May be required for some 3D
applications to recognize your card correctly - such as the game
"Everquest". Otherwise, settings can be changed manually via Display
Properties]]

Nview.dll = NVIDIA nView Desktop and Window Manager

Name NVIEW
Command rundll32.exe nview.dll, nViewLoadHook
Description This is a DLL to enable multiple display monitors on a single
computer. It can be a cause of numerous problems on some computers
---

NvCplDaemon
System Tray icon used to change display settings, change the clock rate and
memory speed for nVidia based graphics cards. This is unnecessary since you
can easily configure these settings the way you want them in the Display
Properties and not have to mess with them again. Also disable the "NVIDIA
Driver Helper Service" if enabled as it can cause this entry to be
re-enabled on re-boot (note that this service can also cause extreme
shutdown delays if enabled - see
http://www.blackviper.com/WinXP/strangeservice.htm
----

nwiz.exe = NVIDIA nView Wizard
[[Application enables user to having 32 virtual desktops, get a desktop
larger than the viewable area of the monitor, being able to divide the
display across more than one monitor, managing applications and many more
functionality.]]
----

Manually delete these three entries:
NvCplDaemon, NvMediaCenter and nwiz.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
REG_SZ
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
REG_SZ
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
REG_SZ
nwiz.exe /install

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User



  #7  
Old June 12th 05, 09:11 PM
Fox Hunter
external usenet poster
 
Posts: n/a
Default

Claude,
ShopSafe is a legitimate program from MBNA America to allow use of one-time credit card numbers for security purposes. What about the item ncnk.exe that can't be found in the files and tries to load itself?



  #8  
Old June 12th 05, 09:45 PM
Claude LaFrenière
external usenet poster
 
Posts: n/a
Default

HI *Fox Hunter* :

Claude,
ShopSafe is a legimate program from MBNA America to allow use of one-time credit card numbers for security purposes.
What about the item ncnk.exe that can't be found in the files and tries to load itself?


I found almost nothing about "ncnk.exe"!
I checked your HJT log again and it's not there.
And almost nothing with Google...

Very strange...

Some malware generates random names to stay hidden from the user...

1- Kill that process
2- Update your anti-virus and your antispyware and run them in safe mode.
3- Some tools and links:

A) "Mini-antivirus" to be run in safe mode:

Stinger :
http://vil.nai.com/vil/stinger/

Avast cleaner :
http://www.avast.com/eng/avast_cleaner.html

MS:
http://www.microsoft.com/downloads/d...displaylang=fr

Kaspersky:
ftp://ftp.kaspersky.ru/utils/clrav.com

Anti Root-Kits
F-Secure (beta)
http://www.f-secure.com/blacklight/

B) Online scan:

Anti-trojan:
http://www.windowsecurity.com/trojanscan/

Anti-spy:
http://www.spywareguide.com/txt_onlinescan.html
http://store.ca.com/dr/v2/ec_main.en...715&CID=181432

Anti-virus:
www.trendmicro.com

Let us know.



--
Claude LaFrenière [MVP] :-)


  #9  
Old June 12th 05, 10:42 PM
Fox Hunter
external usenet poster
 
Posts: n/a
Default

I, too, say very strange. You probably found the same reference I saw in Google. Have used the scanners I have, Ad-aware, Spybot, MS Anti-Spyware, in safe mode and they found nothing, so far. Will keep trying and let the group know what found it.


  #10  
Old June 12th 05, 11:36 PM
Claude LaFrenière
external usenet poster
 
Posts: n/a
Default

Bonjour *Fox Hunter* :

I, too, say very strange. You probably found the same reference I saw in Google.
Have used the scanners I have, Ad-aware, Spybot, MS Anti-Spyware, in safe mode
and they found nothing, so far. Will keep trying and let the group know what found it.


OK.

Can you kill the process with task manager ?

Here are some places to check in the registry and system files for the startup
locations where malware hijacks Windows registry keys...

Ref.: http://www.lacave.net/~jokeuse/usenet/demarrage.html
(Fr. usenet virus news group FAQ)
(Well, in Fr. not Eng. Here is a (short) translation):

1. Startup folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup = "C:\windows\startup menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup = "C:\windows\startup menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Common Startup = "C:\windows\startup menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Common Startup = "C:\windows\startup menu\programs\startup"

2. Win.ini


[windows]
load = file1.exe
run = file2.exe


3. System.ini

edit with msconfig.exe.

[boot]
Shell = Explorer.exe


[386Enh]

Example:
device = virus.vxd

4. Autoexec.bat

Example : some weird batch file...


5. Config.sys

Example:
shell=c:\command.com /e:32768 /k c:\infected.bat

6. RUN Keys (check those first)


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_USERS\xxxxxx\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_USERS\xxxxxx\Software\Microsoft\Windows\CurrentVersion\RunOnce]
xxxxxx = User SID

7. Services


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service_Name]

8. Control

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]

Example:
BootExecute = program-abc.exe

(For an indirect launching with a file rename...)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]

PendingFileRenameOperations = \??\c:\temp\worm.sys !\??\c:\winnt\system32\prog.sys

In this example the malware file "worm.sys" will be replaced by "prog.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices]

9. AppInit_DLLs, Load and Run


All those DLLs are loaded at each session startup. A good place to hide a malware DLL...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = program-XYZ.exe
Load = c:\Folder\Program-XYX.exe
Run = c:\explorer.scr


10. Winlogon


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = c:\windows\system32\svcpack.exe
Other keys to check: Notify, Shell, System, VmApplet.


11. ShellServiceObjectDelayLoad

Run when explorer is started.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
{One_Key} = 'Service Name'

With [HKEY_CURRENT_USER\Software\Classes\CLSID\{One_Key}\InProcServer32] which must exist.


12. SharedTaskScheduler

To start an application at the same time as explorer:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
{One_Key} = 'Un Nom de Service'

{One_Key} must be declared in [HKEY_CLASSES_ROOT\CLSID]


13. Autorun

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]

Example:
AutoRun = c:\Startup.cmd


14. Hijack of registry commands :

Each key should have the value "%1" %*. If it is changed to serveur.exe "%1" %*, the file serveur.exe will be executed

every time an exe/pif/com/bat/hta is launched. Note that the principle can be extended to other file types.

Where the key must have the value "%1" %*,
it is replaced by the malware with something else..

Normally:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]

(For all those keys (Default) = "%1" %*)


15. Windows explorer startup


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]

default is "explorer.exe"

The "path" must also be checked in:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\Path],
[HKEY_CURRENT_USER\Environment\Path].


16. ActiveX

Started *BEFORE* the Run keys !!!!!!!!!!

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{One_Key}]
StubPath = c:\"path"\Program-XYZ.exe


17. Hijack of Group Policies

Before the session opening :

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\Machine\Scripts\Startup

After the session opening:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\User\Scripts\Logon


Before any delete:
check *before* to be sure what you're doing,
export the key (save it...)
and proceed (one suspected key at a time...)

Ask in the news group before...

Hope this helps.

Let us know.



--
Claude LaFrenière [MVP] :-)


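As an added example (not from the thread or any of its posters), a read-only PowerShell audit of the locations listed in the post above: it resolves each Run value to the file it actually launches and reports entries whose file is missing on disk, which is exactly the ncnk.exe symptom, and compares Winlogon Shell/Userinit, AppInit_DLLs and the exe/com/bat/pif command handlers with the XP defaults the post gives. It assumes a Windows host and an elevated PowerShell 3 or later; it modifies nothing.

```powershell
# Added audit script (not from the thread). Walks the Run keys, Winlogon,
# AppInit_DLLs and shell\open\command handlers from the post above and reports
# Run values whose target file is missing and values that differ from their
# documented defaults. Read-only; export keys yourself before changing anything.
# Assumes Windows and an elevated PowerShell 3+ session.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-TargetFile {
    # Extract the file a Run value really executes: quoted paths, unquoted paths
    # with spaces, bare names resolved the way CreateProcess would, and rundll32
    # lines, where the loaded DLL (not rundll32.exe) is the payload.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if (-not $cmd) { return '' }
    if ($cmd -match '^(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)') {
        $cmd = $Matches[1].Trim()
    }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: shortest prefix ending in an executable extension, else first token
    if ($cmd -match '^(.+?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=\s|,|$)') {
        $candidate = $Matches[1]
    } else {
        $candidate = ($cmd -split '\s+')[0]
    }
    if ($candidate -notmatch '[\\:]') {
        # Bare name such as nwiz.exe or nview.dll: probe System32, %SystemRoot%, then PATH
        $dirs = (@("$env:SystemRoot\System32", $env:SystemRoot) + ($env:Path -split ';')) |
            Where-Object { $_ }
        foreach ($dir in $dirs) {
            $probe = Join-Path $dir $candidate
            if (Test-Path -LiteralPath $probe) { return $probe }
        }
    }
    return $candidate
}

function Test-RunEntries {
    # Section 6 of the post: every Run value, with the file it points at
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $target = Get-TargetFile -CommandLine ([string]$regKey.GetValue($name))
            $status = if ($target -and (Test-Path -LiteralPath $target)) { 'present' } else { 'MISSING' }
            [pscustomobject]@{ Location = $key; Name = $name; Target = $target; Status = $status }
        }
    }
}

function Test-DefaultValues {
    # Sections 9, 10, 14 and 15: values with a known-good default, checked as regexes.
    # htafile is skipped on purpose: its default routes through mshta.exe and the
    # exact string varies by Windows version, so a plain comparison misleads.
    $wl  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $win = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $checks = @(
        @{ Key = $wl;  Name = 'Shell';        Pattern = '^explorer\.exe$' },
        @{ Key = $wl;  Name = 'Userinit';     Pattern = '^[^,]*\\userinit\.exe,?$' },
        @{ Key = $win; Name = 'AppInit_DLLs'; Pattern = '^$' }
    )
    foreach ($type in 'exefile', 'comfile', 'batfile', 'piffile') {
        $checks += @{ Key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
                      Name = ''; Pattern = '^"%1" %\*$' }
    }
    foreach ($c in $checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $actual = [string](Get-Item -LiteralPath $c.Key).GetValue($c.Name)
        $status = if ($actual.Trim() -match $c.Pattern) { 'default' } else { 'CHANGED' }
        $label  = if ($c.Name) { $c.Name } else { '(default)' }
        [pscustomobject]@{ Location = $c.Key; Name = $label; Target = $actual; Status = $status }
    }
}

$report = @(Test-RunEntries) + @(Test-DefaultValues)
$report | Format-Table -AutoSize -Wrap
$flagged = $report | Where-Object { $_.Status -eq 'MISSING' -or $_.Status -eq 'CHANGED' }
"`n$(@($flagged).Count) entries need a look (export the key before touching anything)."
```

A MISSING Run entry is the pattern behind a startup file that is "blocked from loading but can't be found": the registry value survives after the file itself has been quarantined or deleted.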
  #11  
Old June 20th 05, 02:24 AM
Jack
external usenet poster
 
Posts: n/a
Default

Dump Norton, It ain't working for you !
You have a couple of bad bugs in the log.


 



