#1
Hijackthis log

I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading but I can't find it by any of the searches.
#2
Sorry, forgot to add the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:23:24 AM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\vavknn.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...S/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...&clcid=0x409
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#3
Bonjour *Fox Hunter* :

I'm here. Post your log here and I'll give you the result of my analysis as soon as possible.

--
Claude LaFrenière [MVP] :-)
«My Principal Design Was To Inform, Not To Amuse Thee.» Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on www.msmvps.com
#4
Parasite Fighting Recipes
http://forum.aumha.org/viewforum.php?f=43

Register AumHa Forums
http://forum.aumha.org/profile.php?m... 2b1a4fde513a

DETAILS ABOUT YOUR COMPUTER
http://aumha.org/mydetail.htm

Parasites - Adware, Spyware & Other Scumware
http://forum.aumha.org/viewforum.php?f=28

--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
#5
Bonjour *Fox Hunter* :

I found only 2 suspects ... but not a complete malware collection. Sounds good!

Look at points #3, 4, 8 ... the others are not important for now.

1) Platform: Windows XP SP1 (WinNT 5.01.2600)
You need to upgrade to Service Pack 2...

2) NVidia Helper: related to the NVidia Helper service. Useless most of the time. Set this service to Manual.
C:\WINDOWS\System32\nvsvc32.exe

3) ******************* ??? What's this? Suspect...
C:\Program Files\ShopSafe\ShopSafe.exe

4) ******************* ??? What's this? Suspect...
C:\WINDOWS\System32\vavknn.exe

5) ??? Useful or not? (probably not...)
C:\WINDOWS\System32\rundll32.exe
related to: O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

6) Pop-up stopper: useless with SP2 and any other Web browser such as Firefox or Opera...
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

7) Do you need to run this every day?
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

8) *************** The 2 suspects ...*****
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run

9) Intel Graphic Helper: possibly useless (not malware, however.)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Use CodeStuff Starter (easier than msconfig) and *disable*:
C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
and
C:\WINDOWS\System32\vavknn.exe reg_run

Reboot and check if something has changed (good or bad) in your system...

Let us know.

--
Claude LaFrenière [MVP] :-)
«My Principal Design Was To Inform, Not To Amuse Thee.» Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on www.msmvps.com
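An added example (not from the thread and not part of HijackThis) that mechanises the triage done in the post above: it parses O4 Run entries and O23 services from HJT-format lines, resolves what a rundll32 entry really loads, and flags files under the Windows directory that are not on a vetted allowlist, labels that do not match the binary they launch (the [KavSvc] / vavknn.exe pair), services with no known owner, and an SP1 platform line. The sample lines are copied from the posted log, the allowlist is constructed, and the rules are heuristics for a human to review, not verdicts.

```python
"""Parse a HijackThis (v1.99-style) log and apply the triage used in the
thread: O4 Run entries pointing at an unvetted file in the Windows directory,
labels that do not match the file they launch, and O23 services with no
known owner."""
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis line format (entries copied from the posted log)
SAMPLE_LOG = r"""
Platform: Windows XP SP1 (WinNT 5.01.2600)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Leading file name, quoted or not. HJT prints unquoted paths that contain spaces,
# so match up to the first PE-style extension followed by a space, comma or end of line.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat))"?(?=[\s,]|$)', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\windows\\")
# Files under the Windows directory the analyst has already vetted (constructed allowlist)
VETTED_SYSTEM_FILES = {"nvcpl.dll", "nvmctray.dll", "hkcmd.exe", "hpsysdrv.exe", "hphmon05.exe"}


@dataclass
class Finding:
    rule: str
    line: str


def payload_of(cmd: str) -> str:
    """File actually loaded by an O4 command, looking through rundll32 to the DLL."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.split()[0]
    path = m.group("path")
    if path.lower().endswith("rundll32.exe"):
        inner = EXE_RE.match(cmd[m.end():].strip())
        if inner:
            return inner.group("path")
    return path


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def label_matches(label: str, filename: str) -> bool:
    """Loose check that the Run label and the file stem agree (ccApp / ccApp.exe, NvCplDaemon / NvCpl.dll)."""
    stem = filename.lower().rsplit(".", 1)[0]
    lab = label.lower().replace(" ", "")
    return stem in lab or lab in stem


def triage(log_text: str) -> list:
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("Platform:") and " SP1 " in line:
            findings.append(Finding("platform-sp1", line))  # thread's advice: upgrade to SP2
            continue
        m = O4_RE.match(line)
        if m:
            payload = payload_of(m.group("cmd"))
            base = payload.rsplit("\\", 1)[-1]
            if in_system_dir(payload) and base.lower() not in VETTED_SYSTEM_FILES:
                findings.append(Finding("system-dir-unvetted", line))
            if not label_matches(m.group("label"), base):
                findings.append(Finding("label-mismatch", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            findings.append(Finding("service-unknown-owner", line))
    return findings


def rules_for(log_text: str, needle: str) -> set:
    """Rules that fired on the log line(s) containing `needle`."""
    return {f.rule for f in triage(log_text) if needle in f.line}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.line}")
```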
#6
Disable the NVIDIA Display Driver Service...

Start | Run | Type: services.msc | OK | Scroll down to and double click: NVIDIA Display Driver Service | Under Startup type set to Disabled | Apply | Click the Stop button | When it stops click OK | You may have to reboot

----
NvMediaCenter [[RunDLL32.exe NvMCTray.dll, NvTaskbarInit
System Tray icon used to manage settings for nVidia based graphics cards. May be required for some 3D applications to recognize your card correctly - such as the game "Everquest". Otherwise, settings can be changed manually via Display Properties]]

Nview.dll = NVIDIA nView Desktop and Window Manager
Name: NVIEW
Command: rundll32.exe nview.dll, nViewLoadHook
Description: This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers

---
NvCplDaemon
System Tray icon used to change display settings, change the clock rate and memory speed for nVidia based graphics cards. This is unnecessary since you can easily configure these settings the way you want them in the Display Properties and not have to mess with them again. Also disable the "NVIDIA Driver Helper Service" if enabled as it can cause this entry to be re-enabled on re-boot (note that this service can also cause extreme shutdown delays if enabled - see http://www.blackviper.com/WinXP/strangeservice.htm)

----
nwiz.exe = NVIDIA nView Wizard [[Application enables the user to have 32 virtual desktops, get a desktop larger than the viewable area of the monitor, divide the display across more than one monitor, manage applications and much more functionality.]]

----
Manually delete these three entries: NvCplDaemon, NvMediaCenter and nwiz.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz REG_SZ nwiz.exe /install

--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
#7
Claude,

ShopSafe is a legitimate program from MBNA America to allow use of one-time credit card numbers for security purposes. What about the item ncnk.exe that can't be found in the files and tries to load itself?
#8
HI *Fox Hunter* :

I found almost nothing about "ncnk.exe"! I checked your HJT log again and it's not there. And almost nothing with Google...

Very strange...

Some malware generates random names to stay hidden from the user...

1- Kill that process
2- Update your anti-virus and your antispyware and run them in safe mode.
3- Some tools and links:

A) "Mini-antivirus" to be run in safe mode:
Stinger: http://vil.nai.com/vil/stinger/
Avast cleaner: http://www.avast.com/eng/avast_cleaner.html
MS: http://www.microsoft.com/downloads/d...displaylang=fr
Kaspersky: ftp://ftp.kaspersky.ru/utils/clrav.com
Anti Root-Kits: F-Secure (beta) http://www.f-secure.com/blacklight/

B) Online scan:
Anti-trojan: http://www.windowsecurity.com/trojanscan/
Anti-spy: http://www.spywareguide.com/txt_onlinescan.html
http://store.ca.com/dr/v2/ec_main.en...715&CID=181432
Anti-virus: www.trendmicro.com

Let us know.

--
Claude LaFrenière [MVP] :-)
«My Principal Design Was To Inform, Not To Amuse Thee.» Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on www.msmvps.com
#9
I, too, say very strange. You probably found the same reference I saw in Google. Have used the scanners I have, Ad-aware, Spybot, MS Anti-Spyware, in safe mode and they found nothing, so far. Will keep trying and let the group know what found it.
#10
Bonjour *Fox Hunter* :

OK. Can you kill the process with Task Manager?

Here are some places to check in the registry and system files for the startup locations where malware hijacks Windows registry keys...

Ref.: http://www.lacave.net/~jokeuse/usenet/demarrage.html (Fr. usenet virus newsgroup FAQ) (Well, in Fr. not Eng. Here is a (short) translation):

1. Startup folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup = "C:\windows\startup menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup = "C:\windows\startup menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Common Startup = "C:\windows\startup menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Common Startup = "C:\windows\startup menu\programs\startup"

2. Win.ini
[windows]
load = file1.exe
run = file2.exe

3. System.ini (edit with msconfig.exe)
[boot]
Shell = Explorer.exe
[386Enh]
Example: device = virus.vxd

4. Autoexec.bat
Example: some weird batch file...

5. Config.sys
Example: shell=c:\command.com /e:32768 /k c:\infected.bat

6. RUN keys (check those first)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[HKEY_USERS\xxxxxx\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_USERS\xxxxxx\Software\Microsoft\Windows\CurrentVersion\RunOnce]
xxxxxx = User SID

7. Services
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service_Name]

8. Control
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
Example: BootExecute = program-abc.exe
(For an indirect launch with a file rename...)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
PendingFileRenameOperations = \??\c:\temp\worm.sys !\??\c:\winnt\system32\prog.sys
In this example the malware file "worm.sys" will be replaced by "prog.sys"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices]

9. AppInit_DLLs, Load and Run
All those DLLs are loaded at each session startup. Good place to hide a malware DLL...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = program-XYZ.exe
Load = c:\Folder\Program-XYX.exe
Run = c:\explorer.scr

10. Winlogon
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = c:\windows\system32\svcpack.exe
Other keys to check: Notify, Shell, System, VmApplet.

11. ShellServiceObjectDelayLoad
Run when Explorer is started.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
{One_Key} = 'Service Name'
With [HKEY_CURRENT_USER\Software\Classes\CLSID\{One_Key}\InProcServer32] must exist.

12. SharedTaskScheduler
To start an application at the same time as Explorer:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
{One_Key} = 'Un Nom de Service'
{One_Key} must be declared in [HKEY_CLASSES_ROOT\CLSID]

13. Autorun
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
Example: AutoRun = c:\Startup.cmd

14. Hijack of registry commands
Each key should have the value "%1" %*. If it is changed to serveur.exe "%1" %*, the file serveur.exe will be executed each time an exe/pif/com/bat/hta is launched. Note that the principle can be extended to other file types.
Each time the key should have the value "%1" %*, the malware replaces it with something else..
Normally:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
(For all those keys (Default) = "%1" %*)

15. Windows Explorer startup
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
default is "explorer.exe"
The "path" must be checked in [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\Path] and [HKEY_CURRENT_USER\Environment\Path].

16. ActiveX
Started *BEFORE* the Run keys !!!!!!!!!!
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{One_Key}]
StubPath = c:\"path"\Program-XYZ.exe

17. Hijack of Group Policies
Before the session opening:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\Machine\Scripts\Startup
After the session opening:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\User\Scripts\Logon

Before any delete: check *before* to be sure what you're doing, export the key (save it...) and proceed (one suspected key at a time...). Ask in the newsgroup before...

Hope this helps. Let us know.

--
Claude LaFrenière [MVP] :-)
«My Principal Design Was To Inform, Not To Amuse Thee.» Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on www.msmvps.com
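An added example, not from the thread or from the FAQ it translates, that turns the list above into a baseline check: it compares the shell\open\command handlers (the "%1" %* rule from point 14), Winlogon Shell and Userinit, AppInit_DLLs/Load/Run, BootExecute and PendingFileRenameOperations against known-good values, and lists Run-key entries for manual review. The snapshot dict and its Run entries are constructed; the Userinit, Shell and BootExecute defaults are assumed from a stock Windows XP install (re-baseline them for other versions), and read_live_snapshot() is the only part that needs Windows.

```python
r"""Audit Windows XP autostart locations (shell\open\command, Winlogon,
AppInit_DLLs, Session Manager, Run keys) against known-good values.
The checks run on a snapshot dict so they work offline; read_live_snapshot()
fills that dict from the real registry on Windows only."""
from dataclasses import dataclass

WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS_NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SESSION_MGR = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager"
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# (key, value name) -> value expected on a stock Windows XP install ("" = must be empty or absent).
# The "%1" %* rule comes from the thread; the Shell, Userinit and BootExecute defaults are
# assumed from a clean XP box and must be re-baselined for other Windows versions.
EXPECTED = {
    (WINLOGON, "Shell"): "explorer.exe",
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
    (WINDOWS_NT, "AppInit_DLLs"): "",
    (WINDOWS_NT, "Load"): "",
    (WINDOWS_NT, "Run"): "",
    (SESSION_MGR, "BootExecute"): "autocheck autochk *",
    (SESSION_MGR, "PendingFileRenameOperations"): "",
}
for ftype in ("exe", "com", "bat", "hta", "pif"):
    EXPECTED[("HKEY_CLASSES_ROOT\\" + ftype + "file\\shell\\open\\command", "")] = '"%1" %*'


@dataclass
class Finding:
    rule: str       # "unexpected-value" or "review-run-entry"
    location: str   # key\value
    actual: str


def _norm(s: str) -> str:
    return " ".join(s.split()).lower()


def audit(snapshot: dict) -> list:
    """snapshot: {key_path: {value_name: data}}; "" is the (Default) value name."""
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = snapshot.get(key, {}).get(name, "")   # absent value counts as empty
        if _norm(actual) != _norm(expected):
            findings.append(Finding("unexpected-value", key + "\\" + (name or "(Default)"), actual))
    for key in RUN_KEYS:  # Run entries are neither good nor bad by themselves: list them for review
        for name, data in snapshot.get(key, {}).items():
            findings.append(Finding("review-run-entry", key + "\\" + name, data))
    return findings


def read_live_snapshot() -> dict:
    """Windows only: read every location used above into the snapshot format."""
    import winreg  # not importable on other platforms
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT}
    snapshot = {}
    for path in {key for key, _ in EXPECTED} | set(RUN_KEYS):
        hive, subkey = path.split("\\", 1)
        values = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values
                    values[name] = " ".join(data) if isinstance(data, list) else str(data)
                    i += 1
        except OSError:
            pass  # key absent: audit() treats its values as ""
        snapshot[path] = values
    return snapshot


# Constructed snapshot: stock values everywhere except the exefile handler, which carries the
# hijack from point 14 of the thread, plus two Run entries copied from the posted log.
SAMPLE_SNAPSHOT = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": 'serveur.exe "%1" %*'},
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": {"": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": {"": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\htafile\shell\open\command": {"": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": {"": '"%1" %*'},
    WINLOGON: {"Shell": "Explorer.exe", "Userinit": r"C:\WINDOWS\system32\userinit.exe,"},
    WINDOWS_NT: {"AppInit_DLLs": ""},
    SESSION_MGR: {"BootExecute": "autocheck autochk *"},
    RUN_KEYS[0]: {"ccApp": r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
                  "KavSvc": r"C:\WINDOWS\System32\vavknn.exe reg_run"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"{f.rule:18} {f.location} = {f.actual!r}")
```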
#11
Dump Norton, It ain't working for you !
You have a couple of bad bugs in the log.