Hijackthis log

Archived from groups: microsoft.public.windowsxp.perform_maintain

I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading but can't find it by any of the searches.
  1.

    Parasite Fighting Recipes
    http://forum.aumha.org/viewforum.php?f=43

    Register AumHa Forums
    http://forum.aumha.org/profile.php?mode=register&sid=a930b2fda089ba83cac62b1a4fde513a

    DETAILS ABOUT YOUR COMPUTER
    http://aumha.org/mydetail.htm

    Parasites - Adware, Spyware & Other Scumware
    http://forum.aumha.org/viewforum.php?f=28

    --
    Hope this helps. Let us know.

    Wes
    MS-MVP Windows Shell/User

    In news:j_Zqe.72$on5.19@newssvr19.news.prodigy.com,
    Fox Hunter <donlitt@sbcnonglobal.net> hunted and pecked:
    > I have been having problems with remnants of adware/malware and would
    > like a knowledgeable person to look at this log file and tell me about
    > anything suspicious. Particularly, a startup file called ncnk.exe has
    > been blocked from loading but can't find it by any of the searches.
  2.

    Hello *Fox Hunter*:

    > I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading but can't find it by any of the searches.

    I'm here.
    Post your log here and I give you the result of my analysis as soon as
    possible.

    :)
    --
    Claude LaFrenière [MVP] :-)

    «My Principal Design Was To Inform, Not To Amuse Thee.»
    Lemuel Gulliver, The Travels (IV:12)
    http://climenole.serendipia.net
    Soon on www.msmvps.com
    Bientôt sur www.msmvps.com
  3.

    Hello *Fox Hunter*:

    > I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading but can't find it by any of the searches.

    I found only 2 suspects ... but not a complete malware collection :)
    Sounds good !

    Look at points # 3,4,8 ... the others are not important for now.

    1)
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Needs to upgrade to the Service Pack 2...


    2)
    NVidia Helper: related to NVidia Helper service.
    Useless most of the time. Put this service in manual.
    C:\WINDOWS\System32\nvsvc32.exe

    3) *******************
    ??? What's this ? Suspect...
    C:\Program Files\ShopSafe\ShopSafe.exe

    4) *******************
    ??? What's this ? Suspect ...
    C:\WINDOWS\System32\vavknn.exe

    5)
    ??? Useful or not (probably no...)
    C:\WINDOWS\System32\rundll32.exe
    related to :O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
    C:\WINDOWS\System32\NvCpl.dll,NvStartup

    6)
    pop-up stopper : useless with SP2 and any other Web Browser such as
    Firefox or Opera...
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

    7)
    Did you need to run this every day ?
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    8) ***************
    The 2 suspects ...*****
    O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run

    9)
    Intel Graphic Helper : possibly useless (not a malware however.)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

    Use CodeStuff Starter (easier than msconfig) and *disable* :
    C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
    and
    C:\WINDOWS\System32\vavknn.exe reg_run

    Reboot and check if something has changed (good or bad) in your system...

    Let us know.

    :)


    --
    Claude LaFrenière [MVP] :-)

    «My Principal Design Was To Inform, Not To Amuse Thee.»
    Lemuel Gulliver, The Travels (IV:12)
    http://climenole.serendipia.net
    Soon on www.msmvps.com
    Bientôt sur www.msmvps.com
  4.

    Disable the NVIDIA Display Driver Service...
    Start | Run | Type: services.msc | OK |
    Scroll down to and double click: NVIDIA Display Driver Service |
    Under Startup type set to Disabled | Apply | Click the Stop button |
    When it stops click OK | You may have to reboot
    ----

    NvMediaCenter
    [[RunDLL32.exe NvMCTray.dll, NvTaskbarInit System Tray icon used to manage
    settings for nVidia based graphics cards. May be required for some 3D
    applications to recognize your card correctly - such as the game
    "Everquest". Otherwise, settings can be changed manually via Display
    Properties]]

    Nview.dll = NVIDIA nView Desktop and Window Manager

    Name NVIEW
    Command rundll32.exe nview.dll, nViewLoadHook
    Description This is a DLL to enable multiple display monitors on a single
    computer. It can be a cause of numerous problems on some computers
    ---

    NvCplDaemon
    System Tray icon used to change display settings, change the clock rate and
    memory speed for nVidia based graphics cards. This is unnecessary since you
    can easily configure these settings the way you want them in the Display
    Properties and not have to mess with them again. Also disable the "NVIDIA
    Driver Helper Service" if enabled as it can cause this entry to be
    re-enabled on re-boot (note that this service can also cause extreme
    shutdown delays if enabled - see
    http://www.blackviper.com/WinXP/strangeservice.htm)
    ----

    nwiz.exe = NVIDIA nView Wizard
    [[Application enables user to having 32 virtual desktops, get a desktop
    larger than the viewable area of the monitor, being able to divide the
    display across more than one monitor, managing applications and many more
    functionality.]]
    ----

    Manually delete these three entries:
    NvCplDaemon, NvMediaCenter and nwiz.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon
    REG_SZ
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvMediaCenter
    REG_SZ
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    nwiz
    REG_SZ
    nwiz.exe /install

    --
    Hope this helps. Let us know.

    Wes
    MS-MVP Windows Shell/User

  5.

    Sorry, forgot to add the log.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:23:24 AM, on 6/12/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ShopSafe\ShopSafe.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\vavknn.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\MailWasher Pro\MailWasher.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    "Fox Hunter" <donlitt@sbcnonglobal.net> wrote in message
    news:j_Zqe.72$on5.19@newssvr19.news.prodigy.com
    > I have been having problems with remnants of adware/malware and would like
    > a knowledgeable person to look at this log file and tell me about anything
    > suspicious. Particularly, a startup file called ncnk.exe has been blocked
    > from loading but can't find it by any of the searches.
  6.

    Claude,
    ShopSafe is a legitimate program from MBNA America to allow use of one-time credit card numbers for security purposes. What about the item ncnk.exe that can't be found in the files and tries to load itself?

  7.

    HI *Fox Hunter* :

    > Claude,
    > ShopSafe is a legitimate program from MBNA America to allow use of one-time credit card numbers for security purposes.
    > What about the item ncnk.exe that can't be found in the files and tries to load itself?

    I found almost nothing about "ncnk.exe" !
    I checked again your HJT log and it's not there.
    And almost nothing with Google...

    Very strange...

    Some malware generates random names to stay hidden from the users...

    1- Kill that process
    2- Update your anti-virus and your antispywares and run them in safe mode.
    3- Some tools and links:

    A) "Mini- antivirus" to be run in safe mode:

    Stinger :
    http://vil.nai.com/vil/stinger/

    Avast cleaner :
    http://www.avast.com/eng/avast_cleaner.html

    MS:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=fr

    Kaspersky:
    ftp://ftp.kaspersky.ru/utils/clrav.com

    Anti Root-Kits
    F-Secure (beta)
    http://www.f-secure.com/blacklight/

    B) Online scan:

    Anti-trojan:
    http://www.windowsecurity.com/trojanscan/

    Anti-spy:
    http://www.spywareguide.com/txt_onlinescan.html
    http://store.ca.com/dr/v2/ec_main.entry25?page=FindOutWhosWatchingYou&client=ComputerAssociates&sid=35715&CID=181432

    Anti-virus:
    www.trendmicro.com

    Let us know.

    :)

    --
    Claude LaFrenière [MVP] :-)

    «My Principal Design Was To Inform, Not To Amuse Thee.»
    Lemuel Gulliver, The Travels (IV:12)
    http://climenole.serendipia.net
    Soon on www.msmvps.com
    Bientôt sur www.msmvps.com
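
The cross-check discussed in the posts above (is `ncnk.exe` anywhere in the log, and which `O4` Run entries deserve a manual look) can be scripted. This is an added example, not part of any poster's message; the function names are hypothetical, and the "value name shares no three-letter run with the file name" rule is an assumed triage heuristic that only selects entries for review, not a verdict.

```python
import re
from ntpath import basename, dirname, splitext

# Excerpt of the HijackThis log posted in this thread, trimmed for the example.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\WINDOWS\System32\vavknn.exe
C:\WINDOWS\System32\rundll32.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Either a quoted path, or the shortest prefix ending in an executable extension
# (unquoted paths such as C:\Program Files\... contain spaces).
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)', re.I)


def image_of(cmd):
    """Return the file a Run command really loads (the DLL for rundll32)."""
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd.split()[0]
    image = m.group(1) or m.group(2)
    if basename(image).lower() == "rundll32.exe":
        rest = cmd[m.end():].strip()
        if rest:
            image = rest.split(",")[0].strip()
    return image


def parse_log(text):
    """Split a HijackThis log into running processes and O4 Run entries."""
    running, run_entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False
        elif in_procs:
            running.append(line)
        else:
            m = RUN_RE.match(line)
            if m:
                entry = m.groupdict()
                entry["image"] = image_of(entry["cmd"])
                run_entries.append(entry)
    return {"running": running, "run": run_entries}


def mentions(log_text, filename):
    """Every log line that names the file, case-insensitively."""
    needle = filename.lower()
    return [ln.strip() for ln in log_text.splitlines() if needle in ln.lower()]


def shares_trigram(a, b):
    a, b = a.lower(), b.lower()
    return any(a[i:i + 3] in b for i in range(len(a) - 2))


def review_candidates(parsed):
    """Run entries loading a file directly from System32 whose registry value
    name has nothing in common with the file name (assumed heuristic)."""
    running = {p.lower() for p in parsed["running"]}
    out = []
    for e in parsed["run"]:
        stem = splitext(basename(e["image"]))[0]
        in_system32 = dirname(e["image"]).lower().endswith("\\system32")
        if in_system32 and not shares_trigram(e["name"], stem):
            out.append({**e, "running": e["image"].lower() in running})
    return out


if __name__ == "__main__":
    print("ncnk.exe lines:", mentions(SAMPLE_LOG, "ncnk.exe"))
    for e in review_candidates(parse_log(SAMPLE_LOG)):
        print("review:", e["hive"], e["name"], e["image"], "running:", e["running"])
```

An empty result for `ncnk.exe` only says the file is not referenced from the locations this HijackThis scan lists; it does not show the file is absent from the machine.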
  8.

    I, too, say very strange. You probably found the same reference I saw in Google. Have used the scanners I have, Ad-aware, Spybot, MS Anti-Spyware, in safe mode and they found nothing, so far. Will keep trying and let the group know what found it.
  9.

    Dump Norton, It ain't working for you !
    You have a couple of bad bugs in the log.