Hijackthis log

Fox Hunter

I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading, but I can't find it with any of the searches.
 
Sorry, forgot to add the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:23:24 AM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\vavknn.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Hello *Fox Hunter*:
I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading, but I can't find it with any of the searches.

I'm here.
Post your log here and I will give you the result of my analysis as soon as
possible.

:)
--
Claude LaFrenière [MVP] :-)

«My Principal Design Was To Inform, Not To Amuse Thee.»
Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on www.msmvps.com
 
Hello *Fox Hunter*:
I have been having problems with remnants of adware/malware and would like a knowledgeable person to look at this log file and tell me about anything suspicious. Particularly, a startup file called ncnk.exe has been blocked from loading, but I can't find it with any of the searches.

I found only 2 suspects ... but not a complete malware collection :)
Sounds good !

Look at points #3, 4, 8 ... the others are not important for now.

1)
Platform: Windows XP SP1 (WinNT 5.01.2600)
You need to upgrade to Service Pack 2...


2)
NVidia Helper: related to the NVidia Helper service.
Useless most of the time. Set this service to manual.
C:\WINDOWS\System32\nvsvc32.exe

3) *******************
??? What's this? Suspect...
C:\Program Files\ShopSafe\ShopSafe.exe

4) *******************
??? What's this? Suspect...
C:\WINDOWS\System32\vavknn.exe

5)
??? Useful or not (probably not...)
C:\WINDOWS\System32\rundll32.exe
related to: O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

6)
Pop-up stopper: useless with SP2 or with any other web browser such as
Firefox or Opera...
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

7)
Do you need to run this every day?
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

8) ***************
The 2 suspects ...*****
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run

9)
Intel Graphics Helper: possibly useless (not malware, however).
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Use CodeStuff Starter (easier than msconfig) and *disable*:
C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
and
C:\WINDOWS\System32\vavknn.exe reg_run

Reboot and check if something has changed (good or bad) in your system...

Let us know.

:)


--
Claude LaFrenière [MVP] :-)

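A small triage script for the log format above, added here as an example and not code from the thread or from HijackThis: it parses the "Running processes" section and the O4 Run-key lines, then applies the checks the reviewer did by eye (a Run value with a brand-name label starting an unknown file from System32, a bare file name whose location cannot be verified, and running processes no autostart entry accounts for). The log excerpt is constructed from a few lines of the posted log, and the allow-list of files expected under the Windows directory is an assumption for this OEM XP build, not a real startup database.

```python
r"""Triage helper for HijackThis 1.99 logs (added example, not code from the thread).
It parses the "Running processes" section and the O4 Run-key entries, then applies
the checks a reviewer does by eye when an entry such as
[KavSvc] C:\WINDOWS\System32\vavknn.exe stands out."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the format of the posted log; not the full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ShopSafe\ShopSafe.exe
C:\WINDOWS\System32\vavknn.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# Assumed allow-list of files that legitimately autostart from the Windows
# directory on this OEM XP build; a real review consults a startup database.
KNOWN_IN_WINDOWS_DIR = {"hkcmd.exe", "nvcpl.dll", "hphmon05.exe", "ps2.exe"}
# Core OS processes that run without any Run-key entry (assumed list).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "spoolsv.exe", "explorer.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First module on the command line: quoted, or unquoted up to a program extension
# (Run values often hold unquoted paths that contain spaces, so no split on blanks).
BIN_RE = re.compile(r'^"?(?P<bin>.+?\.(?:exe|com|scr|bat|cmd|dll))"?(?=[\s,]|$)', re.I)
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows(\\|$)")


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    cmd: str
    binary: str                   # program started by the Run value
    module: Optional[str] = None  # DLL loaded when that program is rundll32

    @property
    def target(self) -> str:
        """The code that actually runs: the rundll32 payload if any, else the binary."""
        return self.module or self.binary


def parse_command(cmd: str):
    """Split a Run value into (binary, rundll32 module or None)."""
    stripped = cmd.strip()
    m = BIN_RE.match(stripped)
    if not m:
        return stripped.split()[0], None
    binary, module = m.group("bin"), None
    if ntpath.basename(binary).lower() == "rundll32.exe":
        rest = stripped[m.end():].strip().strip('"')
        module = rest.split(",", 1)[0].strip().strip('"') or None
    return binary, module


def parse_log(text: str):
    """Return (running process paths, list of RunEntry) from HijackThis log text."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            binary, module = parse_command(m.group("cmd"))
            entries.append(RunEntry(m.group("hive"), m.group("key"), m.group("name"),
                                    m.group("cmd"), binary, module))
    return processes, entries


def triage(entries):
    """Return (entry name, flag) pairs for the patterns worth a second look."""
    findings = []
    for e in entries:
        directory = ntpath.dirname(e.target).lower()
        base = ntpath.basename(e.target).lower()
        if not directory:
            # No path: which file runs depends on the search order, so the log
            # alone cannot tell which copy is loaded.
            findings.append((e.name, "unresolved-path"))
        elif WINDOWS_DIR_RE.match(directory) and base not in KNOWN_IN_WINDOWS_DIR:
            # A brand-name label ("KavSvc") starting an unknown file from the
            # Windows directory is the pattern the reviewer singled out.
            findings.append((e.name, "system-dir-unknown"))
    return findings


def unexplained_processes(processes, entries):
    """Running processes not accounted for by a Run entry or the core OS set; the
    reviewer has to explain each one (here only HijackThis itself, started by hand)."""
    started = {ntpath.basename(e.binary).lower() for e in entries}
    started |= {ntpath.basename(e.module).lower() for e in entries if e.module}
    return [ntpath.basename(p) for p in processes
            if ntpath.basename(p).lower() not in started | CORE_PROCESSES]


if __name__ == "__main__":
    procs, runs = parse_log(SAMPLE_LOG)
    for name, flag in triage(runs):
        print(f"{flag:20} [{name}]")
    print("unexplained:", unexplained_processes(procs, runs))
```

The flags are prompts for a human, not verdicts: ShopSafe lands in neither list because it runs from its own Program Files folder, which is exactly why the original poster could vouch for it, while the KavSvc entry is flagged because the label and the file name have nothing to do with each other and the file is unknown in System32.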
 
Disable the NVIDIA Display Driver Service...
Start | Run | Type: services.msc | OK |
Scroll down to and double click: NVIDIA Display Driver Service |
Under Startup type set to Disabled | Apply | Click the Stop button |
When it stops click OK | You may have to reboot
----

NvMediaCenter
[[RunDLL32.exe NvMCTray.dll, NvTaskbarInit System Tray icon used to manage
settings for nVidia based graphics cards. May be required for some 3D
applications to recognize your card correctly - such as the game
"Everquest". Otherwise, settings can be changed manually via Display
Properties]]

Nview.dll = NVIDIA nView Desktop and Window Manager

Name NVIEW
Command rundll32.exe nview.dll, nViewLoadHook
Description This is a DLL to enable multiple display monitors on a single
computer. It can be a cause of numerous problems on some computers
---

NvCplDaemon
System Tray icon used to change display settings, change the clock rate and
memory speed for nVidia based graphics cards. This is unnecessary since you
can easily configure these settings the way you want them in the Display
Properties and not have to mess with them again. Also disable the "NVIDIA
Driver Helper Service" if enabled as it can cause this entry to be
re-enabled on re-boot (note that this service can also cause extreme
shutdown delays if enabled - see
http://www.blackviper.com/WinXP/strangeservice.htm
----

nwiz.exe = NVIDIA nView Wizard
[[Application enables the user to have 32 virtual desktops, get a desktop
larger than the viewable area of the monitor, divide the display across
more than one monitor, manage applications and much more.]]
----

Manually delete these three entries:
NvCplDaemon, NvMediaCenter and nwiz.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
REG_SZ
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
REG_SZ
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
REG_SZ
nwiz.exe /install

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Claude,
ShopSafe is a legitimate program from MBNA America to allow use of one-time credit card numbers for security purposes. What about the item ncnk.exe that can't be found in the files and tries to load itself?


 
Hi *Fox Hunter*:
Claude,
ShopSafe is a legitimate program from MBNA America to allow use of one-time credit card numbers for security purposes.
What about the item ncnk.exe that can't be found in the files and tries to load itself?

I found almost nothing about "ncnk.exe"!
I checked your HJT log again and it's not there.
And almost nothing with Google...

Very strange...

Some malware generates random names to stay hidden from the user...

1- Kill that process
2- Update your anti-virus and your anti-spyware and run them in safe mode.
3- Some tools and links:

A) "Mini-antivirus" tools to be run in safe mode:

Stinger :
http://vil.nai.com/vil/stinger/

Avast cleaner :
http://www.avast.com/eng/avast_cleaner.html

MS:
http://www.microsoft.com/downloads/...e0-e72d-4f54-9ab3-75b8eb148356&displaylang=fr

Kaspersky:
ftp://ftp.kaspersky.ru/utils/clrav.com

Anti Root-Kits
F-Secure (beta)
http://www.f-secure.com/blacklight/

B) Online scan:

Anti-trojan:
http://www.windowsecurity.com/trojanscan/

Anti-spy:
http://www.spywareguide.com/txt_onlinescan.html
http://store.ca.com/dr/v2/ec_main.e...lient=ComputerAssociates&sid=35715&CID=181432

Anti-virus:
www.trendmicro.com

Let us know.

:)

--
Claude LaFrenière [MVP] :-)

 
I, too, say very strange. You probably found the same reference I saw in Google. Have used the scanners I have, Ad-aware, Spybot, MS Anti-Spyware, in safe mode and they found nothing, so far. Will keep trying and let the group know what found it.
 
Hello *Fox Hunter*:
I, too, say very strange. You probably found the same reference I saw in Google.
Have used the scanners I have, Ad-aware, Spybot, MS Anti-Spyware, in safe mode
and they found nothing, so far. Will keep trying and let the group know what found it.

OK.

Can you kill the process with Task Manager?

Here are some places to check in the registry and system files for startup
entries, where malware hijacks Windows registry keys...

Ref.: http://www.lacave.net/~jokeuse/usenet/demarrage.html
(Fr. usenet virus newsgroup FAQ)
(Well, in French, not English. Here is a (short) translation):

1. Startup folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup = "C:\windows\startup menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup = "C:\windows\startup menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Common Startup = "C:\windows\startup menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Common Startup = "C:\windows\startup menu\programs\startup"

2. Win.ini


[windows]
load = file1.exe
run = file2.exe


3. System.ini

edit with msconfig.exe.

[boot]
Shell = Explorer.exe


[386Enh]

Example:
device = virus.vxd

4. Autoexec.bat

Example: some weird batch file...


5. Config.sys

Example:
shell=c:\command.com /e:32768 /k c:\infected.bat

6. RUN Keys (check those first)


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_USERS\xxxxxx\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_USERS\xxxxxx\Software\Microsoft\Windows\CurrentVersion\RunOnce]
xxxxxx = User SID

7. Services


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service_Name]

8. Control

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]

Example:
BootExecute = program-abc.exe

(For indirect launching via a file rename...)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]

PendingFileRenameOperations = \??\c:\temp\worm.sys !\??\c:\winnt\system32\prog.sys

In this example the malware file "worm.sys" will be replaced by "prog.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices]

9. AppInit_DLLs, Load and Run


All those DLLs are loaded at each session startup. A good place to hide a malware DLL...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = program-XYZ.exe
Load = c:\Folder\Program-XYX.exe
Run = c:\explorer.scr


10. Winlogon


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = c:\windows\system32\svcpack.exe
Other keys to check: Notify, Shell, System, VmApplet.


11. ShellServiceObjectDelayLoad

Run when Explorer is started.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
{One_Key} = 'Service Name'

Along with it, [HKEY_CURRENT_USER\Software\Classes\CLSID\{One_Key}\InProcServer32] must exist.


12. SharedTaskScheduler

To start an application at the same time as Explorer:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
{One_Key} = 'Un Nom de Service'

{One_Key} must be declared in [HKEY_CLASSES_ROOT\CLSID]


13. Autorun

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]

Example:
AutoRun = c:\Startup.cmd


14. Hijack of registry commands:

Each key should have the value "%1" %*. If it is changed to serveur.exe "%1" %*, the file serveur.exe will be executed

every time an exe/pif/com/bat/hta is launched. Note that the principle can be extended to other file types.

When the key must have the value "%1" %*,
the malware replaces it with something else..

Normally:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]

(For all those keys:) (Default) = "%1" %*


15. Windows explorer startup


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]

default is "explorer.exe"

The "path" must be checked there:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\Path],
[HKEY_CURRENT_USER\Environment\Path].


16. ActiveX

Started *BEFORE* the Run keys!!!!!!!!!!

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{One_Key}]
StubPath = c:\"path"\Program-XYZ.exe


17. Hijack of Group Policies

Before the session opens:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\Machine\Scripts\Startup

After the session opens:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\User\Scripts\Logon


Before any deletion:
check *before* to be sure of what you're doing,
export the key (save it...)
and proceed (one suspected key at a time...)

Ask in the news group before...

Hope this helps.

Let us know.

:)

--
Claude LaFrenière [MVP] :-)

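The locations listed above can be checked mechanically against a registry export rather than by reading Regedit. The following is an added example, not code from the thread or from the referenced FAQ: it parses a .reg file (the text format Regedit's "Export" writes), compares the shell\open\command defaults, the Winlogon Shell and Userinit values and AppInit_DLLs with their stock values, and lists every Run/RunOnce value for the reviewer to go through one at a time. The export is constructed for the demonstration, the stock values are assumed Windows XP defaults (userinit.exe with a trailing comma is the assumed Userinit value), and the EXAMPLE-* file names are placeholders, not real files.

```python
"""Compare a Regedit export of the autostart locations listed in the thread with
their stock values (added example, not code from the thread). Only REG_SZ data is
decoded; other value types are kept as raw text. Stock values are assumed XP
defaults, and the export below is constructed for the demonstration."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NT_WINDOWS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed export: the exefile command and AppInit_DLLs deviate from stock;
# EXAMPLE-wrapper.exe and EXAMPLE-hook.dll are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Program Files\\Example\\EXAMPLE-wrapper.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\EXAMPLE-hook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"KavSvc"="C:\\WINDOWS\\System32\\vavknn.exe reg_run"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')


def expected_values():
    """Stock values for the locations in the thread's list (assumed XP defaults)."""
    exp = {}
    for ft in ("exefile", "comfile", "batfile", "htafile", "piffile"):
        for root in ("HKEY_CLASSES_ROOT", r"HKEY_LOCAL_MACHINE\Software\CLASSES"):
            exp[(root + "\\" + ft + r"\shell\open\command", "@")] = '"%1" %*'
    exp[(WINLOGON, "Shell")] = "explorer.exe"
    exp[(WINLOGON, "Userinit")] = r"c:\windows\system32\userinit.exe,"
    exp[(NT_WINDOWS, "AppInit_DLLs")] = ""
    return exp


def unescape(s):
    # .reg string escapes: \\ becomes \ and \" becomes "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: data}}; '@' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group(1) else unescape(vm.group(2))
            data = vm.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])   # REG_SZ; hex:/dword: stays raw
            keys[current][name] = data
    return keys


def check(keys):
    """(key, value name, found, expected) for every exported location that differs
    from stock. Registry paths and names are case-insensitive, so compare that way;
    locations absent from the export are skipped, since partial exports are normal."""
    by_lower = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in keys.items()}
    findings = []
    for (key, name), want in expected_values().items():
        values = by_lower.get(key.lower())
        if values is None:
            continue
        got = values.get(name.lower())
        if got is None or got.lower() != want.lower():
            findings.append((key, name, got, want))
    return findings


def run_entries(keys):
    """Every value under a Run/RunOnce/RunServices key (the thread's point 6)."""
    return [(k, n, v) for k, vals in keys.items()
            if re.search(r"\\Run(Once|Services|ServicesOnce)?$", k, re.I)
            for n, v in vals.items()]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, name, got, want in check(parsed):
        print(f"DEVIATES {key} [{name}]\n  found:    {got!r}\n  expected: {want!r}")
    for key, name, data in run_entries(parsed):
        print(f"REVIEW   {key} [{name}] = {data}")
```

Exporting the keys first, as the post advises, also gives the checker its input: `reg export` of each location to a text file, or a single Regedit export of the branches, can be fed to `parse_reg` as-is, and the same file is the backup to restore from if a deletion turns out to be wrong.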
 