
Attacked by Trojan Horse BHO.AXY (ccfgntj.dll)

Discussion in 'Malware and Virus Removal Archive' started by satria, 2007/09/17.

  1. 2007/09/17
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Hi guys,

    I came across this forum when I was in the midst :confused: of freeing my PC from this popping-up trojan that can't be killed by AVG - Trojan Horse BHO.AXY (ccfgntj.dll) - and a few others that I recognized as trojans :mad: :mad:.

    I've gone through the forums on similar cases (different trojan names) and I did follow the steps for removing the trojans, but AVG still keeps popping up with messages to heal and to reboot my PC.

    Please advise me on this matter and how to get rid of these trojans :) and here is the HJT log of my PC:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:55, on 2007-09-17
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\YTBSDK.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Dev\Desktop\zSAM\Appn\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\ccfgntj.dll
    O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O20 - Winlogon Notify: lbialanj - C:\WINDOWS\SYSTEM32\ccfgntj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)


    :( :eek:
     
  2. 2007/09/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS, satria :)

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2007/09/17
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Hi Noah,

    Thank you :) for replying to my post... I've followed your instructions, and here are the logs :cool:

    Combofix Log:

    ComboFix 07-09-17.2 - "Dev" 2007-09-18 11:36:38.4 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.47 [GMT 8:00]
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
    .

    2007-09-13 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-13 13:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-13 13:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-09-13 11:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
    2007-09-12 08:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-09-11 09:46 <DIR> d-------- C:\!KillBox
    2007-09-06 09:05 756,224 --a------ C:\WINDOWS\system32\dnsstorw.dll
    2007-09-06 09:05 48,640 --a------ C:\WINDOWS\system32\wvzidzqe.dll
    2007-09-06 09:05 17,280 C:\WINDOWS\system32\drivers\ugtemwkc.sys
    2007-09-06 09:05 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
    2007-09-06 09:04 88,064 --a------ C:\WINDOWS\system32\pttlsezb.dll
    2007-09-06 09:04 46,592 --a------ C:\WINDOWS\system32\wcizumyr.dll
    2007-09-06 09:04 129,024 --a------ C:\WINDOWS\system32\klrbvmth.dll
    2007-09-06 08:50 82,944 --a------ C:\WINDOWS\system32\ccfgntj.dll
    2007-09-06 08:49 88,576 --a------ C:\WINDOWS\system32\dskquouih.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    1997-10-24 13:20 25088 --a------ C:\WINDOWS\inf\regl3acm.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-13_115536.55 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 32,768 2007-09-18 03:27:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-18 03:27:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-18 03:27:40 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w 94,208 2007-09-07 03:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    ----a-w 946,176 2007-09-07 03:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    ----a-w 213,048 2005-05-24 03:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    ----a-w 163,328 2007-03-13 02:57:12 C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    .
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    2007-09-11 07:47 82944 --a------ c:\windows\system32\ccfgntj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    2007-09-06 09:05 88064 --a------ c:\windows\system32\pttlsezb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 07:48]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07]

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys
    R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys

    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-18 11:38:16
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-18 11:39:14
    C:\ComboFix-quarantined-files.txt ... 2007-09-18 11:39
    C:\ComboFix3.txt ... 2007-09-13 12:35
    C:\ComboFix2.txt ... 2007-09-18 11:22
    .
    --- E O F ---


    Hijackthis Log:


    Logfile of HijackThis v1.99.1
    Scan saved at 11:47, on 2007-09-18
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Dev\Desktop\zSAM\Appn\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\ccfgntj.dll
    O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
     
  5. 2007/09/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Now let's get rid of the grime ;)

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    
    Collect::
    C:\WINDOWS\system32\dnsstorw.dll
    C:\WINDOWS\system32\wvzidzqe.dll
    C:\WINDOWS\system32\drivers\ugtemwkc.sys
    C:\WINDOWS\system32\libssl32.dll
    C:\WINDOWS\system32\pttlsezb.dll
    C:\WINDOWS\system32\wcizumyr.dll
    C:\WINDOWS\system32\klrbvmth.dll
    C:\WINDOWS\system32\ccfgntj.dll
    C:\WINDOWS\system32\dskquouih.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    
    Driver::
    girynokv
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
     
  6. 2007/09/18
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah,

    I've done as instructed...AVG still pops up with ccfgntj.dll warnings :( ..

    Here are the log reports:


    ComboFix

    ComboFix 07-09-17.2 - "Dev" 2007-09-18 13:25:18.5 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.76 [GMT 8:00]
    Command switches used :: C:\Documents and Settings\Dev\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ccfgntj.dll . . . . failed to delete
    C:\WINDOWS\system32\dnsstorw.dll
    C:\WINDOWS\system32\drivers\ugtemwkc.sys . . . . failed to delete
    C:\WINDOWS\system32\dskquouih.dll
    C:\WINDOWS\system32\klrbvmth.dll
    C:\WINDOWS\system32\libssl32.dll
    C:\WINDOWS\system32\pttlsezb.dll . . . . failed to delete
    C:\WINDOWS\system32\wcizumyr.dll
    C:\WINDOWS\system32\wvzidzqe.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_GIRYNOKV
    -------\girynokv


    ((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
    .

    2007-09-13 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-13 13:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-13 13:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-09-13 11:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
    2007-09-12 08:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-09-11 09:46 <DIR> d-------- C:\!KillBox
    2007-09-06 09:05 17,280 C:\WINDOWS\system32\drivers\ugtemwkc.sys
    2007-09-06 09:04 88,064 --a------ C:\WINDOWS\system32\pttlsezb.dll
    2007-09-06 08:50 82,944 --a------ C:\WINDOWS\system32\ccfgntj.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    1997-10-24 13:20 25088 --a------ C:\WINDOWS\inf\regl3acm.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-13_115536.55 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 32,768 2007-09-18 05:28:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-18 05:28:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-18 05:28:40 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w 94,208 2007-09-07 03:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    ----a-w 946,176 2007-09-07 03:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    ----a-w 213,048 2005-05-24 03:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    .
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    2007-09-11 07:47 82944 --a------ c:\windows\system32\ccfgntj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    2007-09-06 09:05 88064 --a------ c:\windows\system32\pttlsezb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 07:48]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07]

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys
    R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys

    *Newly Created Service* - GIRYNOKV
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-18 13:31:14
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-18 13:32:31 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-18 13:32
    C:\ComboFix2.txt ... 2007-09-18 11:39
    C:\ComboFix3.txt ... 2007-09-18 11:22
    .
    --- E O F ---


    Hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 13:42, on 2007-09-18
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\YTBSDK.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\Documents and Settings\Dev\Desktop\zSAM\Appn\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\ccfgntj.dll
    O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
     
  7. 2007/09/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's try again using a slightly different method.

    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\drivers\ugtemwkc.sys
    C:\WINDOWS\system32\pttlsezb.dll
    C:\WINDOWS\system32\ccfgntj.dll
    
    Driver::
    girynokv
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  8. 2007/09/18
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah,

    This is the fresh Combofix log... once I click the IE icon to open a window, AVG pops up with the same warning :( .

    Why can't these three files be deleted? It seems like they are hooked into IE; manual deletion cannot be done because these files are in use... :eek:


    Combofix

    ComboFix 07-09-18.4 - "Dev" 2007-09-19 9:36:19.6 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.67 [GMT 8:00]
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\drivers\ugtemwkc.sys
    C:\WINDOWS\system32\pttlsezb.dll
    C:\WINDOWS\system32\ccfgntj.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ccfgntj.dll . . . . failed to delete
    C:\WINDOWS\system32\drivers\ugtemwkc.sys . . . . failed to delete
    C:\WINDOWS\system32\pttlsezb.dll . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_GIRYNOKV
    -------\girynokv


    ((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
    .

    2007-09-13 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-13 13:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-13 11:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
    2007-09-12 08:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-09-11 09:46 <DIR> d-------- C:\!KillBox
    2007-09-06 09:05 17,280 C:\WINDOWS\system32\drivers\ugtemwkc.sys
    2007-09-06 09:04 88,064 --a------ C:\WINDOWS\system32\pttlsezb.dll
    2007-09-06 08:50 82,944 --a------ C:\WINDOWS\system32\ccfgntj.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    1997-10-24 13:20 25088 --a------ C:\WINDOWS\inf\regl3acm.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-13_115536.55 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 32,768 2007-09-18 23:41:26 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-18 23:41:26 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-18 23:41:26 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    .
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    2007-09-11 07:47 82944 --a------ c:\windows\system32\ccfgntj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    2007-09-06 09:05 88064 --a------ c:\windows\system32\pttlsezb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@ "=" " []
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 07:48]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07]

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys
    R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys

    *Newly Created Service* - GIRYNOKV
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-19 09:41:01
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-19 9:42:58 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-19 09:42
    C:\ComboFix3.txt ... 2007-09-18 11:39
    C:\ComboFix2.txt ... 2007-09-18 13:32
    .
    --- E O F ---
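    The "file in use" symptom satria describes above is what happens when a DLL is mapped into a running process; a BHO gets loaded into Internet Explorer (and Windows Explorer) as soon as the shell or browser starts, so the file cannot be unlinked while those processes live. The batch file below is an added example, not one of the tools posted in this thread, and it only reports, never deletes. It uses the module and service names from the logs above; the output file name is an assumption.

```batch
@echo off
REM Added example (not from this thread): list every running process that currently
REM has one of the reported DLLs mapped. A DLL held by a live process (here a BHO inside
REM iexplore.exe / explorer.exe) cannot be deleted until that process exits, which is
REM exactly the "file in use" error seen when deleting it by hand.
REM Module names are the ones reported in the thread; the output path is an assumption.
setlocal
set OUT=%USERPROFILE%\Desktop\loaded_modules.txt
echo Processes holding the suspect modules > "%OUT%"
for %%M in (ccfgntj.dll pttlsezb.dll) do (
    echo. >> "%OUT%"
    echo === %%M === >> "%OUT%"
    REM tasklist /m <module> prints each process with that module loaded,
    REM or "INFO: No tasks are running which match the specified criteria." when none does.
    tasklist /m %%M >> "%OUT%"
)
REM Kernel drivers are not listed by tasklist /m; report the driver service state instead.
echo. >> "%OUT%"
echo === girynokv driver service state === >> "%OUT%"
sc query girynokv >> "%OUT%" 2>&1
notepad "%OUT%"
endlocal
```

    Run it from normal mode, because that is where the BHO is loaded; in safe mode `tasklist /m` would show nothing for the DLLs even though the driver service may still be running. If `sc query` reports the driver as RUNNING in safe mode, that is the sign to check the SafeBoot registry keys next.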
     
  9. 2007/09/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    We're going to give ComboFix one more try, using yet another method.


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Hidden::
    C:\WINDOWS\system32\drivers\ugtemwkc.sys
    C:\WINDOWS\system32\pttlsezb.dll
    C:\WINDOWS\system32\ccfgntj.dll
    
    Driver::
    girynokv
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "@ "=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  10. 2007/09/18
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah,

    AVG resident shield keeps on warning me about the trojan...

    This is the latest combofix log:


    ComboFix 07-09-18.4 - "Dev" 2007-09-19 10:49:20.7 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.81 [GMT 8:00]
    Command switches used :: C:\Documents and Settings\Dev\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
    .

    2007-09-13 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-13 13:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-13 11:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
    2007-09-12 08:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-09-11 09:46 <DIR> d-------- C:\!KillBox
    2007-09-06 09:05 17,280 C:\WINDOWS\system32\drivers\ugtemwkc.sys
    2007-09-06 09:04 88,064 --a------ C:\WINDOWS\system32\pttlsezb.dll
    2007-09-06 08:50 82,944 --a------ C:\WINDOWS\system32\ccfgntj.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    1997-10-24 13:20 25088 --a------ C:\WINDOWS\inf\regl3acm.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-13_115536.55 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 32,768 2007-09-19 01:40:20 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-19 01:40:20 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-19 01:40:20 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    .
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    2007-09-11 07:47 82944 --a------ c:\windows\system32\ccfgntj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    2007-09-06 09:05 88064 --a------ c:\windows\system32\pttlsezb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@ "=" " []
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 07:48]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07]

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys
    R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys

    *Newly Created Service* - GIRYNOKV
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-19 10:54:50
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-19 10:56:28 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-19 10:56
    C:\ComboFix3.txt ... 2007-09-18 13:32
    C:\ComboFix2.txt ... 2007-09-19 09:43
    .
    --- E O F ---
     
  11. 2007/09/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I just noticed that I used the wrong command on that last attempt. Please try once more with the following.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Rootkit::
    C:\WINDOWS\system32\drivers\ugtemwkc.sys
    C:\WINDOWS\system32\pttlsezb.dll
    C:\WINDOWS\system32\ccfgntj.dll
    
    Driver::
    girynokv
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  12. 2007/09/18
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah,

    The grimm is still there :(

    Combofix log file:


    ComboFix 07-09-18.4 - "Dev" 2007-09-19 12:32:50.8 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.85 [GMT 8:00]
    Command switches used :: C:\Documents and Settings\Dev\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
    .

    2007-09-13 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-13 13:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-13 11:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
    2007-09-12 08:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-09-11 09:46 <DIR> d-------- C:\!KillBox
    2007-09-06 09:05 17,280 C:\WINDOWS\system32\drivers\ugtemwkc.sys
    2007-09-06 09:04 88,064 --a------ C:\WINDOWS\system32\pttlsezb.dll
    2007-09-06 08:50 82,944 --a------ C:\WINDOWS\system32\ccfgntj.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    1997-10-24 13:20 25088 --a------ C:\WINDOWS\inf\regl3acm.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-13_115536.55 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 32,768 2007-09-19 02:53:46 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-19 02:53:46 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-19 02:53:46 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    .
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    2007-09-11 07:47 82944 --a------ c:\windows\system32\ccfgntj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    2007-09-06 09:05 88064 --a------ c:\windows\system32\pttlsezb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@ "=" " []
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 07:48]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07]

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys
    R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys

    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-19 12:37:57
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-19 12:39:52 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-19 12:39
    C:\ComboFix2.txt ... 2007-09-19 10:56
    C:\ComboFix3.txt ... 2007-09-19 09:43
    .
    --- E O F ---
     
  13. 2007/09/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi satria,

    We need to see if the rogue service has added itself to be loaded in safe mode.
    Highlight and copy the contents of the quote box below to a blank notepad. Save it to the desktop as;

    Filename: check.bat
    Save as type: All Files (*.*)

    Double click check.bat to run it. It will open safebootkey.txt when it completes. Please post its contents if anything is listed.
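    The quote box with check.bat is not on this page. As an added example, and not the batch noahdfear posted, the script below performs the check that post describes: Windows starts a service or driver in safe mode only if a subkey for it exists under SafeBoot\Minimal (Safe Mode) or SafeBoot\Network (Safe Mode with Networking), so a rogue service that has registered itself there will survive a safe-mode boot. The service name and driver file name are the ones from the logs above; the output file name follows the post.

```batch
@echo off
REM Added example, not the check.bat from this thread: report any SafeBoot registration
REM for the rogue service name (girynokv) or its driver file (ugtemwkc.sys).
REM Windows loads, in safe mode, only the services/drivers that have a subkey under
REM   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal   (Safe Mode)
REM   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network   (Safe Mode with Networking)
REM Names below come from the thread; the output file name follows the post (safebootkey.txt).
setlocal
set SVC=girynokv
set DRV=ugtemwkc
set OUT=%USERPROFILE%\Desktop\safebootkey.txt
echo SafeBoot entries matching %SVC% or %DRV% > "%OUT%"
for %%K in (Minimal Network) do (
    echo. >> "%OUT%"
    echo === HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\%%K === >> "%OUT%"
    REM /s walks every subkey; findstr with two space-separated words matches either one.
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\%%K" /s 2>nul | findstr /i "%SVC% %DRV%" >> "%OUT%"
)
notepad "%OUT%"
endlocal
```

    The two header lines per key always appear; a hit shows up as a full key path (for example a subkey named after the service directly under Minimal or Network) beneath the matching header. Run it from an Administrator account, since reg.exe needs read access to the SYSTEM hive. An empty result, as satria reports in the next post, means the driver is not being loaded through SafeBoot, and the focus moves back to the R0 boot-start driver entry shown in the ComboFix logs.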
     
  14. 2007/09/19
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah,

    safebootkey.txt shows a blank notepad... by the way, before this thread started I did enter safe mode and managed to find these trojans:mad: :mad: but I cannot remove them.

    Usually safe mode is the other way of removing stubborn trojans...:confused:...err...I guess :eek:

    :cool:;) let's kick these trojans' butts...:p
     
  15. 2007/09/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've written a special batch to try. Download the zip file from the following link.

    http://noahdfear.net/downloads/remgirynokv.zip

    Save it to your desktop and extract it. Reboot into safe mode.
    Double click the remgirynokv.bat file to run it. It's going to kill explorer, which means your desktop and taskbar will disappear. It will restart explorer when it's done.

    Reboot to normal mode and create a new HijackThis log and post it here.
     
  16. 2007/09/20
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah... I did reply to your PM and I'm a bit confused :confused: on... did your last post come in first, or your PM? :D :D
     
  17. 2007/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The post was first. Re-download and run the batch again in safe mode. ;)
     
  18. 2007/09/20
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah.. I've downloaded the zip file & ran it in safe mode. OK, this is the window that pops up and shows these messages that I've typed... and I just answered 'NO' because I'm not really sure what it is. By the way, this set of messages came out twice before it disappears:


    C:\WINDOWS\System32\cmd.exe



    Please wait


    Error: Access is denied

    Error: Access is denied

    Error: Too many command-line parameters

    Error: Too many command-line parameters

    Error: The system was unable to find the specified registry key or value

    Error: The system was unable to find the specified registry key or value

    Error: Too many command-line parameters

    Error: Too many command-line parameters

    Permanentlydelete the registry key SYSTEM\CurrentControlSet\Enum\Root\LEGACY_girynokv dummy <Y/N>?_

    Permanentlydelete the registry key SYSTEM\CurrentControlSet\Services\girynokvdummy <Y/N>?_


    Please advise Noah :cool:
     
  19. 2007/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looking over the batch again right now........ sit tight.
     
  20. 2007/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've made a few modifications. Please delete both the zip file and the extracted bat file.

    Download a new copy from here. Save it to the desktop and double click, then click Start. It will extract to a folder of the same name on your desktop. Reboot to safe mode, open the folder and double click the remgirynokv.bat to run it. If prompted to delete any keys or rename files, answer Yes.

    Let me know if you get any more error messages.
     
  21. 2007/09/20
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah... did that and no error messages appeared, it ran automatically ;) but both trojans are still hanging tough :eek:

    :cool: ;) :D
     
