
Attacked by Trojan Horse BHO.AXY (ccfgntj.dll)

Discussion in 'Malware and Virus Removal Archive' started by satria, 2007/09/17.

  1. 2007/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Right click the check.bat we created on your desktop and select Edit. Replace its contents with the contents of the quote box below. Close and save changes. Double click to run and post the contents of the log that opens.

    Please post a fresh HijackThis log.
     
  2. 2007/09/21
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah...ran the altered check.bat

    result:

    A box with message

    "Cannot find the check.tx file. Do you want to create a new file? "

    I answered 'Yes'


    Check log file:

    ugtemwkc.sys present
    pttlsezb.dll present
    ccfgntj.dll present

    and a check.tx file was created....


    Hijackthis log file:


    Logfile of HijackThis v1.99.1
    Scan saved at 13:27, on 2007-09-21
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\YTBSDK.exe
    C:\Documents and Settings\Dev\Desktop\zSAM\Appn\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\ccfgntj.dll
    O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)


    ;) ;)
     


  4. 2007/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    My best guess is that when you copied the quote box above to check.bat, the trailing t was missed and it looks like this:

    start notepad check.tx

    :confused:

    Download the Killbox from here and save it to the desktop.

    • Double-click the KillBox icon on your desktop to open it
    • Select the box Replace on Reboot
    • Select the box Use Dummy
    • Copy the bolded filepath below and paste it into the 'Full path of File to Delete' window.

      C:\WINDOWS\system32\ccfgntj.dll

    • Click the red circle with a white X [Delete File] button.
    • Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.
    • Select the box Use Dummy again
    • Copy the bolded filepath below and paste it into the 'Full path of File to Delete' window.

      C:\WINDOWS\system32\pttlsezb.dll

    • Click the red circle with a white X [Delete File] button.
    • Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.
    • Select the box Use Dummy again
    • Copy the bolded filepath below and paste it into the 'Full path of File to Delete' window.

      C:\WINDOWS\system32\drivers\ugtemwkc.sys

    • Click the red circle with a white X [Delete File] button.
    • Click Yes at the Delete on Reboot prompt. Click Yes at the Pending Operations prompt.

    If the computer does not reboot on its own, restart it yourself.

    Upon reboot, run the remgirynokv.bat again (normal mode is fine). When done, restart the computer once more, then post a fresh HijackThis log.
     
  5. 2007/09/23
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah,

    This is the HJT log file and there is a new horse in the system :(



    Logfile of HijackThis v1.99.1
    Scan saved at 11:29, on 2007-09-24
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\YTBSDK.exe
    C:\Documents and Settings\Dev\Desktop\zSAM\Appn\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\jgsd400h.dll
    O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O20 - Winlogon Notify: lbialanj - C:\WINDOWS\SYSTEM32\jgsd400h.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
     
  6. 2007/09/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I have a theory that Killbox was successful in replacing those files with a dummy, which means they couldn't load again upon restart and that without them loaded, we can now see what they were hiding. Let's see what ComboFix can do now.

    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\drivers\ugtemwkc.sys
    C:\WINDOWS\system32\pttlsezb.dll
    C:\WINDOWS\system32\ccfgntj.dll
    C:\WINDOWS\SYSTEM32\jgsd400h.dll
    
    Driver::
    girynokv
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lbialanj]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
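    As an added illustration (not code from the thread or from any of the tools used in it), the small parser below does in code what the helper did by eye with the logs above: it reads the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log, flags unnamed BHOs loaded from system32 together with any Winlogon Notify hook that shares a DLL with them, and compares two logs to spot a BHO CLSID whose DLL was renamed between scans, as happened between the 2007-09-21 and 2007-09-24 logs. The sample lines are constructed from the entries posted in this thread; the function names are my own.

```python
import re

# Constructed sample input: a handful of HijackThis v1.99.1 lines of the kind
# posted in this thread, taken from the log before and after the Killbox step.
LOG_BEFORE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\ccfgntj.dll
O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""
LOG_AFTER = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\jgsd400h.dll
O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
O20 - Winlogon Notify: lbialanj - C:\WINDOWS\SYSTEM32\jgsd400h.dll
"""

# HijackThis line shapes: "O2 - BHO: <name> - {<CLSID>} - <path>" and
# "O20 - Winlogon Notify: <subkey> - <path>".
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return the O2 and O20 entries of a HijackThis log as a list of dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"],
                            "clsid": m["clsid"].upper(), "path": m["path"]})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append({"kind": "O20", "name": m["name"],
                            "clsid": None, "path": m["path"]})
    return entries


def basename(path):
    """Lower-cased file name, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    p = path.lower()
    return "\\windows\\system32\\" in p or "\\winnt\\system32\\" in p


def triage(entries):
    """Flag unnamed BHOs that live in the system directory, then any Winlogon
    Notify hook whose DLL is one of those BHOs (the pairing in the second log)."""
    findings = []
    bho_dlls = set()
    for e in entries:
        if e["kind"] == "O2" and e["name"] == "(no name)" and in_system_dir(e["path"]):
            findings.append({**e, "reason": "unnamed BHO loaded from the system directory"})
            bho_dlls.add(basename(e["path"]))
    for e in entries:
        if e["kind"] == "O20" and basename(e["path"]) in bho_dlls:
            findings.append({**e, "reason": "Winlogon Notify hook shares its DLL with a flagged BHO"})
    return findings


def changed_bho_paths(before, after):
    """CLSIDs registered in both logs whose DLL file name changed: the
    registration survives while the file on disk is dropped under a new name."""
    old = {e["clsid"]: e["path"] for e in before if e["kind"] == "O2"}
    changed = {}
    for e in after:
        if e["kind"] == "O2" and e["clsid"] in old:
            was, now = basename(old[e["clsid"]]), basename(e["path"])
            if was != now:
                changed[e["clsid"]] = (was, now)
    return changed


if __name__ == "__main__":
    after = parse_hjt(LOG_AFTER)
    for f in triage(after):
        print(f"{f['kind']:<4} {f['path']}  <- {f['reason']}")
    for clsid, (was, now) in changed_bho_paths(parse_hjt(LOG_BEFORE), after).items():
        print(f"BHO {{{clsid}}} changed DLL: {was} -> {now}")
```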
     
  7. 2007/09/30
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Hi Noah :) , sorry for the late reply. I was out of town on field work and just came back Sunday evening....:(

    I've done what you've asked for and here are the logs:

    ComboFix
    ComboFix 07-10.1.2 - Dev 2007-10-01 9:55:19.9 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.78 [GMT 8:00]
    Running from: C:\Documents and Settings\Dev\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Dev\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\drivers\ugtemwkc.sys
    C:\WINDOWS\system32\pttlsezb.dll
    C:\WINDOWS\system32\ccfgntj.dll
    C:\WINDOWS\SYSTEM32\jgsd400h.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\ugtemwkc.sys . . . . failed to delete
    C:\WINDOWS\System32\jgsd400h.dll . . . . failed to delete
    C:\WINDOWS\system32\pttlsezb.dll . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_GIRYNOKV
    -------\LEGACY_UUTOBPAL
    -------\girynokv
    -------\uutobpal


    ((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
    .

    2007-09-21 23:24 83,968 --a------ C:\WINDOWS\system32\jgsd400h.dll
    2007-09-20 12:57 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll
    2007-09-20 12:57 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll
    2007-09-20 12:57 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll
    2007-09-20 12:57 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll
    2007-09-20 12:57 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll
    2007-09-20 12:57 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll
    2007-09-13 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-09-13 13:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-13 11:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
    2007-09-12 08:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-09-11 09:46 <DIR> d-------- C:\!KillBox
    2007-09-06 09:05 17,408 C:\WINDOWS\system32\drivers\ugtemwkc.sys
    2007-09-06 09:04 88,064 --a------ C:\WINDOWS\system32\pttlsezb.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    1997-10-24 13:20 25088 --a------ C:\WINDOWS\inf\regl3acm.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-13_115536.55 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 135,168 2007-09-28 01:06:10 C:\WINDOWS\catchme.exe
    ----a-w 844,800 2007-07-22 10:39:28 C:\WINDOWS\system32\swreg.exe
    ----a-w 32,768 2007-10-01 01:27:14 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-10-01 01:27:14 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-10-01 01:27:14 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w 821,728 2007-09-21 16:29:06 C:\WINDOWS\system32\drivers\avg7core.sys
    ----a-w 6,144 2001-08-17 06:55:56 C:\WINDOWS\LastGood\System32\kbd101b.dll
    ----a-w 6,144 2001-08-17 06:55:56 C:\WINDOWS\LastGood\System32\kbd101c.dll
    ----a-w 5,632 2001-08-17 06:55:56 C:\WINDOWS\LastGood\System32\kbd103.dll
    ----a-w 6,144 2001-08-17 06:55:56 C:\WINDOWS\LastGood\System32\kbd106.dll
    ----a-w 8,704 2001-08-17 14:36:18 C:\WINDOWS\LastGood\System32\kbdjpn.dll
    ----a-w 8,192 2001-08-17 14:36:18 C:\WINDOWS\LastGood\System32\kbdkor.dll
    .
    ----a-w 109,056 2007-07-19 16:47:24 C:\WINDOWS\catchme.exe
    ----a-w 279,552 2007-07-22 10:39:28 C:\WINDOWS\system32\swreg.exe
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 344,064 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 32,768 2007-09-13 03:53:24 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w 821,600 2007-09-04 00:06:36 C:\WINDOWS\system32\drivers\avg7core.sys
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    2001-08-23 12:00 83968 --a------ c:\windows\system32\jgsd400h.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    2007-09-06 09:05 88064 --a------ c:\windows\system32\pttlsezb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@ "=" " []
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 07:48]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "<NO NAME> "=

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07]

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys
    R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys

    *Newly Created Service* - GIRYNOKV
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-01 10:01:52
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-01 10:03:32 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-10-01 10:03
    C:\ComboFix3.txt ... 2007-09-19 10:56
    C:\ComboFix2.txt ... 2007-09-19 12:39
    .
    --- E O F ---


    Hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 10:16, on 2007-10-01
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Dev\Desktop\zSAM\Appn\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\jgsd400h.dll
    O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
     
  8. 2007/09/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do you have an Operating System disc or a Recovery cd? Ever used the Recovery Console?
     
  9. 2007/09/30
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    I do not have either of them and have never used the Recovery Console before....:confused: ;)
     
  10. 2007/09/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do you have a cd burner? And a blank cd?
     
  11. 2007/09/30
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Yes...but it is on the other PC...
     
  12. 2007/09/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, we need to make a bootable cd that we can work from, so you'll need to get the following things on that computer, then make the cd and boot this computer with it.

    Download and install the ISO Recorder version for your operating system.


    Download and install the Microsoft Diagnostics and Recovery Toolset

    Insert a blank cd into your cd/dvd burner. Browse to C:\Program Files\Microsoft Diagnostics and Recovery Toolset and right click erd50.iso, then select Copy image to CD. Follow the instructions in the following link to finish creating the bootable cd.

    http://isorecorder.alexfeinman.com/HowTo.htm

    Once finished, restart this PC with the cd in the drive and boot to the cd. If successful, restart the computer but remove the cd upon startup and boot back into normal mode, then post back here to let me know it was successful. I'll post instructions on how to proceed from there.


    I'll check back in tomorrow evening.
     
