What is ccfgnt32.exe?

My wife had this show up on her computer and I have been unable to find out anything about it. I’m pretty sure it is some sort of malware but want to make sure it isn’t something important before I finish blowing it off her system.

It started when her anti-virus (we use Trend Micro) started hitting on C:\WINDOWS\ccfgnt32.exe, which it identified as “Spybot A.O.A.”, and said that it was unable to delete the file. The Trend Micro site had no other information on it.

I ran both Spybot S&D and AdAware and neither of them found anything, though the anti-virus alert came up several times while they were running. Hijack This only reported

When I looked in the Windows directory there was no ccfgnt32.exe to be found. I could see it running in Task Manager and killed the process from there, but it always came back within a few seconds.

I finally found it running as a service under the Services panel and was able to disable it there. This seems to at least have gotten it under control as it no longer shows up on any scans.

A Google search on ccfgnt32 doesn’t give me anything except a few other Hijack This logs; I haven’t found it identified anywhere. It looks like I’m going to have to edit the registry to finish getting rid of this thing but I’d like to know what it is first on the off chance that it might be something that is really supposed to be there. Anyone have any clues?

It is not a standard part of XP Pro or Home. Beyond that I cannot help you.

Good Luck,
Jim

I had no better luck than you searching for this, which confirms What Exit?'s description. When you look for the file make sure that you have the “view hidden files” turned on. Also, go to Start, Run and use msconfig to disable that service (check services and startup). If it’s really nasty, it might figure out how to re-enable itself, I don’t know.
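A scripted version of the checks suggested above (hidden files, services, and startup entries), as an added example that is not part of the original post. It assumes a Windows system with PowerShell 3.0 or later; the default file name is the one from this thread, and the helper function names are hypothetical.

```powershell
# Added example (not from the thread): find what launches a named binary and
# whether the file exists on disk with Hidden/System attributes.
param([string]$Name = 'ccfgnt32.exe')   # file name reported in this thread

function Get-ImagePath([string]$CommandLine) {   # hypothetical helper
    # Reduce a service/Run command line to the executable path.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $CommandLine
}

function Get-FileState([string]$Path) {          # hypothetical helper
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    # -Force makes Get-Item return files marked Hidden or System.
    $item = Get-Item -LiteralPath $expanded -Force -ErrorAction SilentlyContinue
    if ($item) { "present, attributes: $($item.Attributes)" } else { 'not found on disk' }
}

$pattern = [regex]::Escape($Name)

# Services whose image path references the file (the "services" check).
$hits = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Source  = "Service: $($_.Name) (StartMode=$($_.StartMode), State=$($_.State))"
            Command = $_.PathName
            File    = Get-FileState (Get-ImagePath $_.PathName)
        }
    })

# Run-key values that reference the file (the "startup" check).
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps -or "$($p.Value)" -notmatch $pattern) { continue }
        $hits += [pscustomobject]@{
            Source  = "Run key: $key [$($p.Name)]"
            Command = $p.Value
            File    = Get-FileState (Get-ImagePath "$($p.Value)")
        }
    }
}

if ($hits) { $hits | Format-List } else { "No service or Run entry references $Name" }
```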

I had something that had some letters then “32.exe” that I had a hard time getting rid of.

Here’s something I found just a second ago

I think I had to find out where the file was actually stored (I searched for the file name looking in all the hidden files) from there I was able to open the folder it was in and delete it manually.

Seemed to work…I don’t have it anymore.

That’s a hard one to find. Try uploading the file to this site, it scans your file with a bunch of different anti-virus software:

http://virusscan.jotti.org/

When I’m trying to figure out what a task is, this is the first place I go:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

If that fails (which in this case it did) I do a Google search on the name.
In this case, that didn’t help either.

This makes me think that whatever it is, it’s not part of any standard program. Some viruses/spyware/malware make a random name for themselves so that it’s harder for anti-virus and anti-spyware programs to find them. Usually, if you kill it from the task manager and it comes back, it’s part of a group of evil programs that monitor each other. Since you can only kill one program at a time, any program you kill gets restarted by any of the others, making it almost impossible to get all of them at once.

Poking around on Google, it looks like Spybot AOA is a known virus.

www.google.com/microsoft is a Microsoft-specific search engine. Very helpful sometimes when you get too many hits on a search.

Yep, I had a pair of them on my daughter’s computer. After getting rid of the other 15 or so virus and malware programs she had downloaded from game sites, I had a pair of executable files that kept reloading each other. I had to simultaneously run the TUT program from Answersthatwork.com and my windows task manager program and then delete both files quickly one after another. Took me about ten minutes of intense “whack-a-mole” action to kill them both off. I then erased the two from my hard drive and cleaned them out of the register.

Thanks everyone, I’m guessing what she got is the worm that Sigene identified since it uses a random collection of letters followed by 32.exe. That would explain why nothing shows up when I search for the filename I have.

I had done a search showing hidden files on her laptop so apparently this thing is able to launch itself then disappear. I’ll kill it from the registry tonight and hopefully that will be the end of it.

And it looks like I’m going to have to remind everyone in the house of the “don’t click on random links in e-mails” rule again… :mad: (sigh)

Thanks all for the help.

If removing it with Regedit does not keep it away, you might have to put the machine into Safe Mode, which will prevent most services from running, and then delete the object. Not too painful. F8 as the machine is booting up will get you into Safe Mode.

Hopefully that will do it. I had the pleasure of dealing with a rootkitted machine earlier this year and it was hell. The rootkit installed itself as a legacy-mode device driver and was able to hide itself and a variety of files from Windows Explorer, DOS prompts, and certain registry keys from Regedit.

Never did get it satisfactorily “cleaned”; I wound up reformatting the machine.