Antivirusxp08 removal [RESOLVED]
Jul 3 2008, 04:27 PM - Post #1
New Member | Posts: 4 | OS: XP
Hello!
Alright, my dad managed to get some spyware thing on his computer today, so he left me the job of removing it. The program that was installed is named "antivirusxp08", and at the start it blocked IE from opening and it left an ugly background on the computer. I managed to get IE working again, but I would really love some help removing this program 100%. I downloaded the program HijackThis and this is the log I got:

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:27:45, on 04.07.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\SigmaTel\C-dur-lyd\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\XU75CF.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\lphcc7qj0ejdr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bamble.vgs.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bamble.vgs.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lphcc7qj0ejdr] C:\WINDOWS\system32\lphcc7qj0ejdr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bamble.vgs.no
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bamblevgs.local
O17 - HKLM\Software\..\Telephony: DomainName = bamblevgs.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bamblevgs.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bamblevgs.local
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-dur-lyd\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7244 bytes
```
Jul 4 2008, 07:12 AM - Post #2
Malware Expert | Posts: 5,489 | From: Belgium | OS: XP Home, XP Pro, Vista
Hi,
I see you are running TeaTimer. I suggest you disable it, because it can interfere with the changes you'll make on your system. When everything is done and your log is clean again, you can enable it again. If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".) Double-click ResetTeaTimer.bat and let it run. This will only take a few seconds.

Then,

* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
Jul 4 2008, 09:21 AM - Post #3
New Member | Posts: 4 | OS: XP
Hi again,
I followed the guide and every step and ended up with this ComboFix log, together with a HijackThis log further down the page:

```
ComboFix 08-07-03.5 - NORA 2008-07-04 17:16:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1584 [GMT 2:00]
Running from: C:\Documents and Settings\nora\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\nora\Application Data\rhc97qj0ejdr
C:\Program Files\rhc97qj0ejdr
C:\WINDOWS\system32\blphcc7qj0ejdr.scr
C:\WINDOWS\system32\lphcc7qj0ejdr.exe
C:\WINDOWS\system32\phcc7qj0ejdr.bmp
C:\WINDOWS\system32\pphcc7qj0ejdr.exe

----- BITS: Possible infected sites -----

hxxp://bvs02
.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-04 16:42 . 2008-04-14 00:17 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-04 16:42 . 2008-04-14 00:17 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-04 16:41 . 2008-04-14 00:15 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-04 16:41 . 2008-04-14 00:15 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-03 23:29 . 2008-07-04 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 23:15 . 2008-07-03 23:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-03 23:15 . 2008-07-03 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-02 23:05 . 2008-07-02 23:06 <DIR> d-------- C:\Program Files\Google
2008-06-04 08:43 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-04 08:43 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-04 08:43 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-04 08:43 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-04 08:43 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-04 08:43 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-04 08:43 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-04 08:43 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-04 08:43 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 21:07 --------- d-----w C:\Program Files\Trend Micro
2008-06-03 08:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-24 14:05 --------- d-----w C:\Documents and Settings\nora\Application Data\InterVideo
2008-05-24 13:56 --------- d-----w C:\Documents and Settings\nora\Application Data\vlc
2008-05-15 10:09 --------- d-----w C:\Program Files\Java
2008-05-15 09:50 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-15 09:45 --------- d-----w C:\Program Files\CONEXANT
2008-05-15 09:38 --------- d-----w C:\Program Files\SigmaTel
2008-05-15 09:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-15 09:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-15 09:34 --------- d-----w C:\Program Files\Intel
2008-05-15 06:16 --------- d-----w C:\Documents and Settings\kvaa\Application Data\InstallShield
2008-05-14 12:16 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Efofex
2008-05-14 12:16 --------- d-----w C:\Program Files\InterVideo
2008-05-14 12:16 --------- d-----w C:\Program Files\Efofex
2008-05-14 12:16 --------- d-----w C:\Program Files\CASIO
2008-05-14 12:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Efofex
2008-05-14 12:15 --------- d-----w C:\Program Files\VideoLAN
2008-05-14 12:15 --------- d-----w C:\Program Files\PDFCreator
2008-05-14 12:15 --------- d-----w C:\Program Files\Common Files\Java
2008-05-14 12:14 --------- d-----w C:\Program Files\LingDys
2008-05-14 12:14 --------- d-----w C:\Program Files\EasyTouch 2000
2008-05-14 12:14 --------- d-----w C:\Program Files\Design Science
2008-05-14 12:14 --------- d-----w C:\Program Files\Borland
2008-05-14 12:13 --------- d-----w C:\Program Files\Telenor R&D
2008-05-14 12:13 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-14 12:12 --------- d-----w C:\Program Files\Microsoft Works
2008-05-14 12:11 --------- d-----w C:\Program Files\Vernier Software
2008-05-14 12:11 --------- d-----w C:\Program Files\MetodeData
2008-05-14 12:08 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 05:42 74,752 ----a-w C:\WINDOWS\system32\storprop.dll
2008-04-14 03:55 1,804 ----a-w C:\WINDOWS\system32\Dcache.bin
2008-04-14 03:51 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll
2008-04-14 03:51 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
2008-04-14 03:51 483,840 ----a-w C:\WINDOWS\system32\wzcsvc.dll
2008-04-14 03:51 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
2008-04-14 03:51 47,104 ----a-w C:\WINDOWS\system32\cnbjmon.dll
2008-04-14 03:51 35,328 ----a-w C:\WINDOWS\system32\pid.dll
2008-04-14 03:51 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
2008-04-14 03:51 20,992 ----a-w C:\WINDOWS\system32\hid.dll
2008-04-14 03:51 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 03:51 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll
2008-04-14 03:51 15,360 ----a-w C:\WINDOWS\system32\pjlmon.dll
2008-04-14 03:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 03:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 03:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 03:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 03:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 03:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 03:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 03:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 03:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 03:40 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 23:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 22:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 22:15 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 22:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 22:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 22:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 21:45 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 21:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 21:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 21:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 21:08 306,176 ----a-w C:\WINDOWS\system32\slbcsp.dll
2008-04-13 21:08 169,984 ----a-w C:\WINDOWS\system32\sccbase.dll
2008-04-13 21:08 101,888 ----a-w C:\WINDOWS\system32\gpkcsp.dll
2008-04-13 21:07 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 21:07 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 20:57 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 20:56 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 20:56 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 20:56 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dLL
2008-04-13 20:54 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 20:51 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 20:39 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 20:33 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 20:33 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 20:24 68,768 ----a-w C:\WINDOWS\system32\mmsystem.dll
2008-04-13 20:24 53,840 ----a-w C:\WINDOWS\system32\dosx.exe
2008-04-13 20:24 5,120 ----a-w C:\WINDOWS\system32\winnls.dll
2008-04-13 20:23 92,224 ----a-w C:\WINDOWS\system32\krnl386.exe
2008-04-13 20:22 3,338 ----a-w C:\WINDOWS\system32\redir.exe
2008-04-13 20:20 42,537 ----a-w C:\WINDOWS\system32\keyboard.sys
2008-04-13 20:19 35,648 ----a-w C:\WINDOWS\system32\ntio411.sys
2008-04-13 20:19 35,424 ----a-w C:\WINDOWS\system32\ntio412.sys
2008-04-13 20:19 34,560 ----a-w C:\WINDOWS\system32\ntio804.sys
2008-04-13 20:19 34,560 ----a-w C:\WINDOWS\system32\ntio404.sys
2008-04-13 20:19 33,840 ----a-w C:\WINDOWS\system32\ntio.sys
2008-04-13 20:18 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 20:15 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 19:53 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 19:52 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 19:09 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-02 23:06 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-06-07 16:12 702072]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-28 17:32 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-28 17:32 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-28 17:32 137752]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:42 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

*Newly Created Service* - APPMGMT
*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcc7qj0ejdr - C:\WINDOWS\system32\lphcc7qj0ejdr.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 17:17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 17:17:57
ComboFix-quarantined-files.txt 2008-07-04 15:17:53

Pre-Run: 73,313,681,408 bytes free
Post-Run: 73,368,649,728 bytes free

181 --- E O F --- 2008-06-04 07:41:04
```

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22, on 2008-07-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\SigmaTel\C-dur-lyd\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bamble.vgs.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bamble.vgs.no
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bamblevgs.local
O17 - HKLM\Software\..\Telephony: DomainName = bamblevgs.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bamblevgs.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bamblevgs.local
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-dur-lyd\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6164 bytes
```
Jul 4 2008, 09:34 AM - Post #4
Malware Expert | Posts: 5,489 | From: Belgium | OS: XP Home, XP Pro, Vista
Hi,
Much better...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

* Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Can you ask your dad if he set the following policies? Or if he's aware of them?

QUOTE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

Let me know. Also let me know how things are running now.
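The entries the expert acts on in this thread (the random-named `lphcc7qj0ejdr.exe` autostart and the process running from `C:\WINDOWS\TEMP` in the first log, the two `(no file)` orphans marked for fixing above) can be pulled out of a HijackThis log mechanically. This is an added example, not HijackThis code and not part of the thread; the sample log lines are constructed from the posted logs, and the letter/digit-alternation heuristic for random-looking names is my own assumption, not a HijackThis rule.

```python
"""Mechanical triage of HijackThis-style log lines (added example)."""
import re

# Constructed sample: a few lines modelled on the two HijackThis logs in the
# thread (the process running from TEMP, the random-named autostart, and the
# two "(no file)" orphans the expert has fixed), plus ordinary entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\TEMP\XU75CF.EXE
C:\WINDOWS\system32\lphcc7qj0ejdr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [lphcc7qj0ejdr] C:\WINDOWS\system32\lphcc7qj0ejdr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"""

# First drive-letter path ending in a binary extension. "Program Files" has a
# space in it, so only a quote character terminates the path body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|sys)\b', re.IGNORECASE)

# Assumed heuristic threshold: how many letter<->digit switches a file stem
# needs before it is called random-looking. Chosen so that legitimate names
# such as rundll32 (1 switch) pass while lphcc7qj0ejdr (4 switches) is flagged.
RANDOM_NAME_THRESHOLD = 3


def alternation_count(stem):
    """Count switches between letter runs and digit runs in a file stem."""
    classes = ['d' if c.isdigit() else 'a' for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def classify_path(path):
    """Return a reason string if the path looks suspicious, else None."""
    low = path.lower()
    filename = low.rsplit('\\', 1)[-1]
    stem = filename.rsplit('.', 1)[0]
    if '\\temp\\' in low:
        return 'executable running from a TEMP directory'
    if alternation_count(stem) >= RANDOM_NAME_THRESHOLD:
        return 'random-looking file name (letters and digits interleaved)'
    return None


def triage(log_text):
    """Return (severity, reason, line) tuples for entries worth a second look.

    'cleanup' marks registry entries whose target file no longer exists (the
    O2/O3 "(no file)" leftovers); 'suspicious' marks paths that match one of
    the heuristics above.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(('O2 ', 'O3 ', 'O4 ')) and line.endswith('(no file)'):
            findings.append(('cleanup', 'orphaned entry, target file is gone', line))
            continue
        match = PATH_RE.search(line)
        if match is None:
            continue
        reason = classify_path(match.group(0))
        if reason is not None:
            findings.append(('suspicious', reason, line))
    return findings


if __name__ == '__main__':
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f'[{severity}] {reason}\n    {line}')
```

Run against the constructed sample, the orphans come out as two cleanup items and the TEMP process plus both `lphcc7qj0ejdr.exe` lines as three suspicious items, while `hkcmd.exe` and `rundll32.exe` are left alone.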
Jul 4 2008, 10:06 AM - Post #5
New Member | Posts: 4 | OS: XP
Hello again!
Thank you very much for your help. Everything seems to run smoother now, and the option of changing, for example, backgrounds is now back.

Concerning the policies set, my dad is not aware of them, but then again he didn't quite know what they meant, so it was hard for him to really say anything. This computer was given to him by his job and many settings can be configured by them before it's handed out to the workers. Either way, the problems seem to be gone now, so it might be the correct policies shown.

Though, there is still one small thing left. At control panel options, and add/remove programs, the symbol for antivir08 is still visible. Is there any way to remove it from there? I'm not sure if clicking change/remove will make any difference, as that was what I did the first time to try and get rid of this problem.

Regards,
andros
Jul 4 2008, 10:55 AM - Post #6
Malware Expert | Posts: 5,489 | From: Belgium | OS: XP Home, XP Pro, Vista
Hi,
For the policies, since this is a laptop from work, I guess they have set it... so better leave that alone.

To delete the Antivirus2008 reference in add/remove programs...
Jul 4 2008, 11:05 AM - Post #7
New Member | Posts: 4 | OS: XP
Everything works 100% again now.
We really appreciate the help you have given us; we would have had no chance to remove this without your expertise. Thank you once more.

Regards,
andros
Jul 4 2008, 11:39 AM - Post #8
Malware Expert | Posts: 5,489 | From: Belgium | OS: XP Home, XP Pro, Vista
Glad I could help.
Please read my Prevention page with lots of info and tips on how to prevent this in the future. And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
Jul 11 2008, 01:56 AM - Post #9
Malware Expert | Posts: 5,489 | From: Belgium | OS: XP Home, XP Pro, Vista
Since this issue appears to be resolved... this Topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else, please begin a New Topic.