Blue screen

Discussion in 'Malware Help (A Specialist Will Reply)' started by laekm, Sep 5, 2008.

  1. laekm

    laekm Private E-2

    Hello, I got this problem when my son tried to download an OC part from a torrent, I don't know which one, last Saturday. The screen became blue with a message window that said WARNING WARNING WIN32 Adware/virtumonde. This was a fake window, a mere image; I couldn't press any of the buttons. The properties of the screen changed: instead of five I only had three options, so I couldn't change my screen back to normal. I use avast and I got warnings that I had a virus. I moved them to the chest, but every time I restarted the computer the warnings came back. I looked on the net for solutions and finally ran into you who fixed :) but first I tried something called Spy Hunter, but it didn't help. I also tried something from someone who called herself pcbutts; at first it seemed to work, but it didn't. I tried to do a system restore but couldn't, because the date before this happened was not available. Also, network connections popped up every time I tried to open up a new window; I use Firefox. So now I send the log reports.
    Sorry, I can't find SASlog.txt and the Malwarebytes Anti-Malware log.
    Thanks a lot

    Lars Ekman
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The below information shows you where they are. Please attach them.
    Code:
    "C:\Documents and Settings\Gunilla\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    supera~1.log   2008-09-05        4477  "SUPERAntiSpyware Scan Log - 09-05-2008 - 07-03-42.log"
     
     
    "C:\Documents and Settings\Gunilla\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    mbam-l~1.txt   2008-09-05        3414  "mbam-log-2008-09-05 (15-07-45).txt"
    You have leftovers from Symantec to remove. Please run the below, then reboot. After the reboot, run it one more time.

    Norton Removal Tool (SymNRT)

    Now go to Add/Remove Programs and uninstall Dealio Toolbar 3.1

    Some items listed below may not be found after doing the above. Just ignore them and continue if not found.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click; use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only). Select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program\Dealio\kb123\Dealio.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program\Dealio\kb123\Dealio.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [au] C:\Program\Dealio\DealioAU.exe
    O4 - HKCU\..\Run: [Update Service] C:\Program\DELADE~1\TEKNUM~1\update.exe /startup
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program\Dealio\kb123\Dealio.dll
    O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program\Dealio\kb123\Dealio.dll

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that the combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop, but do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Sep 10, 2008
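    The HijackThis lines in the fix above all hang off the same few files: Dealio.dll is registered as a BHO (O2), as a toolbar (O3) and twice as an IE button/menu item (O9), and DealioAU.exe is an autostart (O4). The small parser below is an added example, not code from the thread or from MajorGeeks; it reads O2/O3/O9 COM-registration lines and O4 Run-key lines in the format HijackThis prints and groups them by the file they point at, so you can see every hook one unwanted DLL has planted and why the whole set has to be fixed together. The input is the set of lines from the post above; the regular expressions and helper names are my own.

```python
import re
from collections import defaultdict

# Sample input: the HijackThis lines from the fix above, copied verbatim.
HJT_LINES = r"""
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program\Dealio\kb123\Dealio.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program\Dealio\kb123\Dealio.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [au] C:\Program\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [Update Service] C:\Program\DELADE~1\TEKNUM~1\update.exe /startup
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program\Dealio\kb123\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program\Dealio\kb123\Dealio.dll
"""

# O2 (BHO), O3 (toolbar) and O9 (IE button / Tools menu item) share one layout:
# "Onn - <kind>: <name> - {CLSID} - <path or (no file)>"
COM_RE = re.compile(r'^(O[239]) - ([^:]+): (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$')
# O4 autostarts: "O4 - HKLM\..\Run: [value name] <command line>"
RUN_RE = re.compile(r'^(O4) - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')


def _exe_from_command(cmd):
    """Strip arguments from a Run-key command line; quoted paths may contain spaces."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def parse_hjt(text):
    """Turn HijackThis O2/O3/O4/O9 lines into dicts; unknown line types raise."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COM_RE.match(line)
        if m:
            section, kind, name, clsid, path = m.groups()
            orphan = path == "(no file)"          # CLSID registered, DLL already gone
            entries.append({"section": section, "kind": kind, "name": name,
                            "clsid": clsid.upper(), "path": None if orphan else path,
                            "orphan": orphan})
            continue
        m = RUN_RE.match(line)
        if m:
            section, hive, name, cmd = m.groups()
            entries.append({"section": section, "kind": f"{hive} Run", "name": name,
                            "clsid": None, "path": _exe_from_command(cmd), "orphan": False})
            continue
        raise ValueError(f"unrecognised HijackThis line: {line}")
    return entries


def group_by_file(entries):
    """Map lower-cased file path (Windows paths are case-insensitive) -> entries using it."""
    by_file = defaultdict(list)
    for e in entries:
        by_file[(e["path"] or "(no file)").lower()].append(e)
    return dict(by_file)


def find_by_path_substring(entries, needle):
    """Every registration whose target path mentions `needle` (e.g. a vendor name)."""
    needle = needle.lower()
    return [e for e in entries if e["path"] and needle in e["path"].lower()]


if __name__ == "__main__":
    for path, regs in group_by_file(parse_hjt(HJT_LINES)).items():
        print(f"{path}: {len(regs)} registration(s): " +
              ", ".join(f"{r['section']} {r['kind']}" for r in regs))
```

Grouping by file rather than by line is the useful view: the four Dealio.dll registrations and the DealioAU.exe autostart are one adware install, and an O2 entry left behind with "(no file)" is a dead CLSID that still merits cleanup even though the DLL is gone.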
  3. laekm

    laekm Private E-2

    Hello! After the first session with you my computer has been healed, as far as I know; those problems have disappeared. It's like magic to me, what you do. I'm really fascinated that you do this to help people like me. I'm not one of those who understand binary, but I'm happy you do. I'm so grateful to you :)

    When I ran the Norton uninstaller and restarted the computer the screen was blue and it stalled; I had to turn it off manually by pushing the button. The next restart was OK. When I added the fixme.reg I got the message in Swedish (as I am Swedish)
    that it had registered; it didn't say it had succeeded, but I suppose this was the same thing. After my first session with you I installed the Online Armor firewall. I got one message from it asking whether I should allow a program called backweb and, in connection with that, sprite6.exe. I did; was that OK? I don't remember installing this program; according to the properties it was done in the beginning of August this year. I also had to click the mouse a number of times while ComboFix was running, as Online Armor was asking all the time whether I should allow a number of operations ComboFix wanted to execute. My computer stalled a number of times after that when I had to restart it, and I had to shut it down manually and try over again.

    Another question: every time I start my computer I get this message from Samsung Digital, "The newest version of ODD Firmware live update program is in a server", and then I get a message that I have new firmware that needs to be installed, TSST corp CD/DVD S4-S182-D. Installing it doesn't work, and how do I get rid of these messages, as I'm getting tired of them?

    I'm sending you C:\MGlogs.zip with my next reply, as I can't fit in more than three at a time.

    God Bless

    Lars Ekman
     

    Attached Files:

  4. laekm

    laekm Private E-2

    Hello, here comes C:\MGlogs.zip

    God Bless again

    Lars Ekman
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is why one of the IMPORTANT NOTES given in the READ & RUN ME instructions says the below
    What you did made it harder, if not impossible, to fix your problems. In addition, the original instructions in the READ & RUN ME for ComboFix state
    Thus what happened is that ComboFix did not run properly and the fix did not work. You need to uninstall Online Armor, reboot, and then run the fix from the point of using ComboFix all the way to the end again. Please recreate the CFScript.txt file, as I also fixed a typo in the procedure.

    This is not a topic for the malware removal forum. You are just running programs that automatically get updates for some of the software and hardware on your PC. The Backweb software is your ActivSurf software. Backweb is used by many companies to do automatic updating. Many people in the malware removal support area do not like the way this software works and often remove it. You can stop both the Samsung updates and the backweb stuff by using the analyse.exe program as I showed you in my last fix and having it fix the below lines:


    O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    O4 - HKLM\..\Run: [Name of App] C:\Program\SAMSUNG\FW LiveUpdate\FWManager.exe r
     
    Last edited: Sep 10, 2008
  6. laekm

    laekm Private E-2

    Hello helper!

    Just to clear some things up: when I used ComboFix the first time I didn't have Online Armor installed. After reading the READ & RUN ME instructions I thought I should install a firewall; I misunderstood that, so the next time I ran ComboFix I had Online Armor installed, and it was then that my computer stalled. Now I have uninstalled Online Armor and gone through your last fix from the ComboFix point one more time. My screen has become blue twice since your last reply, but it has been possible to change it to any image I choose. After the READ & RUN ME my computer improved a lot, but recently it has slowed down significantly.

    Lars Ekman
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please delete the below folder:
    C:\WINDOWS\rnapxs

    This may be due to what you are running. Your last logs showed C:\Program\Azureus\Azureus.exe running, and because of this you have opened up your PC to be accessed by the whole world. For example, your last logs show all the below connections:
    Code:
        Showing TCP and UDP Network Statistics                                      
        ----------------------------------------------------------------------------
    TCP Statistics for IPv4
      Active Opens                            = 795
      Passive Opens                           = 322
      Failed Connection Attempts              = 63
      Reset Connections                       = 116
      Current Connections                     = 74
      Segments Received                       = 111038
      Segments Sent                           = 80496
      Segments Retransmitted                  = 249
    Active Connections
      Proto  Local Address             Foreign Address           State
      TCP    Charles:3271              localhost:3272            ESTABLISHED
      TCP    Charles:3272              localhost:3271            ESTABLISHED
      TCP    Charles:3273              localhost:3274            ESTABLISHED
      TCP    Charles:3274              localhost:3273            ESTABLISHED
      TCP    Charles:3618              localhost:3619            ESTABLISHED
      TCP    Charles:3619              localhost:3618            ESTABLISHED
      TCP    Charles:3620              localhost:3621            ESTABLISHED
      TCP    Charles:3621              localhost:3620            ESTABLISHED
      TCP    Charles:3622              localhost:3623            ESTABLISHED
      TCP    Charles:3623              localhost:3622            ESTABLISHED
      TCP    Charles:3651              localhost:12080           ESTABLISHED
      TCP    Charles:3656              localhost:12080           ESTABLISHED
      TCP    Charles:3658              localhost:12080           ESTABLISHED
      TCP    Charles:3661              localhost:12080           ESTABLISHED
      TCP    Charles:5152              localhost:3692            CLOSE_WAIT
      TCP    Charles:12080             localhost:3651            ESTABLISHED
      TCP    Charles:12080             localhost:3656            ESTABLISHED
      TCP    Charles:12080             localhost:3658            ESTABLISHED
      TCP    Charles:12080             localhost:3661            ESTABLISHED
      TCP    Charles:3033              195.54.111.96:http        CLOSE_WAIT
      TCP    Charles:3566              195.54.111.99:http        TIME_WAIT
      TCP    Charles:3567              195.54.111.99:http        TIME_WAIT
      TCP    Charles:3679              spc1-pool8-0-0-cust222.cosh.broadband.ntl.com:23485  ESTABLISHED
      TCP    Charles:3682              181-176.plus.kerch.net:12517  ESTABLISHED
      TCP    Charles:3683              tdv83-1-82-241-66-41.fbx.proxad.net:6881  ESTABLISHED
      TCP    Charles:3684              ANice-151-1-70-136.w83-205.abo.wanadoo.fr:25464  ESTABLISHED
      TCP    Charles:3686              100pc237.sshunet.nl:34638  ESTABLISHED
      TCP    Charles:3691              cpc1-sund8-0-0-cust117.midd.cable.ntl.com:19232  ESTABLISHED
      TCP    Charles:3700              ug-in-f166.google.com:http  CLOSE_WAIT
      TCP    Charles:3701              ug-in-f166.google.com:http  CLOSE_WAIT
      TCP    Charles:3702              ew-in-f127.google.com:http  CLOSE_WAIT
      TCP    Charles:3705              ug-in-f166.google.com:http  CLOSE_WAIT
      TCP    Charles:3724              124-169-201-100.dyn.iinet.net.au:15826  ESTABLISHED
      TCP    Charles:3732              adsl-69-221-175-49.dsl.akrnoh.ameritech.net:6112  ESTABLISHED
      TCP    Charles:3740              BSN-61-38-101.dial-up.dsl.siol.net:62796  ESTABLISHED
      TCP    Charles:3742              AAnnecy-157-1-16-244.w86-200.abo.wanadoo.fr:60002  ESTABLISHED
      TCP    Charles:3743              bas1-windsor12-1088734490.dsl.bell.ca:46332  ESTABLISHED
      TCP    Charles:3744              modemcable037.122-21-96.mc.videotron.ca:51413  ESTABLISHED
      TCP    Charles:3747              host-41.232.80.220.tedata.net:57280  ESTABLISHED
      TCP    Charles:3755              c-69-139-134-42.hsd1.nj.comcast.net:28825  ESTABLISHED
      TCP    Charles:3760              mon75-16-88-170-209-119.fbx.proxad.net:63175  ESTABLISHED
      TCP    Charles:3762              29.Red-80-38-146.staticIP.rima-tde.net:49153  ESTABLISHED
      TCP    Charles:3763              212.199.248.70.static.012.net.il:2048  LAST_ACK
      TCP    Charles:3768              51.60.in-addr.arpa.tm.net.my:15139  FIN_WAIT_1
      TCP    Charles:3769              cpe-65-24-199-76.insight.res.rr.com:37750  ESTABLISHED
      TCP    Charles:3775              adub84.neoplus.adsl.tpnet.pl:35996  TIME_WAIT
      TCP    Charles:3778              cm48.delta104.maxonline.com.sg:34343  FIN_WAIT_1
      TCP    Charles:3783              noname-213.5.156.219.acn.gr:48484  ESTABLISHED
      TCP    Charles:3785              AC848B1D.ipt.aol.com:12974  ESTABLISHED
      TCP    Charles:3786              ppp-124-120-11-32.revip2.asianet.co.th:63022  ESTABLISHED
      TCP    Charles:3787              host7-71-dynamic.182-80-r.retail.telecomitalia.it:39836  ESTABLISHED
      TCP    Charles:36165             cpe-24-90-34-219.nyc.res.rr.com:1640  ESTABLISHED
      TCP    Charles:36165             CPE-24-208-43-209.new.res.rr.com:63213  ESTABLISHED
      TCP    Charles:36165             60-241-45-112.static.tpgi.com.au:65360  ESTABLISHED
      TCP    Charles:36165             k14204.upc-k.chello.nl:4174  ESTABLISHED
      TCP    Charles:36165             62.209.0.76:2393          ESTABLISHED
      TCP    Charles:36165             host-70-45-187-101.onelinkpr.net:2542  ESTABLISHED
      TCP    Charles:36165             static-71-253-149-18.rcmdva.east.verizon.net:2819  ESTABLISHED
      TCP    Charles:36165             cpe-76-168-226-54.socal.res.rr.com:55319  ESTABLISHED
      TCP    Charles:36165             82-46-166-97.cable.ubr02.harb.blueyonder.co.uk:2148  ESTABLISHED
      TCP    Charles:36165             nan92-2-82-66-56-20.fbx.proxad.net:4180  ESTABLISHED
      TCP    Charles:36165             slo13-1-82-66-194-221.fbx.proxad.net:4691  ESTABLISHED
      TCP    Charles:36165             mea77-2-82-239-231-115.fbx.proxad.net:4058  ESTABLISHED
      TCP    Charles:36165             ALille-257-1-40-241.w83-204.abo.wanadoo.fr:42111  ESTABLISHED
      TCP    Charles:36165             clt-84-32-124-17.dtiltas.lt:4930  ESTABLISHED
      TCP    Charles:36165             auh-as42774.alshamil.net.ae:61684  ESTABLISHED
      TCP    Charles:36165             87.68.89.7.cable.012.net.il:50883  ESTABLISHED
      TCP    Charles:36165             89.181.24.9:1455          ESTABLISHED
      TCP    Charles:36165             ANantes-257-1-16-50.w90-31.abo.wanadoo.fr:57300  ESTABLISHED
      TCP    Charles:36165             AMontsouris-157-1-116-219.w90-46.abo.wanadoo.fr:55961  ESTABLISHED
      TCP    Charles:36165             5ac6c1d3.bb.sky.com:1676  ESTABLISHED
      TCP    Charles:36165             pool-96-225-69-178.nwrknj.fios.verizon.net:52955  ESTABLISHED
      TCP    Charles:36165             pool-96-242-29-176.nwrknj.fios.verizon.net:53670  ESTABLISHED
      TCP    Charles:36165             141.238.108.52:56246      ESTABLISHED
      TCP    Charles:36165             d154-20-183-125.bchsia.telus.net:57224  ESTABLISHED
      TCP    Charles:36165             CPE00062564934b-CM001ac3152f46.cpe.net.cable.rogers.com:4076  ESTABLISHED
      TCP    Charles:36165             190-39-108-80.dyn.dsl.cantv.net:1880  ESTABLISHED
      TCP    Charles:36165             client-190.40.28.88.speedy.net.pe:4730  ESTABLISHED
      TCP    Charles:36165             195.137.255.244:3377      ESTABLISHED
      TCP    Charles:36165             207-247.ma.wireless.seidata.com:2019  ESTABLISHED
    
    Also, you are still having those items from Samsung load that I gave you a fix for.

    Your logs are clean, but there are a few items that I just don't like the looks of. Do you have any idea what the below drivers are for?
    R2 ithsgt;ithsgt;C:\WINDOWS\System32\DRIVERS\ithsgt.sys [2006-06-24 162432]
    R2 lilsgt;lilsgt;C:\WINDOWS\System32\DRIVERS\lilsgt.sys [2006-06-24 12032]
    S3 bDMusicb;bDMusicb;C:\DOCUME~1\Gunilla\LOKALA~1\Temp\bDMusicb.sys

    The bDMusicb.sys file may not even exist anymore. The other two files do seem to exist. I recommend that you run them through the below online scanner and let me know if it reports any problems with these two files:

    http://www.virustotal.com/
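    What gives the Azureus activity away in the connection table above is the shape of it, not any single line: local port 36165 appears over and over with a different remote host each time, which only a listening socket can do (a client connection uses one local port per connection), while the 3xxx-series ports are outbound connections, one of them to a remote port in the traditional BitTorrent range 6881-6889. The script below is an added example, not code from the thread or from MajorGeeks; it parses Windows `netstat`-style rows, separates loopback from Internet peers, and reports which local ports are accepting inbound connections from many distinct hosts. The sample is a subset of the rows from the log above (header translated to English); the threshold of five peers and the helper names are my own choices.

```python
"""Parse Windows `netstat -an`-style output and find local ports that are
accepting inbound connections from many remote hosts (a P2P listener, for example)."""
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto lhost lport rhost rport state")

# Constructed sample: a subset of the connection table from the log above.
SAMPLE = """
  Proto  Local Address             Foreign Address           State
  TCP    Charles:3271              localhost:3272            ESTABLISHED
  TCP    Charles:3272              localhost:3271            ESTABLISHED
  TCP    Charles:3651              localhost:12080           ESTABLISHED
  TCP    Charles:12080             localhost:3651            ESTABLISHED
  TCP    Charles:3033              195.54.111.96:http        CLOSE_WAIT
  TCP    Charles:3679              spc1-pool8-0-0-cust222.cosh.broadband.ntl.com:23485  ESTABLISHED
  TCP    Charles:3682              181-176.plus.kerch.net:12517  ESTABLISHED
  TCP    Charles:3683              tdv83-1-82-241-66-41.fbx.proxad.net:6881  ESTABLISHED
  TCP    Charles:3700              ug-in-f166.google.com:http  CLOSE_WAIT
  TCP    Charles:3744              modemcable037.122-21-96.mc.videotron.ca:51413  ESTABLISHED
  TCP    Charles:36165             cpe-24-90-34-219.nyc.res.rr.com:1640  ESTABLISHED
  TCP    Charles:36165             CPE-24-208-43-209.new.res.rr.com:63213  ESTABLISHED
  TCP    Charles:36165             60-241-45-112.static.tpgi.com.au:65360  ESTABLISHED
  TCP    Charles:36165             k14204.upc-k.chello.nl:4174  ESTABLISHED
  TCP    Charles:36165             62.209.0.76:2393          ESTABLISHED
  TCP    Charles:36165             host-70-45-187-101.onelinkpr.net:2542  ESTABLISHED
  TCP    Charles:36165             89.181.24.9:1455          ESTABLISHED
"""


def parse_netstat(text):
    """Return Conn records for TCP/UDP rows; statistics and header rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) > 3 else ""      # UDP rows carry no state column
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)             # rport may be a service name ("http")
        conns.append(Conn(proto, lhost, int(lport), rhost, rport, state))
    return conns


def is_loopback(host):
    return host == "localhost" or host.startswith("127.")


def external_peers_by_port(conns):
    """Distinct remote hosts per local port, counting ESTABLISHED non-loopback rows only."""
    peers = defaultdict(set)
    for c in conns:
        if c.state == "ESTABLISHED" and not is_loopback(c.rhost):
            peers[c.lport].add(c.rhost)
    return {port: sorted(hosts) for port, hosts in peers.items()}


def inbound_listeners(conns, min_peers=5):
    """One local port shared by established connections from many distinct hosts
    must be a listening socket reachable from the Internet. Returns {port: peer count}."""
    return {port: len(hosts)
            for port, hosts in external_peers_by_port(conns).items()
            if len(hosts) >= min_peers}


def outbound_peers(conns, min_peers=5):
    """(host, port) of established external connections on non-listener local ports."""
    listeners = inbound_listeners(conns, min_peers)
    return sorted({(c.rhost, c.rport) for c in conns
                   if c.state == "ESTABLISHED" and not is_loopback(c.rhost)
                   and c.lport not in listeners})


def report(text, min_peers=5):
    """Human-readable findings, one string per line."""
    conns = parse_netstat(text)
    lines = [f"local port {port}: {n} distinct remote hosts connected inbound "
             f"(listener exposed to the Internet)"
             for port, n in sorted(inbound_listeners(conns, min_peers).items())]
    for host, port in outbound_peers(conns, min_peers):
        # 6881-6889 is the traditional BitTorrent port range; a heuristic hint only.
        tag = "  <- BitTorrent port range" if port.isdigit() and 6881 <= int(port) <= 6889 else ""
        lines.append(f"outbound to {host}:{port}{tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against the full table from the log the same way (`report(open("netstat.txt").read())`); the point of separating inbound from outbound is that an inbound listener with dozens of peers is what a router or host firewall would have to be configured to allow, so it is the first thing to question when a home PC is unexpectedly reachable from the whole Internet.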
     
  8. laekm

    laekm Private E-2

    Dear Helper

    I deleted rnapxs and I scanned those two driver items and got the same result for both, 0/32. Does it make any sense? The third item didn't exist. Another question: when I ran ComboFix the first time I deactivated my avast on-access scan. The avast icon used to be in the right corner next to the clock; how do I get it back there, or should I? I also can't find the way to put it back to on-access scan again; should I do that as well, and which mode is the best setting?

    Lars Ekman
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It just means that they are most likely not a problem.

    Try doing the below.


    Copy the bold text below to notepad. Save it as fixAV.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now reboot and see if the icon appears.
     
  10. laekm

    laekm Private E-2

    Hello helper!

    Couldn't fix the avast icon; the fixAV wouldn't merge. The message I got was: couldn't write all data to the registry, some keys are opened by the system or other processes.

    Lars Ekman
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the registry patch in safe boot mode. If it still gives the same message, shut down Avast and try again.
     
  12. laekm

    laekm Private E-2

    Dear helper

    I merged the fixAV file in safe boot mode, but it didn't help. As Avast is not in on-access mode I don't really know how to shut it down, unless you mean I should uninstall it and install it again.

    Another problem I asked you about before:

    Another question: every time I start my computer I get this message from Samsung Digital, "The newest version of ODD Firmware live update program is in a server", and then I get a message that I have new firmware that needs to be installed, TSST corp CD/DVD S4-S182-D. Installing it doesn't work, and how do I get rid of these messages, as I'm getting tired of them?

    The Samsung message has disappeared, but every time I turn on my computer I still get a message that new firmware has been found, and then the guide for new firmware appears.

    I also get a window that opens every time I start my computer that belongs to a program, Ulead; is it possible to get rid of that as well?

    Thanks for all of your help

    Lars Ekman :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then try uninstalling, rebooting and then reinstalling. If that does not help, I suggest you post in Alwil's forum, since this is really not a malware problem. Also make sure that you are not hiding the icons.

    Already answered in message #5.

    This is not a malware problem. You have Ulead software installed. Do you use this software? If not, then uninstall it. If you do use it and you are getting an error message then you probably need to reinstall it.
     
