Blue Screen and Bugs

Discussion in 'Malware Help (A Specialist Will Reply)' started by killerclarinet, May 27, 2008.

  1. killerclarinet

    killerclarinet Private E-2

    Hello,

    Earlier today (well, yesterday now) my computer and internet were slow, but I figured it was a modem problem so I rebooted. When the computer came back on, the wallpaper was a blue screen with a message asking me to download anti-virus protection because I have spyware, as well as bugs crawling over the screen.

    I freaked at first and then ran my anti-virus program (Norton Internet Security 2007) and it did not find anything. Then I downloaded and ran Sophos and Ad-Aware Free Edition, and installed SpywareGuard while I was at it. Ad-Aware found one worm (promptly deleted) and four privacy risks (again deleted), and Sophos found one unknown hidden file in C:\WINDOWS\I3686\AUTOFMT.EXE, but I did not remove it because I did not know if it was necessary. Also, I installed Assassin and everything on it looks good except for one file ".tt19C9.tmp.exe", which neither Assassin nor a Google search could help identify.

    Other than my background and the bugs, the computer seems completely normal, as all programs work and it is not any slower than normal (even before I ran the above programs).

    I am primarily writing this to make sure that I actually fixed the problem and, if not, how to, as well as what I should do to prevent this from happening again.

    If it is necessary, the background filename is ctfmonb; however, I could not find it in a search of the computer.

    Also, I am not the most proficient in computers, so if there is anything I must do, please explain it in as layman's terms as possible. If not, I can learn.

    Thanks for the help.
     
  2. killerclarinet

    killerclarinet Private E-2

    And one more thing: I was able to change the background of my computer without any trouble, but as far as the bugs are concerned, I haven't seen them since (likely because it's a screen saver and I haven't been inactive long enough).

    I would restart the computer to make sure it doesn't happen again, but I am not sure if that would have a negative effect.

    Again, thanks for any help.
     
  3. abri

    abri MajorGeek

    Hi Killerclarinet,
    Welcome to Major Geeks!


    Could you make a screen shot of the bugs on the screen? We've fixed this on a lot of people's computers, but I haven't seen it first hand and I would like to see it, if possible. Then I would ask you to please go through the instructions in the READ & RUN ME FIRST and attach the requested logs. Most of the scans we ask you to run don't take very long and there is a set of instructions for each one. You should find some relief from all the symptoms as you work through them. If you can't do something, please make a note of what happened and then continue on until you've done everything you can.

    Thanks!
    abri
     
  4. killerclarinet

    killerclarinet Private E-2

    Attached Files:

  5. killerclarinet

    killerclarinet Private E-2

    and the rest
     

    Attached Files:

  6. killerclarinet

    killerclarinet Private E-2

    For some reason my other post did not show:

    Thanks for the help. I followed all the steps in the READ ME FIRST section and the problem seems to be completely taken care of.

    My original Ad-Aware scan seems to have taken care of the bugs, so I could not take a screenshot for you, but I found one of the background on Google (I'll attach it as well).

    Again, thanks for the help, and here are the logs.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi killerclarinet,

    Your computer is a bit overburdened by too much protection software and too many startup programs. Additionally you have a rootkit infection. Let's start with getting rid of some stuff first and then we'll look for the rootkit.


    1) Go to add/remove programs and uninstall the below:

    - Viewpoint Media Player

    2) You have both the Norton Security Suite and the McAfee Security Suite. This is more than you need, and in fact, it causes problems to have both. Please uninstall either the Norton/Symantec or the McAfee. To uninstall either of the Security Suites, you need to use a removal tool. I will give you the link for each of these. Norton has an extra procedure for removing their quarantined files. If you decide to uninstall Norton/Symantec, please read this extra step and follow the instructions before running the Norton Removal Tool.

    Removing Files from Norton Antivirus Quarantine

    Norton Removal Tool (SymNRT)


    McAfee Consumer Product Removal Tool (SymNRT)



    3) Additionally, you have WinPatrol, CA PestPatrol and Spyware Guard. We don't recommend Spyware Guard because it's gotten outdated. As for the other two, I don't know if you need them if you are using one of the above security suites, since these both have anti-spyware protection as part of the suite. For the moment, please uninstall two of these blockers. If you've paid for one of them, keep that one.

    4) Next, if you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click; use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O9 - Extra button: Flash - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL


    Put a check in the box of all of the 018 entries that look like the following. These are not malware. They just don't need to be there.

    O18 - Protocol: bw+0 - {1E0BF23C-4B37-4B87-84F1-F7F63C12A69C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    Did you set the following to enable restrictions in Internet Explorer? It could be associated with a child safety mechanism. If you did not set it yourself, please fix this as well:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Do the following programs have to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1


    After you've checked everything and closed your browser windows, click FIX. Then just close HijackThis.


    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) And now, let's look for the rootkit:


    Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter MEMSWEEP2 in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.


      Let me know how everything went?
      abri
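    To make the entries listed in the instructions above easier to read, here is a small added Python script; it is not part of the thread and is not HijackThis code. It parses HijackThis-style log lines into their parts (section, display name, CLSID, file path, Run hive and command line) and sorts them into the same buckets abri works through: orphaned registrations ("(no name)" / "(no file)"), the O6 policy entry, the O4 startup entries, and the O18 protocol handlers. The regular expressions and the triage wording are my own assumptions about the log format, derived only from the lines quoted in this post; the sample input is those same lines collected into one string.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the HijackThis lines quoted in abri's post, gathered into one
# string so the script runs offline. Nothing here is fabricated beyond that.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Flash - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O18 - Protocol: bw+0 - {1E0BF23C-4B37-4B87-84F1-F7F63C12A69C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"""


@dataclass
class Entry:
    section: str          # "R3", "O2", "O4", ...
    raw: str
    name: str = ""        # display name (COM items) or Run value name (O4)
    clsid: str = ""       # GUID for COM-registered items
    path: str = ""        # DLL or executable the entry points at
    hive: str = ""        # HKLM / HKCU for O4 entries
    args: str = ""        # command-line arguments for O4 entries


# Assumed line shapes, generalised from the quoted lines only.
SECTION_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
COM_RE = re.compile(r"^[^:]+: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def split_command(cmd: str):
    """Split a Run value into (image path, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_line(line: str) -> Optional[Entry]:
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    e = Entry(section=section, raw=line.strip())
    if section == "O4":
        r = RUN_RE.match(body)
        if r:
            e.hive, e.name = r.group("hive"), r.group("name")
            e.path, e.args = split_command(r.group("cmd"))
        return e
    c = COM_RE.match(body)          # BHOs, toolbars, buttons, hooks, protocols
    if c:
        e.name, e.clsid, e.path = c.group("name"), c.group("clsid"), c.group("path")
    return e                        # O6 and other free-form lines keep only raw


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Registrations that point at nothing: leftovers, not running code."""
    return [e for e in entries if e.name == "(no name)" or e.path == "(no file)"]


def startup_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.section == "O4"]


def triage(e: Entry) -> str:
    """Phrase each entry as the question the post asks about it."""
    if e.name == "(no name)" or e.path == "(no file)":
        return "orphaned: registration points at nothing, safe to fix"
    if e.section == "O6":
        return "policy restriction: confirm you set it yourself, otherwise fix"
    if e.section == "O4":
        return "startup: does %s need to load at boot?" % e.name
    if e.section == "O18":
        return "custom protocol handler: not malware, just unnecessary"
    return "COM add-on (BHO/toolbar/button): check the vendor and the file"


def report(text: str) -> Dict[str, str]:
    """Map each raw line to its triage verdict."""
    return {e.raw: triage(e) for e in parse_log(text)}


if __name__ == "__main__":
    for raw, verdict in report(SAMPLE_LOG).items():
        print("%-110s -> %s" % (raw, verdict))
```

    The `split_command` helper matters more than it looks: an O4 value such as the Adobe one carries arguments after a quoted path, and matching on the bare path (rather than the whole command line) is what lets a reviewer compare it against a list of known-good executables.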
     
  8. killerclarinet

    killerclarinet Private E-2

    Thanks for the help.

    I will start taking care of the rest after I post this.
    And I do not believe that the McAfee Suite is running; I think it just came pre-installed, but I will remove it nonetheless.
     
  9. killerclarinet

    killerclarinet Private E-2

    Alright

    I did everything you said with no problems. Everything ran smoothly.

    But now that you mention the rootkit, I do remember yesterday Norton detecting and blocking a rootkit; "Hacktool.rootkit" is what it shows up as on Norton. I don't know if this helps at all.

    Anyway, here is my Registry Search log:
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi killerclarinet,
    I will be away for a few days and will see if someone else can post the instructions to you.
    abri
     
  11. killerclarinet

    killerclarinet Private E-2

    Alright, no problem.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MEMSWEEP2 is not a problem. It is part of Sophos AntiRootkit which you have installed.

    Are you having any further malware problems?
     
  13. killerclarinet

    killerclarinet Private E-2

    Alright then...

    No more problems here. I think everything has been taken care of.

    Thanks so much for the help.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. Go to add/remove programs and uninstall HijackThis.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work thru the below link:
     
