Bugs on Screen...help please.

Discussion in 'Malware Help (A Specialist Will Reply)' started by 2kMarauder, Jun 7, 2008.

  1. 2kMarauder

    2kMarauder Private E-2

    I am trying to help a friend with her laptop. She got the bugs on the screen and "Warning! spyware detected..." Blue screen as a background. Here are the log files I've gotten through your directions.
     


  2. 2kMarauder

    2kMarauder Private E-2

    Last one. Thanks for any help.
     


  3. abri

    abri MajorGeek

    Hi 2kMarauder,
    Welcome to Major Geeks!


    Please try to avoid using the computer until we can post a set of instructions to you. This takes some time, so thanks for being patient.


    abri
     
  4. abri

    abri MajorGeek

    Hi 2kMarauder,

    Please do the following:


    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [lphcn8bj0ec2a] C:\WINDOWS\system32\lphcn8bj0ec2a.exe


    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes2\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT

    After you click fix, just close hijackthis.

    2) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\SwSys1.bmp
    C:\WINDOWS\SwSys2.bmp
    C:\WINDOWS\system32\lphcn8bj0ec2a.exe
    C:\WINDOWS\system32\drivers\kgpfr2.cfg
    
    FOLDER::
    C:\Documents and Settings\Rachelle Jones\Application Data\shcg8bj0ec2a
    
    REGISTRY::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "lphcn8bj0ec2a"=-
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    3) Now run CCleaner at the default setting with the Windows tab as the top one.


    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
     
  5. 2kMarauder

    2kMarauder Private E-2

    I've done everything you instructed and I've still got the "Warning! Spyware detected..." background on the laptop. It seems to have taken away the option to set my wallpaper too. Here are my logs.
     


  6. abri

    abri MajorGeek

    Well, that's annoying!

    Please do the following:

    Find and delete this file:

    C:\WINDOWS\system32\phcn8bj0ec2a.bmp


    Next please download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter sysrest in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

    Now I would like for you to run two scans, one is a rootkit scan which you'll download, the other is an online scan which needs to be run with Internet Explorer with Active X enabled. The links for these two scans are:

    Running GMER to detect rootkits


    Running BitDefender Online Scan


    When you finish the above instructions, please attach the three logs for RegSearch, GMER and BitDefender. Please note that there are special instructions in the link for getting a log we can use for BitDefender. Be careful to follow the instructions in that link very exactly.


    Thanks.
    abri
     
  7. 2kMarauder

    2kMarauder Private E-2

    Here are my logs. The bdscan wouldn't let me save it as a .txt file, only html was a choice. I copied and pasted the info into a text file.
     


  8. abri

    abri MajorGeek

    Hi 2kMarauder,

    Please do the following:

    1) To begin with, please disable Spybot's TeaTimer. Without disabling this, it will block any fixes we do. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    sysrest
    
    FILE::
    C:\WINDOWS\system32\sysrest.sys
    C:\WINDOWS\system32\sysrest32.exe
    C:\Documents and Settings\Rachelle Jones\Application Data\internaldb41.dat
    C:\Documents and Settings\Rachelle Jones\Application Data\internaldb8467.dat
    C:\Documents and Settings\Rachelle Jones\Application Data\internaldb6334.dat
    C:\hpqp.ini
    C:\XP_TV.ini
    
    REGISTRY::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\StubInstaller.exe"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) If you have not already done so, please install the current version of Sun Java. You have the installation file here: C:\Documents and Settings\Rachelle Jones\My Documents\jre-6u6-windows-i586-p.exe



    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
     
  9. 2kMarauder

    2kMarauder Private E-2

    All of the signs of the "bugs" are gone. But I still cannot change the wallpaper image. Here are the logs. Thanks for the help.
     


  10. abri

    abri MajorGeek

    Hi 2kMarauder,

    1) Spybot's Teatimer is not disabled. The function of Teatimer is to prevent certain changes from being made in your computer, therefore, when we try to fix some things, Teatimer will simply put them back the way they were. That's why we ask that you disable this function. Please do this before you continue. The instructions for how to do this can be found in Step 1 of my last post.

    2) Then go to Windows Explorer and delete these files:

    C:\Documents and Settings\Rachelle Jones\Desktop\jre-6u6-windows-i586-p.exe
    C:\Documents and Settings\Rachelle Jones\My Documents\jre-6u6-windows-i586-p.exe


    3) After making sure that Teatimer is disabled, please run Disable/Remove Windows Messenger

    4) Next I would like to have you use ComboFix to remove some files. Before you do this, I want you to disable Windows Defender and all other antispyware programs you have running except for your Antivirus Program and your Firewall. Leave those two running. Then continue with the following instructions:


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL::
    
    FILE::
    C:\Program Files\Common Files\iS3\Anti-Spyware\phishing.rsf
    C:\Program Files\Common Files\iS3\Anti-Spyware\sgdfull.rsf
    
    FOLDER::
    C:\Program Files\Common Files\iS3\Anti-Spyware
    C:\Program Files\Common Files\iS3
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.



    Let me know how this went? I am looking into one other question, but will wait to hear back from you about the above instructions before posting anything further.

    abri
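The three ComboFix scripts in this thread share one format: a bare KILLALL:: directive, then DRIVER::, FILE:: and FOLDER:: sections listing one item per line, and a REGISTRY:: section where a [key] header is followed by "name"=- lines meaning "delete this value". As an added example (not code from the thread or from ComboFix), the Python below parses such a script into a checklist and reports which listed artifacts still exist in a snapshot of the machine, which is how a helper can confirm the fix took before asking for fresh logs; the snapshot representation (a set of existing paths, a dict of registry key to value names, a set of driver service names) is an assumption made for this example.

```python
import re

# Added example (not ComboFix's own code): parse the CFScript format used in
# this thread and check which listed artifacts survive a (constructed) snapshot.
SECTION = re.compile(r"^([A-Z]+)::$")    # section header, e.g. FILE::
REG_KEY = re.compile(r"^\[(.+)\]$")      # registry key, e.g. [HKLM\...\Run]
REG_DEL = re.compile(r'^"(.+)"=-$')      # "name"=-  means delete this value


def parse_cfscript(text):
    """Return sections as lists; REGISTRY entries are (key, value) pairs."""
    script = {"KILLALL": False, "DRIVER": [], "FILE": [], "FOLDER": [], "REGISTRY": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION.match(line):
            section = m.group(1)
            if section == "KILLALL":       # bare directive: kill running processes
                script["KILLALL"] = True
            elif section not in script:
                raise ValueError(f"unknown CFScript section: {section}")
        elif section == "REGISTRY":
            if m := REG_KEY.match(line):
                key = m.group(1).lower()
            elif (m := REG_DEL.match(line)) and key:
                script["REGISTRY"].append((key, m.group(1).lower()))
            else:
                raise ValueError(f"unparsed REGISTRY line: {line}")
        elif section in ("DRIVER", "FILE", "FOLDER"):
            script[section].append(line.lower())   # Windows names are case-insensitive
        else:
            raise ValueError(f"entry outside any section: {line}")
    return script


def remaining_artifacts(script, paths, reg_values, drivers):
    """Script items still present in the snapshot. paths: set of existing
    paths; reg_values: {key: {value names}}; drivers: set of service names."""
    paths = {p.lower() for p in paths}
    drivers = {d.lower() for d in drivers}
    reg_values = {k.lower(): {n.lower() for n in v} for k, v in reg_values.items()}
    left = [p for p in script["FILE"] + script["FOLDER"] if p in paths]
    left += [d for d in script["DRIVER"] if d in drivers]
    left += [f"{k}\\{v}" for k, v in script["REGISTRY"] if v in reg_values.get(k, set())]
    return left
```

An empty list from remaining_artifacts means every item the script targeted is gone; anything returned is what to look for in the next ComboFix or HijackThis log.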


     
