questions about ctfmonb (heck, trojans in general)

Discussion in 'Malware Help (A Specialist Will Reply)' started by futureknight, May 25, 2008.

  1. futureknight

    futureknight Private E-2

    Greetings.
    I appreciate the knowledge and assistance everyone brings to this board, and I'm hoping someone might be able to answer a few questions I have.

    Looks like I got that ctfmonb (blue desktop/bug thing), but I am unsure to the level at which I'm infected. I see there is a thread about removing this, but I guess my first question is:

    If I didn't click yes or no on the dialog box that appeared when the thing executed, did I really run the trojan? My desktop did change, my ctrl+alt+del didn't seem to work, and the dialog box appeared again when I started my machine, but I was able to use the task manager from the run function to end the malware program.

    Obviously something happened, but I haven't been able to determine if anything I should be worried about occurred.

    I must confess to deleting my temporary internet files/history in a bit of a panic. Is there another way to see if my machine sent any outbound information?

    thanks in advance for any assistance.
     
  2. abri

    abri MajorGeek

    Hi futureknight,
    Welcome to Major Geeks!


    If you go through the instructions in the READ & RUN ME FIRST, we'll be able to see what is in your computer and if anything needs to be removed. The scans in this set of instructions pick up a large number of these kinds of malware, and the help we give you is to look for individual files that get missed by the scans and can cause the malware to start up again.

    Thanks.
    abri
     
  3. futureknight

    futureknight Private E-2

    I have run through the instructions to the best of my ability. Here are the logs as requested.

    thanks again for the assistance!

    As also indicated in the instructions, I am creating a second post for the 4th attachment.
     

    Attached Files:

  4. futureknight

    futureknight Private E-2

    Here is the last attachment.

    Just to give a complete picture of my attempts, please note that I deleted the ctfmonb.bmp, blackster.scr, and ctfmona.exe files before downloading and following the instructions/programs in the forum thread here.

    thanks in advance for your time.
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi futureknight,

    Please do the following:

    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot


    2) Install the current version of Sun Java from: Sun Java Runtime Environment

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click; use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - SOFTWARE - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe


    After you click fix, just close hijackthis.


    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat. Also, let me know if you got a success message with the registry patch (REGEDIT4).


    Let me know how things are running now.

    abri
     
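The HijackThis entries abri lists in step 3 are the lines a helper reads by eye: O2/O3 entries that end in "(no file)" are orphaned registry references, and O4 entries are HKLM/HKCU Run autostarts. The script below is an added example, not part of this thread or of the MGtools/HijackThis tooling, that parses exactly those line formats, separates the image path from its arguments (quoted paths can contain spaces), and sorts each entry into "orphan", "optional" or "review". The KNOWN_BENIGN allowlist is a constructed assumption built from the two entries abri later calls optional, and the "review" notes are triage heuristics of my own (value name identical to the file name, image living in system32), not a malware verdict:

```python
"""Triage HijackThis O2/O3/O4 log lines: parse, split image from arguments, flag orphans."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the six HijackThis entries quoted in abri's post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
"""

# Assumed allowlist (not from HijackThis): the two autostarts the thread treats as optional to fix.
KNOWN_BENIGN = {"nerocheck.exe", "hpoopm07.exe"}

# O4 - HKLM\..\Run: [ValueName] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O2 - BHO: <name> - <CLSID or key> - <file or (no file)>   /   O3 - Toolbar: ... same shape
OBJ_RE = re.compile(r"^(?P<section>O2|O3) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<ident>.*?) - (?P<file>.*)$")


@dataclass
class Finding:
    section: str
    name: str      # Run value name, or the CLSID/key for O2/O3 entries
    image: str     # executable path, "" when HijackThis reports (no file)
    args: str
    verdict: str   # "orphan", "optional" or "review"
    note: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the image path from its arguments; a quoted path may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: treat the rest as the path
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_line(line: str) -> Optional[Finding]:
    m = O4_RE.match(line)
    if m:
        image, args = split_command(m.group("cmd"))
        fname = image.rsplit("\\", 1)[-1].lower()
        name = m.group("name")
        if fname in KNOWN_BENIGN:
            return Finding("O4", name, image, args, "optional", "known application autostart")
        notes = []
        if name.lower() == fname:          # heuristic: droppers often register the value under the file name
            notes.append("value name equals file name")
        if "\\system32\\" in image.lower():
            notes.append("runs from system32")
        return Finding("O4", name, image, args, "review", "; ".join(notes))
    m = OBJ_RE.match(line)
    if m:
        if m.group("file") == "(no file)":
            return Finding(m.group("section"), m.group("ident"), "", "", "orphan",
                           "registry entry points at a missing file")
        return Finding(m.group("section"), m.group("ident"), m.group("file"), "", "review", m.group("kind"))
    return None                            # not an O2/O3/O4 line


def triage(log: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.verdict:8} {f.name:22} {f.image} {f.args} {f.note}")
```

Run it against a saved HijackThis log instead of SAMPLE_LOG to get the same three-way split; anything marked "review" still needs a person to decide, which is what the thread's helpers do with the full MGlogs.zip.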
  6. futureknight

    futureknight Private E-2

    Abri,
    I disabled teatimer, and installed java. When running MGtools, however, I got the following error:

    "the application failed to initialize properly (0xc0000155)."

    I see there is a section in the first procedure you gave to me pertaining to error messages with MGtools, but this specific one (at least the error code) wasn't there.

    If these errors are due to the .NET Framework not being there, how would I get it? I don't have access to a full edition of Windows XP disks (i.e. the genuine thing).
     
  7. abri

    abri MajorGeek

    Hi futureknight,

    You ran them successfully once. If you aren't able to run them using the GetLogs.bat file located in the C:\MGTools folder, then you need to reinstall them from Using MGTools and allow them to install over the existing ones. Then follow the instructions in the link for running them again. However, before you run them, please do the following first:


    1) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    2) Run CCleaner.


    3) After you reinstall and rerun the MGTools as per the link above, attach the fresh set of MGlogs.zip. Also, let me know if you got a success message for this REGEDIT4 patch as well.

    abri
     
  8. futureknight

    futureknight Private E-2

    Hi Abri,
    Sorry this has been such an involved problem. I really appreciate the help. I did the regedit (and it said it merged). I ran CCleaner and reinstalled MGtools per your link.

    When I ran it, I did get the same error, but it looks like it produced a log anyway (which I think is what happened the very first time I ran it, now that I think about it).

    Anyway, it did do a new zip file of logs. I am attaching them. I hope that I haven't screwed this up, but I figured I had better look at your response from before and follow any instructions I hadn't done because of the error (that is the post 3 above this one, or #5) so I could do anything you mentioned there... basically what I saw was that I needed to run GetLogs.bat, which I did.

    If that has screwed things up, let me know.

    Thanks again for your assistance.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi futureknight,

    It appears from the logs you posted to me that you ran the instructions in post 7, then ran the GetLogs.bat, and then ran the instructions in post 5. If this is the case, please go to C:\MGTools\GetLogs.bat and double-click on it and allow it to run again. Then come back here and, using the Manage Attachments button, look for C:\MGlogs.zip.

    It appears that the logs you posted only show the results of the work you did from post 7 but not from post 5. In this case it doesn't matter that these two posts got reversed, but I can't check them without a new set of logs.

    Thanks.
    abri
     
  10. futureknight

    futureknight Private E-2

    Evening Abri,
    I ran getlogs.bat and am attaching the new zip per your request. I am sorry to have caused some extra grief trying to get the right one to you.

    Thanks.
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi futureknight,

    None of the files I asked you to delete in Post 5 is gone, including the one bad bit of malware. Please go through those instructions again, starting with the step to disable Teatimer.

    In Step 3 of that post, the following two items are optional. You do not have to fix these two items, but the other items need to be fixed!

    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe


    The REGEDIT4 patch needs to be run. Otherwise your computer is just going to get infected again.

    Please go through the instructions in post 5 and when you're finished, attach the new MGlogs.zip. If you feel there's some error here, and that you DID run these instructions already, please tell me. The logs you're posting to me show clearly that the steps in post 5 were never done.

    I will be gone and will not post again to you for several days.

    abri
     
  12. futureknight

    futureknight Private E-2

    Hi Abri,
    I'm sure I did those steps, so I'm not sure where I messed up, but I obviously did. I do get that error every time I run MGTOOLS, but it still generates logs. Since you will be gone a few days, I will go through the whole procedure again and resubmit everything.

    Thanks for your patience as I try to fix this stuff.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The error you are getting is described on the Using MGtools download page. You do not have the Microsoft .NET Framework software installed.
     
  14. abri

    abri MajorGeek

    Hi futureknight,

    I'm not sure the error you mentioned has to do with the problem that things didn't get deleted using HijackThis. The error you mentioned will only mean that you're missing the procdll log, but it has nothing to do with your fixes not working. These are different problems.

    What I'm wondering is, if you are sure you went through all the instructions in both posts 5 & 7, did you get Spybot's TeaTimer disabled? If TeaTimer is still running, it will reverse any changes which are attempted on your computer, so if you try to delete something, it will put it back. The only other explanation I have, if you did all the instructions in both posts 5 & 7, is that some security software you have running could be blocking things, or that the MGlogs are not being overwritten by the new information and so it appears there are still files where there aren't really.

    Please try the instructions in post 5 again. When you get to the instructions to run analyse.exe (this is really HijackThis), tell me if the files I asked you to FIX in post 5 are still there. If they are still there, then something is blocking the fix. If they are not there, then the new logs are not overwriting the old ones as they should.

    Thanks.
    abri
     
  15. futureknight

    futureknight Private E-2

    welcome back, Abri,
    I believe I have TeaTimer disabled. When I check the advanced options in Spybot, it appears to be properly unchecked. I may not have time tonight, but I will try rerunning through everything again, and checking what you asked in your post 5.

    Thanks!
     
