[dk10111]

I have recently started having the following problem, please forgive me if I get the terminology wrong, I don't know much about this stuff: On booting up, opening outlook, internet explorer or pretty much any program I get a black box with "C:\WINDOWS\system32\cmd.exe" popping up.

This is followed by a second box headed "CTF Loader has encountered a problem and needs to close. We are sorry for the inconvenience."

These keep popping up each time I open something new, even a new window for explorer.
I've also now had a file "Bleh.exe" start appearing on my desktop.
I've run Panda Activescan, AVG and Spybot S&D (which keeps picking up bloodhoud.pack even after it's been fixed) and after running them, and cleaning up anything found, I still have the problems.

What can I do that's not too complicated?

[Advertisements]

Work your way through the malware removal guide at the top of this forum where it says "Do you suspect a malware (Spyware, Virus, Trojan) infection? Please start here. " This enables folks to solve most problems on their own. If you still have a problem after that, post a hijack this log in the malware forum at
http://www.geekstogo....o_Here-f37.htm

[austin_o]

Work your way through the malware removal guide at the top of this forum where it says "Do you suspect a malware (Spyware, Virus, Trojan) infection? Please start here. " This enables folks to solve most problems on their own. If you still have a problem after that, post a hijack this log in the malware forum at
http://www.geekstogo....o_Here-f37.htm

[dk10111]

Hi, thanks for the reply, tried the stuff, still got problems though, any other ideas?

[Caris]

I get this problem too, so if anyone has any advice it would be much appreciated! I havn't been able to find a solution yet.

Thanks guys!

[starjax]

ok, I've been cleaning this up all week at work. first you need to reinstall the microsoft patch MSO4-011

DO NOT REBOOT After applying the patch. I will tell you when to reboot. several times the following apps may prompt you to reboot, but just wait till the end.


Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite it is a trial version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply

CleanUp!, is a quick and easy way to delete temporary files from your system. Simply deleting these temp files may clear some infections, and will make running the following scans faster.
Install and run. Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up. download cleanup!

now go to your desktop, right click on my computer and go to properties. click on the system restore tab. check the box for "turn off system restore on all drives". after a reboot you may come back to this and deselect it.

Now we need to check for a registry entry. please go to start run and type in REGEDIT. navigate to hkey_local_machine/software/microsoft/windows/CurrentVersion/run and look for "cryptography service" if found then delete it. also look to see if scvhost is listed there. If found then delete it.

now do a through search on the hard drive for bleh.exe and bingoo.exe and delete them. make sure you empty the recyle bin.

ok now you are ready to reboot. for more info on malware please check here So we can gather a bit more info go ahead and post your HiJackThis log and the eiwido log here. dk10111 I would really prefer if you were the only one to post the logs here. I may have to split/move this topic.


and for the curious this is a new virus that is being identified by symantec as a varient of the w32.gaobot family. All th pc's at work that got infected had previously had the mytob virus (specifically bingoo.exe) and somehow the ms04-011 patch was uninstalled, damaged, not there, or compromised. There was the possiblity of a backdoor virus being installed but symantec was able to clean that one up easily.

Thanks,
Starjax

[starjax]

wow. I just found some good documentation:

http://www.cyberdefe...122800.log.html

hmmm. espect an edit on this tomorrow after I have some sleep and the guru's here may have time to write up an automated fix.

[phantomflyer]

Hey guys - I was getting it after the Office service pack 3 release - I'm a geek and tried this and it WORKED: First, I uninstalled Office in the Xp control panel, then did a disk cleanup, defrag, and virus/adware scans. Then I went to Windows Live FULL SERVICE SCAN - this is a NEW service - HERE: http://safety.live.c...-au/default.htm (I'm in Australia so the en-au section may differ for you) and It GOT RID OF ALL THE INVALID REGISTRY ENTRIES - I DID NOTHING but run it! (It can take a few hours depending on how much you have on the HD and you HAVE TO STAY ONLINE during this great service). I have the Office media Content installed on my comp and left it there. Now, after Windows Live FIXED all the corruption after the uninstall and defrag, I Re-Installed Office - Voila!! No more errors and Office is now starting again (It wouldn't work before this) and I don't get the error any more when using IExplorer. Try it!! It worked for this Geek - I WAS READY to format the HD if this failed -- but now I don't have to. I did all the above IN THE ORDER WRITTEN.

Edited by phantomflyer, 08 November 2006 - 11:49 AM.

[phantomflyer]

I'm back!
Well, having told you all that above, all is still perfectly fine, BUT, Windows Automatic updates WANTS to give me back Office XP Pro Service Pack 3 AGAIN! The pop up just lit up and I CANCELLED it checking the box saying "Do Not remind Me of this Update Again". This is what started all the problems in the first place and I'm NOT willing to risk Office starting all this crap again with "CFT loader has encountered a problem..."! It worked just fine before SP3, so I'm leaving it alone. Also, the Windows Live OneCare Safety scan (my previous post) is FREE - it fixes many other Windows problems. Try it!

Another thing I forgot to say is that when this Office Service pack 3 was installed 2 days ago, I had to re-activate Office online - that was the start of these wierd symptoms. Now that I've done the above, I didn't have to activate it again. If I'm back tomorrow after I shut this thing down and start her up again, it means that it's only working for now without a shut-down and restart. You'll know when I do....

Later