TechSpot

8-steps done - Am I clean now?

Solved
By newatthis
Mar 4, 2010
Topic Status:
Not open for further replies.
  1. I've been having problems with a CiD adware infection on my comp (loads of pop-ups). I manually tracked down the obvious virus files on C:, and then followed the 8-step recipe.

    Can anyone please tell me whether or not the logs look ok now?

    Thanks heaps.

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Have you set homepage up to launch as a blank page? If not, please have HJT remove this entry:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    I'd like you to run the following 2 programs to make sure everything has been found and removed:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please don't use any other cleaning programs while I'm working with you.
    Attach the Combofix report and Eset scan log in next reply.
  3. newatthis

    newatthis Newcomer, in training Topic Starter

    Bobbye,

    Yes, my IE home page is deliberately set to about:blank.

    The ComboFix and ESET logs are attached.

    I am not concerned about the ESET alerts relating to my D: drive, because this is a file store that is never used.

    I can't tell whether ComboFix is saying there are problems, though. What do you think?

    Thanks for your help.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I cannot ignore this because you tell me you don't use it. It shows that you have 2 pirated programs and 2 P2P programs, all infected with malware. Another, from globalroms, indicates having the ability to download any material when you do not have the legal rights to do so.

    D:\Installation-Kits\BearShare-4.0.5-DONT-INSTALL-CRAP.exe a variant of Win32/Adware.WhenUSave application
    D:\Installation-Kits\BearShare250.exe multiple threats
    D:\Installation-Kits\Adobe Flash CS3 Pro KeyGen and Crack\Step 1 - KeyGen\Adobe Flash CS3 (9.0) Professional KeyGen.exe probably a variant of Win32/Agent trojan
    D:\Installation-Kits\Firedaemon\fd009c-fdui10R3 (Fire Daemon 0.09c).exe Win32/FireDaemon application
    D:\Mame\ROMs - v0.103 Complete [www.globalroms.com]\LUCKYCASHCASINOS.EXE a variant of Win32/Casino application
    D:\Virtual Machines\Shared Folder\Scan2CAD.Pro.v7.6i.Cracked-iNViSiBLE\iNViSiBLE\Scan2CADv7.exe probably a variant of Win32/TrojanDownloader.Obfuscated trojan


    One of the infections has this description:
  5. newatthis

    newatthis Newcomer, in training Topic Starter

    Ok - point taken. I can clean up the files in D: easily enough. But is there anything else, e.g. from ComboFix, that is a problem?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    After the files and folders have been removed, rerun Combofix and the Eset scan. Leave new Report and log.
  7. newatthis

    newatthis Newcomer, in training Topic Starter

    New logs as requested. How's it looking now?

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36


    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:
    Code:
    KILLALL::
    File::
    c:\users\farrell\AppData\Roaming\uTorrent
    c:\users\farrell\AppData\Local\temp
    c:\users\Public\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    D:\Installation-Kits\BearShare-4.0.5-DONT-INSTALL-CRAP.exe
    D:\Installation-Kits\BearShare250.exe
    D:\Installation-Kits\Adobe Flash CS3 Pro KeyGen and Crack\Step 1 - KeyGen\Adobe Flash CS3 (9.0) Professional KeyGen.exe
    D:\Installation-Kits\Firedaemon\fd009c-fdui10R3 (Fire Daemon 0.09c).exe
    D:\Mame\ROMs - v0.103 Complete [www.globalroms.com]\LUCKYCASHCASINOS.EXE
    D:\Virtual Machines\Shared Folder\Scan2CAD.Pro.v7.6i.Cracked-iNViSiBLE\iNViSiBLE\Scan2CADv7.exe
    
    Folder::
    
    Registry::
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG: screenshot of dragging CFScript.txt onto ComboFix.exe; image not available in this copy of the thread]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
  9. newatthis

    newatthis Newcomer, in training Topic Starter

    CFScript log as requested. Ok now?

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, rescan with the Eset online scanner once more. If it's clean, I'll have you remove the cleaning tools and old restore points.
  11. newatthis

    newatthis Newcomer, in training Topic Starter

    ESET scan is clean (log attached).

    How do I remove old system restore points?

    Attached Files:

     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Looks good!
    Remove all of the tools we used and the files and folders they created
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes. If you are prompted to Reboot during the cleanup, select Yes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name > click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Stay safe! Let me know if you need help in the future.
  13. newatthis

    newatthis Newcomer, in training Topic Starter

    Thanks for your help.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. I'll close this thread now. If you need our help in the future, please let us know.