CiD pop-ups and trojans HELP

By lrsims91
Jul 4, 2007
Topic Status:
Not open for further replies.
  1. I have been trying to get rid of the CiD pop-ups and trojans on my computer with no luck so far.

    I have followed the Viruses-Spyware-Malware preliminary removal instructions and now I have those logs to post.



    The AntiRootkit scan didn't find anything on my computer.

    The HJT, Combofix, and AVG Antispyware logs are attached

    (I have 2 Combofix logs, not sure which one is needed so I'm attaching both)


    Please help

    -Lena
  2. bobby123

    bobby123 Newcomer, in training Posts: 391

    Well, the positive thing is your scan report shows many bugs have been deleted.
  3. momok

    momok Newcomer, in training Posts: 2,272

    Hi lrsims91 and welcome to techspot. =)

    Good job with following the instructions.

    Please run CCleaner again and remember to check every single box for cleaning.

    After that please do the following.

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

    You may wish to copy and paste these instructions into Notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type msconfig. Press the enter key.
    Search for the following services. Uncheck them to disable from startup.

    clock poll
    NI.UWFX5_0001_NI530211

    Press OK but do not restart your system yet.


    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    Viewpoint
    Winantivirus Pro
    SurfSideKick 3


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {5b24bf3c-9d30-4a0f-a1ab-43bf6b161746} - C:\WINDOWS\system32\comdus.dll
    O4 - HKLM\..\Run: [NI.UWFX5_0001_NI530211] "C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\QYV0VMJZ\WinFixerScannerInstall[1].exe" -nag /BEFOREINSTALL
    O4 - HKCU\..\Run: [clock poll] C:\DOCUME~1\Patty\APPLIC~1\LIESLI~1\idlefastonce.exe

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comdus.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\comdus.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\comdus.dll

    O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab < note this site and never visit it ever again. It is most likely the source of part of your infections.

    O20 - AppInit_DLLs: c:\windows\system32\gebyvsr.dll
    O20 - Winlogon Notify: comdus - C:\WINDOWS\SYSTEM32\comdus.dll

    Close HJT.

    Please search for these two folders and delete them if you did not create them. If you did, please let me know what their contents are and what you use them for.
    C:\Program Files\Gpotato
    C:\Program Files\LIESLICENSEMAGS

    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of lrsims91 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. lrsims91

    lrsims91 Newcomer, in training Topic Starter

    updated logs

    here are the updated logs

    I'm pretty sure I did it right

    let me know
  5. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    I presume you have deleted those two folders?

    Please follow these instructions carefully.

    1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the attachment avengerscript.txt you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, ComboFix and AVG Antispyware log.


    Regards,
    Your friendly momok =)

    This thread is for the use of lrsims91 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  6. lrsims91

    lrsims91 Newcomer, in training Topic Starter

    New logs

    I have followed everything you said to do

    I wasn't sure whether I was supposed to delete the infected files in the AVG Antispyware scan, so I quarantined them for the time being

    here are the new logs
  7. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    I notice a new infection on HijackThis. Did you use your system for surfing just recently?

    You may wish to copy and paste these instructions into Notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type msconfig. Press the enter key.
    Search for the following services and uncheck them.

    team 32 mp3 cake

    Press Ok but do not restart your system yet.

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O4 - HKLM\..\Run: [team 32 mp3 cake] C:\Documents and Settings\All Users\Application Data\firstmoveteam32\transdraw.exe

    Close HJT.

    Please navigate to this folder and check to see if you created it. If not, immediately delete the entire folder and its contents.

    C:\DOCUME~1\Patty\APPLIC~1\acccore

    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\Documents and Settings\All Users\Application Data\firstmoveteam32\

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of lrsims91 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
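The HijackThis entries momok asks to fix in posts #3 and #7 all fall into a few persistence classes: BHOs and Winlogon Notify DLLs (O2/O20), Run keys (O4), ActiveX downloads (O16) and AppInit_DLLs (O20). The script below is an added example, not part of the thread and not HijackThis or ComboFix code: it parses those quoted lines as a constructed sample log and applies simple heuristics of my own (a Run entry executing from the IE cache or Application Data, an ActiveX CAB fetched from a bare IP, any AppInit_DLLs value, one DLL registered under several CLSIDs or hook points, as comdus.dll is here). The ctfmon.exe line is a constructed benign control that must not be flagged. It also lists the bracketed O4 names, which are exactly the Startup items momok has the user uncheck in msconfig.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: the HijackThis lines quoted in posts #3 and #7,
# plus one benign control line (ctfmon.exe, a normal XP startup item) that
# must NOT be flagged. Embedded so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5b24bf3c-9d30-4a0f-a1ab-43bf6b161746} - C:\WINDOWS\system32\comdus.dll
O4 - HKLM\..\Run: [NI.UWFX5_0001_NI530211] "C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\QYV0VMJZ\WinFixerScannerInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKCU\..\Run: [clock poll] C:\DOCUME~1\Patty\APPLIC~1\LIESLI~1\idlefastonce.exe
O4 - HKLM\..\Run: [team 32 mp3 cake] C:\Documents and Settings\All Users\Application Data\firstmoveteam32\transdraw.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comdus.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\comdus.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\comdus.dll
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O20 - AppInit_DLLs: c:\windows\system32\gebyvsr.dll
O20 - Winlogon Notify: comdus - C:\WINDOWS\SYSTEM32\comdus.dll
"""

CLSID = r"(\{[0-9A-Fa-f-]{36}\})"
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - " + CLSID + r" - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O9_RE = re.compile(r"^Extra (?:button|'Tools' menuitem): (.*?) - " + CLSID + r" - (.*)$")
O16_RE = re.compile(r"^DPF: " + CLSID + r" - (\S+)$")
O20_APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
O20_NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")

# Locations a legitimate startup program should never run from: the IE cache
# and per-user / all-users Application Data (short 8.3 spellings included).
USER_WRITABLE = ("temporary internet files", "application data", "applic~1", "local settings", "locals~1")


def exe_from_cmd(cmd):
    """Strip quoting and trailing arguments from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log):
    """Return a list of (kind, name, path, reason) findings for an HJT log."""
    findings = []
    dll_users = defaultdict(set)  # lower-cased DLL path -> hook points that load it
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O2" and (m2 := O2_RE.match(body)):
            name, clsid, dll = m2.groups()
            dll_users[dll.lower()].add(("O2", clsid))
            if name == "(no name)":
                findings.append((kind, clsid, dll, "unnamed BHO"))
        elif kind == "O4" and (m4 := O4_RE.match(body)):
            _hive, _key, name, cmd = m4.groups()
            exe = exe_from_cmd(cmd)
            if any(d in exe.lower() for d in USER_WRITABLE):
                findings.append((kind, name, exe, "Run entry launches from a user-writable data directory"))
        elif kind == "O9" and (m9 := O9_RE.match(body)):
            _title, clsid, dll = m9.groups()
            dll_users[dll.lower()].add(("O9", clsid))
        elif kind == "O16" and (m16 := O16_RE.match(body)):
            clsid, url = m16.groups()
            host = urlparse(url).hostname or ""
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append((kind, clsid, url, "ActiveX download from a bare IP address"))
        elif kind == "O20" and (ma := O20_APPINIT_RE.match(body)):
            findings.append((kind, "AppInit_DLLs", ma.group(1), "AppInit_DLLs set: DLL is injected into every user32 process"))
        elif kind == "O20" and (mn := O20_NOTIFY_RE.match(body)):
            name, dll = mn.groups()
            dll_users[dll.lower()].add(("O20", name))
    # One DLL acting as BHO, several toolbar buttons with borrowed legitimate
    # names and a Winlogon Notify package at once is the comdus.dll pattern.
    for dll, users in dll_users.items():
        if len(users) >= 2:
            findings.append(("O2/O9/O20", f"{len(users)} hook points", dll, "one DLL registered under multiple CLSIDs/hook points"))
    return findings


def msconfig_names(findings):
    """Names of flagged O4 items, as they appear on msconfig's Startup tab."""
    return sorted(f[1] for f in findings if f[0] == "O4")


if __name__ == "__main__":
    for kind, name, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:10} {reason}: {name} -> {path}")
    print("msconfig Startup items to uncheck:", msconfig_names(triage(SAMPLE_LOG)))
```

Note what the heuristics do not catch: the second O16 entry (the winsoftware.com CAB) looks like an ordinary vendor download and is flagged in the thread only because momok knows the site distributes rogue antivirus software. A log triage script narrows the list; the judgment about which vendor is trustworthy still comes from the person reading it.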
  8. lrsims91

    lrsims91 Newcomer, in training Topic Starter

    I followed your instructions as before and deleted those 2 folders that you mentioned. I hadn't created them.

    Here are the new logs
  9. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    Good job, your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    You may also delete the C:\avenger and C:\VundoFix Backups folder and its contents.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of lrsims91 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  10. lrsims91

    lrsims91 Newcomer, in training Topic Starter

    thank you so much for your help

    everything seems to be fine now

    I received this computer from a cousin who completely filled it with crap before I got it and was hoping I could get rid of the viruses

    thank you
  11. momok

    momok Newcomer, in training Posts: 2,272

    No problems, glad to be of help. =)
    Now it's up to you to keep it that way hehe. Enjoy your clean system.