CiD popup on second computer

Status
Not open for further replies.

Donnamck

bump


Help, please, anyone?????????????



Hi,

This is a thread but about a different computer. I didn't want to confuse the two cleaning instructions so thought I would make a thread for each computer.

This computer is an Acer running XP (my daughter's computer). It seems she is the culprit for putting the CiD popup infection on this computer and the laptop.

I have done the 15 steps and now attach the three logs;
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //eml:J:\cleaning computer.eml
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll

    Close HJT.

  4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\UPSCR.Scr
    C:\WINDOWS\system32\UPSCR.Scr
    C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
    C:\WINDOWS\system32\C4A6B0798C.sys
    C:\WINDOWS\system32\KGyGaAvL.sys
    Folder::
    C:\Program Files\Else plus
    C:\Documents and Settings\All Users\Application Data\third lies itch ford
    C:\Documents and Settings\Taz\Application Data\Else plus
    C:\Program Files\Circle Developement
    C:\Program Files\Viewpoint
    C:\Documents and Settings\Taz\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint
  5. Save this as CFScript on the desktop.
  6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    [image: CFScript.gif]

  7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.
  8. Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of Donnamck only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

Your logs look clean now.

  1. Please download and run CCleaner via step 9 of the instructions HERE.

  2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

  3. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  4. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  5. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)
