TechSpot

CiD popups and iexplore.exe using 95% system mem without using IE

By yarrrheal
Jan 11, 2008
  1. For the new problem, please scroll down to post #17

    Thank you
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Hi yarrrheal and welcome to TechSpot

    You will need to follow the following recommendations first

    Viruses/Spyware/Malware, preliminary removal instructions
    http://www.techspot.com/vb/topic58138.html

    With files like B.exe in your Windows folder, you are most certainly infected!
     
  3. yarrrheal

    yarrrheal TS Rookie Topic Starter

    I have already followed all of those instructions (over the past 3 days; I have done nothing else). These logs are from after all the steps in that topic.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Someone will help you shortly

    This time may vary; TechSpot members are helping others voluntarily, so hang in there. Also, I'll check back later if there's no response.
     
  5. yarrrheal

    yarrrheal TS Rookie Topic Starter

    Now for the other PC

    So now that my laptop has been cleaned up, now my main pc is having the same issues.
    Followed your directions in the preliminary removal guide and have the logs posted.
    Thank you for your time.
    Also, Panda Anti-Rootkit found 0 issues.
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Need to tighten up security, but first - do you still use Norton AV?

    Also I need to see:
    Generate Uninstall List

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file.
     
  7. yarrrheal

    yarrrheal TS Rookie Topic Starter

    Norton AV is still used on this comp due to me not being able to convince my parents otherwise.

    Uninstall list attached
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder


    Uninstall these from control panel -> Add/remove programs
    J2SE Runtime Environment 5.0 Update 7
    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    Messenger Plus! Live & Sponsor (CiD)

    After uninstalling Messenger Plus! Sponsor:

    1) "Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

    2) The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

    3) If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question; otherwise you won't have another chance of uninstalling.

    4)Reboot your computer

    5)Run another scan with Hijackthis and attach a new log
     
  9. yarrrheal

    yarrrheal TS Rookie Topic Starter

    The 'setup' screen in question never actually appeared, nor did the sponsor screen.
    New HJT log attached.
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    That should help, but you still have infections on there

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Remove Viewpoint
    Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
    I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components:
    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click Add or Remove Programs.
    3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

      How to prevent it from being recreated every time you run the AOL software:
      • Open AOL
      • Go to Help on the toolbar
      • Select About AOL
      • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
     
  11. yarrrheal

    yarrrheal TS Rookie Topic Starter

    Followed instructions and have the next log posted.
     
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply

    Also attach a fresh Hijackthis afterwards.
     
  13. yarrrheal

    yarrrheal TS Rookie Topic Starter

    Ran the scanner, and wow it found a lot.
    Scan log and fresh hjt log attached.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\Windows\System32\NeroCheck.exe
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.

    --------------------------------------------------------------------------------------

    Launch Spybot -> click on the Recovery Icon -> Highlight everything and select the red X that says purge.

    ------------------------------------------------------------------------------------------------

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Platform bows.exe
    O4 - HKCU\..\Run: [CakeTest] C:\Document~1\Owner\APPLIC~1\GRIMEQ~1\Store Vc.exe

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Documents and Settings\All Users\Application Data\great coal love default
    C:\Documents and Settings\Owner\Application Data\GRIMEQ~1 <- check this one, it will have a longer name


    -----------------------------------------------

    FileASSASSIN
    • Launch Malwarebytes' Anti-Malware
    • Select the More Tools Tab
    • Under FileASSASSIN select Run Tool
    • Navigate to C:\Program Files\DAEMON Tools Lite\SRSAI.exe
    • Press Open

    ------------------------------------------------

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------

    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    -----------------------------------------------------

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

    ---------------------------------------------------------------------

    After all of this run another Kaspersky and attach the log along with the result from VirusTotal
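The HijackThis entries in this post show the two patterns that usually single out an entry for "Fix Checked": O2 BHO registrations whose CLSID points at "(no file)", and O4 Run entries that launch executables out of user-writable profile directories, sometimes hidden behind 8.3 short names such as GRIMEQ~1 (which is why the folder has to be matched by its long name before deleting). The script below is an added example, not part of the thread or of HijackThis itself; it triages log lines with those heuristics. The four flagged sample lines are the ones quoted above, the ExampleAV line is a constructed benign control, and the regular expressions and rule names are assumptions of this example, not HijackThis rules.

```python
"""Triage HijackThis O2/O4 log lines with simple defender heuristics.

Added example, not code from the TechSpot thread or from HijackThis.
The parsing regexes and the rules below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log: the four O2/O4 lines quoted in the thread plus one
# benign autorun (ExampleAV) used as a control that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Platform bows.exe
O4 - HKCU\..\Run: [CakeTest] C:\Document~1\Owner\APPLIC~1\GRIMEQ~1\Store Vc.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe
"""

# O2 - BHO: <name> - {CLSID} - <path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<path>.*)$")

# Directories a user (and therefore malware running as that user) can write to.
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def triage_line(line):
    """Return a Finding for a parsed O2/O4 line, or None if the line is neither."""
    m = O2_RE.match(line)
    if m:
        reasons = []
        if m.group("path").strip() == "(no file)":
            # Registration survives but the DLL is gone: a leftover to clean up.
            reasons.append("orphaned BHO registration: CLSID points at no file")
        return Finding(line, reasons)
    m = O4_RE.match(line)
    if m:
        reasons = []
        path = m.group("path")
        if any(marker in path.lower() for marker in PROFILE_MARKERS):
            reasons.append("autorun from a user-writable profile directory")
        if re.search(r"~\d", path):
            # GRIMEQ~1 is an 8.3 alias; the real folder has a longer name.
            reasons.append("8.3 short name in path: expand it before deleting the folder")
        return Finding(line, reasons)
    return None


def triage(log_text):
    """Return only the Findings that have at least one reason to fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        finding = triage_line(line)
        if finding and finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run it on a saved HijackThis log instead of SAMPLE_LOG to get a shortlist; the output is a prompt for manual review (check each path in Explorer with hidden files shown), not an automatic fix list, since a BHO with "(no file)" is harmless clutter while a profile-directory autorun needs the executable itself removed.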
     
  15. yarrrheal

    yarrrheal TS Rookie Topic Starter

    I really appreciate your help for all of this.
    Virustotal said the file was completely clean and Kaspersky didn't find anything.
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Good deal. You now have a nice clean restore point set also.

    Let me know if anything else comes up.

    Regards,

    BD
     
  17. yarrrheal

    yarrrheal TS Rookie Topic Starter

    Vundo strikes again

    Okay, so this is my issue this time. I have come back home for a while to visit and the "family" desktop really just hasn't been taken care of at all. Hasn't been cleaned in probably a year, no av, no firewall (NAT or software), no anything. The only thing it is used for is playing games. They have lost the OS install disks and the restore disks.

    Vundo is the main culprit I know of, though I highly suspect there may be more.

    I would be very happy if you guys could help.
    Thanks for your time.
     
  18. yarrrheal

    yarrrheal TS Rookie Topic Starter

    Update

    Okay, a little update here. After updating to the latest Java (6u13), java will no longer load for anything. Also, IE has completely gone non-responsive.

    Edit: Disregard the Java issue... Comodo decided to play nice
     