CiD Virus - problems with preliminary removal

Status
Not open for further replies.
CiD Virus AVG Antispyware, Combofix, and HijackThis logs

UPDATE:
I couldn't run the programs in Safe Mode, but I ran them in normal mode. I'm attaching the AVG Antispyware, Combofix, and HijackThis logs. The AVG Antirootkit scan didn't find anything.
ORIGINAL POST:
Hi, I have the CiD Virus and have tried to follow the instructions in the "Viruses/Spyware/Malware, preliminary removal instructions" thread. I've run into a few problems. The first is that VundoFix didn't work for me or I was too impatient, but it took a really long time scanning. Is this normal? I skipped it and continued on. I got stuck, however, on step 13 when I tried to run SS&D and it gave me the error:

"There is no disk in the drive. Please insert a disk into drive \DEVICE\HARDDISK1\DR1"

I also always get this error:
"A Runtime Error has occured.
Line 147
Error: "menu.filters.0" is null or not an object"


I've attached the HijackThis log.

Hope someone can help!
 
Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

style creative.exe
Dentthedata.exe
GMT.exe
jinit.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [Settingsroamdenthole] F:\Documents and Settings\All Users\Application Data\DefyProxySettingsRoam\style creative.exe

O4 - HKCU\..\Run: [Dumb Date] F:\DOCUME~1\ANCAMA~1\APPLIC~1\CORNGR~1\Dentthedata.exe

O4 - Global Startup: GStartup.lnk = F:\Program Files\Common Files\GMT\GMT.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: @Home - {4CE1D3E8-DF96-479F-8890-7298041A24A3} - http://www/ (file missing) (HKCU)

O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab

O16 - DPF: {9A5A6B87-B458-47EF-8284-E0EE52877BAD} (CDWeb SmarTimers ActiveX) - http://w3.cdt.ops.tdbank.ca/ActiveX/CDWebAxLib.cab

O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://ssora.tdbank.ca/forms/jinitiator/jinit.exe

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 49.10.69.10 49.10.68.10

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 49.10.69.10 49.10.68.10

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 49.10.69.10 49.10.68.10

Only fix the above 017 entries, if they don't belong to your ISP or you don't recognise the domain.

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

F:\Documents and Settings\All Users\Application Data\DefyProxySettingsRoam<Delete the entire folder.
F:\DOCUME~1\ANCAMA~1\APPLIC~1\CORNGR~1<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of untitledself only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
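The reply above works through the HijackThis O4 (autorun) and O17 (DNS) entries by hand. The following is an added example, not code from the thread or from HijackThis, that parses those line types and applies the same two checks a helper applies when triaging a log: autoruns launched from a user-writable profile directory or matching a known process name, and NameServer values outside an allowlist of DNS servers you recognise. The sample log is constructed from the entries quoted above plus one constructed benign O4 line (avgcc.exe); the allowlist address 192.0.2.53 is a placeholder.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the O4/O17 lines quoted in the thread plus one benign entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Settingsroamdenthole] F:\Documents and Settings\All Users\Application Data\DefyProxySettingsRoam\style creative.exe
O4 - HKCU\..\Run: [Dumb Date] F:\DOCUME~1\ANCAMA~1\APPLIC~1\CORNGR~1\Dentthedata.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: GStartup.lnk = F:\Program Files\Common Files\GMT\GMT.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tdbank.ca,ctwan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 49.10.69.10 49.10.68.10
"""

O4_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.+?) = (.+)$")
O17_LINE = re.compile(r"^O17 - (\S+): (NameServer|SearchList) = (.+)$")

# Process names the reply asks the user to end, and profile directories that
# legitimate autorun entries rarely launch from (case-insensitive substrings).
KNOWN_BAD = {"style creative.exe", "dentthedata.exe", "gmt.exe", "jinit.exe"}
PROFILE_DIRS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\temp\\")


def _exe_name(cmd: str) -> str:
    # Drop trailing arguments (anything after ".exe") and return the lower-cased file name.
    low = cmd.lower()
    end = low.find(".exe")
    path = low[: end + 4] if end != -1 else low
    return path.rsplit("\\", 1)[-1]


def triage(log: str, dns_allowlist: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious O4 autorun or unrecognised O17 NameServer."""
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            cmd = m.group(m.lastindex)  # the launched command is always the last group
            reasons = []
            if _exe_name(cmd) in KNOWN_BAD:
                reasons.append("known name")
            if any(d in cmd.lower() for d in PROFILE_DIRS):
                reasons.append("runs from profile dir")
            if reasons:
                findings.append({"kind": "O4", "item": cmd, "why": "; ".join(reasons)})
            continue
        m = O17_LINE.match(line)
        if m and m.group(2) == "NameServer":
            unknown = [ip for ip in m.group(3).split() if ip not in dns_allowlist]
            if unknown:
                findings.append({"kind": "O17", "item": " ".join(unknown),
                                 "why": "DNS server not in allowlist"})
    return findings
```

As the reply notes, an O17 finding is only actionable if the address is not your ISP's resolver, which is why the allowlist is an input rather than hard-coded.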
 
oops, you've answered in the meanwhile. i will do everything you've mentioned and then repost everything!

thanks!!!

Okay, here are the HJT, AVG Antispyware and Combofix logs. The AVG Antirootkit scan was fine.

I guess there is still a problem, though, because AVG Antispyware quarantined two of the high threat viruses, but they re-appeared in the second scan. But I don't have random casino and porn ads showing up anymore every time I open a page, though, so I guess that's pretty good!

:)

p.s. yes, I recognize and need the 017 entries.
 
Your HJT log is now clean.

delete all files in AVG Antispyware quarantine.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of untitledself only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
great! thanks so much! i really appreciate it.

:)

I do, however, get this error still:

"A Runtime Error has occured.
Line 147
Error: "menu.filters.0" is null or not an object"

I have twice since I've been on this site. Is that unrelated?
 