TechSpot

CiD Viruses Cleanup

By BlakeIsBlake
Jul 9, 2008
  1. I found the CiD popups on my PC so I thought it was time to clean the comp...

    Here are the logs...

    ETA: No rootkits found with Panda.
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi, welcome to techspot!

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O1 - Hosts: 1.1.1.1 f-secure.com
      O1 - Hosts: 1.1.1.1 www.f-secure.com
      O1 - Hosts: 1.1.1.1 ftp.f-secure.com
      O1 - Hosts: 1.1.1.1 ftp.sophos.com
      O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
      O1 - Hosts: 1.1.1.1 customer.symantec.com
      O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
      O1 - Hosts: 1.1.1.1 download.mcafee.com
      O1 - Hosts: 1.1.1.1 rads.mcafee.com
      O1 - Hosts: 1.1.1.1 mast.mcafee.com
      O1 - Hosts: 1.1.1.1 my-etrust.com
      O1 - Hosts: 1.1.1.1 www.my-etrust.com
      O1 - Hosts: 1.1.1.1 nai.com
      O1 - Hosts: 1.1.1.1 www.nai.com
      O1 - Hosts: 1.1.1.1 networkassociates.com
      O1 - Hosts: 1.1.1.1 secure.nai.com
      O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
      O1 - Hosts: 1.1.1.1 service1.symantec.com
      O1 - Hosts: 1.1.1.1 sophos.com
      O1 - Hosts: 1.1.1.1 www.sophos.com
      O1 - Hosts: 1.1.1.1 symantec.com
      O1 - Hosts: 1.1.1.1 www.symantec.com
      O1 - Hosts: 1.1.1.1 update.symantec.com
      O1 - Hosts: 1.1.1.1 updates.symantec.com
      O1 - Hosts: 1.1.1.1 us.mcafee.com
      O1 - Hosts: 1.1.1.1 vil.nai.com
      O1 - Hosts: 1.1.1.1 viruslist.com
      O1 - Hosts: 1.1.1.1 www.viruslist.com
      O1 - Hosts: 1.1.1.1 free.grisoft.com
      O1 - Hosts: 1.1.1.1 trendmicro.com
      O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
      O1 - Hosts: 1.1.1.1 www.trendmicro.com
      O1 - Hosts: 1.1.1.1 usa.kaspersky.com
      O1 - Hosts: 1.1.1.1 zonelabs.com
      O1 - Hosts: 1.1.1.1 www.zonelabs.com
      O1 - Hosts: 1.1.1.1 bitdefender.com
      O1 - Hosts: 1.1.1.1 www.bitdefender.com
      O1 - Hosts: 1.1.1.1 download.bitdefender.com
      O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
      O1 - Hosts: 1.1.1.1 merijn.org
      O1 - Hosts: 1.1.1.1 www.merijn.org
      O1 - Hosts: 1.1.1.1 sysinternals.com
      O1 - Hosts: 1.1.1.1 www.sysinternals.com
      O1 - Hosts: 1.1.1.1 onguardonline.gov
      O1 - Hosts: 1.1.1.1 www.onguardonline.gov
      O1 - Hosts: 1.1.1.1 avast.com
      O1 - Hosts: 1.1.1.1 www.avast.com
      O1 - Hosts: 1.1.1.1 safety.live.com
      O1 - Hosts: 1.1.1.1 www.paretologic.com
      O1 - Hosts: 1.1.1.1 paretologic.com
      O1 - Hosts: 1.1.1.1 virusscan.jotti.org
      O1 - Hosts: 1.1.1.1 services.google.com
      O1 - Hosts: 1.1.1.1 www.webroot.com
      O1 - Hosts: 1.1.1.1 webroot.com
      O1 - Hosts: 1.1.1.1 yandao.com
      O1 - Hosts: 1.1.1.1 www.yandao.com
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll (file missing)
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll (file missing)
      O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll (file missing)
      O4 - HKCU\..\Run: [Meal That] D:\DOCUME~1\Owner\APPLIC~1\EQLOVE~1\part window option.exe
      O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - D:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
      O15 - Trusted Zone: *.stumbleupon.com
      O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    Then navigate to and delete this folder:
    D:\Documents and Settings\Owner\Application Data\EQLOVE~1 <-will look different but will start with this and be a random name

    ---------------------------------------------------------------------

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    -----------------------------------------------------------------------------

    Afterwards post a new HijackThis log with the MBAM log.
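    Detection-side companion to the O1 entries above (an added example, not part of this thread): the infection pinned security-vendor hostnames to 1.1.1.1 in the hosts file so that updates and online scanners fail. This Python script parses a hosts file and reports any vendor hostname pinned to an address; the vendor list and the sample hosts text are constructed for illustration.

```python
import ipaddress
import re

# Constructed: a handful of the vendor domains listed in the O1 entries above.
# A hostname equal to one of these, or a subdomain of one, counts as "protected".
PROTECTED_DOMAINS = (
    "f-secure.com", "sophos.com", "symantec.com", "mcafee.com", "nai.com",
    "kaspersky.com", "trendmicro.com", "bitdefender.com", "avast.com",
    "sysinternals.com", "virusscan.jotti.org", "safety.live.com",
)

def is_protected(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)

def parse_hosts(text: str):
    """Yield (lineno, ip, hostname) for every mapping; comments and blanks skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # column one is not an address; ignore malformed line
        for name in fields[1:]:
            yield lineno, ip, name

def find_hijacks(text: str):
    """Return [(lineno, ip, hostname)] for every protected vendor name pinned to
    an address.  A normal hosts file never needs to pin these names, so both a
    loopback blackhole and an arbitrary address such as 1.1.1.1 are reported;
    localhost-style lines for non-vendor names are left alone."""
    return [(n, str(ip), h) for n, ip, h in parse_hosts(text) if is_protected(h)]

# Constructed sample mirroring the O1 lines: vendor names pinned to 1.1.1.1.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.0.10    fileserver.lan   # legitimate local override
1.1.1.1 f-secure.com
1.1.1.1 liveupdate.symantec.com
1.1.1.1 housecall.trendmicro.com
"""

if __name__ == "__main__":
    for lineno, ip, host in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}  (security vendor domain pinned)")
```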
     
  3. BlakeIsBlake

    BlakeIsBlake TS Rookie Topic Starter

    I could not find the "Meal That" process or the EQLOVE folder.

    Logs attached.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That log is clean; let's get a 2nd opinion just to be sure, then we can clean up. Are the popups gone? Also, I don't see any anti-virus, which probably would have prevented this in the first place. I recommend Avira AntiVir: it is free and has excellent detection rates and real-time protection
    -> http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
     
  5. BlakeIsBlake

    BlakeIsBlake TS Rookie Topic Starter

    For some reason it won't work, but the popups are gone. Thank you for your help! :D
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, then I need to have a deeper look.

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt
     