Help checking for malware please

[ethrion]

3wplayer and CiD Help malware issue...

I stupidly downloaded and ran the 3wplayer program but found out that it was bogus and so uninstalled it. The CiD Help thing is on my add/remove programs list and requires a number code to remove it. However, ive not been getting any of the add popups that other people have been complaining about so im not sure if the malware is active or not.

I would be very grateful if someone could check through my HijackThis log file and processes running screenshot to see if I do have any problems. If there is anything else needed then Ill send it too. Thanks in advance.

View attachment 19235

View attachment 19236

 

[momok]

Hi ethrion and welcome to techspot. =)

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please do the following.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

WinPop
firstmapi
film blue meta regs

Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

WinPop

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F1117BA3-CF1D-41DB-84B0-58FA6BD2BD0A} - (no file)
O4 - HKLM\..\Run: [film blue meta regs] C:\Documents and Settings\All Users\Application Data\bold fork film blue\Showgreat.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [firstmapi] C:\DOCUME~1\ALEXDA~1\APPLIC~1\BARBFO~1\CopyDateDrv.exe
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: ljjkjhh - C:\WINDOWS\
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\
O24 - Desktop Component 1: (no name) - http://bf2s.com/player/60970165/

Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.
C:\Documents and Settings\All Users\Application Data\bold fork film blue\
C:\DOCUME~1\ALEXDA~1\APPLIC~1\BARBFO~1\
C:\Program Files\WinPop\

Reboot into normal mode and rehide your protected OS files.

Next, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs if not it will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly momok =)

This thread is for the use of ethrion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[ethrion]

Thanks

Thank you very much for the help, it is much appreciated. I followed the steps laid out and saved the logs of the scans etc. If there is anything else I need to do please advise.

Thanks again.

 

[ethrion]

Other reports. However, in the add/remove programs list "CiD Help" is still there...

 

[momok]

Hi,

Please download and run CCleaner via step 9 of the instructions HERE.

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Thereafter, please post fresh HJT and AVG Antispyware logs from normal mode and the ComboFix log from the safe mode instructions as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of ethrion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[ashbey]

How to remove

Go in C:\Documents and Settings\<user name>\Application Data folder if you see anything wiered like names which are not logical delete it. Do it in safe mode since they are loaded with windows.

Do not download 3Wplayer. It contains Malware.
There is a software tool which can convert 3wplayer files back to normal video files. I tried it on many videos which could only be played on 3w player and it converted them all successfully, although a little slow. You can download it from here:

http://www.topdownloads.net/index/software/view.php?id=121109

It is a clean software without any spyware or adware. I hope this info will help.