I think I have a lot of viruses

Discussion in 'Virus and Malware Removal' started by noobkiller69, Oct 19, 2009.

Thread Status:
Not open for further replies.
  1. noobkiller69 Newcomer, in training

    These past few months my computer has slowed down and lags a lot. When I use Mozilla Firefox or Internet Explorer a pop-up called CiD keeps popping up. This is very annoying because it happens every 5 minutes. Could someone please review the attachment and give me some feedback?
  2. raybay TechSpot Addict

    You have a program error. Something needs to be removed and reinstalled.
    I see no viruses or other infestations.
    You can probably figure out the problem software by clicking on that pop-up.
  3. momok Newcomer, in training

    @noobkiller69: You definitely have malware on your system.

    CiD popups are a common infection with several users.

    This in your hijackthis log for example, is bad:
    O4 - HKCU\..\Run: [Coal 4] C:\DOCUME~1\USER\APPLIC~1\ENCFOR~1\ballhopedraw.exe

    @Ray: please do not give such resolute conclusive advice when you do not read all the logs, or do not know how to read HijackThis logs. You should have seen enough on the forums to realise CiD popups are an infection, and clicking on the popup is going to lead the user to bad sites and more infections.
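The O4 line momok points to is a HijackThis listing of an autostart entry under HKCU\..\Run whose executable lives in the user's Application Data folder (APPLIC~1) inside a randomly named directory (ENCFOR~1). The following Python script is an added example, not part of the thread or of HijackThis; it parses O4 Run-key lines from a few constructed log lines (the first reproduces the entry above, the others are made up) and flags the two traits a helper looks for: a launch path under a per-user data or temp directory, and a program folder whose 8.3 short name hides a long, arbitrary real name. The heuristics and the helper names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed HijackThis-style log excerpt for this example. Line 1 is the
# entry called out in the thread; the remaining lines are made up. The
# R0 line shows that non-O4 lines are ignored by the parser.
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [Coal 4] C:\\DOCUME~1\\USER\\APPLIC~1\\ENCFOR~1\\ballhopedraw.exe
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [updater] C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\upd.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
"""

# Matches only Run/RunOnce-style O4 entries ("O4 - HKCU\..\Run: [name] command").
# Other O4 forms (e.g. "Global Startup:") are deliberately not handled here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Directory fragments (8.3 short form and long form) in which a legitimate
# autostart rarely lives: per-user Application Data, Local Settings and Temp.
PROFILE_DATA_DIRS = ("APPLIC~1", "APPLICATION DATA", "LOCALS~1", "LOCAL SETTINGS", "\\TEMP\\")

# Well-known Windows folders whose short names are expected and not suspicious.
KNOWN_SHORT_NAMES = {"DOCUME~1", "APPLIC~1", "LOCALS~1", "PROGRA~1", "PROGRA~2", "COMMON~1"}


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(command: str) -> List[str]:
    """Return the reasons (possibly none) a Run-key command looks suspicious."""
    reasons = []
    upper = command.upper()
    if any(frag in upper for frag in PROFILE_DATA_DIRS):
        reasons.append("launches from a per-user data/temp directory")
    # The directory directly containing the executable. An 8.3 short name such
    # as ENCFOR~1 means the real folder name was long; Lop-style droppers use
    # random directory names, so an unknown short name is worth a look.
    parts = upper.split("\\")
    parent = parts[-2] if len(parts) >= 2 else ""
    if re.fullmatch(r"[A-Z0-9]{1,6}~\d", parent) and parent not in KNOWN_SHORT_NAMES:
        reasons.append("program folder is an unrecognised 8.3 short name")
    return reasons


def parse_o4(log_text: str) -> List[RunEntry]:
    """Parse every O4 Run-key line in a HijackThis log into RunEntry objects."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"], assess(m["cmd"])))
    return entries


def suspicious_entries(log_text: str) -> List[RunEntry]:
    """Only the entries that triggered at least one heuristic."""
    return [e for e in parse_o4(log_text) if e.suspicious]


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_LOG):
        print(f"{entry.hive}\\..\\{entry.key} [{entry.name}] {entry.command}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

Run against the constructed log, the script reports the ballhopedraw.exe entry with both reasons and the made-up Temp-folder updater with one, while the AVG tray program and ctfmon.exe pass. The heuristics are a triage aid only; a flagged entry still needs the file itself examined, as the helpers in this thread do before issuing a fix.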
  4. Bobbye Helper on the Fringe

    Welcome to TechSpot, noobkiller. I'll help you find and remove the malware on your system.

    The CiD Pop-up is a browser hijacker that was downloaded and installed by Adware.Lop. It displays excessive advertisements on the infected computer and modifies Internet Explorer settings. This isn't a virus or spyware, but is considered a PUP, which is a 'potentially unwanted program'.

    First, let me make it clear that you should never click on an unknown pop-up! Never.

    Please follow my instructions below. Run programs in the order that I have them. Don't install, uninstall, download anything else unless I instruct you to do so.

    Please update and run a full system scan with AVG AV and clean/delete all infected files. Save log and attach to new reply.

    [1] Download NoLop from HERE and save to your desktop.

    [2] Boot into Safe Mode:
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    [3] Double-click to run NoLop.exe on your desktop.

    [4] Click the button "Search and Destroy." It will search for infected files on your computer.

    [5] Click "Reboot" if it finds infected files and prompts you to do so.

    [6] After rebooting the computer, NoLop will prompt for another action; if it does not, please re-run the program to complete the process.
    Close the program.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Rescan with HijackThis when through. Paste in new HJT log.
    Attach all other logs and reports.
  5. noobkiller69 Newcomer, in training

    So far, so good! No more CiD has popped up lately and my computer speed is nearly back to normal without lag. Thank you for your expert help!

    I don't know how to save a log from AVG AV 8.5, so it is not attached here. Sorry.

    EDIT: The pop-up still appears.
  6. Bobbye Helper on the Fringe

    Okay, so you came back in and did an edit saying the CiD pop-up reappeared? Is that correct?

    I'd like you to run a more up to date LOP program. The one I gave you is an older version (sorry) and it didn't pick up the LOP entries:

    It is best to disable the antivirus and malware programs for the scan; you'll re-enable them after the scan.

    Download Lop S&D and save to your desktop.


    [1] Double-click Lop S&D.exe
    [2] Choose the language, then choose Option 2 (Fix + Hosts)
    [3] Wait till the end of the scan
    [4] Attach the log which is created: (%SystemDrive%\lopR.txt)

    Edit to add:
    Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

    C:\Qoobox\Add-Remove Programs.txt

    A report should pop open for you. Please post the contents in your next reply.

    Rescan with HijackThis and paste the log in your next reply.
  7. noobkiller69 Newcomer, in training

    Do I have to rerun all the other things like combofix and AVG AV
  8. kritius Newcomer, in training

    No. Just run what you were asked.
  9. noobkiller69 Newcomer, in training

    Okay, I ran the new Lop S&D and so far so good. No CiD pop-up has popped up. If there are any more CiD pop-ups I'll edit this reply.
  10. kritius Newcomer, in training

    Just going to do this bit for Bobbye,

    Fix this entry in HijackThis,

    O4 - HKCU\..\Run: [Coal 4] C:\DOCUME~1\USER\APPLIC~1\ENCFOR~1\ballhopedraw.exe

    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      
      :Services
      
      :Reg
      
      :Files
      C:\DOCUME~1\USER\My Documents\Installer\CA Security Suite2008+Genuine Serials+Keygen
      C:\DOCUME~1\USER\My Documents\Installer\keygen.exe
      C:\DOCUME~1\USER\My Documents\Installer\CA Security Suite2008+Genuine Serials+Keygen\issdm_en_32.exe
      C:\DOCUME~1\USER\My Documents\Installer\CA Security Suite2008+Genuine Serials+Keygen\Keygen
      C:\DOCUME~1\USER\My Documents\Installer\CA Security Suite2008+Genuine Serials+Keygen\Serials.txt
      C:\DOCUME~1\USER\My Documents\Installer\CA Security Suite2008+Genuine Serials+Keygen\Keygen\file_id.diz
      C:\DOCUME~1\USER\My Documents\Installer\CA Security Suite2008+Genuine Serials+Keygen\Keygen\keygen.exe
      C:\DOCUME~1\USER\My Documents\Installer\Nero 7.10.1.0\Keygen.exe
      C:\DOCUME~1\USER\My Documents\Installer\Norton Internet Security 2009 v16.0.0.125\Crack
      C:\DOCUME~1\USER\My Documents\Installer\Norton Internet Security 2009 v16.0.0.125\Crack\Norton_TrialReset_1.5V.exe
      C:\DOCUME~1\USER\APPLIC~1\ENCFOR~1
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
      
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  11. Bobbye Helper on the Fringe

    Thank you kritius. Your help is always welcome.