CiD pop ups and trojans HELP


lrsims91

I have been trying to get rid of the CiD pop up and trojans on my computer with no luck so far.

I have followed the Viruses-Spyware-Malware preliminary removal instructions and now I have those logs to post.



The AntiRootkit scan didn't find anything on my computer.

The HJT, Combofix, and AVG Antispyware logs are attached

(I have 2 Combofix logs; not sure which one is needed, so I'm attaching both.)


Please help.

-Lena
 
Hi lrsims91 and welcome to techspot. =)

Good job with following the instructions.

Please run ccleaner again and remember to check every single box for cleaning.

After that please do the following.

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type msconfig. Press the enter key.
Search for the following services. Uncheck them to disable from startup.

clock poll
NI.UWFX5_0001_NI530211

Press OK but do not restart your system yet.


Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

Viewpoint
Winantivirus Pro
SurfSideKick 3


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {5b24bf3c-9d30-4a0f-a1ab-43bf6b161746} - C:\WINDOWS\system32\comdus.dll
O4 - HKLM\..\Run: [NI.UWFX5_0001_NI530211] "C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\QYV0VMJZ\WinFixerScannerInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKCU\..\Run: [clock poll] C:\DOCUME~1\Patty\APPLIC~1\LIESLI~1\idlefastonce.exe

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comdus.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\comdus.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\comdus.dll

O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab < note this site and never visit it ever again. It is most likely the source of part of your infections.

O20 - AppInit_DLLs: c:\windows\system32\gebyvsr.dll
O20 - Winlogon Notify: comdus - C:\WINDOWS\SYSTEM32\comdus.dll

Close HJT.

Please search for these two folders and delete them if you did not create them. If you did, please let me know what their contents are and what you use them for.
C:\Program Files\Gpotato
C:\Program Files\LIESLICENSEMAGS

Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of lrsims91 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

I presume you have deleted those two folders?

Please follow these instructions carefully.

1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the attachment avengerscript.txt you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, ComboFix and AVG Antispyware log.


Regards,
Your friendly momok =)

 
New logs

I have followed everything you said to do

I wasn't sure whether I was supposed to delete the infected files in the AVG Antispyware scan, so I quarantined them for the time being.

Here are the new logs.
 
Hi,

I notice a new infection on HijackThis. Did you use your system for surfing just recently?

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type msconfig. Press the enter key.
Search for the following services and uncheck them.

team 32 mp3 cake

Press Ok but do not restart your system yet.

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O4 - HKLM\..\Run: [team 32 mp3 cake] C:\Documents and Settings\All Users\Application Data\firstmoveteam32\transdraw.exe

Close HJT.

Please navigate to this folder and check to see if you created it. If not, immediately delete the entire folder and its contents:

C:\DOCUME~1\Patty\APPLIC~1\acccore

Navigate in Windows Explorer and delete the following files and folders in bold.

C:\Documents and Settings\All Users\Application Data\firstmoveteam32\

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

 
I followed your instructions as before and deleted those 2 folders that you mentioned. I hadn't created them.

Here are the new logs.
 
Hi,

Good job, your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

You may also delete the C:\avenger and C:\VundoFix Backups folders and their contents.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend that you read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

 
Thank you so much for your help.

Everything seems to be fine now.

I received this computer from a cousin who completely filled it with crap before I got it and was hoping I could get rid of the viruses.

Thank you.
 
No problems, glad to be of help. =)
Now it's up to you to keep it that way hehe. Enjoy your clean system.
 