CiD virus

By Bob_Biriba ยท 9 replies
May 22, 2008
  1. Help!

    Another CiD virus case... I'm sorry, but avast doesn't seem to be able to deal with it.
    I already used NoLop, as i saw in here (, and here goes the HJT and the NoLop logs!

    Thanks in advance!
  2. Ruthe

    Ruthe TS Booster Posts: 70

  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Generate Uninstall List

    • 1. Start HijackThis
      2. Click on the Config button
      3. Click on the Misc Tools button
      4. Click on the Open Uninstall Manager button.
      5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.

    Atttach it here
  4. Bob_Biriba

    Bob_Biriba TS Rookie Topic Starter

    I'm sorry, but my english is not that good, and I don't know what is "Gram"... If that's what you're asking, I'm from Brazil.
    Well, I think that TAVO.EXE could be part of the problem, because avast keeps complaining about it every time I turn on the computer, and about some C:\WINDOWS\system32\vga.sys too. Every time I delete them, and yet they come back. I installed that program on the link you said, but it needs a license to really remove the threats (15 at all). =/

    Here it goes. I hope it being in portuguese is not a problem...

    Well, thank you guys in advance for your atention!
  5. Bob_Biriba

    Bob_Biriba TS Rookie Topic Starter

    Ah, I don't know if that's important, but every time I double click the C:\ drive icon on My Computer, it opens that "open with..." window.
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok we have some work to do. So make sure to follow all of this in order. I am going to have to see a startup list before we can completely remove this. Then I can give you a batch file to run, delete some folders and do some fixes with hjt. After that you should be all set.

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall:
      Java(TM) 6 Update 3
      Java(TM) 6 Update 5
      Java(TM) SE Runtime Environment 6 Update 1
      Messenger Plus! Live & Sponsor (CiD)

      I also recommend uninstalling LimeWire 4.16.6
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder

    Generate Startup List
    Run HJT and click on Open the Misc Tools section.

    * In the next window, under StartupList (integrated: v1.52), check the two boxes to the left of:
    o "List also minor sections (full)"
    o "List empty sections (complete)".
    * Click on Generate StartupList log and OK in the confirmation window.
    * When the scan has completed a Notepad window entitled "startuplist.txt" will open.
    * When you close it, it will be saved into the HJT folder. Please post this into your next reply.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    In your next reply attach:
    1) startup list
    2) results from activescan
    3) a fresh hijackthis log
  7. Bob_Biriba

    Bob_Biriba TS Rookie Topic Starter

    The Panda activescan found no threaths, but when I was downloading it, avast said it could be a virus...

    Well, here goes the attachmentes

    I used SUPERantispyware and AVG antispyware, and they cleaned some of the mess, but I think there's still something to do!

    Thanks in advance (again) I don't even know how to thank you!
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\SRGIO~1\CONFIG~1\Temp\MsgPlusUninstall.exe" /Cleanup
    O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    Messenger Plus! Live & Sponsor (CiD)

    Optional: Limewire

    *Limewire is a good way to pick up infections

    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):


    After that, Reboot, and post a new HijackThis log here in a reply


    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.
  9. Bob_Biriba

    Bob_Biriba TS Rookie Topic Starter

    Oh man, I'm sorry, but I'm in college, and it's far from my home... I was there because of a holyday. Now the computer is on my brothers hands, and I won't be able to go back there until the vacation...And then, I'm sure he will manage to have lots of more viruses and malwares... Well, thanks A LOT for you to care about someone you didn't even know, and to 'waste' your time on my viruses! Anyway, next time I get home, I'll do what you said in the last reply, and if there's no other way, I'll consider formating it...

    Thanks a million again!
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    well if you want to call him and tell him to simply uninstall Messenger Plus CID Sponsor that should get rid of the pop ups
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...