CiD virus

Status
Not open for further replies.
Help!

Another CiD virus case... I'm sorry, but avast doesn't seem to be able to deal with it.
I already used NoLop, as I saw here (techspot.com/vb/topic74471.html), and here are the HJT and NoLop logs!

Thanks in advance!
 
Generate Uninstall List

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button a Notepad window will open with the contents of that file.

Attach it here
 
Ruthe said:
Dude, are you Gram? If so, I wondered why most of your log is in Spanish. Try going here.
(sorry, I cannot post urls yet)
If that doesn't help, come back and we'll kill them off one by one.
Good luck.

I'm sorry, but my English is not that good, and I don't know what "Gram" is... If that's what you're asking, I'm from Brazil.
Well, I think that TAVO.EXE could be part of the problem, because avast keeps complaining about it every time I turn on the computer, and about some C:\WINDOWS\system32\vga.sys too. I delete them every time, and yet they come back. I installed the program from the link you gave, but it needs a license to really remove the threats (15 in all). =/

Blind Dragon said:
Generate Uninstall List

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button a Notepad window will open with the contents of that file.

Attach it here

Here it goes. I hope it being in Portuguese is not a problem...

Well, thank you guys in advance for your attention!
 
Ah, I don't know if that's important, but every time I double-click the C:\ drive icon in My Computer, it opens that "Open with..." window.
 
Ok, we have some work to do, so make sure to follow all of this in order. I am going to have to see a startup list before we can completely remove this. Then I can give you a batch file to run, delete some folders and do some fixes with HJT. After that you should be all set.

----------------------------------------------------------
Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 6
  • The 5th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall:
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    Messenger Plus! Live & Sponsor (CiD)

    I also recommend uninstalling LimeWire 4.16.6
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder
-------------------------------------------------------------------------------

Generate Startup List
Run HJT and click on Open the Misc Tools section.

* In the next window, under StartupList (integrated: v1.52), check the two boxes to the left of:
o "List also minor sections (full)"
o "List empty sections (complete)".
* Click on Generate StartupList log and OK in the confirmation window.
* When the scan has completed a Notepad window entitled "startuplist.txt" will open.
* When you close it, it will be saved into the HJT folder. Please post this into your next reply.

-------------------------------------------------------------------------------

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


In your next reply attach:
1) startup list
2) results from activescan
3) a fresh hijackthis log
 
The Panda ActiveScan found no threats, but when I was downloading it, avast said it could be a virus...

Well, here are the attachments.

I used SUPERAntiSpyware and AVG Anti-Spyware, and they cleaned some of the mess, but I think there's still something to do!

Thanks in advance (again). I don't even know how to thank you!
 
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\SRGIO~1\CONFIG~1\Temp\MsgPlusUninstall.exe" /Cleanup
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Messenger Plus! Live & Sponsor (CiD)

Optional: Limewire

*Limewire is a good way to pick up infections


Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\kavo.exe

After that, reboot, and post a new HijackThis log here in a reply.

------------------------------------------------------

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.
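The O4 entries above are values under the Run/RunOnce registry keys, and the O2 entry is a Browser Helper Object CLSID whose DLL path HijackThis could not resolve ("(no file)"). The following PowerShell script is an added example, not something posted in this thread or part of HijackThis: it walks those same autostart locations, resolves each BHO CLSID through its InprocServer32 key, and reports entries whose target file is missing or whose file name appears on a watch list built from the names mentioned in this thread (kavo.exe, tavo.exe, vga.sys). It only reads and reports; nothing is deleted. It assumes Windows PowerShell 5.1 or later and an elevated prompt so that the HKLM keys are readable.

```powershell
# Added example (not from the thread): enumerate the autostart locations behind
# HijackThis O4 (Run/RunOnce) and O2 (Browser Helper Object) entries and flag
# anything whose target file is missing or whose name is on a watch list.
# Read-only: nothing is removed.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed watch list: file names that the HijackThis log and avast alerts in this thread point at.
$watchNames = @('kavo.exe', 'tavo.exe', 'vga.sys')

function Get-CommandPath {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments (e.g. "...\MsgPlusUninstall.exe" /Cleanup)
    # so that only the executable path is tested.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.(exe|dll|sys|cmd|bat))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Test-Suspicious {
    param([string]$Path)
    # Returns a list of reasons; an empty list means nothing stood out.
    if ([string]::IsNullOrWhiteSpace($Path)) { return @('empty command') }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $leaf     = Split-Path -Leaf $expanded
    $reasons  = @()
    if (-not (Test-Path -LiteralPath $expanded)) { $reasons += 'file missing' }
    if ($watchNames -contains $leaf.ToLower())    { $reasons += 'name on watch list' }
    return $reasons
}

$findings = @()

# O4 equivalents: every value under Run and RunOnce for the machine and the current user.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $path = Get-CommandPath ([string]$item.GetValue($name))
        $why  = Test-Suspicious $path
        if ($why.Count -gt 0) {
            $findings += [pscustomobject]@{ Kind = 'O4'; Key = $key; Name = $name; Target = $path; Reason = ($why -join ', ') }
        }
    }
}

# O2 equivalents: registered BHO CLSIDs, resolved through HKCR\CLSID\{...}\InprocServer32.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        # A CLSID with no InprocServer32 is what HijackThis prints as "(no file)".
        $why = if ($dll) { Test-Suspicious $dll } else { @('no InprocServer32 (HijackThis "(no file)")') }
        if ($why.Count -gt 0) {
            $findings += [pscustomobject]@{ Kind = 'O2'; Key = $bhoKey; Name = $clsid; Target = $dll; Reason = ($why -join ', ') }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it before and after the "Fix Checked" step: an entry that is still listed after the reboot, or a file that reappears under system32, is the sign this thread describes of something re-creating the Run value, and points at a process that still needs to be found rather than at a file that merely needs deleting again.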
 
Oh man, I'm sorry, but I'm in college, and it's far from my home... I was there because of a holiday. Now the computer is in my brother's hands, and I won't be able to go back there until the vacation... And then, I'm sure he will manage to get lots more viruses and malware... Well, thanks A LOT for caring about someone you didn't even know, and for 'wasting' your time on my viruses! Anyway, next time I get home, I'll do what you said in the last reply, and if there's no other way, I'll consider formatting it...
=/

Thanks a million again!
 
Well, if you want to call him and tell him to simply uninstall Messenger Plus CID Sponsor, that should get rid of the pop-ups.
 