Winzix adware

Status
Not open for further replies.

dayslayer8

K, I'm stupid and I installed winzix before I knew it was a stupid adware. After I uninstalled, I (obviously) still get random pop-ups, and 3 iexplorer.exe processes are appearing on task manager. Every time I tried to end the iexplorer.exe, 2 of them just come back while the other one is the real one. I'm a noob in computing and I really need help removing the stupid pop-ups...:dead:
I attached my log from hijackthis

Thanks everyone :D
 

i think the normal procedure is to follow the 8 steps and wait for someone to look at the 3 logs,

www.techspot.com/vb/topic58138.html << 8 steps

in other words try to follow all of those steps and come back with the malwarebytes log and the super antispyware one.

if you're having problems there are people on this board who can help.
 
Your HijackThis log indicates you have a LOP malware infection.

But there is also indication of the use of the AQW Hacking Toolbar, used to pirate software.

We can help with the Lop infection but:
We do not support piracy. Due to the fact that your HijackThis logfile clearly shows you have the AQW Hacking Toolbar, we will not help you.
This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.
Original source: touch

If you feel this is in error, please provide all three of the logs for Virus & Malware Removal. We will be able to verify any pirating with them.
 
lol that took a while

@vexon13
Thank you for being so remindful to new members like me!!:D

@bobbye
thank you for your patience and nice attitude, however aqw hacking toolbar is just a toolbar that lets you go to game forums faster, like cheatengine.org, where people post cheats, walkthroughs and glitches in swf games. It is absolutely NOT crack/warez and has completely NOTHING TO DO with piracy. You can check and prove it on my 3 new logs. (i uninstalled the toolbar before the logs were made and hope that i'm in your favour and get more support...) anywayz here are my 3 new logs.
i'm sorry if i've made any offense to you but i really didn't mean to.

Alternatively, in control panel -> add/remove programs, i've found this thing called Cid help, which came with the winzix. So should i remove it by using add/remove programs or should i do something else?

sorry double post... forgot to attach logs
 
Looks like you´ve got rid of AQW Hacking Toolbar.

We have a special fix tool to remove LOP/CID infections, I´ll therefore suggest we use it ;)


Download http://eric.71.mespages.googlepages.com/LopSD.exe
by Eric_71 and save it to your desktop.

Double-click LopSD.exe
Choose the language by typing the corresponding letter and press Enter
Click OK at the informative window
Type 2 to choose Option 2 (Fix + Hosts), then press Enter
Wait until the scan has finished
A report will be generated, attach the contents of it in your next reply.
 
@touch
i've installed LopSD to my desktop.
i've double-clicked the icon and clicked on 'run' in the security thing
however, the cmd-like window gets a blue screen and immediately shuts...nothing more happens
EDIT: the words 'please wait...' appears in the middle of the screen before it closes itself
 
That´s odd :confused:

Let´s try this scanner ->

Please Download NoLop to your desktop:

http://www.greyknight17.com/spy/NoLop.exe
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK

Now click the "REBOOT" Button.

A message should pop up from NoLop. If not, double click the program again and it will finish. Please attach the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download http://www.boletrice.com/downloads/mscomctl.ocx to your system32 folder then rerun the program.
 
@touch
thanks for the software
i've done everything and here are the logs
 
touch, Lop is still on board as seen below:
O4 - HKLM\..\Run: [Hope Draw Obj Funk] C:\Documents and Settings\All Users\Application Data\LICENSE FORD HOPE DRAW\Idle Dumb.exe
O4 - HKCU\..\Run: [ForkHide] C:\DOCUME~1\Zihao\APPLIC~1\DEFAUL~1\ref vga sixth.exe

How about trying Lop S&D again:

Download Lop S&D by Eric_71 and save it to your desktop.

Disable your antivirus and anti-malware programs so they do not interfere with the running of Lop S&D. You can usually do this via a right click on the System Tray icon.
  • Double-click LopSD.exe
    If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
  • Choose the language by typing the corresponding letter and press Enter
    Lop_Choix-large.jpg
  • Click OK at the informative window
  • Type 2 to choose Option 2 (Fix + Hosts), then press Enter
    Lop_Suppr_en-large.jpg
  • Wait until the end of the scan
    Lop_Fin_en-large.jpg
  • A report will be generated, post the contents of it in your next reply.
(Copy of the report can be found at this location: %SystemDrive%\lopR.txt, in most cases C:\lopR.txt)

Maybe the images will help.
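
The two O4 lines quoted in this post are Run-key autostarts whose executables sit under Application Data. As an added illustration (not part of the original post or of any tool named in the thread), this Python sketch parses HijackThis O4 Run lines and lists the ones that launch from Application Data, including the 8.3 short form APPLIC~1. The third sample line and the location heuristic are assumptions made for the example, not a Lop signature.

```python
import re

# First two lines are the O4 entries quoted in the thread; the third is a
# constructed benign entry added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Hope Draw Obj Funk] C:\Documents and Settings\All Users\Application Data\LICENSE FORD HOPE DRAW\Idle Dumb.exe
O4 - HKCU\..\Run: [ForkHide] C:\DOCUME~1\Zihao\APPLIC~1\DEFAUL~1\ref vga sixth.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Vendor\updater.exe" /background
"""

# "O4 - <hive>\..\<Run key>: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
# Unquoted paths may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)
# Long and 8.3 short names of the XP-era per-user/all-users data folder.
APPDATA_RE = re.compile(r"^(application data|applic~\d)$", re.I)


def exe_path(cmd):
    """Return the executable path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def in_app_data(path):
    """True if any parent folder of the executable is Application Data."""
    return any(APPDATA_RE.match(part) for part in path.split("\\")[:-1])


def suspicious_autostarts(log_text):
    """List (hive, key, value name, path) for Run entries under Application Data."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an HKLM/HKCU Run-style O4 line
        hive, key, name, cmd = m.groups()
        path = exe_path(cmd)
        if in_app_data(path):
            hits.append((hive, key, name, path))
    return hits


if __name__ == "__main__":
    for hive, key, name, path in suspicious_autostarts(SAMPLE_LOG):
        print(f"{hive}\\{key} [{name}] -> {path}")
```

An entry listed here is only a candidate for review; legitimate software can also start from Application Data.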
 
Nope, the same thing happened
i double clicked on lopSD and click 'run' on the security thing.
the blue screen comes up and says please wait...
then it closes and nothing more happens
however, this time i was just able to see a line saying something about: " 'find'............." before it closes
(this message appears really fast just before lopSD closes itself)

By the way, as mentioned earlier
Alternatively, in control panel -> add/remove programs, i've found this thing called Cid help, which came with the winzix. So should i remove it by using add/remove programs or should i do something else?
 
the blue screen comes up and says please wait...
then it closes and nothing more happens

Please go to the Event Viewer and find the Error that corresponds to the BSOD.

Start> Run> type in eventvwr

Do this on each the System and the Applications logs:
1. Click to open the log>
2. Look for the Error>
3. Right click on the Error> Properties>
4. Click on Copy button, top right, below the down arrow
5. Paste here (Ctrl V)
Please ignore Warnings and Information Events. You do not need to include the lines of code, if any, in the box below the Description. Please do not attach the entire Event log.

Force the BSOD if you have to and check the time on the computer clock. The logs are time-coded so you will be looking for Errors occurring at the same time.

I had hoped that maybe the images might help with the Lop program.

3 iexplorer.exe processes are appearing on task manager.
This CAN be normal in IE8, but it can also be malware disguised.

Touch, do you think it's worth trying another Lop program? If so, how about this?

Download FindLop HERE and save to the desktop.
Unzip to a new folder:
Inside the folder locate findlop.bat

Double click it and it will create the file C:\findlop.txt
Find that file and copy and paste the contents into your next post.
A Notepad file will open.
Copy the content of that file and paste it into your reply to this thread.

Also, copy the part in bold below into notepad and save it as direxie.bat
Set File type to "All files"

cd\
cd C:\Documents and Settings\%UserName%\Application Data
dir /x > C:\directory.txt
cd C:\Documents and Settings\All Users\Application Data
dir /x >> C:\directory.txt
cd C:\Program Files
dir /x >> C:\directory.txt
start notepad C:\directory.txt

Start the file by double clicking direxie.bat
That will open a file called directory.txt. Post the content of that file.

Please do a right click> Delete on the 2 setup files for the previous Lop programs.

So should i remove it by using add/remove programs or should i do something else?

CiD Help is a Malware and Adware. You could get this Malware if you download a software from some un-trusted web sites.

To remove CiD Help, go to Start–>Settings–>Control Panel–> Add and Remove Programs, then select CiD Help, click remove.

Please wait to see if Touch agrees to this before running.
 
@Bobbye
Unfortunately, my system shows all the information from event viewer in chinese, including event logs.:mad:
I cannot understand the chinese words nor am I able to translate them into english.
So do you think there is any chance of skipping this step?
 
It´s not easy to understand Chinese, and it is almost impossible to pronounce it :D

Please download http://swandog46.geekstogo.com/avenger2/download.php
by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract avenger2.exe to your desktop

Start Avenger


Folders to delete:
C:\Documents and Settings\All Users\Application Data\License Ford Hope Draw
C:\Documents and Settings\Zihao\Application Data\Defaultwaitremote
C:\Documents and Settings\Zihao\Application Data\Utorrent

Copy/Paste all the text in the above quote box into the main window
Click Execute

The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions.

This log file will be located at C:\avenger.txt

Attach C:\avenger.txt in next reply, along with fresh hijackthis log and tell how things are running now ?
 
when i pressed execute, an error appears:
"Error: Invalid script, a valid script must begin with a command directive. Aborting execution!"

Please wait to see if Touch agrees to this before running.
should i use direxie.bat or remove 'CiD Help' with Add and Remove Programs before any other steps?
 
i have to press 'ok' when the error occurs and avenger does not start executing.
however, avenger does not close but every time i press execute, i get the error and have to press ok, which stops the execution process.
 
Ok. Then you´ll have to delete the folders (in bold) manually:

C:\Documents and Settings\All Users\Application Data\License Ford Hope Draw
C:\Documents and Settings\Zihao\Application Data\Defaultwaitremote
C:\Documents and Settings\Zihao\Application Data\Utorrent

Reboot, attach a new HijackThis log and tell how things are running
 
i'm not able to delete the folder: License Ford Hope Draw
because an error that 'Idle Dumb.exe' is being used or something like that.
However, the other two folders are now deleted.
(dumb.exe is not shown in task manager)
 
Never mind, that folder was deleted after a reboot and i've just rebooted again.
Here's a new Hijack This log
 
Great :)

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O4 - HKLM\..\Run: [Hope Draw Obj Funk] C:\Documents and Settings\All Users\Application Data\LICENSE FORD HOPE DRAW\Idle Dumb.exe
O4 - HKCU\..\Run: [ForkHide] C:\DOCUME~1\Zihao\APPLIC~1\DEFAUL~1\ref vga sixth.exe


Reboot, post fresh hijackthis log, and let us know how things are running ?
 
Yep, i'm finished
Currently, there are no more multiple iexplorer.exe in taskmanager anymore nor random pop-ups when using ie instead of firefox:D
Here's my new hijack this log.
However, CiD Help is still in 'Add or Remove Programs'...
Should i do anything about it?
 
Question: Check the Computer Management for "language"

Control Panel> Administrative Tools> Computer Management> click on each entry on the left, then look on the right screen> check each category for language.

If part of your system is in one language and another part in a different language, it's likely your operating system can't understand itself! There is no separate setting in Computer Management, in which you will find the Event Viewer, to set a language. That is set in the Control Panel> Regional settings.

You have three Asian language programs loading on boot:
[PHIME2002A]>>> Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word

[IMJPMIG8.1]>>> Belongs to the Microsoft Input Method Editor. Used to simplify input of Asian characters in MS Office; needed when typing Chinese characters... It's a process that is installed when you turn on Asian Language packs. Only needed if you require to view them.

[IMEKRMIG6.1]>>> Part of MS Input Method Editor which is used to ease the input of Asian characters in MS Office (Chinese, Japanese and this one is Korean)

Is this intentional?
 