
Help with CiD popups?? Hijack log included

Discussion in 'Windows - Virus and spyware problems' started by armenix, Jun 12, 2007.

  1. armenix

    armenix Member

    Joined:
    Jul 14, 2006
    Messages:
    91
    Likes Received:
    0
    Trophy Points:
    16
    Hey there Afterdawn team! I've been having problems with a "CiD: *popup ad name here*" while I browse the internet, and I know it's from something my brother downloaded (I'm guessing an EXE program he ran), because I found and deleted the virus, and then I ran 3 different spyware scans, and while they found some stuff, they could not get to the source of the problem. Any other clean-ups that are possible would be nice too =D Thanks for your great help, here's the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:10:34 PM, on 6/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\RAM Idle LE\RAM_XP.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\nvsvc32.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
    O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148090561171
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148093679578
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  2. bluecoal

    bluecoal Guest

    Hi,
    You have a problem called Lop. A common way to get that used to be from installing Messenger Plus with the sponsors. (Not sure if that carries through into current versions.)

    Look in your Documents and Settings folders for all users on the computer for odd made-up names like these (the names in the last one are abbreviated):
    C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD
    C:\DOCUME~1\Owner\APPLIC~1\STUPID~1
    Delete those two. If you have concerns about deleting others, rename the files and that gives you a recovery option if something shouldn’t have been changed.

    Allow HijackThis to fix these two lines:
    O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
    O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe


    Then check this one section of the startup log.
    Hijackthis
    Misc tools
    generate startup list log
    This section of that log:
    Enumerating Task Scheduler jobs:
    Should be reviewed for lop tasks.
    If you see some task names that are long with odd assortments of letters and numbers, post that section of the log and I’ll try to find the instructions for removing them for you.

    Regards.
    bc


    I was doing a little reading after I posted, here is a program I am not familiar with. It apparently deletes the task jobs, and gives file/folder lists to help in finding the Lop ones. Here are instructions I copied from a post elsewhere:

    Please download NoLop to your Desktop.

    http://www.spywareedge.net/nolop/NoLop.exe


    First close any other programs you have running; this will need you to reboot.
    Double click NoLop.exe to run it
    Now click the button labelled Search and Destroy
    <<Your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected, click OK.
    Now click the REBOOT button.
    A message should popup from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log in your next reply.

    Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your System32 folder then re-run the program.


     
    Last edited by a moderator: Jun 12, 2007
  3. armenix

    armenix Member

    Thanks for your hasty response!

    Can I fix these without turning off system restore/safe mode?

    Here's what I found under what you told me to look for; I put them all just in case:
    AED8CB1591E37B45.job
    Uniblue SpyEraser Nag.job
    Uniblue SpyEraser.job
     
  4. bluecoal

    bluecoal Guest

    The top job is a lop job.

    Go ahead and try the NoLop program; from the other post I looked at, it looks like NoLop will remove that.

    You can reset the restore points after you do the fixes; that still gives you a restart point in case of trouble.

    Post the NoLop log, and we'll see if we can see the lop folder locations.

    EDIT
    Are you familiar with this one:

    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll

    It does not give me a lot of hits on Google; I don't know if it is good or bad.

    ENDEDIT
     
    Last edited by a moderator: Jun 12, 2007
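The triage done by eye in the posts above (autorun entries that launch from an Application Data folder, and Task Scheduler jobs with random-looking names) can be scripted. The following is an added example, not part of the original thread or of HijackThis; the function names and the "12 or more hex digits" job-name pattern are assumptions, the latter based on the single job name posted here.

```python
import re

# Lines copied from the HijackThis log posted in this thread (trimmed to a few entries).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""
# Task Scheduler job names as posted in the thread.
JOB_NAMES = ["AED8CB1591E37B45.job", "Uniblue SpyEraser Nag.job", "Uniblue SpyEraser.job"]

# Registry autorun lines: "O4 - <hive>\..\<key>: [<value name>] <command>".
# File-based "O4 - Startup:" lines have a different shape and are not handled here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# A profile's Application Data folder on Windows XP, in long or 8.3 short form,
# plus the first sub-folder below it (the folder a helper would ask to review).
APPDATA_RE = re.compile(
    r"(?P<folder>[a-z]:\\(?:documents and settings|docume~\d)\\[^\\]+"
    r"\\(?:application data|applic~\d)\\[^\\]+)\\",
    re.IGNORECASE,
)

# Assumption: a job name made only of 12 or more hex digits is worth a look.
HEX_JOB_RE = re.compile(r"^[0-9a-f]{12,}\.job$", re.IGNORECASE)


def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per O4 registry autorun line."""
    entries = []
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def flag_autoruns(log_text):
    """Return autoruns whose command launches from under Application Data."""
    flagged = []
    for entry in parse_o4(log_text):
        match = APPDATA_RE.search(entry["cmd"])
        if match:
            flagged.append(dict(entry, folder=match.group("folder")))
    return flagged


def flag_jobs(names):
    """Return job file names that consist only of hex digits."""
    return [name for name in names if HEX_JOB_RE.match(name)]


if __name__ == "__main__":
    for hit in flag_autoruns(SAMPLE_LOG):
        print("review autorun:", hit["hive"], hit["name"], "->", hit["folder"])
    for job in flag_jobs(JOB_NAMES):
        print("review job:", job)
```

A flagged entry is only a candidate for review: legitimate software also starts from Application Data, so the folder and file names still need the manual check described in the thread.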
  5. armenix

    armenix Member

    OK, great! Unfortunately I have to go now, but I'll be back later tonight with my results. Thank you for your help!
     
  6. armenix

    armenix Member

    Ok, I ran the NoLop program, and everything went as you said it would, but I am still getting those popups (I'm not sure if it was supposed to fix it, I was just letting you know). Here is the log:

    oLop! Log by Skate_Punk_21

    Fix running from: C:\Documents and Settings\Owner\Desktop
    [6/12/2007]
    [6:33:04 PM]

    ---Infection Files Found/Removed---
    C:\WINDOWS\tasks\AED8CB1591E37B45.job

    Beginning Removal...
    Rebooting...
    Removing Lop's Leftover Files/Folders...
    Editing Registry...
    **Fix Complete!**

    ---Listing AppData sub directories---

    C:\Documents and Settings\All Users\Application Data\Ableton
    C:\Documents and Settings\All Users\Application Data\Adobe
    C:\Documents and Settings\All Users\Application Data\Adobe Systems
    C:\Documents and Settings\All Users\Application Data\Ahead
    C:\Documents and Settings\All Users\Application Data\Aol
    C:\Documents and Settings\All Users\Application Data\Aol Downloads
    C:\Documents and Settings\All Users\Application Data\Aol Ocp
    C:\Documents and Settings\All Users\Application Data\Funk Plus Cdrom Upload
    C:\Documents and Settings\All Users\Application Data\Microsoft
    C:\Documents and Settings\All Users\Application Data\Propellerhead Software
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    C:\Documents and Settings\All Users\Application Data\Symantec
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    C:\Documents and Settings\All Users\Application Data\Yamaha
    C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
    C:\Documents and Settings\Localservice\Application Data\Microsoft
    C:\Documents and Settings\Networkservice\Application Data\Help -- EMPTY Directory
    C:\Documents and Settings\Networkservice\Application Data\Microsoft
    C:\Documents and Settings\Owner\Application Data\.bittorrent
    C:\Documents and Settings\Owner\Application Data\Ableton
    C:\Documents and Settings\Owner\Application Data\Acccore
    C:\Documents and Settings\Owner\Application Data\Adobe
    C:\Documents and Settings\Owner\Application Data\Adobeum -- EMPTY Directory
    C:\Documents and Settings\Owner\Application Data\Ahead
    C:\Documents and Settings\Owner\Application Data\Aim -- EMPTY Directory
    C:\Documents and Settings\Owner\Application Data\Azureus
    C:\Documents and Settings\Owner\Application Data\Bitdownload
    C:\Documents and Settings\Owner\Application Data\Divx
    C:\Documents and Settings\Owner\Application Data\Geniesoft
    C:\Documents and Settings\Owner\Application Data\Help -- EMPTY Directory
    C:\Documents and Settings\Owner\Application Data\Identities
    C:\Documents and Settings\Owner\Application Data\Lavasoft
    C:\Documents and Settings\Owner\Application Data\Macromedia
    C:\Documents and Settings\Owner\Application Data\Microsoft
    C:\Documents and Settings\Owner\Application Data\Propellerhead Software
    C:\Documents and Settings\Owner\Application Data\Simple Star
    C:\Documents and Settings\Owner\Application Data\Snapfish -- EMPTY Directory
    C:\Documents and Settings\Owner\Application Data\Steinberg
    C:\Documents and Settings\Owner\Application Data\Stupid Rule Second
    C:\Documents and Settings\Owner\Application Data\Sun
    C:\Documents and Settings\Owner\Application Data\Teamspeak2
    C:\Documents and Settings\Owner\Application Data\Uniblue -- EMPTY Directory
    C:\Documents and Settings\Owner\Application Data\Ventrilo
    C:\Documents and Settings\Owner\Application Data\Viewpoint


    There you go :) OK, and as far as:

    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll

    I imagine you did have a hard time finding info on it; it's something required for my ISP, so it's OK :) It doesn't let me use their service otherwise.

    Alrighty, so what do I need to do next? Here is my Hijack again just in case you needed it updated:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:50:01 PM, on 6/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\RAM Idle LE\RAM_XP.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
    O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148090561171
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148093679578
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  7. bluecoal

    bluecoal Guest

    Well, I hope they are coming from this, because if they aren’t, we are going to be getting beyond what I know to look for.
    EDIT
    Googling, CiD popups seem to be lop related, so getting the lop fixed should fix your problem.
    ENDEDIT

    Look for these two folders and delete them.
    (make a note of the date before you delete them)
    C:\Documents and Settings\All Users\Application Data\Funk Plus Cdrom Upload
    C:\Documents and Settings\Owner\Application Data\Stupid Rule Second

    Then, I don’t know if you will see anything there or not, but take a look in c:programfiles for oddly named folders like that too. If you set view to details and then sort by date, if there is anything there it should be pretty close to the top (and the dates of the other folders).
    EDIT
    After some more reading, I am expecting you to find a
    C:programfiles\Stupid Rule Second\ folder. Please delete that if it exists.
    ENDEDIT

    Then have hijackthis fix these lines:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
    O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe

    Reboot the system and see where you are with the popups.

    EDIT
    If problems continue, run this tool and post the report. It has some file creation information that may be helpful.
    Download Combofix.exe.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Combofix will automatically save the log file to C:\combofix.txt
    ENDEDIT


    bc
     
    Last edited by a moderator: Jun 13, 2007
  8. clanfrase

    clanfrase Member

    Joined:
    Jun 14, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    I can only get as far as my startup screen before a message box with vsmon.exe pops up and stops Windows loading. It says unknown application has caused an exceptional error at unknown address. Help please.
     
  9. armenix

    armenix Member

    Hey there Bluecoal, real sorry for slow response, it's been real busy around here lately :-/

    Anyways, first I tried to delete those folders you told me to delete, but

    C:\Documents and Settings\All Users\Application Data\Funk Plus Cdrom Upload

    wouldn't let me delete it because it was "in use"; I then used the application "Advanced WindowsCare Personal 2" to look at my startup programs, and found "onebore", which was obviously not supposed to be there. I made it not turn on at startup, and I followed its directory,

    C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe

    which led me to

    C:\Documents and Settings\Owner\Application Data\Stupid Rule Second

    and then proceeded to delete that. I then ran Hijack and fixed all the directories you told me to fix. I restarted the computer, and I was able to delete the other problem folder as well. I now don't have any popup problems (yay!!!), and all the related folders should be deleted (unless it's something me and you haven't already found). I just want it permanently removed from my system if it's not already, and I'm not sure how to check that; I'm afraid to see if it's gone by allowing it to start up, because I'm not sure if it will reinstall the files when I allow it at startup if it's still there. What should I do from here?

    Thanks so much for all your help, you guys don't get enough credit around here :)
     
  10. bluecoal

    bluecoal Guest

    Hi,

    A) You have given me some useful information; I appreciate that.

    B) You have done what I see folks being asked to do in other threads about this. Based on some experiences sometime ago, I would like for you to check a little further.

    What I would most like to see is a log from this program, at least the files section.

    http://www.geekstogo.com/forum/index.php?automodule=downloads&showfile=19

    I have not learned how to use this program yet and reviewed a log from it, so you can probably do as good a job reviewing it as I can.
    If you decide to try running it, but prefer not to post it, you need to review the file sections carefully, looking for those made-up type file names to see if there are any left. Because you got on this so quickly, I am not expecting you to find anything other than the thing I mention next. I would particularly like to know, either yes or no, if there is a c:programfiles\Stupid Rule Second. (If you prefer not to run the program, you can just check for this folder manually.) Because of the presence of the task scheduler job, I am expecting you to find one. Also, check the program files folder for a c2media program or folder. If you find one, let's talk about that.

    After that, there might possibly be a registry entry or two, but they can no longer call anything so I think you will be ok there.

    (I appreciate your compliment. There are a lot of new infections I could not help you with; this happens to be one I had a run-in with.)

    Regards.
    bc
     
