Pop-ups (CiD) can't get rid of them

Status
Not open for further replies.

elaineq

Posts: 6   +0
CiD popups...HELP
I've got CiD popups in my pc and they are driving me crazy! I've checked on my add/remove programs, and there's nothing there. I've also uninstalled MSN plus but they keep on popping. I have tried all sorts of ad-aware removals as well as scanned with Norton Antivirus, but I have not been successful at all. Hope someone can help me to get rid of it! It's the second time I'm asking Techspot's help and you were very kind solving my problem before!
 
HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
 
hijackthis log

Here it goes, hope you can help me, thanks!
 

Attachments

  • hijackthis.txt
    9.5 KB · Views: 5
Where to start. Follow these instructions carefully and in order

Download\install 'SuperAntiSpyware Home Edition Free Version' from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Once the updates have been installed, exit SuperAntiSpyware.

----------------------------------------------------------------------------------

Download and Run FixWareout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [1 mags 16 more] C:\Documents and Settings\All Users\Application Data\Admin Inter 1 Mags\SOFTWARE LOAD.exe
    O4 - HKCU\..\Run: [Drv Cast] C:\DOCUME~1\esys\APPLIC~1\SHIMDE~1\Ball Way Regs.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk571IXGB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0211D6FD-3B29-4B03-8F1D-29ECDF1C1040}: NameServer = 85.255.113.206,85.255.112.76
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18CD6433-FD3C-4CAC-A11B-5216468B7892}: NameServer = 85.255.113.206,85.255.112.76
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF1E4FE-107C-4649-B43B-302AB941E7EC}: NameServer = 85.255.113.206,85.255.112.76
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99585E16-D9D3-45F4-88C7-69927F37646D}: NameServer = 85.255.113.206,85.255.112.76
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8F95B28-4230-4D14-BF04-42BE50F606A0}: NameServer = 85.255.113.206,85.255.112.76
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.206 85.255.112.76
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0211D6FD-3B29-4B03-8F1D-29ECDF1C1040}: NameServer = 85.255.113.206,85.255.112.76
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206 85.255.112.76
    O20 - AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.

----------------------------------------------------------------------------------

Copy and paste this section into notepad and save it to your desktop to have while in safe mode

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

----------------------------------------------------------------------------------

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

bandoo

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Documents and Settings\All Users\Application Data\Admin Inter 1 Mags
C:\Documents and Settings\esys\Application Data\SHIMDE~1 <- will start with shimde then be randomly named
c:\program files\bandoo

-----------------------------------------------------------------------------------

Scan with SuperAntiSpyware
  • Start SuperAntiSpyware.
  • On the main screen click on 'Scan your computer'.
  • Check 'Perform Complete Scan', then click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.

    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    Click on 'Preferences'.
    Click on the 'Statistics/Logs' tab.
    Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad.
    Attach the notepad file here on your next reply

------------------------------------------------------------------------------------

Finally, please post:
1) a fresh HijackThis log
2) C:\fixwareout\report.txt
3) Superantispyware log
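
The fix list in the post above mixes several HijackThis sections (O2, O4, O17, O20). As an added example that is not part of the original thread and not a HijackThis feature, this Python sketch parses such lines and flags them for review; the heuristics, the `trusted` parameter and the constructed 192.168.1.1 line are assumptions made for illustration.

```python
import ipaddress
import re

# Lines copied from the fix list above (a subset), plus one constructed
# benign O17 line (192.168.1.1, placeholder GUID) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [Drv Cast] C:\DOCUME~1\esys\APPLIC~1\SHIMDE~1\Ball Way Regs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206 85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{0211D6FD-3B29-4B03-8F1D-29ECDF1C1040}: NameServer = 85.255.113.206,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER = re.compile(r"NameServer = (.+)$")

def parse(log):
    """Yield (section, body) for every HijackThis 'O<n> - ...' line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def static_dns(body):
    """Return resolver IPs from an O17 NameServer body (comma or space separated)."""
    m = NAMESERVER.search(body)
    return [ipaddress.ip_address(a) for a in re.split(r"[,\s]+", m.group(1).strip())] if m else []

def triage(log, trusted=()):
    """Return (section, reason, body) findings; the rules are example heuristics."""
    trusted = {ipaddress.ip_address(a) for a in trusted}
    findings = []
    for section, body in parse(log):
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO registered but its file is missing", body))
        elif section == "O4" and re.search(r"(?i)\\(Application Data|APPLIC~1)\\", body):
            findings.append((section, "autorun launched from an Application Data folder", body))
        elif section == "O17":
            odd = [ip for ip in static_dns(body) if not ip.is_private and ip not in trusted]
            if odd:
                findings.append((section, "static public DNS: " + ", ".join(map(str, odd)), body))
        elif section == "O20":
            findings.append((section, "AppInit_DLLs entry loads into processes using user32.dll", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Pass the resolvers your ISP or router actually hands out as `trusted` so that only unexpected static DNS settings are reported.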
 
Hello Blind Dragon, Thanks for sending the steps. I just couldn't find the Bandoo anywhere, not even in safe mode. There's no application data folder in C > Documents and Settings, but I've done everything else. Here goes the attached files you asked me and thank you once again...Since I've started typing this thread no popups have appeared, it looks like a progress! Before I would have been stopped to close at least 5 windows in that short gap of time. That is good!
 
Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
  • On the Tools menu in Windows Explorer, click Folder Options
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders
  • Remove the checkmark from the checkbox labeled Hide protected operating system files
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
  • Put a checkmark in the checkbox labeled Display the contents of system folders.

-----------------------------------------------------------------------------

Try to find and delete:
C:\Documents and Settings\All Users\Application Data\Admin Inter 1 Mags
C:\Documents and Settings\esys\Application Data\SHIMDE~1


------------------------------------------------------------------------------

Don't worry if you still couldn't find the above files, we will remove them another way.

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
Now I was able to find and delete both files. Here goes the combofix log and the new HJT log. The popups are gone and the pc is faster, thanks to your help!
Let me know if everything is ok now.
 
looking much better, did you install incredimail yourself?

Let's run an online scan to see if there are any stragglers

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
I'm not sure if I did it the right way, as my Java seems to have troubles. Anyway I did the scan the way it allowed. The report is attached.
 
You are doing great :grinthumb

Either delete everything Norton has quarantined through the program. Or

Navigate to the following folder and delete everything inside but not the folder itself.
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

-----------------------------------------------------

Afterwards run me another Hijackthis scan and attach so that we can start cleaning up
 
Back from the weekend, here goes my HJT log with a clean Norton quarantine. Those infections are really giving a hard time, but with your help we'll win the battle...
 
Almost missed one. Launch Hijackthis -> scan only -> check the following entry

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab

Click fix checked

This is the activeX control that was installed which allowed the infection to get on there in the first place.

--------------------------------------------------------------

I would keep MBAM and scan with it regularly - also I recommend Winpatrol listed below.

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

OTCleanit! by Oldtimer
  • Download OTCleanIt
  • Click the CleanUp! button.
    • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

---------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This is done in Vista through Control Panel -> Windows Updates.

  7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
 