Internet Explorer Opens By Itself

I have done everything that I know but my antivirus and adaware won't touch whatever it is. I have IE opening up random pages (all start with:CiD). I've uninstalled IE and it STILL happens. I don't know what to do. I've went to the task manager and stopped IE and it just opens right back up.
===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:42 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Creative bold] C:\DOCUME~1\GINA~1.REG\APPLIC~1\INSIDE~1\Dent Base.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Avlsnm - ALWIL Software - (no file)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 2599 bytes

Hello,

Go to start > controlpanel > software > add/remove programs and look if you have one or more of next programs installed and uninstall them:

Messenger Plus! Live & Sponsor (CiD)
Bitroll
Bitgrabber
Bitdownload
Get-Torrent
CiD Help / CiD Manager
Download Plugin for Internet Explorer
Netpumper
Search Plugin
Torrent101
WinZix
W3player
Zone Media

This because they are bundled with the malware you are dealing with (swizzor aka lop).

This will uninstall the malware application.
In case, during uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window.
In case it says that the file was not found, doublecheck again if you entered the exact command. If still the same, proceed with next steps.

In case you can't find them,

* Go to start > run and copy and paste next command below in the field:
(Please make sure you copy and paste it exactly as you'll find below)

"C:\DOCUME~1\GINA~1.REG\APPLIC~1\INSIDE~1\Dent Base.exe" -uninstall

Hit enter.

Then reboot. Important!

After reboot,

* Download Deljob.exe and save it on your desktop.
Doubleclick Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop
Post the contents of the logfile in your next reply together with a new Hijackthislog.

That first suggestion seemed to have eliminated it. The popup was so random that it's hard to tell if it's totally gone. I'll post again here if the problem still exists. Thank you very much. You have no idea how irritating it was. I tried everything I knew to get rid of it but nothing worked. I swear I've looked in the "Add/Remove" programs list and never seen it..

Hi,

Please post the logs I asked, because I am sure leftovers will still be present, responsible for reloading the infection again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:18 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Avlsnm - ALWIL Software - (no file)

--
End of file - 2312 bytes

You forgot to post the other log, the log from Deljob.exe
That's the most important log.

Sorry about that...here's the log


--------------------------------------------------------
No LOP job-files found
--------------------------------------------------------
Files in Windows Tasks folder

AppleSoftwareUpdate.job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 8879-1A1E

Directory of C:\WINDOWS

Volume in drive C has no label.
Volume Serial Number is 8879-1A1E

Directory of C:\Documents and Settings\Gina.REGINA-31D5CE3D\Application Data

01/28/2008 03:38 AM <DIR> .
01/28/2008 03:38 AM <DIR> ..
01/06/2008 12:27 PM <DIR> acccore
02/08/2008 03:00 PM <DIR> Adobe
01/11/2007 08:33 PM <DIR> AdobeUM
09/28/2006 08:10 PM <DIR> Ahead
10/18/2007 09:12 PM <DIR> APPLEC~1 Apple Computer
08/08/2006 10:09 PM <DIR> Corel
08/19/2006 01:26 PM <DIR> Creative
11/12/2006 10:58 AM <DIR> CYBERL~1 CyberLink
05/16/2007 05:17 PM <DIR> DIGITA~1 Digital Album Organizer
12/01/2007 05:32 PM <DIR> DivX
08/03/2006 10:09 AM <DIR> EARTHL~1 Earthlink
12/15/2006 06:39 PM <DIR> GETRIG~1 GetRightToGo
08/03/2006 11:39 PM <DIR> Google
11/12/2006 11:01 AM <DIR> IDENTI~1 Identities
02/14/2007 10:00 AM <DIR> IMVU
04/22/2007 10:46 PM <DIR> INSTAL~1 InstallShield Installation Information
01/30/2007 08:11 PM <DIR> iWin
12/09/2006 08:46 AM <DIR> JetStart
01/13/2007 03:36 PM <DIR> LEADER~1 Leadertech
03/03/2007 02:04 AM <DIR> LimeWire
12/02/2006 06:10 PM <DIR> MACROM~1 Macromedia
10/31/2006 12:18 PM <DIR> MAGICM~1 Magic Match
12/01/2007 05:31 PM <DIR> MEDIAP~1 Media Player Classic
12/01/2007 07:05 PM <DIR> MICROS~1 Microsoft
12/20/2006 07:46 AM <DIR> MICROS~2 Microsoft Games
03/01/2007 11:54 AM <DIR> MOVENE~1 Move Networks
08/08/2006 12:14 AM <DIR> Mozilla
12/14/2007 01:52 AM <DIR> MP3ROC~1 MP3Rocket
02/12/2007 09:39 AM <DIR> MSN6
02/12/2007 12:37 PM <DIR> MSNINS~1 MSNInstaller
02/28/2007 12:08 AM <DIR> MySpace
11/12/2006 11:03 AM <DIR> OFFICE~1 OfficeUpdate12
12/18/2006 04:15 PM <DIR> PLAYFI~1 PlayFirst
01/07/2008 07:29 AM <DIR> Real
08/19/2006 11:39 AM <DIR> SIMPLE~1 Simple Star
02/08/2008 07:20 PM <DIR> SITEAD~1 SiteAdvisor
11/28/2007 03:50 PM <DIR> Snapfish
11/09/2006 04:25 AM <DIR> STUMBL~1 StumbleUpon
08/18/2006 10:16 PM <DIR> Sun
10/25/2006 10:11 AM <DIR> Talkback
01/29/2008 06:10 PM <DIR> uTorrent
12/27/2006 09:04 AM <DIR> Webroot
02/01/2008 06:29 PM <DIR> yahoo!
0 File(s) 0 bytes
45 Dir(s) 21,203,386,368 bytes free
Volume in drive C has no label.
Volume Serial Number is 8879-1A1E

Directory of C:\Documents and Settings\All Users.WINDOWS\Application Data

02/02/2008 12:47 AM <DIR> .
02/02/2008 12:47 AM <DIR> ..
01/28/2008 02:45 PM <DIR> Adobe
08/19/2006 11:32 AM <DIR> Ahead
01/06/2008 12:22 PM <DIR> AOL
01/06/2008 12:28 PM <DIR> AOLOCP~1 AOL OCP
10/17/2007 07:52 PM <DIR> Apple
10/17/2007 07:59 PM <DIR> APPLEC~1 Apple Computer
12/16/2007 09:21 AM <DIR> Avg7
11/12/2006 10:58 AM <DIR> CYBERL~1 CyberLink
12/01/2007 05:12 PM <DIR> DFX
12/10/2007 03:05 PM <DIR> FLEXnet
02/09/2007 11:31 PM <DIR> FRIEND~1 Friends Games
02/02/2007 04:42 PM <DIR> GAMEHO~1 GameHouse
11/12/2006 10:59 AM <DIR> Google
08/03/2006 10:03 AM <DIR> INSTAL~1 InstallShield
01/17/2008 01:39 PM <DIR> Lavasoft
01/28/2008 02:51 AM <DIR> LINKAX~1 Link Axis Bat Wave
11/25/2007 12:15 AM <DIR> MACROV~1 Macrovision
01/28/2008 03:38 AM <DIR> McAfee
02/09/2007 08:47 AM <DIR> McAfee.com
05/16/2007 10:31 PM <DIR> MICROS~1 Microsoft
02/10/2007 08:01 AM <DIR> MICROS~3 Microsoft Corporation
12/20/2006 07:46 AM <DIR> MICROS~2 Microsoft Games
02/10/2007 08:08 AM <DIR> MSN6
01/18/2007 09:14 PM <DIR> MUMBOJ~1 MumboJumbo
12/18/2006 04:15 PM <DIR> PLAYFI~1 PlayFirst
12/31/2007 07:27 PM <DIR> Real
09/23/2006 01:51 PM <DIR> SANDLO~1 Sandlot Games
01/28/2008 03:38 AM <DIR> SITEAD~1 SiteAdvisor
11/19/2006 08:29 AM <DIR> SONYPI~1 SonyPicturesGames
12/30/2007 10:07 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
10/17/2007 10:55 PM <DIR> Symantec
02/12/2007 07:55 AM <DIR> TEMP
11/12/2006 10:59 AM <DIR> Trymedia
01/06/2008 12:23 PM <DIR> VIEWPO~1 Viewpoint
08/03/2006 09:34 PM <DIR> WINDOW~1 Windows Genuine Advantage
11/24/2006 06:03 AM <DIR> WINDOW~2 Windows Live Toolbar
02/09/2007 09:20 AM <DIR> Yahoo
02/01/2008 06:29 PM <DIR> Yahoo!
02/09/2007 01:24 PM <DIR> YAHOO!~1 Yahoo! Companion
0 File(s) 0 bytes
41 Dir(s) 21,203,382,272 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
AARON
All Users
All Users.WINDOWS
Application Data
Gina
Gina.REGINA-31D5CE3D
Guest
--------------------------------------------------------

Hi,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Click Yes to confirm.
Click OK.

Then navigate to and delete next folder:

C:\Documents and Settings\All Users.WINDOWS\Application Data\Link Axis Bat Wave

Let me know in your next reply how things are now.

Everything seems to be working like it should. No random popups or anything.
Did you need to see the log file?

Hi,

No, the logfile is not needed anymore.


Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.