
CiD hijack


8 replies to this topic

#1 Stuart_Palma

Posted 11 October 2009 - 06:59 AM

I'm a newcomer here, and have encountered a problem that my AVG does not deal with. While navigating with IE8 there are constant pop-up PAGES, normally labelled as CiD, that open, offering Tarot cards, Vodafone, etc. If I do not close these while navigating normally, but only after shutting down IE8, when I next open the navigator there is a message saying that IE8 closed down unexpectedly and asks if I want to restore my previous sessions. Ignoring this message does not appear to affect subsequent navigation.

The address bar is also rather strange. The http://www. part of the address of a site is greyed out, the actual site name shows in normal font, and the sub-page is also greyed. This may be normal in IE8 (I've only recently upgraded to IE8) but it seems strange.

I have run Hijack This and ComboFix, and have the logs available. Can anyone help please?

#2 Computer Pro

Posted 11 October 2009 - 06:17 PM

Hello and welcome to Bleeping Computer. As for the greying out in the address bar, that is a new feature in IE8 so that it shows the main site you are on to avoid phishing sites.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Bullet the Immediate notification bubble. Then press Submit.


Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 Stuart_Palma

Posted 11 October 2009 - 08:27 PM

Computer Pro,

Thanks for your prompt reply.

MBAM came up clean. The log text is as follows:-
Malwarebytes' Anti-Malware 1.41
Database version: 2944
Windows 5.1.2600 Service Pack 3

12/10/2009 03:21:59
mbam-log-2009-10-12 (03-21-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122328
Time elapsed: 44 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


What do you suggest?

#4 Computer Pro

Posted 11 October 2009 - 08:30 PM

Please run ATF and SAS:
Credits to Boopme

Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#5 Stuart_Palma

Posted 12 October 2009 - 05:22 AM

There is only one user on this machine in normal mode. In Safe Mode there is an Administrator.


Still no infections found.

The log is clean:-



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/12/2009 at 12:05 PM

Application Version : 4.29.1002

Core Rules Database Version : 4160
Trace Rules Database Version: 2085

Scan type : Complete Scan
Total Scan Time : 00:50:08

Memory items scanned : 232
Memory threats detected : 0
Registry items scanned : 4463
Registry threats detected : 0
File items scanned : 24986
File threats detected : 0


Any other possibilities?

#6 quietman7

Posted 12 October 2009 - 07:33 AM

Please uninstall any of the following program(s) using Add/Remove Programs in Control Panel if they are present. They are often bundled with the malware causing your problems. To do this, go to Start > Control Panel or Start > Settings > Control Panel (if in Classic View) and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove. Vista users should use the Programs and Features section of Control Panel.

Messenger Plus! Live & Sponsor (CiD)
CiD Help
CiD Manager
Bitdownload
Bitgrabber
BitRol
Download Plugin for Internet Explorer
Get-Torrent
Netpumper
Search Plugin
Torrent101
W3player
WinZix
Zone Media


While uninstalling any of the above, if you are asked for a Verification code, please enter the numbers that appear in the window. When done, be sure to reboot your computer. <- Important!

Open My Computer or Windows Explorer, navigate to C:\Program Files and delete any of the named program folders listed above that you find.

Note: If you were using Messenger Plus! Live and want to continue to use it, then reinstall and choose not to install the Sponsor after your computer has been cleaned. Please refer to How to remove Messenger Plus (C2Media) and How to install Messenger Plus! Live without the Sponsor.

Please download Lop S&D by Eric_71 and save to your desktop. <- for Windows XP and Vista ONLY!

Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan so they do not interfere with the running of Lop S&D. Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Double-click Lop S&D.exe
  • If using Windows Vista, be sure to Run As Administrator to perform this scan.
  • Choose the language by typing the corresponding letter and press Enter.
  • Please read the informational notice that appears and then click OK.
  • Type 2 to choose Option 2 (Fix + Hosts), then press Enter.
  • Don't close the window during suppression!
  • Wait until the end of the scan.
  • A report named lopR.txt will be generated and open in Notepad.
  • The report is automatically saved to the root of your system drive (typically C:\lopR.txt).
  • Copy and paste the contents of that report in your next reply.
Instructions with screenshots (if needed).

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 Stuart_Palma

Posted 13 October 2009 - 05:40 AM

Thanks to those who tried to help me here. In the end it was easier to format and reinstall - my computer was a recent installation and wasn't particularly crowded with files. Thanks again.

Stuart

#8 quietman7

Posted 13 October 2009 - 06:35 AM

Sometimes a reformat/factory restore is the best solution. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned, repaired or trusted. The malware may leave so many remnants behind that security tools cannot find them. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware. For more specific information on how these types of rogue programs and infections install themselves, read:

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

Other related reading sources:

Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:
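As an added example (not part of quietman7's post, and not a Microsoft tool), the PowerShell audit below reads the NoDriveTypeAutoRun policy value that Microsoft Security Advisory 967940 relies on and decodes which drive types still have Autorun enabled. It assumes an elevated PowerShell session; the -Fix switch is a hypothetical parameter defined by the script itself.

```powershell
# Added example: audit (and optionally harden) the Autorun policy described
# in Microsoft Security Advisory 967940. Not from the thread or from Microsoft.
# Assumes an elevated session; -Fix is this script's own hypothetical switch.
param([switch]$Fix)

# Bit mask of NoDriveTypeAutoRun: a set bit DISABLES Autorun for that drive type.
$DriveBits = [ordered]@{
    0x04 = 'Removable (USB/floppy)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD/DVD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'Unknown'
}

# Windows honours the value under both hives; HKLM takes precedence.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($key in $PolicyKeys) {
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
              -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    if ($null -eq $value) {
        # Absent value means the OS built-in default applies, which still
        # allows Autorun on removable and optical media.
        Write-Host "$key : NoDriveTypeAutoRun not set (Autorun NOT fully disabled)"
    } else {
        Write-Host ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $key, $value)
        foreach ($bit in $DriveBits.Keys) {
            $state = if ($value -band $bit) { 'disabled' } else { 'ENABLED' }
            Write-Host ("    {0,-22} Autorun {1}" -f $DriveBits[$bit], $state)
        }
    }

    if ($Fix) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 0xFF sets every drive-type bit, disabling Autorun on all media.
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Write-Host "    -> NoDriveTypeAutoRun set to 0xFF (all drive types disabled)"
    }
}
```

The registry value only takes full effect once the update the advisory links to is installed; before that update, Windows disabled Autoplay but still honoured Autorun.inf on double-click.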

#9 Computer Pro

Posted 13 October 2009 - 06:06 PM

You're welcome. I'm sorry that it had to turn out that way.



