Sarah

My dad has started using an old computer and has found CiD popups keep appearing. He has done all the various antivirus and spware programs and it wont go away.
This is the hickthis log and can you please try and find the source.
Logfile of HijackThis v1.99.1
Scan saved at 11:44:43, on 29/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
CWINDOWS\System32\smss.exe
CWINDOWS\system32\winlogon.exe
CWINDOWS\system32\services.exe
CWINDOWS\system32\lsass.exe
CWINDOWS\system32\svchost.exe
CWINDOWS\System32\svchost.exe
CWINDOWS\system32\LEXBCES.EXE
CWINDOWS\system32\LEXPPS.EXE
CWINDOWS\system32\spoolsv.exe
CProgram Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
CProgram Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
CProgram Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
CWINDOWS\System32\nvsvc32.exe
CWINDOWS\system32\wscntfy.exe
CWINDOWS\Explorer.EXE
CProgram Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
CProgram Files\Common Files\Real\Update_OB\realsched.exe
CProgram Files\NETGEAR\WG511SCU\Utility\Gear511.exe
CProgram Files\QuickTime\qttask.exe
CWINDOWS\System32\svchost.exe
CProgram Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
CProgram Files\Internet Explorer\iexplore.exe
CProgram Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
CProgram Files\Internet Explorer\iexplore.exe
CProgram Files\Internet Explorer\iexplore.exe
CProgram Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
CProgram Files\Labtec Wireless Desktop\MagicKey.exe
CProgram Files\Labtec Wireless Desktop\MulMouse.exe
CProgram Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
CProgram Files\Cable & Wireless\Common\C&WConfig.exe
CProgram Files\ArcSoft\TotalMedia\TMMonitor.exe
CProgram Files\Labtec Wireless Desktop\OSD.EXE
CProgram Files\Internet Explorer\iexplore.exe
CProgram Files\Internet Explorer\iexplore.exe
CDOCUME~1\Dad\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swfc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swfc.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O1 - Hosts: 213.222.11.11 auto.search.msn.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - CWINDOWS\bxxs5.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - CProgram Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - CProgram Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {338F3902-B036-09BB-8720-16557BD42C6C} - CWINDOWS\System32\yjgd.dll (file missing)
O2 - BHO: (no name) - {37209260-9DED-3FE7-4867-BFCDB2B053DA} - CWINDOWS\Thazutyb.dll (file missing)
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - CPROGRA~1\orange3\orange3.dll
O2 - BHO: (no name) - {A1D51423-995F-31BE-A40B-E71917AD654F} - CPROGRA~1\SIXTHD~1\2 ace.exe (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - cprogram files\google\googletoolbar2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - CWINDOWS\system32\nvms.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - CProgram Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - CProgram Files\eSyndicate\esyn.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - CWINDOWS\system32\mscb.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - CDocuments and Settings\Dad\Local Settings\Temp\dr6vdr0.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - CWINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - CProgram Files\SEP\sep.dll (file missing)
O3 - Toolbar: Search - {12DD64A6-7167-B9ED-252D-8D9A1A0144EA} - CWINDOWS\Thazutyb.dll (file missing)
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - CPROGRA~1\orange3\orange3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - cprogram files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Supastatus] CProgram Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [MCAgentExe] CProgram Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] CPROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [AVPCC] "CProgram Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
O4 - HKLM\..\Run: [MSZTCE] CWINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [TkBellExe] "CProgram Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AS00_Gear511] CProgram Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [STOPzilla] "CProgram Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE CWINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [CKojEU] Cdocume~1\katy\locals~1\temp\CKojEU.exe
O4 - HKLM\..\Run: [NK9] Cdocume~1\katy\locals~1\temp\NK9.exe
O4 - HKLM\..\Run: [rQC] Cdocume~1\katy\locals~1\temp\rQC.exe
O4 - HKLM\..\Run: [nHbRqxub] Cdocuments and settings\dad\local settings\temp\nHbRqxub.exe
O4 - HKLM\..\Run: [FsMT] Cdocuments and settings\robert\local settings\temp\FsMT.exe
O4 - HKLM\..\Run: [BullsEye Network] CProgram Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [YAr] Cdocuments and settings\robert\local settings\temp\YAr.exe
O4 - HKLM\..\Run: [Modemagsantimove] CDocuments and Settings\All Users\Application Data\City soap mode mags\Locks Live.exe
O4 - HKLM\..\Run: [OZXFXAwM] Cdocuments and settings\katy\local settings\temp\OZXFXAwM.exe
O4 - HKLM\..\Run: [switp] CWINDOWS\Switp_bund_ar3.exe
O4 - HKLM\..\Run: [4HD6lZtA] Cdocuments and settings\robert\local settings\temp\4HD6lZtA.exe
O4 - HKLM\..\Run: [aMpARmmL] Cdocuments and settings\robert\local settings\temp\aMpARmmL.exe
O4 - HKLM\..\Run: [GU1] Cdocuments and settings\katy\local settings\temp\GU1.exe
O4 - HKLM\..\Run: [MZO3] Cdocuments and settings\katy\local settings\temp\MZO3.exe
O4 - HKLM\..\Run: [x] Cdocuments and settings\robert\local settings\temp\x.exe
O4 - HKLM\..\Run: [iLeLbJFP] Cdocuments and settings\robert\local settings\temp\iLeLbJFP.exe
O4 - HKLM\..\Run: [QuickTime Task] "CProgram Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NaviSearch] CProgram Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] CProgram Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [0FnS3mO] txfestrt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Install5G] DInstall.exe
O4 - HKLM\..\Run: [stupid creative poll axis] CDocuments and Settings\All Users\Application Data\Memo save stupid creative\Bolt Dvd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "CProgram Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [GreatDownloads] rundll32.exe CWINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:GreatDownloads:t
O4 - HKCU\..\Run: [HOLE SITE] CDOCUME~1\Dad\APPLIC~1\FACENE~1\Find Exit.exe
O4 - HKCU\..\Run: [swg] CProgram Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - Global Startup: Microsoft Office.lnk = CProgram Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PrecisionTime.lnk = CProgram Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = CProgram Files\Date Manager\DateManager.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = CProgram Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O4 - Global Startup: Cable & Wireless Wireless Utility.lnk = CProgram Files\Cable & Wireless\Common\C&WConfig.exe
O4 - Global Startup: TMMonitor.lnk = CProgram Files\ArcSoft\TotalMedia\TMMonitor.exe
O8 - Extra context menu item: orange search - file://CProgram Files\ORANGE3\Cache\SelectedContextSearch.htm
O9 - Extra button: Erotic - {2648BB17-1868-48d3-9A85-7C77F13A2288} - http://www.erotic.co.uk?ref=9999 (file missing)
O9 - Extra 'Tools' menuitem: Erotic... - {2648BB17-1868-48d3-9A85-7C77F13A2288} - http://www.erotic.co.uk?ref=9999 (file missing)
O9 - Extra button: GreatDownloads - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - CWINDOWS\System32\GreatDownloads (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - CWINDOWS\System32\Shdocvw.dll
O9 - Extra button: IQ Test - {D9FA68E1-AEE2-48d8-B03D-C37DC602554E} - http://www.personaltest.co.uk (file missing)
O9 - Extra 'Tools' menuitem: IQ Test... - {D9FA68E1-AEE2-48d8-B03D-C37DC602554E} - http://www.personaltest.co.uk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - CProgram Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - CProgram Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://gaming.gamesplayground.com/ou.../fullgames.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/...2/ComCtl32.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.eingang69.de/EroticAccess/cabs/1808000.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/Smi...tialSetup1.0.0.6.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binarie...ia32_EN_XP.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/...9105/flash.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...5/mcinsctl.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Ap.../filesharingctrl.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.truprint.co.uk/TruprintUpload.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} - http://plugin.euro-infomedia.com/hipv0.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
O16 - DPF: {FDE6B956-B80A-4578-9A10-4C24609412F1} - http://access.gamezdump.com/output/0.../fullgames.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://69.50.170.35/uk/gvx143u0s14m_wall.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - CProgram Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - CProgram Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /Service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - CProgram Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - CProgram Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe" /Service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - CWINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - CWINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - CPROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Sarah

btw has anyone else had CiD popups and how did you get rid of them?

retired_tanuja

I was going to come in here and say Prevx gest rid of them, but although it does the trick - they've gone and changed their model meaning there's no free way of getting rid of them now without paying £14.50. They used to have a free trial that removed malware for free for 30 days

I guess you'll have to wait until someone with HiJackThis knowledge can come in and help you...

Sarah

ok thanks for trying to help.
Anyone know what I should remove using Hicackthis?

retired_tanuja

Actually I have an idea.

Seeing as Prevx do remove CiD popups, you could run their free scanner (only takes 2 minutes) which will tell you the malicious files for you to delete with HiJackThis.

Jobs a good 'un :thup: