CiD popup

By hussein500
Dec 6, 2009
Topic Status:
Not open for further replies.
  1. CiD popup 8-Step completed Please Help

    Hi there guys

    well i have been really fed up with CiD popups , more over i am having a problem that when i try to install some new softwares it requires me to shut down all my windows , internet explorer shows its on but its not i belive its from the CiD popup itself as i have never been into this kind of problem here is my Hijackthis log file please help me in this problem thanks alot :D

    i have done the 8 - Steps and here r the log files the popup still active
  2. hussein500

    hussein500 Newcomer, in training Topic Starter

    any help from you guys
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I would like to first welcome you to TechSpot and tell you that I will help with the malware.

    But please4 understand this right up front: Everyone wants their problem handled NOW. The problem is that there are more of "you" than there are of "us". A look down the threads should make that clear.

    So patience is required. Some of us don't spend all weekend fixing other people's problems- we work on our own. Yesterday was Sunday.

    Your host files have been hijacked and you most probably have a LOP infection:
    It is best to disable the antivirus and malware programs for the scan; you'll re-enable them after the scan

    Download Lop S&D and save to your desktop.


    • [1] Double-click Lop S&D.exe
      [2] Choose the language, then choose Option 2 (Fix + Hosts)
      [3] Wait till the end of the scan
      [4] Attach the log which is created: (%SystemDrive%\lopR.txt)

    For uninstall list:

    Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

    C:\Qoobox\Add-Remove Programs.txt

    A report should pop open for you. Please post the contents in your next reply.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with rescan of HijackThis.

    Attach all reports and logs in your next reply. It will most likely be tomorrow before I can get back to you.
  4. hussein500

    hussein500 Newcomer, in training Topic Starter

    hi bobbye,

    well the thing was i got into a hurry cause this malware or spyware , has stopped me from installing new programs that needed to close internet explorer, and i had a deadline which i was working on it on my laptop which is hell of headahe i need large screen for these softwares , so i appologize for the stress from 2 weeks i am looking for a solution nothin came up unless now you the man of the show to help me out :D thanks for the helpy buddy :D

    here r the Log Files u requested
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    C:\DOCUME~1\hussein\LOCALS~1\Temp\Rar$EX00.453\HijackThis.exe

    You are currently using HijackThis from a temporary directory, this can cause problems.[/B]
    HijackThis creates backups, these are needed in case of any recovery issues.

    Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

    STEPS For Creating Folder

    1. 1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

      2. Download HijackThis to the new folder:

      3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

      4. Close ALL windows except HJT

      5. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

      6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')
    Please make sure you post the entire log including the top portion:

    DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

    Have the pop-ups improved? I don't want to remove any entries in HJT until you get it moved as instructed above.

    The only exceptions would be:
    P2P or 'file sharing Warning:

    I notice you have both BitTorrent and Limewire on the system and that you are currently using both. As long as you continue doing that, you will get malware.

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitTorrent and Limewire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
    • Malware writers use these program to include malicious content.
    • Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    You are also showing this proxy server:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080

    Did you set this up or is it your ISP?

    Once you have moved the HijackThis program and log as instructed, I will have you remove some entries.
  6. hussein500

    hussein500 Newcomer, in training Topic Starter

    hi there,

    well for :: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080

    this is my ISP proxy without it i cant access internet well i can but if i dont add it they will close my internet account , any how for the bittorent and limewire i am using these programs to transfer work documents to my co-workers thats the only thing i dont download programs or illegal stuff ,

    my popups are gone and i was able to install my programs which you saved my time as well my comfort which i really appreciate , for the log file i have add it as attachment in Notpad coz i cant Paste it many charachters , looking forward for more help thanks alot buddy :D
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    This is of concern to me:

    Looks like a user agent string here.

    O4 - HKCU\..\: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; OfficeLivePatch.1.3; MSN Optimized;US)" -"http://virtualtransport.rta.ae/VirtualTour/login.asp"

    Some type of user agent string- possibly web crawler or bot.
    • Shockwave Updater
    • Adobe
    • Mozilla compatible
    • MSIE 7.0
    • Windows NT 5.1;
    • Trident/4.0
    • MSIE 7.0; Windows NT 5.1;
    • MSIE 6.0; Windows NT 5.1; SV1
    • .NET CLR 1.1.4322;
    • .NET CLR 2.0.50727
    • InfoPath.1;
    • .NET CLR 3.0.4506.2152; .
    • .NET CLR 3.5.30729
    • OfficeLiveConnector.1.4
    • OfficeLivePatch.1.3;
    • MSN Optimized;US)"
    • "http://virtualtransport.rta.ae/VirtualTour/login.asp"[/b]

    What are you doing with this? How is it being used?

    You should run an online antivirus scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please leave the log from the scan in your next reply.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.