CiD Virus help - Hijack scan posted.

By Xander667
Dec 20, 2007
  1. Howdy y'all back again with another virus o.O

    Here is the scan;

    Basically I get frustrating Internet Explorer pop-ups on regular basis and in the top left corner it says, "CiD". Can anyone help?

    -Thanks kindly.
  2. songster

    songster TS Rookie

    Go to Add/Remove Programs in your Windows Control Panel and click Remove on:

    Messenger Plus! Live & Sponsor (CiD) (if you got Lop through a Messenger Plus! installation)

    You'll be asked if you want to uninstall the full program or just the sponsor program (CiD).

    Choose the sponsor program only if you want to just remove the adware. Alternatively, if you want to stick two fingers up to the developer of Messenger Plus and completely withdraw your support for a program that includes a Trojan by default, uninstall both!!

    Go to and add "/nolop/NoLop.exe" after the address. Download NoLop.exe. (sorry .... I can't post the link as this is only my first post).

    Save anything you are working on and prepare for a possible reboot …..

    Run nolop.exe…..

    Click the button "search and destroy"…..

    When it's done it will prompt you to reboot if you are infected …..

    Click the "reboot" button.

    Post the log which is saved to c:\nolop.log.

  3. baros1954

    baros1954 Banned Posts: 37

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Print Spooler Service (earoryyebbe1zu)

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    once byte.exe
    Nurb Sign.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [memo site kind that] C:\Documents and Settings\All Users\Application Data\Grid Blue Memo Site\once byte.exe

    O4 - HKCU\..\Run: [DupeList] C:\DOCUME~1\David\APPLIC~1\JOYMUL~1\Nurb Sign.exe

    O23 - Service: Print Spooler Service (earoryyebbe1zu) - Unknown owner - C:\WINDOWS\system32\z.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\Documents and Settings\All Users\Application Data\Grid Blue Memo Site

    Reboot into normal mode and rehide your protected OS files.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Combofix will automatically save the log file to C:\combofix.txt

    Post a fresh HJT log as well as the Combofix log.

    This thread is for the use of Xander667 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...