Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Issue With Cid.iepop


  • This topic is locked This topic is locked
2 replies to this topic

#1 danielbispomendonca

danielbispomendonca

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 18 February 2008 - 08:52 AM

Hello everybody , it's my first post here and I'm having a terrible issue with my workstation.

I don't know when or with i get infected but the point is. I'm on a workstation , a work PC and i need it to be healled due that's a lot of information to simple have a format c: done.

I will give you my hijack log , and i guess that my problem is related with a malware named by CID.IEpop ... it's keeps opening a lot of windows and the IExplorer process starts to open randomly in a crazy way , resulting in 100% of CPU usage.

I've already tried to use adware and spybot. the Spybot detected 4 entries of CID.IEpop and removed all of , but the problem stuck to happen.

Thanks a lot for your help !!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37:36, on 15/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwin.cisco.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwwin.cisco.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AeXAgentLogon] C:\PROGRA~1\Altiris\ALTIRI~1\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [CMGShieldUI] C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mpeg heck log link] C:\Documents and Settings\All Users\Application Data\Joy coal mpeg heck\pure glue.exe
O4 - HKCU\..\Run: [DiskCleanup] C:\WINDOWS\CISCO_IT\Scripts\DiskCleanup\DiskCleanup.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BROWSE SETUP] C:\DOCUME~1\psales\APPLIC~1\thisaxis\Extra Memo Blue.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Manage Printers.lnk = C:\Program Files\Cisco Systems\CEPS\AddPrinter.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195859538296
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ciscosales.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\Software\..\Telephony: DomainName = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{19FD98BE-5240-4B9D-9DBF-02CFFD7D5D37}: Domain = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{76862527-6A99-4314-B5C4-583F93726B4B}: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cisco.com
O20 - AppInit_DLLs: AMINIT.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL csauser.dll
O20 - Winlogon Notify: CMGShieldNP - C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
O20 - Winlogon Notify: PAStates - C:\WINDOWS\SYSTEM32\PAStates.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: CEPS Watch - Cisco Systems - C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
O23 - Service: CMGShield - Credant Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
O23 - Service: Cisco Trust Agent EOU Daemon (CtaEoU) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
O23 - Service: Cisco Trust Agent Logger Daemon (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Posture Server Daemon (ctapsd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
O23 - Service: Cisco Systems, Inc. CTA Posture State Daemon (ctatransapt) - Unknown owner - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel« PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Servišo iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Intel« PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel« PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 14226 bytes

Edited by danielbispomendonca, 18 February 2008 - 08:54 AM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:07 PM

Posted 19 February 2008 - 08:56 AM

Hello,

Go to start > controlpanel > software > add/remove programs and look if you have one or more of next programs installed and uninstall them:

Messenger Plus! Live & Sponsor (CiD)
Bitroll
Bitgrabber
Bitdownload
Get-Torrent
CiD Help / CiD Manager
Download Plugin for Internet Explorer
Netpumper
Search Plugin
Torrent101
WinZix
W3player
Zone Media


This because they are bundled with the malware you are dealing with (swizzor aka lop).

This will uninstall the malware application.
In case, during uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window.
In case it says that the file was not found, doublecheck again if you entered the exact command. If still the same, proceed with next steps.


In case you can't find them,

* Go to start > run and copy and paste next command below in the field:
(Please make sure you copy and paste it exactly as you'll find below)

"C:\DOCUME~1\psales\APPLIC~1\thisaxis\Extra Memo Blue.exe" -uninstall

Hit enter.

Then reboot. Important!

After reboot,

* Download Deljob.exe and save it on your desktop.
Doubleclick Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop
Post the contents of the logfile in your next reply together with a new Hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:07 PM

Posted 29 February 2008 - 02:11 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users