CiD: Popup removal help needed.

Status
Not open for further replies.

RedNylk

Hi, I am new here and hope for some help.

I am running Sophos Anti-Virus 6.5.5, but currently I am bugged with pop-ups displaying "CiD: something" in the top bar.
Sophos does not detect any problems.

I believe the problem started after viewing an .avi file :(

Any help is greatly appreciated!
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of RedNylk only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
All steps followed...

However, it was not possible to boot into safe mode. Every attempt to do so caused the computer to freeze. So step 13 was done in normal mode.

AVG Antirootkit found no problems.

The problem with CiD pop-ups persists.

Any ideas?
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

If you don't use or need this toolbar Macrogaming\SweetIMBarForIE you should uninstall it. Apparently, it's not very highly thought of.

Go to add remove programmes in your control panel and uninstall anything to do with (if there):

Viewpoint
Viewpoint Manager

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

wavetime.exe
Internet Rect.exe
ViewMgr.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Bags Drv Itch Bore] C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv\wavetime.exe

O4 - HKCU\..\Run: [sixth funk] C:\DOCUME~1\FLK\APPLIC~1\BAGSPR~1\Internet Rect.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN

O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://130.228.229.80/homeskyline/TEInstall/TE.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\DOCUME~1\FLK\APPLIC~1\BAGSPR~1 <Delete the entire folder.
C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv <Delete the entire folder.
C:\Program Files\Viewpoint <Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

 
We're not quite done yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

Compokay.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [Bags Drv Itch Bore] C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv\Compokay.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv <Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Seems to work, but...

icons associated with websites are messed up. F.ex. TechSpot appears with AVG's icon. No biggy though...

What do you think? Are we done now?
 
Uninstall these programmes from add remove programmes in your control panel.

Macrogaming
SweetIMBarForIE

Then, locate and delete the following bold files and/or directories (if there).

C:\Program Files\Macrogaming <Delete the entire folder.

Reboot your system.

Post a fresh HJT log as well as a Combofix log.

Regards Howard :)

 
I have uninstalled SweetIMBarForIE and deleted C:\Program Files\Macrogaming - but I cannot find a program named Macrogaming in the list of installed programs.

Still reboot and post fresh hjt log?

Getting late here, will check for answer tomorrow :)
 
Yes, reboot and post the requested logfiles and let me know if you're still having any problems.

Regards Howard :)

 
Your HijackThis log is clean.

Please post a ComboFix log as per the instructions that Howard gave.

Regards :)

 
Hi,

Your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly Momok =)

 
Cid Popup Removal

Not sure if this will help everyone but I have fixed the CID popup problem on my computer rather easily and by mistake. I was watching my processes on task manager trying to figure this one out and as the CID popup was plastering iexplore.exe's all over the place I noticed that another file had emerged onto the screen before morphing into another iexplore.exe file. I only got a split second glimpse of a file that looked something like pl#$%.exe. I did a file search on my computer for all exe files starting with "PL" (pl*.exe). Found nothing at first and realized that I didn't have hidden files/folders checked. Started it again and found this particular file "plan real.exe". It was located at C:\Documents and Settings\All Users\Application Data\Dumb Pure Blind Support\Plan Real.exe.
I opened up regseeker v1.45 and went into startup entries and deleted the line item for this file, restarted the computer, surfed the internet without popups.
I then went to the Dumb Pure Blind Support folder and executed the Plan Real file just to make sure and the popups started again. Restarted the computer and deleted the folder and file. All appears to be in order.
I hope this is the answer for everyone.....I just got lucky.
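
Added example (not part of any post in this thread, and not HijackThis's own logic): a Python triage of HijackThis log lines using three heuristics that are assumptions drawn from the entries fixed earlier in the thread, namely a BHO with no file, a Run entry launching from Application Data (the same kind of location as the startup entry found in the last post), and an ActiveX download from a bare IP address. The first four sample lines are quoted from the thread; the last two are constructed benign entries.

```python
import re
from urllib.parse import urlparse

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<path>.+)$")
# Long name and 8.3 short name of the Application Data directory
APPDATA = re.compile(r"\\(?:Application Data|APPLIC~\d)\\", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def triage(line):
    """Return a reason string if the entry deserves manual review, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O2" and rest.endswith("(no file)"):
        return "BHO registered but its file is missing"
    if section == "O4":
        run = RUN.match(rest)
        if run and APPDATA.search(run["path"]):
            return "autorun executable under Application Data"
    if section == "O16":
        # The download URL is the last " - " separated field of a DPF entry
        host = urlparse(rest.rsplit(" - ", 1)[-1]).hostname or ""
        if IPV4.match(host):
            return "ActiveX control downloaded from a bare IP address"
    return None

# First four lines are quoted from the thread; the last two are constructed.
SAMPLE = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [Bags Drv Itch Bore] C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv\wavetime.exe",
    r"O4 - HKCU\..\Run: [sixth funk] C:\DOCUME~1\FLK\APPLIC~1\BAGSPR~1\Internet Rect.exe",
    r"O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://130.228.229.80/homeskyline/TEInstall/TE.cab",
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\ExampleVendor\tray.exe",
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example) - http://downloads.example.com/control.cab",
]

def review(lines):
    """Return (line, reason) pairs for every entry a heuristic flags."""
    return [(line, reason) for line in lines if (reason := triage(line))]

if __name__ == "__main__":
    for line, reason in review(SAMPLE):
        print(f"{reason}: {line}")
```

A hit is a prompt for manual review rather than a verdict, since legitimate software can also autostart from Application Data.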
 