TechSpot

CiD: Popup removal help needed.

By RedNylk
May 14, 2007
Topic Status:
Not open for further replies.
  1. Hi, I am new here and hope for some help.

    I am running Sophos Anti-Virus 6.5.5, but currently I am bugged with pop-ups displaying "CiD: something" in the top bar.
    Sophos does not detect any problems.

    I believe the problem started after viewing an .avi file :(

    Any help is greatly appreciated!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of RedNylk only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. RedNylk

    RedNylk TS Rookie Topic Starter

    All steps followed...

    However, it was not possible to boot into safe mode. Every attempt to do so caused the computer to freeze. So step 13 was done in normal mode.

    AVG Antirootkit found no problems.

    The problem with CiD pop-ups persists.

    Any ideas?
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    If you don't use or need this toolbar Macrogaming\SweetIMBarForIE you should uninstall it. Apparently, it's not very highly thought of.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint
    Viewpoint Manager

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    wavetime.exe
    Internet Rect.exe
    ViewMgr.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [Bags Drv Itch Bore] C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv\wavetime.exe

    O4 - HKCU\..\Run: [sixth funk] C:\DOCUME~1\FLK\APPLIC~1\BAGSPR~1\Internet Rect.exe

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN

    O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://130.228.229.80/homeskyline/TEInstall/TE.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\DOCUME~1\FLK\APPLIC~1\BAGSPR~1 <-- Delete the entire folder.
    C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv <-- Delete the entire folder.
    C:\Program Files\Viewpoint <-- Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

     
  5. RedNylk

    RedNylk TS Rookie Topic Starter

    Thanks a million!

    It seems to work perfectly well now.

    You are the best!
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    We're not quite done yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    Compokay.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [Bags Drv Itch Bore] C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv\Compokay.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv <-- Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  7. RedNylk

    RedNylk TS Rookie Topic Starter

    Seems to work, but...

    icons associated to websites are messed up. F.ex. TechSpot appears with AVG's icon. No biggy though...

    What do you think? Are we done now?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Uninstall these programmes from add remove programmes in your control panel.

    Macrogaming
    SweetIMBarForIE

    Then, locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Macrogaming <-- Delete the entire folder.

    Reboot your system.

    Post a fresh HJT log as well as a Combofix log.

    Regards Howard :)

     
  9. RedNylk

    RedNylk TS Rookie Topic Starter

    I have uninstalled SweetIMBarForIE and deleted C:\Program Files\Macrogaming - but I cannot find a program named Macrogaming in the list of installed programs.

    Still reboot and post fresh hjt log?

    Getting late here, will check for answer tomorrow :)
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Yes, reboot and post the requested logfiles and let me know if you're still having any problems.

    Regards Howard :)

     
  11. RedNylk

    RedNylk TS Rookie Topic Starter

    Fresh hjt.log

    All seems fine...
     
     
  12. kitty500cat

    kitty500cat TS Rookie Posts: 2,407   +6

    Your HijackThis log is clean.

    Please post a ComboFix log as per the instructions that Howard gave.

    Regards :)

     
  13. RedNylk

    RedNylk TS Rookie Topic Starter

    Combofix

    Thanks, kitty500cat!
     
  14. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly Momok =)

     
  15. RedNylk

    RedNylk TS Rookie Topic Starter

    Thanks a million to all of you!
     
  16. ekbryant

    ekbryant TS Rookie

    Cid Popup Removal

    Not sure if this will help everyone but I have fixed the CID popup problem on my computer rather easily and by mistake. I was watching my processes on task manager trying to figure this one out and as the CID popup was plastering iexplore.exe's all over the place I noticed that another file had emerged onto the screen before morphing into another iexplore.exe file. I only got a split second glimpse of a file that looked something like pl#$%.exe. I did a file search on my computer for all exe files starting with "PL" (pl*.exe). Found nothing at first and realized that I didn't have hidden files/folders checked. Started it again and found this particular file "plan real.exe". It was located at C:\Documents and Settings\All Users\Application Data\Dumb Pure Blind Support\Plan Real.exe.
    I opened up regseeker v1.45 and went into startup entries and deleted the line item for this file, restarted the computer, surfed the internet without popups.
    I then went to the Dumb Pure Blind Support folder and executed the Plan Real file just to make sure and the popups started again. Restarted the computer and deleted the folder and file. All appears to be in order.
    I hope this is the answer for everyone.....I just got lucky.
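
Added example, not part of any post in this thread and not HijackThis's own logic: a small triage script for the kind of HJT log lines Howard lists for fixing, and for the startup entry ekbryant found under All Users\Application Data. The three rules (autorun launching from Application Data, BHO with no file, ActiveX download from a bare IP address) are assumptions chosen for this example, and the lines marked as constructed do not come from the thread.

```python
import re

# Triage rules below are assumptions made for this example, not HijackThis logic.
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}).* - (?P<url>https?://\S+)$")
# Long and 8.3 short spellings of the XP "Application Data" directory.
APPDATA_RE = re.compile(r"\\(?:Application Data|APPLIC~\d)\\", re.IGNORECASE)
RAW_IP_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[:/]")

def triage(line):
    """Return a reason string if the HJT line deserves a closer look, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m and APPDATA_RE.search(m.group("path")):
        return "autorun '%s' launches from Application Data" % m.group("name")
    m = O2_RE.match(line)
    if m and m.group("file") == "(no file)":
        return "BHO %s has no file on disk" % m.group("clsid")
    m = O16_RE.match(line)
    if m and RAW_IP_RE.match(m.group("url")):
        return "ActiveX download source is a bare IP address"
    return None

def flagged(lines):
    """Return (line, reason) pairs for every line that triage() flags."""
    return [(l.strip(), r) for l in lines for r in [triage(l)] if r]

SAMPLE = [
    # Copied from the HJT entries quoted in the thread:
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [Bags Drv Itch Bore] C:\Documents and Settings\All Users\Application Data\wmafilebagsdrv\wavetime.exe",
    r"O4 - HKCU\..\Run: [sixth funk] C:\DOCUME~1\FLK\APPLIC~1\BAGSPR~1\Internet Rect.exe",
    # Constructed for this example (entry names, CLSID and URL are placeholders):
    r"O4 - HKLM\..\Run: [placeholder name] C:\Documents and Settings\All Users\Application Data\Dumb Pure Blind Support\Plan Real.exe",
    r"O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe",
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example) - http://192.0.2.10/example.cab",
]

if __name__ == "__main__":
    for line, reason in flagged(SAMPLE):
        print(reason, "<-", line)
```

A flagged line is only a prompt to inspect the file and its origin; legitimate software also installs under Application Data, so the output is a shortlist, not a verdict.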
     