CiD

Status
Not open for further replies.

kevmckeown

Posts: 8   +0
Hi Folks - I'm a "posting virgin", so please be gentle!!
Google search led me here, as I have a problem with CiD pop-ups appearing on my PC, despite running the latest McAfee and supposedly blocking pop-ups. The post I was led to by Google suggested ControlPanel/AddRemoveProgs/CiD Help, but when I try this, a message tells me it's already been removed and asks do I want to delete it from the list of programs. Any help would be greatly appreciated. Think this CiD appeared via mininova download!
 
Hello kevmckeown and welcome to TechSpot.

Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

If you decide to clean your system after reading the above thread, do the following.

Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

Regards :)

This thread is for the use of kevmckeown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Cleanup results

Hi folks

Well, after a long and protracted 5 day process, here are the results of my log files. I hope someone else can make sense of them, as they're complete gobble-de-**** to me!!
One interesting item removed during cleanup was "WinZix". This was a tool I was instructed to download to access my 'mininova download'. It was described as a much better compression tool than WinZip - was I gullible or what!

Anyway, I've been online for 6 minutes now and as yet no "CiD" popups. Really hope it's gone, but look forward to getting the all clear from you all

Thanks a million!!

Kev
 
Hi,

You have not posted your ComboFix log file. It can be located in your C:\ folder.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

POLL LICENSE
obj peak htm film


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O4 - HKLM\..\Run: [obj peak htm film] C:\Documents and Settings\All Users\Application Data\Wmaflapobjpeak\Global exit.exe

O4 - HKCU\..\Run: [POLL LICENSE] C:\DOCUME~1\Kevin\APPLIC~1\MODEIN~1\bold creative body.exe

O4 - Global Startup: Image Transfer.lnk = ?

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\Documents and Settings\All Users\Application Data\Wmaflapobjpeak\
C:\DOCUME~1\Kevin\APPLIC~1\MODEIN~1

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

 
I got the same problem... just go in search, type CiD and you will see an application file called CID or something like that, can't remember. Just delete it with some other text file which has the same name CID. Then use Spyware Doctor, it's an awesome program, clears out all the spyware, trojans, and viruses.
 
CTech: Cleaning out a system of malware usually takes way more than just that, as you can see from my instructions to kevmckeown. Often times the CiD infections come hand in hand with other malware infections.

I would suggest that you go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given to have your system checked thoroughly for residual infections. Then start a new thread and post the requested logs for a quick check.


Regards,
Your friendly momok =)

 
Glad to help. Do follow through the steps I gave you first and post the required logs together in your next reply.


Regards,
Your friendly momok =)

 
Revised Cleanup Logs

Hi Momok

Attached are the logs you requested.

When I ran services.msc I was unable to find 'POLL LICENSE' or 'obj peak htm film', but everything else seemed to go as planned.

Looking forward to your diagnosis! Thanking you in anticipation,

Kev
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Windows Firewall

Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

svchost.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe

Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\UNNMP.exe
C:\WINDOWS\SYSTEM32\fnmode.sys
C:\WINDOWS\System32\drivers\svchost.exe

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

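An added example, not part of the original posts and not HijackThis's own logic: a small triage pass over the O4 autostart lines quoted in the two instruction posts above, flagging the same traits visible in them (a system binary name running from outside System32, an autostart launched from Application Data, and a startup shortcut with no resolvable target). The heuristics and the short list of system binary names are assumptions, and the `ExampleUpdater` entry is constructed for contrast.

```python
import ntpath
import re

# O4 lines as posted in the thread, plus one constructed benign entry for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [obj peak htm film] C:\Documents and Settings\All Users\Application Data\Wmaflapobjpeak\Global exit.exe
O4 - HKCU\..\Run: [POLL LICENSE] C:\DOCUME~1\Kevin\APPLIC~1\MODEIN~1\bold creative body.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (Global )?Startup: (.+?) = (.*)$")

# Genuine Windows binaries that live directly in System32 (assumed short list).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
USER_WRITABLE = ("\\application data\\", "\\applic~1\\")  # long and 8.3 forms


def triage(line):
    """Return (entry name, list of reasons) for one O4 line, or None if not O4."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        name, target = m.group(3), m.group(4)
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return None
        name, target = m.group(2), m.group(3)
    reasons = []
    lowered = target.lower()
    if target.strip() in ("", "?"):
        reasons.append("startup target could not be resolved")
    directory, image = ntpath.split(lowered)
    if image in SYSTEM32_ONLY and not directory.endswith("\\system32"):
        reasons.append("system binary name outside System32")
    if any(part in lowered for part in USER_WRITABLE):
        reasons.append("autostart from Application Data")
    return name, reasons


def triage_log(text):
    """Map each flagged O4 entry name to the reasons it was flagged."""
    results = [triage(l) for l in text.splitlines()]
    return {name: reasons for name, reasons in filter(None, results) if reasons}
```

A flag here only marks an entry for a closer look by someone reading the full log; it is not a verdict that the file is malicious.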
 
Further revised cleanup logs

Hi Momok

Completed your instructions, but not without incident! The process "svchost.exe" was running 3 times. First one deleted OK, but on deleting the second I got an error message stating "RPC had terminated unexpectedly" and this initiated a reboot in safe mode.

It took several attempts but I managed to delete each of the specified files in Windows Explorer, and I've attached the new logs for your attention.

Should I be worried?!?

Thanks

Kev
 
Hi,

No worries about that.
Your logs look clean now. =)

Delete all files in AVG Antispyware Quarantine and C:\VundoFix Backups folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

 