TechSpot

CiD

By kevmckeown
May 29, 2007
  1. Hi Folks - I'm a "posting virgin", so please be gentle!!
    Google search led me here, as I have a problem with CiD pop-ups appearing on my PC, despite running latest McAfee and supposedly blocking pop-ups. The post I was led to by Google suggested ControlPanel/AddRemoveProgs/CiD Help, but when I try this, a message tells me it's already been removed and asks whether I want to delete it from the list of programs. Any help would be greatly appreciated. Think this CiD appeared via mininova download!
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello kevmckeown and welcome to TechSpot.

    Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

    If you decide to clean your system after reading the above thread, do the following.

    Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

    Regards :)

    This thread is for the use of kevmckeown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. kevmckeown

    kevmckeown TS Rookie Topic Starter

    Cleanup results

    Hi folks

    Well, after a long and protracted 5 day process, here are the results of my log files. I hope someone else can make sense of them, as they're complete gobble-de-**** to me!!
    One interesting item removed during cleanup was "WinZix". This was a tool I was instructed to download to access my 'mininova download'. It was described as a much better compression tool than WinZip - was I gullible or what!

    Anyway, I've been online for 6 minutes now and as yet no "CiD" popups. Really hope it's gone, but look forward to getting the all clear from you all

    Thanks a million!!

    Kev
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You have not posted your ComboFix log file. It can be located in your C:\ folder.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    POLL LICENSE
    obj peak htm film


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O4 - HKLM\..\Run: [obj peak htm film] C:\Documents and Settings\All Users\Application Data\Wmaflapobjpeak\Global exit.exe

    O4 - HKCU\..\Run: [POLL LICENSE] C:\DOCUME~1\Kevin\APPLIC~1\MODEIN~1\bold creative body.exe

    O4 - Global Startup: Image Transfer.lnk = ?

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\Documents and Settings\All Users\Application Data\Wmaflapobjpeak\
    C:\DOCUME~1\Kevin\APPLIC~1\MODEIN~1

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of kevmckeown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. CTech

    CTech TS Rookie

    I got the same problem... Just go in search, type CiD and you will see an application file called CID or something like that, can't remember. Just delete it with some other text file which has the same name CID. Then use Spyware Doctor, it's an awesome program, clears out all the spyware, trojans, and viruses.
     
  6. momok

    momok TS Rookie Posts: 2,265

    CTech: Cleaning out a system of malware usually takes way more than just that, as you can see from my instructions to kevmckeown. Often times the CiD infections come hand in hand with other malware infections.

    I would suggest that you go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given to have your system checked thoroughly for residual infections. Then start a new thread and post the requested logs for a quick check.


    Regards,
    Your friendly momok =)

    This thread is for the use of kevmckeown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. kevmckeown

    kevmckeown TS Rookie Topic Starter

    Thanks guys,
    Will repost combofix log ASAP.

    Kev
     
  8. momok

    momok TS Rookie Posts: 2,265

    Glad to help. Do follow through the steps I gave you first and post the required logs together in your next reply.


    Regards,
    Your friendly momok =)

    This thread is for the use of kevmckeown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. kevmckeown

    kevmckeown TS Rookie Topic Starter

    Revised Cleanup Logs

    Hi Momok

    Attached are the logs you requested.

    When I ran services.msc I was unable to find 'POLL LICENSE' or 'obj peak htm film', but everything else seemed to go as planned.

    Looking forward to your diagnosis! Thanking you in anticipation,

    Kev
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Windows Firewall

    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    svchost.exe

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\UNNMP.exe
    C:\WINDOWS\SYSTEM32\fnmode.sys
    C:\WINDOWS\System32\drivers\svchost.exe

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, and ComboFix logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of kevmckeown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
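
The O4 entries quoted in posts 4 and 10 share two traits that can be checked mechanically: a `svchost.exe` autorun that sits in `System32\drivers` rather than `System32`, and autoruns launched from Application Data folders. The following is an added example, not part of any post in this thread and not HijackThis's own code: a Python triage of those lines, where the `ExampleUpdater` entry, the `SYSTEM_IMAGES` table and the `C:\WINDOWS` system root are assumptions.

```python
import re
from ntpath import basename, dirname, normcase

# O4 autorun lines quoted in the thread, plus one constructed benign entry
# (ExampleUpdater) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [obj peak htm film] C:\Documents and Settings\All Users\Application Data\Wmaflapobjpeak\Global exit.exe
O4 - HKCU\..\Run: [POLL LICENSE] C:\DOCUME~1\Kevin\APPLIC~1\MODEIN~1\bold creative body.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

O4_RUN = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run\w*: \[(.*?)\] (.+)$")
EXE = re.compile(r"(?i)(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)")

# Assumption: system root is C:\WINDOWS. Expected home of well-known images.
SYSTEM_IMAGES = {name: r"c:\windows\system32" for name in
                 ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe")}
SYSTEM_IMAGES["explorer.exe"] = r"c:\windows"
# Per-user or all-users data directories (long and 8.3 short form).
PROFILE_DIRS = ("\\application data\\", "\\applic~1\\")

def image_path(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):          # "C:\path with spaces\x.exe" /args
        return command[1:].split('"', 1)[0]
    m = EXE.match(command)               # unquoted: cut after the extension
    return m.group(1) if m else command

def review(log_text):
    """Return (hive, value name, path, reasons) for suspicious Run entries."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue                     # not a registry Run-key O4 line
        hive, name, command = m.groups()
        path = normcase(image_path(command))
        reasons = []
        expected = SYSTEM_IMAGES.get(basename(path))
        if expected and dirname(path) != expected:
            reasons.append("system image name outside " + expected)
        if any(d in path for d in PROFILE_DIRS):
            reasons.append("autorun from an application-data directory")
        if reasons:
            findings.append((hive, name, path, reasons))
    return findings

if __name__ == "__main__":
    for hive, name, path, reasons in review(SAMPLE_LOG):
        print(f"{hive} [{name}] {path}: {'; '.join(reasons)}")
```

A hit is a lead for a helper reading the full log, not a verdict; legitimate software also starts from Application Data.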
     
  11. kevmckeown

    kevmckeown TS Rookie Topic Starter

    Further revised cleanup logs

    Hi Momok

    Completed your instructions, but not without incident! The process "svchost.exe" was running 3 times. First one deleted OK, but on deleting the second I got an error message stating "RPC had terminated unexpectedly" and this initiated a reboot in safe mode.

    It took several attempts but I managed to delete each of the specified files in Windows Explorer, and I've attached the new logs for your attention.

    Should I be worried?!?

    Thanks

    Kev
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    No worries about that.
    Your logs look clean now. =)

    Delete all files in AVG Antispyware Quarantine and C:\VundoFix Backups folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of kevmckeown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
