What is CiD Popup

Posted on 19 August 2007 under Trojans and viruses

1. What is CiD Popup?

CiD Popup, also known as CiD Help or CiD Manager, is displayed by an Internet Explorer hijacker that opens an annoying popup window every few minutes. CiD popups occur constantly every time IE starts. All the popup windows have the word CiD on the left side of the title bar. They link to a variety of different advertisement sites, most of them gambling or adult-content related.

Manual removal of CiD Popup can be complicated because the hijacker creates files with random names, which makes them difficult to delete. Using an automatic removal tool is recommended.


2. How to remove CiD Popup:

  1. The Internet connection might be disabled or the Internet browser might be blocked by CiD Popup, so it may not be possible to download files to the infected computer. In this case, download all files required for CiD Popup removal to another computer and then transfer them to the infected one using a CD/DVD or USB flash drive.
  2. To remove CiD Popup, download Spyware Doctor and install the program. Before installation, make sure all other programs and windows are closed.
  3. After the installation, a computer scan should start automatically. If so, move to the next step. If not, click "Status" in the left-side menu and press the "Scan Now" button to run the scanner.
  4. After the scan has completed and the scan results have been generated, press the "Fix Checked" button to remove CiD Popup.
  5. Restart the computer to complete the CiD Popup removal procedure.

3. CiD Popup files:

Randomly named .exe files under these directories:
C:\Documents and Settings\All Users\Application Data\[Random dir]\
C:\DOCUME~1\[Username]\APPLIC~1\[Random dir]\

4. HijackThis entries:

O4 - HKLM\..\Run: [DEAD BOWS SIGN SETTINGS] C:\Documents and Settings\All Users\Application Data\Extraonlinedeadbows\Slow dale.exe
O4 - HKLM\..\Run: [DEAD BOWS SIGN SETTINGS] C:\Documents and Settings\All Users\Application Data\Extraonlinedeadbows\FilmKeep.exe
O4 - HKLM\..\Run: [CHIN PING PHONE PILE] C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\LOUD WMA.exe
O4 - HKLM\..\Run: [Sectmailfordtest] C:\Documents and Settings\All Users\Application Data\CakeSafeSectMail\64info.exe
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\Multi Error.exe
O4 - HKCU\..\Run: [COOL SHIM] C:\DOCUME~1\ADMINI~1\APPLIC~1\BLEHFA~1\link dead wma.exe
O4 - HKCU\..\Run: [SoftSpam] C:\DOCUME~1\Kaylie\APPLIC~1\MPEGSL~1\SENDMFCD.exe
O4 - HKCU\..\Run: [Eqkind] C:\DOCUME~1\RAHULS~1\APPLIC~1\BAGSBE~1\findbore2.exe
O4 - HKCU\..\Run: [DATEFUNK] C:\DOCUME~1\joe\APPLIC~1\CASHSH~1\CityLoveRoad.exe
O4 - HKLM\..\Run: [MATH DOES FIRST MODE] C:\Documents and Settings\All Users\Application Data\live 64 math does\Bin Mpeg.exe
O4 - HKCU\..\Run: [book ante] C:\DOCUME~1\ryka\APPLIC~1\ELSEPL~1\AXISNEW.exe
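
Because the value names and folder names are random, matching on exact names does not generalize; what the entries above share is a Run value that launches an .exe from a single subdirectory of an Application Data folder. The following is an added example, not part of the original page or of HijackThis: it scans a HijackThis log for O4 Run entries of that shape and returns them for review (legitimate software can also start from Application Data, so a hit is a lead, not a verdict). The function name and the ExampleUpdater and BHO sample lines are constructed; the two flagged sample lines are taken from the list above.

```python
import re
from typing import List, NamedTuple

# HijackThis O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable path at the start of the command, optionally quoted; may contain spaces.
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)(?=["\s]|$)', re.IGNORECASE)
# .exe sitting directly in one subdirectory of Application Data,
# in long form or 8.3 short form (APPLIC~1), as in the entries on this page.
APPDATA_EXE = re.compile(
    r"\\(?:Application Data|APPLIC~\d)\\(?P<dir>[^\\]+)\\[^\\]+\.exe$",
    re.IGNORECASE)

class Hit(NamedTuple):
    hive: str        # HKLM or HKCU
    value_name: str  # name of the Run value
    path: str        # executable path without quotes or arguments
    folder: str      # subdirectory of Application Data holding the .exe

def suspicious_run_entries(log_text: str) -> List[Hit]:
    """Return O4 Run entries whose target is <Application Data>\\<dir>\\<file>.exe."""
    hits = []
    for line in log_text.splitlines():
        entry = O4_RUN.match(line.strip())
        if not entry:
            continue  # not a Run-key autostart line
        exe = EXE_PATH.match(entry.group("cmd"))
        if not exe:
            continue  # command does not start with a drive-rooted .exe path
        location = APPDATA_EXE.search(exe.group("path"))
        if location:
            hits.append(Hit(entry.group("hive"), entry.group("name"),
                            exe.group("path"), location.group("dir")))
    return hits

# Sample log: first two lines are constructed, last two come from the list above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKLM\..\Run: [Sectmailfordtest] C:\Documents and Settings\All Users\Application Data\CakeSafeSectMail\64info.exe
O4 - HKCU\..\Run: [SoftSpam] C:\DOCUME~1\Kaylie\APPLIC~1\MPEGSL~1\SENDMFCD.exe
"""

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_LOG):
        print(f"{hit.hive} Run [{hit.value_name}] -> {hit.path}")
```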