13 February 2009

CiD Popups and Messenger Plus

I'm currently working on getting FreeFixer up and running 100% on Vista. There are still some minor issues that need to be resolved. During my testing on the Vista platform I decided to install Messenger Plus! Live. It is an ad-supported add-on for Microsoft's Windows Live Messenger. The add-on claims more than 400 million downloads!

During the installation of Messenger Plus! Live you can choose to install the sponsor program, which according to the End User License Agreement will show advertising based on the web sites you visit:

THE SPONSOR SOFTWARE, IF INSTALLED, WILL PROVIDE YOU WITH ADDITIONAL CONTENT, PROMOTIONAL OFFERS, ADVERTISEMENTS AND OTHER WEB BROWSER ENHANCEMENTS BASED, IN PART, ON KEYWORDS IN THE WEBSITES YOU VISIT.

A short while after installing the software, I started getting pop-ups. Some of these were labeled "CiD", but many were not:

Screenshot of non-labelled CiD pop-up. Popup shows ad for NetOnNet.

Now, suppose someone else has been using your computer and installed this adware. How do you identify what is causing the pop-ups? And how do you uninstall it? Well, some of the pop-ups have a label saying "CiD". So if you happen to scan through your "c:\Program Files\" folder, you will find a folder called "Circle Development" with a file called uninstall.exe. Great! Problem solved? Well, this is what happens if you run the uninstall.exe file:

Screenshot of useless CiD uninstaller

Bad Elmo? What is that? And what is the parent program? If you configure your system to show hidden files, you will also be able to see a bunch of files located under "C:\ProgramData", with random-looking names like: "Axis clock bleh.mf4ai", "deaf barb dumb.rrmdf3", "htm slow.exe", "Soap Film Heck Global.exe", "File dupe.exe", "Htm Help.exe", "Kind User.exe" and "Once plus.exe".

Let's look at the file properties on the "htm slow.exe" file. The file properties usually display a proper company name and a product description, but the information for "htm slow.exe" is 100% gobbledygook:

Product name: Itcer tetreiss bismurse
Company name: Ters
File description: Lawhowem
Internal name: ledr
Original filename: ledr.exe
Legal copyright: Samivesh athilath dircech insil thasoso.
Product version: 7, 6, 5, 4
File version: 7, 6, 5, 4

So what kind of crap have we got here? Non-labelled popups, a useless uninstaller, randomly named files with useless file properties, placed in a hidden folder. All this bundled with an application with more than 400 million downloads...

So how do you uninstall the adware? Well, if you do figure out that the adware came with Messenger Plus!, it's easy. Just open up the "Add/Remove Programs" dialog, scroll down to "Messenger Plus! and Sponsor" and you're done.

FreeFixer v0.32 log
http://www.freefixer.com/
Operating system: Windows Vista
Log dated 2009-02-11 23:47

Browser Helper Objects
{9030D464-4C02-4ABF-8ECC-5164760863C6}, Windows Live Sign-in Helper, C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

Registry Startups (2 whitelisted)
HKLM\..\Run, VMware Tools = C:\Program Files\VMware\VMware Tools\VMwareTray.exe
HKLM\..\Run, VMware User Process = C:\Program Files\VMware\VMware Tools\VMwareUser.exe
HKCU\..\Run, msnmsgr = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
HKCU\..\Run, RoadSize = "C:\ProgramData\NOUN TIME MEAL.wh93gv"
HKCU\..\Run, eggs joy math type = "C:\ProgramData\DeafAxisAxis.mgbm0p"

Processes (42 whitelisted)
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\FreeFixer\freefixer.exe
C:\ProgramData\JugsBuildType\htm slow.exe

Application modules (61 whitelisted)
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.6000.16386_none_87e0cb09378714f1\COMCTL32.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll

Drivers (39 whitelisted)
Compbatt, Microsoft Composite Battery Driver, C:\Windows\system32\drivers\compbatt.sys
crcdisk, Crcdisk Filter Driver, C:\Windows\system32\drivers\crcdisk.sys
intelide, , C:\Windows\system32\drivers\intelide.sys
LSI_SCSI, , C:\Windows\system32\drivers\lsi_scsi.sys
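The log above shows the two indicators the post relies on: startup entries and processes that run out of the hidden C:\ProgramData folder, some of them with made-up extensions like .wh93gv, and version information that does not match the file it is stamped on (Original filename "ledr.exe" on a file actually stored as "htm slow.exe"). The following script is an added example, not FreeFixer's own code. It assumes the log layout shown above (section headers followed by one entry per line, startup entries as "key, name = value") and uses sample lines constructed from the quoted log and file properties:

```python
"""Triage a FreeFixer-style log for the adware indicators described in
the post: things that launch from C:\\ProgramData, executables with a
non-standard extension, and version info whose OriginalFilename does
not match the name the file is stored under.  Assumed log format only.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample, taken from the FreeFixer v0.32 log quoted in the post.
SAMPLE_LOG = r"""Registry Startups (2 whitelisted)
HKLM\..\Run, VMware Tools = C:\Program Files\VMware\VMware Tools\VMwareTray.exe
HKCU\..\Run, msnmsgr = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
HKCU\..\Run, RoadSize = "C:\ProgramData\NOUN TIME MEAL.wh93gv"
HKCU\..\Run, eggs joy math type = "C:\ProgramData\DeafAxisAxis.mgbm0p"

Processes (42 whitelisted)
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\ProgramData\JugsBuildType\htm slow.exe
"""

# Constructed from the file properties the post quotes for "htm slow.exe".
SAMPLE_VERSION_INFO = {
    "CompanyName": "Ters",
    "FileDescription": "Lawhowem",
    "OriginalFilename": "ledr.exe",
    "ProductName": "Itcer tetreiss bismurse",
}

SECTIONS = ("Browser Helper Objects", "Registry Startups", "Processes",
            "Application modules", "Drivers")
QUOTED = re.compile(r'"([^"]+)"')
EXEC_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}


def parse_log(text):
    """Split the log into {section name: [entry line, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = line.split(" (")[0]          # drop "(N whitelisted)"
        if head in SECTIONS:
            current = head
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def extract_path(section, entry):
    """Pull the file path out of one entry, depending on the section."""
    if section == "Registry Startups":
        _, _, value = entry.partition(" = ")
        quoted = QUOTED.search(value)       # quoted path may carry arguments
        return quoted.group(1) if quoted else value.strip()
    if section in ("Browser Helper Objects", "Drivers"):
        return entry.rsplit(", ", 1)[1]     # "id, description, path"
    return entry                            # bare paths in the other sections


def suspicious_reasons(path):
    """Heuristics from the post; each hit is a pointer, not proof."""
    p = PureWindowsPath(path)
    reasons = []
    if str(p).lower().startswith("c:\\programdata\\"):
        reasons.append("launches from the hidden C:\\ProgramData folder")
    if p.suffix.lower() not in EXEC_EXTS:
        reasons.append(f"non-standard extension {p.suffix!r} on an executed file")
    return reasons


def triage(text):
    """Return (section, path, reasons) for every entry that trips a heuristic."""
    findings = []
    for section, entries in parse_log(text).items():
        for entry in entries:
            path = extract_path(section, entry)
            reasons = suspicious_reasons(path)
            if reasons:
                findings.append((section, path, reasons))
    return findings


def version_info_reasons(on_disk_name, info):
    """Flag version info whose OriginalFilename disagrees with the real name."""
    original = info.get("OriginalFilename", "")
    if original and original.lower() != on_disk_name.lower():
        return [f"OriginalFilename {original!r} does not match {on_disk_name!r}"]
    return []


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {path}")
        for reason in reasons:
            print("   -", reason)
    for reason in version_info_reasons("htm slow.exe", SAMPLE_VERSION_INFO):
        print("[VersionInfo] htm slow.exe\n   -", reason)
```

Run against the sample, the three ProgramData entries are reported and the two Messenger and VMware entries are not. The OriginalFilename mismatch is the weakest of the checks, since legitimate installers occasionally rename binaries, so it is only worth acting on together with the other indicators.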

Comments

Troy Dean Garner writes

-4 thumbs

I have this problem but there is no uninstall in the folder "circle development" in C:. The popups still exist and I have tried Malwarebytes and Ad-Aware. (Norton Antivirus doesn't seem to work either). I found a file named "team 4" that was created at the exact time that I downloaded MSN plus and its properties are nonsense as well. I can't delete it though, because it says it is running. (I also cannot delete the circle development folder even though there is nothing in there.)

To make matters more complicated, I do not have the MSN plus program to uninstall anymore. I uninstalled it, but the virus/malware is still on my computer?!?

# 12 Sep 2009, 11:16

Roger Karlsson writes

-3 thumbs

@Troy: You can give FreeFixer a try. It can delete files even if they are running. More info on FreeFixer is available here:

http://www.freefixer.com/

# 15 Sep 2009, 11:14
