Hi,
I am having a problem with some persistent spyware and was wondering if anyone could help me out. I was trying to load a shareware game, but it loaded spyware instead.
My current symptoms are:
1) On normal bootup, the dialup connection dialog box keeps popping up.
2) On normal bootup, keep getting McAfee warning popups (program trying to access the internet). These junk .exe files keep appearing in the c:\documents and settings\me\local settings\temp directory.
-----
I turned system restore off, rebooted into safe mode and ran the following:
Spybot - clean
Adaware - cookie me@tribalfusion.com found
Adaware VX2 cleaner - clean
Counterspy - cookie centrport.net found
Trojan Hunter - clean
Cwshredder - clean
-----
However, rebooting back into normal mode, I ran the following:
Spybot - ISearch Tech. Power Scan found
Adaware - cookie me@tribalfusion.com found, DyFuCA found
Adaware VX2 cleaner - clean
Counterspy - IST Power Scan found, IST SlotchBar found
Trojan Hunter - originally found and cleaned about 12 dialer programs, now clean
Cwshredder - clean
-----
Running all the above programs in safe mode, I rebooted into normal mode and ran the HiJackThis program and the KRC HijackThis Analyzer. Here is a copy of the log file:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 12:10:38 PM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\vlntbk.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\System\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\system\qt\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fPb7PjD] C:\WINDOWS\vlntbk.exe
O4 - HKLM\..\Run: [sunasDTServ] E:\Temp\CSpy\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] E:\Temp\CSpy\sunasServ.exe
O4 - HKLM\..\Run: [Á³# K"h'þ9Óœ÷3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\vlntbk.exe
O4 - HKLM\..\Run: [THGuard] "E:\TrojanHunter 4.2\THGuard.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\System\AIM\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16b7b2f78ae95ff...p/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://support.vugames.com/betasubmi...sysinfo/Si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
End of KRC HijackThis Analyzer Log.
====================================================================
If someone knows of a fix for this problem, I would greatly appreciate it. Thanks for taking the time to look at this.