Old 04-16-2005, 10:23 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 4
OS: Win XP


Spyware keeps getting reloaded

Hi,
I am having a problem with some persistent spyware and was wondering if anyone could help me out. I was trying to load a shareware game, but it loaded spyware instead.

My current symptoms are:
1) On normal bootup, the dialup connection dialog box keeps popping up.
2) On normal bootup, keep getting McAfee warning popups (program trying to access the internet). These junk .exe files keep appearing in the c:\documents and settings\me\local settings\temp directory.

-----
I turned system restore off, rebooted into safe mode and ran the following:

Spybot - clean
Adaware - cookie me@tribalfusion.com found
Adaware VX2 cleaner - clean
Counterspy - cookie centrport.net found
Trojan Hunter - clean
Cwshredder - clean

-----
However, rebooting back into normal mode, I ran the following:

Spybot - ISearch Tech. Power Scan found
Adaware - cookie me@tribalfusion.com found, DyFuCA found
Adaware VX2 cleaner - clean
Counterspy - IST Power Scan found, IST SlotchBar found
Trojan Hunter - originally found and cleaned about 12 dialer programs, now clean
Cwshredder - clean

-----
Running all the above programs in safe mode, I rebooted into normal mode and ran the HiJackThis program and the KRC HijackThis Analyzer. Here is a copy of the log file:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:10:38 PM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\vlntbk.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\System\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\system\qt\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fPb7PjD] C:\WINDOWS\vlntbk.exe
O4 - HKLM\..\Run: [sunasDTServ] E:\Temp\CSpy\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] E:\Temp\CSpy\sunasServ.exe
O4 - HKLM\..\Run: [Á³# K"h'þ9Óœ÷3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\vlntbk.exe
O4 - HKLM\..\Run: [THGuard] "E:\TrojanHunter 4.2\THGuard.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\System\AIM\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16b7b2f78ae95ff...p/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://support.vugames.com/betasubmi...sysinfo/Si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================


If someone knows of a fix for this problem, I would greatly appreciate it. Thanks for taking the time to look at this.
alaus67 is offline  
Old 04-16-2005, 10:41 AM   #2 (permalink)
Registered User
 
 
Join Date: Feb 2005
Location: Georgia
Posts: 584
OS: XP


Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

You may wish to Subscribe to this thread so that you are notified when a reply has been made.
Click Thread Tools then Subscribe to Thread.

Please be patient with me during this time.
Herk is offline  
Old 04-16-2005, 02:10 PM   #3 (permalink)
Registered User
 
 
Join Date: Feb 2005
Location: Georgia
Posts: 584
OS: XP


Hello alaus67 and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. You will use this later.

You are running Counter Spy from a temp directory. Please move it, or reinstall it somewhere permanent, such as C:\Program Files, before running CleanUp.

Download FxIstbar.exe and run it.

Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time).

C:\WINDOWS\vlntbk.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

ISTsvc >>If it still exists

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [fPb7PjD] C:\WINDOWS\vlntbk.exe
O4 - HKLM\..\Run: [Á ³# K"h'þ9Óœ÷3rÅ WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\vlntbk.exe

Please remember to close all other windows, including browsers then click Fix checked.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\vlntbk.exe
C:\Program Files\ISTsvc

Reboot your System in normal mode.

If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

Please post a fresh Hijack This log ( Without HJT Analyzer) so that we can check if your system is clean.
Herk is offline  
Old 04-16-2005, 03:50 PM   #4 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 4
OS: Win XP


Hi Herk,
I started the cleaning procedure, but when I ran the FxIstbar.exe program, it said "Adware.Istbar has not been found on your computer". I rebooted into normal mode and ran it again with the same result. Should I move on to the next step? Just want to double check before doing that.
alaus67 is offline  
Old 04-16-2005, 05:55 PM   #5 (permalink)
Registered User
 
 
Join Date: Feb 2005
Location: Georgia
Posts: 584
OS: XP


Yes, just start from reboot to safe mode and take it from there.
If you have not already, remember to move Counterspy or CleanUp will remove it, being it's in a temp file.
Herk is offline  
Old 04-16-2005, 07:31 PM   #6 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 4
OS: Win XP


I uninstalled Counterspy and finished the cleaning procedure. There was no process to kill however. Also under CleanUp I got a message at the end about "to delete these 1 or 2 files in use, you need to logout and then log back in". I ran cleanup again, but got the same message. I finished the rest of the directions and here is the latest HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 10:24:29 PM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\System\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\system\qt\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "E:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\System\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16b7b2f78ae95ff...p/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://support.vugames.com/betasubmi...sysinfo/Si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96BD7EF5-EE7E-4438-B41A-8ED9DCBF7103}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
alaus67 is offline  
Old 04-18-2005, 09:05 AM   #7 (permalink)
Registered User
 
 
Join Date: Feb 2005
Location: Georgia
Posts: 584
OS: XP


Hi alaus67

First, Counterspy is ok to run if you choose to, just be sure not to install it in a temp directory.
CleanUp will remove the temp files it finds and delete on reboot the ones in use. This however will not stop your computer from recreating some temp files at start up. You have run it and rebooted so you will have removed any junk files.

Your log looks good now.
You can turn System Restore on now.
Are you having any problems?

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.



More information and downloads are available at the following links:

Spyware Blaster
Spyware Guard
IE-Spyad
Herk is offline  
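
The O4 (Run key) triage done by hand in this thread can be scripted; the sketch below is an added example, not part of the original posts and not a HijackThis feature. The function names and the three heuristics are assumptions chosen for illustration, and the flags are review hints rather than verdicts (the Counterspy entry is legitimate software that happened to be installed under a temp folder).

```python
import re
from collections import defaultdict

# O4 lines taken from the two HijackThis logs in this thread (subset).
BEFORE = r'''
O4 - HKLM\..\Run: [QuickTime Task] "E:\system\qt\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fPb7PjD] C:\WINDOWS\vlntbk.exe
O4 - HKLM\..\Run: [sunasDTServ] E:\Temp\CSpy\sunasDtServ.exe
O4 - HKLM\..\Run: [Á³# K"h'þ9Óœ÷3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\vlntbk.exe
O4 - HKLM\..\Run: [THGuard] "E:\TrojanHunter 4.2\THGuard.exe"
'''
AFTER = r'''
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\system\qt\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [THGuard] "E:\TrojanHunter 4.2\THGuard.exe"
'''

# Layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_LINE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$')

def parse_o4(log):
    """Return (value_name, lower-cased target executable) per O4 line."""
    entries = []
    for line in log.split('\n'):
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group(3), m.group(4)
        if cmd.startswith('"'):                      # quoted path + arguments
            target = cmd[1:].split('"', 1)[0]
        else:                                        # unquoted: cut at first .exe
            exe = re.match(r'(.+?\.exe)\b', cmd, re.I)
            target = exe.group(1) if exe else cmd
        entries.append((name, target.lower()))
    return entries

def triage(log):
    """Map each flagged target to the reasons it deserves a closer look."""
    entries = parse_o4(log)
    names_per_target = defaultdict(list)
    for name, target in entries:
        names_per_target[target].append(name)
    findings = defaultdict(set)
    for name, target in entries:
        if any(ord(c) < 32 or ord(c) > 126 for c in name):
            findings[target].add("value name has non-printable/non-ASCII bytes")
        if "\\temp\\" in target:
            findings[target].add("runs from a temp directory")
        if len(names_per_target[target]) > 1:
            findings[target].add("several Run values launch the same file")
    return {t: sorted(r) for t, r in findings.items()}

def still_present(before, after):
    """Targets flagged in the first log that the follow-up log still starts."""
    return set(triage(before)) & {t for _, t in parse_o4(after)}
```

An empty result from `still_present(BEFORE, AFTER)` corresponds to the "log looks good now" check made on the follow-up log.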
Old 04-18-2005, 10:46 AM   #8 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 4
OS: Win XP


Hi Herk,
The dialup connection dialog box has stopped popping up and I am no longer getting any McAfee warning popups. I haven't found any problems on recent spyware scans and I have re-enabled the system restore.
THANK YOU very much for all your help! I really appreciate you taking the time to look over these problems. Also thank you for the spyware prevention information you have posted. I will take a look at those and get them installed on my system. Thanks again!
alaus67 is offline  
 


All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum