Spyware, Viruses, & Security forum

General discussion

Weird spyware help. Please help!

by audioguy3107 / January 1, 2005 7:37 AM PST

Ok, hopefully, someone here may know about this, since I cannot find anyone who's heard of this problem. When I go online, a random popup will appear. When I go to process, it is linked to a .exe prog named either ynlnk.exe or c5y.exe. The applications that are running are various things (Casale media, Cydoor, among others). I have tried just about ALL anti spyware prog. (Webroot spysweeper, adaware, spybot, hijack this, online scans) and none of them detect this running or in safe mode. The ONLY place on the hard drive any of these .exe files can be found is in the Windows prefetch folder, and of course, I'll delete them and they will come back. Does anyone know how to get rid of this? Thanks.

Have you looked in
by roddy32 / January 1, 2005 7:59 AM PST

add/remove programs for either Casale Media or Cydoor Media? That is just the first question, it depends on the answer to that as to the next questions.

Also...
by Bugbatter / January 1, 2005 8:23 AM PST
In reply to: Have you looked in

Also, in anticipation of what you will be doing next, make sure your computer is configured to show all files.
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

After using Add/Remove per Roddy's suggestion,
reboot into Safemode and see if you can delete those files if they still exist.

In addition to the prefetch folder, don't forget to empty the TIF and other temp folders. Do not delete the temp folders themselves.

Please post back and let us know how things are going.
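
Added example, not part of Bugbatter's post: a command-line equivalent of the hidden/system/subfolder search described above, using the two file names from the first post. It assumes PowerShell is available on the machine; the function name `Find-ReportedFiles` is made up for illustration.

```powershell
# File names reported in the first post of this thread.
$names = @('ynlnk.exe', 'c5y.exe')
# Windows directory (covers System32 and Prefetch).
$root  = $env:SystemRoot

function Find-ReportedFiles {
    param([string]$Root, [string[]]$Names)
    # -Force includes hidden and protected operating system files, which is
    # what the Folder Options changes in the post expose in Explorer.
    # -Recurse corresponds to "Search SubFolders".
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            if ($_.PSIsContainer) { return $false }
            foreach ($n in $Names) {
                # Match the executable itself, or its Prefetch trace, which
                # Windows names NAME.EXE-<hash>.pf
                if ($_.Name -ieq $n -or $_.Name -like "${n}-*.pf") {
                    return $true
                }
            }
            return $false
        } |
        Select-Object FullName, Attributes, Length, CreationTime, LastWriteTime
}

$hits = @(Find-ReportedFiles -Root $root -Names $names)
if ($hits.Count -eq 0) {
    "No matching files found under $root"
} else {
    # Oldest first, so a copy recreated after deletion sorts to the end.
    $hits | Sort-Object CreationTime | Format-Table -AutoSize
}
```

Running it before and after a Safe Mode deletion and comparing `CreationTime` shows whether a file was recreated and roughly when, which narrows down what was running at that moment.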

Also run the latest Ad aware SE 1.05 in safemode !
by Marianna Schmudlach / January 1, 2005 8:28 AM PST

Download the latest version of Ad-Aware (Ad-Aware SE Build 1.05) from Major Geeks.

If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.

After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.

Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Once the definitions have been updated:

Reconfigure Ad-Aware for Full Scan as per the following instructions:

-Launch the program, and click on the Gear at the top of the start screen.

-Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)

- "Automatically save logfile"
- "Automatically quarantine objects prior to removal"
- Safe Mode (always request confirmation)
- Prompt to update outdated confirmation) - Change to 7 days.
- Click the "Scanning" button (On the left side).
- Under Drives & Folders, select "Scan within Archives"
- Click "Click here to select Drives + folders" and select your installed hard drives.
- Under Memory & Registry, select all options.
- Click the "Advanced" button (On the left hand side).
- Under "Shell Integration", select "Move deleted files to Recycle Bin".
- Under "Log-file detail", select all options.
- Click on the "Defaults" button on the left.
- Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
- Click the "Tweak" button (Again, on the left hand side).
- Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
- "Unload recognized processes during scanning."
- "Obtain command line of scanned processes"
- "Scan registry for all users instead of current user only"
- Under "Cleaning Engine", select the following:
-"Automatically try to unregister objects prior to deletion."
-"During removal, unload explorer and IE if necessary"
-"Let Windows remove files in use at next reboot."
- "Delete quarantined objects after restoring"
- Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
- Click on "Proceed" to save these Preferences.
- Click on the "Scan Now" button on the left.
- Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".

- Close all programs except ad-aware.
- Click on "Next" in the bottom right corner to start the scan.
- Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
- After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Plug-Ins for Ad-Aware (VX2 Cleaner)
Download the free VX2 Cleaner here

Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
Install the VX2 Cleaner
Start Ad-Aware SE build 1.05
Go to "Plug-ins"
Select the VX2 Cleaner plug-in and click "Run Plugin"
If your computer isn't infected, click "Close".

If your computer is infected:

Select "Clean System"
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

Virus warnings while performing a scan with Ad-Aware

While performing a scan with Ad-Aware, a background antivirus monitor may issue an alert, stating that a virus has been found in the temporary directory (%temp%) for the current user. This does not necessarily mean your computer has been infected with an active virus. Most antivirus resident scanners will not scan compressed files and only monitor your memory for the sign of an active viral process.

During a scan, Ad-Aware will temporarily decompress files to scan their contents without activating the content, but in doing so, the file is noticed by the antivirus' resident scanner.

Also, some antivirus applications include an option to quarantine infected files, and when Ad-Aware decompresses these quarantined files, the antivirus background scanner detects the virus moving outside the quarantine area. To avoid this you can either remove the quarantined files via your antivirus application, or have Ad-Aware ignore the antivirus program's quarantine folders/files during a scan.
Then,

Download SPYBOT Search and Destroy here if it is not already installed on your computer. Also download the DSO Exploit Fix - HOTFIX here
Install the program and then start it. Once the program has started, make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the check is over, all problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.

Then browse to the C:\Documents and Settings\User Name (repeat for all users)\Local Settings\Temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in Internet Explorer click Tools>Internet Options>General. Click on Delete Files and make sure you get all offline content as well.

Then empty the recycle bin.

It didn't help! AAAgghgh
by audioguy3107 / January 12, 2005 6:27 AM PST

Well, I've tried everything. I did find the stupid program, it was "hidden" in the Win/Sys32 folder. I deleted it in SAFE mode, deleted it in the Prefetch folder, and the damn thing comes back. NOTHING seems to get rid of it. Something must be triggering it to appear whenever I start Internet Explorer. Does anybody have any other ideas? I really don't want to restore, this seems like it should be an easy fix.
Please help!

Best way now to go to a HJT forum
by Marianna Schmudlach / January 12, 2005 6:46 AM PST

and copy\paste your HJT log.

First go here:

http://computercops.biz/zx/Merijn/hijackthis.zip

and download HJT 1.99

Please do this first - go to C: and create a new permanent folder (call it hijackthis) ... Then put (or download - choose "save" not "run") the hijackthis.exe file in it (you must unzip it if it's zipped) ... so you have C:\hijackthis\hijackthis.exe ... then run hijackthis by clicking this .exe file - that way you will have backups if you accidentally remove the wrong item (running from a temporary folder (or the desktop) these backups can easily get lost)

Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file.

Most of what it lists will be harmless, so do not fix anything yet.

Now go either to:

http://castlecops.com/forum67.html or

http://forums.subratam.org/index.php?showforum=7 or

http://www.spywareinfo.com/forums/

first - you have to register before you are able to post your log !

Then make a new thread and copy\paste the txt. file you saved - then wait for instructions - but be aware, be patient !!
