Downloader Clispri.A Anyone know anything?


19 replies to this topic

#1 trinity71

Posted 16 June 2004 - 01:39 AM

I was sent to this forum from another for help.

I have scanned with all the following, updated programs:

Spybot Search and Destroy
Adaware
Stinger
SpywareBlaster is installed and working
TrojanHunter
Also scanned with Housecall at Trend Micro

I use ZoneAlarm for a firewall and..
Grisoft's AVG program

And HijackThis

Scans with TJH tell me that Trojan Downloader Clispri.A is in the Temp Internet Files (each time I run TJH, the .exe extension is different) and that I should run AVG to get rid of the virus. Doesn't matter if I had just scanned with AVG, which found nothing, it still tells me that.

The latest scans with the other programs produced nothing even remotely similar to this 'creature'. Indeed, most of them found nothing at all, like AVG. Yet, TJH always finds it and with a new extension.

I have spent the better part of the last 24 hours scanning, fixing, deleting the temp files (which are checked to be automatically deleted, btw), etc., etc., to no avail. TJH says it's there and all its friends seem to be moving in. :wtf:

I'm at my wit's end. I came here, read the rules and all, and hope I've done everything I need to do to maybe find some answers.

I was asked to run HijackThis and post the log here. Below is the latest scan:

Note: I really don't know how this Clispri.A could be found with this, but would truly appreciate any response from anyone who might know anything about it. I also did a search on the web for info about it and did scans with Sys Restore disabled (rebooted in Safe Mode as well) with no result. :thumbsdown:

Logfile of HijackThis v1.97.7
Scan saved at 1:14:34 AM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\America Online 9.0c\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Documents and Settings\Debra Stiens\My Documents\My eBooks\Zip Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (disabled by BHODemon)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [syqsocmgr.exe] C:\WINNT\System32\syqsocmgr.exe
O4 - HKLM\..\Run: [CGJMPT] C:\WINNT\CGJMPT.exe
O4 - HKLM\..\Run: [61437624.exe] C:\WINNT\System32\61437624.exe
O4 - HKCU\..\Run: [syqsocmgr.exe] C:\WINNT\System32\syqsocmgr.exe
O4 - HKCU\..\Run: [EPSON Stylus C80 Series (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P32 "EPSON Stylus C80 Series (Copy 1)" /O6 "USB001" /M "Stylus C80"
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0c\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Cookies (HKCU)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.freewebs.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/p.../v12/ticker.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7322.6026273148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communitie...UC/MsnPUpld.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

I thank you in advance for your time and effort and especially if you can help me figure this out :scratchhead:

D

#2 trinity71

Posted 16 June 2004 - 10:32 AM

To The Top^

#3 trinity71

Posted 16 June 2004 - 02:33 PM

Once again^

#4 trinity71

Posted 16 June 2004 - 07:36 PM

Once more.....with FEELING! :wave:

#5 trinity71

Posted 16 June 2004 - 10:18 PM

Annndddd.....again^

#6 trinity71

Posted 17 June 2004 - 10:46 PM

Is there no one out there who knows anything about this? :unsure: :shock:

#7 trinity71

Posted 18 June 2004 - 11:18 AM

^^bump^^

#8 dave38

Posted 18 June 2004 - 02:03 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [syqsocmgr.exe] C:\WINNT\System32\syqsocmgr.exe
O4 - HKLM\..\Run: [CGJMPT] C:\WINNT\CGJMPT.exe
O4 - HKLM\..\Run: [61437624.exe] C:\WINNT\System32\61437624.exe
O4 - HKCU\..\Run: [syqsocmgr.exe] C:\WINNT\System32\syqsocmgr.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

O9 - Extra button: WeatherBug (HKCU)

O15 - Trusted Zone: http://*.freewebs.com

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

Reboot and delete

files
C:\WINNT\System32\syqsocmgr.exe
C:\WINNT\CGJMPT.exe
C:\WINNT\System32\61437624.exe

folders
C:\Program Files\Viewpoint
C:\Program Files\CLOCKS~1

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
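The O4 and O16 lines dave38 picked out of the log can be triaged mechanically. The following is an added example for this thread, not code from the forum, from HijackThis or from TrojanHunter: a small Python parser that reads HijackThis O4 (registry Run) and O16 (ActiveX/DPF) lines from a constructed sample copied from post #1 and flags numeric or vowel-less executable names, a Run value registered under both HKLM and HKCU, and DPF controls with no description, no source URL, or a bare IP host. The Viewpoint entries dave38 also removed are known adware; that is a lookup against known names, which no heuristic here reproduces.

```python
"""HijackThis log triage (added example; not code from the thread, HijackThis or TrojanHunter).
Parses the O4 (registry Run) and O16 (ActiveX / DPF) lines dave38 singled out and
flags candidates for review; known adware such as Viewpoint needs a lookup, not a rule."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the log in post #1 (URLs were shortened
# with "..." by the forum software, so only the URL prefix is inspected).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [syqsocmgr.exe] C:\WINNT\System32\syqsocmgr.exe
O4 - HKLM\..\Run: [CGJMPT] C:\WINNT\CGJMPT.exe
O4 - HKLM\..\Run: [61437624.exe] C:\WINNT\System32\61437624.exe
O4 - HKCU\..\Run: [syqsocmgr.exe] C:\WINNT\System32\syqsocmgr.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

# "O4 - HKLM\..\Run: [Value name] command line" (also RunOnce / RunServices)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O16 - DPF: {CLSID} (Description) - URL"; description and URL may both be absent
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>.*)$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.IGNORECASE)
IP_HOST_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


@dataclass
class Finding:
    line: str
    reason: str


def exe_name(cmd: str) -> Optional[str]:
    """First *.exe token of a Run command line (works for paths with spaces)."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else None


def looks_machine_generated(stem: str) -> bool:
    """Digit-only stems (61437624) or letter-only stems without a vowel (CGJMPT).
    Also catches some legitimate OEM binaries, so treat it as a hint, not a verdict."""
    if stem.isdigit():
        return True
    return stem.isalpha() and not any(c in "aeiouyAEIOUY" for c in stem)


def triage(log_text: str) -> List[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Which hives each Run executable is registered under (HKLM, HKCU or both).
    hives = defaultdict(set)
    for line in lines:
        m = O4_RE.match(line)
        if m and exe_name(m.group("cmd")):
            hives[exe_name(m.group("cmd")).lower()].add(m.group("hive"))
    findings: List[Finding] = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            exe = exe_name(m.group("cmd"))
            if not exe:
                continue
            if looks_machine_generated(exe.rsplit(".", 1)[0]):
                findings.append(Finding(line, f"{exe}: machine-generated-looking name"))
            if len(hives[exe.lower()]) > 1:
                findings.append(Finding(line, f"{exe}: registered under both HKLM and HKCU Run"))
            continue
        m = O16_RE.match(line)
        if m:
            clsid = m.group("clsid")
            if not m.group("desc"):
                findings.append(Finding(line, f"{clsid}: ActiveX control with no description"))
            if not m.group("url"):
                findings.append(Finding(line, f"{clsid}: ActiveX control with no source URL"))
            elif IP_HOST_RE.match(m.group("url")):
                findings.append(Finding(line, f"{clsid}: control served from a bare IP address"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample, the six lines flagged are exactly the syqsocmgr, CGJMPT, 61437624, RdxIE and empty DPF entries from dave38's fix list; the AVG, ViewMgr and Shockwave lines pass.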

#9 trinity71

Posted 18 June 2004 - 04:22 PM

Reboot and delete

files
C:\WINNT\System32\syqsocmgr.exe
C:\WINNT\CGJMPT.exe
C:\WINNT\System32\61437624.exe

folders
C:\Program Files\Viewpoint
C:\Program Files\CLOCKS~1

Thanks, dave38,

I did everything you asked. However, the WINNT files you asked me to delete after rebooting (see quote), I was unable to find. I was able to delete the two folders.

I ran Adaware, Spybot and TrojanHunter before doing another HJT scan. This time, TJH found two instances of this virus, not just one, each with a different .exe extension as before.

My log is below with a note:

Logfile of HijackThis v1.97.7
Scan saved at 5:04:13 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\America Online 9.0c\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Debra Stiens\My Documents\My eBooks\Zip Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (disabled by BHODemon)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus C80 Series (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P32 "EPSON Stylus C80 Series (Copy 1)" /O6 "USB001" /M "Stylus C80"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0c\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Cookies (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://*.freewebs.com
I put this into ZoneAlarm because it is my webhost. This allows me to access the site and its features.

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/p.../v12/ticker.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7322.6026273148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communitie...UC/MsnPUpld.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

I'm very puzzled by this trojan/virus or whatever it is. As it stands, there are ten variations so far. And at this point, I have not noticed any appreciable difference in performance or annoyances, etc. I'm sure some would say to ignore it; however I'm afraid I've gotten too paranoid to do that...lol. I wish there was more information about this parasite.

Thank you for your help.

D

#10 dave38

Posted 18 June 2004 - 05:45 PM

If you cannot find the files, even with the see hidden files options on, it's fairly safe to say they have gone!

If you want to retain freewebs.com in your trusted zone, that's OK. I tend to be a bit heavy handed, and kill anything in there ;D .

Have you deleted all your temporary Internet files, using Control Panel>Internet Options? If not, please do that, and check the box "delete all offline content".

What is the exact path/filename that is reported as the trojan?
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#11 trinity71

Posted 18 June 2004 - 09:42 PM

Thanks, dave :D

I kinda figured you might be the more cautious type when I saw you wanted me to delete my trusted zone. I am also cautious about it, but when I couldn't get to my account and wondered what was going on, somehow, I figured it out, tried putting it in as 'trusted' and it worked. It's the only one there, too.

Well, I haven't deleted the temp files today. I thought that checking the box to do that would take care of it, is this not so? I still have to manually delete them? (going to do that right now)

Done! btw, I have the space for that set to the lowest point, if that is relevant for anything?

This is what TJH shows in the popup window telling me about this "thing" (the file path, anyway):

C:\DOCUME~1\DEBRAS~1\LOCALS~1\Temp\ then whatever file extension is there at that time.

Here is the list I have of the different .exe's it has shown:

C66a.exe
Kt3fKK.exe
152bSqrS.exe
BHAnLlQcs.exe
BS8.exe
ztN6nX.exe
aLibZ.exe
bujFU.exe
lusFbx.exe
MFQc.exe (these last two showed up one after the other today)

Not sure if giving the different .exe extensions is helpful or not. But each time it calls it the Downloader trojan Clispri.A

Hope this helps a little :)

D

#12 trinity71

Posted 19 June 2004 - 10:36 PM

^moving on up!^

OOPS! Sorry!

After I did this, I saw PGPhantom's sticky about not bumping.

Please forgive me! :wave:


Thanks!

D

Edited by trinity71, 19 June 2004 - 10:48 PM.


#13 dave38

Posted 20 June 2004 - 04:54 AM

Delete everything in the folder C:\DOCUME~1\DEBRAS~1\LOCALS~1\Temp.
Do this with all other programs closed.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#14 trinity71

Posted 20 June 2004 - 12:14 PM

Thanks, dave, I will do that

Just want to let you know I truly do appreciate your help and patience.

My little 'adventure' into the world of malware has directed me to some great places with wonderful, caring people. That is the GOOD thing that has come out of all this.

Now.....back to the front :bangbang:

D

#15 trinity71

Posted 20 June 2004 - 05:10 PM

Well, it didn't work..... :weep: though one would think that since TJH says these files are in that folder, deleting them would get rid of them. *sigh*

There were 2 files that couldn't be deleted, however.

I know what one of them is for.

But the other one.......hummmm.....can't identify it for certain.....and the dialog box says it can't be deleted because it's running. To delete it, I have to stop it. And since I don't know what it is, I can't.

Sound fishy? Does to me. :hmmm:

D

#16 dave38

Posted 20 June 2004 - 05:35 PM

What files show when you open that folder in My Computer/Explorer?
That should show the names.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#17 trinity71

Posted 20 June 2004 - 05:41 PM

I'm sorry, dave, I can't find the folder My Computer/Explorer.

Are you referring to the two files that were left in the Temp folder after I deleted everything else?

D

#18 trinity71

Posted 20 June 2004 - 05:49 PM

A strange thing just happened......

I went to search for the two files (forgetting to set it to show hidden files) and only the one showed up (the one that I know what it is).

So, I set it to show the hidden files.....and the other one showed up. I wrote it down......and just after I finished......the file disappeared!

Very.....very strange!

The file name is: JETA3DB.tmp

D

#19 trinity71

Posted 22 June 2004 - 05:52 PM

We seem to be at an impasse.

TJH still reports the bugger, asking me to run AVG

AVG doesn't find anything. Neither does Spybot, Adaware, etc. (just minor stuff)

Just did an online scan for trojans......that came up with nothing too.

:scratchhead:

I'm starting to think this is some kind of prank......something to make a user think there's something there, when there really isn't.....driving them crazy trying to get rid of it? :techsupport:

Or could something be going on with TJH? I only have 2 days left on the evaluation period. Can't pay for it just now, but if it's something with the program.....?

I'm really at a loss.....and I'm sure dave38 is as well.

I am, however, starting to see some 'problems', maybe. Not sure if they are related, but want to let you know....

I'm on dialup......sometimes have to disconnect and reconnect to get a good speed. Before...this didn't happen that often.

When I go to shutdown...it is many seconds before it brings up the box with the "Standby, Shutdown, Restart" buttons.

Am starting to see sudden disconnects, though this could be unrelated as well. This hasn't happened in quite a while.

#20 jebsterino

Posted 22 June 2004 - 06:09 PM

I ran into a virus the other day, trojandownloader.win32.agent.k. When it was loaded in memory, it prevented me and any virus checker from seeing the infected file at all. The file was completely invisible even with show hidden and system files on.

When I was finally able to prevent the virus from loading into memory at startup, the infected file suddenly became visible.

The strange thing was that the virus even loaded into memory in safe mode, and it even hid the registry key that was loading it by changing the permissions on it. I had to change the permissions on the registry key to deny in order to prevent it from loading, then I was able to see the infected file and delete it, and see the registry entry and delete it as well.

One other thing, it didn't load as a task that could be killed, it loaded as a dll file. The only way to tell it was there was through loaded modules in system information, and a virus checker that I tried that could detect it loaded in memory.

Very strange.

Edited by jebsterino, 22 June 2004 - 06:17 PM.