CPl32ver Trojan

Discussion in 'ESET Smart Security' started by Zerger, Sep 17, 2008.

Thread Status:
Not open for further replies.
  1. Zerger

    Zerger Registered Member

    Joined:
    Sep 17, 2008
    Posts:
    6
    Cpl32ver.exe Trojan

    Hi,

    I've been trying to clean this trojan last couple of days.

It seems to have originated as the program AntivirXP08... which was the first thing I removed (it kept crashing on each uninstall until I ran Spybot over the computer first).

    It seems to run cpl32ver.exe in startup.

It also seems to be associated with the file lphcvffqj0el4n.exe, which is also loaded in startup and had a second variant with the letters phcv in the name, i.e. it was missing the "l" at the beginning of the file name.

    Manually edited to remove all references to these files in the registry via regedit.

    I have scanned with spybot.

    NOD32 doesn't find it.

    NOD32 is stuck on an old version dating back to the 13-March 08... but it keeps saying it has the latest version (which obviously isn't true).

Used safe mode to delete stuff and originally there was at least one process running (that was turned off from Task Manager)... but a big ad still remains on the desktop (refer attachment)... and it won't go.

NB. Spybot appears to be blocking the Trojan from loading itself into the registry or the startup since I turned on TeaTimer.

    This trojan seems to stop graphics preferences from appearing correctly... with only 3 tabs appearing... and there are no backgrounds to choose from.

    Windows update downloads also only ever get to 33% and sit there doing nothing. I also tried updating windows via the net... but it just sat there saying it was checking the computer and seemed to never finish.

    The computer is also running slower than it ought to be and the internet is responding very slowly (fast cable... so it should be faster). However it is now responding markedly quicker than it was originally... so it appears much of the infection has been deleted... but more remains (desktop ad, graphics prefs missing & slow down).

    Can someone suggest what to do?

    :)
     

    Attached Files:

    Last edited: Sep 19, 2008
  2. nonoise

    nonoise Registered Member

    Joined:
    Jun 6, 2008
    Posts:
    322
Get rid of it with Malwarebytes' Anti-Malware.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send a log from ESET SysInspector to samples[at]eset.com with this thread's url in the subject.
     
  4. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
ESS and EAV will get rid of it so long as you have every ThreatSense engine with ticks in all Objects and Options. Then run a scan in safe mode. I have used this method twice recently on PCs with other brand firewalls and antivirus.
     
  5. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
Apparently this is a new version of the XP antivirus thinger; apparently (going off the picture) if you have the same version as this fellow

    http://www.dslreports.com/forum/r21122897-File-downloaded-automatically

it uses a rootkit; the last post is by Magnus from TrojanHunter (its creator), and he gives nice instructions on how to remove this threat.

    then again this is assuming it's the exact same variant, which it looks like it is

    -Brian
     
  6. Zerger

    Zerger Registered Member

    Joined:
    Sep 17, 2008
    Posts:
    6
    Re: CPl32ver.exe Trojan

Thanks, I've been watching replies and have been editing the original post to add detail.

I used SysInspector on it and sent the file to NOD32.

    :)
     
    Last edited: Sep 19, 2008
  7. Zerger

    Zerger Registered Member

    Joined:
    Sep 17, 2008
    Posts:
    6
    NOD32 sent me back a utility to scan the computer with... generated a log file and sent it back to them.

    Waiting for a response.

    The screen properties still don't give me all 5 tabs... but I seem to have most other things operational.

    NOD32 is still stuck on an old version 13/3/08... and for some reason won't update.

I have scanned the system with SuperAntiSpyware and Malwarebytes' Anti-Malware... which found some stuff and removed it.

    Updated WinXP to SP3... which I reckon is one of the reasons this computer was prone to attack. Originally the computer wouldn't let me do an update... so it must be better.

Now I'm going to try AVG... to see if it updates... if NOD32 won't... and I haven't received a reply from NOD32 technical support (e-mailed them last night) on the update issue.

    Reset the TCP/IP stack and flushed it.

Also used HijackThis to check what programs were being loaded.

    :)
     
  8. Zerger

    Zerger Registered Member

    Joined:
    Sep 17, 2008
    Posts:
    6
    The problem appears to have arisen because NOD32 wasn't able to download any updates for ~6 months... so the definitions were 6 months old.

    I think I've finally got rid of all the trojans... by chipping away at them:

    NOD32 not able to download updates (couldn't work out where it was being blocked) so I removed NOD32 and tried AVG 8 which was able to download updates (actually it was in the blocked list... but started to download when the entry was deleted from IE Security). AVG found a few Trojans.

    Then went back and installed NOD32... which this time after a bit of persuasion did download updates (had to try a few times).

    A scan with NOD32 turned up more trojans (not a huge number).

    Then scanned again with Spybot... which found some more malware (a few instances). A second scan confirmed that the spyware was deleted for good (a negative scan and a good sign).

    It was about this time I got back all 5 tabs on the graphics preference settings... and could set a proper background screen. This is probably a good indication that the key bits of the Trojan had finally been removed.

    Just to be on the safe side I decided to scan once more with:

SuperAntiSpyware

    Which found some more Trojans

    I've decided to do one more scan with:

Malwarebytes' Anti-Malware

    ...but I'm reasonably sure now that the system is fairly clean.

    Although many of the warnings in some of the software pertained to cookies... it appeared that many of the warnings were fairly serious threats. I'm fairly familiar with what's kosher and what's not (especially after all this work) so it seems that these programs really did find some extra stuff on the system that was dangerous.

As a comparison I did a scan on my system (this is a friend's I'm cleaning)... and mine is relatively trouble free (a few false positives... but only for some exotic utilities/programs)... so the warnings on the system are not manufactured warnings.

    Thanks for the suggestions... they were helpful identifying which Trojan we were dealing with:

    It's like an exorcism... once you know the name (and a bit about them)... they can be exorcised without too much trouble.

    :)
     
    Last edited: Sep 20, 2008
  9. Zerger

    Zerger Registered Member

    Joined:
    Sep 17, 2008
    Posts:
    6
    Re: CPl32ver Trojan: retrospective comments

    Now that the trojan seems to be dead here are a couple of comments:

Until you get all 5 tabs on the graphics preferences screen and can set a normal backdrop, e.g. "autumn", you probably haven't got rid of the problem entirely.

    Even after you've got these tabs back you might still have some remnants left.

    It's necessary to scan with more than one product... as one product doesn't seem to do it all.

    :)
     
  10. Zerger

    Zerger Registered Member

    Joined:
    Sep 17, 2008
    Posts:
    6
    Re: CPl32ver Trojan: retrospective suggestions

    I think the back of this Trojan could have been broken a lot sooner if I could have worked out some way to update NOD32 sooner:

    1) We need a way to flush all blocked sites... prior to resetting them again (Spybot does this)... as undoubtedly NOD32 was being blocked this way. However I couldn't find NOD32/Eset in the list of blocked sites...

    ...but the list was so long I might have missed it.

    2) There seemed to be no way to download NOD32 updates manually. I still had access to the net and could have easily downloaded them bypassing the automatic download block. Updated virus definitions would have probably broken the back of the Trojan(s) fairly quickly. I did try reinstalling NOD32 a few times... but this didn't help.

    :)
     
    Last edited: Sep 20, 2008
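As an added defensive example (not code from this thread, from ESET or from any of the tools named above), the script below does the offline triage that the retrospective posts ask for: it checks a hosts file for redirected update sites, a regedit export for vendor domains pushed into Internet Explorer's Restricted sites zone (ZoneMap zone 4, the "blocked list" Zerger could not search by hand), and the HKCU Run key for the startup names reported in the first post. Everything it reads is constructed sample data embedded inline; the vendor domain list and the file-name heuristic built from cpl32ver.exe and lphcvffqj0el4n.exe are assumptions, as the comments note. On a real machine you would feed it the exported .reg file and a copy of %SystemRoot%\system32\drivers\etc\hosts instead.

```python
import re
from typing import Dict, List, Tuple

# Assumption: illustrative update domains an infection may try to block; extend as needed.
UPDATE_DOMAINS = ("eset.com", "avg.com", "windowsupdate.com")

# Heuristic built from the two startup names in the thread: cpl32ver.exe and the
# lphcv.../phcv... name with a random-looking tail.  A heuristic, not a signature.
SUSPECT_EXE = re.compile(r"^(cpl32ver|l?phc[a-z0-9]{8,})\.exe$", re.IGNORECASE)

ZONEMAP_MARK = "\\Internet Settings\\ZoneMap\\Domains\\"
RESTRICTED_ZONE = "4"                        # ZoneMap value 4 = Restricted sites
RUN_KEY_TAIL = "\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed sample hosts file (not captured from the machine in the thread).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       update.eset.com
127.0.0.1       www.eset.com
127.0.0.1       free.avg.com
"""

# Constructed sample regedit 5.00 export of the ZoneMap Domains key and the Run key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\eset.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windowsupdate.com]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-shop.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"cpl32ver"="C:\\WINDOWS\\system32\\cpl32ver.exe"
"lphcvffqj0el4n"="C:\\WINDOWS\\system32\\lphcvffqj0el4n.exe"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key_path: {value_name: value}}; strings and dwords only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif value.startswith("dword:"):
            value = str(int(value[6:], 16))
        keys[current][name] = value
    return keys


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from a hosts file, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *hosts = line.split()
            pairs.extend((ip, h.lower()) for h in hosts)
    return pairs


def _matches(host: str, suffixes) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def hosts_redirects(pairs, suffixes=UPDATE_DOMAINS):
    """Any hosts entry for an update domain is suspect, whatever address it points to."""
    return [(ip, h) for ip, h in pairs if _matches(h, suffixes)]


def restricted_zone_domains(reg, suffixes=UPDATE_DOMAINS):
    """Update domains with any scheme mapped to zone 4; subdomains are nested subkeys."""
    hits = []
    for key, values in reg.items():
        idx = key.find(ZONEMAP_MARK)
        if idx < 0:
            continue
        domain = ".".join(reversed(key[idx + len(ZONEMAP_MARK):].split("\\")))
        if RESTRICTED_ZONE in values.values() and _matches(domain, suffixes):
            hits.append(domain)
    return sorted(hits)


def suspicious_run_entries(reg, pattern=SUSPECT_EXE):
    """Run-key values whose executable name matches the thread-derived heuristic."""
    hits = []
    for key, values in reg.items():
        if key.endswith(RUN_KEY_TAIL):
            for name, command in values.items():
                exe = command.strip('"').split()[0].rsplit("\\", 1)[-1]
                if pattern.match(exe):
                    hits.append((name, command))
    return hits


def triage(hosts_text: str, reg_text: str) -> Dict[str, list]:
    reg = parse_reg(reg_text)
    return {
        "hosts_redirects": hosts_redirects(parse_hosts(hosts_text)),
        "restricted_zone": restricted_zone_domains(reg),
        "run_entries": suspicious_run_entries(reg),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_HOSTS, SAMPLE_REG).items():
        print(section)
        for item in items:
            print("   ", item)
```

A hit in the first two sections explains the "won't update" symptom without any need to scroll through the whole Restricted sites list, and the Run-key section is the same check the thread did by hand in regedit and HijackThis; clearing the findings (removing the hosts lines, deleting the zone-4 subkeys, deleting the Run values) is what lets the vendor's own updater and scanner finish the job.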