Cpl32ver.exe Trojan

Hi, I've been trying to clean this trojan for the last couple of days. It seems to have originated as the program AntivirXP08... which was the first thing I removed (it kept crashing on each uninstall until I ran Spybot over the computer first). It seems to run cpl32ver.exe at startup. It also seems to be associated with the file lphcvffqj0el4n.exe, which is also loaded at startup and had a second variant with the letters phcv in the name, i.e. it was missing the "l" at the beginning of the file name. I manually edited the registry via regedit to remove all references to these files. I have scanned with Spybot. NOD32 doesn't find it. NOD32 is stuck on an old version dating back to 13 March 08... but it keeps saying it has the latest version (which obviously isn't true).

I used safe mode to delete stuff, and originally there was at least one process running (that was turned off from Task Manager)... but a big ad still remains on the desktop (refer to attachment)... and it won't go. NB: Spybot appears to be blocking the trojan from loading itself into the registry or the startup since I turned on TeaTimer.

This trojan seems to stop the graphics preferences from appearing correctly... with only 3 tabs appearing... and there are no backgrounds to choose from. Windows Update downloads also only ever get to 33% and sit there doing nothing. I also tried updating Windows via the net... but it just sat there saying it was checking the computer and seemed to never finish. The computer is also running slower than it ought to, and the internet is responding very slowly (fast cable... so it should be faster). However it is now responding markedly quicker than it was originally... so it appears much of the infection has been deleted... but more remains (desktop ad, graphics prefs missing & slowdown).

Can someone suggest what to do?
Please send a log from ESET SysInspector to samples[at]eset.com with this thread's url in the subject.
ESS and EAV will get rid of it so long as you have every ThreatSense engine with ticks in all Objects and Options. Then run a scan in safe mode. I have used this method twice recently on PCs with other brands of firewall and antivirus.

Apparently this is a new version of the XP antivirus thinger. Apparently (going off the picture), if you have the same version as this fellow http://www.dslreports.com/forum/r21122897-File-downloaded-automatically it uses a rootkit. The last post there is by Magnus from TrojanHunter (its creator); he gives nice instructions on how to remove this threat. Then again, this assumes it's the exact same variant, which it looks like it is.

-Brian
Re: Cpl32ver.exe Trojan

Thanks. I've been watching replies and have been editing the original post to add detail. I used SysInspector on it and sent the file to NOD32.

NOD32 sent me back a utility to scan the computer with... it generated a log file and I sent it back to them. Waiting for a response. The screen properties still don't give me all 5 tabs... but I seem to have most other things operational. NOD32 is still stuck on an old version (13/3/08)... and for some reason won't update.

I have scanned the system with SUPERAntiSpyware and Malwarebytes Anti-Malware... which found some stuff and removed it. Updated WinXP to SP3... which I reckon is one of the reasons this computer was prone to attack. Originally the computer wouldn't let me do an update... so it must be better. Now I'm going to try AVG... to see if it updates... if NOD32 won't... and I haven't received a reply from NOD32 technical support (e-mailed them last night) on the update issue. Reset the TCP/IP stack and flushed it. Also used HijackThis to check what programs were being loaded.
The problem appears to have arisen because NOD32 wasn't able to download any updates for ~6 months... so the definitions were 6 months old. I think I've finally got rid of all the trojans... by chipping away at them:

NOD32 was not able to download updates (couldn't work out where it was being blocked), so I removed NOD32 and tried AVG 8, which was able to download updates (actually it was in the blocked list... but started to download when the entry was deleted from IE Security). AVG found a few trojans. Then I went back and installed NOD32... which this time, after a bit of persuasion, did download updates (had to try a few times). A scan with NOD32 turned up more trojans (not a huge number). Then I scanned again with Spybot... which found some more malware (a few instances). A second scan confirmed that the spyware was deleted for good (a negative scan and a good sign).

It was about this time I got back all 5 tabs on the graphics preference settings... and could set a proper background screen. This is probably a good indication that the key bits of the trojan had finally been removed.

Just to be on the safe side I decided to scan once more with SUPERAntiSpyware... which found some more trojans. I've decided to do one more scan with Malwarebytes Anti-Malware... but I'm reasonably sure now that the system is fairly clean.

Although many of the warnings in some of the software pertained to cookies... it appeared that many of the warnings were fairly serious threats. I'm fairly familiar with what's kosher and what's not (especially after all this work), so it seems that these programs really did find some extra stuff on the system that was dangerous. As a comparison I did a scan on my system (this is a friend's I'm cleaning)... and mine is relatively trouble free (a few false positives... but only for some exotic utilities/programs)... so the warnings on the system are not manufactured warnings.

Thanks for the suggestions... they were helpful in identifying which trojan we were dealing with. It's like an exorcism... once you know the name (and a bit about them)... they can be exorcised without too much trouble.
Re: Cpl32ver.exe Trojan: retrospective comments

Now that the trojan seems to be dead, here are a couple of comments: Until you get all 5 tabs on the graphics preferences screen and can set a normal backdrop, e.g. "autumn", you probably haven't got rid of the problem entirely. Even after you've got these tabs back you might still have some remnants left. It's necessary to scan with more than one product... as one product doesn't seem to do it all.

Re: Cpl32ver.exe Trojan: retrospective suggestions

I think the back of this trojan could have been broken a lot sooner if I could have worked out some way to update NOD32 sooner:

1) We need a way to flush all blocked sites... prior to resetting them again (Spybot does this)... as undoubtedly NOD32 was being blocked this way. However I couldn't find NOD32/Eset in the list of blocked sites... but the list was so long I might have missed it.

2) There seemed to be no way to download NOD32 updates manually. I still had access to the net and could have easily downloaded them, bypassing the automatic download block. Updated virus definitions would probably have broken the back of the trojan(s) fairly quickly. I did try reinstalling NOD32 a few times... but this didn't help.