downloader.clispri.A, trojan.byteverify

Discussion in 'other security issues & news' started by subratam, Nov 14, 2003.

  1. subratam

    subratam Guest

    i hav TDS 3 and all gr8 AVs like Norton and AVG but... none seem to eradicate the downloader.clispri.A or trojan.byteverify or even catch them... AVG catches though but i hav to clean them manually... come on TDS u can do it
     
  2. subratam

    subratam Guest

    trojan.byteverify,downloader.clispri.A

    can anyone say wat i can do with these trojans.... they are new kid on the blocks and yes they are :'( unknown... can anyone temme anything bout these...
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Re:trojan.byteverify,downloader.clispri.A

    Hi subratam,

    ByteVerify is not that new: http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
    Also check this thread: http://www.wilderssecurity.com/showthread.php?t=13039

    I can't find anything about downloader.clispri.A
    Can you tell us which scanner identified what file as being clispri.A ?

    Regards,

    Pieter
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    man... thx that i went to the same thread u gave to kno bout byteverify.. i hav all latest updates for win2k pro.. dunno though y still byteverify attacked me.. i think i hav cleaned it as i hav cwshredder done that... i also delete the historis and caches by system mechanic and i just got my cache jars in memory option in java plug in unchked so that it dun keep any cache... i read that updated java VM shudnt cause probz.. actually i dun wanna uninstall it.. hey i hav started downloading latest java plug in frm sun.. shud it b ok then??
    about downloader.clispri.A its a new kid on the block i hav got some info that it generally hav two exes scbr.exe and ptpo.exe.. i dunno wat it doz though till nou for sure.. my AVG caught that but nothin more it cud do.. no heal no delete... i am not sure also that its not anymore ... if u hav downloader... and u dunno u can run the trendmicro online scan and hav AVG 7 installed b4 that... trend opens each file and AVG catches the worm as the infected file is opened.. any got more info or hou to tackle.... plz come on in...
    thanx in advance
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    I was going to ask for your HijackThis log, but I think I found it:
    http://forums.techguy.org/t179386/s.html

    Is that correct?

    Regards,

    Pieter
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi subratam,

    I looked up what zephyr at TSG mentioned and that is correct.

    If you had Purityscan this line (or something similar) would have been in your log:
    O4 - HKCU\..\Run: [Opad] C:\Documents and Settings\Administrator\Application Data\scbr.exe

    Other names that are in use for this spyware are Clickspring and Mendware. Obviously AVG decided it needed yet another name. :rolleyes:

    Regards,

    Pieter
     
  7. subratam

    subratam Registered Member

    hey thats the log of mine u got it rite... and i chked it once for me... and will u plz go thru it and temme if anything wrong is still in my computer... i hav been getting frustrated by these trojans and viruses in the web... they seem to increase every second plz... see thru my hijackthis log... and see if u can find anything not needed...
    Logfile of HijackThis v1.97.6
    Scan saved at 6:16:42 PM, on 11/14/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Desktop Architect\datray.exe
    C:\Program Files\FreeMem Professional\fmempro.exe
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Tray Wizard\TWizard.exe
    C:\Program Files\Winamp3\Studio.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\mdm.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Surfing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\Run: [Tray Wizard] C:\Program Files\Tray Wizard\TWizard.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
    O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\fmempro.exe" autostart
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125335c4d044a2873906/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.4057986111
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
    o_O... thx in advance again :)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi subratam,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) <= belongs to DAP but the file is missing

    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe <= Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie, i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <= System Tray access to Apple's "Quick Time" viewer. Not needed

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <= Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required anyway. Different filenames used for different variants

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125335c4d044a2873906/netzip/RdxIE601.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

    Then reboot.

    Comments in italics came from: http://www.pacs-portal.co.uk/startup_pages/startup_full.php

    I don't see any spyware or trojans that are active.

    Regards,

    Pieter
     
  9. subratam

    subratam Registered Member

    the latest log file ::::

    Logfile of HijackThis v1.97.6
    Scan saved at 7:45:48 PM, on 11/14/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Tray Wizard\TWizard.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Desktop Architect\datray.exe
    C:\Program Files\FreeMem Professional\fmempro.exe
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Surfing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\Run: [Tray Wizard] C:\Program Files\Tray Wizard\TWizard.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\fmempro.exe" autostart
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.4057986111
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab

    the striking part in this is i cant eradicate the
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) and i get the same frm spybot it comes again and again.. mayb default.. anyway i hav gone thru security chks, spywareblaster download browser chks everything... as u said... hou do i kno which cookie is good for me and which one is goin to cause havoc...
    thx in advance :)
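
An added example, not part of the original thread and not HijackThis's own logic: a small Python triage of a HijackThis log using three heuristics modelled on the entries called out in posts 6 and 8 (a toolbar whose file is missing, an autorun from Application Data, an ActiveX download from a bare IP address), followed by a before/after comparison like the two logs posted above. The heuristics, the function names and the trimmed sample logs (assembled from lines quoted in the thread) are assumptions of this example.

```python
import re

# A HijackThis entry line looks like "O4 - HKLM\..\Run: [Name] path".
# Header lines and the running-process list do not match and are skipped.
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# Download source given as a dotted-quad address instead of a hostname.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[:/]", re.I)
# Executable started from a per-user, user-writable folder.
USER_WRITABLE = re.compile(
    r"\\(?:application data|local settings\\temp)\\[^\\]+\.exe", re.I)


def parse(log_text):
    """Return [(section, detail), ...] for every entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return [(section, detail, reason), ...] for entries worth a second look.

    These are review hints only (assumed heuristics); a match is not proof
    of malware and a clean result is not proof of a clean machine.
    """
    findings = []
    for section, detail in entries:
        if section in ("O2", "O3") and detail.endswith("(no file)"):
            findings.append((section, detail,
                             "orphaned: registered file is missing"))
        elif section == "O4" and USER_WRITABLE.search(detail):
            findings.append((section, detail,
                             "autorun from a user-writable folder"))
        elif section == "O16" and IP_URL.search(detail):
            findings.append((section, detail,
                             "ActiveX download source is a bare IP address"))
    return findings


def compare(before_text, after_text):
    """Compare a log taken before 'Fix checked' with one taken after.

    Returns (removed, persisting): entries that disappeared, and flagged
    entries that are still present after the fix and reboot.
    """
    before, after = parse(before_text), parse(after_text)
    after_set = set(after)
    removed = [e for e in before if e not in after_set]
    persisting = [f for f in triage(before) if (f[0], f[1]) in after_set]
    return removed, persisting


# Constructed sample: a few lines taken from the thread, trimmed for brevity.
# The [Opad] line is the one quoted in post 6, not from the user's own log.
BEFORE = r"""Logfile of HijackThis v1.97.6
Running processes:
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKCU\..\Run: [Opad] C:\Documents and Settings\Administrator\Application Data\scbr.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125335c4d044a2873906/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Constructed "after" log: the orphaned toolbar entry is still there.
AFTER = r"""Logfile of HijackThis v1.97.6
Running processes:
C:\WINNT\Explorer.EXE

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for section, detail, reason in triage(parse(BEFORE)):
        print(f"[review] {section}: {reason}\n         {detail}")
    removed, persisting = compare(BEFORE, AFTER)
    print(f"{len(removed)} entries removed by the fix")
    for section, detail, reason in persisting:
        print(f"[still present] {section}: {detail}")
```

An entry that persists after a fix, like the O3 line here, usually means something recreates it at startup, which is the explanation given later in the thread for the DAP toolbar entry.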
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi subratam,

    Do you still use DAP?

    Regards,

    Pieter
     
  11. subratam

    subratam Registered Member

    ya i do use DAP... is thr any probz with that o_O ... it asks for browser integration at first... and when i try to do it it says "int gailed" anyway shud i uninstall DAP or when it asks at 1st i shudnt integrate it with browser?? :oops:
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi subratam,

    No, there isn't much wrong with DAP, I just figured that might be the reason you can't remove that entry.
    So you can leave that one alone and if Spybot finds it again right-click it in the main screen and choose "Exclude this product from further searches."

    And your log looks fine now.

    Regards,

    Pieter
     
  13. subratam

    subratam Registered Member

    :D :D ... u guys rock man... this site really looks into each and every matters... i really appreciate ur attention. :cool: i am amazed at the answer reply rate that i hav been gettin frm this site.. hats off to u all guys to u specially frm my heart Pieter....
    i hope both download.clispri.a and trojan.byteverify have taken a backseat nou... if not and if i do get anything unnecessary i will report sooner than later..
    can u say onething to me... can i continue to hav TDS3 after the trial period.. atleast for chkin trojans..o_O
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi subratam,

    I would advise you to buy TDS3 after the trial is over, or sooner if you decide that it suits your needs. They are working on TDS4 now and you will receive a free upgrade.
    I know I never regretted buying it. :)

    Regards,

    Pieter
     
  15. subratam

    subratam Registered Member

    hi thr.. ya i just saw wat u wrote.. can u plz temme wats the diff that wud come once i get it registered?? and by the way will all the functions of TDS go away after trial period?? o_O.. actually i can ofcourse register in future but till then can i continue to hav the normal functions thoz i hav nou??
    thx in advance..
    oh 1 more thing i was forgettin to get known frm u.. last time i chked full scan thru TDS it gave autoexec.bat was missin... doz that matter too much?? i chked just nou also b4 posting it says file doesnt exist c:\autoexec.bat after verifying the files.. wat is ntvdm.exe??
     
  16. subratam

    subratam Registered Member

    SOMEBODY PLZ HELP ME !!!!!

    plz anyone... plz giv a lill attention to this topic :oops: i recently posted one topic namin byteverify and downloader.clispri.a.... many thing may got well till then.. i got all security that almost a person can get
    NAV 2002 latest updates with latest liveupdate installed
    AVG 7
    SpywareBlaster
    SpyBot SD
    CWshredder
    TDS
    Trojan Remover
    Tiny personal firewall
    hijackthis
    i hav even gone thru the security chks and have latest security updates...
    but this downloader.clispri.a once gettin thru purityscan when i din hav the softwares... and nou dun seem to go :oops:
    whenever i scan with trendmicro which scans each file minutely and tries to open the infected file (c:\docum~1\admini~1\locals~1\temp\vsg3ea01060) AVG catches the trojan.. but nothin more it can do.. i heard from other sites the trojan mainly has two exes... scbr.exe and ptpo.exe
    i welcome anyone anybody to help me out....
    thx in advance
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Re:pLZ PLZ..... SOMEBODY PLZ HELP ME !!!!

    If you use any online scanner from housecall or any others... then during that time turn off resident AV and AT programs that you installed on your PC and have running.
     
  18. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    Re:pLZ PLZ..... SOMEBODY PLZ HELP ME !!!!

    Hi Subratam!

    I'm sorry that you have to deal with one of those nasties. Although I have never caught a Trojan myself and can't personally coach you much on that matter, I found some info on Trojans that may be of help. There is advice on how to find a Trojan, how to repair damage -- if you have already caught one of them -- and how to avoid falling prey to Trojans. It is good also that you unhide all Windows filename extensions before starting to scan your computer. The link I give you here tells how to do it.

    http://www.irchelp.org/irchelp/security/trojan.html

    Additional info:

    I am infected with a Trojan. How do I get rid of it?
    http://www.broadbandreports.com/faq/4191

    And I agree with Primrose's tip, turning off any resident AV and AT when scanning your computer with online tools.


    Hope this helps,

    Uguel
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Re:pLZ PLZ..... SOMEBODY PLZ HELP ME !!!!

    Hi subratam,

    Since there is related information in all of them, I've merged your various threads together into the first one you started earlier today.

    Please keep all posts on this problem together as there is useful information in all of them and it helps to have it all in one place.

    Thanks,
    LowWaterMark
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello subratam & welcome, If you are still having problems ref your shout for Help

    Can you please go to this link http://www.diamondcs.com.au/index.php?page=asviewer & download AsViewer.

    Run the AsViewer.exe then save the findings to asviewer.txt - paste a copy in your next reply to this thread - This may help us determine why you cannot stop or delete the troublesome files and/or what the Trojan is.

    If you can copy any files that may belong to the Trojan - Please send them to submit@diamondcs.com.au where they can be analysed.

    To answer your last questions

    You will :
    Get the added feature of Executive Protection if you wish to install it, this basically will not allow a Trojan to run whilst TDS is running.

    Be able to download the radius files from within TDS3.

    Get a free upgrade to TDS4

    Have access to the TDS private forums - A vast knowledge base for TDS Licensed operators. :)

    TDS trial will stop working after the trial period :(

    Cheers LWM.
     
  21. subratam

    subratam Registered Member

    i hav the temp folder which contains the trojan as and when its tryin to b opened by the house call it shows... shud i delete the tmp folder hou do i kno wat imp things are thr in my folder?? and i have hijackthis.. doz it work same as autostart or can i copy autostart from TDS?? actually i am not sure nou hou many more AVs ATs and Spywareblasters i need to b protected :'( i have more security softwares nou in my comp than anything else.. and had not been my comp 2.4 Ghz and 256 Ram i wud hav been struggling to manage my comp :blink:
    i hav made all necessary arrangements but i think only this downloader trojan... which once gettin into.. mayb doin nothin but as its also new kid on the block not gettin eradicated.. shud i send the temp folder to u guys?? and if u want i can post my hijackthis file log nxt up... or Autostart Viewer wateva u guys think is good
    thx in advance and waitin eagerly
     
  22. Pilli

    Pilli Registered Member

    Subratam, Zip a copy of the folder if you like and send it to submit@diamondcs.com.au
    We would like to see a printout from your autostartviewer please. Ensure that both services & drivers are selected in "Main" before saving the text.
     
  23. subratam

    subratam Registered Member

    o_O here lies the AS viewer report if anything else yall need do temme... i am waitin
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Subratam@CHWEETY, 11-15-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    c:\winnt\system.ini [boot]\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
    C:\PROGRA~1\NORTON~1\navapw32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton CrashGuard Monitor
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadQM
    C:\WINNT\loadqm.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DownloadAccelerator
    C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINNT\system32\\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrojanScanner
    C:\Program Files\Trojan Remover\Trjscan.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray Wizard
    C:\Program Files\Tray Wizard\TWizard.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Mechanic Cache Cleanup
    C:\Program Files\iolo\System Mechanic 4\SysMech4.exe /COMPLETECACHE
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Architect
    C:\Program Files\Desktop Architect\datray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FreeMem Pro
    C:\Program Files\FreeMem Professional\fmempro.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\system32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\SIM3 Scan 1.job
    C:\Program Files\GFI\System Integrity Monitor 3\cfstart.exe
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk /r \??\C:
    autocheck autochk *
    smrgdf C:\Program Files\iolo\System Mechanic 4\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD

    :oops: thx in advance
     
  24. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    oops i din see that u told me to chk the services and drivers... sorry

    the updated viewer log :

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Subratam@CHWEETY, 11-15-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    c:\winnt\system.ini [boot]\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
    C:\PROGRA~1\NORTON~1\navapw32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton CrashGuard Monitor
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadQM
    C:\WINNT\loadqm.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DownloadAccelerator
    C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINNT\system32\\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrojanScanner
    C:\Program Files\Trojan Remover\Trjscan.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray Wizard
    C:\Program Files\Tray Wizard\TWizard.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Mechanic Cache Cleanup
    C:\Program Files\iolo\System Mechanic 4\SysMech4.exe /COMPLETECACHE
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Architect
    C:\Program Files\Desktop Architect\datray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FreeMem Pro
    C:\Program Files\FreeMem Professional\fmempro.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\system32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\SIM3 Scan 1.job
    C:\Program Files\GFI\System Integrity Monitor 3\cfstart.exe
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk /r \??\C:
    autocheck autochk *
    smrgdf C:\Program Files\iolo\System Mechanic 4\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Avg7Alrt\
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    HKLM\System\CurrentControlSet\Services\Avg7UpdSvc\
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\GFI LANguard System Integrity Monitor 3 agent service\
    C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lnss_sscans\
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\NtmsSvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\PersFw\
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINNT\system32\regsvc.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINNT\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\system32\MSTask.exe
    HKLM\System\CurrentControlSet\Services\SecDrv\
    \??\C:\WINNT\system32\drivers\SECDRV.SYS
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINNT\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINNT\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\WinMgmt\
    C:\WINNT\System32\WBEM\WinMgmt.exe
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINNT\system32\svchost.exe -k wugroup
     
  25. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    anybody out thr o_O

    and i got one more question this TDS scan says c:\autoexec.bat is missin after chkin the files, and wat is ntvdm.exe o_O
     