Trojan downloader.clispri.a

Discussion in 'adware, spyware & hijack cleaning' started by Vladrek, Dec 4, 2003.

Thread Status:
Not open for further replies.
  1. Vladrek

    Vladrek Guest

    I used the search function but it didn't get any results, so sorry if there's already a post on this.

    AVG gives me a message: Trojan horse downloader.clispri.a found in C:\system volume information\_restore{FE81F1E0-579B-4EB7-8FF0-BCE4-C056CE13}\RP237\A0038010.exe

    And tells me to run AVG to get rid of it, but when I run AVG it doesn't find anything.

    I downloaded HijackThis, here's the log if someone can tell me wtf it means :p

    Logfile of HijackThis v1.97.7
    Scan saved at 11:54:10 PM, on 12/3/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Fast.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\HT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.camelotherald.com/index.shtml
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sharempeg.com/find/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wretched hive of scum and villainy
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O1 - Hosts: 198.65.164.168 00hq.com
    O1 - Hosts: 198.65.164.168 8ad.com
    O1 - Hosts: 198.65.164.168 searchv.com
    O1 - Hosts: 198.65.164.168 www.searchv.com
    O1 - Hosts: 198.65.164.168 008k.com
    O1 - Hosts: 198.65.164.168 www.008k.com
    O1 - Hosts: 198.65.164.168 hotbookmark.com
    O1 - Hosts: 198.65.164.168 www.hotbookmark.com
    O1 - Hosts: 198.65.164.168 700k.com
    O1 - Hosts: 198.65.164.168 www.700k.com
    O1 - Hosts: 198.65.164.168 xsex.ws
    O1 - Hosts: 198.65.164.168 www.xsex.ws
    O1 - Hosts: 198.65.164.168 7days.ws
    O1 - Hosts: 198.65.164.168 www.7days.ws
    O1 - Hosts: 198.65.164.168 onlysex.ws
    O1 - Hosts: 198.65.164.168 www.onlysex.ws
    O1 - Hosts: 198.65.164.168 opsex.com
    O1 - Hosts: 198.65.164.168 www.opsex.com
    O1 - Hosts: 198.65.164.168 yellow500.com
    O1 - Hosts: 198.65.164.168 www.yellow500.com
    O1 - Hosts: 198.65.164.168 thesten.com
    O1 - Hosts: 198.65.164.168 www.thesten.com
    O1 - Hosts: 255.255.255.255 www.casinoxo.com
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Fred\Application Data\winshow\winshow.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [SetCacheMode] Rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QveCtl2Tray] C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE C:\Program Files\Philips\PSA2\skin
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Soca] C:\Documents and Settings\Fred\Application Data\oain.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/controls/launcher.ocx
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
     
  2. makiavelli

    makiavelli Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    18
    Hi Vladrek, I had more or less the same problem; check out this thread:
    http://www.wilderssecurity.com/showthread.php?t=16997
    I ended up doing a full re-install :( :( Hope you have better luck than me.

    Mak
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Vladrek,

    Download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch =

    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O1 - Hosts: 198.65.164.168 00hq.com
    O1 - Hosts: 198.65.164.168 8ad.com
    O1 - Hosts: 198.65.164.168 searchv.com
    O1 - Hosts: 198.65.164.168 www.searchv.com
    O1 - Hosts: 198.65.164.168 008k.com
    O1 - Hosts: 198.65.164.168 www.008k.com
    O1 - Hosts: 198.65.164.168 hotbookmark.com
    O1 - Hosts: 198.65.164.168 www.hotbookmark.com
    O1 - Hosts: 198.65.164.168 700k.com
    O1 - Hosts: 198.65.164.168 www.700k.com
    O1 - Hosts: 198.65.164.168 xsex.ws
    O1 - Hosts: 198.65.164.168 www.xsex.ws
    O1 - Hosts: 198.65.164.168 7days.ws
    O1 - Hosts: 198.65.164.168 www.7days.ws
    O1 - Hosts: 198.65.164.168 onlysex.ws
    O1 - Hosts: 198.65.164.168 www.onlysex.ws
    O1 - Hosts: 198.65.164.168 opsex.com
    O1 - Hosts: 198.65.164.168 www.opsex.com
    O1 - Hosts: 198.65.164.168 yellow500.com
    O1 - Hosts: 198.65.164.168 www.yellow500.com
    O1 - Hosts: 198.65.164.168 thesten.com
    O1 - Hosts: 198.65.164.168

    O4 - HKCU\..\Run: [Soca] C:\Documents and Settings\Fred\Application Data\oain.exe

    Then reboot and delete:
    C:\Documents and Settings\Fred\Application Data\oain.exe

    Please post a new log when you are done.

    Regards,

    Pieter

    PS As you may have noticed I have not addressed the original problem yet. This was done on purpose since there were more urgent matters.
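
    As an added example (not code from the thread or from any of its posters), the triage Pieter did by eye above, written as a small Python script over a HijackThis-style log. It flags the four patterns visible in the first log: hosts-file entries that redirect several unrelated domains to one non-loopback IP, R0/R1 search and start-page values that point at those same domains, a BHO whose DLL is marked "(file missing)", and a Run entry that launches from a user profile directory. The sample log is constructed from entries quoted in this thread; the severity thresholds, the SINK_IPS set (addresses treated as blocking entries rather than redirects) and the category names are my own assumptions.

```python
"""Triage a HijackThis 1.9x log for the hijack patterns seen in this thread (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample, built from entries quoted in the thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.camelotherald.com/index.shtml
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 hotbookmark.com
O1 - Hosts: 255.255.255.255 www.casinoxo.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Fred\Application Data\winshow\winshow.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [Soca] C:\Documents and Settings\Fred\Application Data\oain.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
R_RE = re.compile(r"^R[0-3] - (.+?) = (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]{36}\} - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# Tolerates the 'http:/host' single-slash variant that appears in the original log.
HOST_IN_URL_RE = re.compile(r"^https?:/+([^/\s]+)", re.IGNORECASE)

# Assumption: hosts entries pointing at these addresses block a name rather than redirect it.
SINK_IPS = {"127.0.0.1", "0.0.0.0", "255.255.255.255"}
# Assumption: autostart entries living under a user-writable profile directory deserve a look.
PROFILE_DIR_MARKERS = ("\\application data\\", "\\documents and settings\\", "\\temp\\")


class Finding(NamedTuple):
    severity: str  # "high" or "medium"
    category: str
    detail: str


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels), enough to pair 'www.searchv.com' with 'searchv.com'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    redirects: dict[str, set[str]] = defaultdict(set)  # ip -> registrable domains sent to it
    r_lines: list[tuple[str, str]] = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in SINK_IPS:
                redirects[ip].add(registrable(host))
        elif m := R_RE.match(line):
            r_lines.append(m.groups())
        elif m := BHO_RE.match(line):
            name, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(Finding("medium", "orphan-bho", f"{name}: {path}"))
        elif m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            if any(marker in cmd.lower() for marker in PROFILE_DIR_MARKERS):
                findings.append(Finding("high", "autorun-from-profile", f"{hive} [{name}] {cmd}"))

    # One IP swallowing several unrelated domains is the classic hosts-file hijack.
    hijacked_domains: set[str] = set()
    for ip, domains in redirects.items():
        sev = "high" if len(domains) >= 2 else "medium"
        findings.append(Finding(sev, "hosts-redirect", f"{ip} <- {', '.join(sorted(domains))}"))
        hijacked_domains |= domains

    # Search/start-page values that point at a domain the hosts file also redirects.
    for key, value in r_lines:
        if (m := HOST_IN_URL_RE.match(value)) and registrable(m.group(1)) in hijacked_domains:
            findings.append(Finding("high", "search-hijack", f"{key} = {value}"))

    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

    On the sample above the script reports the 198.65.164.168 redirect as high (two distinct domains), the verisign sitefinder entry as medium, the searchv.com search page as a search hijack, the WinShow BHO as an orphan, and the Soca Run entry as an autorun from the profile; the casinoxo.com line is treated as a block and skipped. The alert the thread opened with (a file under System Volume Information\_restore\...) is a System Restore snapshot, which a HijackThis log does not list, so that part is out of scope for this script.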
     
  4. Vladrek

    Vladrek Guest

    Thanks for the speedy replies; the link the first poster gave helped. It seems the trojan downloader problem has been solved.


    Here's the hijackthis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:46:37 AM, on 12/4/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Fast.exe
    C:\HT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.camelotherald.com/index.shtml
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wretched hive of scum and villainy
    O1 - Hosts: 255.255.255.255 www.casinoxo.com
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [SetCacheMode] Rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QveCtl2Tray] C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE C:\Program Files\Philips\PSA2\skin
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/controls/launcher.ocx
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Perfect. :)

    Did you get rid of the clispri alert by clearing out the Restore Points?

    If so, make a manual Restore Point now that you are clean.

    Regards,

    Pieter
     
  6. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hey, I think I was the first (maybe) to be attacked by this trojan.downloader.clispri.a... I already posted the same sort of problems :( and it did bug me a hell of a lot of the time.... Pieter knows about it... I got this from PurityScan and then the trojan entered my PC... it remained like that and AVG could only catch that, but sorry, nothing else... and when the Trend Micro HouseCall online scan ran and tried to open every file, AVG caught it again... :rolleyes:
    I don't know what the heck was happening, but then I already formatted my HDD and I am having a different sort of problems, of course not related to here... what I can say here is that... you can get some more useful info here too:
    http://www.wilderssecurity.com/showthread.php?t=16326
    Good luck
     