Does anyone know how to PERMANENTLY get rid of this trojan

billym

I seem to have picked up a Trojan from somewhere that, for some reason, is
NOT being detected by Norton antivirus (very troubling). It injects itself
onto my system under Windows\System32\cpr.dll. It installs itself as CPR,
for which I have to use Add/Remove Programs before I can delete it.

However, the next time I reboot IT'S BACK AGAIN!!!

I found the following eye candy in the dll:

----------------------
http://iads.adroar.com/ie/ad3/index.php ÿÿÿÿ+
http://iads.adroar.com/ie/update3/index.php ?ÿÿÿÿ SOFTWARE\Cpr\Config\



h t t p : / / i a d s . a d r o a r . c o m / c o u n t . p h p ? c p r 3
U



SOFTWARE\Cpr\Config\
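
Added example, not part of billym's post: the spaced-out "h t t p : / / ..." line in the paste looks like a UTF-16LE (wide-character) string whose zero bytes are displayed as gaps. The Python sketch below pulls both ASCII and UTF-16LE strings out of a binary and lists the URLs and registry paths for blocking or hunting; it runs on a constructed byte blob built from the strings quoted above, and the function names are illustrative.

```python
import re

MIN_LEN = 6  # ignore runs shorter than this; they are mostly noise

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each character followed by a 0x00 byte), as Windows binaries often do.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL = re.compile(r"https?://\S+", re.I)
REG_KEY = re.compile(r"(?:SOFTWARE|SYSTEM)\\[\w\\ .-]+", re.I)


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def indicators(data: bytes):
    """Return sorted, de-duplicated URLs and registry paths found in data."""
    urls, keys = set(), set()
    for _, _, text in extract_strings(data):
        urls.update(URL.findall(text))
        keys.update(REG_KEY.findall(text))
    return sorted(urls), sorted(keys)


# Constructed sample: the strings quoted in the post, packed into a byte
# blob with 0xFF filler the way they appear in the paste. Not the real DLL.
SAMPLE = (
    b"\x00\x01http://iads.adroar.com/ie/ad3/index.php\x00\xff\xff\xff\xff+\x00"
    b"http://iads.adroar.com/ie/update3/index.php\x00?\xff\xff\xff\xff"
    b"SOFTWARE\\Cpr\\Config\\\x00\x00"
    + "http://iads.adroar.com/count.php?cpr3".encode("utf-16le")
    + b"\x00\x00U\x00\x00\x00"
)

if __name__ == "__main__":
    found_urls, found_keys = indicators(SAMPLE)
    for url in found_urls:
        print("url:", url)
    for key in found_keys:
        print("reg:", key)
```

A plain ASCII-only strings pass would miss the count.php URL entirely, which is why both encodings are scanned.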
 
Monica

I have the exact same problem with a chat program that
attached itself to me called mIRC. I can't get rid of
it even if I go into REGEDIT and delete. It keeps coming
back. Is very troubling. Hope you get a good reply I can
read as well. Regards, Monica
 
Ramesh [MVP]

Norton should detect it. Update to latest definitions. Also see:

"Not a valid date" or "Module was compiled with trial version of Delphi"
How to troubleshoot the "Delphi Error":
http://www.mvps.org/sramesh2k/Delphi.htm
[REG file available]

--
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k
-------------------------------------------
Computer viruses: description, prevention, and recovery:
http://support.microsoft.com/?kbid=129972
-------------------------------------------



Willit

Some are hard to catch, after it installs it changes its
name and uses the system clock to move itself back in
the start up folder or registry. After you have had your
system on for a while you have to check in both. Most have
a .hta extension. They can use the clock even when your
system is shut down.
 
Guest

Anti-Virus is only as good as its reference file. There are
100's of things that never get on them. It has to be
reported to them or be widespread enough to be brought to
their attention. Just go to a few adult sites.....lol
 
billym

The links are what I used to get rid of it in the first place. It works until
I reboot and then reinstalls itself from somewhere. This aspect was not
discussed.

I also used the latest virus definitions, but it didn't work. I suspect it
is because I am using Norton AntiVirus 2002, which does not look for
spyware. I am in the process of upgrading to Norton AntiVirus 2004 in the
hopes that will do the trick.

And... for whatever it is worth, I DO wish we could get a law passed that
would make this sort of thing illegal... and start prosecuting these creeps
who hijack our machines.


Papa

Passing new legislation will not accomplish much because the internet is
world-wide in scope, and much of the spam and virus attacks are beyond
national borders.

Here is what you need to do:

1. Install a good anti-virus program, keep it updated at least weekly, and
run it often. I use AVG 6.0 from Grisoft, which is a free download.
2. Install a good anti-spyware program and do the same thing - keep it
updated at least weekly, and run it often. I use Ad-Aware from Lavasoft. It
is also free. It is a good idea to also install and run Spybot Search and
Destroy. What Ad-Aware won't catch, Spybot will - and Spybot is free too.
3. Install a firewall. Mine is built into my router.
4. If you are not already doing so, use an entirely fake email address for
all newsgroup posts.
 
Ramesh [MVP]

Did you run Ad-Aware [www.lavasoftusa.com]?

If the problem persists, send me the log file generated out of HijackThis:
HijackThis download:
http://www.spywareinfo.com/~merijn/


--
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k
-------------------------------------------
Computer viruses: description, prevention, and recovery:
http://support.microsoft.com/?kbid=129972
-------------------------------------------



kim

billym said:
I seem to have picked up a Trojan from somewhere that, for some
reason, is NOT being detected by Norton antivirus (very troubling).
It injects itself onto my system under Windows\System32\cpr.dll. It
installs itself as CPR, for which I have to use Add/Remove Programs
before I can delete it.

However, the next time I reboot IT'S BACK AGAIN!!!

The best way is to install and run HijackThis. Then submit results to the
Spywareinfo forum where they will tell you what to get rid of. Instructions
and download here, http://mjc1.com/mirror/hjt/ There is a link to the forum
from there.

Kimmy
 
Bruce Chambers

Greetings --

You want a law passed that says _you_ cannot download and install
whatever software _you_ want?

Usually, it's not anonymous hackers who do such things. In the
overwhelming majority of cases, people do it to themselves. Trojans,
worms, spyware, and adware do not simply ".... somehow get onto the
computer," nor are all such intrusions the results of deliberate
attacks. Such programs are most often installed by unwary and
uninformed computer users who thoughtlessly click pretty links or
download and install the "brightest and shiniest" new, "free"
utilities and games without bothering to read the fine print in the
accompanying license agreements, which explicitly give these
unscrupulous utility/game distributors permission to install
additional "features," or checking to see if this new utility/game
comes from a legitimate source. Another great source of this malware
is email attachments that many people open and execute without a
thought, simply because the subject line is "catchy," or it claims to
be from someone they know. The installation of scumware (a collective
term for adware and spyware) is also part and parcel of using some
peer to peer file sharing programs, Kazaa being the leader in this
field. In plain language, all too many people do not practice "safe
computing."

Firewalls and anti-virus applications are important components of
"safe computing," but they cannot, and should not, protect the
computer user from him/herself. These programs cannot prevent the
computer user from deliberately, if unknowingly, installing such
malware. Ultimately, it is incumbent upon each and every computer
user to be fully aware of the potential consequences of clicking
download links and license agreement buttons.


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
billym

Papa said:
Passing new legislation will not accomplish much because the internet is
world-wide in scope, and much of the spam and virus attacks are beyond
national borders.

In order for the law to be effective, it will need to account for those who
hire their services. These clowns are not doing this for free.
 
billym

Yes.

And the Norton upgrade apparently missed it too. That cpr.dll crap is back
again AFTER running Norton AntiVirus 2004.


billym

I got into a huge debate about the lack of standards for wall warts awhile
back. The techies made pretty much the same argument you're making here. Due
to lack of standards (including lack of connector standards), the argument
on this matter lined up along a view where electrical techies were adamant
that average consumers who misplace or mix up their unlabeled wall wart and
wound up blowing out an expensive device through a misconnection had no one
other than themselves to blame. IOW, they should have been more
knowledgeable/careful, etc.

But get a clue, the average consumer is NOT a nerd and cannot be expected to
have the wisdom or knowledge of a nerd. There are predators in the industry
who constantly and persistently prey upon vulnerable situations. Nonetheless,
if they invade our systems without our EXPLICIT permission to do so,
they're thieves. Your excuse for the behavior implying that a consumer's
naiveté entitles them to be taken advantage of irritates me to no end.

I am especially irritated by "scumware" being installed by seemingly
mainstream, legitimate sources.

Aren't you?
 
Papa

As I indicated earlier, the problem is international in scope, and the
originators are usually not within the reach of local law enforcement. Much
of the stuff is generated by people doing it just for kicks, and to spread
misery. They are not being hired by anyone.
 
Papa

Most of these attacks are propagated by innocent bystanders who allow their
systems to become infected (especially their address books), and then they
inadvertently spread it everywhere else.

The bottom line is, every computer user should think about what they are
doing before rushing into something. Unfortunately, far too many do not, and
all that does is allow the scumware to spread even faster.

And ignorance is really no excuse. If a user just employs the brain he/she
was born with, their computer will become much more easily understood. After
all, the current operating systems and associated software were meant for
the average person - not some PHD with a double major in electronics and
computer science. If I, a retired senior citizen in his 70s, can keep up
with it - younger, more energetic people with access to all the latest
technology certainly should manage to cope.
 
Bruce Chambers

Greetings --

To sum up something you seem to have entirely missed from my post:
adults accept the responsibility for, and the consequences of, their
own actions. It doesn't matter whether he/she is using a computer,
driving a car, or raising children. Government hand-holding and
baby-sitting will _not_ make the world a better place. It will only
handicap the very people it purports to protect. (I bet you're a big
fan of "political correctness," too.)

You also missed the fact that these so-called predators _do_ have
the explicit permission to "invade" the systems of the willfully
ignorant and the intellectually lazy. Yes, it's a dangerous world,
and each and every one of us should actively participate in our own
defense, rather than rely upon a government agency.


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
David Candy

There is a law that prevents it. In New South Wales you can't alter someone's computer without their permission.

Ramesh has a copy of it and presumably has worked out how it works by now. I know how to do a related program called pup, which I think, but am not sure, is the same as or a different version of CPR (no one has sent me a copy - I was going to ask Ramesh but have been fixing computers so forgot to ask him). Send me the file and I'll look at it.

If it's like pup it has some defenses on being removed.
 
