Author Topic: Could this be wrong?  (Read 6797 times)

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Could this be wrong?
« on: November 30, 2004, 01:00:40 PM »
ClamWin AV detected this when I scanned my computer:

C:\WINDOWS\lpr123.exe: Worm.Gaobot.167 FOUND
-- summary --
Known viruses: 27913
Scanned directories: 5137
Scanned files: 73891
Infected files: 1
Data scanned: 16420.51 MB
I/O buffer size: 131072 bytes
Time: 14813.922 sec (246 m 53 s)


I scanned my computer with Command Antivirus and Avast and neither found anything.  Does anyone know anything about this lpr123.exe file?

I run Windows Update weekly, so how could this be Gaobot?
"People who are really serious about software should make their own hardware." - Alan Kay

lee16

  • Guest
Re: Could this be wrong?
« Reply #1 on: November 30, 2004, 01:09:34 PM »
Hi MAC,

Please use the Jotti scanner and let us know the results; if only one anti-virus detects it, then it's probably a false positive.

--lee

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Could this be wrong?
« Reply #2 on: November 30, 2004, 01:25:27 PM »
Looks like the Remote Password Stealer originating from FindPassword.com.

- Connects to the remote server
- Logs keystrokes
- Runs in stealth mode
- Steals personal information

Creates the following files:
FILE:%WINDOWS%\Lpr123.exe
FILE:%WINDOWS%\Spdhook.dll
FILE:%WINDOWS%\Spd123.ini

and adds the following registry keys:
RUN:lpr
RUN:lpr123.exe

whocares

  • Guest
Re: Could this be wrong?
« Reply #3 on: November 30, 2004, 03:08:13 PM »
This ClamAV-detection is only 2 days old:
Info
so maybe it's not too good a signature..

But please submit the file to Alwil, as it definitely seems suspicious.

 ;)
« Last Edit: November 30, 2004, 03:08:37 PM by whocares »

Offline .: Mac :.

Re: Could this be wrong?
« Reply #4 on: December 01, 2004, 12:27:16 AM »
OK, I will try to locate the file.

Offline .: Mac :.

Re: Could this be wrong?
« Reply #5 on: December 01, 2004, 01:12:24 AM »
This is weird. ClamWin is set to report only, which it did. So why can't I find the file? I went to the folder options and checked the show hidden files and folders option. Still could not find anything. I used the search function, telling it to search in hidden files and folders, and still did not find it. I even tried searching in safe mode.

I tried the following AV scanners
Avast
Antivir
House Call
Command AV
F-Secure AV (which includes the KAV engine)

inthewildteam

  • Guest
Re: Could this be wrong?
« Reply #6 on: December 01, 2004, 01:33:13 AM »
@ .:Mac:.

Try a registry search for the 2 values Eddy mentioned
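
Added example (not part of the thread, and not code from ClamWin or avast!): a PowerShell check for the three files and two Run entries listed in Reply #2, including hidden files that an Explorer search can miss. It assumes "RUN:" refers to the standard HKLM and HKCU Run keys, and it also flags any Run value whose data mentions lpr123.exe.

```powershell
# Added example: look for the indicators listed in Reply #2.
# Assumption: "RUN:" means the standard HKLM/HKCU ...\CurrentVersion\Run keys.
$fileNames = 'Lpr123.exe', 'Spdhook.dll', 'Spd123.ini'
$runNames  = 'lpr', 'lpr123.exe'
$runKeys   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

foreach ($name in $fileNames) {
    $path = Join-Path $env:windir $name
    # -Force also returns hidden and system files
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        # The hash lets the exact file be compared across scanners or submissions
        $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Where  = $item.FullName
            Detail = "$($item.Length) bytes, modified $($item.LastWriteTime), SHA256 $hash"
        }
    }
}

foreach ($keyPath in $runKeys) {
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        # -contains and -match are case-insensitive by default
        if (($runNames -contains $valueName) -or ($data -match 'lpr123\.exe')) {
            $findings += [pscustomobject]@{
                Type   = 'RunValue'
                Where  = "$keyPath\$valueName"
                Detail = $data
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'None of the listed files or Run entries are present.'
} else {
    $findings | Format-List
}
```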

Offline .: Mac :.

Re: Could this be wrong?
« Reply #7 on: December 01, 2004, 02:05:40 AM »
No, there are no registry entries like that. I will contact the maker of ClamAV (alch) and ask him why his scanner is detecting this.

whocares

  • Guest
Re: Could this be wrong?
« Reply #8 on: December 01, 2004, 07:43:13 PM »
Hi Mac,

Try ESCAN in Safe Mode: see "VirusRemoval" below for the link.

 ;)

Offline .: Mac :.

Re: Could this be wrong?
« Reply #9 on: December 02, 2004, 03:46:01 AM »
Guys, after talking with alch about the problem, he gave me a small patch and the version now reads 0.37.3.0.1 and the FP is gone.