How can I fix Win32.clspring!generic trojan.

Nick, April 2005

The Win32.clspring is also called "Adware.PurityScan" by Norton. Norton provides a link to the website that created it so you can uninstall it.

http://www.symantec.com/security_response/writeup.jsp?docid=2003-090516-2325-99&tabid=1

I have Zone Alarm antivirus, and I had this same spyware, and after I used the PurityScan's website uninstaller, my Zone Alarm came back saying that it had been successfully "treated." All of my spyware/antivirus scans are coming back clean now, even after several reboots (This infection used to show itself, then hide, then show itself again after every reboot.). Hope this works for you.

Erica, December 2006

Hi nick

Download Ad-AwareSE

Download SpyBot

Download ScanSpyware
(Serial: 5426-7451-2543)

Download Mwav

Download SysClean (sysclean.com file)
Download pattern file
(unpack and copy with sysclean.com to the same folder)

Download TDS-3
Download TDS-3 update
(just re-copy radius.td3 file to the folder TDS-3)

Download latest Stinger version

Download CCleaner

http://www.docsdownloads.com/Tier1/dr-delete.htm

Download Advanced process termination
www.diamondcs.com.au/index.php?page=apt
(you don´t have to install it....it´s only executable utility)

install and check for updates....

PROCEDURE:
1.Turn off System restore

2.Reboot to the "Safe mode"

3.Show hidden files

4.Run Hijackthis:
Check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DE8E2AB6-B503-C8DA-7357-E65B242C6197} - C:\WINDOWS\System32\oprgpja.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svaoytyqp] C:\WINDOWS\System32\epsdqv.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [Cqsfzd] C:\WINDOWS\System32\m?hta.exe
O4 - HKCU\..\Run: [Rota] C:\Documents and Settings\Tim\Application Data\nplu.exe
O4 - HKCU\..\Run: [K0psRTb4Q] cmdltui.exe
O9 - Extra button: Microsoft AntiSpyware helper - {1E3355A5-42D2-4AAC-868A-7EE3E886D1EA} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1E3355A5-42D2-4AAC-868A-7EE3E886D1EA} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1F56BA63-46BF-4481-9979-95F5FD2D5160} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1F56BA63-46BF-4481-9979-95F5FD2D5160} - (no file) (HKCU)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4B65BB35-E5FA-35EE-90AC-51437E7E0003} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15c9385b9cb25a955501/netzip/RdxIE601.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\Tim\LOCALS~1\Temp\ThereInstallHelper.2.0.1953.0.dll
O16 - DPF: {8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2} (There Voice Trainer) -
O16 - DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} (There Launcher) -
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/2.0.0.33/player.virtools.com/downloads/player/Install2.0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
Fix checked...........

5.Run Advanced Process Termination:
C:\WINDOWS\System32\m?hta.exe
C:\WINDOWS\System32\epsdqv.exe
C:\Documents and Settings\Tim\Application Data\nplu.exe
cmdltui.exe
select and then press "ALL" button in PROCES CONTROL OPTIONS

6.Find and delete these files:(use Dr.Delete)
C:\WINDOWS\System32\oprgpja.dll
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll
C:\WINDOWS\System32\m?hta.exe
C:\WINDOWS\System32\epsdqv.exe
C:\Documents and Settings\Tim\Application Data\nplu.exe
cmdltui.exe

7.Scans:
run scan with Ad-AwareSE (full system scan, scan volume for ADS)
run scan with SpyBot
run scan with ScanSpyware (do complete scan)
run scan with Stinger
run scan with Mwav (all scan options)
run scan with SysClean
run scan with TDS-3 (choose all choices to scan in SCAN CONTROL)

8.Cleaning
run CCleaner (analyze---run cleaner)

9.Enable System restore (reverse progress of disabling)

10.Reboot

post new log for check...thx

scarletone, July 2005