
YahooAntiSpy finds, Mbam does not.



I am working on a computer with Vista on it right now, and it has Yahoo Anti Spy. Tonight I did a quick scan with the newest database with Mbam, and nothing was found.

Every time this computer starts up, Yahoo Anti Spy finds CMJSpy 0.5

Does anyone know what this is?

Attached is a screen shot of it.



  • Root Admin

We don't work on logs here in the General forum. You also need to supply the FULL path to what it's found as the image is cut off.

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.

  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.


@ AdvancedSetup

I will be leaving this computer soon and will not be back again until next Wednesday.

Have you heard of that file before though? I know the pathfile got cut off :huh: I've been trying to figure out the rest but it won't show for some reason! :lol:

I will happily post a HJT log, however, I would not be able to get to it again until next week, and I am not sure if any of my family members would be able to do it either, as they aren't very computer literate in some respects, which is why I am trying to work on it. I don't get down here very often unfortunately.


  • Root Admin

It's possible the system is infected with something.

http://www.symantec.com/security_response/...-050115-4247-99

Trojan-Spy.CmjSpy attempts to steal confidential information such as usernames and passwords from the affected machine and send the stolen information to a remote attacker.

What is CMJSpy 0.5 ?


Malware Name : CMJSpy 0.5

Malware Type : Remote Administration Tool (RAT) (A Remote Administration Tool (RAT) is a program that creates a client in the attacker machine and a server in the attacked machine, giving the ability to remotely administer an attacked machine.)

Executable File(s) : client.exe , server.exe , server_unpacked.exe

Registry Entry/Entries :

* HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\monitor

Okay, if you want or need anything more then you'll need to start a new post in the HJT forum.


@ AdvancedSetup

Thank you for the information on that file. It's been popping up for months, always saying it's gone but coming up again at reboot. If I post a HJT log, will it be okay if I don't get back to it until next week?

This computer has Comodo Firewall & AntiVirus on it and I was just trying to update Java. It finally finished downloading, and right away the firewall popped up saying MSI8EE.TMP is trying to access... and it was trying to access superantispyware, explorer.exe, firefox.exe, mobsync.exe just now, and I was hitting block but it just kept popping up, and I hit accept finally and more and more things kept popping up, although it is done now.

I think it had to do with Java because I just hit accept on that last exe and it now is saying jre-6u15-windows-i586-iftw.exe. I hope I didn't mess up the update because I did hit block on a few things. Right after, it just asked for msiexe.exe. Now the familiar Java updater/installer started up. Usually it asks me if I want to install a free toolbar or something with it, but it didn't this time. I hope I didn't accidentally accept that on the firewall.

Unfortunately I have to go soon... I hate to leave it like this though. I have tried asking them to stay off the internet until I can get to it but unfortunately I am not sure if this is entirely possible or not.


@ calintexas

Thanks :unsure: I read the directions twice though and they all instruct to scan with Norton/Symantec, which that computer no longer has updates for - it was a trial that ran out I believe :/

Were there any other removal instructions that perhaps I missed? :/


Sorry, I didn't read it closely enough. You do have some choices:

1. You could uninstall and clean the Norton that's there and the Comodo AV and install an eval copy of NIS 2010 and then follow the directions.

2. Maybe a better idea is to look for the files that the Symantec page said to remove manually. If they aren't there, I'd think that you actually don't have CMJSpy 0.5.

3. Maybe the best choice is to dump Norton and Comodo, and install Avira and mbam. If neither of them find it, you almost surely don't have it.

I googled CMJSpy 0.5. Several of the results were to people that found it with the Yahoo CA app (Hmm). One guy said to be sure you are running as an admin when you try to clean it (with Yahoo CA). I also googled the Yahoo CA spyware app and was surprised to find that people generally like it. I don't know what to tell you, but I'll be a bit surprised if it doesn't turn out to be an FP.
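Option 2 above amounts to checking the indicators quoted earlier in the thread (the Run value named "monitor" and the client.exe / server.exe / server_unpacked.exe file names) before deciding whether the Yahoo detection is a false positive. The script below is an added example, not from the thread or from Malwarebytes: it assumes you have exported the HKLM Run key with `reg export` (or Regedit) to a .reg file, parses the string values in that export, and reports only entries that match those indicators; the .reg text embedded here is a constructed sample.

```python
import re

# Indicators quoted in the thread from the vendor description of CMJSpy.
SUSPECT_VALUE_NAME = "monitor"
SUSPECT_EXES = {"client.exe", "server.exe", "server_unpacked.exe"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run$", re.IGNORECASE)

# Constructed sample of a 'reg export' of the HKLM Run key (not a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"monitor"="C:\\Windows\\System32\\server.exe"
"COMODO Internet Security"="\"C:\\Program Files\\COMODO\\cfp.exe\" -h"
'''

# .reg string values escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]               # new key section, e.g. [HKEY_LOCAL_MACHINE\...]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:                          # hex:/dword: values are skipped on purpose
                unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
                yield key, unescape(m.group(1)), unescape(m.group(2))


def image_name(data):
    """Return the executable file name from a Run value ("quoted path" args or bare path)."""
    path = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_cmjspy_indicators(text):
    """Return (value_name, data) pairs under a Run key matching the thread's indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not RUN_KEY_RE.search(key):
            continue
        if name.lower() == SUSPECT_VALUE_NAME or image_name(data) in SUSPECT_EXES:
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_cmjspy_indicators(SAMPLE_REG):
        print(f"suspect Run value {name!r} -> {data}")
```

An empty result on a real export is consistent with the false-positive reading the next replies argue for; a hit is a reason to follow the HJT-log route the Root Admin described rather than to delete anything by hand.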


Yahoo CA? As in Computer Associates? This is most certainly a false positive, especially since it's an infection from 2003 and no one else seems to be detecting it.

CMJspy0.5 was noted in a 2005 infection base - Also a CMJ 1.0 (or 1.1 or 0.1) from memory -

A Chinese traced backdoor infection that is still around and may be "hard to kill" -

Again only a quick net search based on CMJ spy bases -


I'm referring to the OP's detection, it was Yahoo that made it. I'm not debating whether the threat is still in circulation, I'm debating whether or not this particular detection was accurate. The system in question is running CIS with Defense+ active, if it didn't detect either the RAT or the behavior of it then it's extremely likely to be an FP, that's all I'm saying.
