Win32.SillyDl.CL Problem

Discussion in 'Malware and Virus Removal Archive' started by Kazper, 2005/01/30.

Thread Status:
Not open for further replies.
  1. 2005/01/30
    Kazper

    Kazper Inactive Thread Starter

    Joined:
    2004/10/13
    Messages:
    21
    Likes Received:
    0
    Greetings!

    I've read other threads regarding "Win32.SillyDl.CL," but none of them seem to address my particular problem. Here's my situation:

    I'm running Windows XP Home (SP2) and I use FireFox, not IE. Yesterday my system became infected with the iSearchToolbar. As soon as I saw this I quit all programs and ran (in this order) EZ Trust Anti Virus, Ad-Aware Pro 6, Spybot S&D. The three programs together found and fixed over 200 problems (I scan daily, so I'm sure these were all caused by the iSearchToolbar).

    Since that initial scan and clean I'm still running into problems. I clean my system, reboot and the problems are back. Here's what each program finds...

    Spybot keeps finding ISearchTech.PowerScan. I fix it, but after a reboot, it's back.

    Ad-Aware finds this:
    istbar Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\IST
    I clean it, after reboot, it's back

    And, for the first 10-15 minutes after I reboot EZ Antivirus pops up every 45 seconds or so with a new warning. The offending program is always located in my "Temp" directory. Its file name is a random 8 characters followed by a ".exe" extension, and EZ Antivirus identifies it as "Win32.SillyDl.CL" trojan, and deletes it. The strange thing is that after 10 or 15 minutes EZ Antivirus doesn't detect anything, so I'm guessing the background process that's downloading this trojan eventually quits. Oh, and I don't get the warnings from EZ Antivirus if I disconnect from the internet.

    I've tried running the three security programs in safe mode, and I've also found information on the www.ca.com web site about removing the trojan manually, but every time I reboot, the problem persists.

    So, all I can think of is that there is some process running in the background that's not being detected, but is downloading the trojan after every reboot. I need to find out what this program is and get rid of it. Any suggestions?

    Thanks in advance for any help you can offer.
     
  2. 2005/01/31
    Kazper

    Kazper Inactive Thread Starter

    Joined:
    2004/10/13
    Messages:
    21
    Likes Received:
    0
    Problem Solved

    Greetings!

    After more than 27 hours straight, I think I've finally solved the problem. In short, a 6,656 byte program called "jwlmrr.exe" located in my "C:\WINDOWS" directory was to blame.

    The long answer...

    After trying everything in my arsenal I tried some more Google searches. Eventually I came across Spyware Doctor. I downloaded and ran it, and found 45 threats that my other programs hadn't discovered. Spyware Dr., however, won't clean your system until you purchase it, which I reluctantly did (I hate buying something that I'm not sure will do the job). Well, after running it and cleaning my system, I rebooted and...THE PROBLEM WAS STILL THERE!! So I ran all of my programs again. EZAV, Ad-Aware and Spybot were still finding the same things they've been finding since last night, but Spyware Dr. was only finding "XXXToolbar" and "Zango Search Assistant." So, I booted into Safe Mode and ran all 4 apps again. Rebooted and the problem persisted. All programs reported the same problems.

    Finally I got an idea that I'm kicking myself for not thinking of yesterday. I waited until EZAV didn't report anything for an hour (without touching my computer). I then did a full system scan with all four security programs and cleaned everything out. Next I printed out a list of all running processes. I rebooted, waited for EZAV to report a virus, then printed the process list again. I found three processes running that weren't running after my last system scan. The first was EZAV (reporting the viruses), the other two I didn't recognize (jwlmrr.exe & wuauclt.exe). I took these files, placed them in a RAR archive (just in case). I then waited until EZAV stopped reporting viruses. I deleted the two unknown processes. jwlmrr.exe deleted without a problem, but when I deleted wuauclt.exe Windows complained and asked me for my original CD. I popped that in the drive and Windows stopped complaining.

    I rebooted, scanned my system with all four programs, and only a couple of registry keys were found. I've been back up and running for more than an hour now with no complaints from EZAV or any of the other security programs.

    That was not fun, but it was educational. :)
     
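    The "print the process list, reboot, print it again, look for newcomers" method described in the post above, as an added PowerShell example (not from the thread or from any tool named in it). It also checks each newcomer's Authenticode signature and SHA-256 hash, so a genuine Windows binary such as wuauclt.exe is not mistaken for the dropper while an unsigned executable sitting in C:\WINDOWS stands out. The baseline file path in the usage comments is an assumption.

```powershell
# Added example (not from the thread): process snapshot diff with a signature check.
# C:\baseline.xml is an assumed location; pick any writable path.

function Get-ProcessSnapshot {
    # One row per running process, keyed later on Name + ExecutablePath.
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

function Compare-ProcessSnapshot {
    param(
        [Parameter(Mandatory)] $Baseline,   # snapshot taken while the machine was quiet and clean
        [Parameter(Mandatory)] $Current     # snapshot taken while the AV alerts were firing
    )
    # Keep only processes that are running now but were absent from the baseline
    # ('=>' side), and that have a path on disk we can inspect.
    $newcomers = Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current `
                     -Property Name, ExecutablePath -PassThru |
                 Where-Object { $_.SideIndicator -eq '=>' -and $_.ExecutablePath }

    foreach ($p in $newcomers) {
        $sig  = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        $hash = (Get-FileHash -Algorithm SHA256 -Path $p.ExecutablePath).Hash
        [pscustomobject]@{
            Name        = $p.Name
            Path        = $p.ExecutablePath
            ProcessId   = $p.ProcessId
            ParentId    = $p.ParentProcessId        # who launched it: the persistence mechanism
            Signature   = $sig.Status               # 'Valid' for Microsoft binaries; 'NotSigned' is the red flag
            Signer      = $sig.SignerCertificate.Subject
            SHA256      = $hash                     # value to look up with a vendor or a process library
            CommandLine = $p.CommandLine
        }
    }
}

# Step 1, on the idle machine after a full clean: save the baseline.
#   Get-ProcessSnapshot | Export-Clixml -Path C:\baseline.xml
# Step 2, after the reboot, while the AV is alerting: list and review the newcomers.
#   $base = Import-Clixml -Path C:\baseline.xml
#   Compare-ProcessSnapshot -Baseline $base -Current (Get-ProcessSnapshot) | Format-List
```

An unknown, unsigned executable in a system directory is the candidate to archive and then remove; a newcomer with a valid Microsoft signature (the Windows Update client in this thread) is a process to leave alone.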


  4. 2005/01/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well done Kazper :) Just so you know, wuauclt.exe is the Windows Update Automatic Client. Thanks for sharing your results.
     
  5. 2005/02/02
    Kazper

    Kazper Inactive Thread Starter

    Joined:
    2004/10/13
    Messages:
    21
    Likes Received:
    0
    Solved! -- And, another question...

    Ah yes, thanks noahdfear! I figured that one out quite quickly :) I did find a very useful web site in the midst of all this called www.processlibrary.com. Lots of great info there about not only Microsoft processes, but lots of 3rd party stuff too.

    The good news is that it's been a few days and all is well. It looks like I managed to get rid of that thing for good :)

    However, something did occur to me this afternoon. I have a program on my Mac OS X systems called "Little Snitch." Here's a short description from the author...

    ---snip------
    When an application tries to establish a network connection, Little Snitch intercepts the attempt and brings up an alert panel, telling you all the connection details including the name of the application which initiated the connection. You can either allow the connection, deny it or add a permanent rule for similar future-connections.
    ---snip------

    Little Snitch is something like a "reverse firewall." It stops a program from "calling home" without permission. I figure that something like this on my Windows XP system would have alerted me right away that a rogue program was trying to download something behind my back. It also would have let me know where it was "calling" and I could have also dealt with the problem with the help of my ISP.

    Is there something like this for Windows? It would be most useful.

    Thanks!
     
  6. 2005/02/03
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    This Little Snitch sounds like nothing more than a packet sniffer.
    What you sound like you are asking for is a firewall that will control inbound and outbound traffic. There are two good free ones available at the Quicklinks page below.
    These two firewalls can tell if an application has been changed since the last time it accessed the internet. This can prevent some malware from imposing under another name.
    There is a third real good free firewall, Sygate Personal. It will not only monitor executables, but also their DLL [Dynamic Link Libraries] files. This one will get as complicated as you make it out to be, it starts out with simple operation.
     
  7. 2005/02/03
    Kazper

    Kazper Inactive Thread Starter

    Joined:
    2004/10/13
    Messages:
    21
    Likes Received:
    0
    I don't think Little Snitch is a packet sniffer. It's a control panel that runs at the kernel level when active.

    When an application of any type attempts to access your network connection Little Snitch pops up a dialog box stating something to the effect "Program X just attempted to contact 111.222.333.444. Do you want to: [Allow Once], [Allow Always], [Deny Once] or [Deny Always]?" So it is, essentially, a firewall designed to only let traffic out of the user's computer based on rules the user sets.

    If I had a program like Little Snitch for my XP system what would have happened is as soon as the virus tried to download the spyware I would have seen a dialog box pop up saying something like "The program 'jwlmrr.exe' just tried to establish a connection with 'http://111.222.333.444' Do you want to: [Allow Once], [Allow Always], [Deny Once] or [Deny Always]?" That would have pointed me to the root of my virus problem immediately saving me hours of hair-pulling investigation trying to track down the source of the problem.

    The main drawback to a program like Little Snitch is that when you first install it you get LOTS of warnings. The first time you check your mail, or browse the internet, or your virus software tries to download a new definition file. Until Little Snitch knows a certain program is "trusted" it won't allow it to establish a connection with the outside world.

    I've tried a few firewalls for Windows, but have yet to find one that restricts all outgoing traffic except for programs allowed by a set of user defined rules.

    BTW: Little Snitch's web site: http://www.obdev.at/products/littlesnitch/index.html.

    I'll check out your suggestions in the QuickLinks section. Thanks!


    P.S. I take back what I said about Windows firewalls. I just installed EZ Armor from Computer Associates (www.ca.com) and it seems to have program blocking built in. I'll let you all know in a few days what I think about it.
     
    Last edited: 2005/02/03
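    The per-program outbound control discussed in the posts above ("deny everything out unless the user has allowed that program"), as an added PowerShell example using the firewall built into current Windows versions; this is not from the thread and not the product the poster later installed. Program paths in the usage comments are assumptions. The firewall's text log records drops but not the process name, so the example also enables the audit subcategory whose Security event 5157 names the blocked application.

```powershell
# Added example (not from the thread): Little Snitch-style default-deny outbound
# with an allow list, plus auditing so each denied connection names its program.
# All program paths below are assumptions for the machine being protected.

function Set-OutboundAllowlistPolicy {
    param([Parameter(Mandatory)] [string[]]$AllowedPrograms)

    # Create the allow rules first; switching to default-deny before they exist
    # cuts off every program, including the one fetching AV definitions.
    foreach ($exe in $AllowedPrograms) {
        New-NetFirewallRule -DisplayName "Allowlist outbound: $(Split-Path $exe -Leaf)" `
            -Direction Outbound -Action Allow -Program $exe -Profile Any | Out-Null
    }
    # Everything not allow-listed is now dropped on the way out.
    Set-NetFirewallProfile -All -DefaultOutboundAction Block -LogBlocked True

    # Windows Filtering Platform failure auditing: event 5157 in the Security log
    # carries the application path, direction and destination of each drop.
    auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
}

function Get-BlockedOutboundConnections {
    # The "which program just tried to call home" view, read back from the event log.
    param([int]$Last = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $Last |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = $(if ($m -match 'Application Name:\s*(?<v>\S.*)')    { $Matches.v.Trim() })
                Direction   = $(if ($m -match 'Direction:\s*(?<v>\S+)')            { $Matches.v })
                Destination = $(if ($m -match 'Destination Address:\s*(?<v>\S+)')  { $Matches.v })
                DestPort    = $(if ($m -match 'Destination Port:\s*(?<v>\d+)')     { $Matches.v })
            }
        } | Where-Object { $_.Direction -eq 'Outbound' }
}

# Usage, from an elevated shell (paths are assumptions):
#   Set-OutboundAllowlistPolicy -AllowedPrograms @(
#       'C:\Program Files\Mozilla Firefox\firefox.exe',
#       'C:\Windows\System32\svchost.exe'    # hosts Windows Update, DNS client and DHCP; broad, but required
#   )
#   Get-BlockedOutboundConnections | Format-Table -AutoSize
```

Expect the same flood of denials the poster describes for Little Snitch on first install; each 5157 entry tells you which program to add to the allow list, and an unfamiliar executable in a Temp or Windows directory trying to reach the internet is the finding this thread took a day to reach by hand.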
  8. 2005/02/03
    wwhite139

    wwhite139 Inactive

    Joined:
    2005/02/03
    Messages:
    1
    Likes Received:
    0
    Got to this forum via a link from copernic search when no other source could fix my virus problem. My AntiVirus software continually discovered and deleted files but a pop up kept alerting and disturbing me. After seeing this thread I was able to cure the problem but in this case found the file at the root cause to be called hcixlrni.exe residing in my windows folder as described.
    Thanks for the solution....
     
  9. 2005/02/03
    Kazper

    Kazper Inactive Thread Starter

    Joined:
    2004/10/13
    Messages:
    21
    Likes Received:
    0
    I'm glad you got the problem solved, wwhite!

    On a related note...

    I received an e-mail from Computer Associates last night. They informed me that their programmers have incorporated this new threat into their definition file and were in the middle of "vigorous testing." They're hoping to release the new definition file to the public sometime today. So, those of you using EZ Trust AV, look for an update today :)
     