
Win32.vb.amx And Vista Home Premium 64-bit


11 replies to this topic

#1 psymonet (Members, 6 posts)

Posted 06 May 2008 - 12:30 PM

CounterSpy has removed what it identified as Win32.vb.amx from my Vista Home Premium 64-bit system. I have been able to find very little on this specific trojan, with CounterSpy's own website providing the most detailed information. Unfortunately, from their description, it sounds likely that other malware has been installed that I haven't yet become aware of.

After CounterSpy removed the one infected file that it found, I ran a Kaspersky online scan, which was unable to detect any infections. However, I still have some unusual symptoms that make me a little uneasy:

1. Unusual activity of csrss.exe (often hundreds of cycles per second, without end), which may or may not be malware-related. It's entirely possible that this is being caused by a software/driver conflict. This is the symptom, however, that caused me to start looking for malware.

2. I have noticed that a python interpreter has been installed on my computer. I did not install it, so unless it comes pre-installed on Windows Vista and I simply haven't noticed it before, this could be an issue.

Complicating matters, as previously mentioned, my computer is 64-bit. As a consequence, many popular malware-removal tools do not work at all, or have unpredictable results. Further complicating matters is that I was an idiot and didn't make a DVD copy of my restore drive (it's an HP computer and came with no Windows install DVD). I hadn't intended on getting an infection a week after I got the thing. My obvious concern is that it has been contaminated.

Thanks very much for taking the time to read this.

- Jim

Edited by Orange Blossom, 06 May 2008 - 07:07 PM.
Moved to more appropriate forum. ~ OB



#2 boopme, "To Insanity and Beyond" (Global Moderator, 73,440 posts, NJ USA)

Posted 06 May 2008 - 10:15 PM

Hello you weren't forgotten. I have made a request for some information with this situation. Hopefully I'll have something for you relatively soon.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 psymonet, Topic Starter (Members, 6 posts)

Posted 06 May 2008 - 11:16 PM

I appreciate your help very much. Thank you!

- Jim

#4 DaChew, "Visiting Alien" (Members, 10,317 posts, millenium falcon and rockytop)

Posted 06 May 2008 - 11:24 PM

http://www.bleepingcomputer.com/forums/ind...st&p=818353

Just do the MBAM for now; it works scanning with Vista 64-bit, the resident protection isn't ready yet.
Chewy

No. Try not. Do... or do not. There is no try.

#5 Papakid, "Guru at being a Newbie" (Malware Response Team, 6,629 posts)

Posted 07 May 2008 - 08:57 AM

After CounterSpy removed the one infected file that it found, I ran a Kaspersky online scan, which was unable to detect any infections. However, I still have some unusual symptoms that make me a little uneasy:

Could you give some details of the file that was found? What is the exact spelling of the file name and what folder was it in? No scanner is perfect, but it sounds to me as if you may be dealing with a false positive, especially since Kaspersky didn't find anything either, although that's not ironclad proof. Also because Vista is much more secure than previous OSes (especially if you use the UAC properly) and on a new machine.

Also, just because there are other files listed in the CounterSpy article, it doesn't necessarily mean that they have to all be present if you were/are infected.

One of the files listed is %system%\jusched.exe. jusched.exe is Java's updater and legitimate, but it should be in a subfolder of Java's folder in Program Files. (%system% equals C:\Windows\System32 for most people on XP and Vista.) That's a common trick malware uses, but it is possible that CS has misinterpreted the file's location or some other data and needs to refine their definition. This is more likely on a 64-bit system, and Vista is still having kinks worked out. The other problems you describe sound like they could be kinks in the 64-bit system.

So please post back with the name of the file and the folder it was in so we will know better how to aid you. I don't use CS so can't give specific instructions. It may be quicker if you contacted CS support--let them know you suspect a false positive and they will probably ask for a sample so they can correct their defs if need be.

The thing about people

is they change

when they walk away.--Mipso
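Papakid's point above, that a legitimate file name sitting in the wrong directory is what to look for, as an added example that is not part of the post or of any scanner: a small Python triage helper that compares each well-known executable name against the directories where the genuine copy lives. The expected-location table and the sample inventory are constructed for this illustration (the Program Files (x86) entry covers 32-bit Java on 64-bit Windows); csrss.exe and taskeng.exe are included because both came up in this thread.

```python
"""Triage helper: flag well-known executable names found in a directory where
the legitimate copy never lives (e.g. jusched.exe in System32).

Constructed example for this thread. The expected-location table below is an
assumption for illustration, and the sample inventory is made up."""
from pathlib import PureWindowsPath

# Expected parent directories (case-insensitive) of the legitimate copy.
# Java's updater lives under a Java subfolder of Program Files, or of
# Program Files (x86) when 32-bit Java is installed on 64-bit Windows.
EXPECTED_PARENTS = {
    "jusched.exe": (
        r"C:\Program Files\Java",
        r"C:\Program Files (x86)\Java",
    ),
    "csrss.exe": (r"C:\Windows\System32",),
    "taskeng.exe": (r"C:\Windows\System32",),
}


def _is_under(path: PureWindowsPath, parent: str) -> bool:
    """True if `path` lies strictly inside `parent` (whole components, case-insensitive)."""
    p = [c.lower() for c in path.parts]
    q = [c.lower() for c in PureWindowsPath(parent).parts]
    return p[: len(q)] == q and len(p) > len(q)


def classify(full_path: str) -> str:
    """Return 'expected', 'misplaced' or 'unknown' for one on-disk path."""
    path = PureWindowsPath(full_path)
    expected = EXPECTED_PARENTS.get(path.name.lower())
    if expected is None:
        return "unknown"  # not a name we have a rule for
    return "expected" if any(_is_under(path, e) for e in expected) else "misplaced"


def misplaced(paths):
    """Subset of `paths` whose name is well known but whose location is not
    one where the legitimate copy lives; these are the ones worth a closer look."""
    return [p for p in paths if classify(p) == "misplaced"]


# Constructed sample inventory (what a file search might return; not real data)
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe",
    r"C:\Windows\System32\jusched.exe",
    r"C:\Windows\System32\csrss.exe",
    r"C:\Users\Jim\AppData\Local\Temp\csrss.exe",
    r"C:\Windows\System32\taskeng.exe",
    r"C:\Program Files\QuickTime\QTSystem\QuickTimePlayer.exe",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify(p):9} {p}")
```

The comparison is done on whole path components, so a directory such as C:\Windows\System32evil would not pass as System32; a name with no rule is reported as unknown rather than silently accepted.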


#6 psymonet, Topic Starter (Members, 6 posts)

Posted 07 May 2008 - 03:27 PM

Could you give some details of the file that was found? What is the exact spelling of the file name and what folder was it in?


It was jusched.exe and it was, as best I can recall, located inside a .zip file in my Quicktime folder. Unfortunately, I cannot provide more details than that. If there is some explanation for why it might legitimately be there, I would be very happy indeed. No news would be better than this being a false alarm.

Since my last post, I have emptied all temp folders/caches on my computer, and temporarily uninstalled my java runtimes to reduce the potential for confusion with a legitimate file. I have also scanned my system with SpyBot and Avast!, neither of which detected anything (figured it couldn't hurt to try some other programs while I was waiting for better ideas).

I have also been researching possible non-malware causes for the resources being used. I'm wondering now if it is related to this issue with the task scheduler (I have three taskeng.exe processes going, last I checked). I'm thinking there has to be a cleaner solution than the one they came up with, however. I will make an additional post if I am able to confirm this.

I won't be able to try anything until I get home from work today, so I'll post an update then.

Thank you for taking the time to respond!

- Jim

#7 Papakid, "Guru at being a Newbie" (Malware Response Team, 6,629 posts)

Posted 07 May 2008 - 10:39 PM

You're welcome for the help, Jim.

Is what was removed still in CS's quarantine? Look around in there and see if there is info on the file and its original location. If you have a restore option, click it and see where it says it will restore the file to. Also check any logs or reports that were generated when the file was removed.

Was it a zip file in its original location or did it get zipped when quarantined? The latter is a common way to lock down files. Which means if it was a zip in the QuickTime folder, it probably wasn't active--loaded into memory--in the first place. Sorry to ask again--if you've deleted it from quarantine then back to relying on memory, but as I said, the devil is in the details so that is the best way to be more sure of exactly what is going on.

The file being in your QuickTime folder suggests a couple of possibilities:

1. If QuickTime includes setup files for Java runtime, that file would be present. I can't verify this as I haven't installed the full version of QT in some time, using instead QT Alternative.

2. It was put there by unknown malware. Whether it was ever loaded is hard to say without some more in depth logs.

From what you've told me, though, it really sounds as if it was either a false positive or has been dealt with. As you say, a buggy driver on a 64-bit system is a more likely explanation of the symptoms.

Suggest you go ahead and run MBAM as suggested by DaChew and then run CS again. If nothing is found I think you can put any worry about infection behind you. You also should reinstall the latest version of the Java runtimes. If the file was in the QuickTime folder, it shouldn't affect the legitimate Java files in their proper location. You might want to run CS again afterwards to be sure, though.

Also check your firewall logs for any suspicious outbound activity.

The thing about people

is they change

when they walk away.--Mipso
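Papakid's closing suggestion, checking the firewall logs for suspicious outbound activity, as an added example that is not from the post or from Microsoft: a small Python script that parses the W3C-style layout Windows Firewall writes to pfirewall.log and summarises allowed outbound connections to hosts outside the local network. The log lines are constructed for the example, the column names are taken from the #Fields header embedded in that sample, and the list of "local" address ranges is an assumption. (Windows Firewall logging is off by default and has to be switched on in the firewall's advanced settings before there is anything to read.)

```python
"""Summarise outbound connections recorded in a Windows Firewall log.

Added example for this thread. The log below is constructed in the W3C layout
that Windows Firewall uses; column names come from its #Fields header."""
import ipaddress
from collections import Counter

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-05-07 22:15:01 ALLOW TCP 192.168.1.5 192.168.1.1 49201 53 0 - 0 0 0 - - - SEND
2008-05-07 22:15:02 ALLOW TCP 192.168.1.5 198.51.100.20 49202 80 0 - 0 0 0 - - - SEND
2008-05-07 22:15:03 ALLOW UDP 192.168.1.5 192.168.1.1 49203 53 0 - - - - - - - SEND
2008-05-07 22:15:04 ALLOW TCP 192.168.1.5 203.0.113.7 49204 6667 0 - 0 0 0 - - - SEND
2008-05-07 22:15:05 ALLOW TCP 192.168.1.5 203.0.113.7 49205 6667 0 - 0 0 0 - - - SEND
2008-05-07 22:15:06 DROP TCP 203.0.113.9 192.168.1.5 4444 135 48 S 1 0 8192 - - - RECEIVE
2008-05-07 22:15:07 ALLOW TCP 192.168.1.5 203.0.113.7 49206 6667 0 - 0 0 0 - - - SEND
"""

# Address ranges treated as "local" chatter and left out of the summary
# (assumption: RFC 1918 space, loopback, link-local, multicast, and the
# IPv6 equivalents). Anything else is considered an external destination.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
        "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
    )
]


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated line rather than misalign its columns
        yield dict(zip(fields, values))


def is_external(ip_text):
    """True if the address is outside every range in LOCAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in LOCAL_NETS)


def outbound_external(text):
    """Count allowed outbound (path=SEND) connections to external hosts,
    keyed by (dst-ip, protocol, dst-port), most frequent first."""
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] == "ALLOW" and rec["path"] == "SEND" and is_external(rec["dst-ip"]):
            counts[(rec["dst-ip"], rec["protocol"], rec["dst-port"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (dst, proto, port), n in outbound_external(SAMPLE_LOG):
        print(f"{n:3} x {proto} {dst}:{port}")
```

Repeated connections from the machine to one external host and port that you cannot tie to a program you use are the entries worth following up on; inbound DROP lines, like the one in the sample, are the firewall doing its job and are filtered out here.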


#8 psymonet, Topic Starter (Members, 6 posts)

Posted 07 May 2008 - 11:57 PM

Update edit: (Sorry, Papakid, I didn't see your response before I posted mine.) After removing the file CounterSpy claimed to be infected, and after performing another scan with CounterSpy that came back clean, I uninstalled it, unfortunately. I was trying to avoid having any possibly conflicting programs going at the same time, and it did not occur to me that I'd need that information later. It's looking more and more likely that your assessment is correct, that what I'm dealing with is simply a system issue. As further support, continue reading.

I ran MBAM (per the earlier suggestion), then installed and scanned with NOD32 (which I plan on keeping long-term). Neither found anything. This is the good news. The bad news is that I discovered that portions of the registry are corrupt (in some cases showing no permissions at all, and in other cases failing to display a particular key because of an unidentified error). This could explain any number of odd things going on. I think alcohol of some kind would be a good fix for tonight, followed by serious contemplation about a re-install tomorrow, unless anyone has a brilliant idea. Opinions?


Thanks again for all the assistance.

- Jim

Edited by psymonet, 08 May 2008 - 12:06 AM.


#9 DaChew, "Visiting Alien" (Members, 10,317 posts, millenium falcon and rockytop)

Posted 08 May 2008 - 12:06 AM

http://www.bleepingcomputer.com/forums/t/78386/bleeping-computer-vista-tutorials/

Vista has some very powerful repair tools, almost makes me want to upgrade
Chewy

No. Try not. Do... or do not. There is no try.

#10 psymonet, Topic Starter (Members, 6 posts)

Posted 08 May 2008 - 12:23 AM

Thanks for linking to that page, DaChew. Some of those look very handy. Honestly, aside from this, I've been very impressed with Vista. I was bracing for the worst, but was instead pleasantly surprised. Most of the issues I've had relate to the 64-bit aspect of it rather than the operating system itself. But then I have a newer computer that can run Vista well. I imagine it would be a different story with older hardware.

A friend of mine has suggested Registry Drill to attempt to fix things. It does support 64-bit Vista. Anyone have any experience with this?

Another edit: I installed QuickTime on another computer, and the .zip file does appear to be part of QT. The specific file is QTJava.zip. So, this appears to confirm Papakid's assessment.

Edited by psymonet, 08 May 2008 - 12:52 AM.


#11 DaChew, "Visiting Alien" (Members, 10,317 posts, millenium falcon and rockytop)

Posted 08 May 2008 - 07:10 AM

One of the leading antimalware programmers said Vista infections are easy to clean since malware can't install drivers in that kernel. If I tweaked Vista enough I probably would weaken that protection; IE is a lot more secure. While 64-bit may be a lot of headaches, imagine what an obstacle it's going to be for the bad guys?
Chewy

No. Try not. Do... or do not. There is no try.

#12 psymonet, Topic Starter (Members, 6 posts)

Posted 09 May 2008 - 01:23 PM

Now that it appears clear that this issue is not malware-related: Papakid and DaChew, thank you both very much for your help throughout this diagnostic process!

- Jim



