
Vundo? Catchme.exe


18 replies to this topic

#1 Mushrabbit

Mushrabbit

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 AM

Posted 23 July 2009 - 08:00 PM

I'm not sure if I'm being paranoid but I'd rather be safe than sorry.

My computer isn't doing anything obviously wrong. No redirects. Not overly slow. But something just didn't seem right.

I run Windows XP with automatic updates. I use Trend Micro PC-cillin Internet Security 14.

Yesterday my TM security scan aborted with a note saying I wasn't attached to the internet. Not true. I also could not access TrendMicro Housecall or Kaspersky's free scan. They wouldn't work.

So, I ran Malwarebytes' Anti-Malware and got some hits. I have the log, but don't know if it's appropriate to post it here. I did see a noted registry key in the log with Trojan.Vundo, and that freaked me out because I know what a pain it is to clear the vundo virus off the computer.

I went into safemode and ran ATF Cleaner and SuperAntiSpyware. I ran Malwarebytes again and it came up clean.

Tonight I was able to run Housecall and it came back with an infected file. Catchme.exe. I had Housecall fix that. However, Kaspersky still won't run and I don't know if it's an issue with the software or with me.

I'd love for one of you brilliant techies to come back and tell me I'm being silly... that would make me feel great. But if I'm not being paranoid... I'll do whatever you ask to be computer healthy.



#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:35 AM

Posted 23 July 2009 - 08:21 PM

Would you post the MBAM and SAS logs? We need all the clues we can get here.

If it's been some time, then update MBAM and run another quick scan.

Do not post any logs I have not asked for, though.

Edited by DaChew, 23 July 2009 - 08:22 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 Mushrabbit

Mushrabbit
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 AM

Posted 23 July 2009 - 08:31 PM

I'll have to find the SAS log. I'm posting the mbam log from before and after.

Before ATF and SAS

Malwarebytes' Anti-Malware 1.39
Database version: 2477
Windows 5.1.2600 Service Pack 3

7/22/2009 8:08:33 AM
mbam-log-2009-07-22 (08-08-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 221703
Time elapsed: 1 hour(s), 33 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8b27cc68-110c-46a9-80d3-f3107de6eb98} (Trojan.Adware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Somefox (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\WinXDefender (Rogue.WinXDefender) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> No action taken.
c:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.

and after ATF and SAS...

Malwarebytes' Anti-Malware 1.39
Database version: 2477
Windows 5.1.2600 Service Pack 3

7/23/2009 6:49:00 AM
mbam-log-2009-07-23 (06-49-00).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 226609
Time elapsed: 2 hour(s), 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I haven't been accessing anything since I became suspicious. So I was surprised when today Housecall came back with the catchme.exe file.
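The two MBAM logs above are easiest to reason about as data: which detections were only reported ("No action taken") rather than removed, which ones disappeared between the two scans, and which registry entries belong to the same component (the Vundo CLSID appears both under Ext\Stats and under ShellExecuteHooks). The following Python script is an added example written for this thread; it is not code from the thread or from Malwarebytes. It assumes the MBAM 1.x text layout shown in the posts (a "Section Infected:" header followed by one `item (Family) -> action.` line per detection), and the embedded excerpts are constructed from the logs posted above with the header lines shortened.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and compare two scans."""
import re
from collections import Counter

# Constructed excerpts in the MBAM 1.39 log layout. The detection lines are
# the ones posted in the thread; header and summary lines are shortened.
BEFORE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2477
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Somefox (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\WinXDefender (Rogue.WinXDefender) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> No action taken.

Files Infected:
c:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> No action taken.
c:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
"""

AFTER_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2477

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# A section header is "<Name> Infected:" with nothing after the colon; the
# summary lines near the top ("Registry Keys Infected: 3") therefore do not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# One detection line: <item> (<family>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>[^.]+)\.?$")
# A COM CLSID in braces, as used by BHO/ShellExecuteHooks registrations.
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_mbam_log(text):
    """Return a list of (section, item, family, action) tuples."""
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None:  # still in the log header, nothing to parse
            continue
        det = DETECTION_RE.match(line)
        if det:  # "(No malicious items detected)" never matches, by design
            found.append((section, det.group("item"), det.group("family"), det.group("action")))
    return found


def families(detections):
    """Count detections per malware family name."""
    return Counter(family for _, _, family, _ in detections)


def unactioned(detections):
    """Detections MBAM only reported and did not remove."""
    return [d for d in detections if d[3] == "No action taken"]


def diff_scans(before_text, after_text):
    """Compare two logs by (section, item): what was cleared, what persists, what is new."""
    before = {(s, i) for s, i, _, _ in parse_mbam_log(before_text)}
    after = {(s, i) for s, i, _, _ in parse_mbam_log(after_text)}
    return {
        "cleared": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
    }


def correlate_clsids(detections):
    """Map each CLSID that appears in more than one registry location to those
    locations, so one component registered in several places is reviewed as a unit."""
    by_clsid = {}
    for section, item, family, _ in detections:
        for clsid in CLSID_RE.findall(item):
            by_clsid.setdefault(clsid.lower(), []).append((section, family))
    return {k: v for k, v in by_clsid.items() if len(v) > 1}


if __name__ == "__main__":
    before = parse_mbam_log(BEFORE_LOG)
    for section, item, family, action in before:
        print(f"{section:26} {family:20} {action:16} {item}")
    print("families:", dict(families(before)))
    print("not removed by MBAM:", len(unactioned(before)))
    print("diff:", diff_scans(BEFORE_LOG, AFTER_LOG))
    print("shared CLSIDs:", correlate_clsids(before))
```

The diff output is the useful check here: every item from the first scan is gone in the second, none persists and nothing new appeared, which is what a clean follow-up scan after another tool's cleanup should look like. Note that "No action taken" on every line of the first log means MBAM itself did not remove anything in that run; the cleanup happened elsewhere, so the second scan is the evidence, not the first.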

#4 Mushrabbit

Mushrabbit
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 AM

Posted 23 July 2009 - 08:41 PM

I see no SAS log. I've looked on the SAS menu and searched the computer. Is it possible there isn't one? Or that I was prompted and failed to save one?

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:35 AM

Posted 23 July 2009 - 08:57 PM

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Chewy

No. Try not. Do... or do not. There is no try.

#6 Mushrabbit

Mushrabbit
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 AM

Posted 23 July 2009 - 09:09 PM

Thank you. Here it is.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/23/2009 at 07:34 AM

Application Version : 4.26.1006

Core Rules Database Version : 4012
Trace Rules Database Version: 1952

Scan type : Quick Scan
Total Scan Time : 00:30:22

Memory items scanned : 653
Memory threats detected : 0
Registry items scanned : 742
Registry threats detected : 0
File items scanned : 13503
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Colleen\Cookies\colleen@atwola[2].txt
C:\Documents and Settings\Colleen\Cookies\colleen@advertising[2].txt
C:\Documents and Settings\Colleen\Cookies\colleen@ar.atwola[1].txt
C:\Documents and Settings\Colleen\Cookies\colleen@burstnet[1].txt
C:\Documents and Settings\Colleen\Cookies\colleen@2o7[2].txt
C:\Documents and Settings\Colleen\Cookies\colleen@at.atwola[1].txt
C:\Documents and Settings\Colleen\Cookies\colleen@cdn.at.atwola[1].txt

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:35 AM

Posted 23 July 2009 - 09:25 PM

I saw some old remnants of previous infections, nothing significant. The catchme is a rootkit scanner component of several antimalware tools?

Your internet problems may just be glitches during high traffic times?

Try those scanner/updates again to test my hypothesis.

Chewy

No. Try not. Do... or do not. There is no try.

#8 Mushrabbit

Mushrabbit
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 AM

Posted 23 July 2009 - 09:28 PM

I'm not really sure what this means:

    Try those scanner/updates again to test my hypothesis.


I have run Housecall and SAS again and they came back clean. Ran S&D too, and that just came up with some spyware.

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:35 AM

Posted 23 July 2009 - 09:34 PM

    I also could not access TrendMicro Housecall or Kaspersky's free scan. They wouldn't work.

This was what I was referring to.

Chewy

No. Try not. Do... or do not. There is no try.

#10 Mushrabbit

Mushrabbit
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 AM

Posted 23 July 2009 - 09:46 PM

Housecall is running fine. Comes back now that the computer has no threats.

Kaspersky not so much. I click on the free scan, a new window eventually appears, but the window is incomplete. The top left panel is all dots, there is a message screen where I should be able to scroll, and the pop-up screen freezes. I end up having to close the window, and that then closes the browser window as well.

#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:35 AM

Posted 23 July 2009 - 09:52 PM

Let's run an online virus scan called Kaspersky or KAV for short

http://www.kaspersky.com/virusscanner

using Internet Explorer.

Please disable your resident Antivirus before performing the scan and re-enable it afterward.

Choose the online scanner option

1. At the main page, press "Accept" after reading the contents.
2. At the next window, select Update. Allow the database to update.
   Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found, they will appear in the report.
6. Select "Save error report as".
   Then in the file name just type in kaspersky.
   Under "save as type" select text .txt.
   Save it to your Desktop.

Please post the KAV scan report in your next reply.

Well, it needs Java, so maybe that's the problem.

Chewy

No. Try not. Do... or do not. There is no try.

#12 Mushrabbit

Mushrabbit
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 AM

Posted 23 July 2009 - 10:19 PM

That is the Kaspersky I've been trying to run. When the initial popup window appears it loads to six green bars on the bottom of its screen, then it just hangs up.

I found your Java reference interesting though. So I checked and I have Java 6 update 11. I checked and tried to load Java 6 update 14. It won't load. I get the following messages.

popup - Warning – Java ™ Update

Bin\awt.dll: Old File not found. However, a file of the same name was found. No update done since file contents do not match.

next popup - Error – Java™ Update

Java™ Update fails to apply changes to your system.

next popup Java Setup

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:35 AM

Posted 23 July 2009 - 10:31 PM

Java gets corrupted, especially by infections that targeted it.

Use add/remove programs to clean out the old Java, then reboot.

Reboot and use the offline installer:

http://www.java.com/en/download/manual.jsp

Chewy

No. Try not. Do... or do not. There is no try.

#14 Mushrabbit

Mushrabbit
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 AM

Posted 23 July 2009 - 11:02 PM

ahhh... you are truly a brilliant wookie techie!

Followed your instructions... loaded new Java... Kaspersky is running. Will update with log when I get one. May not be till the morning though. It is now after midnight, and I must be able to awaken for work tomorrow.

My fingers and toes are crossed that Kaspersky comes back clean.

#15 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:35 AM

Posted 23 July 2009 - 11:12 PM

I was more worried about the Kasp scan not working than it finding anything, but post the log anyway.

It will aid in a final cleanup.

Chewy

No. Try not. Do... or do not. There is no try.



