IMPORTANT! Virtumonde, ATLEevents, CATLEevents, TROJAN.VUNDO

conde_j73, Member with 164 posts, THREAD STARTER
Join Date: Aug 2003
Location: VENEZUELA
28-Dec-2004, 11:22 PM #1
EDIT: ANYTHING INVOLVING A CLB FILE, FORGET IT, IT IS A WINDOWS FILE...


BEFORE ANYTHING, YOU NEED TO KNOW THIS TROJAN WILL DAMAGE YOUR COMPUTER TO THE POINT YOU DEFINITELY CANNOT USE THE INTERNET. IT HAS HAPPENED ALREADY TO SOME PEOPLE AND MY AUNT'S INTERNET WAS ALMOST DAMAGED.
ok hi again, today my brother and i did aaaall this:
d@mn that file....
listen up, very important...
what my aunt has, or well, had...
it was TROJAN.VUNDO (it has other names of course)... for her it came all in one with the ATLEevents or CATLEevents adware and VIRTUMONDE also.
well today i was able to discover it was the trojan that had been pi$$ing me off for the past day...
in the security response on norton's page it has a removal tool and some instructions to eliminate it... but SURPRISE, it has variations..
so anyways i had to do this all by myself..
ok so for those who don't know they have it and guess they have or had a virus, please do a virus scan, whether it's norton or trend micro, well you have your pick... (she had mcafee before today and i could say it SUCKS, it didn't tell her the virus was there in the first place... [among other viruses]) well anyways i pinpointed the exact folder where the file was, which in my, well her, case was inside C:\WINDOWS\REGISTRATION, and i have read other cases on google and other people have different names and folder locations. inside the REGISTRATION folder was the executable file (.exe) that was always running and could not be ended as a process by any means or deleted, AND WHEN I SAY BY ANY MEANS I MEAN EVERYTHING YOU CAN POSSIBLY TRY.
in my case the executable was named COMAP.EXE (I MADE IT SO I COULD READ HIDDEN FILES AND FOLDERS AND SO THAT I COULD VIEW SYSTEM FILES ALSO! do that in any folder > tools > folder options > view > and select show hidden files and folders and also deselect hide system files or something like that...)
after that i also checked inside the TEMP folder in each person's session in winxp (inside their documents and settings folder which is hidden also) and guess what i found there... a DAT file called PAMOC.DAT (the same as the exe file but backwards....) and another one with a strange name which i couldn't delete easily..
so i uninstalled mcafee and put in the newest norton version of course and ran the antivirus, it found not only the virus but 15 of the same inside the c:\windows folder with other names but they were easy to delete... with norton...
so then i went to the security response page on symantec.com and found out a little about the trojan, some manual removal instructions which DID IN FACT HELP ME a lot!!

http://securityresponse.symantec.com...jan.vundo.html

and tried the removal tool there and it didn't work at all... then went with the manual instructions. did them step by step and listen, you have to do this for every user made on the computer (the pamoc.dat and the other dat was in every temp folder of every user...) ok now, what i was going to say... the step where it says to go to RUNONCE or RUN, i could delete one of them, i don't remember which, without it coming back immediately after... some other ones kept coming back which in the end i almost finished deleting... i'll tell you why at the end...
OK CONTINUING, in the REGISTRATION folder was the comap.exe and comap.exe.bak1, .bak2, .bak3!! the R000000000001.CLB, R000000000002.CLB up to r000000000007.clb, a comap.ini file, i think that was all... anyways the baks and all the r00000000000... (except the ....1.clb) i could delete easily.
to delete the dat files i used MOVEONBOOT which i mentioned earlier.
then i used a little but powerful tool called RESHACK or RESOURCE HACKER, found on google easily.
i opened the comap.exe with reshack and got to the dll folder in there and deleted the dll folder with one of the options in there, don't remember which one, sorry, but that created a file inside the registration folder called comap_original, to i don't know, create a backup maybe. but what is important is that the comap.exe was modified, yes!! then we used the command

regsvr32 /u /i "C:\windows\registration\comap.exe" and unregistered the process or something happened there because it isn't a dll or ocx so what...
deleted the registry settings (THE ONES IN RUN AND RUNONCE, DON'T REMEMBER) and deleted the comap.exe, then closed reshack and deleted the comap_original.exe and the ini. OF COURSE i removed everything in the registry that had comap and pamoc and the other dat file in the temp folder, and everything on the symantec page except the ATLEevents and ATLEevents.1 in the classes in the registry, and the only thing left there was the R000000000001.clb and here is the only part that i have not finished...
EVERYTHING SAID BEFORE IN SAFE MODE WITHOUT INTERNET FUNCTIONS

HOW DO I DELETE THAT FILE AND WHAT IS A *.CLB FILE???!?!?

i can rename it to anything but it changes back after reboot.
and the
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1\CLSID
come back also....

i have tried all ways to delete the r000000000001.clb, also with moveonboot, and i don't know, i guess that it deletes but is created again by something else.... I NEED HELP THERE...
also i have not tried it in normal mode or with internet functions...
i am afraid to connect to the internet and that the clb file will connect to an ftp site or something and download the trojan with a different name and everything, sooo.... WHAT CAN YOU TELL ME??

the most important thing is that the trojan isn't there anymore, yeah...!!

so now what can i do?
thx for reading this much, it is worth it.

Last edited by conde_j73; 28-Dec-2004 at 11:45 PM..
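The post above works through Run/RunOnce entries, DAT files dropped in each user's TEMP folder, and the ATLEvents ProgID keys under HKLM\SOFTWARE\Classes by hand. A safer way to review those locations is to export the relevant keys to a .reg file on the infected machine and read them on a clean PC, which also fits the advice later in the thread about carrying logs over on a floppy. The script below is an added example written for this thread, not the poster's procedure and not a Symantec or HijackThis tool: it parses a .reg export offline and flags autorun values that launch from the Registration or Temp folders the poster named, plus any CLSID recorded for the ATLEvents ProgIDs. The registry text is constructed for the demo, the user name "aunt" is made up, and the CLSID is a placeholder, not a value from the page.

```python
"""Offline audit of a Windows .reg export for the autorun and ProgID keys
discussed in this thread. Example code added to the thread; the sample
registry text below is constructed and the CLSID is a placeholder."""
import re
from typing import Dict, List, NamedTuple

# Constructed .reg export (not a real capture). Key names follow the thread;
# the CLSID value is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"comap"="C:\\WINDOWS\\Registration\\comap.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"pamoc"="C:\\Documents and Settings\\aunt\\Local Settings\\Temp\\pamoc.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents]
@="ATLEvents Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID]
@="{00000000-0000-0000-0000-000000000000}"
"""

# Autorun keys the Symantec instructions in the thread send you to (HKLM or HKCU).
AUTORUN_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
)
# Folders the poster found the dropped files in; anything launched from
# them deserves a second look. Compared case-insensitively.
SUSPECT_DIRS = ("\\registration\\", "\\temp\\")
# ProgIDs the poster saw recreated under HKLM\SOFTWARE\Classes.
WATCHED_PROGIDS = {"atlevents.atlevents", "atlevents.atlevents.1"}


class Finding(NamedTuple):
    kind: str   # "autorun" or "progid"
    key: str    # full registry key path
    name: str   # value name, "@" for the key's default value
    data: str   # unescaped REG_SZ data


_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<data>.*)"$')


def _unescape(data: str) -> str:
    # .reg files write REG_SZ data with backslashes and quotes escaped.
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            keys[current][name] = _unescape(m.group("data"))
    return keys


def audit(text: str) -> List[Finding]:
    """Flag autorun values launching from suspect folders and CLSIDs of watched ProgIDs."""
    findings: List[Finding] = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith(AUTORUN_SUFFIXES):
            for name, data in values.items():
                if any(d in data.lower() for d in SUSPECT_DIRS):
                    findings.append(Finding("autorun", key, name, data))
        elif "\\software\\classes\\" in low and low.endswith("\\clsid"):
            progid = low.rsplit("\\", 2)[-2]   # component just above \CLSID
            if progid in WATCHED_PROGIDS:
                findings.append(Finding("progid", key, "@", values.get("@", "")))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"[{f.kind}] {f.key} :: {f.name} = {f.data}")
```

To use it on a real machine, export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the matching RunOnce key, the HKCU copies of both, and HKLM\SOFTWARE\Classes with regedit's Export command, then pass the file's text to audit(). The benign "Synchronization Manager" value is left alone because it does not launch from a suspect folder, which is the kind of distinction the thread's step-by-step deletion has to make by eye.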
Byteman (Bill), Moderator & Malware Removal Specialist with 17,462 posts.
Join Date: Jan 2002
Location: NY
29-Dec-2004, 01:13 AM #2
hi, I think I would try AdAware and SpyBot, they should help, after the main removal that you did.

have a look at this page:

http://www.bleepingcomputer.com/forums/topict3494.html


And this one:

http://forum.gladiator-antivirus.com...howtopic=21049

Can you post a hijackthis log---you can download the file to a floppy disk or CD to copy to the computer that you don't want on the Net right now...and, that is a good idea...

You should create a new folder, rename it HJT or something creative...copy and paste the hijackthis.exe file from the disk to that folder, run it from that folder, you can make the new folder right on the desktop for now.

Hijackthis will open, hit the Scan button, when it is done, you see the Save Log button...hit that, and save the log as hijackthis.txt which will open in Notepad, copy/paste the entire log back to a disk and take it to a good pc and open a reply to this thread....open the log file on the disk or have it saved as another text file on the hard drive....copy and paste the log into the blank reply space, and submit the log for advice from some experts...
conde_j73, Member with 164 posts, THREAD STARTER
Join Date: Aug 2003
Location: VENEZUELA
29-Dec-2004, 08:57 AM #3
hi byteman,
thanx for responding, but yes i had already tried spybot s&d and adaware and of course hjt.
i had no internet access on my aunt's pc....
Byteman (Bill), Moderator & Malware Removal Specialist with 17,462 posts.
Join Date: Jan 2002
Location: NY
29-Dec-2004, 10:44 AM #4
Hi, I mean now, after clearing up what you did yourself.
Does it have Internet access now?

What I am asking....would you post a log now, so we can check for you, sometimes there are other things that need removing....
conde_j73, Member with 164 posts, THREAD STARTER
Join Date: Aug 2003
Location: VENEZUELA
30-Dec-2004, 10:06 AM #5
yes, it now works.
i see on that page in the links you sent me that he never responded again... using killbox appeared to not work for him....
after the reboot i noticed yesterday the ATLEvents was deleted from the registry...
that's nice... i mean the reboot after deleting those values from the registry, and then they never came back in safe mode....
i guess all's good now..