
IMPORTANT! Virtumonde, ATLEevents, CATLEevents, TROJAN.VUNDO

Discussion in 'Virus & Other Malware Removal' started by conde_j73, Dec 28, 2004.

  1. conde_j73 (Thread Starter)
    EDIT: ANYTHING INVOLVING A CLB FILE, FORGET IT, IT IS A WINDOWS FILE...


    BEFORE ANYTHING YOU NEED TO KNOW THIS TROJAN WILL DAMAGE YOUR COMPUTER TO THE POINT YOU CANNOT USE THE INTERNET, DEFINITELY. IT HAS HAPPENED ALREADY TO SOME PEOPLE AND MY AUNT'S INTERNET WAS ALMOST DAMAGED.
    ok hi again, today my brother and I did aaaall this:
    d@mn that file....
    listen up, very important...
    what my aunt has, or well, had...
    it was TROJAN.VUNDO (has other names of course)... for her it came all in one with the ATLEevents or CATLEevents adware and VIRTUMONDE also.
    well, today I was able to discover it was the trojan that had been pi$$ing me off for the past day...
    in the Security Response on Norton's page it has a removal tool and some instructions to eliminate it... but SURPRISE, it has variations..
    so anyway I had to do this all by myself..
    ok so for those who don't know whether they have it and guess they have a virus, please do a virus scan, whether it's Norton or Trend Micro, well, you have your pick... (she had McAfee before today and I could say it SUCKS, it didn't tell her the virus was there in the first place... [among other viruses]) well anyway I pinned down the exact folder where the file was, which in my, well, her case was inside C:\WINDOWS\REGISTRATION, and I have read other cases via Google and other people have different names and folder locations. inside the REGISTRATION folder was the executable file (.exe) that was always running and could not be ended or deleted by any means, AND WHEN I SAY BY ANY MEANS I MEAN EVERYTHING YOU CAN POSSIBLY TRY.
    in my case the executable was named COMAP.EXE (I SET IT UP SO I COULD READ HIDDEN FILES AND FOLDERS AND SO THAT I COULD VIEW SYSTEM FILES ALSO! do that in any folder > Tools > Folder Options > View > select show hidden files and folders and also deselect hide system files, or something like that :) ...)
    after that I also checked inside the TEMP folder in each person's session in WinXP (inside their Documents and Settings folder, which is hidden also) and guess what I found there... a DAT file called PAMOC.DAT (the same as the exe file but backwards....) and another one with a strange name which I couldn't delete easily..
    so I uninstalled McAfee and put in the newest version of Norton of course and ran the antivirus; it found not only the virus but 15 of the same inside the c:\windows folder with other names, but they were easy to delete... with Norton...
    so then I went to the Security Response page on symantec.com and found out a little about the trojan, some manual removal instructions which DID IN FACT HELP ME a lot!!

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html

    and tried the removal tool there and it didn't do anything... then went with the manual instructions. did them step by step, and listen, you have to do this for every user made on the computer (the pamoc.dat and the other dat was in every temp folder of every user...) ok now, where was I going... the step where it says to go to RUNONCE or RUN, I could delete one of them, I don't remember which, without it coming back immediately after... some other ones kept coming back, which in the end I almost finished deleting... I'll tell you why at the end...
    OK CONTINUING, in the REGISTRATION folder were comap.exe and comap.exe.bak1, .bak2, .bak3!! the R000000000001.CLB, R000000000002.CLB up to r000000000007.clb, a comap.ini file, I think that was all... anyway the baks and all the r00000000000... (except the ....1.clb) I could delete easily.
    to delete the dat files I used MOVEONBOOT, which I mentioned earlier.
    then I used a little but powerful tool called RESHACK or RESOURCE HACKER, found on Google easily.
    I opened comap.exe with reshack, got to the dll folder in there and deleted the dll folder with one of the options in there, don't remember which one, sorry :( but that created a file inside the registration folder called comap_original, to, I don't know, create a backup maybe. but what is important is that comap.exe was modified, yes!! then we used the command

    regsvr32 /u /i "C:\windows\registration\comap.exe" and unregistered the process or something happened there because it isn't a dll or ocx so what...
    deleted the registry settings (THE ONES IN RUN AND RUNONCE, DON'T REMEMBER :( ) and deleted comap.exe, then closed reshack and deleted comap_original.exe and the ini. OF COURSE I removed everything in the registry that had comap and pomac and the other dat file in the temp folder, and everything on the Symantec page except the ATLEevents and ATLEevents.1 in the classes in the registry, and the only thing left there was R000000000001.clb, and here is the only part that I have not finished...
    EVERYTHING SAID BEFORE IN SAFE MODE WITHOUT INTERNET FUNCTIONS

    HOW DO I DELETE THAT FILE AND WHAT IS A *.CLB FILE???!?!?

    I can rename it to anything but it changes back after reboot.
    and the
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1\CLSID
    come back also....

    I have tried all ways to delete the r000000000001.clb, with moveonboot too, and I don't know, I guess that it deletes but is created again by something else.... I NEED HELP THERE...
    also I have not tried to use it in normal mode or with internet functions...
    I am afraid to connect to the internet and that the clb file will connect to an ftp site or something and download the trojan with a different name and everything sooo.... WHAT CAN YOU TELL ME??

    the most important thing is that the trojan isn't there anymore, yeah...!! (y)

    so now what can I do?
    thx for reading this much, it is worth it.
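A triage check written for this thread as an added example (not code from the original post, from Symantec, or from any tool named here): it runs over a constructed file and registry inventory that mirrors the indicators conde_j73 describes, flags the exe in C:\WINDOWS\Registration, the reversed-name .dat in each user's Temp, the Run/RunOnce entry and the ATLEvents class keys, and deliberately leaves the .clb files alone, since, as the EDIT notes, those are Windows files. All paths and key names below are sample values modelled on the thread, not captures from a real machine.

```python
# Constructed sample inventory modelled on the thread (not a real capture).
SAMPLE_FILES = [
    r"C:\WINDOWS\Registration\comap.exe",
    r"C:\WINDOWS\Registration\comap.exe.bak1",
    r"C:\WINDOWS\Registration\comap.ini",
    r"C:\WINDOWS\Registration\R000000000001.clb",  # COM+ catalog: legitimate Windows file
    r"C:\Documents and Settings\aunt\Local Settings\Temp\pamoc.dat",
    r"C:\Documents and Settings\brother\Local Settings\Temp\pamoc.dat",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"comap": r"C:\WINDOWS\Registration\comap.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": {},
    r"HKLM\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID": {},
    r"HKLM\SOFTWARE\Classes\ATLEvents.ATLEvents.1\CLSID": {},
}

REGISTRATION_DIR = r"c:\windows\registration"


def find_indicators(files, registry):
    """Return a sorted list of findings; .clb catalog files are never flagged."""
    findings = []
    exe_stems = set()
    for path in files:
        folder, name = path.rsplit("\\", 1)
        lname = name.lower()
        if lname.endswith(".clb"):
            continue  # COM+ catalog files belong in Registration (see the thread's EDIT)
        # Nothing executable is expected in the Registration folder; comap.exe and its .bak copies are
        if folder.lower() == REGISTRATION_DIR and ".exe" in lname:
            findings.append(f"exe in Registration folder: {path}")
            exe_stems.add(lname.split(".")[0])
    # The dropped DAT carries the exe name spelled backwards (comap -> pamoc), one per user Temp
    for path in files:
        folder, name = path.rsplit("\\", 1)
        stem, _, ext = name.lower().rpartition(".")
        if ext == "dat" and "\\temp" in folder.lower() and stem[::-1] in exe_stems:
            findings.append(f"mirror-named DAT in user Temp: {path}")
    for key, values in registry.items():
        leaf = key.rsplit("\\", 1)[-1]
        if leaf in ("Run", "RunOnce"):  # autostart entries pointing back into Registration
            for value_name, command in values.items():
                if REGISTRATION_DIR in command.lower():
                    findings.append(f"autostart {leaf}\\{value_name} -> {command}")
        if "\\classes\\atlevents.atlevents" in key.lower():  # the ProgIDs that kept coming back
            findings.append(f"ATLEvents COM registration: {key}")
    return sorted(findings)
```

On a real box the two inventories would come from a directory listing and a registry export taken in safe mode; the logic is the same.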
     
  2. Byteman (Moderator, Malware Specialist)
    Hi, I think I would try AdAware and SpyBot; they should help, after the main removal that you did.

    have a look at this page:

    http://www.bleepingcomputer.com/forums/topict3494.html


    And this one:

    http://forum.gladiator-antivirus.com/index.php?showtopic=21049

    Can you post a HijackThis log? You can download the file to a floppy disk or CD to copy to the computer that you don't want on the Net right now... and that is a good idea...

    You should create a new folder, name it HJT or something creative... copy and paste the hijackthis.exe file from the disk to that folder and run it from that folder; you can make the new folder right on the desktop for now.

    HijackThis will open; hit the Scan button, and when it is done you see the Save Log button... hit that, and save the log as hijackthis.txt, which will open in Notepad. Copy/paste the entire log back to a disk and take it to a good PC and open a reply to this thread... open the log file on the disk or have it saved as another text file on the hard drive... copy and paste the log into the blank reply space, and submit the log for advice from some experts...
     
  3. conde_j73 (Thread Starter)
    hi byteman,
    thanks for responding, but yes, I had already tried Spybot S&D and Ad-Aware and of course HJT.
    I had no internet access on my aunt's PC....
     
  4. Byteman (Moderator, Malware Specialist)
    Hi, I mean now, after clearing up what you did yourself.
    Does it have Internet access now?

    What I am asking... would you post a log now, so we can check for you? Sometimes there are other things that need removing....
     
  5. conde_j73 (Thread Starter)
    yes, it now works,
    I see on that page in the links you sent me that he never responded again... using killbox appeared not to work for him....
    after the reboot I noticed yesterday the ATLEvents was deleted from the registry...
    that's nice :D... I mean the reboot after deleting those values from the registry, and then they never came back in safe mode....
    I guess all's good now..
     
Short URL to this thread: https://techguy.org/312730