
Possible Vundo issue - long post.

  • 10-01-2011 7:54pm
    #1
    Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭


    Hi Guys,

    A couple days ago (5) whilst browsing - I got the 'pop-up' telling me comp infected etc.

    Thankfully running FF so used task manager to close down FF.

    Since then had maybe three more pop-ups.

    Sometimes when performing a google search an innocent site comes up as a 'suspected attack site'.

    Now FF works fine but IE is not working - I do not use it but tried it today just to see.

    A file called Kwyxntlajb.exe came up in one of the pop-ups so I found this and deleted it three days ago.

    There is also a folder in my comp called:
    'AppData\Local\CRLAuthenticationserv'

    Now a google search for CRL.. gives nothing hence my suspicion plus it seems to be meant to sound like CRM...

    There is an 80kb .dll file in there which like an idiot I renamed to 'tobedeleted.dll' without making a note of the original name.

    The date stamp on the above file is 06/12/10 18.05 so obviously had it for more than a few days.

    However this file cannot be deleted, it also will not go when trying to do so via regsvr32 *.dll - access denied.

    Since yesterday when I figured something was definitely up I've run:
    1. Panda Cloud Anti-Virus - on and off line.
    2. SuperAntiSpyware
    3. Hijack This as admin and user
    4. Vundo Fix
    5. Malwarebytes Anti Malware
    Not in the above order.

    None of the above are picking it up. I have some log files which can be posted if necessary.

    There were some tracking cookies (deleted) - one or two suspicious files sent to Panda but that is about it.

    Thanks guys.
    Apologies for the long post.


Comments

  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    Hijack This Log File: ran as admin

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 17:52:18, on 10/01/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18999)
    Boot mode: Normal


  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    Last MAM logfile:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5495

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18999

    10/01/2011 19:10:33
    mbam-log-2011-01-10 (19-10-33).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 405008
    Time elapsed: 1 hour(s), 16 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    I ran the SuperAntiSpyware again and the log is as follows:

    'SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/10/2011 at 09:47 PM

    Application Version : 4.47.1000

    Core Rules Database Version : 6135
    Trace Rules Database Version: 3947

    Scan type : Complete Scan
    Total Scan Time : 01:01:29

    Memory items scanned : 788
    Memory threats detected : 0
    Registry items scanned : 15897
    Registry threats detected : 0
    File items scanned : 64475
    File threats detected : 2

    Adware.Tracking Cookie
    C:\Users\****\AppData\Roaming\Microsoft\Windows\Cookies\Low\daja@content.yieldmanager[1].txt
    C:\Users\****\AppData\Roaming\Microsoft\Windows\Cookies\Low\daja@richmedia.yahoo[1].txt'

    Now the system rebooted and upon firing up it told me that the file in

    C:\Users\****\AppData\Local\CRLAuthenticationserv\handlerapiCtrl.dll could not be found.

    This is I would assume a good thing?


    More on handlerapiCtrl.dll

    http://www.prevx.com/filenames/X189404137396822598-X1/HANDLERAPICTRL.DLL.html


  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    Just FTR now was the first time I rebooted the system in about 7 days.

    Maybe the file was not found on start up due to being renamed?

    I was able to delete the folder just now so who knows if this is the end of this issue.


  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    In the folder C:\Users\****\AppData\Local

    I found three files which I think should be removed:

    d3d9caps.dat - some research suggests this could be related to old versions of Java on the comp.

    Then there is:

    DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF which apparently is for Windows Media Player - could be how the comp got infected if I watched an online video in windows media instead of VLC etc?


    Lastly housecall.guid.cache

    However all keep coming up in the logs of people looking for help removing malware!?


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    The Guvnor wrote: »
    C:\Users\****\AppData\Local\CRLAuthenticationserv\handlerapiCtrl.dll could not be found.

    It's probably still being called up on startup. Go to Start > Run > msconfig <Enter> and look through the Startup Items for anything odd. Disable anything you don't like the look of. It sounds like you're fine though. Just make sure everything's up to date (Adobe, Java, Windows etc.) and get a proper antivirus software installed.

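    The two checks this thread turns on, the orphaned startup entry that produces the "could not be found" message after a file is renamed or deleted, and the "access denied" when trying to remove a DLL that is still loaded, can be scripted rather than eyeballed in msconfig. The following is an added example, not code from the thread or from any of the tools mentioned; it assumes the DLL path quoted above as $Suspect, needs PowerShell 3 or later, and should be run from an elevated prompt so that other users' processes can be inspected.

```powershell
# Added example, not code from the thread. Assumes the suspect DLL path named in
# the thread; adjust $Suspect for your own machine. Run in an elevated PowerShell.
$Suspect = "$env:LOCALAPPDATA\CRLAuthenticationserv\handlerapiCtrl.dll"

# 1. List the autostart entries msconfig would show (Run/RunOnce keys, user and
#    machine) and flag the two things that matter here: an entry whose target no
#    longer exists (the "could not be found" message after the rename/delete) and
#    an entry that lives under the user's AppData\Local (writable without admin).
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $rk = Get-Item $key
    foreach ($name in $rk.GetValueNames()) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$rk.GetValue($name))
        # Paths in the command line: quoted ones first, else bare drive paths
        # (a rundll32 entry carries the DLL as its first argument).
        $paths = @([regex]::Matches($cmd, '"([^"]+)"') | ForEach-Object { $_.Groups[1].Value })
        if ($paths.Count -eq 0) {
            $paths = @([regex]::Matches($cmd, '[A-Za-z]:\\[^\s,]+') | ForEach-Object { $_.Value })
        }
        $flags = @()
        foreach ($p in $paths) {
            if (-not (Test-Path -LiteralPath $p)) { $flags += 'MISSING' }
            if ($p -like "$env:LOCALAPPDATA\*")  { $flags += 'APPDATA' }
        }
        '{0,-16} {1,-28} {2}' -f ($flags -join ','), "$($key.Split(':')[0]) $name", $cmd
    }
}

# 2. "Access denied" on delete or regsvr32 /u usually means the DLL is mapped
#    into a running process. Find which, and check whether it carries a valid
#    Authenticode signature (unsigned code under AppData is worth a second look).
if (Test-Path -LiteralPath $Suspect) {
    $holders = foreach ($proc in Get-Process) {
        try { if ($proc.Modules.FileName -contains $Suspect) { $proc } } catch { }
    }
    if ($holders) {
        'Loaded by: ' + (($holders | ForEach-Object { "$($_.ProcessName) (PID $($_.Id))" }) -join ', ')
    } else { 'Not loaded in any process you can inspect' }
    $sig = Get-AuthenticodeSignature -FilePath $Suspect
    'Signature: {0} {1}' -f $sig.Status, $sig.SignerCertificate.Subject
} else { "Suspect file not present: $Suspect" }
```

An entry flagged MISSING is the orphan msconfig would show; a file reported as loaded by a process is why the delete fails, and the process name tells you what to stop (or reboot without) before removing it.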

  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    Hi there,

    Yes the handlerapi was there in start-up the rest look normal.

    I've disabled it.

    Do you think deleting the other three items makes sense? Especially the housecall.guid.cache?

    Do you think it was some new less aggressive version of Vundo or I was just lucky to be using FF?

    Thanks


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    The Guvnor wrote: »
    Do you think deleting the other three items makes sense? Especially the housecall.guid.cache?

    Had you run Trend Housecall at some stage? Anyway you should be safe enough deleting it.


  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    Hi Mate,

    Not that I am aware. However I could have run this as an online scan in the last few days - would make sense.

    Thanks for the help.


  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    Another thing is Google Earth no longer works and this is related to IE8 not working.

    On trying to access IE8 all that one gets is:

    res://ieframe.dll/dnserror.htm#

    Would this be related to the above issues?

    Thankfully FF is and has been fine.


  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭The Guvnor


    Not sure if IE and Google Earth were related but it is fixed now thanks to this:

    http://support.microsoft.com/kb/923737

    The program reset my IE back to default settings and once IE was working google earth started working again.

    Not to be too presumptuous but I think one may say that this issue is resolved! Fingers crossed.

    Thanks for the help in the forum overall, not just the thread - great resource!

