Thread: Katusha.j keeps coming back

  1. #1
    nm156 Guest

    Katusha.j keeps coming back

    Since yesterday morning I've been having problems with some sort of Malware/adware. ZA has been finding and quarantining an infection labeled Packed.Win32.Katusha.j every 5-10 minutes.

    What I would like to know is how can I stop this from continuously popping up. I'd like to get rid of the source, not just the svchost.exe file it keeps trying to create.

    I have run a full scan multiple times, and ZoneAlarm has not found anything.

  2. #2
    Join Date: Jun 2006
    Location: The 3rd Coast - South Central Texas
    Posts: 10,463

    Re: Katusha.j keeps coming back

    Quote: Originally posted by nm156
    Since yesterday morning I've been having problems with some sort of Malware/adware. ZA has been finding and quarantining an infection labeled Packed.Win32.Katusha.j every 5-10 minutes.

    What I would like to know is how can I stop this from continuously popping up. I'd like to get rid of the source, not just the svchost.exe file it keeps trying to create.

    I have run a full scan multiple times, and ZoneAlarm has not found anything.

    1.) svchost.exe file is part of Windows OS.

    Here is the ZoneAlarm Malware Clean-up Guidance
    NOTE: the steps below work only if you are on the latest versions of ZA (version 9). If you are not, please update.
    Try to perform a full Antivirus/Antispyware scan but in SAFE MODE WITH NETWORKING.

    1. Set ZA Antivirus/antispyware to "Ultra Deep Scan" under the advanced options of the ZA antivirus/antispyware tab (scan modes);
    2. Reboot in SAFE MODE WITH NETWORKING;
    3. Manually run ZA (ZA firewall will be OFF but Antivirus/Antispyware will be functional);
    4. Run a full ZA AV/AS scan;
    5. Reboot in Normal Mode
    6. Set ZA Antivirus/Antispyware back to Normal

    How to start in SAFE MODE WITH NETWORKING

    If the above fails try to clean your system with:

    A. Download, update and scan with MBAM
    WARNING: Some malware will block the download of this software, rename the installer to a random name before saving and running (you can change the .exe into a .com)
    B. Use the superantispyware online cleaning tool --> Here or download, update and scan with superantispyware FREE
    WARNING: Some malware will block the download of this software, rename the installer to a random name before saving and running.

    If ALL the above fails please post your Hijackthis log to BattleVirus.com.

    or here.. a new malware removal forum:
    http://www.battlevirus.com/forum/vie....php?f=10&t=26

    Still Problems? Try the bootable CD from DrWeb

    For a final check that your PC is clean run Hitman Pro cloud scanning (the scanner is free not the cleaning)

    If ALL the above fails please post your Hijackthis log to Bleepingcomputer or SpywareHammer


    Once you have cleaned the system please remember to purge the windows system restore points. You may be reinfected otherwise.
    - Disable system restore (How to disable windows SYSTEM RESTORE);
    - Reboot the PC
    - Re-enable system restore
    Last edited by GeorgeV; April 5th, 2010 at 06:44 AM. Reason: typo
    GeorgeV
    ZoneAlarm® Extreme Security


    Click here for ZA Support
    Monday-Saturday, 6am to 10pm Central time
    Closed Sundays and Holidays
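
Post #2 notes that svchost.exe is itself part of Windows, so the name alone says nothing about whether a given instance is the genuine one. The following is an added example, not code from the thread or from ZoneAlarm: it assumes PowerShell 3.0 or later (for `Get-CimInstance`) and uses a hypothetical helper name, `Test-SvchostInstance`, to flag instances whose image path or parent process does not match the Windows binary.

```powershell
# Genuine svchost.exe images live here (SysWOW64 exists on 64-bit Windows only).
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Hypothetical helper: returns one verdict object per svchost.exe process record.
function Test-SvchostInstance {
    param(
        [Parameter(Mandatory)] $Process,               # needs ProcessId, ParentProcessId, ExecutablePath
        [Parameter(Mandatory)] [hashtable] $NameByPid  # PID -> process name, used for the parent lookup
    )
    $reasons = @()
    if ([string]::IsNullOrEmpty($Process.ExecutablePath)) {
        # Usually means the query was not run elevated; treat as "unknown", not "clean".
        $reasons += 'image path not readable (run elevated and re-check)'
    } else {
        $dir = Split-Path -Parent $Process.ExecutablePath
        if ($expectedDirs -notcontains $dir) { $reasons += "unexpected location: $dir" }
    }
    # The Service Control Manager (services.exe) starts the genuine instances.
    $parent = $NameByPid[[int]$Process.ParentProcessId]
    if ($parent -ne 'services.exe') { $reasons += "parent is '$parent', not services.exe" }
    [pscustomobject]@{
        ProcessId  = $Process.ProcessId
        Path       = $Process.ExecutablePath
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample record (not taken from the thread): a copy started from a temp folder.
$sample = [pscustomobject]@{
    ProcessId = 4242; ParentProcessId = 999
    ExecutablePath = 'C:\Users\Public\Temp\svchost.exe'
}
Test-SvchostInstance -Process $sample -NameByPid @{ 999 = 'explorer.exe' } | Format-List

# Live check of every svchost.exe on this machine.
$all = Get-CimInstance Win32_Process
$nameByPid = @{}
foreach ($p in $all) { $nameByPid[[int]$p.ProcessId] = $p.Name }
$all | Where-Object { $_.Name -eq 'svchost.exe' } |
    ForEach-Object { Test-SvchostInstance -Process $_ -NameByPid $nameByPid } |
    Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A clean result here does not rule out a rootkit, which can hide processes from WMI queries made on the running system; the offline scan from a bootable CD suggested in the post covers that case.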

  3. #3
    nm156 Guest

    Re: Katusha.j keeps coming back

    I have ZA 9.1 as well as the most recent version of Malwarebytes.

    I followed the instructions above and ran ZA in Ultra Deep Scan mode while in safe mode. It found a number of new infections that the default scan setting did not. During the time it was doing this (in safe mode) I had numerous windows pop up that appeared to be the Windows antispyware. I kept closing them out for fear they were not legit.

    Once the ZA scan was complete, I rebooted. Upon reboot the system would not run any EXE files. It kept prompting for a file to be associated with it. I was able to correct that problem and rebooted again.

    The next reboot things seemed better. I ran another ZA scan in Rootkit mode and found a few more infections. I also ran MBAM, which came up clean.

    Yet another reboot, and the multiple .tmp folders seem to have gone away. One thing I am not sure of is the persistence of a number of .tmp files in the C:\Windows\Temp folder. One is AV1.tmp. This sometimes gets replaced with a file like AV7.tmp. Is this part of an infection?

    I still seem to have an svchost process that takes up a lot of CPU from time to time. I downloaded Process Explorer, and one thing I found odd was that the svchost process in question showed multiple index.dat references as services.

    I will try running hijackthis and sending the log to the forum listed above. I have not used that product before. I think my system is healthier than it was, but I am still suspicious that it has some lingering infection.

  4. #4

    Re: Katusha.j keeps coming back

    Hi nm156,

    What you described sounds like a nasty rootkit to me.

    As George has kindly recommended, register a new account and post here at BattleVirus.com:
    http://www.battlevirus.com/forum/vie...5ec7c169c0a0d7

    I would be more than willing to help you clean your PC of any lingering infections.


    Regards,
    chiaz

  5. #5
    Join Date: Aug 2009
    Location: Texas Gulf Coast
    Posts: 1,643

    Re: Katusha.j keeps coming back

    Quote: Originally posted by nm156
    One thing I am not sure of is the persistence of a number of .tmp files in the C:\Windows\Temp folder. One is AV1.tmp. This sometimes gets replaced with a file like AV7.tmp. Is this part of an infection?

    Noticed this temp file after upgrade of ZoneAlarm Security Suite version: 9.1.507.000.

    I took a look in C:\Windows\Temp folder to confirm av1.tmp Size: 41.2 MB was there.

    Shut down ZoneAlarm Control Center. Temp file no longer there. Loaded ZoneAlarm Security Suite and av1.tmp is recreated.

    I checked also in Safe Mode with Networking. Checked C:\Windows\Temp. File not in C:\Windows\Temp. Checked before running scan and no av1.tmp in folder. Loaded ZoneAlarm, checked folder and file av1.tmp created.

    Ran Super Scan and it was clean.

    I did Live Chat and they confirmed that this is where anti-virus and anti-spyware engine temp files are kept.

    Have a nice Day
    Last edited by Sky Soldiers; April 8th, 2010 at 06:13 AM. Reason: paraphrase

  6. #6
    findley Guest

    Re: Katusha.j keeps coming back

    Quote: Originally posted by Sky Soldiers
    Noticed this temp file after upgrade of ZoneAlarm Security Suite version: 9.1.507.000.

    I took a look in C:\Windows\Temp folder to confirm av1.tmp Size: 41.2 MB was there.

    Shut down ZoneAlarm Control Center. Temp file no longer there. Loaded ZoneAlarm Security Suite and av1.tmp is recreated.

    I checked also in Safe Mode with Networking. Checked C:\Windows\Temp. File not in C:\Windows\Temp. Checked before running scan and no av1.tmp in folder. Loaded ZoneAlarm, checked folder and file av1.tmp created.

    Ran Super Scan and it was clean.

    I did Live Chat and they confirmed that this is where anti-virus and anti-spyware engine temp files are kept.

    Have a nice Day

    Nice catch Sky Soldiers
    Enjoy your day
    Cheers,
    Findley
