acmain.exe, catbas.exe, pslog.exe

Discussion in 'malware problems & news' started by rerun2, Nov 17, 2004.

Thread Status:
Not open for further replies.
  1. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I normally do not do this, but I thought this story was far too interesting not to share.

    I encountered a computer (P4 WinXP SP1) the other day that was running very slowly. I decided to try to run an updated Ad-Aware scan. But I soon realized that the computer was running far too slow to even perform this scan. I opened up Task Manager (which was an effort in and of itself) and noticed at least one of the three exes that I mentioned in the title running as a process, usually taking 30 MB of memory. If one tried to terminate these processes, it would only restart itself in about a second. These processes would not run as a service either. I decided to reboot into safe mode with networking, disabled System Restore, and turned on the view hidden and system protected files. I also installed and updated Spybot and Ewido. I now ran Ad-Aware, Spybot, and Ewido. Large amounts of spyware and trojans were removed. But still acmain and pslog continued running in the background (even in safe mode). Still too slow to run in normal mode, I continued on in safe mode. I then tried CWShredder and it removed one entry. I then used HijackThis and removed all unnecessary entries. I was now able to stop acmain.exe and delete it. It is found in the Windows/System folder. pslog.exe however remained (once again, still in safe mode). After removing pslog's reg start entry with HijackThis, it would recreate itself immediately. I looked into the folder where it was found (Windows/Help) and noticed that a tmp file would recreate itself every few seconds. I thought I would try creating a tmp file (which was read only with deny permissions) of the same name and drop it in the folder, but the tmp file would recreate itself too fast and (I think) would even overwrite the one which I created. I also tried using dellater on pslog.exe but that would not work either. Finally I decided to do something which is pretty out there heh... I copied all the files in Windows/Help excluding pslog, the tmp file, and another folder which I found suspicious to a folder which I named Help2. I used another clean(er) Windows XP SP1 computer as a reference for which files were clean. Figuring Windows XP did not need Windows/Help to boot, I then booted with the XP disk and entered the Recovery Console in DOS mode. From there I deleted the entire Windows/Help folder. When I booted into safe mode I was glad to see that I got a dialog box that it could not find pslog.exe :D . I did some more clean up with HijackThis and restored the Windows/Help directory. Restoring or formatting would have been an option, but what fun would that be? ;) I probably will format the computer later if I have time. Computer is now much faster though :)

    I did not have a floppy available to take a sample, but I believe acmain.exe is still in the recycle bin of the computer heh. Giant also has a small writeup about acmain.exe if you Google it. I believe they classify it as a trojan. So beware of these three.

    Computer was running an old version of Norton corp 7.x.
    I was thinking of installing another AV but was worried about conflicts and did not think the free AVs would have done me much good.

    Edit: How hard is it for a process to be running in safe mode like this with such protection methods? Is any of this behavior normal in the trojan world? Would another method of manually cleaning be possible? Say if this file was found in a Windows/System32 directory where I could just not delete the entire directory?
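    The restart-within-a-second behaviour described in this post shows up clearly in periodic process listings. The script below is an added example, not code from the thread or from any tool mentioned in it: it compares consecutive snapshots of image name to PID (constructed here, with made-up PIDs, as if taken one second apart from Task Manager or tasklist) and flags names whose PID changed between two adjacent samples, which is what a killed-and-immediately-restarted watchdog process looks like.

```python
from collections import defaultdict

# Constructed sample: process snapshots taken one second apart, as
# {image name: pid}. PIDs are made up; the names are the ones from the thread.
SNAPSHOTS = [
    {"explorer.exe": 1204, "pslog.exe": 1988, "acmain.exe": 2012, "notepad.exe": 3300},
    {"explorer.exe": 1204, "pslog.exe": 1988, "acmain.exe": 2012},            # user closed notepad
    {"explorer.exe": 1204, "pslog.exe": 2440, "acmain.exe": 2012},            # pslog killed, already back
    {"explorer.exe": 1204, "pslog.exe": 2440, "acmain.exe": 2571},            # acmain killed, already back
    {"explorer.exe": 1204, "pslog.exe": 2440, "acmain.exe": 2571, "notepad.exe": 3412},  # notepad reopened
]


def respawn_report(snapshots):
    """Count, per image name, how often its PID changed between two consecutive
    snapshots. A process present in both samples but under a new PID was
    terminated and restarted inside one sampling interval, i.e. the watchdog
    behaviour described in the thread. A name that disappears and only comes
    back later (notepad here) is not counted; that is ordinary user activity."""
    changes = defaultdict(int)
    for prev, cur in zip(snapshots, snapshots[1:]):
        for name, pid in cur.items():
            if name in prev and prev[name] != pid:
                changes[name] += 1
    return dict(changes)


def suspects(snapshots, threshold=1):
    """Image names whose respawn count reaches the threshold, most active first."""
    report = respawn_report(snapshots)
    return sorted((n for n, c in report.items() if c >= threshold),
                  key=lambda n: (-report[n], n))


if __name__ == "__main__":
    for name, count in respawn_report(SNAPSHOTS).items():
        print(f"{name}: restarted {count}x within one sampling interval")
    print("suspects:", suspects(SNAPSHOTS))
```

    A real run would feed the functions snapshots collected over a minute or two while the suspect processes are being terminated; anything that keeps coming back with a new PID inside the sampling interval is worth looking at for a companion process or startup entry that relaunches it.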
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Sounds like you had a Virtumundo variant. If you still have that file, please send it to illukkaATspywarewarrior.com (replace AT with @), in a zipped, password-protected archive please.

    To delete it on reboot, use KillBox:
    http://www.downloads.subratam.org/KillBox.zip
     
  3. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I will try and see if I can get acmain.exe to you and others when I have a chance to get back down there. No guarantees though, but with my luck I will probably find some other goodies :D

    How exactly does KillBox differ from a program like dellater? Is there anywhere I can get more information on it, or perhaps a readme? Thank you illukka.
     