trojan win32 vb.aad
Eddystr
Newbie
6. December 2005 @ 19:48
I have a trojan win32 vb.aad. Does anyone know how to remove it? I've tried Ad-aware, Spybot and various others with no luck.
-kemisti-
AfterDawn Addict
6. December 2005 @ 21:44
Try ewido -> http://www.ewido.net/en/download
Install and update it. Then do a complete system scan, let it delete what it finds and save report. Send that report here. Send also HijackThis-log, instructions (Step 3) -> http://forums.afterdawn.com/thread_view.cfm/263784
Eddystr
Newbie
6. December 2005 @ 22:49
Thanks, I'll try it now and get back to you.
Eddystr
Newbie
6. December 2005 @ 23:25
Ewido report
+ Created on: 8:21:07 PM, 7/12/2005
+ Report-Checksum: FF3F22BC

+ Scan result:

C:\Documents and Settings\Joshua\Cookies\joshua@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Joshua\Cookies\joshua@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wfkispcjwdp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wfkyojdzsdq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wflicgdpsho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wfliqlcpgkp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wfmikmajcho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wgkygpdpiho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wgkyokdzigp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjkykhcpcdp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjl4gmd5eap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjlisldpslp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjlysgc5cbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjlyslajmko.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjlyugdjobp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjmiakajmlo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjmiqlcpiao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjmyskdpsbp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@e-2dj6wjnywnd5odp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Cookies\mum and dad@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Local Settings\Temporary Internet Files\Content.IE5\8DIFCTQB\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Local Settings\Temporary Internet Files\Content.IE5\S5IJODI7\home[1].htm -> Trojan.ObjID.b : Cleaned with backup
C:\Documents and Settings\Mum and Dad\Local Settings\Temporary Internet Files\Content.IE5\WXER0PEN\ysb_prompt[1].htm -> Downloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@ehg-warnerbrothers.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\nathan@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End
-kemisti-
AfterDawn Addict
7. December 2005 @ 00:18
Ok. Still having problems? Send also HijackThis-log, instructions here (Step 3 and 4) -> http://forums.afterdawn.com/thread_view.cfm/263784

This message has been edited since posting. Last time this message was edited on 7. December 2005 @ 00:18

Senior Member

3 product reviews
7. December 2005 @ 02:38
have you tried a scan with the most updated norton, useful to find these...

or you could try one of the online scan pages...





"Its so hard to try to be different..."-Apocalypse Hoboken
-kemisti-
AfterDawn Addict
7. December 2005 @ 02:59
You can also try eScan, it's very good one for viruses/trojans-> http://www.spywareinfo.dk/download/mwav.exe

Here is batch file for easy updating -> http://koti.mbnet.fi/pattaya1/lataus/Mwav.bat

Save it to your desktop, doubleclick and permit kavupd.exe to access internet. After updating, eScan will automatically start.

Make sure that you select these:



And after scan copy the Virus log information(press ctrl+a, then ctrl+c. When you want to paste them here, press ctrl+v):

ddp
Moderator
7. December 2005 @ 04:57
Eddystr
Newbie
7. December 2005 @ 12:19
Hi Kemisti, I still have the problem. I use the latest Nod32 antivirus and it can't clean it.
Here is the HijackThis Log. I'll try escan while I'm waiting for instructions. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 9:56:55 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
-kemisti-
AfterDawn Addict
7. December 2005 @ 21:43
@Eddystr: That trojan doesn't seem to appear in HjT-log. Anyway, you can fix this line(open HjT, click do a system scan only, mark it and press fix checked):

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

And after finishing eScan, I would like to see "Virus log information", so could you please send it here?
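
Added example, not part of the original thread: a small parser for the HijackThis v1.99.1 item format shown in the log above, which picks out entries that HijackThis marked "(no file)" or "(file missing)", such as the O2 line singled out in the reply. The sample lines are copied from the posted log; the function names and the section-to-registry-key hints are this example's own.

```python
import re

# Lines copied from the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
"""

# An item line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ITEM = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Suffixes HijackThis appends when the registered target is not on disk.
MARKERS = {"(no file)": "no file", "(file missing)": "file missing"}
# Registry locations behind two section codes (hint for manual inspection).
SECTION_KEYS = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    "O18": r"HKLM\SOFTWARE\Classes\PROTOCOLS\Handler",
}

def parse_items(text):
    """Return (section, body) pairs; process paths and headers are skipped."""
    items = []
    for line in text.splitlines():
        m = ITEM.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items

def find_orphans(text):
    """Return items whose target file HijackThis reported as absent."""
    found = []
    for section, body in parse_items(text):
        reason = next((r for s, r in MARKERS.items() if body.endswith(s)), None)
        if reason is None:
            continue
        clsid = CLSID.search(body)
        found.append({
            "section": section,
            "clsid": clsid.group(0) if clsid else None,
            "reason": reason,
            "key": SECTION_KEYS.get(section),
        })
    return found

if __name__ == "__main__":
    for f in find_orphans(SAMPLE_LOG):
        print(f"{f['section']} {f['clsid']} ({f['reason']}) under {f['key']}")
```

An orphaned entry is a leftover registration rather than a running component, which is consistent with the reply's observation that the trojan itself does not show up in the log.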
Eddystr
Newbie
7. December 2005 @ 23:51
Hi, I ran escan and it found and disinfected 1 virus. I restarted the pc and it appears to be fixed. If for some reason it pops back up I'll get back to you.

thanks

P.S I didn't copy the virus log.
Senior Member

3 product reviews
7. December 2005 @ 23:53
glad it worked out for you :)





"Its so hard to try to be different..."-Apocalypse Hoboken
-kemisti-
AfterDawn Addict
8. December 2005 @ 02:32
@Eddystr: You're welcome :) eScan is very good for recognizing/removing viruses.
Eddystr
Newbie
8. December 2005 @ 11:05
Kemisti and Phantom69,
Sorry guys but the virus has popped up again, this is the actual message.

File
c:\system volume information\_ restore{990456d7-2e61-498a-9bea-78f...\a0018840.exe

Virus
Win32/vb.aad trojan


Also I used Hjt to fix this entry
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
ddp
Moderator
8. December 2005 @ 12:12
disable your system restore, restart windows & enable system restore.
Eddystr
Newbie
8. December 2005 @ 16:06
Thanks DDP
I tried your suggestion and so far (3 hours later) I have not seen the problem reoccur.

Thanks kemisti and phantom69 for your help as well.
ddp
Moderator
8. December 2005 @ 16:10
just remember, probably can't do a restore past the point that you re-enabled it
Eddystr
Newbie
8. December 2005 @ 19:04
Yes, I noticed it cleared all the check points. Up to now the problem is fixed.

thanks again.
ddp
Moderator
8. December 2005 @ 19:09
no problem, teach & learn
-kemisti-
AfterDawn Addict
8. December 2005 @ 22:10
That's quite strange, because eScan can delete viruses also from system restore. Well, the most important thing is that your computer is ok now :)