TechSpot

Help remove VirTool:Win32/VBInject [keeps coming back]

By JeffHarrsi
Oct 26, 2011
  1. I have a virus (I'm not sure if this is a virus or malware), named:
    VirTool:Win32/VBInject,
    VirTool:Win32/VBInject.SK,
    Trojan:Win32/Sisproc,
    Worm:Win32/Dorkbot.T,
    VirTool:Win32/CeeInject.

    I used Microsoft Security Essentials, and it detected this virus. I keep deleting it, but it keeps coming back. I have tried a full scan in safe mode. There were a lot of this kind of virus detected (I think almost 500) and I have removed them all. After that I rebooted my PC and started it normally. But then, minutes after, Microsoft Security Essentials again keeps detecting this kind of virus. Please help me to get rid of this completely. Thanks in advance.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Jeff! I'll help find the malware. It is most likely coming back because all of the processes haven't been removed.

    When you refer to a number like 500, that is a matter of concern. It may indicate that there is a file infector continuing to infect files. Let's do an online virus scan first and leave me that log.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the ESET Smart Installer download button to download it. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================
    I'd like to check the Eset log before I have you run any other scans.

    Please run that as soon as you can.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. JeffHarrsi

    JeffHarrsi TS Rookie Topic Starter

    Hello Bobbye,

    First of all I would like to say thank you for your response. Secondly, I wasn't aware that you had changed your reply. I already did (not all; I haven't performed the last one, which is DDS) what you had said earlier last night. So I will paste the logs I have here.

    Things you may wanna know:

    After doing what is instructed in "UPDATED 5-step Viruses/Spyware/Malware Preliminary Removal Instructions", my PC got SLOWER, like 3-4 times (e.g. my PC boot start-up was 20 secs, now it takes me 1 min or more to get into Windows, and when I browse the internet or open an application, it's really slow). This slowness happened after the GMER scan, I guess. (Note: when I ran GMER it performed a really quick scan. I'm not sure if that was really a scan because there was no log after. So I clicked Scan. I thought the scan would end very soon, but after about an hour it was still scanning. I was thinking that I did this wrong, so I just had to stop it.)

    Please help. Would you recommend a system restore? Thanks for your response.



    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8025

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    10/27/2011 7:00:58 AM
    mbam-log-2011-10-27 (07-00-58).txt

    Scan type: Quick scan
    Objects scanned: 158683
    Time elapsed: 10 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Btdsdt (Trojan.Agent) -> Value: Btdsdt -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\jun\application data\btdsdt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\153D.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\237.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\74.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\76.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\C.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\E64.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\46.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\application data\3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\local settings\Temp;\acd\tasker.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\local settings\Temp;\acd\taskr.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
    c:\documents and settings\Jun\local settings\Temp;\acd\tasks.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.



    **GMER LOG**

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-10-27 08:40:50
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST340014A rev.3.04
    Running: 1o89xn4h.exe; Driver: C:\DOCUME~1\Jun\LOCALS~1\TEMP_~1\pgliipoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? xvcelyl.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
    IAT C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c2098d
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c2098d@6c9b026c9c00 0x42 0xB1 0x21 0x24 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000272c2098d (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000272c2098d@6c9b026c9c00 0x42 0xB1 0x21 0x24 ...

    ---- EOF - GMER 1.0.15 ----


    P.S:
    Microsoft Security Essentials is not detecting those viruses anymore, for now. I guess it was completely removed after scanning with Malwarebytes.
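The Malwarebytes log above already shows the mechanism behind the "keeps coming back" symptom: the Run value HKEY_CURRENT_USER\...\CurrentVersion\Run\Btdsdt relaunches btdsdt.exe from Application Data at every logon, and Malwarebytes could only mark that value "Delete on reboot", so the persistence entry survived until the next restart even though the files were quarantined. The script below is an added example for this thread (it is not part of the original post and not a Malwarebytes tool): it parses an MBAM 1.x text log, pairs each Run/RunOnce value with the detected file its name points to, counts detection families, and lists items still scheduled for deletion at reboot. The embedded sample log is a subset of the one posted above; the line shape the parser assumes (`<path> (<family>) -> <action>`) is read off that log, not a documented specification.

```python
"""Triage helper for a Malwarebytes (MBAM 1.x) text log.

Added example for this thread; not part of the original post and not a
Malwarebytes tool. SAMPLE_LOG is a subset of the log posted in the thread.
The "<path> (<family>) -> <action>" line format is an assumption taken from
that log.
"""
import ntpath
import re
from collections import Counter

SAMPLE_LOG = r"""
Registry Values Infected: 1
Files Infected: 3

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Btdsdt (Trojan.Agent) -> Value: Btdsdt -> Delete on reboot.

Files Infected:
c:\documents and settings\jun\application data\btdsdt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Jun\application data\153D.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\documents and settings\Jun\application data\E64.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
"""

# "Files Infected: 14" is the summary table at the top; "Files Infected:" opens a section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
VALUE_RE = re.compile(r"^Value: (?P<value>.+?) -> (?P<action>.+)$")
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return one dict per detection: section, path, family, value, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            if sec.group("count") is None:
                section = sec.group("name")
            continue
        ent = ENTRY_RE.match(line)
        if not ent or section is None:
            continue  # e.g. "(No malicious items detected)" or the log banner
        value, action = None, ent.group("rest")
        val = VALUE_RE.match(action)
        if val:  # registry value lines carry "Value: <name> -> <action>"
            value, action = val.group("value"), val.group("action")
        entries.append({"section": section, "path": ent.group("path"),
                        "family": ent.group("family"), "value": value,
                        "action": action})
    return entries


def autostart_entries(entries):
    """Registry values under a Run/RunOnce key: these relaunch a dropper at logon."""
    return [e for e in entries
            if e["section"].startswith("Registry") and AUTOSTART_RE.search(e["path"])]


def pending_reboot(entries):
    """Items MBAM could not remove while Windows was running."""
    return [e for e in entries if "delete on reboot" in e["action"].lower()]


def correlate_autostarts(entries):
    """Pair each Run value with detected files whose base name equals the value name."""
    files = [e for e in entries if e["section"] == "Files Infected"]
    report = []
    for reg in autostart_entries(entries):
        stem = (reg["value"] or ntpath.basename(reg["path"])).lower()
        matched = [f["path"] for f in files
                   if ntpath.splitext(ntpath.basename(f["path"]))[0].lower() == stem]
        report.append({"key": reg["path"], "value": reg["value"], "files": matched})
    return report


def family_counts(entries):
    """How many detections per family (a miner count hints at what the box was used for)."""
    return Counter(e["family"] for e in entries)


def summarize(text):
    """Human-readable triage of one log."""
    entries = parse_mbam_log(text)
    fam = ", ".join(f"{k}={v}" for k, v in sorted(family_counts(entries).items()))
    lines = [f"{len(entries)} detections: {fam}"]
    for r in correlate_autostarts(entries):
        lines.append(f"autostart {r['key']} -> {r['files'] or 'no matching file in this log'}")
    for e in pending_reboot(entries):
        lines.append(f"not removed until reboot: {e['path']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the complete log text (`summarize(open("mbam-log.txt").read())`) and the first thing to read is the autostart line: a Run value whose matching executable was quarantined is fine once the value itself is gone, but a Run value with no matching file in the log means the launcher points at something the scanner did not see.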
     
  4. Bobbye


    I thought I got back quickly enough! I investigated the entries you left and after seeing the severe threat for each and the potential of what they might indicate, I changed to the Eset scan first.

    It's okay that you ran the other programs but we need to get the online virus scan. Please run that now.

    You have already indicated that it "keeps coming back". I urge you to continue with the cleaning. One problem resolved does not mean all of the malware is gone.
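A note on reading the GMER log in post 3. Every user-mode hook it lists sits inside the two chrome.exe processes, on ntdll exports such as NtCreateFile, NtOpenProcess and NtMapViewOfSection, plus one IAT entry for CreateNamedPipeW; that set is consistent with the interceptions Chrome's own sandbox installs in its processes, so those lines are not by themselves evidence of a rootkit. The lines worth a second look are in the kernel section: a driver name (xvcelyl.sys) that the scanner could not find on disk, while no SSDT or kernel-code hook lines appear at all. The script below is an added example (not part of the original thread and not a GMER tool) that parses the user-mode hook and kernel-section lines, groups hooks by process, and flags any hook in a process the analyst has not listed as expected to patch its own ntdll. The sample text is a subset of the posted log; the regexes encode the line shapes read off that log, and the default allow-list of chrome.exe is an assumption for this thread.

```python
"""Summarize user-mode hook lines and kernel-section errors from a GMER 1.0.15 log.

Added example for this thread; not part of the original post and not a GMER
tool. SAMPLE_LOG is a subset of the log posted in the thread. The regexes
assume the line shapes seen in that log.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

? xvcelyl.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1360] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\Jun\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[916] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
"""

# ".text <process>[pid] <module>!<export> + <offset> <address> <n> Byte(s) <patch>"
TEXT_HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>\S+)!(?P<export>\w+) \+ "
    r"(?P<offset>[0-9A-F]+) (?P<addr>[0-9A-F]+) (?P<size>\d+) Bytes? (?P<patch>.+)$")
# "IAT <process>[pid] @ <module> [<dll>!<import>] <address>"
IAT_HOOK_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) \[(?P<import>[^\]]+)\] "
    r"(?P<addr>[0-9A-F]+)$")
# "? <driver> <error text> !" in the kernel code sections
KERNEL_ERR_RE = re.compile(r"^\? (?P<driver>\S+) (?P<message>.+?) !$")


def parse_gmer_log(text):
    """Return (hooks, kernel_issues); each hook records process, pid and a label."""
    hooks, kernel_issues = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = TEXT_HOOK_RE.match(line)
        if m:
            hooks.append({"kind": "inline", "process": ntpath.basename(m["proc"]),
                          "pid": int(m["pid"]),
                          "label": f"{m['module']}!{m['export']}",
                          "target": m["patch"]})
            continue
        m = IAT_HOOK_RE.match(line)
        if m:
            hooks.append({"kind": "iat", "process": ntpath.basename(m["proc"]),
                          "pid": int(m["pid"]),
                          "label": f"IAT {ntpath.basename(m['module'])} -> {m['import']}",
                          "target": m["addr"]})
            continue
        m = KERNEL_ERR_RE.match(line)
        if m:
            kernel_issues.append({"driver": m["driver"], "message": m["message"]})
    return hooks, kernel_issues


def hooks_by_process(hooks):
    """Map (process name, pid) -> sorted list of distinct hooked targets."""
    out = defaultdict(set)
    for h in hooks:
        out[(h["process"], h["pid"])].add(h["label"])
    return {k: sorted(v) for k, v in out.items()}


def hooks_outside(hooks, expected_processes):
    """Hooks in any process not on the analyst's allow-list: the ones to explain.

    The allow-list holds programs known to patch their own ntdll (sandboxed
    browsers, some AV/HIPS). A hook in explorer.exe, or in every process on
    the box, would not be covered by it.
    """
    allowed = {p.lower() for p in expected_processes}
    return [h for h in hooks if h["process"].lower() not in allowed]


def triage(text, expected_processes=("chrome.exe",)):
    """One-screen summary of the user-mode hooks and kernel-section problems."""
    hooks, kernel_issues = parse_gmer_log(text)
    per_proc = hooks_by_process(hooks)
    lines = [f"{len(hooks)} user-mode hook lines in {len(per_proc)} process(es)"]
    for (name, pid), labels in sorted(per_proc.items()):
        lines.append(f"  {name}[{pid}]: {len(labels)} distinct hooked target(s)")
    unexplained = hooks_outside(hooks, expected_processes)
    lines.append(f"hooks outside {list(expected_processes)}: {len(unexplained)}")
    for k in kernel_issues:
        lines.append(f"kernel: driver {k['driver']} listed but {k['message']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it over the full log and the "hooks outside" count is the number that matters: zero means every hook lives in a process you already expected to self-patch, and attention should go to the kernel lines instead; a non-zero count lists the processes and targets that need a closer look.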
     
