Trojan Win32/Spy.VBStat.J

Status
Not open for further replies.

Tartaras

Hi, sorry for my English, it is not fluent at all :)
So let's get to the real problem...
Yesterday NOD32 detected this trojan. There was an option like terminate, so I chose it. After a while IE tried to connect to the internet, it searched for something in the ICQ toolbar :/ Then Firefox opened new tabs a few times, but there was the message "couldn't find server". After that I scanned my local drives with NOD32 in-depth analysis and NOD found nothing :/ That's strange I think, no? I downloaded VundoFix, scanned, and it found these files:
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\fccaxvt.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\qsflqint.dll
C:\WINDOWS\system32\tniqlfsq.ini

But now, when Windows is starting, an error message appears: cannot run some DLL file. Sorry, I can't remember which one, but I think it is one from the list above.
So I ran HijackThis (already renamed to scanner) and have this log:
I'll attach the log file to this post.

So, if anybody could tell me, do I have some threats on my system?

Thank you, for your cooperation.
 
Hi,

You are running an outdated version of HijackThis.
You can obtain the latest version from the link in my signature.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\uroapxlw.dll
O2 - BHO: (no name) - {5B62916D-0617-4D58-8FFD-06C99F30F279} - blank (file missing)

Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.
C:\WINDOWS\system32\uroapxlw.dll


Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. You can obtain the programs from the links in my signature.


Regards,
Your friendly Momok =)

This thread is for the use of tartaras only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
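
An added example, not part of the thread or of HijackThis itself: a small Python triage over entry lines in the format quoted in the reply above, flagging entries whose target file is absent and unnamed BHOs that load from system32. The flag names and the fourth sample line are assumptions made for illustration.

```python
import re

# First three lines are the entries quoted in the reply above;
# the fourth is constructed here as a benign contrast case.
SAMPLE_LOG = r"""
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\uroapxlw.dll
O2 - BHO: (no name) - {5B62916D-0617-4D58-8FFD-06C99F30F279} - blank (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

# section - kind: display name - {CLSID} - target
ENTRY = re.compile(
    r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)


def parse_entries(log_text):
    """Return one dict per line that matches the CLSID-style entry layout."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def flags_for(entry):
    """Heuristic labels (assumed names, not HijackThis output)."""
    target = entry["target"].strip()
    if target.endswith("(no file)") or target.endswith("(file missing)"):
        # Registry entry remains but nothing on disk backs it.
        return ["orphaned"]
    if entry["name"] == "(no name)" and "\\system32\\" in target.lower():
        # Unnamed browser helper loading a DLL from system32: review it.
        return ["unnamed-system32-dll"]
    return []


def triage(log_text):
    """Return (section, clsid, flags) for every entry with at least one flag."""
    flagged = [(e["section"], e["clsid"], flags_for(e)) for e in parse_entries(log_text)]
    return [row for row in flagged if row[2]]


if __name__ == "__main__":
    for section, clsid, flags in triage(SAMPLE_LOG):
        print(section, clsid, ",".join(flags))
```
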
 
Hi again

First, thank you for replying.

I did everything you told me, I just couldn't find that file:
C:\WINDOWS\system32\uroapxlw.dll
Maybe HijackThis deleted that file :/
So I'll include the log files as you asked.
And about the AVG report:
Your file of 180.0 KB bytes exceeds the forum's limit of 100.0 KB for this filetype. :)
So it's too big, but it is about 540 tracking cookies and logger.agent in pach file, also Trojan.Obfuscated.en :)
Not good at all I think :)
So what's next, my friend?
 
Hi,

Your logs look clean now.

Perhaps you can do a fresh AVG scan and post your new log. I'll just take a quick look at it before giving you the green light.


Regards,
Your friendly Momok =)

 
Me again

Hi,

I attached two log files. The first one is avg report.txt. After the first scan AVG detected a trojan, so I turned off system monitoring and rebooted the system after choosing the delete on reboot option in AVG. I did another scan after that, and the log of that scan is in avg report 2.txt. AVG didn't find any trojans :) just tracking cookies.
So do I have the green light? :)
 
Hi,

Please download and run CCleaner via step 9 of the instructions HERE.

Your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly Momok =)

 