TechSpot

Trojan Win32/Spy.VBStat.J

By Tartaras
May 20, 2007
  1. Hi, sorry for my English, it is not fluent at all :)
    So let's get to the real problem...
    Yesterday NOD32 detected this trojan. There was an option like terminate, so I chose it. After a while IE tried to connect to the internet, it searched for something in the ICQ toolbar :/ Then Firefox opened new tabs a few times, but there was the message "couldn't find server". After that I scanned my local drives with NOD32 in-depth analysis and NOD found nothing :/ That's strange I think, no? I downloaded VundoFix, scanned, and it found these files:
    C:\WINDOWS\system32\ccbeg.bak2
    C:\WINDOWS\system32\ccbeg.ini
    C:\WINDOWS\system32\fccaxvt.dll
    C:\WINDOWS\system32\gebcc.dll
    C:\WINDOWS\system32\qsflqint.dll
    C:\WINDOWS\system32\tniqlfsq.ini

    But now, when Windows is starting, an error message appears saying it cannot run some DLL file. Sorry, I can't remember which one, but I think it is one from the list above.
    So I ran HijackThis (already renamed to scanner) and have this log:
    I'll attach the log file to this post.

    So, if anybody could tell me, do I have some threats on my system?

    Thank you, for your cooperation.
     
  2. momok TS Rookie Posts: 2,265

    Hi,

    You are running an outdated version of HijackThis.
    You can obtain the latest version from the link in my signature.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\uroapxlw.dll
    O2 - BHO: (no name) - {5B62916D-0617-4D58-8FFD-06C99F30F279} - blank (file missing)

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.
    C:\WINDOWS\system32\uroapxlw.dll


    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. You can obtain the programs from the links in my signature.


    Regards,
    Your friendly Momok =)

    This thread is for the use of tartaras only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
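
As an added illustration (not part of the thread and not code from momok or HijackThis), a small Python triage over the entry lines quoted in the post above. The flagging rules, the names `triage` and `SAMPLE_LOG`, and the fourth sample line are assumptions made for this example.

```python
import re

# Sample input: the three entries quoted in the post above, plus one constructed
# benign-looking BHO line (hypothetical name, CLSID and path) for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\uroapxlw.dll
O2 - BHO: (no name) - {5B62916D-0617-4D58-8FFD-06C99F30F279} - blank (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

# Entry shape as seen above: SECTION - KIND: NAME - {CLSID} - TARGET
ENTRY = re.compile(
    r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
ORPHANED = re.compile(r"\((?:no file|file missing)\)")
SYSTEM32_DLL = re.compile(r"C:\\WINDOWS\\system32\\[^\\]+\.dll", re.IGNORECASE)


def triage(log_text):
    """Return (section, clsid, reasons) for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a CLSID-style entry; ignored by this example
        reasons = []
        if ORPHANED.search(m["target"]):
            reasons.append("orphaned: registry entry points at a missing file")
        if m["name"] == "(no name)":
            reasons.append("unnamed: component registered without a display name")
        if SYSTEM32_DLL.fullmatch(m["target"]):
            reasons.append("system32-dll: loads a DLL directly from system32")
        if reasons:
            findings.append((m["section"], m["clsid"], reasons))
    return findings


if __name__ == "__main__":
    for section, clsid, reasons in triage(SAMPLE_LOG):
        print(section, clsid)
        for reason in reasons:
            print("   ", reason)
```

The three entries from the post are flagged and the constructed contrast line is not; a flag here means "review by hand", not a verdict.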
     
  3. Tartaras TS Rookie Topic Starter

    Hi again

    First, thank you for replying.

    I did everything you told me, I just couldn't find that file:
    C:\WINDOWS\system32\uroapxlw.dll
    Maybe HijackThis deleted that file :/
    So I'll include the log files as you asked.
    And about the AVG report:
    Your file of 180.0 KB bytes exceeds the forum's limit of 100.0 KB for this filetype. :)
    So it's too big, but it is about 540 tracking cookies and logger.agent in a patch file, also Trojan.Obfuscated.en :)
    Not good at all I think :)
    So what's next, my friend?
     
  4. momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now.

    Perhaps you can do a fresh AVG scan and post your new log. I'll just take a quick look at it before giving you the green light.


    Regards,
    Your friendly Momok =)
     
  5. Tartaras TS Rookie Topic Starter

    Me again

    Hi,

    I attached two log files. The first one is avg report.txt. After the first scan AVG detected a trojan, so I turned off system monitoring and rebooted the system after choosing the delete on reboot option in AVG. I did another scan after that, and the log of that scan is in avg report 2.txt. AVG didn't find any trojans :) just tracking cookies.
    So do I have the green light? :)
     
  6. momok TS Rookie Posts: 2,265

    Hi,

    Please download and run CCleaner via step 9 of the instructions HERE.

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly Momok =)
     
  7. Tartaras TS Rookie Topic Starter

    Thank you very much

    You are the man friendly momok :)
    Thanks again :grinthumb
     
Topic Status:
Not open for further replies.
