TechSpot

Win32:VBStat-C [Trj]

By Rajittaa
May 23, 2007
  1. I'm a newbie to this place, but it would appear that everyone here knows their stuff.

    I keep receiving the following message from avast:
    [​IMG]

    I delete the file and it just keeps returning.

    I have run avast, hi-jack, adaware, and Spy Bot. Each one has come up with something and I have deleted it all. Yet it keeps coming back.

    If anyone can help it would be most greatly appreciated.
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello Rajittaa and welcome to TechSpot.

    Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

    If you decide to clean your system after reading the above thread, do the following.

    Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

    Regards :)

    This thread is for the use of Rajittaa only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. Rajittaa

    Rajittaa TS Rookie Topic Starter

    Reply to kitty500cat:

    I think this is everything you needed

    [​IMG]
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    You should copy and paste these instructions into a text file (using Notepad) and save it to your desktop so you can access it from safe mode.

    Now please do the following.

    Boot into safe mode, under your normal user name (not the administrator account). See how HERE.

    In Windows Explorer, turn on "show all files and folders, including hidden and system." See how HERE.

    Run HijackThis with no other programs open (except Notepad). Place a tick in the little box next to the following entries (if there):

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe

    O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)

    O23 - Service: WatchDog Network Server (wdserver) - Unknown owner - C:\Program Files\WatchDog\wdserver.exe (file missing)

    Click the Fix Checked button and then close HijackThis.

    Search your system for the filename alcxmntr.exe and delete all instances found.

    Now reboot into normal mode and rehide your protected files.

    All the items in your AVG Antispyware log say No Action Taken. This is because you haven't set it to deal properly with the results. You need to set it to apply the recommended action to all results. See how here.

    After doing that, scan with AVG Antispyware again, and post a fresh log, along with fresh HijackThis and ComboFix logs and fresh AVG Antirootkit results.

    Regards :)

    This thread is for the use of Rajittaa only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  5. Rajittaa

    Rajittaa TS Rookie Topic Starter

    Reply to kitty500cat:

    Ok round two fight!

    Hopefully I got it all for you this time.

    The only thing I didn't do was the Rootkit screen cap, but the results came back with it not finding anything.
     
  6. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    I'm leaving for the weekend. Can somebody else please check this?

    I'll be back Sunday.

    Regards :)
     
  7. momok

    momok TS Rookie Posts: 2,265

    Sure thing kitty500cat. =)

    Rajittaa:

    Have HijackThis fix the following:

    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O20 - AppInit_DLLs: PAVWAIT.DLL C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

    I notice you have watchdog installed on your system.
    from http://www.fbmsoftware.com/spyware-net/process/wdserver_exe/2219/
    If it was not intentionally installed for a reason, I suggest that you get rid of it.

    Your system shows traces of malware. I'd like you to do the following.

    Boot into safe mode like how you did previously and unhide all system files and folders.

    Use Control Panel > Add and Remove Programs and remove anything related to the following (if you find them):
    WildTangent
    Viewpoint


    Then navigate in Windows Explorer and delete the following folders:
    C:\Program Files\WildTangent
    C:\Program Files\Viewpoint

    Reboot into normal mode and rehide your OS files.

    Please post a fresh ComboFix and HijackThis log from normal mode after you have done the above.


    Regards,
    Your friendly Momok =)

    This thread is for the use of Rajittaa only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
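
The HijackThis entries quoted in the two helper posts above (the O4/O6/O20/O23 list and the O9/O20 list) can be sorted by section and flagged before any boxes are ticked. This is an added example, not part of any post in this thread and not HijackThis's own code; the function names `parse_entry` and `triage` and the flag names are made up for the illustration, and the sample lines are copied from the posts.

```python
import re

# HijackThis section codes seen in this thread and what each one lists.
SECTIONS = {
    "O4": "autostart entry (Run key / Startup folder)",
    "O6": "Internet Explorer options restricted by policy",
    "O9": "extra Internet Explorer button or Tools menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O20": "AppInit_DLLs / Winlogon Notify DLL load point",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^\s*(O\d+)\s+-\s+(.*?)\s*$")


def parse_entry(line):
    """Split one log line into section code, body and review flags."""
    m = ENTRY.match(line)
    if not m:
        return None
    code, body = m.groups()
    flags = []  # flag names are hypothetical, chosen for this example
    if body.endswith("(file missing)"):
        flags.append("orphaned")        # entry remains, target file is gone
    if "Unknown owner" in body:
        flags.append("unknown-owner")   # HijackThis reported no owner for the binary
    if code == "O20":
        flags.append("dll-load-point")  # DLL loaded by Winlogon or via user32.dll
    return {"code": code, "section": SECTIONS.get(code, "unknown section"),
            "body": body, "flags": flags}


def triage(log_text):
    """Return parsed entries that carry at least one flag, for manual review."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["flags"]]

# Sample lines copied from the posts above.
SAMPLE = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
O23 - Service: WatchDog Network Server (wdserver) - Unknown owner - C:\Program Files\WatchDog\wdserver.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O20 - AppInit_DLLs: PAVWAIT.DLL C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["code"], e["flags"], "-", e["section"])
```

A flag only marks an entry for a closer look; entries such as the O4 and O6 lines carry no flag here and still need a human decision, as in the thread.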
     
  8. Rajittaa

    Rajittaa TS Rookie Topic Starter

    Reply to Momok

    Did what you asked. I wasn't able to locate anything in regards to watchdog. I at one point did install it, but then removed the program.

    Here are the logs you requested:

    Thanks for filling in yo
     
  9. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.
    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop; this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    Now go into Add/Remove Programs in your Control panel and remove anything relating to Viewpoint or FlashGet.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following files:
    D:\Info.exe
    E:\start.exe
    C:\WINDOWS\iun6002.exe

    * Click Open
    * Please let me know the results.

    FlashGet sometimes gives ads, which is why I told you to remove it. You can find a list of good download managers here.

    Please post a fresh HijackThis and ComboFix log, as well as C:\avenger.txt, and post here the results of the Jotti.org virus scan.

    Regards :)

    This thread is for the use of Rajittaa only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  10. Rajittaa

    Rajittaa TS Rookie Topic Starter

    The Jotti scan was all ok except the last one I ran, E:\start.exe. It came back with this: "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

    I didn't think I had an E:\ drive, it was a CD drive that unplugged. Maybe that's the problem?
     
  11. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    OK then, don't worry about the E:\start.exe.

    Have HijackThis fix this inactive entry yet:

    O23 - Service: WatchDog Network Server (wdserver) - Unknown owner - C:\Program Files\WatchDog\wdserver.exe (file missing)

    All your logs are now clean.

    Turn off system restore (XP/ME only). See how HERE
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This will create a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.

    Regards :)

    This thread is for the use of Rajittaa only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
Topic Status:
Not open for further replies.
