WIN32:VBStat-C [Trj]


Zyrreh

Hello, recently my computer was infected with some kind of Trojan - WIN32:VBStat-C [Trj]. I'm running Avast and it detects it, I delete the trojan, but it comes back after rebooting.

Symptoms - strange alert pop-ups about some kind pseudo-software called ErrorSafe and other.

I want to clean my computer, I would really appreciate your help. Thanks in advance!
 
Hello Zyrreh and welcome to TechSpot.

Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

If you decide to clean your system after reading the above thread, do the following.

Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

Regards :)

This thread is for the use of Zyrreh only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Thanks for the quick reply!
I've followed all the steps, but with some problems - I've run the 4 programs (VundoFix, SmitfraudFix etc.) later than suggested, in safe mode. In normal Windows mode my system was freezing and nothing could be done about it.

I'm attaching all the necessary log files.

AVG Antirootkit didn't detect any rootkits, so I don't attach anything from its report - it was empty.
 
Hi,

Download LSPFix from HERE.
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'nwprovau.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer.

Please follow these instructions carefully.

1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "open Script File".
Navigate to the attachment avengerscript.txt you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Open your task manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab, and end the following processes, if found:

NewDotNet
UnSpyPC


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

R3 - URLSearchHook: (no name) - {BA40A64C-2A13-BCAA-FBA9-CDD919F1124D} - driver64.dll (file missing)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\ftxjftep.dll

Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.

C:\Program Files\NewDotNet < or anything related
C:\Program Files\UnSpyPC

Reboot into normal mode and rehide your protected OS files.

6. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, ComboFix and AVG Antispyware log.


Regards,
Your friendly momok =)

This thread is for the use of Zyrreh only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thank you very much for the very quick reply!

I've done everything you said, and here are the log files. I don't attach the AVG Antispyware log, because the scan didn't detect anything this time, and the log was empty.

In the meantime I've installed ZoneAlarm, so some things in these logs could look different. I just report it, so you know why.
 
Hi,

Your logs look fairly clean, I have provided a script for avenger to remove some registry keys to be on the safe side.

Please follow these instructions carefully.

1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached "avengerscript2.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "open Script File".
Navigate to the attachment avengerscript2.txt you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and ComboFix log.


Regards,
Your friendly momok =)

This thread is for the use of Zyrreh only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I must say it looks good! I've left the PC running during the night, and nothing happened. Looks as if it is really fairly clean.

And of course here are the log files.
 
Hi,

Your logs are clean.

Have HijackThis fix this entry though:

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

I'm just a little concerned with this registry value that I spot in your ComboFix file.

Go to start > Run > regedit

Navigate manually to HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ym^ebokm
Delete the entire key. (ym^ebokm)

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend that you read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of Zyrreh only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
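The two posts above ask the user to have HijackThis "fix" entries whose backing file is gone ("(file missing)", "(no file)"), to review an unnamed BHO that does point at a real DLL, and to look for a service key with an odd name (ym^ebokm). The following Python script is an added example, not part of this thread or of HijackThis: it parses HJT-style R3/O2 lines and applies exactly that triage, and it flags service key names containing characters a legitimate installer would not use. The sample log is constructed here from the entry formats quoted in the thread plus one constructed benign entry (the vendor name, CLSID 00000000-0000-0000-0000-000000000001 and paths under C:\Program Files\Example are made up for the example).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: the three entries quoted in this thread, one constructed
# benign BHO, and one O4 line in a format this parser deliberately does not handle.
SAMPLE_HJT_LOG = """\
R3 - URLSearchHook: (no name) - {BA40A64C-2A13-BCAA-FBA9-CDD919F1124D} - driver64.dll (file missing)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\\WINDOWS\\system32\\ftxjftep.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: Example Vendor Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
"""

# "<section> - <kind>: <name> - {CLSID} - <target>" as HJT prints R3/O2 entries.
ENTRY_RE = re.compile(
    r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<target>.+)$"
)


@dataclass
class HjtEntry:
    section: str
    kind: str
    name: str
    clsid: str
    target: str

    @property
    def file_missing(self) -> bool:
        """True when the registration points at a file that is no longer on disk."""
        t = self.target.strip().lower()
        return t.endswith("(file missing)") or t == "(no file)"

    @property
    def unnamed(self) -> bool:
        """True when the COM object registered no display name at all."""
        return self.name.strip().lower() == "(no name)"


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse every R3/O2-style line; lines in other formats are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(**m.groupdict()))
    return entries


def triage(entry: HjtEntry) -> str:
    """Apply the thread's reasoning to one entry.

    orphaned   - backing file is gone: a dead registration, safe to have HJT remove.
    suspicious - no display name but a real file: review the DLL (hash, vendor) before
                 removing; it is the pattern of the ftxjftep.dll BHO in this thread.
    named      - ordinary named extension; leave it unless another source says otherwise.
    """
    if entry.file_missing:
        return "orphaned"
    if entry.unnamed:
        return "suspicious"
    return "named"


def summarize(text: str) -> Dict[str, str]:
    """Map each CLSID found in the log to its triage verdict."""
    return {e.clsid: triage(e) for e in parse_hjt_log(text)}


# Characters that legitimate installers use in service key names; anything else
# (the caret in ym^ebokm, for instance) is worth a second look in regedit.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def service_name_is_odd(name: str) -> bool:
    """Crude first pass: flag a service key name built from unexpected characters."""
    return not SERVICE_NAME_RE.match(name)


if __name__ == "__main__":
    for e in parse_hjt_log(SAMPLE_HJT_LOG):
        print(f"{e.section:3} {triage(e):10} {e.clsid} {e.target}")
    print("ym^ebokm odd name:", service_name_is_odd("ym^ebokm"))
```

Run it against a saved HijackThis log by reading the file into `parse_hjt_log`; the verdicts only tell you where to look, and a "suspicious" DLL still wants its hash checked against a vendor or multi-engine scanner before anything is deleted, which is why the thread has the user post logs rather than remove entries on sight.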
 
Done it all, except for this strange registry key... It doesn't exist! I checked it many times, searched for it, but didn't find it. So I've run ComboFix one more time to check it. It didn't detect it this time.

If you want to have a look at the log, I attach it.

But I get the impression that everything is OK, all the problems seem to have disappeared. And everything works a little bit faster.

About the protection: now I'm running Avast+ZoneAlarm - I think it will be enough to protect a computer which is used normally.

Oh, one more thing - can I delete the c:\QooBox and c:\avenger? - there are backups there, made by these programs of course.

Finally, thanks a lot Momok! You saved my day, really. All the clues were so easy to follow, descriptive and just plain great.

You should consider changing your signature to "Your friendly momok - but only for people; for viruses I'm a lethal threat" =)
 
Hi,

Thank you for the kind comments.
You are right, that registry key doesn't exist anymore. Quite weird.

About the protection: now I'm running Avast+ZoneAlarm - I think it will be enough to protect a computer which is used normally.
Those two programs are great to use; here are some more recommended software and links to them.

Spybot Search & Destroy. < use this if you have no other real-time monitoring programs such as Spyware Doctor. It's a real gem.
CCleaner.

Oh, one more thing - can I delete the c:\QooBox and c:\avenger?
Yes you may delete QooBox and avenger. We have no further use for them.


Regards,
Your friendly momok =)

This thread is for the use of Zyrreh only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 