I have a trojan win32 vb.aad. Does anyone know how to remove it? I've tried Ad-aware, Spybot and various others with no luck.
Try ewido -> http://www.ewido.net/en/download Install and update it. Then do a complete system scan, let it delete what it finds and save the report. Send that report here. Also send a HijackThis log, instructions (Step 3) -> http://forums.afterdawn.com/thread_view.cfm/263784
Ewido report
Ok. Still having problems? Also send a HijackThis log, instructions here (Step 3 and 4) -> http://forums.afterdawn.com/thread_view.cfm/263784
Have you tried a scan with the most updated Norton? It's useful to find these... or you could try one of the online scan pages...
You can also try eScan, it's a very good one for viruses/trojans -> http://www.spywareinfo.dk/download/mwav.exe Here is a batch file for easy updating -> http://koti.mbnet.fi/pattaya1/lataus/Mwav.bat Save it to your desktop, double-click it and permit kavupd.exe to access the internet. After updating, eScan will automatically start. Make sure that you select these: And after the scan, copy the Virus log information (press ctrl+a, then ctrl+c. When you want to paste them here, press ctrl+v):
ccleaner http://www.ccleaner.com/ online virus & spyware scan http://housecall60.trendmicro.com/en/start_corp.asp
Hi Kemisti, I still have the problem. I use the latest Nod32 antivirus and it can't clean it. Here is the HijackThis log. I'll try eScan while I'm waiting for instructions. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 9:56:55 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124690977984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
@Eddystr: That trojan doesn't seem to appear in the HjT log. Anyway, you can fix this line (open HjT, click "Do a system scan only", mark it and press "Fix checked"): O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) And after finishing eScan, I would like to see the "Virus log information", so could you please send it here?
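The entry singled out in the reply above is one of two in the posted log whose target file is gone, marked "(no file)" and "(file missing)". As an added example (not part of the original thread, and not HijackThis's own code), this Python sketch parses HijackThis entry lines and lists such orphaned references; the sample entries are copied from the log above and the function names are hypothetical.

```python
import re

# Constructed sample: four entries copied from the HijackThis v1.99.1 log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Entry lines start with a section code such as R0, O2, O18 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers seen in the posted log for references whose file no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Parse 'Xn - ...' entry lines; header and process-list lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        body = match.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": match.group("section"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "orphaned": body.rstrip().endswith(ORPHAN_MARKERS),
        })
    return entries


def orphaned_entries(log_text):
    """Return only the entries that point at a missing file."""
    return [e for e in parse_entries(log_text) if e["orphaned"]]


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["section"], entry["clsid"], "->", entry["body"])
```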
Hi, I ran eScan and it found and disinfected 1 virus. I restarted the PC and it appears to be fixed. If for some reason it pops back up I'll get back to you. Thanks. P.S. I didn't copy the virus log.
Kemisti and Phantom69, sorry guys but the virus has popped up again. This is the actual message: File c:\system volume information\_ restore{990456d7-2e61-498a-9bea-78f...\a0018840.exe Virus Win32/vb.aad trojan Also I used HjT to fix this entry: O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
Thanks DDP, I tried your suggestion and so far (3 hours later) I have not seen the problem reoccur. Thanks kemisti and phantom69 for your help as well.
That's quite strange, because eScan can also delete viruses from system restore. Well, the most important thing is that your computer is ok now.