Trojan Horse Generic9.aibf

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Am I infected? What do I do?

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Trojan Horse Generic9.aibf

Options

mungun View Member Profile	Feb 1 2008, 09:56 AM Post #1
New Member Group: Members Posts: 2 Joined: 1-February 08 Member No.: 187,657	Ok, to start it off i think i have had this since monday, 1/28/08 It started out as a Trojan.Vundo, i ran multiple anti-spyware/cleaners. Then i found a program called "VundoFix" it seemed to have worked, but caused 3 .dll run errors on startup. Yesterday AVG found the trojan horse generic9.aibf, it healed it, but found it again this morning. I don't know what to do anymore.

quietman7 View Member Profile	Feb 1 2008, 12:46 PM Post #2
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	RunDLL32.exe is a legit Windows file that loads .dll files which too can be legit or malware related. The "Cannot find...", "Could not run..." or "Error loading..." message usually occurs when the .dll file(s) that was set to run at startup has been deleted and it becomes an orphaned registry entry. Windows is trying to load this file(s) but cannot locate it since the file was removed during an anti-virus or anti-malware scan, or the uninstall of a program. However, the associated registry entry remains and is telling Windows to load the file when you boot up. When Windows loads, it looks for any files associated with registry entries for programs that are set to run at startup. If the file was removed but not the registry entry, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads. To resolve this, download Autoruns, search for the related entry and then delete it. Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if your not sure how to do this.) Open the folder and double-click on autoruns.exe to launch it. Please be patient as it scans and populates the entries. When done scanning, it will say Ready at the bottom. Scroll through the list and look for a startup entry related to the file(s) in the error message. Right-click on the entry and choose delete. Reboot your computer and see if the startup error returns. Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet. Please download and install SUPERAntiSpyware Free Double-click SUPERAntiSypware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.) Under the "Configuration and Preferences", click the Preferences... button. Click the "*General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked. Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked): Close browsers before scanning.* Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the control center screen and exit the program. Do not run a scan just yet. Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Double-click ATF-Cleaner.exe to run the program. Under Main "*Select Files to Delete" choose: Select All. Click the Empty Selected* button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". Scan with SUPERAntiSpyware as follows: Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose *Perform Complete Scan* and click "Next". After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "*Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes" and reboot normally. To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Please copy and paste the Scan Log results in your next reply. Click Close to exit the program. Repeat your AVG scan in "Safe Mode. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

mungun View Member Profile	Feb 2 2008, 07:21 PM Post #3
New Member Group: Members Posts: 2 Joined: 1-February 08 Member No.: 187,657	SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 02/01/2008 at 03:02 PM Application Version : 3.9.1008 Core Rules Database Version : 3393 Trace Rules Database Version: 1385 Scan type : Complete Scan Total Scan Time : 00:06:22 Memory items scanned : 224 Memory threats detected : 0 Registry items scanned : 6573 Registry threats detected : 6 File items scanned : 627 File threats detected : 4 Adware.Vundo Variant HKLM\Software\Classes\CLSID\{80BB55D5-0982-4A14-95AE-B5B293FF85B6} HKCR\CLSID\{80BB55D5-0982-4A14-95AE-B5B293FF85B6} HKCR\CLSID\{80BB55D5-0982-4A14-95AE-B5B293FF85B6}\InprocServer32 HKCR\CLSID\{80BB55D5-0982-4A14-95AE-B5B293FF85B6}\InprocServer32#ThreadingModel C:\USERS\APPDATA\LOCAL\TEMP\EFCYV.DLL HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{80BB55D5-0982-4A14-95AE-B5B293FF85B6} HKCR\CLSID\{80BB55D5-0982-4A14-95AE-B5B293FF85B6} It found it all and removed it, but I've tried to system restore around 7 times, and i get a message after it attempts to restore and restart, "System Restore did not complete successfully. Your computers files and settings were not changed. Details: An unspecified error occurred during System Restore" Also, Windows Security Center doesn't detect my anti-virus, or windows defender anymore, but both of them are working and running. My W-LAN signal is showing I'm not connected to the internet, although i am. If i need to post in another sub-forum or whatever about the other problems just tell me, but i figured it all had to do with the virus since it just started doing all this when i got the virus. Thanks. This post has been edited by mungun: Feb 2 2008, 08:54 PM

quietman7 View Member Profile	Feb 2 2008, 10:01 PM Post #4
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Sometimes, the Security Center stops recognizing an antivirus or firewall program. Here is one possible solution that may work: Click on Start > Run and type: services.msc Press OK. Click the "Extended tab" at the bottom to view all the info on your services. Scroll down the list and find the service called Windows Managament Instrumentation. When you find the service, double-click on it or right-click and choose "Properties". In the Properties Window > General Tab that opens, click the "Stop" button. From the drop-down menu next to "Startup Type", make sure its set to "Automatic". Exit and return to your desktop. Right click Start and choose Explore. Navigate to C:\Windows\system32\wbem\repository Delete or rename this subdirectory ONLY. Close Windows Explorer when done and reboot your computer. This will rebuild the deleted folder and the database. Once restarted, Windows Security Center should show the correct information and antivirus/firewall should be recoginized. See "WMI FAQs: How do I rebuild the repository?. If System Restore is not working, check to make sure it is started and set to automatic. Go to Start > Run and type: services.msc Locate the System Restore Service and double-click it. Click the "Start" button, then set the startup type in the dropdown box to "Automatic". Press Apply > Ok, then reboot and try using it again. If its still not working, go to Start > Run and type: services.msc[list] Locate the System Restore Service and double-click it. Click the "Stop" button, then set the startup type in the dropdown box to "Disabled". Press Apply > Ok, then reboot. Open My Computer or Windows Explorer, go to Tools > Folder Options > View and check "Show hidden files and Folders", UNcheck "Hide Protected operating system Files (recommended)" and hit Apply > OK. Check the "System Volume Information folder" on each drive and delete its contents (doing this removes all existing restore points). Then reverse the steps where you disabled the service and restart it: Click "Start" and set set the startup type in the dropdown box to "Automatic". If this still does not help, then follow these steps to "Reinstall System Restore". "How to troubleshoot System Restore" "System Restore Knowledge Base articles & Troubleshooting" Start a new topic in the Networking forum in regards to your W-LAN. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

« Next Oldest · Am I infected? What do I do? · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 9th January 2009 - 06:20 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides