Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

remove VBInject (might be problem?)


  • This topic is locked This topic is locked
1 reply to this topic

#1 aapolyzo

aapolyzo

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 07 August 2011 - 12:10 PM

Hi,

My laptop has been screened as having a trojan, and the IT department has blocked it from getting onto my work network.

their message was:
"Infection Type : Trojan.VBInject"

I have:
1) reformatted and re-installed windows XP
2) installed and ran the following updated virus removal tools: Malwarebytes, AVG and Spyware Doctor, and the same thing has occurred.

I would like to clean up my machine thoroughly of this or any other insipid virus (then I can ask to have my access re-instated). Could someone help me diagnose the problems on it?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
INFORMATION

laptop: Toshiba Satellite
processor: Intel CPU T2400 1.83GHz 1.99GB RAM
system: MS Win XP media center edition, vs. 2002, service pack 2

HIJACKTHIS LOG FILE

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:57:17 AM, on 8/7/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O3 - Toolbar: IspAssistant Add-on - {6DA1E850-9F71-4B3C-81A4-D9EEEF6FCD50} - C:\Program Files\IspAssistant Addon\ispassistant.dll
O3 - Toolbar: FinderQuery Add-on - {ADC66251-6410-4a15-9499-7D73C6994B25} - C:\Program Files\FinderQuery Addon\finderquery.dll
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - Unknown owner - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (file missing)
O23 - Service: DVD-RAM_Service - Unknown owner - C:\WINDOWS\system32\DVDRAMSV.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Microsoft Antimalware Service (MsMpSvc) - Unknown owner - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I know this is a big request, and appreciate any help whatsoever, even if not a full assessment of the problems.

I need to have a laptop at work, and the IT support is very very very slow there.

Thanks so so much

Computer-frustrated

Edited by hamluis, 07 August 2011 - 12:16 PM.
Moved from XP to Malware Removal Logs.


BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:30 AM

Posted 08 August 2011 - 03:08 PM

Good evening. :)

As the infection you have mentioned has a backdoor capability, which allows a remote user the same access to your system as you have sat in front of it, the best advice I can give is to reformat and reinstall your operating system. The risk of file infection and corruption, security settings being lowered to make further infection more likely etc... makes this the only sensible option.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Given that you have already reinstalled once, there are three possibilities that spring to mind:

1) Your IT Dept. is wrong and your system is clean. This is always possible as nobody's perfect, but the IT bods should be able to tell you how they know that your machine is infected, which should remove this is an option.

2) Once you had reinstalled Windows you reinfected the system. You may have run infected files that you had backed up prior to the reformat and one of these is the dropper for the infection you have.
It could also be that you connect the PC to the internet via a router and that the router has been hijacked and has sent your PC to an infected website where you picked up the nasty you have.
Finally, you may just be visiting infected websites yourself and getting the PC all slimy.

3) The reformat and reinstall didn't kill the nasty. This isn't impossible depending on how you reinstalled Windows, from a Recovery Partition for example, or where the infection is hiding on the hard drive.

Unfortunately there is a large degree of disagreement online, and some time with the search engine of your choice will show you exactly how much, over exactly how serious you need to get to guarantee a clean PC, which obviously depends on the infection you are dealing with.

Most infections will be dealt with by a reformat and reinstall, as you have already done, but if you can rule out number's one and two above, you need to concern yourself with three.

Some people suggest deleting all partitions prior to reinstalling Windows to ensure a clean PC regardless of original infection and others will utilise what is probably the nuclear option, Darik's Boot and Nuke which will securely wipe the hard disks destroying all data on it, ensuring nothing survives - I did say it was the nuclear option!

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users