A Problem Regarding A Virus Named "vbs\unknown"


5 replies to this topic

#1 Code_M

Code_M

  • Members
  • 3 posts
  • Local time:09:37 AM

Posted 27 April 2007 - 07:59 AM

Hello everyone. Recently my computer was infected by a virus "VBS\Unknown." It started as a message in Outlook Express. The sender is one of my contacts saved in the address book, but he told me he never sent me a message. The title is "Gwd: Hi" or some random topic. It looks like a wrong spelling of "Fwd" but it's actually a virus. Inside the message you will see "See attachment for more details." If you open the attachment, it has a text that says "You have already received it". My computer started to have problems with the software installed in the OS. Office applications no longer work, you can't access the Add/Remove options in the Control Panel, and "Run" is gone when you click Start.

I also noticed that when you open My Computer and select one of the partitions like C:\ and D:\, it doesn't open normally, and when you right-click on it, it adds Autoplay. You have to right-click and select the option Open. After scanning with AVG 7.5 with the latest update, it detected a virus, VBS/Unknown. It can't be healed so I tried putting it in the virus vault. After a few minutes, it creates another copy. :thumbsup: I tried manually deleting the virus. The name is "FS6519.dll.vbs". The virus is hidden so you need to set the options to display hidden files. The file is located in C:\ and C:\Windows\. If you have other partitions, it is also located at D:\ or E:\ or even flash disk drives. If anyone can help me remove this virus, I would really appreciate it :flowers:

//Mod edit: Moved from Windows XP home forum to the more appropriate.//

Edited by KoanYorel, 27 April 2007 - 09:10 AM.
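
An added example, not part of the original thread: a read-only Python check for the indicator Code_M describes, a script file with a decoy double extension (such as FS6519.dll.vbs) sitting directly in a drive root or in C:\Windows. The extension lists, function names and the sample directory are assumptions constructed for illustration.

```python
import os
import string
import tempfile
from pathlib import Path

# Assumed lists: script types Windows will execute, and decoy "inner" extensions.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
DECOY_EXTS = {".dll", ".txt", ".doc", ".jpg", ".exe", ".pdf"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit reported by os.stat()

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def find_suspect_scripts(roots):
    """List (path, hidden) for double-extension scripts directly inside each root."""
    hits = []
    for root in map(Path, roots):
        try:
            entries = sorted(p for p in root.iterdir() if p.is_file())
        except OSError:  # missing drive letter, empty card reader, access denied
            continue
        for entry in entries:
            suffixes = [s.lower() for s in entry.suffixes]
            if (len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                hits.append((str(entry), is_hidden(entry)))
    return hits

def demo():
    """Run the check on a constructed directory standing in for a drive root."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("FS6519.dll.vbs", "report.doc", "backup.vbs", "psapi.dll"):
            Path(tmp, name).write_text("constructed sample, not real malware\n")
        return [Path(p).name for p, _ in find_suspect_scripts([tmp])]

if __name__ == "__main__":
    print("constructed sample:", demo())
    # Locations named in the post: every drive root plus C:\Windows.
    roots = [f"{d}:\\" for d in string.ascii_uppercase] + [r"C:\Windows"]
    for path, hidden in find_suspect_scripts(roots):
        print(f"{'hidden ' if hidden else 'visible'}  {path}")
```

The check only lists files; it does not delete or quarantine anything, so a hit still needs to be confirmed with a scanner before removal.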




#2 buddy215

buddy215

  • Moderator
  • 13,496 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:37 PM

Posted 27 April 2007 - 09:41 AM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
--------------------------------------------------------------------------------

Getting into Windows Safe Mode
http://www.computerhope.com/issues/chsafe.htm
(pre-Vista OS's)
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:02:37 AM

Posted 27 April 2007 - 10:04 AM

This appears to be a variant of one of the many flash drive infections which are around these days.

You could try Flash_Disinfector.exe
prior to buddy's instructions

The title Gwd: Hi or some random topic. It looks like some wrong spelling of fwd but it's actually a virus. Inside the message you will see " See attachment for more details." If you open the attachment, it has a text and say " You have already received it

This is lethal in these days. What do you have as far as firewall is concerned?

You might want to read through the below articles

Simple and easy ways to keep your computer safe
The Ten Most Dangerous Things Users Do Online
Seven ways to keep your search history private
How did I get infected?, With steps so it does not happen again!
Secure Your Home Computer - A guide for online users

#4 Code_M

Code_M
  • Topic Starter

  • Members
  • 3 posts
  • Local time:09:37 AM

Posted 27 April 2007 - 03:06 PM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html


I tried installing Super Antispyware but there were some errors regarding some PSAPI.DLL being unable to locate the file. So I restarted and tried it in Safe Mode. Still the same problem.

Also my IE is no longer working so I can't try the online scanning. I tried installing the IE again but it is still not working. :thumbsup:

I tried the Flash Disinfector, the weird part is after I press ok and my USB Flash disk was already connected, the icons in the desktop disappeared.

I found some interesting information about the virus but I think it is written in Spanish. VBS/Unknown Information

Thanks for the help guys. :flowers: . Although the errors are still there, hopefully this new information will make a step closer to solving this problem.

#5 buddy215

buddy215

  • Moderator
  • 13,496 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:37 PM

Posted 27 April 2007 - 06:50 PM

Were you able to do the online scan with Bit Defender? Have you tried to rollback to IE6? Do you have another browser installed? What was the exact message concerning PSAPI.DLL?

--------------------------------------------------------------------------------


Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
--------------------------------------------------------------------------------

Edited by buddy215, 27 April 2007 - 06:53 PM.


#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,663 posts
  • Gender:Male
  • Local time:07:37 PM

Posted 28 April 2007 - 12:20 PM

Yes, posting a HijackThis log at this point is the best way to go and the sooner the better. These infections are new and changing rapidly so automatic removers like antivirus have a hard time keeping up. HJT will help find what needs to be removed manually.

Try those pre-cleaning steps in the Prep guide that buddy215 has linked you to, but if you can't use Internet Explorer you won't be able to run Bit Defender or the other online scanners with the exception of Housecall--choose the Java kernel for that one if you are using another browser. If you have any problems doing any of the pre-cleaning steps, just skip them and post what happened in the logs forum. Please don't post your log in this topic.

And in hindsight, never open attachments you aren't expecting, even if it appears to be from someone you know. Someone else that has both you and your friend in their address book is infected and the malware just put a random name from that address book in the from field of the email it sent out--very common.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan




