Author Topic: I need help with removing Win32:VB-EIJ  (Read 4725 times)


heythereitsme

  • Guest
I need help with removing Win32:VB-EIJ
« on: February 27, 2008, 03:25:55 PM »
Hi People,
I sure hope someone can help me. My computer has been acting very strangely for a month now and the other day, opening up My Computer takes almost a minute as well as any browsing of My Computer...i.e. Save As and I click the arrow. MS Paint even takes longer than a minute to open.

I disconnected the hard drive and installed it into a computer that has Avast antivirus on it. It found this virus in the pagefile.sys file. I instructed Avast to delete the file. This was the only virus found. When the virus scan finished it was the only virus found and cleaned. I then put the hard drive back into the computer and booted it up into Safe Mode (thinking that the virus might recreate itself from a system restore point). I then deleted the system restore points by turning off system restore. Then put the hard drive back into the computer with Avast and the page file was there again and still had the same virus.

So something that is loaded in Safe mode is re-creating this virus.

Does anyone have any ideas as to how to delete this virus? I have googled and only found programs that "might" delete it but after paying an enormous registration fee.

Thanks in advance for your help and replies

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89377
  • No support PMs thanks
Re: I need help with removing Win32:VB-EIJ
« Reply #1 on: February 27, 2008, 06:00:36 PM »
There have recently been a number of people having issues with the pagefile.sys file and I'm not sure if it is the fact that data being switched in and out of it might well just leave a data string that happens to match a virus signature.

I had thought that the pagefile.sys was excluded from scans by default, it is on mine, but that may also have been me as the pagefile.sys can be huge and I believe presents a very low risk as you can actually set it to delete on shutdown (I don't) so you would have a new pagefile.sys on reboot.

Add this, ?:\pagefile.sys, to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Copy and paste this into the areas, the ? is a single character wildcard so if you have the pagefile.sys in more than one drive (I do) it will cater for that too.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
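
An added example (not part of the original thread, and not Avast's own code) showing how narrow the `?:\pagefile.sys` exclusion is when `?` stands for exactly one character. The matching rules used here (whole-path match, case-insensitive, `?` never matching a path separator) are assumptions for illustration, and the detection paths are constructed sample data.

```python
import re

def exclusion_to_regex(mask):
    """Compile an exclusion mask in which '?' stands for exactly one character."""
    parts = []
    for ch in mask:
        # Assumption: '?' matches any single character except a path separator.
        parts.append(r"[^\\/]" if ch == "?" else re.escape(ch))
    # Windows paths are case-insensitive, so the match is too.
    return re.compile("".join(parts), re.IGNORECASE)

def triage(detections, exclusions):
    """Split detections into those an exclusion would skip and those still scanned."""
    compiled = [exclusion_to_regex(m) for m in exclusions]
    skipped, reported = [], []
    for path, name in detections:
        # Assumption: the mask must match the whole path, not a substring of it.
        if any(rx.fullmatch(path) for rx in compiled):
            skipped.append(path)
        else:
            reported.append(path)
    return skipped, reported

EXCLUSIONS = ["?:\\pagefile.sys"]

# Constructed sample detections: (path, detection name from the thread).
DETECTIONS = [
    ("C:\\pagefile.sys", "Win32:VB-EIJ"),        # page file on the boot drive
    ("F:\\PAGEFILE.SYS", "Win32:VB-EIJ"),        # page file on a second (slave) drive
    ("C:\\Temp\\pagefile.sys", "Win32:VB-EIJ"),  # same name, but not in a drive root
    ("C:\\pagefile.sys.exe", "Win32:VB-EIJ"),    # look-alike executable
]

if __name__ == "__main__":
    skipped, reported = triage(DETECTIONS, EXCLUSIONS)
    print("excluded from scan:", skipped)
    print("still reported:   ", reported)
```

Under these assumptions only a page file in the root of a drive is skipped; a file that merely borrows the name elsewhere on disk is still scanned and reported.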

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33938
  • malware fighter
Re: I need help with removing Win32:VB-EIJ
« Reply #2 on: February 29, 2008, 09:43:50 PM »
Hi heythereitsme,

In the case of Win32:VB-EIJ:
Kill the following processes
Remove the following files


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: I need help with removing Win32:VB-EIJ
« Reply #3 on: February 29, 2008, 09:51:30 PM »
Pagefile.sys is normally excluded from scans but not if you're scanning a slave HD. Ignore any detections in pagefile.sys. If virus symptoms still persist, can you use online scanners to scan a slave disk? A scan with Kaspersky online scanner would be a good idea, if it'll work that way.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

Re: I need help with removing Win32:VB-EIJ
« Reply #4 on: February 29, 2008, 10:01:59 PM »
Hi Frank, the slave drive issue (if heythereitsme has a slave drive with a pagefile.sys on it) would be catered for by the ?:\pagefile.sys exclusion.

It would be nice to get some feedback from heythereitsme.

Offline FreewheelinFrank

Re: I need help with removing Win32:VB-EIJ
« Reply #5 on: February 29, 2008, 10:06:35 PM »
OK David. I bow to experience. Lappies don't accept slaves.

Is it possible to run an online scan on a slave?

Offline DavidR

Re: I need help with removing Win32:VB-EIJ
« Reply #6 on: February 29, 2008, 10:19:02 PM »
By slave, e.g. a second hard disk on a system, it should be treated no differently to any HDD when it comes to an AV scan; it is just another HDD. The only time a slave drive is any different is during boot when the Master drive is the boot disk/drive.

My F: drive (two partitions on the Master drive) is my slave HDD and you elect to scan the drive letter rather than slave or master.
« Last Edit: February 29, 2008, 10:29:46 PM by DavidR »

Offline FreewheelinFrank

Re: I need help with removing Win32:VB-EIJ
« Reply #7 on: February 29, 2008, 10:24:17 PM »
Thanks.

I reckon heythereitsme should do a few online scans then just to make sure there's nothing that avast! missed.