Author Topic: Win32.trojanVGB0FHa0364  (Read 30452 times)


jazzymina

  • Guest
Win32.trojanVGB0FHa0364
« on: February 18, 2005, 01:19:06 AM »
Hello  :),

I am a newbie and a user of Avast Home Edition. My resident protection remains on a High level, but I keep getting warnings about a virus that is called WIN32.trojanVG (manynumbersandletters) in my internet temporary folder. I move the virus to the chest, and after a while I delete the files. It's the same virus that keeps popping up, only then with different numbers and letters.

Maybe it's wrong of me that I delete the files, but what are you supposed to do with the files in your virus chest? Do they have to stay there all the time? And how do I get rid of this virus? It is not a very well known virus, because I looked it up in several virus databases.

I read somewhere else that there may be an interference between Ad-aware and some virus scanners. Some virus scanners say there is a virus on the computer while Ad-aware is running, while that is not the case. Could this be why the VIRUS keeps coming back??

And another thing, the last time I got this virus I also scanned my system online at Trend Micro Europe. Trend Micro spotted a virus in my System Volume Information that AVAST never mentioned. The name of that virus was CASPER1.

I think that AVAST is a very good programme. But when another virus scanner says that there is a virus that AVAST never mentioned, I begin to wonder which other viruses there may still be on my computer that AVAST missed.

Anyway, how do I get rid of this virus? It's strange that the same virus keeps coming back. I use the Warez P2P client (a Kazaa-like programme) for downloading music. Although Avast supports many P2Ps, Warez is not included in the list of P2P programmes. AVAST covers Warez' older version Arez, but not the new one. Or am I wrong here?

Could you help me out please? I will run a trojan port scan just to make sure.

Thanks a lot in advance

Jazzymina
« Last Edit: February 18, 2005, 01:32:08 AM by jazzymina »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32.trojanVGB0FHa0364
« Reply #1 on: February 18, 2005, 01:42:38 AM »
Don't confuse adware/spyware with a virus; they are two entirely different things. Although avast does detect many of the trojans (malware), it is a specialist anti-virus program.

   - What OS are you using? is it up to date?
   - What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
   - What was the virus name, what was the filename, where was it found
     example (C:\windows\system32\infected-filename.xxx)?


This should get you started: Advice & Tools for virus/trojan/malware Removal & Prevention and Eddy's Website. Click the "HiJackThis Section" and also the "Malware removal instructions and applications" section, follow the directions there, and get back to us if you need more help....

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32.trojanVGB0FHa0364
« Reply #2 on: February 18, 2005, 01:56:31 AM »
Also the Casper1 virus name is different in the avast virus naming, so it should have been recognised as formatA [Trj].
Quote
ALWIL        FormatA [Trj]

AV companies use different naming conventions; there is no standard. For your future use this helps identify the different names used: http://www.virusbtn.com/resources/vgrep/index.xml.

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #3 on: February 18, 2005, 02:25:14 AM »
Hi again,

I have never seen AVAST come up with the FormatA virus. If it had, wouldn't it have removed the virus immediately?

My OS is Windows XP (Service Pack 2). Yesterday I downloaded the latest updates from www.microsoft.com. I am using AVAST 4.5 and my current VPS file is 0507.3. In addition to Avast, I am using Spybot, Ad-Aware and Sygate Personal Firewall (the basic version).

The virus pops up in C:\Documents and Settings\(Myrealname)\Local Settings\Temp. The name of the virus is always Win32.trojanVG, but the numbers and letters change. The current one is called Win32.trojanVGB0FHa0364.

I forgot to mention that there is also an .exe file that I can't remove in the same folder. The name changes also, and it is not a JET.TMP or D~.TMP file (someone working at an online virus helpdesk told me that JET. and D~.TMP files are not viruses, but log files from when your computer crashes or something like that).

This particular .exe file in my temporary folder has strange names like 'knnqdns' or 'brrr' etc., etc. I can't remove this file and AVAST says it's clean. I think that this file might be responsible for the virus, but I am not sure.
 
I tried to do a trojan port scan, but because AVAST is running and is very slow, the website that performs the scan doesn't work properly. I'll try again later.

I will look at Eddy's website and at your link to see if I can find something helpful.
Thanks again

Jazzymina

« Last Edit: February 18, 2005, 02:48:18 AM by jazzymina »

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #4 on: February 18, 2005, 03:00:54 AM »
I just searched for the term 'VGB' on the virus bulletin board. The results say that Alwil (AVAST) does not detect this virus? Is this correct? Could you have a look please?

If Avast doesn't detect this virus, what should I do now? My computer will be constantly vulnerable to this particular trojan horse if AVAST can't protect my computer from it.

Should I switch to another virusscanner?  :-\
« Last Edit: February 18, 2005, 03:09:38 AM by jazzymina »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32.trojanVGB0FHa0364
« Reply #5 on: February 18, 2005, 03:08:35 AM »
Keep in mind that VGrep is not using the latest data.
(latest version currently 29 Jan 2005)

Have a look HERE for the vps history.

Warez p2p comes with malware. As long as you have warez p2p on your system, your system will never be clean.
« Last Edit: February 18, 2005, 03:11:34 AM by Eddy »

jazzymina

  • Guest
Re: Win32.trojanVB2G0a02420
« Reply #6 on: February 22, 2005, 12:58:50 PM »
Hello,

AVAST just said that the same virus is still on my computer. I had moved this virus to the virus chest, but apparently this doesn't seem to be effective. I haven't used WAREZ since I got the virus. As you can see from the title, the current name of the trojan is WIN32.trojanVB2G3QA02420.

This virus has been bothering me for more than a month now; how do I get rid of it before it harms my computer any further?? I don't understand how Avast doesn't protect my pc from this virus, especially since this is the fifth time the virus has struck.

What do I do now? :'(

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32.trojanVGB0FHa0364
« Reply #7 on: February 22, 2005, 02:16:28 PM »
Start by following the instructions on the links I gave you (blue text) in my first reply; the drill is the same.

We also need the same information:
- what was the filename, where was it found example (C:\windows\system32\infected-filename.xxx)?

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #8 on: February 22, 2005, 08:08:13 PM »
Hi David,

I don't know which win32 file is infected, to be honest with you; the only thing Avast mentions is that the virus is in my temporary folder????

I went into safe mode and removed a file that I thought was suspicious, but now I have two other weird files in my temporary folder, one of them named pntahjlb.exe. I really think that this is a virus, but again I'm not sure. I scanned my system in Safe mode, but Avast came up with nothing.

I am posting my HijackThis log, maybe this could help? Please take a look at it and let me know if something weird is going on. Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 20:04:28, on 22-2-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E6DA8678-2095-CA84-8A20-983A6726D192} - C:\DOCUME~1\YASEMI~1\APPLIC~1\glueboob\BlehBase.exe (disabled by BHODemon)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IDLE16BONEBIAS] C:\Documents and Settings\All Users\Application Data\Dale Dog Idle 16\Bias close.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [Axis Inter] C:\DOCUME~1\YASEMI~1\APPLIC~1\PLATFO~1\each meet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O18 - Protocol hijack: mhtml - 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
« Last Edit: February 22, 2005, 08:11:15 PM by jazzymina »
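The HijackThis log above is the kind of artifact a responder triages by hand; the script below is an added example (not from the thread, not a HijackThis or avast tool) that applies the same first-pass rules a helper would: IE search/start settings pointing at a host the owner did not choose, a missing URLSearchHook, autostart or BHO entries whose target is gone or lives in a user-writable folder, a hijacked protocol handler, and a service whose binary is missing. The sample log is a constructed excerpt in the log's format, with the user's profile name replaced by a placeholder; `EXPECTED_HOSTS` and the `USER_WRITABLE` fragments are assumptions chosen for this example, not a standard list.

```python
"""First-pass triage of a HijackThis (HJT) log. Added example, not an HJT feature."""
import re
from urllib.parse import urlparse

# Hosts the owner expects in IE start/search settings (assumption for this example:
# the owner set a Google start page and nothing else).
EXPECTED_HOSTS = {"www.google.nl"}

# Path fragments that are user-writable on Windows XP; an autostart there is worth a look.
# Heuristic assumed for the example; covers both long and 8.3 forms.
USER_WRITABLE = ("documents and settings", "docume~1", "application data", "applic~1", "\\temp\\")

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Constructed sample in HJT's line format; "USER~1" stands in for the real profile name.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IDLE16BONEBIAS] C:\Documents and Settings\All Users\Application Data\Dale Dog Idle 16\Bias close.exe
O4 - HKCU\..\Run: [Axis Inter] C:\DOCUME~1\USER~1\APPLIC~1\PLATFO~1\each meet.exe
O18 - Protocol hijack: mhtml - 
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


def extract_url(body):
    """R0/R1 bodies look like '<registry key>,<value name> = <url>'."""
    _, _, value = body.partition(" = ")
    return value.strip()


def triage_hjt(log_text):
    """Return (code, reason, line) for every entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")
        low = body.lower()
        if code in ("R0", "R1"):
            url = extract_url(body)
            host = urlparse(url).hostname
            # 'about:blank' has no host and is left alone; real URLs must match the allowlist
            if url.startswith("http") and host not in EXPECTED_HOSTS:
                findings.append((code, f"IE setting points at unexpected host {host}", line))
        elif code == "R3" and "missing" in low:
            findings.append((code, "URLSearchHook missing (commonly removed by a hijacker)", line))
        elif code in ("O2", "O4", "O9"):
            if "(no file)" in low:
                findings.append((code, "orphaned entry, target file is gone", line))
            elif any(frag in low for frag in USER_WRITABLE):
                findings.append((code, "autostart/BHO loads from a user-writable location", line))
        elif code == "O18" and "hijack" in low:
            findings.append((code, "protocol handler hijacked", line))
        elif code == "O23" and "(file missing)" in low:
            findings.append((code, "service registered but its binary is missing", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Entries that survive this pass are not automatically malicious (the avast mail-scanner service line is a known quirk of how that service registers its path), but each one tells the responder where to look next: the R1 lines name the hijacker's host, and the two O4 lines name the binaries in user-writable folders that the on-demand scan should be pointed at.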

lee16

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #9 on: February 22, 2005, 08:18:25 PM »
--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
search bar = http://minisearch.startnow.com/
search page = http://minisearch.startnow.com/
r1 - hklm\software\microsoft\internet explorer\main
default_search_url = http://minisearch.startnow.com/
r1 - hklm\software\microsoft\internet explorer\main
search bar = http://minisearch.startnow.com/
r1 - hklm\software\microsoft\internet explorer\main
search page = http://minisearch.startnow.com/
start page = http://www.startnow.com/
r1 - hkcu\software\microsoft\internet explorer\search
searchassistant = http://minisearch.startnow.com/
r1 - hkcu\software\microsoft\internet explorer\search
customizesearch = http://minisearch.startnow.com/
r1 - hklm\software\microsoft\internet explorer\search
default_search_url = http://minisearch.startnow.com/
r0 - hklm\software\microsoft\internet explorer\search
searchassistant = about:blank
r0 - hklm\software\microsoft\internet explorer\search
customizesearch = http://minisearch.startnow.com/
r0 - hkcu\software\microsoft\internet explorer\toolbar
r3 - default urlsearchhook is missing
o2 - bho: popup manager - {08e74c67-99a6-45c7-94da-a397a8fd8082} - (no file)
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o16 - dpf: {c5e28b9d-0a68-4b50-94e9-e8f6b4697514} (nsvplayx control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab


--------------------------------------------------------------------------------
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
--------------------------------------------------------------------------------
Nothing found.

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - global startup: microsoft find fast.lnk = c:\program files\microsoft office\office\findfast.exe
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
o4 - global startup: office startup.lnk = c:\program files\microsoft office\office\osa.exe

--lee

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #10 on: February 27, 2005, 04:06:01 PM »
Thanks Lee,

I was looking through my HijackThis log and I decided I wanted to know what kind of program C:\WINDOWS\System32\svchost.exe was. I looked up the term svchost.exe.

Some websites said that I was infected with a Netsky worm?? Is this true, or does svchost.exe belong to Microsoft? In my HijackThis log it appears twice; does this mean that one of them is a virus?

 ???


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32.trojanVGB0FHa0364
« Reply #11 on: February 27, 2005, 04:10:15 PM »
svchost.exe is a legitimate windows file, but as with any file it can be infected.

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down. To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx This is a registered security risk and should be removed immediately.

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #12 on: February 27, 2005, 04:16:14 PM »
Okay,

But I have all the recent Windows updates. I don't understand whether this thing is a virus or just belongs to Windows? It pops up three times in the log? I am confused ??? If so, why hasn't Avast warned me about it...
« Last Edit: February 27, 2005, 04:19:56 PM by jazzymina »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32.trojanVGB0FHa0364
« Reply #13 on: February 27, 2005, 04:17:39 PM »
Quote
a system process belonging to the Microsoft Windows Operating System
Doesn't that give you a clue?

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #14 on: February 27, 2005, 04:19:09 PM »
Yes, of course. But what does this mean then?


Quote
svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down. To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx This is a registered security risk and should be removed immediately.

How do I know if the file is infected or not?
« Last Edit: February 27, 2005, 04:21:16 PM by jazzymina »
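The question running through the last few posts, whether several svchost.exe entries mean one of them is malware and how to tell an infected or impostor copy from the genuine one, has a concrete answer: multiple instances are normal, and what distinguishes a real one is where it runs from and who started it. A genuine svchost.exe is the copy in %SystemRoot%\System32 (plus a SysWOW64 copy on 64-bit Windows) and is started by services.exe. The script below is an added example, not from the thread and not a Windows or avast tool; it runs those two checks over a constructed process table that contains three legitimate instances and one impostor. Process names, pids and paths in `SAMPLE_PROCS` are constructed for the example.

```python
"""Distinguish genuine svchost.exe instances from impostors by image path and parent.
Added example over a constructed process table; not a Windows or avast feature."""
from dataclasses import dataclass

# Paths of the genuine service host. The SysWOW64 entry only applies to 64-bit Windows;
# on the 32-bit XP discussed above only the System32 copy exists.
LEGIT_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
LEGIT_PARENT = "services.exe"  # the Service Control Manager launches every real svchost


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed process table: three service hosts started by services.exe plus one
# copy dropped in the user's Temp folder and started from explorer.exe.
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(520, 4, "smss.exe", r"C:\WINDOWS\System32\smss.exe"),
    Proc(600, 520, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    Proc(644, 600, "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(656, 600, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    Proc(820, 644, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(900, 644, "svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),
    Proc(1012, 644, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1500, 600, "explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    Proc(1688, 1500, "svchost.exe",
         r"C:\Documents and Settings\USER\Local Settings\Temp\svchost.exe"),
]


def check_svchost(procs):
    """Return (pid, verdict, reasons) for every process named svchost.exe.

    verdict is 'legitimate' when the image path is one of the genuine copies AND the
    parent process is services.exe; otherwise 'suspicious' with the failed checks listed.
    """
    by_pid = {p.pid: p for p in procs}
    verdicts = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        if p.path.lower() not in LEGIT_SVCHOST_PATHS:
            reasons.append(f"runs from {p.path}, not the System32 copy")
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<unknown>"
        if parent_name != LEGIT_PARENT:
            reasons.append(f"parent is {parent_name}, expected {LEGIT_PARENT}")
        verdicts.append((p.pid, "suspicious" if reasons else "legitimate", reasons))
    return verdicts


def count_by_verdict(verdicts):
    """Summarise how many instances passed and failed; handy for a quick glance."""
    legit = sum(1 for _, v, _ in verdicts if v == "legitimate")
    return {"legitimate": legit, "suspicious": len(verdicts) - legit}


if __name__ == "__main__":
    for pid, verdict, reasons in check_svchost(SAMPLE_PROCS):
        print(f"pid {pid}: {verdict}" + ("" if not reasons else " (" + "; ".join(reasons) + ")"))
    print(count_by_verdict(check_svchost(SAMPLE_PROCS)))
```

On a live Windows XP machine the same two facts come from the process list (image path and parent pid; Task Manager shows neither, but Process Explorer or `tasklist /svc` do, the latter also listing which services each instance hosts). Whether the genuine System32 file has itself been tampered with is a separate question, answered by the on-access scanner or by comparing the file's hash with a known-good copy, not by counting instances.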