Author Topic: [RESOLVED] Win32: VB-QEH Trojan  (Read 4167 times)


dagr

  • Guest
[RESOLVED] Win32: VB-QEH Trojan
« on: October 21, 2010, 09:21:54 AM »
Hi,

I'm using AVAST 5.x (updated 20 Oct. 2010) on a Windows 7 (64-bit) laptop. Every time I run Avast it detects a Trojan called Win32:VB-QEH which is in a $RNMQR6G.scr file located in C:\$Recycle.Bin\.....

I accept the Avast default corrective action (Quarantine), but when I reboot, it is still there.

Any ideas how to get rid of this?

Thanks
David.
« Last Edit: October 27, 2010, 08:25:12 PM by dagr »

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: Win32: VB-QEH Trojan
« Reply #1 on: October 21, 2010, 09:40:34 AM »
First, welcome to the forum.

There are a few ways you can deal with that kind of infection. The first option, and many forget that, is to try a boot scan with Avast and see if it can deal with the infection.

http://www.schmahl.net/avastbootscan.php

If this isn't working, try Malwarebytes Anti-Malware and see if that could find and deal with the infection.

Download, install, scan, and don't forget to update before scanning.

http://www.malwarebytes.org/

Good luck, and let us know how it goes or if you need more help.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32: VB-QEH Trojan
« Reply #2 on: October 21, 2010, 09:41:34 AM »
Do you have anything in the recycle bin? What happens if you empty it?

Also scan with this:

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run update before you scan so you have the latest database.
Click on the "remove selected" button to quarantine anything found.
Please post the scan log here.

dagr

  • Guest
Re: Win32: VB-QEH Trojan
« Reply #3 on: October 21, 2010, 09:52:53 AM »
Thanks for the quick replies.

Avast won't let me do the boot scan because it says it can't do it on a Win64 system.

I will try Malwarebytes and report back this evening.

dagr

  • Guest
Re: Win32: VB-QEH Trojan
« Reply #4 on: October 22, 2010, 09:43:25 AM »
MalwareBytes found 3 infected files and has apparently got rid of them. Here is the MalwareBytes log (before I got rid of them):

Quote
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4907

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

22/10/2010 09:24:46
mbam-log-2010-10-22 (09-24-46).txt

Scan type: Full scan (C:\|)
Objects scanned: 377838
Time elapsed: 1 hour(s), 0 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\$Recycle.Bin\S-1-5-21-4204358262-3773558385-2041547693-1003\$RNMQR6G.scr (Worm.Palevo) -> No action taken.
C:\Users\xxxxx\AppData\Local\Temp\CSM2B76.tmp (Adware.RelevantKnowledge) -> No action taken.
C:\Users\xxxxx\AppData\Local\Temp\MSI2ABD.tmp (Adware.RelevantKnowledge) -> No action taken.


Thanks again for your help.
David.

SafeSurf

  • Guest
Re: Win32: VB-QEH Trojan
« Reply #5 on: October 23, 2010, 10:32:05 AM »
Hello dagr,

When you ran MBAM, you were supposed to put the infected items into quarantine, but instead your report says "No action taken," so the infection is still on your machine.

Please update MBAM again and run a full scan again, but this time when it finds an infection, put it into quarantine, where it is safe. Please read the instructions below:

  • Click update so you have the latest database before scanning.
  • Under Settings:
    ◦ General: Automatically Save File After Scan Completes is checked off
    ◦ Scanner Settings: Check all boxes
    ◦ Updater: Download and install update if available is checked off
  • Once the program has loaded, select "Perform FULL Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
  • Click the "remove selected" button to quarantine anything found. You will find the infection details under the Quarantine tab.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
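As an added example (not part of the thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.46 log layout quoted above that flags entries whose outcome is "No action taken" (the mistake SafeSurf points out) and entries sitting under a per-user $Recycle.Bin folder, as in this thread. The sample log, SID, user name and registry section are constructed for the example.

```python
import re

# Constructed sample in the layout of the Malwarebytes 1.46 log quoted in the
# thread (the SID and user name are made up; this is not the poster's log).
SAMPLE_LOG = r"""
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\$Recycle.Bin\S-1-5-21-111111111-222222222-333333333-1003\$RNMQR6G.scr (Worm.Palevo) -> No action taken.
C:\Users\xxxxx\AppData\Local\Temp\CSM2B76.tmp (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
"""

# One detection line: "<path or key> (<detection name>) -> <outcome>."
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<outcome>.+?)\.?$")
# Per-user recycle-bin folder: <drive>:\$Recycle.Bin\<SID>\...
RECYCLE_BIN_RE = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\", re.IGNORECASE)


def parse_detections(log_text):
    """Return one dict per detection line, tagged with the section it was listed under."""
    section, found = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # "Files Infected:" with no count = detail section
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            found.append({"section": section, **m.groupdict()})
    return found


def unresolved(detections):
    """Items MBAM listed but left in place: 'No action taken' means nothing was removed."""
    return [d for d in detections if d["outcome"].lower().startswith("no action")]


def recycle_bin_hits(detections):
    """File detections living under a per-user $Recycle.Bin folder, as in this thread."""
    return [d for d in detections if d["section"] == "Files" and RECYCLE_BIN_RE.match(d["path"])]


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_LOG)
    for d in unresolved(dets):
        print("still present:", d["path"], "->", d["name"])
```

A log where every line ends in "Quarantined and deleted successfully" (as in the later post) yields an empty `unresolved()` list.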

dagr

  • Guest
Re: Win32: VB-QEH Trojan
« Reply #6 on: October 23, 2010, 07:25:36 PM »
Hi,

I did get rid of the infected files. Here are the last three lines of the updated log (the rest of the log is the same), after removal:

Quote
Files Infected:
C:\$Recycle.Bin\S-1-5-21-4204358262-3773558385-2041547693-1003\$RNMQR6G.scr (Worm.Palevo) -> Quarantined and deleted successfully.
C:\Users\Laura\AppData\Local\Temp\CSM2B76.tmp (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Users\Laura\AppData\Local\Temp\MSI2ABD.tmp (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

Thanks again.

SafeSurf

  • Guest
Re: Win32: VB-QEH Trojan
« Reply #7 on: October 24, 2010, 10:36:22 AM »
Is your machine acting normally now? If so, it's a good idea now to do a good cleaning of your machine:

1. Something a lot of us use here is CCleaner, a freeware system optimization, privacy and cleaning tool. There is a Slim version available as well at http://www.piriform.com/ccleaner/builds - 4th option down. It removes unused files (cache, temporary Internet files, etc.) from your system, allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner (I suggest making a backup in Documents as a "just in case").

2. After running CCleaner, Download TFC by OldTimer to your desktop.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when running, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Worm.Palevo is a mass-mailing type of worm with a medium threat level that spreads and attaches itself via emails, so you need to be careful in the future not to click on untrustworthy links. This worm is able to steal information, invade your privacy as well as send the information which it captures to various malicious third parties. Therefore I suggest that you change your passwords just in case.

I also suggest that you rescan your machine by making sure the Avast definitions are up to date and running a Quick scan, and updating MBAM and running a Quick scan. If all comes out clean, then I'm a happy camper. :D

I would continue to run MBAM regularly in the future (remember to update prior to scanning) as well as keeping Avast up to date, thereby layering your protection. Also consider hardening your browser for extra security (add-ons etc.). You can also check to make sure your software is up to date with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ since software is changing constantly; the vendor's direct download link is available from this site, making it easy to update your software. Many of us here use this and scan our machines weekly. These are other ways to help prevent malware in the future.

Please let me know if you have any questions.

When you feel that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that post and change the title/subject, adding [Resolved] to the beginning of the title so this thread can be closed.

Feel free to come back any time you need help, to learn something new, or just to ask questions. We are here 24/7 for your convenience. Thank you for allowing me to assist you. :)
dagr

  • Guest
Re: [RESOLVED] Win32: VB-QEH Trojan
« Reply #8 on: October 27, 2010, 08:26:27 PM »
Thanks once again for all the help and tips. It has been definitively solved.

Cheers
David.