VBBOT - B Trojan - Virus, Spyware, Malware Removal

G,Day

Tech Samm told me to log for help here with removing the trojan virus VBBOT - B.

I will copy the Hijack this file on here for your reference. Please my old man is p**sing me off atm so I really need this sorted out asap.

Cheers

Cobain

Logfile of HijackThis v1.99.1
Scan saved at 6:11:41 PM, on 5/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpcheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\udpcheck.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [tcp checker] tcpcheck.exe
O4 - HKLM\..\RunServices: [tcp checker] tcpcheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tcp checker] tcpcheck.exe
O4 - HKCU\..\RunServices: [tcp checker] tcpcheck.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm88544AU
O8 - Extra context menu item: Add banner url(s) to AdsCleaner - C:\Program Files\AdsCleaner Trial\System\Scripts\off_banner.htm
O8 - Extra context menu item: Add selected links to Link Container - C:\Program Files\AdsCleaner Trial\System\Scripts\off_collector_sel.htm
O8 - Extra context menu item: Bookmark all links in AdsCleaner - C:\Program Files\AdsCleaner Trial\System\Scripts\off_all.htm
O8 - Extra context menu item: Bookmark selected link(s) in AdsCleaner - C:\Program Files\AdsCleaner Trial\System\Scripts\off_sel.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open all links in new windows - C:\Program Files\AdsCleaner Trial\System\Scripts\off_open_all.htm
O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\AdsCleaner Trial\System\Scripts\off_open_sel.htm
O8 - Extra context menu item: Say to AdsCleaner Team about banner - C:\Program Files\AdsCleaner Trial\System\Scripts\off_report_ad.htm
O8 - Extra context menu item: Show domain links - C:\Program Files\AdsCleaner Trial\System\Scripts\off_domain_links.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
O16 - DPF: ConferenceRoom Java Client - http://chat.bigpond.com/java/cr.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6AA93DF6-6757-4338-9087-F7601DE18402} - http://akamai.downlo...ICE_1040_XP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downlo...ice_4_EN_XP.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4139BB73-A965-45AD-BC85-B66955975F96}: NameServer = 203.2.75.132 198.142.0.51
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Srv32 - Unknown owner - C:\WINDOWS\system32\srv32.exe (file missing)
O23 - Service: TCPIP Managing Service (TCPIPManagingService) - Brought to you by the Bandwidth Bandits - C:\WINDOWS\SYSTEM32\tcpcheck.exe

Hi Cobain_86

Sorry for the delay in response. The forum has been very busy lately.

You do have some problems there. Please do these on-line scans.

http://housecall.trendmicro.com/ Put on 'Autoclean' and delete what it can't clean

http://www.pandasoft...n_principal.htm Accept default settings, save the log to somewhere you can find.

Then download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install the program.

There should be a icon for ewido on your desktop. Double-click to run it.
Update ewido:
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a cup of coffee...
If ewido finds anything, it will pop up a notification. You can select clean and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on Save Report. This will create a text file.

Please then paste the contents of the ewido text file, the Panda ActiveScan log and post them with a new HijackThis log.

VBBOT - B Trojan

#1
Cobain_86

Posted 08 June 2005 - 06:16 AM

Advertisements

#2
ilago

Posted 17 June 2005 - 09:49 PM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us