Help! Trojan: Downloader.vb.3.f


This topic is locked
10 replies to this topic

#1 BASSRUPTURE

BASSRUPTURE

    New Member

  • Authentic Member
  • 8 posts

Posted 15 June 2004 - 06:13 PM

Hi, I'm running Windows 98. I was infected with a trojan horse virus (Downloader.VB.3.F). I am seeking expert help on how to remove the virus from my computer. Thanks.

#2 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 15 June 2004 - 06:54 PM

Greetings and welcome to TomCoyote.com!

May your day be blessed by those you love and those you love be blessed by HIM. - Coyote


Gee.. with a nickname like "bassrupture" you should have gotten infected with a "worm" instead of a "trojan". At least then you'd have some bait. ;)

OK.. Enough attempts at humor on my part. :weee:

Actually, I couldn't find that exact trojan in my searches. But I found similar ones, so we're going to try the removal technique used for the "similar" trojans.

First, boot your PC in "safe" mode. Use the link in my signature to tell you how if you are unsure.

Next, get online and run the free virus scan/removal tool here:

http://housecall.trendmicro.com/

If it finds something but fails to remove it, it will tell you. Save that info and supply it in your next post, please. :)

After the virus scan/removal, reboot in normal mode.

Next, please make a permanent folder (not on the desktop) for Hijack This! (suggest "C:\HJT\"), and download it (from the link in my signature) into that folder.

If required, a tutorial is here: Hijackthis Folder Tutorial

Run it from that folder.

Click "Scan".

DO NOT "FIX" ANYTHING WITH IT YET!!!
FIXING THE WRONG THING COULD RENDER YOUR SYSTEM INOPERABLE!!!

Click "Save log".

Reply to this thread, and post the ENTIRE CONTENTS of the log file into this thread and we'll proceed from there. :)

#3 BASSRUPTURE

BASSRUPTURE

    New Member

  • Authentic Member
  • 8 posts

Posted 17 June 2004 - 02:43 AM

Hello Micah 6:8

Thanks for your warm welcome and much appreciated reply.

I went into Safe Mode and tried signing on to my account, but the drivers for my modem don't seem to be responding under Safe Mode. So I can't access Trendmicro.com.

I then rebooted Windows (normal) and just ran Trend Micro hoping it would pick up something, but nothing was detected. Below is the HijackThis log file.

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 9:59:33 PM, on 6/16/04
Platform: Windows 98 SE (Win9x 4.10.1998A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
C:\DDWIN\VOICEBAR.EXE
C:\DDWIN\Dgnengin.exe
C:\DDWIN\DgnDemon.exe
C:\DDWIN\DGNDMN32.EXE
C:\DDWIN\DGNLAN32.EXE
C:\DDWIN\WPDEM32.EXE
C:\DDWIN\Dgninter.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RamBooster] C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
O4 - Startup: DragonDictate Classic Edition.lnk = C:\DDWIN\VOICEBAR.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
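The helper above reads the log by eye, checking each O4 autostart entry against the running-process list. As an added example (not part of this thread and not HijackThis code), here is a small Python triage script that does the same first pass mechanically: it parses the "Running processes:" section and the O4 lines of a HijackThis 1.x log and flags entries given as a bare file name (which Windows resolves through the PATH, so the real file location must be confirmed) and entries set to autostart that are not in the process list. The sample lines are copied from the log posted above; the function names and the heuristics are my own.

```python
import re
# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: DragonDictate Classic Edition.lnk = C:\DDWIN\VOICEBAR.EXE
"""
# The two O4 line shapes HijackThis 1.x writes: registry Run/RunServices values and Startup-folder links.
O4_REG = re.compile(r"^O4 - (?P<loc>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")

def exe_name(cmd):
    """Return (first token, lower-cased basename) of a command line, honouring a quoted path."""
    token = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return token, token.rsplit("\\", 1)[-1].lower()

def parse_log(text):
    """Collect running-process basenames and the O4 autostart entries from a log."""
    procs, entries, in_procs = set(), [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # the blank line after the process list ends that section
        elif in_procs:
            procs.add(line.rsplit("\\", 1)[-1].lower())
        else:
            for rx in (O4_REG, O4_STARTUP):
                if m := rx.match(line):
                    entries.append(m.groupdict())
                    break
    return procs, entries

def triage(text):
    """Heuristic (entry name, reason) flags a helper would check first; not verdicts."""
    procs, entries = parse_log(text)
    findings = []
    for e in entries:
        token, base = exe_name(e["cmd"])
        if "\\" not in token:   # bare name: resolved through the PATH, so confirm where it really lives
            findings.append((e["name"], f"bare file name {token!r}, confirm its real location"))
        if base not in procs:   # set to start at boot but not running when the log was taken
            findings.append((e["name"], f"{base} autostarts but is not in the running-process list"))
    return findings
```

Run against the sample, `triage(SAMPLE_LOG)` flags SystemTray (bare name), CountrySelection (bare name and not running), TrueVector and the DragonDictate link (not running) and leaves AVG_CC alone; a flag is a prompt to look, not proof of infection.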

#4 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 17 June 2004 - 06:25 AM

I don't see anything wrong in the log file.

How were you alerted that the trojan was present? From your resident virus protection?

Here are two other free online scanners/removers:

http://www.pandasoft...n_principal.htm

http://www3.ca.com/s...sinfo/scan.aspx

If you try all of them, and they all say they found nothing, then I'd say you're not actually infected.

Try the other two scanners, and post back and let me know the results. :)

#5 BASSRUPTURE

BASSRUPTURE

    New Member

  • Authentic Member
  • 8 posts

Posted 17 June 2004 - 06:24 PM

Hi Micah

I ran those virus sites. I actually have eTrust, but nothing was detected.

I had 2 anti-virus programs running when I was infected: AVG and eTrust. AVG gave me the name of the trojan virus (Downloader.VB.3.F). It said it healed OK, but I was still suspicious.
I went to my Add/Remove programs to see if there was anything that was installed. I found 2 programs I didn't recognize. They are Mediamotor and Viewpoint media player. I think there's another called S3Display. But I went ahead and tried to uninstall the first two I mentioned with no success.
Last night I tried to search more about this virus and I came up with one. I'd like to give you a link to it. So I can get your opinion, if I may.

#6 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 17 June 2004 - 07:34 PM

If it's this "mediamotor":

http://it.trendmicro...me=TROJ_ROING.A

It's not good.

"Viewpoint media player" is purported to be spyware as well. It is installed by AOL and AIM (and probably other things as well).

Send me all the links you want. I'll give you my opinion.

About your post:

I had 2 anti-virus program running when I was infected


It's not a good idea to have 2 antivirus programs running at the same time.

The "rule of thumb" I have been told is you should consider uninstalling the LAST one you installed.

Just something to think about. :)

#7 BASSRUPTURE

BASSRUPTURE

    New Member

  • Authentic Member
  • 8 posts

Posted 18 June 2004 - 12:14 AM

Yes, a lot of spy carp** came with this virus. Here is the link I wanted you to see. Click here: How can you remove the Trojan horse Downloader.VB.3.F which is found in file c:\System Volume Information\_restore{ It seems to be a problem solver for Windows XP, but I'm running Windows 98. And also I had AVG running first. Thanks

#8 BASSRUPTURE

BASSRUPTURE

    New Member

  • Authentic Member
  • 8 posts

Posted 18 June 2004 - 12:20 AM

Sorry, that link didn't come out right. I'll try it again with this one.

http://www.faqfarm.com/Computer/33968

I hope this works

#9 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 19 June 2004 - 12:42 PM

Yup, that link worked. But like you said, it doesn't apply for '98 systems because you don't have "system restore". Since the online scans say you're clean, I would believe them. :)

#10 BASSRUPTURE

BASSRUPTURE

    New Member

  • Authentic Member
  • 8 posts

Posted 22 June 2004 - 08:29 PM

Hi Micah 6:8, I was able to take out Mediamotor. I just wanna thank you for all your cooperation and support. God bless and best regards.

#11 dgosling

dgosling

    SuperMember

  • Authentic Member
  • 2,499 posts

Posted 20 August 2004 - 02:14 PM

I am glad that we were able to help! I am closing this topic now, but if you need it reopened, please send an email to the following link (Click for address) with the Subject line of the email "Reopen".
To receive a response, please include in your email: the user name used in the post, details of why you need it reopened, and a valid link to the post.

Emails with bad links to the post, emails that are not from the original poster, and emails that do not have "ReOpen" as the subject line, will be deleted without being opened.

Please start a New Topic if this is not your thread. Thank-you for your co-operation.

Edited by dgosling, 20 August 2004 - 04:11 PM.



