Help.... Any info on Win32/Trojan Downloader.VB.DB trojan

Discussion in 'NOD32 version 2 Forum' started by Qbee&1C, Sep 13, 2004.

Thread Status:
Not open for further replies.
  1. Qbee&1C

    Qbee&1C Registered Member

    Joined:
    Sep 12, 2004
    Posts:
    3
    Location:
    Van-Canada
    Have NOD32........... support has been okay up to this point.
    Have obtained trojan in C:\Documents and Settings\S\Local Settings\Temporary Internet Files\Content.ie5\xoe9Ap6Y\chedownzip[1].cab>>CAB>>mm20.ocx-win32/Trojan Downloader.VB.DB trojan
    Have erased temp files, have tried to separate and delete but cannot get rid of it.
    Recently read in a column NOD32 not so good with Trojans...... interesting!
    I'm going through it and would appreciate any help or suggestions on how to deal with this crap!!
    I guess in the end, I'll be looking at Full Formatting.
    What's even more frustrating is it was no deliberate download....... was at a cheat site for daughter just viewing!!
    Thanks again!
    Also NOD32 has good support, but it has not been effective with this one!
    Blue Moon
     
  2. kairii

    kairii Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    76
    Switch to Firefox :)
    You'd be better off using an anti-trojan program with NOD32.
     
  3. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Switching to Firefox won't guarantee anything; I'm using it and still managed to get a trojan.

    Try cleaning with NOD32 in Safe Mode, and try scanning with http://www.safer-networking.org/en/index.html Spybot-S&D in Safe Mode also as it might remove the start-up entries for the trojan.

    I'm sure you can get rid of the trojan without formatting, if the above doesn't work try running a trial of TDS3 or KAV. You could also post in the TDS forum as there are some extremely helpful and knowledgeable people there who helped me clean my system when NOD32 refused to remove a trojan I'd contracted.
     
  4. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Actually dumping temp internet files should have gotten rid of the trojan (unless there is a copy of it in your Restore folder). Also, you can run an online scan with Computer Associates EZ Antivirus scanner at:

    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just to be sure EVERYTHING is gone and your system is TOTALLY clean, can you do the following after installing the latest Nod32 from www.nod32.com:


    Step 1. Install Zone Alarm (free) – Firewall with visual outgoing alerts to see what is trying to access the internet.
    http://www.zonelabs.com


    Step 2. Download Stinger available here: do NOT run this YET.
    http://vil.nai.com/vil/stinger/


    Step 3. MAKE SURE NOD32 IS FULLY UP TO DATE with the latest virus signatures.


    Step 4. Turn OFF System Restore, this process depends on your operating system:


    Windows XP Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on the "System Restore"
    4. Place a tick in "Turn off System Restore on all Drives"
    5. Click OK
    6. Close and restart your system.


    OR


    Windows ME Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on "Performance"
    4. Click "File system"
    5. Click "Troubleshooting"
    6. Check "Disable system restore"
    7. Click on OK
    8. Close and restart your system.


    Step 5. Delete your TEMP files by doing the following: open up Internet Explorer> Tools> Internet Options> General TAB> Temporary Internet Files> Delete Files> Delete All Offline Content.


    Step 6. Restart your system again in “SAFE MODE” by pressing/tapping F8 while booting up.


    Step 7. Start a scan with Nod32 while in SAFE MODE by doing the following: Start> All Programs> Eset> Nod32.


    CHECK THE FOLLOWING BEFORE YOU START YOUR SCAN:

    “Actions” TAB
    Make sure Quarantine is ticked, both for “If a virus is found” and “Uncleanable viruses”.

    “Setup” TAB
    Objects to diagnose – place a tick in all boxes.
    Diagnostic methods – place a tick in all boxes.
    Heuristic sensitivity – place a tick in “Deep”.
    Extensions – place a tick in “Scan all files”.

    “Scanning targets” TAB
    Double click on ALL of your Hard Drives so there is a RED tick shown
    Click “Clean”


    Make SURE Quarantine is ticked with EVERYTHING that is detected BEFORE you DELETE anything that is found. If you are not sure whether it is safe to delete an infected file, quarantine allows restoration of a file at a later time/date.


    If the scan finds a “Probable NewHeur_PE virus found”, please do the following:

    1. Place a tick in the Quarantine check-box
    2. Select Delete
    3. Send the quarantined file to Eset at samples@nod32.com; the file can be found here: C> Program files> Eset> Infected


    Step 8. Run a scan with “Stinger” the program you downloaded above.


    Step 9. Reboot your system into normal mode.


    Step 10. Run a further online scan found here: http://housecall.trendmicro.com/


    Step 11. Install update and run Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor.
    http://beam.to/spybotsd


    Step 12. Install update and run Adaware (free) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will.
    http://www.lavasoftusa.com


    Step 13. Install and run CWShredder available here:
    https://www.wilderssecurity.com/showthread.php?t=14086


    Step 14. Make sure your Windows is FULLY up-to-date by doing the following: While on the Internet, Click on Internet Explorer (the Blue “e”), Click on Tools (on the bar at the top of your screen in Internet Explorer), Click on Windows Update. This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “Scan for Updates”. Install ALL “Critical Updates” and “Service Packs”.

    WEEKLY – check this is “Up to Date”.



    REPEAT ALL THE ABOVE STEPS, this time EVERYTHING should come up clean…



    Now that your system is clean you may want to take a look here for further discussion on security and how to make your system that much stronger:

    https://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25

    and here for more:

    https://www.wilderssecurity.com/showthread.php?t=43117


    Hope this helps…

    Let us know how you go…

    Cheers :D
     
  6. Qbee&1C

    Qbee&1C Registered Member

    Joined:
    Sep 12, 2004
    Posts:
    3
    Location:
    Van-Canada
    I wanted to take a moment to thank all the people who responded to my problem; just the time and effort was greatly appreciated.........
    I have learned a great deal over the last few days.
    What was disturbing for me was the manner the Trojan was obtained....... no specific download, just browsing!
    Anyway, tried numerous methods, to no avail, to destroy/vanish this Trojan, W32/TrojanDownloader.VB.DB
    I got fed up with dealing with this Trojan and as things were beginning to escalate, I just did a Full Format, which did indeed clear the problem.
    But it was only today I noticed Blackspear's advice, input.........
    I will keep this for future reference Blackspear, thank-you!
    I understand that NOD32 is getting a full overhaul and several issues are being dealt with.......... one being the Trojan factor.
    I have heard great things about NOD32, I hope in the future they stay the course and deal with any problems and offer support.
    This is one of the things which drew me to NOD32, was the support!
    I will add that in the last week, there was little feedback after several E-mails and leaving a voice message at the company to please return my call when possible...................
    It was only recently that I understood there are a lot of things taking place at this time with NOD32, so this may have been a factor.
    Anyway, again thank-you for all input and support, much appreciated !!
    Qbee&1C
     
  7. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA

    NOD32 is making good progress for this browsing issue with their addition of the IMON HTTP scanner.

    The IMON HTTP scanning is working well here on a game machine used by teenagers. Below is an example of the log. I removed the links per this forum's policy. Also, no slowdown on this P4 2.8 machine.

    Time Module Object Name Virus Action User Info

    9/6/2004 0:23:01 AM IMON (edit) Win32/TrojanDownloader.QDown.L trojan connection terminated

    8/28/2004 2:42:47 AM IMON (edit) Win32/TrojanDownloader.IstBar.NAD trojan connection terminated

    8/23/2004 7:44:38 AM IMON (edit) Win32/SecondThought.C trojan connection terminated

    8/23/2004 7:44:30 AM IMON (edit) Win32/TrojanDownloader.VB.DB trojan connection terminated

    Note: The NOD32 HTTP scanner did stop TrojanDownloader.VB.DB trojan on that machine.
     
    Last edited: Sep 14, 2004
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Like Stan999 was saying, the new HTTP scanner adds a really good layer of defense.

    If you have a moment take a look at the last 2 links that I sent you regarding discussions on tightening security, those links again are here and here for more.


    My pleasure. For the most part what I have suggested fixes the greater majority of problems out there...

    And my further advice is, IF the above does NOT fix your problem, please download and run HijackThis found here:

    https://www.wilderssecurity.com/showthread.php?t=12516

    and post your log at one of the forums found here:

    http://a-sap.org/

    Keep in mind the following quote:

    I forgot to add the above in; however, by this stage it looks like you had used the “fix all” approach ;) :D


    Yes they have their hands full at the moment ;) Oh well you can expect that with a rapidly growing company, no growth without a little pain :D

    Cheers :D
     
  9. sakharg

    sakharg Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    62
    Blackspear,

    apologies if this has been covered before, but what does the HTTP scanner do that AMON doesn't or should? There's no redundancy here between the HTTP scanner and the real time monitor?
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    IMON now has an HTTP scanner; see here for more information.

    The HTTP scanner becomes your first line of defence and should stop Viruses and Trojans from entering onto your system.

    Hope this helps...

    Cheers :D
     
  11. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    The original problem [first post] is almost the exact same thing as what I saw on a friend of mine's PC: lots of trojans. The biggest problem for me was a code-based trojan in operating memory.

    I believe it came from a .dll file on a questionable web site; from there the trojan downloader added more and more.

    NOD32 was not running on the system when it was infected; the system was using Norton 2002, way out of date, although an up-to-date security scan was performed by Symantec online and given a clean bill of health. Real problems started when friend tried to delete,
     
  12. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    It is a lot more efficient and safer to detect and stop an infection prior to downloading it to your machine as opposed to allowing an infection to download to your machine and later detecting it with AMON or the NOD32 On Demand Scanner and having to remove it at that point.

    The HTTP scanner also provides additional useful information as to the URL that contains the infection that you wouldn't have available with AMON or the On Demand Scanner.

    Example:
    Time Module Object Name Virus Action User Info

    9/14/2004 14:37:13 PM IMON archive http://www.eicar.org/download/eicarcom2.zip Eicar test file connection terminated

    9/14/2004 14:37:07 PM IMON archive http://www.eicar.org/download/eicar_com.zip Eicar test file connection terminated

    9/14/2004 14:36:58 PM IMON file http://www.eicar.org/download/eicar.com Eicar test file connection terminated
     
    Last edited: Sep 15, 2004
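Stan999's two IMON excerpts (post 7 and post 12) are pasted as one flattened row per blocked download, and the point of the second one is that the HTTP scanner records the URL the infection came from, which AMON or the on-demand scanner would not. The script below is an added example, not code from this thread or from ESET: it parses rows in exactly the pasted layout (the column header is skipped and "(edit)" is treated as a redacted URL) into records, then summarizes which malware families were blocked and which hosts served them. The row layout, the "connection terminated" action phrase and the sample rows come from the thread; the regular expression, the ImonEvent class and the family heuristic (the text between the "Win32/" prefix and the first dot) are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Sample rows copied from the IMON log excerpts posted in this thread. The first
# four have their URLs replaced by "(edit)" because the poster redacted them;
# the last three are EICAR test-file downloads, which are harmless by design.
SAMPLE_LOG = """\
Time Module Object Name Virus Action User Info
9/6/2004 0:23:01 AM IMON (edit) Win32/TrojanDownloader.QDown.L trojan connection terminated
8/28/2004 2:42:47 AM IMON (edit) Win32/TrojanDownloader.IstBar.NAD trojan connection terminated
8/23/2004 7:44:38 AM IMON (edit) Win32/SecondThought.C trojan connection terminated
8/23/2004 7:44:30 AM IMON (edit) Win32/TrojanDownloader.VB.DB trojan connection terminated
9/14/2004 14:37:13 PM IMON archive http://www.eicar.org/download/eicarcom2.zip Eicar test file connection terminated
9/14/2004 14:37:07 PM IMON archive http://www.eicar.org/download/eicar_com.zip Eicar test file connection terminated
9/14/2004 14:36:58 PM IMON file http://www.eicar.org/download/eicar.com Eicar test file connection terminated
"""

# One pasted row per line: date, time, module, an optional object type, the
# object (a URL, or the "(edit)" placeholder), a threat name that may contain
# spaces, and the trailing action phrase. Anchoring on the action phrase is what
# lets the lazy threat match stop in the right place. This pattern is an
# assumption based on the rows above, not ESET's documented log format.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<module>\S+)\s+"
    r"(?:(?P<kind>file|archive)\s+)?"
    r"(?P<obj>\S+)\s+"
    r"(?P<threat>.+?)\s+"
    r"(?P<action>connection terminated)$"
)


@dataclass(frozen=True)
class ImonEvent:
    date: str
    time: str
    module: str
    kind: Optional[str]   # "file" / "archive" when IMON reported it
    obj: str              # URL, or "(edit)" where the poster redacted it
    threat: str
    action: str

    @property
    def redacted(self) -> bool:
        return self.obj == "(edit)"

    @property
    def host(self) -> Optional[str]:
        """Host that served the object; only the HTTP scanner records this."""
        if self.redacted:
            return None
        return urlparse(self.obj).hostname

    @property
    def family(self) -> str:
        """'Win32/TrojanDownloader.VB.DB trojan' -> 'TrojanDownloader' (assumed heuristic)."""
        if "/" in self.threat:
            return self.threat.split("/", 1)[1].split(".", 1)[0]
        return self.threat


def parse_imon_log(text: str) -> List[ImonEvent]:
    """Turn pasted IMON rows into events; header and unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        events.append(ImonEvent(**match.groupdict()))
    return events


def summarize_by_family(events: List[ImonEvent]) -> Counter:
    """Count blocked downloads per malware family."""
    return Counter(event.family for event in events)


def blocked_hosts(events: List[ImonEvent]) -> List[str]:
    """Distinct hosts IMON blocked content from, excluding redacted rows."""
    return sorted({event.host for event in events if event.host})


if __name__ == "__main__":
    parsed = parse_imon_log(SAMPLE_LOG)
    for family, count in summarize_by_family(parsed).most_common():
        print(f"{count:3d}  {family}")
    print("hosts:", ", ".join(blocked_hosts(parsed)) or "(all redacted)")
```

Run it as a script to print the per-family counts for the rows above; to use it on a real export, replace SAMPLE_LOG with the contents of the IMON log file. The host list is the useful output for a defender: it is the one piece of information the HTTP scanner adds over AMON, and it is what you would feed into a proxy block list or check against a URL reputation service.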