Win32.VB.tr (FALSE POSITIVE)?

i using Nod 32 and, from my research, "Win32.VB.tr" appears to be a Trojan. I just want to confirm that this is not a false positive before I try to delete using SpyBot Search & Destroy.

Any suggestions are welcome!

Adendum: Right now I am using VNC and that is why you do not see Nod 32 in my System Tray.

 

One more screenshot.

Windows XP Pro SP2
Nod32, SAS, AVG 7.5 anti-spyware
Intel iMac, 4 GB of RAM

 

I'd suggest expanding that node in S&D seen in your 2nd screenshot to get more details about it. If it refers to a file, please send it in a password protected archive to samples[at]eset.com with this thread's url enclosed.

 

Hello Marcos:

I'm not sure what you mean by "expanding that node"? I went ahead and allowed S&D to delete this file or threat. I did a scan with Nod32, the results were no threat found. I'm not sure if this is a false positive?

This threat or file now appears to be gone from my machine. I am not sure how to send this file "password-protected archive" to the address above. Can you explain how to do this?

Thanks.

 

'Expanding the node' means you should click on the '+' sign which appears before the trojan name in Spybot. This will allow you to see more detail about the trojan.

A free file archive program such as 7-Zip (http://www.7-zip.org/) will allow you to send a password protected archive.

 

I decided to delete Win32.VB.tr yesterday around 6:30 p.m. last night. Now when I scan with Nod32, S&D, SAS, or AVG 7.5 Anti-Spyware, there are no signs of Win32.VB.tr. Sunbelt Research Lab (source) states that this is a Trojan. I am not 100% certain.

How should I proceed?

TIA

 

One last screenshot.

Reinstalling Windows on an Intel iMac is going to be a pain!

 

Nuke. The problem is there is no indication as to EXACTLY what Spybot has picked up. It could be a left over temporary files, a single registry setting or the complete virus. You were asked to expand the node which means to click on the [+] sign so we could see EXACTLY what Spybot has found. Without that these screen-shots are pointless. If there is a way to show what is in the Spybot quarantine then it would be helpful to post a picture of that here (with the node expanded) and the screen adjusted so we can see EXACTLY what Spybot has found.

Other wise all your post says is "Spybot has found something, i can't say exactly what, but NOD32 can't detect it. Is it a false positive?"

 

Sorry, my mistake. I was thinking quarantining but failed to take action.

Thanks.

 

Hi!

It looks like trash in temp directory.

 

the next thing that you will be asked to do is: maximize the window in order that the full path and filename can be seen

 

I must be getting dumber. Here it is maximized.

 

OK. That file (whilst it looks like a Temp File) can be a critical part of the virus itself. I've noticed many of them using TMP files...

ZIP the file and send it to Eset as per Marcos posting above

 

A log from ESET SysInspector would be appreciated as well.

 

Marcos, thanks. I will work on the log.

I may send you a PM if I get stuck.

 

If I missed a step, please let me know.

 

You haven't missed anything . Just send the zipped log file as requested

 

I sent the zipped log file, yesterday.

A question I apologize for, does it still need to be sent in a password-protected archive (http://www.7-zip.org/)?

Thanks.

 

No , not necessary . The log file should be blocked and it doesn't need to be sent in a password protected archive

 

Thank You!