Win32.VB.tr (FALSE POSITIVE)?

Discussion in 'ESET NOD32 Antivirus' started by Nuke, May 29, 2008.

Thread Status:
Not open for further replies.
  1. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    I am using Nod 32 and, from my research, "Win32.VB.tr" appears to be a Trojan. I just want to confirm that this is not a false positive before I try to delete it using SpyBot Search & Destroy.

    Any suggestions are welcome!

    Addendum: Right now I am using VNC and that is why you do not see Nod 32 in my System Tray.
     


  2. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    One more screenshot.

    Windows XP Pro SP2
    Nod32, SAS, AVG 7.5 anti-spyware
    Intel iMac, 4 GB of RAM
     


    Last edited: May 29, 2008
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest expanding that node in S&D seen in your 2nd screenshot to get more details about it. If it refers to a file, please send it in a password protected archive to samples[at]eset.com with this thread's url enclosed.
     
  4. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    Hello Marcos:

    I'm not sure what you mean by "expanding that node"? I went ahead and allowed S&D to delete this file or threat. I did a scan with Nod32, the results were no threat found. I'm not sure if this is a false positive?

    This threat or file now appears to be gone from my machine. I am not sure how to send this file "password-protected archive" to the address above. Can you explain how to do this?

    Thanks.
     
  5. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,741
    Location:
    New York City
    'Expanding the node' means you should click on the '+' sign which appears before the trojan name in Spybot. This will allow you to see more detail about the trojan.

    A free file archive program such as 7-Zip (http://www.7-zip.org/) will allow you to send a password protected archive.
     
  6. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    I decided to delete Win32.VB.tr yesterday around 6:30 p.m. last night. Now when I scan with Nod32, S&D, SAS, or AVG 7.5 Anti-Spyware, there are no signs of Win32.VB.tr. Sunbelt Research Lab (source) states that this is a Trojan. I am not 100% certain.

    How should I proceed?

    TIA
     
  7. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    One last screenshot.

    Reinstalling Windows on an Intel iMac is going to be a pain!
     


  8. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Nuke. The problem is there is no indication as to EXACTLY what Spybot has picked up. It could be leftover temporary files, a single registry setting or the complete virus. You were asked to expand the node, which means to click on the [+] sign so we could see EXACTLY what Spybot has found. Without that these screenshots are pointless. If there is a way to show what is in the Spybot quarantine then it would be helpful to post a picture of that here (with the node expanded) and the screen adjusted so we can see EXACTLY what Spybot has found.

    Otherwise all your post says is "Spybot has found something, I can't say exactly what, but NOD32 can't detect it. Is it a false positive?"
     
  9. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    Sorry, my mistake. I was thinking quarantining but failed to take action.

    Thanks.
     


  10. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi!

    It looks like trash in temp directory.
     
  11. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    The next thing that you will be asked to do is: maximize the window so that the full path and filename can be seen ;)
     
  12. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    I must be getting dumber. Here it is maximized.
     

    Attached Files:

    • dumb.JPG (file size: 124.4 KB)
  13. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    OK. That file (whilst it looks like a Temp File) can be a critical part of the virus itself. I've noticed many of them using TMP files...

    ZIP the file and send it to Eset as per Marcos's posting above.

     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
  15. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    Marcos, thanks. I will work on the log.

    I may send you a PM if I get stuck.
     
  16. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    If I missed a step, please let me know.
     


  17. ASpace

    ASpace Guest

    You haven't missed anything. Just send the zipped log file as requested.
     
  18. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    I sent the zipped log file, yesterday.

    A question I apologize for, does it still need to be sent in a password-protected archive (http://www.7-zip.org/)?

    Thanks.
     
  19. ASpace

    ASpace Guest

    No, not necessary. The log file should be blocked and it doesn't need to be sent in a password protected archive.
     
  20. Nuke

    Nuke Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    134
    Location:
    USA
    Thank You!
     