1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.


Discussion in 'Virus & Other Malware Removal' started by toby1944, Jan 17, 2006.

Thread Status:
Not open for further replies.
  1. toby1944

    toby1944 Thread Starter

    Dec 30, 2005
    Can anyone please give me some info on Trojan Win32.vb.apv
    Any help greatly appreciated
  2. khazars


    Feb 15, 2004
    hi, welcome to TSG.

    there's no info on it!

    Download hijack this from the link below.Please do this. Click here:


    to download HijackThis. Click scan and save a logfile, then post it here so
    we can take a look at it for you. Don't click fix on anything in hijack this
    as most of the files are legitimate.
  3. toby1944

    toby1944 Thread Starter

    Dec 30, 2005
    I ran a Karspesky online scan and here is the results

    Tuesday, January 17, 2006 13:22:22
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version:
    Kaspersky Anti-Virus database last update: 17/01/2006
    Kaspersky Anti-Virus database records: 161134

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:

    Scan Statistics:
    Total number of scanned objects: 18750
    Number of viruses found: 1
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 1021 sec

    Infected Object Name - Virus Name
    C:\System Volume Information\_restore{D7734848-81D6-465F-8136-1544BD12CC40}\RP48\A0009542.exe/data0004 Infected: Backdoor.Win32.VB.apv
    C:\System Volume Information\_restore{D7734848-81D6-465F-8136-1544BD12CC40}\RP48\A0009542.exe Infected: Backdoor.Win32.VB.apv
    C:\System Volume Information\_restore{D7734848-81D6-465F-8136-1544BD12CC40}\RP49\A0009603.exe/data0004 Infected: Backdoor.Win32.VB.apv
    C:\System Volume Information\_restore{D7734848-81D6-465F-8136-1544BD12CC40}\RP49\A0009603.exe Infected: Backdoor.Win32.VB.apv

    Scan process completed.
  4. toby1944

    toby1944 Thread Starter

    Dec 30, 2005
    Here is the HJ log

    Logfile of HijackThis v1.99.1
    Scan saved at 14:58:08, on 17/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\CConnect\CConnect.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband/broadband.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
    O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136308743187
    O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  5. khazars


    Feb 15, 2004
    that's ok they are in system restore so they aint going anywhere!

    go to this site and download these tools and once you get both
    adaware Se 1.6 and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for neglible risk
    entries". Click next to start the scan. Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.

    reboot again

    With CWshredder close all browsers and programmes and select the FIX button.

    Go here and download Microsoft Antispyware Beta. First in the top menu click
    File then Check for updates to download the definitons updates.

    After updating look in the right side of the main window under "Run Quick
    Scan Now" and click Spyware scan options. In that window put a tick by Run a
    full system scan and then put a check by all three options below that then
    click Run Scan now.

    When the scan is finished, let it fix anything that it finds (have it
    quarantine the items that have that option rather than delete just in case.
    It is a beta program and there may be false positives)

    Restart your computer.

    All tools can be downloaded at the link below and found on that page!

    . Microsoft® Windows AntiSpyware
    . Trend micro CWShredder
    . AdAware SE personal


    you have ewido and spysweeper, update them and run a scan with both! Run ewido in safe mode!

    boot to safe mode and run this bat file!

    * Click here for info on how to boot to safe mode if you don't already know


    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.

    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:

    When in Safe Mode, open notepad and paste in the following lines:

    del c:\ *.tmp
    del %temp%\*.tmp /f
    del %windir%\prefetch\*.*
    del %windir%\temp\*.* /f
    del C:\documents and settings\*\local settings\temp\*.* /f

    Save to your desktop as 'clean.bat'...Before you save,set 'file types' to
    all types. ( *.*)

    DoubleClick on "clean.bat", and say Yes to the prompt.

    reboot back to normal mode and run a scan here!

    Run ActiveScan online virus scan here


    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!

    post another hijack this log, the ewido and active scan logs
  6. GioAG


    Jan 6, 2006
    Hello Toby1944,

    At first impression, your HJT log looks clean so far I will analize with more detail and I will let you know if something bad comes up.

    Meanwhile, the only 4 infections kasperksi found are located inside the System Restore backup files, this means that if you go back in time doing a System Restore, your computer will be infected automatically, so is no point in try to save the restore points you have till now, you will have to clear the restore points in order to get rid of the infected system restore backup files, and scan again to see if everything comes nice and clean.

    To clear System restore files do the follow:

    Go to Start > Control Panel > System > System Restore tab
    CHECK the box "Turn off system restore on all drives"
    Click OK

    Perform a new scan with Kaspersky and see if everything is clean now

    If everything is clean:

    Open Start > Control Panel > System > System Restore tab again.
    CLEAR the box "Turn off system restore on all drives"
    Click OK

    What this does is get rid of all the backup system restore files and creates a new system restore point fresh and clean.

    I hope these tips can help u.

    My best regards
  7. toby1944

    toby1944 Thread Starter

    Dec 30, 2005
    Thank you GioAG.........the problem is now solved.............your help is greatly appreciated
  8. khazars


    Feb 15, 2004
    you need to re-enable system restore and make a new restore point!
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/434817

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice