Generic VB.z trojan getting detected very often and deleted

hi All,

   hoping someone can help me here. Am getting a constant Generic VB.z trojan alert from McAfee which deletes a tmp file creation process onto the temp folder. I have updated to the latest DATs and also am using Artemis high alert level to scan through my laptop. Does not find anything. Also, McAfee does not detect any file creation onto the temp folder till I am connected to the internet. I don't normally use IE, but as soon as I do, I end up getting popups. I have run SuperAntispyware, Malwarebytes and numerous scans of McAfee as well, and none are able to pick this up. I also referred to the following information on McAfee on this http://vil.nai.com/vil/content/v_171235.htm for which I already have the latest DATs but unfortunately, still no luck. Also, this is a svchost generated file. I have gone through Process Explorer as well and looked through every svchost program. Did not find any unusual DLLs or exe files in there. Any help would be greatly appreciated.

Do let me know.

Thanks.

6 Replies

McAfee Employee dmeier

Re: Generic VB.z trojan getting detected very often and deleted

Two things come to mind:

1. The svchost you mention, isn't the "real" svchost, and is simply undetected malware dropping files.

2. Svchost is the proper file expected on the system, but something is injected into it, causing it to misbehave.

You mentioned procexp, which is good if you know quite a bit about what you are looking for. However, if the details are foggy, I would use "GMER" (GMER.net). You can launch the .exe and it will do a quick scan right up front, and then you can hit the "scan" button on the right, to scan the entire system. Once that is complete, you can save the log down to the system.

If you like, you can post that log up here, and we can see if there is anything obvious.

- David


Re: Generic VB.z trojan getting detected very often and deleted

Hi David,

   thanks for your reply. I have attached the log generated by GMER. There was a warning stating that there was a change on ROOTKIT processes. Please let me know if there is something you notice.

Thanks again.

McAfee Employee dmeier

Re: Generic VB.z trojan getting detected very often and deleted

So it points to "Disk   -    \Device\Harddisk0\DR0  -  sector 00: rootkit-like behavior;       -      <-- ROOTKIT !!!"

MBR infectors are somewhat rare, but they certainly do still exist. Hard to say if this is the real culprit, or perhaps a "false detection" of GMER, against a legitimate change to your MBR (master boot record).

I would probably use the tool below, to capture your MBR, and then submit it to McAfee labs.  (probably should open up a service request with us as well)

http://download.nai.com/products/mcafee-avert/SAVEINFO.ZIP

- David

Re: Generic VB.z trojan getting detected very often and deleted

Device          \Driver\00001244 -> \Driver\iaStor \Device\Harddisk0\DR0          8AC6F50C

This is also a sign of a rootkit that might have modified the iaStor.sys file.

Re: Generic VB.z trojan getting detected very often and deleted

Thanks for the info guys. Not sure what else to do. I have escalated to our local IT guys in my company to log ticket with McAfee as they are also not able to figure this out. Please do let me know if there is anything else I can do.

cheers

Re: Generic VB.z trojan getting detected very often and deleted

The author of GMER has created a tool that you can run that may remove this problem. This is a command line utility for 32-bit Windows 2000 and later.

http://www2.gmer.net/mbr/mbr.exe

Use MBR -t at the command prompt to check for the rootkit, MBR -f to fix it if it is detected.

I also have made a Boot CD you can create to scan and clean your computer from known infections that can be detected by the AV or allows for manual removal.

Secured2k BootCD - Malware/Rootkit Removal
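The replies above suggest capturing the first sector of \Device\Harddisk0\DR0 and checking it for rootkit changes. The following is an added example, not code from GMER, McAfee or anyone in this thread: it takes a 512-byte MBR image (for instance one saved by a capture tool), validates the 0x55AA boot signature, parses the partition table, and fingerprints the boot-code region separately from the whole sector so a captured MBR can be compared with a known-good baseline. The `build_sample_mbr` helper and its values are constructed for the demonstration and are not from any real disk.

```python
# Added example (not from the thread): inspect a captured 512-byte MBR image.
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_partition_table(mbr):
    """Return the non-empty entries of the four 16-byte partition slots."""
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        # status, (3 CHS bytes), type, (3 CHS bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:            # empty slot
            continue
        entries.append({"slot": slot, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(mbr, baseline_sha256=None):
    """Validate layout, fingerprint the sector and compare with a baseline hash.

    The boot code is hashed on its own because an MBR infector typically
    overwrites the loader while leaving the partition table intact.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    result = {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "sha256": hashlib.sha256(mbr).hexdigest(),
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": parse_partition_table(mbr),
    }
    result["bootable_count"] = sum(p["bootable"] for p in result["partitions"])
    result["matches_baseline"] = (None if baseline_sha256 is None
                                  else result["sha256"] == baseline_sha256.lower())
    return result


def build_sample_mbr(boot_code_fill=0x00):
    """Constructed sample: one bootable NTFS-type partition, filler boot code."""
    boot_code = bytes([boot_code_fill]) * PARTITION_TABLE_OFFSET
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE
```

Comparing `boot_code_sha256` against a copy taken when the machine was known clean flags a rewritten loader even when the partition table still parses identically.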
