
Spyware, Viruses, & Security forum

General discussion

W32/VB-EMU Virus

by Miramichi / March 13, 2007 7:59 PM PDT

I can't find any information on this virus. This is all I have. W32/VB-EMU:VB-Backdoor-PEK-based!Maximus. D:system volume information\_restore(84E8505B-26B1-...\AD099197.exe Any information would be appreciated, especially if I can get information on removal. I have a Dell desktop with a Windows XP operating system. I have tried the Malware Removal (Microsoft), Windows Defender, Microsoft online scan and Freedom. I have also tried restoring to a previous date.

Miramichi
by tomron / March 13, 2007 10:33 PM PDT
In reply to: W32/VB-EMU Virus
In addition
by tomron / March 13, 2007 11:01 PM PDT
In reply to: Miramichi

You might have to scan in safe mode after you have disabled system restore.

Tom

All I can see, is that the infected file
by Marianna Schmudlach / March 14, 2007 12:42 AM PDT
In reply to: W32/VB-EMU Virus

is in your system restore:

D:system volume information\_restore(84E8505B-26B1-...\AD099197.exe

You only have to purge your system restore points:

http://www.pchell.com/virus/systemrestore.shtml

Reboot your computer and scan again with your Anti Virus and you should be fine.

Virus
by Miramichi / March 14, 2007 8:15 PM PDT

I tried your suggestions. I get a message telling me that my Freedom software has detected the virus and tells me it will delete the file after the next reboot. I disabled system restore and rebooted. I've both enabled system restore and left it off but I continue to get the message that I still have this virus. Anything else I can try?

See the link provided by Tomron
by Donna Buenaventura / March 14, 2007 8:25 PM PDT
In reply to: Virus

It says:
"Troj/VB-CZD is a Trojan for the Windows platform.

When first run Troj/VB-CZD copies itself to <Windows>\services.exe.

The following registry entries are created to run Troj/VB-CZD on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<Random Characters>
<Windows>\services.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<Random Characters>
<Windows>\services.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
<Random Characters>
<Windows>\services.exe"

If you have that trojan-infected file then disabling System Restore is not a solution until you have disinfected the system, because it is running during startup with random characters. That is, if you have such a trojan.

Scan using the tools that Tomron suggested (AVG antispyware - this is freeware, and TrojanHunter - this is a trial version).
Scan in safe mode.

Or you can run an online scan using Housecall:
http://uk.trendmicro-europe.com/enterprise/about_us/sitemap.php
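
The check that the quoted description implies, as an added example that is not part of the original thread: Python that reads saved `reg query` output for the three autostart keys and reports values launching `services.exe` from the Windows directory itself (the genuine file lives in `system32` and is not started from a Run key). The `C:\WINDOWS` default, the sample text and its value names are constructed, and the parser assumes the plain-text layout that `reg query` prints.

```python
import ntpath
import re

# Autostart keys listed in the quoted Troj/VB-CZD description, written in the
# long hive form that `reg query` prints.
RUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)}
# Assumed layout of a value line: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

def exe_path(data):
    """Return the program part of a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.*?\.exe)\b", data)
    return m.group(1) if m else data

def suspicious_run_entries(reg_output, windir=r"C:\WINDOWS"):
    """List (key, value name, data) for Run values that launch services.exe
    directly from the Windows directory instead of system32."""
    target = ntpath.normcase(ntpath.join(windir, "services.exe"))
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # start of a new registry key section
        elif key and key.lower() in RUN_KEYS:
            m = VALUE_LINE.match(line)
            if m and ntpath.normcase(exe_path(m["data"])) == target:
                hits.append((key, m["name"], m["data"]))
    return hits

# Constructed sample; the random-looking value names are made up.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    qzkxwv    REG_SZ    C:\WINDOWS\services.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    hpwtjd    REG_SZ    "C:\WINDOWS\services.exe"
"""

if __name__ == "__main__":
    for key, name, data in suspicious_run_entries(SAMPLE):
        print(f"{key}: value {name!r} starts {data}")
```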

Tricky Virus
by Miramichi / March 16, 2007 10:49 PM PDT

I have tried everything suggested and still no luck. Thank you for your suggestions. I ran three anti virus programs in safe mode and windows. The Sophos anti-virus program said that the volume drive where the virus is located could not be scanned. Any way I can get at it?

volume drive
by Marianna Schmudlach / March 17, 2007 2:32 AM PDT
In reply to: Tricky Virus
Just a thought
by Donna Buenaventura / March 17, 2007 4:13 AM PDT
In reply to: Tricky Virus

You mentioned in your previous post that you disabled System Restore and rebooted but your antivirus is still finding it.
I think you should try this first:
1. Configure your antivirus not to scan the System Volume Information (the System Restore), then reboot so your antivirus will no longer hold the infected file that is in System Restore
2. Next, disable System Restore
3. Reboot so Windows will delete your restore points that contain the infection
4. Scan the system using your antivirus
5. Enable System Restore. Then it is up to you whether you want to include System Restore in the scan, but it's a good idea to include it in scanning so you will know whether your restore points include an infection.

The reason why I suggest #1 is because your antivirus seems to be trying to "hold" that infected file to do the action it wants (to delete it after the next reboot). This means your AV is holding on to the infected file but it couldn't delete it, which is expected because items in System Restore are being reverted back by System Restore. Microsoft's explanation of this is at "How antivirus software and System Restore work together".

Let us know how it goes.

w32/vb-emu:vb - backdoor - HRS based! Maximus
by Cooperm4n / June 14, 2007 6:20 AM PDT
In reply to: Tricky Virus

Hi

How did you get on with this glitch? My son's PC has developed the same error message as yours. I have tried all of the suggestions in the above thread but nothing has worked.

Help...anyone!

Cooperm4n

If it can't be removed
by Donna Buenaventura / June 14, 2007 6:38 AM PDT
w32/vb-emu:vb - backdoor - HRS based! Maximus
by Cooperm4n / June 18, 2007 6:01 PM PDT
In reply to: If it can't be removed

Thanx Donna

Castlecops had a look but the only option, because of the nature of the infection, was a format and re-install of XP.

All is well so far...

Cooperm4n

OK. Thanks for posting back.
by Donna Buenaventura / June 20, 2007 10:12 AM PDT

Hope you will not have a problem again.
