New to the forums here as I’d never had a problem before. I can’t tell if this is a false positive or if there is an actual problem with my PC. I’m running Win 7 Pro 64-bit, and I just recently got a Win32:VB-RAF [Trj] warning, saying it’s Process 1480 [explorer.exe]. I’ve tried researching this but have come up with no results for the Win32:VB-RAF [Trj]. I’ve tried other scanners like F-Secure online scanner and Malwarebytes, and they do not show any problem. I’ve run sfc to check the integrity of explorer.exe and still nothing. Please help.
Windows 7 64 bit - now this can be very easy to fix, depending on the variant
First clear any associated files
Please download Malwarebytes’ Anti-Malware from Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select “Perform Quick Scan”, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Then repair the 32 bit version
Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter
sfc /scannow (Note: There is a space between sfc and /scannow)
On completion reboot
Ooops forgot to add this
Download OTL to your Desktop
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Select All Users
* Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
c:\system volume information|_REGISTRY_MACHINE_SOFTWARE;true;true;true /FP
CREATERESTOREPOINT
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
* When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
* Attach both logs
When you say clear any associated files, how do you mean? Delete them from the system? I’m not sure what is associated with explorer.exe and deleting it might be difficult.
Here’s MBAM’s report
and 2 OTL files uploaded.
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5742
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
2/11/2011 4:17:49 PM
mbam-log-2011-02-11 (16-17-49).txt
Scan type: Quick scan
Objects scanned: 167301
Time elapsed: 1 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
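As an added illustration (not part of any post in this thread, and not Malwarebytes code), the following Python reads a log in the layout pasted above and reports which categories have findings and whether the summary counts agree with the detail sections. The sample log is constructed, and the function names `parse_mbam_log` and `triage` are this example's own.

```python
import re

CATEGORIES = ("Memory Processes", "Memory Modules", "Registry Keys",
              "Registry Values", "Registry Data Items", "Folders", "Files")
CATS = "|".join(CATEGORIES)
LINE_RE = re.compile(r"(%s) Infected:\s*(\d*)" % CATS)
NO_ITEMS = "(No malicious items detected)"

# Constructed sample in the MBAM 1.50 layout posted in this thread; the
# non-zero counts, paths and detection names are made up for illustration.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Memory Processes Infected: 1
Memory Modules Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
c:\example\constructed.exe (Constructed.Sample) -> Unloaded process successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\example\constructed.exe (Constructed.Sample) -> Quarantined and deleted successfully.
"""

def parse_mbam_log(text):
    """Return (counts, details) keyed by category from an MBAM text log."""
    # Pasted logs sometimes lose line breaks and glue a header onto the
    # previous line; put each "<category> Infected:" back on its own line.
    text = re.sub(r"(?<!\n)((?:%s) Infected:)" % CATS, r"\n\1", text)
    counts, details, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = LINE_RE.fullmatch(line)
        if m and m.group(2):        # summary line, e.g. "Files Infected: 1"
            counts[m.group(1)] = int(m.group(2))
        elif m:                     # section header that opens a detail list
            current = m.group(1)
            details.setdefault(current, [])
        elif current and line and line != NO_ITEMS:
            details[current].append(line)
    return counts, details

def triage(text):
    """Summarise a log: categories with findings, and count/detail mismatches."""
    counts, details = parse_mbam_log(text)
    flagged = [c for c in CATEGORIES if counts.get(c, 0) or details.get(c)]
    # A count that disagrees with its detail list means a truncated or edited paste.
    mismatched = [c for c in CATEGORIES if counts.get(c, 0) != len(details.get(c, []))]
    return {"clean": not (flagged or mismatched),
            "flagged": flagged, "mismatched": mismatched}
```

A log is reported as clean only when every count is zero and every detail section is empty; a mismatch between the two is surfaced separately so a partial paste is not mistaken for a clean scan.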
No, there may have been some files that were triggering a re-infection; however, both explorers report as legitimate. Are you still getting the alerts?
If you are then do the following
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
* Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
OK. When I try to run ComboFix it gives me a message that command has stopped working, trying in safe mode. Something was preventing it from running with Win 7 fully up and running. So I did some research and ComboFix is only for 32-bit machines. And yes, the problem persists.
Combofix does work on 64 bit systems - I have trialed it on my system
I will now try to remove manually whatever it is that is blocking the other tools, if the AV portion fails to run then go direct to the analysis section. The zip file reports will need to be uploaded to Mediafire and post the sharing link.
This can be done in safe mode
Download AVPTool from Here to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named)
First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront.jpg
Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop
Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder then attach the zip file to your next post zip
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg
Autoscan: completed 22 minutes ago (events: 2, objects: 1289654, time: 01:15:33)
2/12/2011 4:44:08 PM Task started
2/12/2011 5:59:41 PM Task completed
Not much to report on the AV scan. Analysis scan:
http://www.mediafire.com/?syju3jlxsyi4l0p
There is nothing showing there that would explain the problems
Could you confirm that Combofix did not work in safe mode?
Also, does the alert come from a scan being run or one of the shields?
ComboFix finally worked in safe mode. Not sure what the problem was previously but here’s the log. And the detection is from a custom scan that runs nightly that scans all hard disks, memory, auto starts, and rootkits.
Combofix removed some HTML files and GIFs so they may have originated from there
I also notice these programmes, I assume they are not running at the same time
F-Secure
Microsoft Security Client
“scans all hard disks, memory, auto starts, and rootkits.” As the detections are in memory only I would lean towards false positives
Are you experiencing any unusual behaviour on your system?
Those 2 were removed before trying any of the steps from this thread. I tried myself to see if other scanners would pick up on the problem. None did. And for unusual behavior, nothing that I’ve noticed except that Avast keeps putting an icon on my desktop. Doesn’t happen too often, but I have no icons, only folders on my desktop so it keeps popping up.
I would for now, remove the memory scan element as I can see no signs of malware on your system
I uninstalled Avast to see if it was actually stalling a trojan from installing but keeping it in memory. Ran CCleaner/CCleaner’s registry fixer. Malwarebytes came up with no results. Downloaded a fresh copy of Avast, remade my custom scan and ran once, no virus to report. Restarted and am running a second time.
OK, are you doing a memory scan as well?
Yes. The first showed no sign of that trojan. The second scan is nearly 82% finished and still no sign. It would usually appear around 30% as that’s about the stage where it would scan the memory. I will have to watch it when it goes into its scheduled scan tonight; like you had said previously, there could have been something retrying to install itself and only does so at specific times.
2nd scan completed, no signs of the problem. Both scans scanned the memory also, so if nothing appears tonight at the scheduled scan then the previous Avast installation had some issues.
I received this same virus on explorer.exe. I ran a quick scan again and it didn’t find anything. Perhaps this is just a false positive?
I followed the steps you posted and here are the results:
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5764
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
2/14/2011 2:30:35 PM
mbam-log-2011-02-14 (14-30-35).txt
Scan type: Quick scan
Objects scanned: 170696
Time elapsed: 3 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
No unusual behavior on system that I can see.
Hello,
I got a similar issue.
First alert from Avast with “win32:vb-raf” found in a file in
C:\Users\xxxxxx\AppData\Roaming\Microsoft\Windows\Recent
folder (xxxxxx being my account name). File moved to quarantine.
And nothing more so far.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5920
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
2011-03-01 22:53:12
mbam-log-2011-03-01 (22-53-12).txt
Scan type: Quick scan
Objects scanned: 164011
Time elapsed: 3 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Quick scan by Avast - nothing.
I’m running Windows 7 Home Premium 64bit.
Should I be worried?