

vbsys2.dll = Trojan horse?





Vlien
I Googled some information before posting this and it appears to be a Trojan virus. I have already deleted it in the main C folder on my computer, but I've noticed it's also in the win32 folder. Can I just delete it like that? Or isn't that enough? Because other forums mention going into the registry or something...
Oh, the symptoms. I always got this message that appeared when I first opened my Internet Explorer (only one time each time after you've started your computer) which said "can't download file from www7.logih.......". And I also removed 777.htm in my main folder as it appeared to open this message.
Jaan
Yeah, most trojans, you can only get rid of by reformatting. Do you have AV?
If you can, I suggest reformatting.
Vlien
Ehm... reformatting, like, delete everything from your C drive? Probably you mean something else; I'm no good at this sort of thing :)
erlendhg
Yup, that's what formatting means, to delete all information, and format the disk. Then you would probably want to back up your documents and stuff, first. And after formatting, you would have to reinstall Windows (I think).
Teddy1
Try Spyware Doctor 3.8 (message me for details as it doesn't provide a trial, I'll provide you with the full version). Spyware Doctor has been rated the best for a while now and removes Spyware, Adware, Malware, Keyloggers, Trojans and blocks pop-ups and can filter unsafe sites. It also protects against malicious ActiveX plug-ins that your browser may have installed without consent. Spyware Doctor also removes the "Hi-jacked Homepage" as it is formerly known. Let's just say this program is the bee's knees when it comes to internet security. I am happy to own such software. Most viruses don't require a re-format to get rid of; that's not good if you have a lot of data that you wish to keep :D.

erlendhg wrote:
Yup, that's what formatting means, to delete all information, and format the disk. Then you would probably want to back up your documents and stuff, first. And after formatting, you would have to reinstall Windows (I think).


Then what if the files that they have backed up are infected? Then he has demolished the objective of re-formatting. I know of this due to experience. That's why I strongly suggest you try my theory first before completely re-formatting your hard disk. Oh, and yes, that does require a re-installation of Windows. :)
Vlien
Thanks for your help, but I've found something else. Only... you will need to tell me if it's safe to apply!

I found it on: http://www.xpounded.netfirms.com/xFree6.html

The code goes as follows:

' Free6_Cleaner.vbs: writes CleanFree6.reg and CleanFree6.txt to the Desktop.
' The script itself only reads the registry; nothing is changed until the .reg file is imported.
Dim instructions
Dim notice
instructions = "Free6_Cleaner is a VBS file that will create a *.REG file that will help you clean your system of Free6" & vbcrlf
instructions = instructions & "The *.Reg file is/has-been created on your desktop." & vbcrlf
instructions = instructions & "To clean Free6:" & vbcrlf
instructions = instructions & vbtab & "1. Double-Click the file 'CleanFree6.reg' located on your Desktop." & vbcrlf
instructions = instructions & vbtab & "2. Restart Your System." & vbcrlf
instructions = instructions & vbtab & "3. Browse to %SystemRoot%\System32\vbsys2.dll" & vbcrlf
instructions = instructions & vbtab & vbtab & "(%SystemRoot% is a short way to say your system folder: usually c:\windows)" & vbcrlf
instructions = instructions & vbtab & "4. Rename or/and Move/Remove the file vbsys2.dll" & vbcrlf
instructions = instructions & vbtab & "5. The Free6 popups should be gone! Mention us." & vbcrlf
instructions = instructions & vbtab & "Xpounded."
notice = "It appears that your system is free of Free6."

' Read a registry value; returns Empty if the value does not exist.
Function RegRead(key)
    Dim Sh, sRet
    Set Sh = CreateObject("WScript.Shell")
    sKey = key
    On Error Resume Next
    sRet = Sh.RegRead(sKey)
    On Error Goto 0
    Set Sh = Nothing
    RegRead = sRet
End Function

' Build the REGEDIT4 text that deletes the CLSID registration and the two
' SystemCheck2 values. Lines starting with ";" are comments inside the .reg file.
Function RegFileToCleanFree6(strCLSSID)
    Dim ret
    ret="REGEDIT4" & vbcrlf
    ret=ret & ";Xpounded File to Remove Probable Free6 Hijacker vbsys2" & vbcrlf
    ret=ret & ";" & vbcrlf
    ' COM registration under HKEY_CLASSES_ROOT
    ret=ret & ";HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "\InProcServer32" & vbcrlf
    ret=ret & ";REG_EXPAND_SZ @ C:\WINDOWS\System32\vbsys2" & vbcrlf
    ret=ret & "[HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "\InProcServer32]" & vbcrlf
    ret=ret & "@=-" & vbcrlf
    ret=ret & "[-HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "\InProcServer32]" & vbcrlf & vbcrlf
    ret=ret & ";HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & vbcrlf
    ret=ret & ";REG_EXPAND_SZ @ System Check Application" & vbcrlf & vbcrlf
    ret=ret & "[HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "]" & vbcrlf
    ret=ret & "@=-" & vbcrlf
    ret=ret & "[-HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "]" & vbcrlf & vbcrlf
    ' The same COM registration under HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    ret=ret & ";HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "\InProcServer32" & vbcrlf
    ret=ret & ";REG_EXPAND_SZ @ C:\WINDOWS\System32\vbsys2" & vbcrlf
    ret=ret & "[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "\InProcServer32]" & vbcrlf
    ret=ret & "@=-" & vbcrlf
    ret=ret & "[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "\InProcServer32]" & vbcrlf & vbcrlf
    ret=ret & ";HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & vbcrlf
    ret=ret & ";REG_EXPAND_SZ @ System Check Application" & vbcrlf
    ret=ret & "[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "]" & vbcrlf
    ret=ret & "@=-" & vbcrlf
    ret=ret & "[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "]" & vbcrlf & vbcrlf
    ' The two SystemCheck2 values that point at the CLSID
    ret=ret & ";HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" & vbcrlf
    ret=ret & ";REG_SZ SystemCheck2 " & strCLSSID & vbcrlf
    ret=ret & "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]" & vbcrlf
    ret=ret & chr(34) & "SystemCheck2" & chr(34) & "=-" & vbcrlf & vbcrlf
    ret=ret & ";HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" & vbcrlf
    ret=ret & ";REG_SZ SystemCheck2 " & strCLSSID & vbcrlf
    ret=ret & "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]" & vbcrlf
    ret=ret & chr(34) & "SystemCheck2" & chr(34) & "=-" & vbcrlf
    RegFileToCleanFree6 = ret
End Function

' Write sContent to path, overwriting any existing file.
Sub saveFile(path,sContent)
    Dim result
    Set result = fso.createTextFile(path,True)
    result.Write sContent
    result.Close
    Set result = Nothing
End Sub

' Locate the current user's Desktop folder.
Dim fso, desktop, WshShell
set WshShell = WScript.CreateObject("WScript.Shell")
desktop = WshShell.SpecialFolders("Desktop")
set WshShell = Nothing
Set fso = createObject("Scripting.FileSystemObject")

' The SystemCheck2 value supplies the CLSID used in every key path above.
' If the value is missing, only a "system is free" notice is written.
free6CLSSID=RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2")
If free6CLSSID <> "" Then
    regFile = RegFileToCleanFree6(free6CLSSID)
    saveFile desktop & "\CleanFree6.reg", regFile
    saveFile desktop & "\CleanFree6.txt", instructions
Else
    saveFile desktop & "\CleanFree6.txt", notice
End If
msgbox "Read the 'CleanFree6.txt' instructions on your Desktop to Clean free6 from your system",vbokonly,"Completed"


I'm not trying to gain points in an unfair way, just need to know if I can use this, as Norton stopped the script, which is quite normal I suppose.
This code needed to be saved as Free6_Cleaner.vbs ...
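
A generated file such as CleanFree6.reg can be reviewed offline before it is imported. The following is an added example, not part of the original thread or of the Xpounded script: a Python check that lists every operation in a REGEDIT4 file and flags anything outside the CLSID keys and the two SystemCheck2 values the script above targets, including the case where the value read from the registry is not a CLSID at all. The CLSID and the sample file are constructed placeholders.

```python
import re
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
AUTOSTART = {CV + r"\ShellServiceObjectDelayLoad", CV + r"\Shell Extensions\Approved"}
# Constructed sample in the shape the posted script writes; the CLSID is a placeholder.
CLSID = "{00000000-0000-0000-0000-000000000000}"
SAMPLE = r"""REGEDIT4
;constructed sample
[HKEY_CLASSES_ROOT\CLSID\<ID>\InProcServer32]
@=-
[-HKEY_CLASSES_ROOT\CLSID\<ID>\InProcServer32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\<ID>]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SystemCheck2"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"SystemCheck2"=-
""".replace("<ID>", CLSID)

def parse_reg(text):
    """Return (op, key, value_name) tuples; op is 'delkey', 'delvalue' or 'write'."""
    ops, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delkey", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            ops.append(("delvalue" if data == "-" else "write", key, name))
    return ops

def review(text, clsid):
    """List reasons not to import the file; an empty list means it stays in scope."""
    if not CLSID_RE.fullmatch(clsid):
        return ["registry value %r is not a CLSID; key paths built from it cannot be trusted" % clsid]
    roots = [(p + "\\" + clsid).upper() for p in (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID")]
    def in_clsid(k):
        return any(k.upper() == r or k.upper().startswith(r + "\\") for r in roots)
    problems = []
    for op, key, name in parse_reg(text):
        scoped = key is not None and in_clsid(key)
        known = op == "delvalue" and name == "SystemCheck2" and key in AUTOSTART
        if op == "write" or not (scoped or known):
            problems.append("%s outside expected scope: %s %s" % (op, key, name or ""))
    return problems
```

Calling `review()` on the contents of the real CleanFree6.reg, with the CLSID taken from its comment lines, returns an empty list only when every line is a deletion confined to that CLSID or to a SystemCheck2 value.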
SFMeatwad
http://forum.networktechs.com/showthread.php?t=50

This should help you.
looksbad
If your problem still persists, visit http://www.gladiator-antivirus.com (a place where trained and certified professionals help you clean your PC; they have helped me a lot). Go to the forums, go to the "Help Think You Are Infected?" topic and read the pinned article "Guidelines for Posting in This Forum". Grab a copy of HijackThis
(http://www.merijn.org/programs.php#hijackthis) <--- I got mine there

The Guidelines part will take you from there.
Teddy1
Yes, that code is safe, I used to write Visual Basic so yeah. You could try that but I would say the easiest way is to use a professional anti-virus like Gladiator anti-virus as mentioned above. :)
Vlien
Thanks a lot, people! :)
Teddy1
No problem, always willing to help. ;)
Chris24
Just download AVG antivirus and let it do its work.....
lSaKenl
Heh, that Visual Basic code looks like it works, but you gotta think that most people who use trojans, they change the reg modes and stuff so programs like that won't work, so all you gotta do is:

Go to start
Run
"regedit"
HKEY LOCAL MACHINE
Software
Windows
Run

and delete the reg of the file you don't want to run each time Windows runs, and you can leave it like that, or delete the file too; anyway, it wouldn't run if you don't click it :p