topic Re: System Infected: Worm W32.VBNA.b Activity in Norton 360

System Infected: Worm W32.VBNA.b Activity

ssapra — Fri, 06 Jul 2012 18:47:06 GMT

Hello Norton community,

I am using Norton Security Suite 2012. I have been getting a lot of intrusion attempts (every ten minutes; sometimes every hour). Here are all of the details.

Severity: High

Activity: An intrustion attempt by api.ipinfodb.com was blocked.

Status: Blocked

Recommended Action: No action required

IPS Alert Name: System Infected: Worm W32.VBNA.b Activity

Attacking Computer: api.ipinfodb.com (67.212.77.13, 80)

Can anyone please advise how I can fix this?

This is the text when I copy this alert to the clipboard:

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
2012-07-06 13:33:17,High,An intrusion attempt by api.ipinfodb.com was blocked.,Blocked,No Action Required,System Infected: Worm W32.VBNA.b Activity,No Action Required,No Action Required,"api.ipinfodb.com (67.212.77.13, 80)",api.ipinfodb.com/v2/ip_query_country.php?key=e4e497e1ec0a03c3e5e49ab8868bdc755b520583cbf4e31605a016d82147ec63&timezone=off,67.212.77.13 (67.212.77.13),"TCP, www-http"
Network traffic from api.ipinfodb.com/v2/ip_query_country.php?key=e4e497e1ec0a03c3e5e49ab8868bdc755b520583cbf4e31605a016d82147ec63&timezone=off matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSWOW64\CALC.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.

Re: System Infected: Worm W32.VBNA.b Activity

Quads — Sat, 07 Jul 2012 00:29:05 GMT

ANY other user other than the thread starter is not to use any instructions, scripts or proceedures, The work though in cleaning a system is individual and only for that system due to a number of factors.

Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask nothing extra or run things twice
If I ask a Question just answer it, don't run anything unless it states.
Major steps used:

1. Find

2. Break

3. Destroy

4. Cleanup (including system as a whole)

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes )
Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

Please read carefully

1. Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT / Yes
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and Please attach the log in the post back, Don't have the program fix anything.

Quads

Re: System Infected: Worm W32.VBNA.b Activity

ssapra — Sat, 07 Jul 2012 03:37:48 GMT

Thank you for replying.

I have attached the aswMBR.txt file.

Just a question, I noticed that the MBR.dat file was also created. Since you have not told me anything about this file, I assume I should just leave it alone?

Re: System Infected: Worm W32.VBNA.b Activity

Quads — Sat, 07 Jul 2012 04:05:59 GMT

Download OTL http://www.bleepingcomputer.com/download/otl/

Disable Norton for say 30 minutes

Start OTL,

Click the Scan All Users checkbox.

Change file age to 90 days

Press the

An OTL.txt and extras.txt will be created.

Quads

Re: System Infected: Worm W32.VBNA.b Activity

ssapra — Sat, 07 Jul 2012 04:14:30 GMT

The scan is running now. Would you like me to post these .txt files after the scan finishes?

Re: System Infected: Worm W32.VBNA.b Activity

Quads — Sat, 07 Jul 2012 04:18:25 GMT

What do you think?? You can use the advanced program youself and I will leave you to it.

Quads

Re: System Infected: Worm W32.VBNA.b Activity

ssapra — Sat, 07 Jul 2012 04:29:17 GMT

The scan finished. Here are the .txt files.

Please, sir. I do not know what to do after running the scan. There does not appear to be any notifications regarding the results of the scan, but this is probably in the two .txt files that have been generated. Please, I need your help to work through this.

Re: System Infected: Worm W32.VBNA.b Activity

Quads — Sat, 07 Jul 2012 04:42:30 GMT

Ok, a user that uses VM and sandboxie with files like test, a handful of programs for security torrenting, toolbars that are iffy, and it looks like Malware leftovers.

You should know how to remove the malware yourself.

Quads

Re: System Infected: Worm W32.VBNA.b Activity

ssapra — Sat, 07 Jul 2012 05:12:53 GMT

Sir, I downloaded sandboxie TODAY and I have not used it because I didn't know how to get it to work. Please, I'm begging you, tell me how to remove the malware. How would I know the source? Just remove all of these toolbars? I really need your help. All I ask is for a little of your time.

PLEASE.

I will be honest with you. I do NOT know how to remove the malware.

Re: System Infected: Worm W32.VBNA.b Activity

Quads — Sat, 07 Jul 2012 05:24:06 GMT

No,

I will let you keep installing programs and using them including VM, I can see some of the malware objects and what appears that you also had or have as well as the programs.

"How would I know the source" that is what the programs are for and the use other the likes of VM, but I don't use VM like software.

Good luck with all the programs, items VM, Sandboxie and the Malware.

Quads

Re: System Infected: Worm W32.VBNA.b Activity

ssapra — Sat, 07 Jul 2012 12:19:43 GMT

So I keep installing programs to find the source?

You can see the malware objects? Well, what are they?

I'm still confused how installing programs will help me find the source. And why do you keep mentioning VM?

Re: System Infected: Worm W32.VBNA.b Activity

Quads — Sun, 08 Jul 2012 00:07:49 GMT

You have programs like VM installed, (doesn't think I can read logs by the looks) and test files. So I am not touching this system and it's setups with users that use these programs for testing.

I do see some of the objects as I have already stated, but no, with the way the system is I am not saying or doing anything else.

Quads