
How to remove VirusBurst (Removal Instructions)
What this program does:
VirusBurst is an anti-spyware program that is known
to issue fake warnings on your computer in order to manipulate you into buying
its full commercial version. The program is generally installed by a Trojan
that automatically downloads and installs the program. An image of the program
is below:
VirusBurst Program
If you are infected with this program you will receive
warnings in your task bar stating that you are infected with spyware and to
run its special anti-spyware tool. This tool turns out to be the commercial
version of VirusBurst. These warnings are fake and are a goad to have you buy
the commercial version of this software. The current text for these alerts is
"System detected virus activities. They may cause
critical system failure. Please, use antimalware software to clean and protect
your system from parasite programs. Click this baloon to get all available software."
An example of this alert is below:
VirusBurst Fake alert
Tools Needed for this fix:
Symptoms in a HijackThis Log:
O4 - HKLM\..\Run: [VirusBurst] C:\Program Files\VirusBurst\VirusBurst.exe /h
Add/Remove Programs control panel entry:
VirusBurst 6.1
Guide Updates:
08/31/06 - Initial guide creation.
08/31/06 - Updated guide to include instructions on automated removal using RogueScanFix.
Choose the removal method you would like to use:
- Automated Removal
(Easier, but requires a working Internet connection.)
- Manual Removal
(Does not require a working Internet Connection and should be used if automated does not work.)
Automated Removal
Instructions:
- Print out these instructions as we will need to close every window that
is open later in the fix.
- Download roguescanfix_setup.exe from here:
roguescanfix_setup.exe
Confirm that the file roguescanfix_setup.exe now
resides on your desktop.
- Double-click on the roguescanfix_setup.exe file found on
your desktop.
- Select your language from the drop down menu and then press the OK
button.
- Now press the Next button.
- Select the option that says I accept the agreement and
press the Next button
- Press the Next button again.
- Now click on the Install button.
- The installation program will start installing RogueScanFix into C:\Program
Files\Roguescanfix and then display a new screen. At the next screen, leave
the checkmark in the Launch RogueScanFix and press the Finish
button.
- RogueScanFix will automatically be started and you will be presented with
the Credits screen. At this screen press the spacebar and
you will be presented with a menu. Press the number 1 on
your keyboard and press enter. At the next screen simply
press the spacebar on your computer to start the removal process.
Note: Please
note that when the program starts it will download a program from the Internet
that it needs to use during the cleanup. If your firewall gives an alert about
this, please allow the download.exe or run.bat program to access the Internet.
When the program starts, your desktop will disappear, which is normal, so
please do not be concerned. It will then start the VirusBurst uninstallation
program. When that program starts, click on the Uninstall
button. When it has finished uninstalling, you can then press the OK
button to finish the uninstalling of VirusBurst.
When this program is finished, and it was able to delete all the files, you
will see a small prompt that says Completed script execution.
Simply press the OK button. It will then open the Brute Force
Uninstaller program. Close this by pressing the Exit button.
If there is a Notepad window open called task.txt, you can close that as well. Now continue
to Step 11.
If there were more files that needed to be deleted, the program will prompt
you to reboot your computer. Press the Yes button and allow
the computer to reboot. When you are back at the desktop, close the task.txt
notepad if it is open, and proceed to Step 11.
- Go to this
page and click on the smitRem
Download Link link to download smitRem.exe. When downloading
smitRem.exe save it to your desktop. You will now see an icon on your desktop
that looks like the one below.
- Double-click on the smitRem.exe file. You will now see a screen similar
to the one below.
Click on the Start button and the program will start extracting
the files into a folder on your desktop called smitRem. When it is finished,
click on the OK button. If you look on your desktop you will
now see a folder called smitRem.
- Next, please reboot your computer into Safe
Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the
Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- When you are at the logon prompt, log in as an Administrator
- Wait until your computer has started in Safe Mode and you see the desktop.
- Close all open Windows.
- Open the smitRem folder on your desktop and the contents of the
folder will be similar to the image below.
Double-click on the RunThis.bat file, as shown by the arrow in the
image above, to start the tool.
- When the tool starts you will see a series of screens with information
on them. Read each screen, and when you are finished reading it, simply press
any key on your keyboard. After reading the various screens that appear, the
program will start the removal process.
If there is an uninstaller present for an infection that smitRem removes it
will start this uninstaller.
Simply click on the Uninstall button and allow the uninstaller
to finish. When it is completed, it will close automatically and smitRem will
prompt you to continue. Now you should press any key to continue.
When no more uninstallers can be found, the tool will continue. Your desktop
will disappear and you will start seeing text scroll across the screen. This
is normal and nothing to be concerned about. When smitRem has finished running
it will automatically start the Disk Cleanup program as shown by the image
below.
This program will remove all Temp, Temporary Internet Files, and empty your
Recycle Bin in order to remove any leftover files installed by this infection.
This process can take up to a few hours depending on your computer, so please
be patient. When it is complete, it will close automatically and you will
be back at your desktop.
- When the tool is finished, it will create a log named smitfiles.txt
in the root of your drive, e.g. Local Disk C: or the partition where your operating
system is installed. Examining that log should show that the infection was
cleaned.
- Reboot your computer back to normal mode.
- Perform an online scan with Panda: Panda
Online
- Once you are on the Panda site click the Scan your PC
button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note:
It may take a few minutes)
- When download is complete, click on Local Disks to
start the scan
Your computer should now be free of the VirusBurst infection. If you are still
receiving taskbar security warnings stating that you are infected, open
C:\Program Files\Roguescanfix\task.txt and paste the contents of that log into
a new topic in the HijackThis Logs Analysis or the Am I Infected forums and
someone will advise you as to your next step. When posting the topic, please
also mention that you have already done the steps in this guide.
If you are still having problems with other spyware or malware after removing
VirusBurst, then please follow the steps outlined in the topic linked below:
Preparation
Guide For Use Before Posting A Hijackthis Log
Manual Removal Instructions:
- Print out these instructions as we will need to close every window that
is open later in the fix.
- Download FixVB.reg to your desktop by right clicking on the following link
and then selecting Save Link As or Save
File as, depending on your browser.
FixVB.reg
Download Link
Confirm that the file FixVB.reg now resides on your desktop as we will need
it later.
- Go to this
page and click on the smitRem
Download Link link to download smitRem.exe. When downloading
smitRem.exe save it to your desktop. You will now see an icon on your desktop
that looks like the one below.
- Double-click on the smitRem.exe file. You will now see a screen similar
to the one below.
Click on the Start button and the program will start extracting
the files into a folder on your desktop called smitRem. When it is finished,
click on the OK button. If you look on your desktop you will
now see a folder called smitRem.
- Go to your desktop and double click on the FixVB.reg file
that you downloaded earlier. When it asks if you would like to merge the information,
press the Yes button and then the OK button.
- Click on the Start button and then select the Run
option.
- In the Open: field type c:\windows\system32
and then press the OK button.
- When the folder appears, if it says These files are hidden,
click on the Show the contents of this folder option.
- We now need to make it so you can see hidden files.
- Click on the Tools menu and select Folder Options.
- Click on the View tab.
- Under the Hidden files and folders category select
Show hidden files and folders.
- Uncheck Hide protected operating system files.
- Press Apply and then OK.
- If you still can not see the file, then undo these changes and skip
to step 11.
- Scroll through the list of files in this folder and look for eowygj.dll.
Right-click on eowygj.dll and select rename.
Rename the file to eowygj.dll.bad.
Look for the file duxzj.dll and rename the file to duxzj.dll.bad.
Look for the file gtpbx.dll and rename the file to gtpbx.dll.bad.
Look for the file xtgwjrm.dll and rename the file to xtgwjrm.dll.bad.
Look for the file wuwbxp.dll and rename the file to wuwbxp.dll.bad.
Look for the file oqabf.dll and rename the file to oqabf.dll.bad.
Look for the file qxfgcg.dll and rename the file to qxfgcg.dll.bad.
Look for the file syycum.dll and rename the file to syycum.dll.bad.
Look for the file titiau.dll and rename the file to titiau.dll.bad.
Look for the file zphnok.dll and rename the file to zphnok.dll.bad.
Look for the file gqagksr.dll and rename the file to gqagksr.dll.bad.
Look for the file httge.dll and rename the file to httge.dll.bad.
Look for the file tazth.dll and rename the file to tazth.dll.bad.
Look for the file dpfwu.dll and rename the file to dpfwu.dll.bad.
Look for the file ficqv.dll and rename the file to ficqv.dll.bad.
Look for the file qnusjji.dll and rename the file to qnusjji.dll.bad.
Note: Please rename any of the above files that you may find.
If you do not find any of these files, then you should post a note about it
in the Am
I Infected? forum.
- After you rename the file, you can close the System32 folder window.
- Next, please reboot your computer into Safe
Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the
Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- When you are at the logon prompt, log in as a user with administrator
privileges or one that has permission to delete files in the C:\Windows
folder.
- Wait until your computer has started in Safe Mode and you see the desktop.
- Click on the Start Menu
- Click on the Control Panel option.
- Double-click on the Add or Remove Programs icon.
- Find the entries for VirusBurst 6.1
and double-click on it to uninstall the program. Follow the prompts to uninstall
the program, but do not allow it to reboot the computer if it asks.
- When it has completed uninstalling you can close Add or Remove Programs
and your Control Panel.
- Delete the following files and folders (Do
not be concerned if this folder does not exist):
C:\Windows\System32\eowygj.dll.bad
C:\Windows\System32\xtgwjrm.dll.bad
C:\Windows\System32\gtpbx.dll.bad
C:\Windows\System32\wuwbxp.dll.bad
C:\Windows\System32\oqabf.dll.bad
C:\Windows\System32\duxzj.dll.bad
C:\Windows\System32\qxfgcg.dll.bad
C:\Windows\System32\syycum.dll.bad
C:\Windows\System32\titiau.dll.bad
C:\Windows\System32\zphnok.dll
C:\Windows\System32\httge.dll
C:\Windows\System32\gqagksr.dll
C:\WINDOWS\System32\tazth.dll
C:\WINDOWS\system32\dpfwu.dll
C:\WINDOWS\System32\ficqv.dll
C:\Windows\System32\qnusjji.dll
C:\Program Files\VirusBurst\
- Close all open Windows.
- Open the smitRem folder on your desktop and the contents of the
folder will be similar to the image below.
Double-click on the RunThis.bat file, as shown by the arrow in the
image above, to start the tool.
- When the tool starts you will see a series of screens with information
on them. Read each screen, and when you are finished reading it, simply press
any key on your keyboard. After reading the various screens that appear, the
program will start the removal process.
If there is an uninstaller present for an infection that smitRem removes it
will start this uninstaller.
Simply click on the Uninstall button and allow the uninstaller
to finish. When it is completed, it will close automatically and smitRem will
prompt you to continue. Now you should press any key to continue.
When no more uninstallers can be found, the tool will continue. Your desktop
will disappear and you will start seeing text scroll across the screen. This
is normal and nothing to be concerned about. When smitRem has finished running
it will automatically start the Disk Cleanup program as shown by the image
below.
This program will remove all Temp, Temporary Internet Files, and empty your
Recycle Bin in order to remove any leftover files installed by this infection.
This process can take up to a few hours depending on your computer, so please
be patient. When it is complete, it will close automatically and you will
be back at your desktop.
- When the tool is finished, it will create a log named smitfiles.txt
in the root of your drive, e.g. Local Disk C: or the partition where your operating
system is installed. Examining that log should show that the infection was
cleaned.
- Reboot your computer back to normal mode.
- Perform an online scan with Panda: Panda
Online
- Once you are on the Panda site click the Scan your PC
button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note:
It may take a few minutes)
- When download is complete, click on Local Disks to
start the scan
Your computer should now be free of the VirusBurst infection.
If you are still having problems with spyware after completing these instructions,
then please follow the steps outlined in the topic linked below:
Preparation
Guide For Use Before Posting A Hijackthis Log
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur
by using this information. If you would like help with any of these fixes, you
can post a HijackThis log in our HijackThis
Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions
in our AntiVirus,
Firewall and Privacy Products and Protection Methods forum and someone will help you.
--------------------
Lawrence
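Added example, not part of the original guide or of any tool it mentions: a small Python triage script that checks a saved HijackThis log against the indicators listed above (the O4 Run value named VirusBurst, the C:\Program Files\VirusBurst folder, and the System32 DLL names from the manual removal steps). The function name `triage`, the regular expressions, and the sample log are assumptions made for illustration; the sample log is constructed, not taken from a real machine.

```python
import re
import ntpath

# Indicators copied from this guide.
RUN_VALUE = "virusburst"
INSTALL_DIR = r"c:\program files\virusburst"
DLL_NAMES = {
    "eowygj.dll", "duxzj.dll", "gtpbx.dll", "xtgwjrm.dll", "wuwbxp.dll",
    "oqabf.dll", "qxfgcg.dll", "syycum.dll", "titiau.dll", "zphnok.dll",
    "gqagksr.dll", "httge.dll", "tazth.dll", "dpfwu.dll", "ficqv.dll",
    "qnusjji.dll",
}

# HijackThis autorun line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Any Windows path ending in .dll or .exe, checked on every log section.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"<>|*?\r\n]*?\.(?:dll|exe)", re.IGNORECASE)

def triage(log_text):
    """Return a list of (line_number, reason) for lines matching the guide."""
    hits = []
    for num, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m = O4_RE.match(line)
        if m and m.group("name").lower() == RUN_VALUE:
            hits.append((num, "Run value named VirusBurst"))
            continue
        for path in PATH_RE.findall(line):
            low = path.lower()
            folder, base = ntpath.split(low)
            if low.startswith(INSTALL_DIR + "\\"):
                hits.append((num, "file under VirusBurst install folder"))
                break
            # A listed name only counts when the file sits in System32.
            if base in DLL_NAMES and folder.endswith(r"\system32"):
                hits.append((num, "listed DLL in System32: " + base))
                break
    return hits

# Constructed sample log (not from a real machine).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\gtpbx.dll
O4 - HKLM\..\Run: [VirusBurst] C:\Program Files\VirusBurst\VirusBurst.exe /h
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll
"""

if __name__ == "__main__":
    for num, reason in triage(SAMPLE_LOG):
        print(f"line {num}: {reason}")
```

A clean result only means none of the indicators listed in this guide appear in the log; the DLL names are random-looking, so other names may be present on a given machine.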