How To Remove Virusburster Or Virusbursters (removal Instructions)

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Spyware and Malware Removal Guides and Reading Room

How to use the self-help guides

This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.

If after following the self-help guide, or you can not find an appropriate guide, then you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

How To Remove Virusburster Or Virusbursters (removal Instructions)

Options

Grinler View Member Profile	Oct 29 2006, 10:18 AM Post #1
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	How to remove VirusBurster or VirusBursters (Removal Instructions) What these programs do: VirusBurster and VirusBursters are the same programs with slightly different names. VirusBurster and VirusBursters are anti-spyware programs that are known to issue fake warnings on your computer in order to manipulate you into buying the full commercial version. These programs are generally installed by a Trojan that automatically downloads and installs the program. An image of the VirusBursters program is below: VirusBursters Program If you are infected with this program you will receive warnings in your task bar stating that you are infected with spyware and to run its special anti-spyware tool. This tool turns out to be the VirusBursters or VirusBurster programs that were downloaded to your computer without your permission. These warnings are fake and are a goad to have you buy the commercial version of these software. The title for this fake security alert is Critical System Error! or Critical System Errors! and the text for these alerts can be either: System detected virus activities. They may cause critical system failure. Please, use AntiSpyware software to clean and protect your system from parasite programs. Click this baloon to get all available software. or System detected virus activities. They may cause critical system failure. Please, use antimalware software to clean and protect your system from parasite programs. Click this baloon to get all available software. Examples of these fake alerts are shown below: VirusBursters Fake alert VirusBurster Fake alert VirusBurst or VirusBursters are a direct morph from a previous rogue anti-spyware program called VirusBurst. Though the information for this program has been changed to reflect new names, VirusBursters or VirusBurst, they have been shown to be hosted form the same locations, IP addresses, or even domains. Tools Needed for this fix: SmitFraudFix (Automated Fix) FixVBS (Only needed for manual fix) Symptoms in a HijackThis Log: O4 - HKLM\..\Run: [VirusBursters] C:\Program Files\VirusBursters\virusbursters.exe /h O4 - HKLM\..\Run: [VirusBurster] C:\Program Files\VirusBurster\virusburster.exe /h O4 - HKLM\..\Run: [Virus-Bursters] C:\Program Files\Virus-Bursters\virus-bursters.exe /h Add/Remove Programs control panel entry: VirusBursters 6.2 Virus-Bursters 6.3 VirusBurster 6.3 Guide Updates: 10/29/06 - Initial guide creation. 10/29/06 - Added automated removal via SmitFraudFix 12/12/06 - Added information about VirusBurster (same program) Choose the removal method you would like to use: Automated Removal (Easier, but requires a working Internet connection.) Manual Removal (Does not require a working Internet Connection and should be used if automated method does not work.) Automated Removal Instructions for VirusBursters and VirusBurst: Print out these instructions as we will need to close every window that is open later in the fix. Download SmitfraudFix.exe from here and save it to your desktop: SmitFraudFix.exe Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below: Next, please reboot your computer into Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. When you are at the logon prompt, log in as the user you were performing the previous steps as. When your computer has started in safe mode, and you see the desktop, close all open Windows. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below: When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option *Clean (safe mode recommended).* The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below. This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 11. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen. Your computer should now be free of the VirusBursters, Virus-Bursters and VirusBurster infection. If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Preparation Guide For Use Before Posting A Hijackthis Log Manual Removal Instructions for VirusBursters and VirusBurst: These steps may appear to be long and daunting. They are, though, quite easy to do and consist of so many steps only because I have written them in an extremely detailed manner. Print out these instructions as we will need to close every window that is open later in the fix. Download FixVBS.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser. FixVBS.reg Download Link Confirm that the file FixVBS.reg now resides on your desktop as we will need it later. Download SmitfraudFix.exe from here and save it to your desktop: SmitFraudFix.exe Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below: Go to your desktop and double click on the FixVBS.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button. Click on the Start button and then select the Run option. In the Open: field type c:\windows\system32 and then press the OK button. When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option. We now need to make it so you can see hidden files. Click on the Tools menu and select Folder Options. Click on the View tab. Under the Hidden files and folders category select Show hidden files and folders. Uncheck Hide protected operating system files. Press Apply and then OK. If you still can not see the file, then undo these changes and skip to step 11. Scroll through the list of files in this folder and look for rrtcany.dll. Right-click on rrtcany.dll and select rename. Rename the file to rrtcany.dll.bad. Look for the file veklo.dll and rename the file to veklo.dll.bad. Look for the file okkmtv.dll and rename the file to okkmtv.dll.bad. Look for the file impgsje.dll and rename the file to impgsje.dll.bad. Look for the file sacskza.dll and rename the file to sacskza.dll.bad. Look for the file cfltygd.dll and rename the file to cfltygd.dll.bad. Look for the file jbtazy.dll and rename the file to jbtazy.dll.bad. Look for the file fmrmhc.dll and rename the file to fmrmhc.dll.bad. Look for the file dcvwaah.dll and rename the file to dcvwaah.dll.bad. Look for the file oebxpba.dll and rename the file to oebxpba.dll.bad. Look for the file xxfgmy.dll and rename the file to xxfgmy.dll.bad. Look for the file tpedvf.dll and rename the file to tpedvf.dll.bad. Look for the file dbqlrij.dll and rename the file to dbqlrij.dll.bad. Look for the file vcehaeb.dll and rename the file to vcehaeb.dll.bad. Look for the file xqpauzx.dll and rename the file to xqpauzx.dll.bad. Look for the file mlraakb.dll and rename the file to mlraakb.dll.bad. Look for the file qrzsyr.dll and rename the file to qrzsyr.dll.bad. Note: Please rename any of the above files that you may find. If you do not find any of these files, then you should post a note about it in the Am I Infected? forum. After you rename the file, you can close the System32 folder window. Next, please reboot your computer into Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. When you are at the logon prompt, log in as the same user which you had done the previous steps. When your computer has started in safe mode and you see the desktop, click on the Start Menu button. Click on the Control Panel option. Double-click on the Add or Remove Programs icon. Find the entries for VirusBursters 6.2, Virus-Bursters 6.3 or VirusBurster 6.3 and double-click on it to uninstall them if found. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks. When it has completed uninstalling you can close Add or Remove Programs and your Control Panel. Delete the following files and folders (Do not be concerned if this folder does not exist): C:\Windows\System32\rrtcany.dll C:\Windows\System32\veklo.dll C:\Program Files\VirusBursters\ C:\Program Files\Virus-Bursters\ C:\Program Files\VirusBurster\ C:\Windows\System32\okkmtv.dll.bad C:\Windows\System32\impgsje.dll.bad C:\Windows\System32\sacskza.dll.bad C:\Windows\System32\jbtazy.dll.bad C:\Windows\System32\cfltygd.dll.bad C:\Windows\System32\fmrmhc.dll.bad C:\Windows\System32\dcvwaah.dll.bad C:\Windows\System32\oebxpba.dll.bad C:\Windows\System32\xxfgmy.dll.bad C:\Windows\System32\tpedvf.dll.bad C:\Windows\System32\dbqlrij.dll.bad C:\Windows\System32\vcehaeb.dll.bad C:\Windows\System32\xqpauzx.dll.bad C:\Windows\System32\mlraakb.dll.bad C:\Windows\System32\qrzsyr.dll.bad Close all open Windows. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below: When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option *Clean (safe mode recommended).* The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below. This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 25. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log to see what files were found, and when you are done, close the Notepad screen. We next perform an online scan with Panda to find any possible inactive remnants from this infection: Panda Online Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a few minutes) When download is complete, click on Local Disks to start the scan When the online scan has been completed, let it remove what it finds, and then you can close Internet Explorer. Your computer should now be free of the VirusBursters, Virus-Bursters, and VirusBurster infection. If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Preparation Guide For Use Before Posting A Hijackthis Log This is a self-help guide. Use at your own risk. BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum. If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you. -------------------- Lawrence

Grinler View Member Profile	Nov 3 2006, 11:00 AM Post #2
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Guide Updated to remove the latest infectors: C:\Windows\System32\okkmtv.dll C:\Windows\System32\impgsje.dll -------------------- Lawrence

Grinler View Member Profile	Nov 3 2006, 01:55 PM Post #3
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Updated to include another new infector: C:\Windows\System32\sacskza.dll -------------------- Lawrence

Grinler View Member Profile	Nov 12 2006, 04:52 PM Post #4
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Updated for new infectors: C:\Windows\System32\jbtazy.dll C:\Windows\System32\cfltygd.dll -------------------- Lawrence

Grinler View Member Profile	Nov 19 2006, 03:19 PM Post #5
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Two new infectors released: C:\Windows\System32\fmrmhc.dll C:\Windows\System32\dcvwaah.dll -------------------- Lawrence

Grinler View Member Profile	Nov 20 2006, 08:58 AM Post #6
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	New infector added: C:\Windows\System32\oebxpba.dll -------------------- Lawrence

Grinler View Member Profile	Nov 27 2006, 10:47 AM Post #7
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Two new infectors released: C:\Windows\System32\xxfgmy.dll C:\Windows\System32\tpedvf.dll -------------------- Lawrence

Grinler View Member Profile	Nov 27 2006, 10:56 AM Post #8
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Updated again for new infector: C:\Windows\System32\dbqlrij.dll -------------------- Lawrence

Grinler View Member Profile	Dec 4 2006, 10:53 AM Post #9
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Updated for the new infector: C:\Windows\System32\vcehaeb.dll -------------------- Lawrence

Grinler View Member Profile	Dec 4 2006, 12:37 PM Post #10
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Updated for two more infections: C:\Windows\System32\xqpauzx.dll C:\Windows\System32\mlraakb.dll -------------------- Lawrence

Grinler View Member Profile	Dec 12 2006, 02:04 PM Post #11
Bleep Bleep! Group: Admin Posts: 28,225 Joined: 24-January 04 From: USA Member No.: 3	Updated guide to include information about the same program under a slightly different name: VirusBurster. Also added new infector: C:\Windows\System32\qrzsyr.dll -------------------- Lawrence

« Next Oldest · Spyware and Malware Removal Guides and Reading Room · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 18th July 2008 - 02:20 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides