08-Sep-06 / To: Bleepingcomputer.com
Re: VirusBurst Remov Proc Revise; new strain?
Intel P4 1.7 GHz, 256 MB RAM; Win XP Pro SP2; 40 GB HD (F32)
First off, like to thank Grindler (er, Grinler) for that excellent virusburst
info & tools links. Unfortunately I was unable to reply at that article.
I did want to mention to him the following difficulty w/ one link:
1. Re: Slight correction to VirusBurst Removal Procedure.
(a) First, "rename" downloaded *FixVB.reg.txt* to *FixVB.reg*
If necessary to run, right-click on FixVB.reg, choose 'open with'
and browse to and select C:\Windows\regedit.exe, click OK to let
the Registry Editor do its thing.
2. Re: Newer strain?
My recollections/notes, bit hazy. Didn't come across bleepingcomputer
and procedure 'til day after, when searched for clues via another pc.
Then copied Removal tools and xfered all via diskette to infected pc.
Symptoms about same as described by bleeping. Here are some terms:
Security Troubleshooting (DeskTop shortcut)
One is address I saw when the malware re-directed me when tried Net.
Another was from right-click on flashing Alert in notification area
of DeskTop taskbar. Think that also caused the malware to run.
3. General comment.
Don't know exactly how I caught this bugger but most likely by
one of those weird google re-directs and/or drive by some porno
site. In either case, it drove me bonkers as can't stand flashing
messages and, worse, denial of net access.
The greedy, money-hungry criminals responsible for this kind of
extortion attempt should be prosecuted to the fullest extent of
the law. Their names and addresses should be released to the
public (where guilt is proven) so that public shame and wrath can
take their course. In the end, this latter might turn out to be the
only effective antidote for ridding the planet of this atrocity.
Public disclosure of proven transgressors seems to have worked
well in Singapore, at least.
In effect, it's worse than terrorism because it's difficult to root
out and affects more people, and, all things considered, has equal
or greater economic, health and frustration impacts.
Initially ran some to-hand anti-malware/virus apps without much result.
Later ran 'Spyware Doctor', 'Webroot Spysweeper' and 'Spybot' and each
did find a few related trojans, etc. SD found the most (5) but the
trial version would not delete them; though it did graciously give
locations and descriptions. AVG and McAfee found nothing in this case.
Spybot found and apparently cured 3 of those found by SD. However, if I
recollect correctly, some later resurfaced. AdAware ineffective here.
During and after the above, we did some hunting and brute force
removals via DOS. In previous cases this approach worked well enough
and often without additional resort to commercial scans.
I can not remember precisely the order in which things occurred but
it seems that ultimately, in the end, things *apparently* righted
themselves *sufficiently*, at least, via the application of both DOS and
anti-malware in equal measure because all activity appeared to have
However, I was still reluctant to go on Net, in event the danger
re-surfaced and loaded more infections into the machine. Moreover,
SD was still showing another 2 or 3 problems.
It was at about this time I was able to get access to another pc
and ran into bleepingcomputer.com (via Google) and reckoned I'd better
have a 2nd shot at things via the tools offered there.
The Grinler-provided bleepingcomputer Removal Procedure seems to have
put the final nail in the coffin (no, I did not run a Panda check yet).
After the apparent cure, today, "Spyware Doctor" found nothing but,
surprisingly, 'Spy Sweeper' did find the 'trojan downloader-zlob'.
Note: If interested, pls see my (negative?) comment re 'Spy Sweeper', at end.
5. Day 1 hunt & peck via DOS.
For the record, the following is some hazy history of 1st stage panic &
troubleshooting via DOS, which may be of some benefit to those in similar
Used DOS cmd line and XTREE GOLD (old DOS File Mgr) to help speed
things up via its instant file content viewer and its text & binary
editors. Though I did not, it may have been better to first re-boot
to 'Safe Mode' before going on w/ some of the abovementioned. Either that,
or I should have booted via DOS boot diskette, instead of just dropping out
to DOS window.
a. checked Registry (Find) for any 'virus' and 'virusburst' strings.
This found me 1 or 2 relevant ones which I deleted.
b. also checked for other relevant strings (re: SYMPTOMS..., above);
ex: 'homepage', 'teston', etc. ...
c. checked 'Program Files' and Windows, prefetch, System and System32
directories (folders) for files created/surreptitiously-downloaded
on the *date* and within *time segment* when virus activity first
surfaced. Did not scan for rootkit activity as yet.
The above process went smoothly and quickly via 'XTREE' - it helped
me find and delete a number of relevant files & links. The Viewer helped
to quickly pin down and confirm suspected files.
In retrospect tho', there were at least 2 straws in the ointment:
(1) For some reason, The process did not reveal any "eowygj.dll"
in the result at this time and
(2) I could not identify the purpose of 2 files, which I later temp-
renamed, zipped up w/ pw protection and temp-quarantined in
a separate folder. These were:
"GTPBX.DLL" and "wpa.dbl"
Due to infection, I could not go on net to ID them (will do soon).
Other items found manually (except where noted), and deleted or
- "BSZIP.DLL", labeled as infected by "REMOVEIT PRO XT2-SE"
(think it was in system32 folder)
- one 'VirusBurst' file in "prefetch" folder
- C:\Documents and Settings\(user)\Local...\temp\nrsu.tmp\Au_.exe
- something somewhere w/ "VB188..." in it
- C:\Program Files\Virusburst (deleted whole folder)
- something about ISADON.DLL mentioned by some app (which I never
found anywhere) and later, got Win shut down error message:
"CAN'T RUN ISAMONITOR.EXE ...."
To be sure, forgot how I found it, but did delete a line in the
registry (possibly wrongfully) that showed up when I looked for
'ISADON' in registry. That line was:
Not sure yet how I'm going to get that back, if it's needed. But
so far, no problems after last re-boot.
Later, cleared all I/E history and caches and also ran 'Disk Cleanup'.
The system later *appeared* to be clean, except that the Alert icon
was still flashing. At one stage it was still able to execute when
clicked on but the window it brought up was devoid of address and
everything else (looked about as pathetic as a lost kitten in space).
In any case, I had disconnected the Net long before that, as didn't
want more infections to come aboard.
Eventually I "hid" and "disabled" the icon via right click on Taskbar
& select Properties, Taskbar, Hide Inactive Icons, Customize... which
was like sweeping things under the rug. Finally, after more DOS
processing, etc., it went away altogether and currently there's no
record of it left in that 'Customize' menu.
The proof in the pudding will come when go on the net with this post.
Might add that I ran Spyware Doctor, et al., sometime during and
also after the above goings on. At one stage the latter showed 5
infections (listed in 6., below)
6. Finally, today, to make doubly sure that all was gone and the thing
wouldn't try to re-infect me when I was ready to go on Net, I
started off with the bleeping... Removal procedure.
First I merged the new stuff into the registry. Then I booted to Safe
Mode and did a bit more cleanup work and scans b4 running 'smithrem'.
The cleanup found a bit more, including a rather benign cookie
"(currentuser)@www.safetyhomepage.txt" and forgot what else,
which I deleted. Later cleared recycle again and also ran Disk
Did again scan registry manually and also checked 'Add/Remove
Programs'. In the latter I found some without any ID or info
and which I couldn't track down.
Spyware Doctor had by now still found 5 remaining problems:
PSGuard Desktop Hijacker  C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url  High
PSGuard Desktop Hijacker  C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url  High
SpyAxe  C:\System Volume Information\
I was able to locate and delete the first 2 manually but didn't
mess with System Volume Information. Nor could I find the last 2
in the Registry.
I'm not too up on Registry issues; so one problem I had was w/ the
ID of the Hives. Spyware Doctor begins the entries w/ "HKLM...", for
one thing, while the Hive names in my registry start w/ "HKEY"; not
sure if "HKLM" is the traditional, older prefix or what.
In any case, could not find those "Run##..." entries anywhere and
am wondering whether this is some kind of SD BS or what.
I'm not too worried, though, because after running 'smithrem',
everything seems to be clean now, except for that "zlob" thing
I found on a final run and quarantined with 'Spy Sweeper'.
The following items were found - and are STILL - in "Add/Remove"
and I have not yet been able to find their actual location nor
identify them because there is absolutely no info on them (not
even a date or size) in Add/Remove:
1 - Internet Explorer Security Plug In 2006 (?)
(not sure where the above came from because, in so far as I
am aware, this pc, tho' not my personal, hasn't been
updated for long time.)
2 - Internet Security Add On (?)
3 - Safety Alerter 2006 (?)
Also some Services/Processes/StartUps look a bit suspicious as
no ID given. Here are some:
1 - INSTALLDRIVER TABLE MANAGER (stopped) (looks OK, tho')
2 - MACHINE DEBUG MANAGER (running) (looks OK, tho')
3 - OFFICE SOURCE ENGINE (stopped)
1 - IMJPMIG (IMJPMIG.EXE) C:\Windows\IME\..........
2 - IMSINST c:\WINDOWS\SYSTEM32\IME\......
3 - TINTSETP C:\Windows\System32\IME\..........
4 - E-54I352 (or E-S4I3S2)
HIJACKTHIS LOG made; but looks OK. Mentions missing file
I temp renamed but does not mention the other one:
"wpa.dbl". Will send log if the cleanup didn't work.
Spy Sweeper Note:
Altho' Spy Sweeper is quite good, it leaves a few things to be
desired. For example:
- at end of sweep and when advancing to "next", and so on, to have it
ultimately quarantine or delete the malware, there seems to be no
immediate indication of the job having been done.
- if I decline to click "finish" and first go to check the "log", I
find there's later no way to "get back" to where I just came from.
- the log did show that 'zlob' was cleaned out of many places in
the registry and was quarantined. However, there were literally
tons of entries in the log, re:
"Warning: Failed to open file ------ Access denied"
"Warning: Failed to open file ------ The process cannot access
the file because it is being used by another process"
and I'm wondering what it may be missing because of 'no access'.
- In some cases, one cannot select and copy to clipboard important
text which may appear in its GUI, results, etc.
4:43 PM (Thai time) 07-Sep-06 / update
On net. So far so good. All is updating OK automatically, so on,
so forth. No sign of bug yet. Only thing, my "cwshredder" hung up.
Was a bit too much activity at start. OK now. Might re-boot.
6:24 AM (Thai time) 08-Sep-06
Will try register and post soon.
PS - Something odd about the spell checker again here (similar
to what I got when submitted my Intro). It says "Scanned 1959 words.
Found 163 to be corrected" - but only highlighted (re-fonted) my
"Sep" entry in the date at top. All else seemed OK.
(Sorry, Grinler, got your name spelling slightly off in my intro submission.)
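The manual registry hunt in section 5 (searching for strings like 'virusburst' and 'homepage') and the HKLM-versus-HKEY confusion in section 6 can both be worked offline against a regedit export; the Python below is an added example, not part of the original post or any of the tools it names, and its sample .reg text and values are constructed for illustration. It expands the scanner-style hive abbreviations (HKLM is the standard short form of HKEY_LOCAL_MACHINE) to the names regedit displays, so a path from a scanner report can be matched against the export, and lists every value whose key, name or data contains an indicator string.

```python
# Scanner-report abbreviations -> full hive names as shown by regedit.
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
                "HKCC": "HKEY_CURRENT_CONFIG"}

# Constructed sample export: one legitimate Run entry, one VirusBurst-style
# Run entry, and a hijacked IE start page (every value here is made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VirusBurst"="C:\\Program Files\\VirusBurst\\virusburst.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.safetyhomepage.example/"
"""

def normalize_key(path: str) -> str:
    """Expand a leading hive abbreviation so a scanner's 'HKLM\\Software\\...'
    and regedit's 'HKEY_LOCAL_MACHINE\\Software\\...' compare equal."""
    head, sep, rest = path.partition("\\")
    return HIVE_ALIASES.get(head.upper(), head.upper()) + sep + rest

def parse_reg_export(text: str) -> dict:
    """Return {normalized key path: [(value name, data), ...]} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # [key path] header
            current = normalize_key(line[1:-1])
            keys[current] = []
        elif current is not None and "=" in line:         # "name"="data"
            name, _, data = line.partition("=")
            keys[current].append((name.strip('"'), data.strip('"')))
    return keys

def find_indicators(text: str, indicators) -> list:
    """Return (key, value name, data) for every value whose key path, name or
    data contains one of the indicator strings, case-insensitively."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, data in values or [("", "")]:           # keys with no values
            haystack = f"{key} {name} {data}".lower()
            if any(ind.lower() in haystack for ind in indicators):
                hits.append((key, name, data))
    return hits
```

Run `find_indicators(SAMPLE_REG, ["virusburst", "homepage"])` to see the two constructed hits; on a real machine, export the hives with regedit first and point the function at that file's contents.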