Virusburst Success Story & Procedure Update


3 replies to this topic

#1 jed2

Location: Thailand

Posted 07 September 2006 - 08:32 PM

08-Sep-06 / To: Bleepingcomputer.com

Re: VirusBurst Remov Proc Revise; new strain?

Intel P4 1.7 GHz, 256 MB RAM; Win XP Pro SP2; 40 GB HD (F32)
-------------------------------------------------------------------------

First off, like to thank Grindler (er, Grinler) for that excellent virusburst
info & tools links. Unfortunately I was unable to reply at that article.
I did want to mention to him the following difficulty w/ one link:

1. Re: Slight correction to VirusBurst Removal Procedure.

(a) First, "rename" downloaded *FixVB.reg.txt* to *FixVB.reg*

(b) If necessary to run, right-click on FixVB.reg, choose 'open with'
and browse to and select C:\Windows\regedit.exe, click OK to let
the Registry Editor do its thing.


2. Re: Newer strain?

My recollections/notes, bit hazy. Didn't come across bleepingcomputer
and procedure 'til day after, when searched for clues via another pc.
Then copied Removal tools and xfered all via diskette to infected pc.

Symptoms about same as described by bleeping. Here are some terms:

Security Troubleshooting (DeskTop shortcut)
testonsecurity.com
www.virusburst.com
http://safetyhomepage.net

One is address I saw when the malware re-directed me when tried Net.
Another was from right-click on flashing Alert in notification area
of DeskTop taskbar. Think that also caused the malware to run.


3. General comment.

Don't know exactly how I caught this bugger but most likely by
one of those weird google re-directs and/or drive by some porno
site. In either case, it drove me bonkers as can't stand flashing
messages and, worse, denial of net access.

The greedy, money-hungry criminals responsible for this kind of
extortion attempt should be prosecuted to the fullest extent of
the law. Their names and addresses should be released to the
public (where guilt is proven) so that public shame and wrath can
take their course. In the end, this latter might turn out to be the
only effective antidote for ridding the planet of this atrocity.
Public disclosure of proven transgressors seems to have worked
well in Singapore, at least.

In effect, it's worse than terrorism because it's difficult to root
out and affects more people, and, all things considered, has equal
or greater economic, health and frustration impacts.


4. Overview.

Initially ran some to-hand anti-malware/virus aps without much result.

Later ran 'Spyware Doctor', 'Webroot Spysweeper' and Spybot' and each
did find a few related trojans, etc. SD found the most (5) but the
trial version would not delete them; though it did graciously give
locations and descriptions. AVG and McAfee found nothing in this case.

Spybot found and apparently cured 3 of those found by SD. However, if
recollect correctly, some later resurfaced. AdAware ineffective here.

During and after the above, we did some hunting and brute force
removals via DOS. In previous cases this approach worked well enough
and often without additional resort to commercial scans.

I can not remember precisely the order in which things occurred but
it seems that ultimately, in the end, things *apparently* righted
themselves *sufficiently*, at least, via the application of both DOS and
anti-malware in equal measure because all activity appeared to have
been suppressed.

However, I was still reluctant to go on Net, in event the danger
re-surfaced and loaded more infections into the machine. Moreover,
SD was still showing another 2 or 3 problems.

It was at about this time I was able to get access to another pc
and ran into bleepingcomputer.com (via Google) and reckoned I'd better
have a 2nd shot at things via the tools offered there.

The Grindler-provided bleepingcomputer Removal Procedure seems to have
put the final nail in the coffin (no, I did not run a Panda check yet).

After the apparent cure, today, "Spyware Doctor" found nothing but,
surprisingly, 'Spy Sweeper' did find the 'trojan downloader-zlob'.

Note: If interested, pls see my (negative?) comment re 'Spy Sweeper', at end.

-----------------------------------------------------------------------------


5. Day 1 hunt & peck via DOS.

For the record, the following is some hazy history of 1st stage panic &
troubleshooting via DOS, which may be of some benefit to those in similar
situation.

Used DOS cmd line and XTREE GOLD (old DOS File Mgr) to help speed
things up via its instant file content viewer and its text & binary
editors. Though I did not, it may have been better to first re-boot
to 'Safe Mode' before going on w/ some of the abovementioned. Either that,
or I should have booted via DOS boot diskette, instead of just dropping out
to DOS window.

a. checked Registry (Find) for any 'virus' and 'virusburst' strings.
This found me 1 or 2 relevant ones which I deleted.

b. also checked for other relevant strings (re: SYMPTOMS..., above);
ex: 'homepage', 'teston', etc. ...

c. checked 'Program Files' and Windows, prefetch, System and System32
directories (folders) for files created/surreptitiously-downloaded
on the *date* and within *time segment* when virus activity first
surfaced. Did not scan for rootkit activity as yet.

The above process went smoothly and quickly via 'XTREE' - it helped
me find and delete a number of relevant files & links. The Viewer helped
to quickly pin down and confirm suspected files.

In retrospect tho', there were at least 2 straws in the ointment:

(1) For some reason, The process did not reveal any "eowygj.dll"
in the result at this time and

(2) I could not identify the purpose of 2 files, which I later temp-
renamed, zipped up w/ pw protection and tempP-quarantined in
a separate folder. These were:

"GTPBX.DLL" and "wpa.dbl"

Due to infection, I could not go on net to ID them (will do soon).

Other items found manually (except where noted), and deleted or
quarantined were:

- "BSZIP.DLL", labeled as infected by "REMOVEIT PRO XT2-SE"
(think it was in system32 folder)

- one 'VirusBurst' file in "prefetch" folder

- C:\Documents and Settings\(user)\Local...\temp\nrsu.tmp\Au_.exe

- something somewhere w/ "VB188..." in it

- C:\Program Files\Virusburst (deleted whole folder)

- something about ISADON.DLL mentioned by some ap (which I never
found anywhere) and later, got Win shut down error message:

"CAN'T RUN ISAMONITOR.EXE ...."

To be sure, forgot how I found it, but did delete a line in the
registry (possibly wrongfully) that showed up when I looked for
'ISADON' in registry. That line was:

"{202a961f-23ae-42b1-9505-ffe3c818d717}"

Not sure yet how I'm going to get that back, if it's needed. But
so far, no problems after last re-boot.


Later, cleared all I/E history and caches and also ran 'Disk Cleanup'


The system later *appeared* to be clean, except that the Alert icon
was still flashing. At one stage it was still able to execute when
clicked on but the window it brought up was devoid of address and
everything else (looked about as pathetic as a lost kitten in space).

In any case, I had disconnected the Net long before that, as didn't
want more infections to come aboard.

Eventually I "hid" and "disabled" the icon via right click on Taskbar
& select Properties, Taskbar, Hide Inactive Icons, Customize... which
was like sweeping things under the rug. Finally, after more DOS
processing, etc., it went away altogether and currently there's no
record of it left in that 'Customize' menu.

The proof in the pudding will come when go on the net with this post.


Might add that I ran Spyware Doctor, et. al., sometime during and
also after the above goings on. At one stage the latter showed 5
infections (listed in 6., below)


6. Finally, today, to make doubly sure that all was gone and the thing
wouldn't try to re-infect me when I was ready to go on Net, I
started off with the bleeping... Removal procedure.

First I merged the new stuff into the registry. Then I booted to Safe
Mode and did a bit more cleanup work and scans b4 running 'smithrem'.

The cleanup found a bit more, including a rather benign cookie
"(currentuser)@www.safetyhomepage[2].txt" and forgot what else,
which I deleted. Later cleared recycle again and also ran Disk
Cleanup again.

Did again scan registry manually and also checked 'Add/Remove
Programs'. In the latter I found some without any ID or info
and which I couldn't track down.

Spyware Doctor had by now still found 5 remaining problems:

PSGuard Desktop Hijacker C:\Documents and Settings\All
Users\Start Menu\Online Security Guide.url High

PSGuard Desktop Hijacker C:\Documents and Settings\All
Users\Start Menu\Security Troubleshooting.url High

SpyAxe C:\System Volume Information\
_restore{AF403676-DA7D-488C-B3A5-B9E50A154C67}\RP87\A0033377.dll Elevated

Trojan.Popuper HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer\Run##homepage.monitor.exe High

Trojan.Popuper HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer\Run##pmsngr.exe High


I was able to locate and delete the first 2 manually but didn't
mess with System Volume Information. Nor could I find the last 2
in the Registry.

I'm not too up on Registry issues; so one problem I had was w/ the
ID of the Hives. Spyware Doctor begins the entries w/ "HKLM...", for
one thing, while the Hive names in my registry start w/ "HKEY"; not
sure if "HKLM" is the traditional, older prefix or what.

In any case, could not find those "Run##..." entries anywhere and
am wondering whether this is some kind of SD BS or what.

I'm not too worried, 'though, because after running 'smithrem',
everything seems to be clean now, except for that "zlob" thing
I found on a final run and quarantined with 'Spy Sweeper'.

---------------------------------------------------------------

The following items were found - and are STILL - in "Add/Remove"
and I have not yet been able to find their actual location nor
identify them because there is absolutely no info on them (not
even a date or size) in Add/Remove:

1 - Internet Explorer Security Plug In 2006 (?)

(not sure where the above came from because, in so far as
am aware, this pc, tho' not my personal, hasn't been
updated for long time.

2 - Internet Security Add On (?)

3 - Safety Alerter 2006 (?)


Also some Services/Processes/StartUps look a bit suspicious as
no ID given. Here are some:

Service:

1 - INSTALLDRIVER TABLE MANAGER (stopped) (looks OK, tho')
2 - MACHINE DEBUG MANAGER (running) (looks OK, tho')
3 - OFFICE SOURCE ENGINE (stopped)

Startup:

1 - IMJPMIG (IMJPMIG.EXE) C:\Windows\IME\..........
2 - IMSINST c:\WINDOWS\SYSTEM32\IME\......
3 - TINTSETP C:\Windows\System32\IME\..........
4 - E-54I352 (or E-S4I3S2)

HIJACKTHIS LOG made; but looks OK. Mentions missing file
I temp renamed but does not mention the other one:
"wpa.dbl". Will send log if the cleanup didn't work.

-------------------------------------------------------------

Spy Sweeper Note:

Altho' Spy Sweeper is quite good, it leaves a few things to be
desired. For example:

- at end of sweep and when advancing to "next", and so on, to have it
ultimately quarantine or delete the malware, there seems to be no
immediate indication of the job having been done.

- if I decline to click "finish" and first go to check the "log", I
find there's later no way to "get back" to where I just came from.

- the log did show that 'zlob' was cleaned out of many places in
the registry and was quarantined. However, there were literally
tons of entries in the log, re:

"Warning: Failed to open file ------ Access denied"
"Warning: Failed to open file ------ The process cannot access
the file because it is being used by another process"

and I'm wondering what it may be missing because of 'no access'.

- In some cases, one cannot select and copy to clipboard important
text which may appear in its GUI, results, etc.

------------------------------------------------------------------

4:43 PM (Thai time) 07-Sep-06 / update

On net. So far so good. All is updating OK automatically, so on,
so forth. No sign of bug yet. Only thing, my "cwshredder" hung up.
Was a bit too much activity at start. OK now. Might re-boot.

6:24 AM (Thai time) 08-Sep-06

Will try register and post soon.

Regards,

jed2...

PS - Something odd about the spell checker again here (similar
to what I got when submitted my Intro). It says "Scanned 1959 words.
Found 163 to be corrected - but only highlighted (re-fonted) my
"Sep" entry in the date at top. All else seemed OK.

(Sorry, Grinler, got your name spelling slightly off in my intro submission. :flowers:

jed2... :trumpet:
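The three checks jed2 describes doing by hand in sections 5 and 6 (hunting for files created in the Windows and Program Files folders during the time window when the alerts first appeared, chasing the "HKLM\...\Explorer\Run##name" lines from the Spyware Doctor report, and looking for Add/Remove Programs entries that carry no date, size or publisher) can be scripted as a read-only triage pass. The script below is an added example, not part of jed2's post or of the BleepingComputer removal procedure. It is written for a current Windows host (PowerShell 3 or later, run from an elevated prompt), changes nothing on the machine, and the incident window and the watch-list names are constructed from what the thread reports. On the hive-prefix question: HKLM is the standard short form of the HKEY_LOCAL_MACHINE hive that Registry Editor displays, and in that scanner's notation the text after "##" is the value name under the key; the script maps both so a reported finding can be looked up directly.

```powershell
# Added triage example (not from the thread): read-only checks for the places
# jed2 searched by hand. Assumes PowerShell 3+ on Windows, elevated prompt.
# The incident window and the watch-list names are constructed from the thread.

# --- 1. Scanner notation -> registry path ----------------------------------
# Short hive prefixes used in scanner reports, mapped to PowerShell drives.
# HKLM is HKEY_LOCAL_MACHINE; HKCU is HKEY_CURRENT_USER.
$HiveMap = @{ 'HKLM' = 'HKLM:'; 'HKCU' = 'HKCU:' }

function Convert-ScannerPath {
    # "HKLM\...\Policies\Explorer\Run##pmsngr.exe" -> key path plus value name.
    param([Parameter(Mandatory)][string]$ReportedPath)
    $keyPart, $valueName = $ReportedPath -split '##', 2
    $hive, $subKey = $keyPart -split '\\', 2
    if (-not $HiveMap.ContainsKey($hive)) { throw "Unknown hive prefix '$hive'" }
    [pscustomobject]@{ Path = Join-Path $HiveMap[$hive] $subKey; ValueName = $valueName }
}

function Test-ScannerFinding {
    # Reports whether the key and (if given) the value from a scanner line exist.
    param([Parameter(Mandatory)][string]$ReportedPath)
    $t = Convert-ScannerPath $ReportedPath
    if (-not (Test-Path -LiteralPath $t.Path)) { return "key absent:    $($t.Path)" }
    if (-not $t.ValueName)                     { return "key present:   $($t.Path)" }
    $props = Get-ItemProperty -LiteralPath $t.Path -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $t.ValueName)) {
        return "value present: $($t.ValueName) = $($props.$($t.ValueName))"
    }
    return "value absent:  $($t.ValueName) under $($t.Path)"
}

# --- 2. Files created inside the incident window ---------------------------
function Get-FilesCreatedInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        # System32 and Prefetch sit under SystemRoot, so the recursive walk covers them.
        [string[]]$Folders = @("$env:SystemRoot", "$env:ProgramFiles")
    )
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
            Select-Object FullName, CreationTime, Length
    }
}

# --- 3. Add/Remove Programs entries without identifying information --------
$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 64-bit hosts
)
# Constructed watch list: the DisplayName values quoted in the thread.
$WatchList = @('Internet Explorer Security Plugin 2006', 'Internet Security Add-On',
               'Public Messenger ver 2.03', 'Safety Alerter 2006')

function Get-SuspiciousUninstallEntries {
    param([string[]]$Watch = $WatchList)
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $sub.PSPath
            if (-not $p.DisplayName) { continue }          # never shown in Add/Remove
            $onWatch = $Watch -contains $p.DisplayName
            $noInfo  = -not ($p.Publisher -or $p.DisplayVersion -or $p.InstallDate)
            if ($onWatch -or $noInfo) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    OnWatchList     = $onWatch
                    UninstallString = $p.UninstallString
                    Key             = $sub.PSChildName
                }
            }
        }
    }
}

# --- Example run (constructed values: replace the window with the time the
# --- first alert appeared on the affected machine) -------------------------
Get-FilesCreatedInWindow -Start '2006-09-06 08:00' -End '2006-09-06 11:00' | Format-Table -AutoSize
@('HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run##homepage.monitor.exe',
  'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run##pmsngr.exe') |
    ForEach-Object { Test-ScannerFinding $_ }
Get-SuspiciousUninstallEntries | Format-Table -AutoSize
```

The script only narrows the list a person then inspects; deletion or quarantine stays a manual decision, ideally taken from Safe Mode with the network cable out, as the post already does. The Policies\Explorer\Run key it resolves is a genuine logon autostart location, so a value there is worth checking even when the file it names cannot be found, and an Uninstall entry that has a DisplayName but no publisher, version or install date reproduces the "absolutely no info" clue jed2 noticed in Add/Remove.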



#2 jed2

jed2
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:Thailand
  • Local time:10:06 PM

Posted 07 September 2006 - 10:08 PM

To: bleepingcomputer.com
10:00 AM (local, Thai time), 08-Sep-06 / virusburst - new developments?
-----------------------------------------------------------------------------------

This is a quick follow-up on my first post. Stuff I ran into this morning
but haven't analyzed yet.

This data gathered via Google and the sites it took me to. Search strings
used at Google and/or the target sites were: gtpbx. PCODEC,

CAN ANYONE CONFIRM ANY OF THE BELOW, PLEASE ??? I SEEM TO BE
RUNNING OK BUT I STILL HAVE SOME OF THE BELOWMENTIONED IN
MY MACHINE.

----------------------------------------------------------------------------------

Here's a summary of details (below ====== line) found.

It looks like following are also related to "virusburst":

C:\Windows\System32\gtpbx.dll
C:\Windows\System32\duxzj.dll
C:\Program files\PCODEC
fastload.dll

CONFIRM ABOVE ON YOUR OWN. They may have to be deleted in
SafeMode or after DOS floppy boot. PCODEC is definitely
a problem (AVG scan-confirmed).

Scan your system first w/, for example, AVG, Spyware Doctor,
Spy Sweeper, Spybot, etc., etc.


Not sure: (check links under ====== line, below)

"DisplayName"="Internet Explorer Security Plugin 2006"
"DisplayName"="Internet Security Add-On"
"DisplayName"="Public Messenger ver 2.03"
"DisplayName"="Safety Alerter 2006"

===========================================================

http://forums.spywareinfo.com/index.php?showtopic=84627

re: c:\program Files\pcodec folder content looks suspicious. Can't view some files
in XTREE (in XP DOS window). Others have suspicious content. Refers to 'Password Manager"
and "PornMag".

PCODEC downloaded to my machine same morning as infection appeared (date/time stamp)

--------------------------------------------
from: http://securitygarden.blogspot.com/

"Two new variants of the VirusBurst infector have been discovered today. These files when run on a
computer will issue the fake security alerts and download/install VirusBurst onto your computer.

The two new infectors are:

* C:\Windows\System32\gtpbx.dll
* C:\Windows\System32\duxzj.dll"

---------------------------------------------
Refer to this link (hope you can read some Japanese)

http://translate.google.com/translate?hl=e...bbs.cgi%3Fmode%
3Done%26number%3D84547%26type%3D84545%26space%3D15%26no%

3D0&sa=X&oi=translate&resnum=10&ct=result&prev=/search%3Fq%3Dgtpbx.dll%26hl%3Den%26lr%3D%26sa%3DG

Among some of the entries, we have those I queried in my first post:

Uninstall the following from [Add or Remove Programs] while connected to the Internet.
http://wiki.higaitaisaku.com/wiki.cgi?acti...Uk9-PRiqerTvbqg

"DisplayName"="Internet Explorer Security Plugin 2006"
"DisplayName"="Internet Security Add-On"
"DisplayName"="Public Messenger ver 2.03"
"DisplayName"="Safety Alerter 2006"

plenty more given...
-----------------------------------------------

re: gtpbx

http://temerc.com/phpBB2/viewtopic.php?p=9507


------------------------------------------------

more info: (need google translate)

http://64.233.179.104/translate_c?hl=en&am...ev=/search%3Fq%
3Dgtpbx.dll%26start%3D10%26hl%3Den%26lr%3D%26sa%3DN

------------------------------------------------------

http://translate.google.com/translate?hl=e...m/bugbear-y-el-
dichoso-doble-acento-vt13210.html&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%
3Dgtpbx.dll%26start%3D10%26hl%3Den%26lr%3D%26sa%3DN

files mentioned for inspection:

gtpbx.dll
fastload.dll

-------------------------------------------------------

more interesting stuff at:

http://translate.google.com/translate?hl=e.../www.paules-pc-
forum.de/phpBB2/ptopic,523587.html&sa=X&oi=translate&resnum=7&ct=result&prev=/search%3Fq%
3Dgtpbx.dll%26start%3D10%26hl%3Den%26lr%3D%26sa%3DN

and at:

http://virus-protect.org/artikel/spyware/spywarequake.html

-------------------------------------------------------

During my search just now, AVG auto-downloaded a long update and started scanning.
Apparently 'smithrem' didn't finish the job. AVG deleted 4 CODEC entries (an item I
suspected) and I'm shortly going to delete the entire folder via DOS.

AVG also said it deleted 2 entries in System restore (my earlier Volume Info? report)
which I thought 'smithrem' already cleaned.

------------------------------------------------------

jed2... :thumbsup:

Yikes! Messed up that last edit but good! :flowers:

Edited by jed2, 07 September 2006 - 10:18 PM.


#3 jed2

jed2
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:Thailand
  • Local time:10:06 PM

Posted 09 September 2006 - 06:55 AM

09-Sep-06 / To: Bleepingcomputer.com

Re: (1) VirusBurst Remov Proc Revise; (2) new strain?
Looks like I counted my chickens before they were hatched! :thumbsup:

Problem solved - for good now, though (cross my toads) :flowers:

Scuse the rambling rants in my last 2 posts. The panic & confusion
at the time didn't help any. Suffice it to say, none of the measures
taken at the time (including 'smithrem) seemed to have conclusively
put paid to the bug because soon after, "virusburst" returned with a
vengeance.

After sleeping on it for a while, went back to the battle. A lucky
insight appears to have helped. It's been smooth sailing ever since.
The blow-by-blow is related below. Hope it helps someone in
similar bind.

------------------------------------------------------------

On the 8th I gathered my thoughts and concluded that there might
have been a link between 'virusburst' and "SPYWARE DOCTOR". This
may seem unpalatable to some but after having un-installed the latter
(which was a battle in itself), all *finally* came right. Not to say
that 'smitrem' and all the other efforts were in vain. They did their
part. They just weren't enough to completely finish the job.

I wish I could remember from where I downloaded SD. It may have
popped up somewhere in the majorgeeks download chain because
that's where I got most of my stuff that day.

-------------------------------------------------------------

The following are some summarized extracts from my notes of 8th:

It appears that the 'smitrem' cure, et. al., might be slightly out
of date already as 'virusburst' seems to be morphing rapidly.

All seemed normal on several boots and during and immediately after
this morning's short Net access when checked email, downloaded couple
topical articles from Tech Republic and did a bit of research on the
bug via Google.

Subsequent checks showed the bug was back again, but under cover
this time. No more flashing alerts, etc., trying to extort users
to download their AV.

One Spyware Doctor scan found 31 items this trip, a good bunch being
nasty trojans. Another type found 14 items. And that was just from
this morning's brief surfing session.

There were only about 50 cookies that got thru but a good number of
them being nasties.

Unfortunately, all kinds of things went haywire after that. For a
while, couldn't even boot to safe mode, nor find certain directories
and files associated w/ the bug, even via DOS! nor even run XTREE.
It's as if the bug knew it was being hunted.

Explorer became unresponsive after first or 2nd runs; so on and so
forth; also, error messages and aborts when attempting scans w/
certain aps. This was in Safe Mode.

Looked like the bug had evolved. Reckoned I must have had a remnant
left in the system that allowed it to regroup, updates itself and go on the
offensive w/ newer exploits, with a vengeance. Could be the author
is modifying the bug as based on reviews of posted countermeasures at
sites like these.

Currently I'm scanning again in Safe Mode.

McAfee's just found some Trojans in the System Volume_Restore...
but I thought these had already been handled earlier by AVG.

On completion, the 3 trojans were listed as already having been
deleted automatically by McAfee - though I never configured it for
that before! Something was odd.

Another interesting development. I did not notice it listed in the
results but McAfee just said:

"The file *smitrem.exe* can not be deleted"

This is very odd as "smitrem" is supposed to be the reputable cure.

I wonder what's going on!? It did quarantine the file when I told
it to; it SAID it did, anyway.

Another odd thing, when I brought up McAfee, I noted:

"scan disabled"

Been using it regularly and never reset that option either! Looks
like maybe 'virusburst' just got smarter!

More scans. Nothing much found except via Spyware Doctor, which
keeps nagging / warning me to buy it before cleaning what it
found. Looks almost like a final ultimatum, or else!

Had an hour's nap to clear the cobwebs. Thereafter it struck me
that I'd downloaded SPYWARE DOCTOR and a few others I ran across
during my search for some utilities on the net and that soon after
the problems started.

SD had earlier discovered some nasty Registry entries not found
by any other ap and which I subsequently could not locate in the
Registry.

I'd also wondered about the SD path listing - "HKLM" vs. "HKM".
Yet Hijackthis & SpySweeper use same HKLM prefixes. So may be OK (?).

To test my hunch, I uninstalled Spyware Doctor (admittedly, after
some other scans and corrections were made first).

Sure enough, SD fought like hell to stop Windows. It stopped the
uninstall dead in its tracks and tried to go on net to call mom.

Fortunately, I'd physically disconnected earlier, when noted
off-and-on Network-monitor icon activity, when nothing was supposed
to be there. Also wanted to pre-empt possible 'virusburst' calls home.

Add/Remove also started to hang and so on. SD fought tooth and nail
to stop the uninstall, it seemed; pleading/warning messages; non-
stop HD activity (which worried me) and so on. Finally got it out
(I think). Did a few more checks to try confirm.

Thereafter Explorer et. al., ran smoothly again; much faster too.

Does look like SD and virusburst might be related. Can't say for
sure yet (hard to believe). See how she goes.

Still have those 3 suspect items in Add/Remove. Checked earlier and
found mention of them all in a list w/ other suspicious related
files at a Japanese forum site. I'd already deleted or quarantined
some of those on that list. Am unable to fully ID or decipher that
site but it shows up in Google if search string includes a portion
of one of the ADD/REMOVE items in question.

-----------------------------------------------------

Evening...

Just scanned w/ 'AVG AntiRootkit Beta' and 'blbeta'. Nothing found.
Nothing significant via Hijackthis either.

One more Registry check... Wow! things went really fast and smooth
this time; nothing like before. Nothing found, though.

Quick DiskCleanup & IE cache cleanups, etc. Lightning speed this time!
Things looking up.

-----------------------------------------------------

Well, I'm on the net again and no sluggishness nor redirects nor
extortionist alerts or other impediments encountered so far. Feels
like smooth and clean sailing. Perhaps it's all gone for good now.

So there you have it. You can draw your own conclusions re Spyware
Doctor. All I know is that uninstalling it put the last nail in the
'virusburst' coffin at my end. Like to hear of similar results
from anyone who tries it.

Question is, how to immunize against another attack?


Cheers :inlove:

Jed...

(love these crazy icons) :trumpet:

#4 jed2

jed2
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:Thailand
  • Local time:10:06 PM

Posted 09 September 2006 - 07:03 AM

Looks like forgot the checkmark. Appreciate any feedback.

jed2 :thumbsup:

PS. Wish there were a more direct way to notify Grinler re new developments on a timely topic so that he may
have a gander and, where applicable, update his posts/instructions on critical topics such as this one. For instance,
the 2 suggestions regarding " "rename" downloaded *FixVB.reg.txt* to *FixVB.reg* " and *SPYWARE DOCTOR*,
if confirmed as correct, could ease the pain for some visitors looking for solutions here. Conversely, if incorrect,
this should be noted to avoid confusion. My apologies, if this has already been done. Perhaps I better have a look
see, if I can find it again. Age does wonders for the memory.

Edited by jed2, 09 September 2006 - 07:29 AM.
