
Problems With The Virusburst Problem



#1 ryonrex


Posted 09 September 2006 - 10:26 PM

Hello, my name's Ryan.
Now that the pleasantries are out of the way...

Today I managed to pick up the Virusburst trojan most likely along with a Windows Media codec. Needless to say it started to really piss me off after a few hours of that friggin bubble message.
I was very thankful when I found this site's guide to removing the thing; however, I've run into a problem.

When I click your link to the roguescanfix file, I get this message:



Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator to inform of the time the error occurred and of anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Web Server at martijnc.be



I guess that means the file is missing from somewhere?
I did download the SmitfraudFix file and ran it, and here were my results:

SmitFraudFix v2.85

Scan done at 20:07:56.78, 09/09/06
Run from C:\Documents and Settings\Fred\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Fred\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\Fred\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Media-Codec\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{168cf174-6dab-461c-a761-a7adfa5a5719}"="campy"

[HKEY_CLASSES_ROOT\CLSID\{168cf174-6dab-461c-a761-a7adfa5a5719}\InProcServer32]
@="C:\WINDOWS\system32\wuwbxp.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{168cf174-6dab-461c-a761-a7adfa5a5719}\InProcServer32]
@="C:\WINDOWS\system32\wuwbxp.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Scanning wininet.dll infection


End



At the moment I put the Media-Codec files in quarantine with Panda Platinum 06. They pissed me off. :thumbsup:

So anyway, if anyone can help that would be really great.

Thank you,

Ryan
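
A report like the one in the post above can be triaged mechanically. The following is an added example, not part of the original post and not SmitFraudFix's own code: a Python parser (the name `parse_report` is hypothetical) that collects the `FOUND !` paths and joins each SharedTaskScheduler CLSID to the DLL named under its InProcServer32 key. The output is a list of items to review, since the report itself notes these keys are not necessarily infected; the sample is an excerpt of the report above.

```python
import re

# Excerpt of the SmitFraudFix v2.85 report from the post above (blank lines trimmed).
SAMPLE_REPORT = r'''
Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
C:\Program Files
C:\Program Files\Media-Codec\ FOUND !
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{168cf174-6dab-461c-a761-a7adfa5a5719}"="campy"
[HKEY_CLASSES_ROOT\CLSID\{168cf174-6dab-461c-a761-a7adfa5a5719}\InProcServer32]
@="C:\WINDOWS\system32\wuwbxp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
'''

FOUND_RE = re.compile(r'^(?P<path>.+?)\s+FOUND !\s*$')
KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<data>.*)"$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9a-fA-F-]{36}\})\\InProcServer32$', re.I)

def parse_report(text):
    """Return flagged paths, SharedTaskScheduler entries and AppInit_DLLs data."""
    found, sts, servers, appinit, key = [], {}, {}, None, ""
    for line in (l.strip() for l in text.splitlines()):
        if m := FOUND_RE.match(line):
            found.append(m["path"])
        elif m := KEY_RE.match(line):
            key = m["key"]                      # remember the current registry key
        elif m := VALUE_RE.match(line):
            clsid = CLSID_RE.search(key)
            if m["name"] and key.lower().endswith(r"\explorer\sharedtaskscheduler"):
                sts[m["name"].lower()] = m["data"]           # CLSID -> label
            elif clsid and m["default"]:
                servers[clsid.group(1).lower()] = m["data"]  # CLSID -> DLL path
            elif m["name"] == "AppInit_DLLs":
                appinit = m["data"]
    # Join each SharedTaskScheduler CLSID to the DLL it loads; None if unresolved.
    review = [(c, label, servers.get(c)) for c, label in sts.items()]
    return {"found": found, "sts_review": review, "appinit_dlls": appinit}

if __name__ == "__main__":
    for section, items in parse_report(SAMPLE_REPORT).items():
        print(section, items)
```
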

#2 -David-


Posted 10 September 2006 - 03:33 AM

Let's continue with smitfraudfix.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

#3 ryonrex


Posted 14 September 2006 - 08:28 PM

Well I managed to accidentally remove Virusburst. o_O

See, for some reason my CD/DVD drive has stopped working. So as per a friend's advice I did a system restore to about a month ago, in hopes of fixing it. The drive still isn't working, but as an unexpected side-effect, Virusburst is now gone! Hahaha. Pretty cool I gotta say. I'm not sure if anyone else has tried this yet so I thought mentioning it would be a good idea.

Now, I don't know if it's completely gone; if I restore my computer back to the future, does that mean VB will come back? Should I take more action in removing it?

Thanks,

Ryan

#4 quietman7


Posted 15 September 2006 - 07:44 AM

The CD/DVD drive not working is probably a hardware problem and system restore would not have any effect on fixing it. Sounds like you used a restore date prior to getting the VirusBurst infection. You still should do thorough anti-virus and anti-spyware scans to ensure your computer is clean of any other malware. Once confirming you have a clean machine, you should purge your old system restore points and create a new one that you can use.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

Keep a log and write down the date so you remember in case you need to use it again.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
