
Infected With Virus Burst/virus Busters Trojan Horse



#1 torianne123

  • Members
  • 1 posts

Posted 26 November 2006 - 07:20 PM

Hi, I've noticed others on this site have the same issue as I have. The Virus Burst/Virus Buster Trojan Horse. I have the system tray notification popping up constantly telling me that I have a virus and it redirects my homepage to errordns.com. When I figured out that I have the virus, I uninstalled the Goldec program through add/remove programs which seemed to do absolutely nothing. Any advice would be appreciated. Please note that this is a corporate computer.

Logfile of HijackThis v1.99.1
Scan saved at 7:07:46 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\navnt\DefWatch.exe
C:\WINDOWS\system32\NALNTSRV.EXE
C:\PROGRA~1\navnt\Rtvscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\PROGRA~1\NavNT\SavRoam.exe
C:\WINDOWS\system32\SurveyPCService.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Compuware\Vantage Agent\OPTSA.exe
C:\WINDOWS\system32\wm.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Gold Codec\isamonitor.exe
C:\Program Files\Gold Codec\pmsngr.exe
C:\WINDOWS\WWW.EXE
C:\PROGRA~1\navnt\vptray.exe
C:\Program Files\Gold Codec\isamini.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Gold Codec\pmmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\FileNet\IDM\fnsysmgr.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\naldesk.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\navnt\vpc32.exe
C:\Documents and Settings\x487843\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo
O1 - Hosts: 172.27.36.52 aqdp002-filenet-nch-server
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Program Files\Gold Codec\isaddon.dll
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Program Files\Gold Codec\iesplugin.dll
O4 - HKLM\..\Run: [WWW] C:\WINDOWS\WWW.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [0FileNET System Manager] C:\Program Files\FileNet\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Nal] C:\WINDOWS\system32\naldesk.exe /ns
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...US_ZJxdm090YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://exchange.wachovia.net
O15 - Trusted Zone: *.wachovia.authoria.com
O15 - Trusted Zone: *.fub.com
O15 - Trusted Zone: *.wachovia.com
O15 - Trusted Zone: *.wachovia.net
O15 - Trusted Zone: *.wachoviabillpay.com
O16 - DPF: CIPRSNTL - https://ciprs.wachovia.net/ciprsonline/src/CIPRSNTL.cab
O16 - DPF: {1D62D002-7C93-11D5-893E-0004AC6E65BA} (STARS25.Client25) - http://gub-wec1.ntserver.fub.com/research/STIARS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = retail.msds.wachovia.net
O17 - HKLM\Software\..\Telephony: DomainName = retail.msds.wachovia.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B2193B4-CE43-402C-AD91-BE37818FAE1F}: NameServer = 69.78.96.14 66.174.95.44
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retail.msds.wachovia.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = isa.Wachovia.net,infra.fub.com,csm.fub.com,wachovia.net,wachovia.com,fub.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = isa.Wachovia.net,infra.fub.com,csm.fub.com,wachovia.net,wachovia.com,fub.com
O20 - Winlogon Notify: CPRSNtfy - C:\WINDOWS\SYSTEM32\CPRSNtfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - C:\WINDOWS\system32\dcvwaah.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\navnt\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\navnt\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\NavNT\SavRoam.exe
O23 - Service: PC Survey (SurveyPCService) - First Union Capital Markets - C:\WINDOWS\system32\SurveyPCService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: Vantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Vantage Agent\OPTSA.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
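An added triage example, not part of the original post or of HijackThis itself: it parses a constructed subset of the log lines above and flags the entries a reviewer would look at first (anything loading from the "Gold Codec" folder the poster named, the O21 SSODL entry, an autorun executable sitting directly in the Windows root, and unnamed BHOs). The folder name is assumed as an indicator only because the poster identified it.

```python
import re

# Constructed sample: a subset of the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Program Files\Gold Codec\isaddon.dll
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Program Files\Gold Codec\iesplugin.dll
O4 - HKLM\..\Run: [WWW] C:\WINDOWS\WWW.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - C:\WINDOWS\system32\dcvwaah.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab)", re.IGNORECASE)

# Assumption: the folder the poster identified as the rogue "codec" installer is used as an indicator.
ROGUE_FOLDERS = {"gold codec"}


def parse_entries(log_text):
    """Yield (kind, body, path) for each HijackThis R/O line; path is None if the line names no file."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m.group("body"))
        yield m.group("kind"), m.group("body"), (p.group(0) if p else None)


def triage(log_text):
    """Return [(kind, path, reason)] for the entries a reviewer should examine first."""
    findings = []
    for kind, body, path in parse_entries(log_text):
        if path is None:
            continue
        parts = [c.lower() for c in path.split("\\")]  # e.g. ['c:', 'windows', 'www.exe']
        reason = None
        if any(folder in parts for folder in ROGUE_FOLDERS):
            reason = "loads from the rogue codec folder"
        elif kind == "O21":
            reason = "SSODL shell-load entry; rare on a clean system, review the DLL"
        elif kind == "O4" and len(parts) == 3 and parts[1] == "windows":
            reason = "autorun executable directly in the Windows root"
        elif kind == "O2" and "(no name)" in body:
            reason = "BHO with no name; verify the publisher (Spybot's SDHelper.dll is legitimate)"
        if reason:
            findings.append((kind, path, reason))
    return findings


if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:4} {path:55} {reason}")
```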


#2 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 26 November 2006 - 10:30 PM

Hello torianne123,

I am SifuMike and I will be helping you. :thumbsup:

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.


