10-09-2006, 12:50 PM
|
#1 (permalink)
|
|
v7n Goddess
Join Date: 09-24-06
Location: Where I Belong
Posts: 3,119
|
Quote:
Originally Posted by Klaas Koopman
Tried to do the online scams, but then my pc got jammed, didn't do anything, had to reboot.
I noticed what the virus is, it's called: VirusBurst. Anyone who can help me get rid of it? Cause I hate the continuous popups of all the naked people! ugh 
|
VB is a trojan btw. It gives you an icon in the system tray and keeps giving *rude* popups and sometimes warnings that ur system is so infected it's about to blow.
First:
Kill processes: virusburst.exe
To do this click ctrl+alt+del and select SDMonitor.exe then click end task.
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirusBurst
HKEY_CLASSES_ROOT\TypeLib\{728E63B0-5165-4E98-9C83-EF987EEB66C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{728E63B0-5165-4E98-9C83-EF987EEB66C9}
HKEY_LOCAL_MACHINE\SOFTWARE\VirusBurst
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusBurst
Then
Unregister DLLs:
duxzj.dll, eowygj.dll, gtpbx.dll, httge.dll, oqabf.dll, gqagksr.dll, qxfgcg.dll, syycum.dll, titiau.dll, wuwbxp.dll, xtgwjrm.dll, zphnok.dll
This can be done simply by opening the run window and typing cmd then hit ok.
When the Command Prompt window appears, change the directory to the DLL location "IScript7.dll".
Type the cd command (it is used to change the current directory), hit space and enter the full path to the DLL.
Press enter.
This will change the current directory to the one you have entered. To display directory contents use the dir command.
Within the exact directory type this command: regsvr32 /u [dll_name] and press enter
If the DLL was registered in the system and the operation was successful, you should see a message that says "DllUnregisterServer in IScript7.dll succeeded."
If you have accidentally unregistered a harmless DLL, you can register it back by invoking the regsvr32 command without the /u key: regsvr32 [dll_name]. This will undo the changes.
Then simply,
Delete files:
virusburst.exe, duxzj.dll, eowygj.dll, gtpbx.dll, httge.dll, oqabf.dll, gqagksr.dll, qxfgcg.dll, syycum.dll, titiau.dll, wuwbxp.dll, xtgwjrm.dll, zphnok.dll, vb.ini
and finally
Delete directories:
C:\Program Files\VirusBurst
There's always the easy way of doing all this, simply download Spyware Doctor from a secure source, and it will get rid of it for u, but doing it manually will ensure u've gotten rid of it 100%
Hope that helps...phew!
|
|
|
10-09-2006, 02:11 PM
|
#2 (permalink)
|
|
Senior Member
Join Date: 01-02-06
Location: The Netherlands
Posts: 547
|
Quote:
Originally Posted by Tanya
VB is a trojan btw. It gives you an icon in the system tray and keeps giving *rude* popups and sometimes warnings that ur system is so infected it's about to blow.
First:
Kill processes: virusburst.exe
To do this click ctrl+alt+del and select SDMonitor.exe then click end task.
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirusBurst
HKEY_CLASSES_ROOT\TypeLib\{728E63B0-5165-4E98-9C83-EF987EEB66C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{728E63B0-5165-4E98-9C83-EF987EEB66C9}
HKEY_LOCAL_MACHINE\SOFTWARE\VirusBurst
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusBurst
Then
Unregister DLLs:
duxzj.dll, eowygj.dll, gtpbx.dll, httge.dll, oqabf.dll, gqagksr.dll, qxfgcg.dll, syycum.dll, titiau.dll, wuwbxp.dll, xtgwjrm.dll, zphnok.dll
This can be done simply by opening the run window and typing cmd then hit ok.
When the Command Prompt window appears, change the directory to the DLL location "IScript7.dll".
Type the cd command (it is used to change the current directory), hit space and enter the full path to the DLL.
Press enter.
This will change the current directory to the one you have entered. To display directory contents use the dir command.
Within the exact directory type this command: regsvr32 /u [dll_name] and press enter
If the DLL was registered in the system and the operation was successful, you should see a message that says "DllUnregisterServer in IScript7.dll succeeded."
If you have accidentally unregistered a harmless DLL, you can register it back by invoking the regsvr32 command without the /u key: regsvr32 [dll_name]. This will undo the changes.
Then simply,
Delete files:
virusburst.exe, duxzj.dll, eowygj.dll, gtpbx.dll, httge.dll, oqabf.dll, gqagksr.dll, qxfgcg.dll, syycum.dll, titiau.dll, wuwbxp.dll, xtgwjrm.dll, zphnok.dll, vb.ini
and finally
Delete directories:
C:\Program Files\VirusBurst
There's always the easy way of doing all this, simply download Spyware Doctor from a secure source, and it will get rid of it for u, but doing it manually will ensure u've gotten rid of it 100%
Hope that helps...phew!
|
First of all I would like to thank you for taking the time to help me out!
BUT!! * oh oh!
I type ctrl-alt-del and I don't see the SDMonitor.exe. Second how do I delete those registry values ( where? )
thanks once again!
|
|
|
10-09-2006, 02:25 PM
|
#3 (permalink)
|
|
v7n Goddess
Join Date: 09-24-06
Location: Where I Belong
Posts: 3,119
|
Quote:
Originally Posted by Klaas Koopman
First of all I would like to thank you for taking the time to help me out!
BUT!! * oh oh!
I type ctrl-alt-del and I don't see the SDMonitor.exe. Second how do I delete those registry values ( where? )
thanks once again!
|
First
Launch the Registry Editor. Press the Start button and then click Run. Type regedit into the Open: field. Then click on the OK button.
Now
This program consists of two panes. Use the left pane to navigate to a certain registry key. In the right pane you'll see values, which belong to that selected key.
To edit/modify/delete the value, right-click on it and select the Delete (in your case) option from the menu that appears.
That simple...but look
If it's ur first time to do this... just simply back up the Windows registry before editing it, so that you can quickly restore it later if something goes wrong. Nothing to worry too much about though...
As to killing the process "virusburst.exe", it 'should' appear in the Windows Task Manager / Processes tab ....double check because u may have missed it. If it's not there, ur best bet is u should disconnect from the net while doing this, because u'll most likely render its activity useless while u extract it. After you do so, reboot and 'then' connect to the net.
Hope that helps

|
|
|
10-10-2006, 01:10 PM
|
#4 (permalink)
|
|
v7n Goddess
Join Date: 09-24-06
Location: Where I Belong
Posts: 3,119
|
1. Download Pocket KillBox or KillBox utility.
2. Press Start > Settings, and open the Control Panel. Launch the Add or Remove Programs tool. In the list of installed software find the VirusBurst entry. Uninstall the corresponding program.
3. Download the HijackThis program. Run a system scan, then fix the following entries (if present):
O2 - BHO: (no name) - { [CLSID, a combination of letters and digits] } - [filename]
O3 - BHO: Protection Bar - { [CLSID, a combination of letters and digits] } - [filename]
O4 - HKLM\..\Run: [VirusBurst] C:\Program Files\VirusBurst\virusburst.exe
4. Now restart your system in Safe Mode. This step is very important!
5. Once in Safe Mode, use either Pocket KillBox or KillBox to delete all the files from the list above present in your system.
Malicious files in C:\WINDOWS\System32 or C:\WINNT\System32:
duxzj.dll
eowygj.dll
gqagksr.dll
gtpbx.dll
httge.dll
oqabf.dll
qxfgcg.dll
syycum.dll
titiau.dll
wuwbxp.dll
xtgwjrm.dll
zphnok.dll
Malicious files in C:\Program Files\VirusBurst:
virusburst.exe
vb.ini
6. Delete the following directories (if present):
C:\Program Files\VirusBurst
C:\Program Files\PCODEC
If this does not work, and you do not wish to re-install your OS then the only other way that will work for sure is by using either Spy Sweeper or PC Tools Spyware Doctor, but I don't think the trial versions will do more than reveal the locations of these files. The paid for versions will delete all traces of the trojan.
I really feel sorry for you, having to deal with all this crap, the trojan and all...I hate it when that happens to me sometimes, and sorry I couldn't have helped till now.
Last edited by Tanya; 10-10-2006 at 01:12 PM..
Reason: Typo's Grrr!
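
Added example, not part of any post in this thread: a read-only PowerShell check that reports which of the registry keys, files, directories and process named in posts #1 and #4 are actually present on a machine, which helps when the listed keys cannot be found, as reported later in the thread. The function name `Get-VirusBurstArtifact` is made up for this example, and the DLLs are assumed to sit in the System32 directory as post #4 states.

```powershell
# Added example: read-only inventory of the VirusBurst artifacts listed in this thread.
# It reports what is present and changes nothing. Get-VirusBurstArtifact is a made-up name.
function Get-VirusBurstArtifact {
    $sys32  = Join-Path $env:SystemRoot 'System32'       # C:\WINDOWS\System32 or C:\WINNT\System32
    $appDir = Join-Path $env:ProgramFiles 'VirusBurst'   # C:\Program Files\VirusBurst

    # Registry keys from post #1 (the Registry:: prefix avoids needing an HKCR: drive).
    $keys = @(
        'Registry::HKEY_CLASSES_ROOT\TypeLib\{728E63B0-5165-4E98-9C83-EF987EEB66C9}',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{728E63B0-5165-4E98-9C83-EF987EEB66C9}',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\VirusBurst',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusBurst'
    )
    # File names from posts #1 and #4.
    $dlls = 'duxzj','eowygj','gqagksr','gtpbx','httge','oqabf',
            'qxfgcg','syycum','titiau','wuwbxp','xtgwjrm','zphnok'
    $files  = @($dlls | ForEach-Object { Join-Path $sys32 "$_.dll" })
    $files += (Join-Path $appDir 'virusburst.exe'), (Join-Path $appDir 'vb.ini')
    $dirs   = $appDir, (Join-Path $env:ProgramFiles 'PCODEC')

    $report = @()
    foreach ($k in $keys)  { $report += [pscustomobject]@{ Kind='RegistryKey'; Item=$k; Present=(Test-Path -LiteralPath $k) } }
    foreach ($f in $files) { $report += [pscustomobject]@{ Kind='File'; Item=$f; Present=(Test-Path -LiteralPath $f -PathType Leaf) } }
    foreach ($d in $dirs)  { $report += [pscustomobject]@{ Kind='Directory'; Item=$d; Present=(Test-Path -LiteralPath $d -PathType Container) } }

    # "Run\VirusBurst" is a value under the Run key, not a subkey, so test the property.
    $runKey   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = Get-ItemProperty -LiteralPath $runKey -Name 'VirusBurst' -ErrorAction SilentlyContinue
    $report  += [pscustomobject]@{ Kind='RunValue'; Item="$runKey -> VirusBurst"; Present=($null -ne $runValue) }

    # Running process named in the thread (virusburst.exe).
    $proc    = Get-Process -Name 'virusburst' -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{ Kind='Process'; Item='virusburst.exe'; Present=($null -ne $proc) }

    $report
}

Get-VirusBurstArtifact | Sort-Object Present -Descending | Format-Table -AutoSize
```

If every row shows `Present = False`, the machine does not match the artifact list given in this thread.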
|
|
|
10-12-2006, 09:14 AM
|
#5 (permalink)
|
|
Member
Join Date: 10-11-06
Posts: 55
Latest Blog: None
|
Hey Klaas. Don't ya just LOVE all that privacy invading and hardware / file destruction people do anymore?  Of course, sarcasm runs deep in that statement lol.
Try this lil prog. It's what I use and it kills, fixes and repairs just about anything out there because not only does it scan for infected progs and files, but it also scans and looks for infected .dll files. (I had a royal doozy that embedded and clocked itself in the registry and this killed it)
here's the link: http://www.xblock.com
then select: try it free now. That is the freeware version.
Also, whenever you are scanning for malicious code / files / etc. never reboot during the actual scan EVEN if you are instructed to! Do this AFTER all scanning and cleaning has been done! A lot of code has reboot protection commands in the shell files to prevent you from actually killing them by forcing a fake popup that tells you to 'reboot to uninstall'. Legitimate files / programs only require you to reboot to finish AFTER the initial uninstall.
Hopefully that helps
Dan
Last edited by chatxplanet; 10-12-2006 at 09:19 AM..
|
|
|
10-09-2006, 01:03 PM
|
#7 (permalink)
|
|
Member
Join Date: 04-29-05
Posts: 81
|
i think use Kaspersky
|
|
|
10-09-2006, 01:54 PM
|
#8 (permalink)
|
|
v7n Goddess
Join Date: 09-24-06
Location: Where I Belong
Posts: 3,119
|
Quote:
Originally Posted by muratozcirpici
i think use Kaspersky
|
 my way is better
for the record, Kaspersky has had a rough history of flaws!
Quote:
|
An attacker could exploit the heap overflow vulnerability to commandeer systems that run Kaspersky's products..
|
and so on..just so you know 
|
|
|
10-10-2006, 11:17 AM
|
#9 (permalink)
|
|
Senior Member
Join Date: 01-02-06
Location: The Netherlands
Posts: 547
|
okay I turned off my internet connection, then tried to find the registry keys but they weren't in there :S no virusburst keys or anything else for that matter which you told me in the message above!
what's going on here? 
|
|
|
10-10-2006, 01:13 PM
|
#10 (permalink)
|
|
Freakgeek
Join Date: 02-23-04
Location: Cleveland, Ohio
Posts: 11,072
Latest Blog: None
|
If you are having problems with Trojans, might I suggest Lifestyles or Durex?
Ok, sorry for the lame joke.
|
|
|
10-10-2006, 01:18 PM
|
#11 (permalink)
|
|
v7n Goddess
Join Date: 09-24-06
Location: Where I Belong
Posts: 3,119
|
Quote:
Originally Posted by Julie
If you are having problems with Trojans, might I suggest Lifestyles or Durex?
Ok, sorry for the lame joke.
|
It's not a lame joke...i laughed 
|
|
|
10-10-2006, 01:20 PM
|
#12 (permalink)
|
|
Freakgeek
Join Date: 02-23-04
Location: Cleveland, Ohio
Posts: 11,072
Latest Blog: None
|
Yay! 
|
|
|
10-11-2006, 08:34 AM
|
#13 (permalink)
|
|
Senior Member
Join Date: 09-29-06
Posts: 239
Latest Blog: None
|
I knew someone would make a joke like that lol
|
|
|
10-11-2006, 08:51 AM
|
#14 (permalink)
|
|
Contributing Member
Join Date: 02-20-04
Location: Friendswood, TX
Posts: 476
|
Once you get your rig fixed, I second the AVG recommendation mentioned earlier. It's worked really well for me.
Another recommendation is to stay away from pr0n.... 
|
|
|
10-11-2006, 12:44 PM
|
#15 (permalink)
|
|
v7n Goddess
Join Date: 09-24-06
Location: Where I Belong
Posts: 3,119
|
I just really hope Klaas gets this all fixed 
|
|
|
10-12-2006, 01:07 AM
|
#16 (permalink)
|
|
Senior Member
Join Date: 01-02-06
Location: The Netherlands
Posts: 547
|
Quote:
Originally Posted by Tanya
I just really hope Klaas gets this all fixed 
|
still didn't fix it Tanya.
It seems everything you people say is like outdated or something? cause you tell me to find certain reg keys etc, which don't exist, and kill process which isn't there.... has the virus updated itself?
|
|
|
10-11-2006, 10:29 PM
|
#17 (permalink)
|
|
Junior Member
Join Date: 09-30-06
Posts: 25
|
Another tip for you who have a computer that has viruses on it that your antivirus software can't get rid of (because it is compromised) or won't let you install new antivirus software is to take the infected hard drive, put it in a good machine and use the good machine to fix the infected hard drive. Put it this way: if you needed brain surgery would you have more success doing it yourself or getting someone to do it for you? Think on that...
For those of you too that would bring up that the infected disk would infect the good one, it hasn't happened to me yet with over ten times using this technique.
|
|
|
10-12-2006, 01:10 AM
|
#18 (permalink)
|
|
v7n Mentor
Join Date: 01-26-06
Location: Amsterdam
Posts: 2,497
Latest Blog: None
|
maybe you have something else?
|
|
|
10-12-2006, 01:12 AM
|
#19 (permalink)
|
|
Senior Member
Join Date: 01-02-06
Location: The Netherlands
Posts: 547
|
no cause when I click on the boxes that popup like errors it gets me to the virusburst homepage :S
|
|
|
10-12-2006, 07:24 AM
|
#20 (permalink)
|
|
Senior Member
Join Date: 06-20-04
Location: Ontario
Posts: 1,758
Latest Blog: None
|
Quote:
Originally Posted by Klaas Koopman
no cause when I click on the boxes that popup like errors it gets me to the virusburst homepage :S
|
That is one of the things you should not do. As a matter of fact, unless you absolutely trust the site that gave you a popup box, you should never dismiss it by clicking any elements within the client area of that box. Some of them may be executing some code that you don't want to be executed. I always advise people to dismiss those pesky boxes by either hitting the ESC key, or by clicking the Close border icon (X in the top right corner of the dialog).
That won't cure your PC but may help keeping new garbage from coming in.