Problem with virusburst malware

Status
Not open for further replies.

daddystabz

Posts: 99   +0
I made the mistake of clicking a link the other night and now I am infected with virusburst malware on the computer I use at my mother's house. It is a real pain.

I have some experience with some of you from a problem I had on another computer you all helped me fix recently so knowing some of your procedures, I ran scans with ad-aware, AVG, and Spybot S&D. I eliminated all they found but I still have the Critical System Error flashing thingy in my taskbar that is the trademark of this malware infection.

I am going to follow the instructions that I saw in another thread that you all gave someone else that suffered with this issue. Is there a special part of the forum I'm supposed to post my HJT log to?

Also: one other issue. When I go to boot into safe mode under normal user... I noticed in my control panel that the normal user on this machine that I use all the time is listed also as the system admin. Would this be a problem with the steps I read on another thread to remove this malware? Should I make or try to use a different user account instead?

Thanks in advance!
 
I already ran all those things you mentioned.

Besides what I described above I also turned off system restore, opened up all hidden system files for viewing and tried booting into safe mode. I was unable to boot into safe mode... it keeps looping over and over again to the menu where you can select which mode. I went ahead and went into the machine in normal mode.

I then went to add/remove programs and looked to remove WinMediaCodec. There was nothing listed there associated with it.

Then I looked for isamini.exe in the running processes but did not see it listed there and promptly exited out of task manager.

Next I ran HijackThis! and scanned. I was able to find
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\WinMediaCodec\isaddon.dll
there and I checked the box and had HJT remove it. There was no other listing there I could find that was related to virusburst.

I next went to delete C:\WINDOWS\system32\titiau.dll but did not see the file in the folder there.

Next I located C:\Program Files\WinMediaCodec and deleted the entire folder, followed by deleting the quarantined files in AVG/Ewido anti-spyware.

I then ran Killbox and pointed it to delete the following at reboot:
C:\Program Files\WinMediaCodec\isaddon.dll
C:\Program Files\WinMediaCodec\isamonitor.exe
C:\Program Files\WinMediaCodec\isamini.exe

I clicked the last one and chose to let it restart but got an alert window saying some entry was removed by external process and the system didn't reboot. I rebooted manually to see if that might help finalize this.

Now I will run HJT and AVG again and save their logs to attach here.
 
You shouldn't be fixing things yourself as this makes it harder for me to know what's happening.

Once I have your HJT and AVG-Antispyware logs, I'll be in a better position to advise you.

Regards Howard :)

This thread is for the use of daddystabz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add/remove programmes in your control panel and uninstall anything to do with (if there).

Viewpoint
Viewpoint Manager

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ViewMgr.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\Viewpoint Delete the entire folder.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\dpfwu.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of daddystabz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
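The fix list above, and the poster's own HJT findings earlier in the thread, are all HijackThis log lines of the same shape: a section code (O2, O4, O21, R3), the entry type, a display name, an optional CLSID, and a file path (or "(no file)" for an orphaned registry entry). The following is an added example, not code from this thread or from HijackThis itself: a small parser for that line format plus a triage step that flags lines against the indicators quoted in this thread (the WinMediaCodec and dpfwu.dll CLSIDs, and the WinMediaCodec, Viewpoint and dpfwu.dll paths) and separates dead "(no file)" entries, which is the kind of orphan Howard asks to have fixed at the end. The sample log lines are constructed from the entries quoted in the thread plus one placeholder benign entry; the indicator list is an assumption built only from what this thread names, not a general signature set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: entries quoted in this thread plus one placeholder
# benign Run entry (PlaceholderApp is not a real product).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\WinMediaCodec\isaddon.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O4 - HKLM\..\Run: [PlaceholderApp] C:\Program Files\Placeholder\placeholder.exe
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
"""

# Indicators taken from the entries quoted in this thread (assumption: this
# list is thread-specific, not a general malware signature set).
KNOWN_BAD_CLSIDS = {
    "{202a961f-23ae-42b1-9505-ffe3c818d717}",  # WinMediaCodec isaddon.dll BHO
    "{dfa61db1-388e-4c87-8d56-540fa229bcb4}",  # SSODL "contrabandists" -> dpfwu.dll
}
KNOWN_BAD_PATH_FRAGMENTS = ("\\winmediacodec\\", "\\system32\\dpfwu.dll", "\\viewpoint\\")


@dataclass
class HjtEntry:
    section: str           # "O2", "O4", "O21", "R3", ...
    kind: str              # "BHO", "HKLM\..\Run", "SSODL", "URLSearchHook", ...
    name: str              # display name, "(no name)", or the [Run value name]
    clsid: Optional[str]   # lower-cased {GUID} when the line carries one
    path: str              # file path, "(no file)", or "" when absent


LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<path>.*)$")


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; return None for headers and non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
    if section == "O4":
        # Run-key entries look like "[ValueName] C:\path\to\file.exe args"
        r = RUN_RE.match(rest)
        if r:
            return HjtEntry(section, kind, r.group("name"), None, r.group("path"))
        return HjtEntry(section, kind, "", None, rest)
    # Other entries are " - " separated: name - {CLSID} - path
    parts = [p.strip() for p in rest.split(" - ")]
    name = parts[0]
    clsid = next((p.lower() for p in parts[1:] if CLSID_RE.fullmatch(p)), None)
    path = parts[-1] if len(parts) > 1 and not CLSID_RE.fullmatch(parts[-1]) else ""
    return HjtEntry(section, kind, name, clsid, path)


def classify(entry: HjtEntry) -> str:
    """Return 'malicious', 'inactive' or 'unknown' for one parsed entry."""
    if entry.clsid in KNOWN_BAD_CLSIDS:
        return "malicious"
    if any(frag in entry.path.lower() for frag in KNOWN_BAD_PATH_FRAGMENTS):
        return "malicious"
    if entry.path == "(no file)":
        return "inactive"  # orphaned registry entry: dead, but worth cleaning up
    return "unknown"       # needs a human look, as Howard does in the thread


def triage(log_text: str) -> Dict[str, List[str]]:
    """Bucket every entry line of an HJT log by classification."""
    result: Dict[str, List[str]] = {"malicious": [], "inactive": [], "unknown": []}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            result[classify(entry)].append(line.strip())
    return result


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(lines)})")
        for l in lines:
            print("  ", l)
```

Everything not matched by a thread-specific indicator lands in "unknown" rather than being called clean, which mirrors the thread's own approach: the log reader, not the script, decides what to fix. The "inactive" bucket is the "(no file)" case that Howard points out at the end of the thread.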
 
All the steps I've followed were done so based on the steps you always have us take first when someone reports a problem. I remembered them from a problem I had recently that you all helped me solve. I then followed the exact steps that you all advised another forum member here to take who had the exact same issue I'm having.

I have attached my fresh AVG scan log to this message and deleted all the things it found.

I will now do what you posted above.

Keep in mind that I have not been able to boot into safe mode on this machine... every time I try it loops me right back to the selection menu again to pick what mode to go in under.
 
I just finished the steps you recommended to me (without being in safe mode since I seem to be unable to get into it right now minus a boot disk), and now it seems that when I reboot the critical error message is gone! It seems like the problem is fixed now. The system seems to be running fine.

I ran HJT and here is my fresh/new log.

Thanks for the help!
 
Your HJT log is now clean.

Have HJT fix this inactive entry.

O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of daddystabz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 