[resolved] need help about VirusBurster... kinda
fontas-x
5 Nov 2006, 3:11pm
Hello everyone,
I had problems with VirusBurster and I googled for help and this forum helped me very much. I think by following your guidelines and using my trusty anti/adware&virus programs, I may have cleaned my computers (I have 2 and I'll be posting a 2nd thread, because the problem is a bit different on each pc). Well here goes:
I have WinXP with SP2, Mozilla Firefox 1.5.0.7 (with adblock and adblock g) both up to date.
lavasoft ad-aware personal SE1R129 26.10.2006 : finds no problems (this was the 1st program that found and removed VirusBurster)
spybot s&d 11/3 up to date : finds no problems - No immediate threats were found
HijackThis (renamed as sweeper.exe) v1.99.1 : finds nothing suspicious, I'll be posting the log afterwards
after running smitfraud fix, nothing suspicious came up - I'll post the rapport txt afterwards
avg antispyware 7.5 up to date - found no threats
I'll be posting these logs and I'd like your professional opinions on what I should do next.
fontas-x
5 Nov 2006, 3:12pm
log of hijackthis 1.99.1
Logfile of HijackThis v1.99.1
Scan saved at 5:05:50 μμ, on 5/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\GusNukem\Επιφάνεια εργασίας\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
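The log above is the kind of thing a helper reads by eye: O2 lines are browser helper objects, O4 lines are Run-key autostarts, O23 lines are services. As an added example (not part of the thread, and not HijackThis's own logic), here is a small Python triage script that parses lines in the v1.99.1 format and flags the entries a reviewer would look at first: autostarts launched from user-writable folders, autostarts with no directory at all, services with "Unknown owner" or "(file missing)", and BHOs with no display name. The sample lines are constructed: the first six mirror entries in the poster's log, the last two are hypothetical bad entries added to exercise the checks. The folder list and the rules are assumptions for illustration; a hit is a prompt to verify the file, not a verdict.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    code: str      # HijackThis section, e.g. "O4" or "O23"
    reason: str    # why the line deserves a second look
    line: str      # the original log line


# Constructed sample in HijackThis v1.99.1 format. Lines 1-6 mirror real entries
# from the thread's log; the last two are hypothetical and NOT from the page.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O4 - HKCU\..\Run: [hypothetical] C:\Documents and Settings\User\Local Settings\Temp\hypo.exe
O23 - Service: Hypothetical Svc (HypoSvc) - Unknown owner - C:\WINDOWS\system32\hypo.exe (file missing)
"""

# Folders an autostart should rarely run from (assumption, XP-era paths).
USER_WRITABLE_HINTS = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\")

_O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
_O23_RE = re.compile(r'^O23 - Service: (?P<svc>.*?) - (?P<vendor>.*?) - (?P<path>.*)$')


def exe_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, quoted or not."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text: str) -> List[Finding]:
    """Walk the log and collect entries worth a manual check, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd")).lower()
            if any(h in path for h in USER_WRITABLE_HINTS):
                findings.append(Finding("O4", f"autostart runs from a user-writable folder: {path}", line))
            elif "\\" not in path:
                findings.append(Finding("O4", f"autostart has no directory, resolved via PATH: {path}", line))
            continue
        m = _O23_RE.match(line)
        if m:
            if m.group("vendor") == "Unknown owner":
                findings.append(Finding("O23", "service binary carries no vendor information", line))
            if m.group("path").endswith("(file missing)"):
                findings.append(Finding("O23", "service points at a file that no longer exists", line))
            continue
        if line.startswith("O2 - BHO: (no name)"):
            findings.append(Finding("O2", "BHO without a display name; verify the DLL path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Run against the constructed sample it reports five items: the unnamed Spybot BHO and the bare nwiz.exe entry (both legitimate here, which is exactly why the output is a review list rather than a removal list) plus the three hits on the two hypothetical lines.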
fontas-x
5 Nov 2006, 3:13pm
rapport txt
SmitFraudFix v2.119
Scan done at 16:33:33,01, Κυρ 05/11/2006
Run from C:\Documents and Settings\GusNukem\Επιφάνεια εργασίας\SmitfraudFix
OS: Microsoft Windows XP [Έκδοση 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\GusNukem
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\GusNukem\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GusNukem\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
fontas-x
5 Nov 2006, 3:16pm
avg free antispyware 7.5 report
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 4:22:55 μμ 5/11/2006
+ Scan result:
Nothing found.
::Report end
fontas-x
5 Nov 2006, 3:25pm
The problem arose after browsing sites of dubious content (I had opened a new tab in Firefox and a popup in it informed me I had won in some type of casino and I couldn't close either that tab or Firefox); ad-aware and spybot s&d detected and cleaned the problem (I ran them simultaneously!) and I googled for virusburster and found this forum. I have done more or less everything you advised briankbl to do ( http://short-media.com/forum/showthread.php?p=433982 ) and what it says to do in this ( http://www.short-media.com/forum/showthread.php?t=51142 ) sticky thread.
I think I have cleaned the problem, but is there anything else to do?
Do you see any other problems?
fontas-x
5 Nov 2006, 5:14pm
A couple of hours later, AVG Free spontaneously detected and claims it has healed the Trojan horse Generic2.GDO. Hmm...
Hi fontas-x! Good job on removing VirusBurster! :thumbsup:
Do you have an active Firewall running?
Your HijackThis log is clean. :)
Everything looks good, but you need to update Java as older versions have vulnerabilities that malware can use to infect systems.
Follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_5_0_09-windows-i586-p.exe to install the newest version.
:)
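The manual step that bites most people in the procedure above is deciding which Add/Remove Programs entries are "older" Java, because Sun labelled the same family two ways (1.4.2 builds as "Java 2 Runtime Environment, SE v1.4.2_03", 5.0 builds as "J2SE Runtime Environment 5.0 Update 6", where 5.0 Update 9 is internally 1.5.0_09). As an added example that is not from the thread or from Sun, this Python snippet normalises both naming styles to one version tuple, reads the target from the offline installer's file name, and splits the list into entries to remove and entries to keep. The installed-program names are constructed for illustration, not read from the poster's machine; the regexes cover only the two Sun patterns of that era and are an assumption.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]   # (major, minor, micro, update)

# Constructed Add/Remove Programs display names (illustration only).
INSTALLED = [
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "J2SE Runtime Environment 5.0",            # base release, no update
    "J2SE Runtime Environment 5.0 Update 9",
    "Mozilla Firefox (1.5.0.7)",               # not Java, must be ignored
    "AVG Anti-Spyware 7.5",
]

# Sun's two display-name styles of the period (assumed patterns).
_J2SE5_RE = re.compile(r'^J2SE Runtime Environment 5\.0(?: Update (\d+))?$')
_JRE14_RE = re.compile(r'^Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$')


def parse_jre_version(display_name: str) -> Optional[Version]:
    """Map a display name to (major, minor, micro, update); None if not a JRE."""
    m = _J2SE5_RE.match(display_name)
    if m:
        return (1, 5, 0, int(m.group(1) or 0))   # "5.0 Update N" is 1.5.0_N
    m = _JRE14_RE.match(display_name)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    return None


def parse_installer_version(file_name: str) -> Version:
    """jre-1_5_0_09-windows-i586-p.exe -> (1, 5, 0, 9)"""
    m = re.match(r'^jre-(\d+)_(\d+)_(\d+)_(\d+)-', file_name)
    if not m:
        raise ValueError(f"not a Sun JRE installer name: {file_name}")
    a, b, c, d = (int(x) for x in m.groups())
    return (a, b, c, d)


def plan_java_cleanup(installed: List[str], target: Version) -> Tuple[List[str], List[str]]:
    """Split installed names into (remove, keep): everything older than target goes."""
    remove: List[str] = []
    keep: List[str] = []
    for name in installed:
        v = parse_jre_version(name)
        if v is None:
            continue                      # unrelated program
        (remove if v < target else keep).append(name)
    return remove, keep


if __name__ == "__main__":
    target = parse_installer_version("jre-1_5_0_09-windows-i586-p.exe")
    remove, keep = plan_java_cleanup(INSTALLED, target)
    print("remove:", remove)
    print("keep:  ", keep)
```

Tuple comparison does the ordering, so 1.4.2_03 sorts below 1.5.0 base, which sorts below 1.5.0_06, and only the entry matching the installer's own version survives.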
fontas-x
5 Nov 2006, 7:25pm
Thanks for your reply T1000!
As for your questions: no, I'm afraid I only use the WinXP firewall. I tried installing ZoneAlarm, as Skywalker45 advised briankbl, but: a. it cut off my internet connection to the computer and b. after installing it, I couldn't access/run it in any way and when I tried to run it through the start menu I got a message saying I didn't have permission to do so. After I uninstalled it, my internet connection returned. Also, I think ZoneAlarm has its features limited after 15 days. Can you recommend a good firewall, completely lacking time-related restrictions?
the Trojan horse Generic2.GDO : This puzzles me. It came up after all this meticulous disinfection and I can't see where it originated from. I had AVG free - and all the other programs I've mentioned above - clear my computer not many hours back. This has happened at odd times before. And every time AVG free claims to successfully heal the infected file. Do you guys trust AVG free explicitly, or should I try buying a similar program?
Java : Is there some (automated) way to avoid this manual process every time a new Java Runtime Environment gets released?
Hi fontas-x!
As for your questions: no, I'm afraid I only use the WinXP firewall. I tried installing ZoneAlarm, as Skywalker45 advised briankbl, but: a. it cut off my internet connection to the computer and b. after installing it, I couldn't access/run it in any way and when I tried to run it through the start menu I got a message saying I didn't have permission to do so. After I uninstalled it, my internet connection returned. Also, I think ZoneAlarm has its features limited after 15 days. Can you recommend a good firewall, completely lacking time-related restrictions?
Sorry to hear about your Zone Alarm troubles. It seems that some people have problems with it, while others do not.
This link (http://www.freebyte.com/antivirus/#freefirewalls) has a selection of Firewalls. I haven't used any of them before, but the known ones are Kerio, Outpost, Comodo and obviously Zone Alarm. You could test some out and see which one you like. Remember to only have one Firewall running.
However, if you're happy with Windows Firewall, that is fine. Just remember it only blocks incoming traffic and not outgoing. While a software Firewall, like Zone Alarm does both.
the Trojan horse Generic2.GDO : This puzzles me. It came up after all this meticulous disinfection and I can't see where it originated from. I had AVG free - and all the other programs I've mentioned above - clear my computer not many hours back. This has happened at odd times before. And every time AVG free claims to successfully heal the infected file. Do you guys trust AVG free explicitly, or should I try buying a similar program?
No anti-virus or anti-spyware program is going to be able to detect every piece of malware and be able to remove it. That said, AVG anti-virus is a good program. AVG should tell you where the infected file is. If you can find out that info and post it here, that would be a big help.
Also, AVG anti-virus just released a new version, 7.5. If you still have 7.1, you should update now.
Java : Is there some (automated) way to avoid this manual process every time a new Java Runtime Environment gets released?
As far as I'm aware, no! I wish there was.
:)
jmoney3457
24 Dec 2006, 2:17pm
Glad I could be of assistance! The help you received here was free. Please read through some of these Prevention Tips (http://www.short-media.com/forum/showthread.php?t=39435) that Short-Media offers.
This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread (http://www.short-media.com/forum/newthread.php?do=newthread&f=57) instead :)
Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available at this link:
http://www.short-media.com/forum/showthread.php?t=29803