How To Remove Bube.d Aka Win32.beavis Aka Isrvs


#1 Grinler (Lawrence Abrams), Admin
Posted 18 February 2005 - 05:04 PM

How to remove Bube.d aka Win32.Beavis aka isrvs



This article is reproduced with permission from the write up on how to cure this infection by Calamity Jane.


Bube.d aka Win32.Beavis is a new infection. The only program I have found so far that removes it properly is KAV Personal 5.0 (you can get a free 30 day trial, fully functional, that will remove it for you). We have found a number of AVs detect and claim to cure it but instead, they quarantine and/or delete the infected explorer.exe, leaving you with no desktop.

This infection can download over 100 different malwares, but some typical entries you might see in a log look like this (and after cleaning offline, they come right back as soon as you connect to the internet):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »searchmiracle.com/sp.php
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {2B5E7117-24E7-5914-3794-A3D089E4A773} - (no file)
O2 - BHO: (no name) - {57798B92-1E52-BB11-3BF1-51F50C193253} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [12C.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Mthnzl.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Yfkadl.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [15E.tmp] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [15E.tmp.exe] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [4.tmp] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [rE4W37i] jdbtil.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvayb32.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wnim.dll
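As an added example (not part of the original post or Calamity Jane's write-up), here is a small Python triage script that reads HijackThis-style entries like the ones above and flags the patterns this infection leaves behind: anything under the isrvs folder, O4 autoruns launched from a Temp folder, O15 Trusted Zone additions, O18 filter hooks, fileless O2 BHOs, and R1 search settings pointing at searchmiracle.com. The sample log is a constructed subset of the entries quoted above plus one made-up benign line, and the rules are assumptions drawn from this post, not a general-purpose scanner.

```python
import re

# Constructed sample: a subset of the HijackThis entries quoted in the post,
# plus one made-up benign O4 line as a control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »searchmiracle.com/sp.php
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {2B5E7117-24E7-5914-3794-A3D089E4A773} - (no file)
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [Example Benign] C:\Program Files\Example\example.exe
O15 - Trusted Zone: *.searchmiracle.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")      # HijackThis "O4 - ..." / "R1 - ..." shape
ISRVS_DIR = re.compile(r"\\isrvs\\", re.I)      # folder this infection creates
TEMP_DIR = re.compile(r"\\temp\\", re.I)        # autoruns launched from a Temp folder
SUSPECT_HOSTS = ("searchmiracle.com",)          # search hijack host named in the post

def classify(line):
    """Return (entry_type, reason) when a line matches an indicator from the post, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if ISRVS_DIR.search(body):
        return kind, "points into the isrvs folder"
    if kind == "O15" and body.startswith("Trusted Zone:"):
        return kind, "site added to the IE Trusted Zone (review every O15 after cleanup)"
    if kind == "O18" and body.startswith("Filter:"):
        return kind, "MIME filter hooked into IE (text/html or text/plain)"
    if kind == "O4" and TEMP_DIR.search(body):
        return kind, "autorun entry launching from a Temp folder"
    if kind == "O2" and body.endswith("(no file)"):
        return kind, "BHO registered with no backing file"
    if kind == "R1" and any(h in body for h in SUSPECT_HOSTS):
        return kind, "IE search setting pointed at a hijack host"
    return None

def scan(log_text):
    """Return [(line, entry_type, reason)] for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append((line, *result))
    return hits
```

Running scan(SAMPLE_LOG) flags every sample line except the constructed benign one, which is the behaviour you want before trusting the tool on a real log.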




Here is the article about the malware you have
http://www.viruslist.com/en/weblog

The file infecting AdWare saga continues
Roel February 10, 2005 | 15:28 MSK

We are currently seeing an increase in cases which involve file infecting AdWare.

These new viruses are more sophisticated than the one we previously reported and append malicious code to Windows' explorer.exe. The viruses belong to the Virus.Win32.Bube family.

For example, Virus.Win32.Bube.d downloads AdWare and Trojans, including: AdWare.ISearch.d, Trojan-Clicker.Win32.Agent.bn, Trojan.Win32.LowZones.ai and PornWare.Dialer.Salc.

Disinfection in this case is tricky, as explorer.exe is an important Windows process. Additionally, the malware tries to prevent removal by disabling system restore, infecting the explorer.exe residing in %sysdir%\dllcache and lowering overall system security.

Things can get extra complicated as an AV can block access to the infected explorer.exe.



Go here to download the free KAV Personal 5.0 Trial (good for 30 days)
http://www.kaspersky.com/index.html

Click on *downloads* on the left menu

Then scroll down and click on *trial versions*

Then choose *Kaspersky Anti-Virus Personal 5.0*

You will then have a list of the trial downloads to choose from (choose a location closest to you)

Choose *save* and it should create and save to a KAV folder on your hard drive

Navigate to the KAV folder and doubleclick on kav5.0trial_personalen.exe to install it.

You will see this screen showing the default folder it will install into. Click on *next*



If KAV detects another AV running on your PC it will advise you to uninstall it.
You can do that or you can disable the existing AV program and then press *yes* to continue.
The way to disable resident protection differs for different anti-virus programs. You might try right clicking on the icon for your AV program in the Windows System tray (on the lower right hand part of the screen) and looking at the different options.
Alternatively, you may disable your AV from starting with Windows using msconfig (Start > Run and type msconfig and OK. Click on the Startup Tab, uncheck all the startups relating to your AntiVirus and reboot).
The important thing is to set your current AV *not* to scan as your files are accessed, so that KAV can do its job



In my case, I just disabled the resident protection on EZ AV and that worked just fine without uninstalling it.

Next you will see the Kaspersky Anti-Virus Personal 5.0 Setup Wizard. It will advise you to close all other applications before starting setup. Do that and then press *Next* to continue.

You will then be presented with the License Agreement. Read that and when done you can agree to continue.

Next is the Customer Information screen. Just fill that in as you prefer and click on *next* to continue

You will be presented with some important KAV notes. I copied these and saved in Wordpad to refer back to if needed.

Please remove the green checkmark from the box that says *Operate according to Recommended settings*. This is so we can do a custom install.



Press *next* to continue after you have read those and unchecked the box for recommended settings

On the next screen, please uncheck the box for *use real-time protection against network attacks*
This has been known to cause problems on PCs running certain firewalls; you can try enabling it later after the initial install and scan.



You may leave the *iStreams technology* box checked if you like (I did) but it is generally recommended not to checkmark that box if you are going to uninstall KAV again after the infection has been removed.

Now it will choose the Destination folder (mine was fine as pre-selected by KAV). Click *next* to continue

Now you will get the *finish* screen

KAV will now open. If you are running a firewall, allow KAV to connect to get the updates it needs. Wait while the updates are downloaded and installed.



Now get the *extended database* of updates as well, to remove the AdWare that Virus.Win32.Bube may have downloaded. Look under *Settings*, and then *Configure Updater*. Choose Extended Database. Click *OK* and then Check for Updates and you will get another smaller update which will install.



Now click on *Settings* and choose *Configure On-demand scan settings* and select *Perform recommended action* and click *OK*. You might prefer to set the scan level to maximum, just to be sure that nothing is hiding in an email database.


Close KAV and any open programs you have running.


It is recommended you run the scan in SAFE MODE

* Boot into safe mode.
How to start the computer in Safe mode (here are instructions if you need them)
http://service1.symantec.com/SUPPORT/ts...ec_doc_nam
Once you have booted into safe mode, since XP can still allow an internet connection in safe mode:

Physically Disconnect from the Internet

* Open KAV but do not start the scan yet

* now and this is very important :

* Press Ctrl + ALT + DEL and bring up Task Manager, go to the Processes tab and right click on explorer.exe and then select stop process

Now your desktop will go blank and you will have no taskbar or menu etc. You will still have Task Manager and KAV open on the desktop, so do not close them.

* Now Start a full system scan. Click on the protection tab and Choose *Scan My Computer*
* It will take some time, probably 2 or 3 hours, and will delete any infected files it finds
* KAV will disinfect all files detected as Virus.Win32.Bube and many related malware it has downloaded.
* When it has finished, then in Task Manager press File > New Task and type explorer to regain the desktop etc.
* Close KAV & Task Manager
* Reboot back into normal mode.

Additional cleanup may be needed. Please be sure to post in the forum if you have any questions.

IMPORTANT NOTE! This virus changes security settings in your trusted zone and in the Windows Security Center. Please be sure to check all of your security settings after disinfecting.
................................
If you are asked to post a KAV log from your scan. Here's how:

Click on *View Reports*



When you go to View reports, you will see a list. Right click on the report *Full Scan* and a menu opens: choose *export detailed report to file*, which allows you to save it. It defaults as a .csv file, but I found I could save as .txt. Give it a name and click *save* to save the log.



Then you can attach your report to a reply for review.
.................................
If you have lost explorer.exe
If you have lost Explorer.exe from attempted cleaning with another AV, then ask for help on the forums as each version of Windows needs slightly different treatment.




This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

