Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32/Bubnix.AB


  • This topic is locked This topic is locked
4 replies to this topic

#1 acolyth

acolyth

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 02 June 2010 - 02:02 PM

Hello,
after virus data base update, my eset32 detected Win32/Bubnix.AB but I don't know how to remove it.

I performed all steps from Preparation Guide so I attach files. Hope you can help me guys.

Big thx.



DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Wojtek at 1:25:32,27 on 2010-06-02
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1033.18.2038.1302 [GMT 2:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
E:\OpenOffice.org 2.4\program\soffice.exe
E:\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Wojtek\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\progra~1\flashget\jccatch.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\j2re1.4.2_03\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\wojtek\startm~1\programs\startup\openof~1.lnk - e:\openoffice.org 2.4\program\quickstart.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBC}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145956553203
DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} - hxxp://67.15.101.33/g_bin/pl/poker_2_0_0_49.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wojtek\applic~1\mozilla\firefox\profiles\45th87lk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPPOKER.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2007-5-22 33856]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2008-7-1 468224]
S2 gupdate1c9c0c97d8c118;Google Update Service (gupdate1c9c0c97d8c118);c:\program files\google\update\GoogleUpdate.exe [2009-4-19 133104]
S3 USBVSP;USBVSP;c:\windows\system32\drivers\usbvsp.sys --> c:\windows\system32\drivers\Usbvsp.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 2005\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-06-01 21:34:28 0 d-----w- c:\docume~1\wojtek\applic~1\Malwarebytes
2010-06-01 21:33:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 21:33:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-01 21:33:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 21:33:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 20:59:07 0 d-sha-r- C:\cmdcons
2010-06-01 20:55:05 98816 ----a-w- c:\windows\sed.exe
2010-06-01 20:55:05 77312 ----a-w- c:\windows\MBR.exe
2010-06-01 20:55:05 256512 ----a-w- c:\windows\PEV.exe
2010-06-01 20:55:05 161792 ----a-w- c:\windows\SWREG.exe
2010-06-01 20:54:54 0 d-----w- C:\ComboFix

==================== Find3M ====================

2010-06-01 23:25:34 741376 ----a-w- c:\windows\system32\drivers\zhqqngn.sys
2010-06-01 23:25:34 586240 ----a-w- c:\windows\system32\drivers\Cdaudio.sys
2010-04-16 19:10:56 0 ----a-w- c:\windows\system32\drivers\Sfloppy.sys
2010-04-16 19:10:50 90112 ----a-w- c:\windows\DUMP7f71.tmp
2010-04-15 16:29:42 586240 ----a-w- c:\windows\system32\drivers\wceusbsh.sys
2010-04-15 16:29:41 586240 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2010-04-15 16:29:27 586240 ----a-w- c:\windows\system32\drivers\TDTCP.sys
2010-04-15 16:29:25 586240 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-04-15 16:29:24 586240 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-04-15 16:29:23 586240 ----a-w- c:\windows\system32\drivers\serial.sys
2010-04-15 16:29:22 586240 ----a-w- c:\windows\system32\drivers\serenum.sys
2010-04-15 16:29:21 586240 ----a-w- c:\windows\system32\drivers\rfcomm.sys
2010-04-15 16:29:13 586240 ----a-w- c:\windows\system32\drivers\parport.sys
2010-04-15 16:29:09 586240 ----a-w- c:\windows\system32\drivers\nwlnkfwd.sys
2006-05-03 09:06:54 163328 -csh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 -csh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 -csh--r- c:\windows\system32\nbDX.dll

============= FINISH: 1:26:03,21 ===============

Attached Files


Edited by acolyth, 02 June 2010 - 02:05 PM.


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 05 June 2010 - 09:33 PM

Hi and welcome. smile.gif

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a GMER log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or GMER log please refer to this page and in step #6 and Step #7 and Step #8 for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 acolyth

acolyth
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 09 June 2010 - 01:40 PM

Hi,

thx for support.

1. I did all the steps and left my computer for GMER test, - during this test ESET was all the time prompting that it found a virus in *.sys file (many files from C:\windows\system32\drivers directory).
2. When I come back to computer, it had blue screen so I restarted it but windows did not run. I've verified that it stops on loading \windows\System32\Drivers\Isapnp.sys file
3. I performed all actions from http://support.microsoft.com/kb/315311 but it did not help
4. I've found on some forum that I should delete all *.sys files (stored C:\windows\system32\drivers directory) which have 0kb size - so I did it and it helped - windows turned on.
5. I did again all the steps and attach logs to the post.


Regards,
acolyth

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 09 June 2010 - 06:41 PM

Hello.

Infection doesn't appear to be removed.

Did you run Combofix before?

We are going to run it again...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 17 June 2010 - 08:37 PM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users