Bube.d (Beavis) Removal [ISRVS], Spyware keeps returning after removal!
Feb 20 2005, 12:59 AM, Post #1
Group: Admin, Posts: 550, Joined: 22-February 04, Member No.: 105
Bube.d aka Win32.Beavis is a new infection. The only program I have found so far that removes it properly is KAV Personal 5.0 (you can get a free 30 day trial, fully functional, that will remove it for you). We have found a number of AVs detect and claim to cure it but instead, they quarantine and/or delete the infected explorer.exe, leaving you with no desktop. This infection can download over 100 different malwares, but some typical entries you might see in a log look like this (and after cleaning offline, they come right back as soon as you connect to the internet)

We are finding that some users are blocked from the KAV site due to changes in the HOSTS file. If you cannot get to the download link provided or are having trouble updating KAV, please try the following:

Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'. Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

You must get the updates before scanning. Detailed instructions for updating are below.

Go here to download the free KAV Personal 5.0 Trial (good for 30 days): http://www.kaspersky.com/index.html
OR HERE: http://www.kaspersky.com/trials
Click on *downloads* on the left menu. Then scroll down and click on *trial versions*. Then choose *Kaspersky Anti-Virus Personal 5.0*. You will need to register for the trial version. You will then have a list of the trial downloads to choose from (choose a location closest to you). Choose *save* and it should create and save to a KAV folder on your hard drive.

Navigate to the KAV folder and doubleclick on kav5.0trial_personalen.exe to install it. You will see this screen showing the default folder it will install into. Click on *next*.

If KAV detects another AV running on your PC it will advise you to uninstall it. You can do that or you can disable the existing AV program and then press *yes* to continue. The way to disable resident protection differs for different anti-virus programs. You might try right clicking on the icon for your AV program in the Windows System tray (on the lower right hand part of the screen) and looking at the different options. Alternatively, you may disable your AV from starting with Windows using msconfig (Start > Run and type msconfig and OK. Click on the Startup Tab, uncheck all the startups relating to your AntiVirus and reboot). The important thing is to set your current AV *not* to scan as your files are accessed, so that KAV can do its job. In my case, I just disabled the resident protection on EZ AV and that worked just fine without uninstalling it.

Next you will see the Kaspersky Anti-Virus Personal 5.0 Setup Wizard. It will advise you to close all other applications before starting setup. Do that and then press *Next* to continue. You will then be presented with the License Agreement. Read that and when done you can agree to continue. Next is the Customer Information screen. Just fill that in as you prefer and click on *next* to continue.

You will be presented with some important KAV notes. I copied these and saved in Wordpad to refer back to if needed. Please remove the green checkmark from the box that says *Operate according to Recommended settings*. This is so we can do a custom install. Press *next* to continue after you have read those and unchecked the box for recommended settings.

On the next screen, please uncheck the box for *use real-time protection against network attacks*. This has been known to cause problems on PCs running certain firewalls; you can try enabling it later after the initial install and scan. You may leave the *iStreams technology* box checked if you like (I did) but it is generally recommended not to checkmark that box if you are going to uninstall KAV again after the infection has been removed.

Now it will choose the Destination folder (mine was fine as pre-selected by KAV). Click *next* to continue. Now you will get the *finish* screen. KAV will now open. If you are running a firewall, allow KAV to connect to get the updates it needs. Wait while the updates are downloaded and installed.

Now get the *extended database* of updates as well, to remove the AdWare that Virus.Win32.Bube may have downloaded. Look under *Settings*, and then *Configure Updater*. Choose Extended Database. Click *OK* and then Check for Updates and you will get another smaller update which will install.

Now click on *Settings* and choose *Configure On-demand scan settings* and select *Perform recommended action* and click *OK*. You might prefer to set the scan level to maximum, just to be sure that nothing is hiding in an email database.

After clearing the HOSTS file with Hoster, if you still cannot connect to the internet to get the updates on an infected PC, follow the steps below for Manual Updating. If the update was successful, please proceed to the Scanning Section.

SCANNING

Close KAV and any open programs you have running. It is recommended you run the scan in SAFE MODE.
* Boot into safe mode. How to start the computer in Safe mode (here are instructions if you need them): http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
* Once you have booted into safe mode, as XP can still allow an internet connection in safe mode, physically disconnect from the Internet.
* Open KAV but do not start the scan yet.
* Now, and this is very important: press Ctrl + ALT + DEL and bring up Task Manager, go to the Processes tab, right click on explorer.exe and then select stop process. Now your desktop will go blank and you will have no taskbar or menu etc. You will still have Task Manager and KAV open on the desktop, so do not close them.
* Now start a full system scan. Click on the Protection tab and choose *Scan My Computer*. It will take some time, probably 2 or 3 hours, and will delete any infected files it finds.
* KAV will disinfect all files detected as Virus.Win32.Bube and many related malware it has downloaded.
* When it has finished, then in Task Manager press File/New Task and type explorer to regain the desktop etc.
* Close KAV & Task Manager.
* Reboot back into normal mode.

Additional cleanup may be needed. Please be sure to post in the forum if you have any questions.

IMPORTANT NOTE! This virus changes security settings in your Trusted Zone and in the Windows Security Center. Please be sure to check all of your security settings after disinfecting.

If you are asked to post a KAV log from your scan, here's how: Click on *View Reports*. When you go to View Reports, you will see a list. Right click on the report *Full Scan* and a menu opens: choose *export detailed report to file*, which allows you to save it :-) It defaults as a .csv file, but I found I could save as .txt. Give it a name and click *save* to save the log. Then you can attach your report to a reply for review.

If you have lost explorer.exe

If you have lost Explorer.exe from attempted cleaning with another AV or tool, please contact Microsoft's PCSAFETY. This is a free service and toll-free call: 1-866-PCSAFETY or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support outside the United States and Canada, please contact Microsoft Help and Support worldwide. Go to this page and choose your region from the box in the upper right corner: http://support.microsoft.com/?pr=SecurityHome

New Development! {25 Mar 2005}

KAV does clean most of the infection but does not fix the registry settings that were changed by the Bube trojan (and its accompanying multiple spyware infections) that lower many security settings on the victim's PC. I asked Microsoft to look into the Bube infections and the security settings particularly. They have been studying the different variants and the settings that are changed. I got an email this morning from them. I have been notified by the Microsoft Services and Field Security Support Team that the current signatures for the Microsoft Antispyware software will remove all variants through Bube.E currently and put the WU and IE Zone settings back to default. They are working on further variants, so updating the definitions is critical.

Microsoft Antispyware Beta1 is free and available for Microsoft Windows 2000, Windows XP, or Windows Server 2003. You can get the download here: http://www.microsoft.com/athome/security/s...re/default.mspx
Be SURE to get the latest updates for the program (just open the program and click on the *Spyware Definitions* to update the program before scanning).

Edited 21 Feb 2005: Added Hosts file replacement info
Edited 25 Feb 2005: Added Microsoft hotline to contact if explorer.exe is missing
Edited 02 Mar 2005: Added Manual Updating Instructions and Alternate download links
Edited 25 Mar 2005: Added instructions to download and update Microsoft Antispyware program to fix security settings.
Edited 08 Apr 2005: Hoster link changed
Edited 27 Nov 2005: replaced alternate download link for Kav Personal 5.0

This post has been edited by CalamityJane: Nov 27 2005, 09:36 PM

--------------------
Proud Member of ASAP since 2004
Microsoft MVP Windows-Security 2003-2009
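A quick way to confirm the HOSTS tampering described above before reaching for Hoster, as an added example that is not part of the original post: the script parses a HOSTS file and flags any entry that pins a security vendor's domain to an address, so a blocked AV download can be traced to a specific line. The watched-domain list and the sample file are constructed for illustration; on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Flag HOSTS entries that redirect security-vendor domains (added example)."""
import ipaddress

# Illustrative list of domains an infection might pin to localhost to block
# AV downloads and updates (assumption: not the malware's actual block list).
WATCHED_SUFFIXES = ("kaspersky.com", "kaspersky-labs.com", "microsoft.com",
                    "windowsupdate.com", "symantec.com", "grisoft.com")

# The only mapping a stock Windows HOSTS file contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # first token is not an address
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_entries(text):
    """Return mappings that override DNS for a watched security domain."""
    hits = []
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            hits.append((ip, host))
    return hits


# Constructed sample resembling a tampered HOSTS file (not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       downloads1.kaspersky-labs.com
0.0.0.0         windowsupdate.microsoft.com    # blocks Windows Update
192.168.0.10    intranet.example               # legitimate custom entry
"""

if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"{host} -> {ip}: restore the default HOSTS file")
```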
Guest_DC_*
Feb 27 2005, 08:28 AM, Post #2
Guests
I just had to sort out a Windows 98 PC infected with this. It produced another symptom too. You can install and run old versions of Grisoft AVG 7.0 free edition (e.g. 300a419), but if you either update AVG over the internet or install a later version in the first place (e.g. the current download which is 300a456), then when the PC reboots at the end of the installation, it gives the message "Error loading explorer.exe. You must reinstall Windows." Rebooting to safe mode and uninstalling AVG allows the PC to boot again.
If anyone else gets this symptom, I suggest using SFC to restore c:\windows\explorer.exe from the install CD. BTW the date on the modified explorer.exe is not recent, it looks as old as the installation, otherwise I would have spotted it earlier. I eventually discovered that the PC had this virus by installing AVG in customised mode, turning off Resident Shield and doing a full scan. AVG Free now detects this virus (it didn't 24 hours ago), however on seeing AVG detect a virus in Explorer.exe I immediately stopped the scan before AVG could quarantine or delete it.
Guest_Alison_*
Mar 7 2005, 09:18 PM, Post #3
Guests
I have also had trouble with the isearch toolbar. I tried the Kaspersky software but it did not completely remove isearch from my PC, and after searching the internet for more advice on how to remove it I came across the following uninstall link. I have used it and it has completely removed it from my PC. hxxp://toolbar.isearch.com/uninstall/

I have killed the hyperlink! Read this post at Wilder's to see that the uninstall link brings other problems with it!
This post has been edited by Bobbi Flekman: Mar 8 2005, 01:23 PM
Mar 25 2005, 07:45 PM, Post #4
Group: Admin, Posts: 550, Joined: 22-February 04, Member No.: 105
Edited to add: New Developments 25 Mar 2005!
Guest_Guest_*
Apr 8 2005, 12:10 AM, Post #5
Guests
Hi, I've got a Bube virus on my computer and one of the steps requires me to go into safe mode, but I cannot. When I try to get into it a list of files comes up and then just stops! So what can I do?
Apr 8 2005, 12:52 AM, Post #6
Group: Admin, Posts: 550, Joined: 22-February 04, Member No.: 105
Go ahead and run it in normal mode. You may need to reboot and scan again, but it should be able to fix explorer.exe in normal mode.
Apr 9 2005, 02:07 AM, Post #7
Group: Admin, Posts: 550, Joined: 22-February 04, Member No.: 105
The original instructions have been edited to reflect the new link for the Hoster program:
http://www.funkytoad.com/download/hoster.zip
Apr 10 2005, 03:05 PM, Post #8
Group: Admin, Posts: 550, Joined: 22-February 04, Member No.: 105
@judyjupiter:
I have moved your post to a thread of its own in the forum to get help. You have two replies. You can follow it here: http://forums.maddoktor2.com/index.php?showtopic=3786
Apr 15 2005, 04:36 AM, Post #9
Group: Admin, Posts: 550, Joined: 22-February 04, Member No.: 105
@infoplz
I have moved your post to a topic of its own to receive assistance. You can follow it here: infoplz Own Topic Here (Qoologic Trojan) http://forums.maddoktor2.com/index.php?showtopic=3881
Guest_Guest_*
Apr 25 2005, 01:01 AM, Post #10
Guests
I've been infected with the baddest mofo on the block. It changes my start page on IE, and even Microsoft AntiSpyware doesn't see it. It only shows up as a registry value change. I've deleted the value over and over again, can't find an .EXE running anywhere to pin it down. It laughs at everything. The only thing I can find is the registry value changing to
Value 17 Name: Start Page Type: REG_SZ Data: http://%72%6c%2e%77%65%62%74%72%61%63%65%72%2e%63%63/%2d/?%70%63%73%63%6d
I'm gonna run KAV, and some online scans... I know it's leeched to something I always run, but nothing is seeing it. Anyone have any ideas? Anyone know what this is? Is this hijack this? DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.312
Thanks, Craig
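Decoding the Start Page value quoted in the post above, as an added example that is not part of the original thread: the script parses the reported registry value line, undoes the %XX escapes that hide the hostname, and lists why the value looks hijacked rather than user-chosen. TRUSTED_HOSTS is an assumed list of home pages the user set deliberately; the reported line is the only input taken from the post.

```python
"""Decode a percent-encoded IE Start Page value and flag hijack signs (added example)."""
import re
from urllib.parse import unquote, urlsplit

# The registry value exactly as reported in the post above.
REPORTED_LINE = ("Value 17 Name: Start Page Type: REG_SZ Data: "
                 "http://%72%6c%2e%77%65%62%74%72%61%63%65%72%2e%63%63/%2d/?%70%63%73%63%6d")

# Assumption: home pages the user configured deliberately.
TRUSTED_HOSTS = {"www.msn.com", "www.google.com"}

LINE_RE = re.compile(r"Name:\s*(?P<name>.+?)\s+Type:\s*(?P<type>\S+)\s+Data:\s*(?P<data>\S+)")


def parse_value_line(line):
    """Split a 'Name: ... Type: ... Data: ...' report line into its three fields."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a registry value line: " + line)
    return m.groupdict()


def decode_url(value):
    """Undo %XX escapes until the string stops changing (handles double encoding)."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def assess_start_page(line):
    """Return the decoded URL, its host, and the reasons it looks hijacked."""
    rec = parse_value_line(line)
    raw = rec["data"]
    plain = decode_url(raw)
    host = urlsplit(plain).hostname or ""
    reasons = []
    if "%" in urlsplit(raw).netloc:
        reasons.append("hostname is percent-encoded, a common trick to hide it")
    if host and host not in TRUSTED_HOSTS:
        reasons.append("points at " + host + ", not a home page you chose")
    return {"name": rec["name"], "url": plain, "host": host, "reasons": reasons}


if __name__ == "__main__":
    result = assess_start_page(REPORTED_LINE)
    print(result["name"], "->", result["url"])
    for reason in result["reasons"]:
        print("  *", reason)
```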
Guest_Harry Crack_*
Jul 9 2005, 09:42 AM, Post #11
Guests
It managed to attach to msoffice.exe on my system. AVG picked it up but could do nothing to heal it. I had it removed anyway and re-installed the file from the CD.
Seems to be OK for now.
Nov 26 2005, 07:16 PM, Post #12
Group: ASAP VIP, Posts: 52, Joined: 17-February 05, Member No.: 2,669
Just to tell you, the Kaspersky Trial links are broken.
Nov 27 2005, 09:38 PM, Post #13
Group: Admin, Posts: 550, Joined: 22-February 04, Member No.: 105
Thanks! The main download link was ok, but you're right that the alternate links were no longer working. I replaced them with a link to the trial downloads page.