Win32:Bubak[rtk] and Win32:Bubnix-J [Rtk]

Help me please. Avast has found these two viruses and it can't remove them. How can I remove them?
Thanks
Francexi

Have you tried the avast boot scan?
http://sites.google.com/site/spg20scottsweb/home/avast-5-boot-time-scan

Also try this:

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run Update before you scan so you have the latest database.
Click the Remove Selected button to quarantine anything found.
You may post the scan log here.

1. http://sites.google.com/site/rootrepeal/
Download it, then run it. When the GUI opens, click on the Report tab, then click Scan.
A new window will pop up; tick all items and press OK. The scan will begin, and when it finishes a Notepad window will open containing the report, which you should attach here so we can help.
2. Download Dr.Web CureIt and scan the system with it: http://www.freedrweb.com/cureit/?lng=en
3. I won't recommend a boot-time scan until I see the RootRepeal report.

This is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versione database: 4503

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29/08/2010 22.43.40
mbam-log-2010-08-29 (22-43-40).txt

Tipo di scansione: Scansione veloce
Elementi esaminati: 166416
Tempo trascorso: 9 minuti, 5 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 2
Valori di registro infetti: 1
Voci infette nei dati di registro: 3
Cartelle infette: 0
File infetti: 1

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spy protector (Rogue.SpyProtector) -> Quarantined and deleted successfully.

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
C:\Documents and Settings\Francesco\Dati applicazioni\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

This is the RootRepeal log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2010/08/30 09:09
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC049000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xAE758000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: icmvklx.sys
Image Path: icmvklx.sys
Address: 0xF75F7000	Size: 54016	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB6FC000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\francesco\dati applicazioni\mozilla\firefox\profiles\4y3ll2p9.default\sessionstore.js
Status: Size mismatch (API: 61363, Raw: 60850)

Path: C:\Documents and Settings\Francesco\Impostazioni locali\Apps\2.0\OC7DKMDT.QKO\AC3OD2PD.0DT\manifests\LogMeIn Hamachi.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Francesco\Impostazioni locali\Apps\2.0\OC7DKMDT.QKO\AC3OD2PD.0DT\manifests\LogMeIn Hamachi.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Francesco\Impostazioni locali\Apps\2.0\OC7DKMDT.QKO\AC3OD2PD.0DT\manifests\LogMeIn Host Software.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Francesco\Impostazioni locali\Apps\2.0\OC7DKMDT.QKO\AC3OD2PD.0DT\manifests\LogMeIn Host Software.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Francesco\Impostazioni locali\Apps\2.0\OC7DKMDT.QKO\AC3OD2PD.0DT\manifests\LogMeInBootstrapper.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Francesco\Impostazioni locali\Apps\2.0\OC7DKMDT.QKO\AC3OD2PD.0DT\manifests\LogMeInBootstrapper.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 025	Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac0696b8

#: 041	Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac069574

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac069a52

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac06914c

#: 119	Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac06964e

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac06908c

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac0690f0

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac06976e

#: 204	Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac06972e

#: 247	Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac0698ae

==EOF==

And this is the registry of Avast:

http://img801.imageshack.us/img801/7047/scani.jpg


Avast couldn't remove tbpanel.sys, and aec.sys, asynmac.sys and atmarpc.sys re-create themselves during boot.

Security Task Manager has found this file, sysrda32.exe, in the automatic-run directory.

up

So Malwarebytes removed some infections; is the problem gone, or do you need more help?

I can PM Essexboy so he can have a look at the rootrepeal log

The PC is still infected. Malwarebytes has removed the wrong infection. At the boot of my user, the Windows welcome music starts a few MINUTES after access, and if I press the Start button before I hear the welcome music, the computer stalls.

I recommend you follow this guide from Essexboy and post the logs:
http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs.

Lower left corner: Additional Options > Attach (OTL.Txt and Extras.Txt).

Have sent a PM to Essexboy so he will look at the logs when he arrives later today…

Okay,

Name: icmvklx.sys
Image Path: icmvklx.sys
Address: 0xF75F7000 Size: 54016 File Visible: No Signed: -
Status: -

is the bad driver, so from the main GUI of RootRepeal, on the Drivers tab press Scan, then navigate to "icmvklx.sys", right-click, then Dump File to the desktop. After that you can scan it with VirusTotal (the default name is dumped.sys).
After that, close all your running applications and save all your work, then right-click again on "icmvklx.sys" and click Force Delete (this may lead to a BSoD).
An alternative way is to download ThreatKiller from here http://www.novirusthanks.org/products/threat-killer/
and execute the attached file "kill.txt".
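As an added example (not from this thread, RootRepeal or any of the tools named here), the triage rule superhacker applied above can be automated: a driver whose Image Path is a bare file name was loaded without any recorded on-disk location, and SSDT hooks owned by anything other than the AV's own self-protection driver deserve a look. The sample report and both allowlists below are constructed assumptions.

```python
import re

# Assumptions for a healthy XP box: crash-dump copies of the storage stack and the
# scanner's own driver have no visible file, and only the AV's self-protection
# driver (aswSP.SYS for Avast) is expected to hook the SSDT.
EXPECTED_HIDDEN_PREFIXES = ("dump_", "rootrepeal.sys")
EXPECTED_HOOKERS = {"aswsp.sys"}
# Constructed sample in the RootRepeal format posted above; "unknown.sys" is invented.
SAMPLE_REPORT = """\
Drivers
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xAC049000\tSize: 98304\tFile Visible: No\tSigned: -

Name: icmvklx.sys
Image Path: icmvklx.sys
Address: 0xF75F7000\tSize: 54016\tFile Visible: No\tSigned: -

SSDT
#: 025\tFunction Name: NtClose
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xac0696b8
#: 122\tFunction Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\unknown.sys" at address 0xac06908c
"""
DRIVER_RE = re.compile(
    r"^Name: (?P<name>\S+)\nImage Path: (?P<path>[^\n]+)\n[^\n]*File Visible: (?P<vis>\w+)",
    re.MULTILINE)
HOOK_RE = re.compile(r'Function Name: (?P<fn>\w+)\nStatus: Hooked by "(?P<mod>[^"]+)"')


def suspicious_drivers(report):
    """Return (driver, reason) for loaded drivers that cannot be tied to a file on disk."""
    flagged = []
    for m in DRIVER_RE.finditer(report):
        name = m["name"]
        if name.lower().startswith(EXPECTED_HIDDEN_PREFIXES):
            continue
        # A bare file name as Image Path means the kernel recorded no on-disk location,
        # which is exactly how icmvklx.sys stood out in the log above.
        if "\\" not in m["path"]:
            flagged.append((name, "no on-disk image path"))
        elif m["vis"].lower() == "no":
            flagged.append((name, "file hidden from the Windows API"))
    return flagged


def unexpected_hooks(report):
    """Return (syscall, hooking module) for SSDT hooks not owned by an expected driver."""
    return [(m["fn"], m["mod"]) for m in HOOK_RE.finditer(report)
            if m["mod"].rsplit("\\", 1)[-1].lower() not in EXPECTED_HOOKERS]
```

Run against a real RootRepeal report, the allowlists should be adjusted to whatever security software is actually installed, otherwise every hook it places is reported.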

So these are the OTL logs.
Now I have done what superhacker says.
The software returned me an error:

Threat Killer - Scriptable Malware Remover 1.7.2.0
http://www.novirusthanks.org
Log started on 30/08/2010 at 15.49.29
Microsoft Windows XP 5.1 Service Pack 3 32-bit OS

[+] Script Executer Log:

(stop drivers) C:\WINDOWS\system32\DRIVERS\icmvklx.sys -> Error: Driver does not exist
(unload drivers) C:\WINDOWS\system32\DRIVERS\icmvklx.sys -> Error: Driver does not exist
Backup of C:\WINDOWS\system32\DRIVERS\icmvklx.sys failed.
(delete drivers) C:\WINDOWS\system32\DRIVERS\icmvklx.sys -> Error

End.


So delete it using RootRepeal (as in my previous post).

RootRepeal doesn't find any driver named icmvklx.sys.

Is this a legitimate copy of Windows? O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com. A USB you have been using was infected, and this shows signs of being a file infector.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O33 - MountPoints2\{504cc4b6-fa17-11de-8bd2-001d926108f8}\Shell\AutoRun\command - "" = G:\ji83j.exe -- File not found
O33 - MountPoints2\{504cc4b6-fa17-11de-8bd2-001d926108f8}\Shell\open\Command - "" = G:\ji83j.exe -- File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Well, these are the files Essexboy wants:

  • 08302010_195044.log is the log of the fixes with OTL
  • OTL.txt is the log of the quick scan with OTL
  • ComboFix.txt is… no, you know what it is

On completion of this run, can you let me know what problems you are still having?

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2010/08/07 14.30.31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Francesco\Impostazioni locali\Dati applicazioni\sAZFZ0OhLhLxtsx9A0
[2010/07/27 15.05.55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Francesco\Impostazioni locali\Dati applicazioni\p25QyNb6bOCyTFcsAH

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Well, these are the logs.

What problems are you experiencing now?

At the boot of my user, the Windows welcome music starts a few MINUTES after access, and if I press the Start button before I hear the welcome music, the computer stalls. This has happened since Avast reported the intrusion of a virus.

You have a 3D injector programme running as a driver; it is this that may be causing the hiccups. Do you need it to run at start?

I installed the 3D injector a week before the start of the problem.
The problem started when Avast found the virus.

I have uninstalled the 3D driver.
It hasn't changed anything.