
Trojan Downloader Bubnix (Hidden in C:\Windows\System32\Drivers)



Hello, recently I've been hit by Anti-Malware Doctor, and I'll be as thorough as possible to make this easier for those who decide to help.

I am very experienced with web design and coding, so I know the difference between something legitimate and not; when this pop-up came up I realized it was a virus. So I searched around and found this site to be one of the first results and its program (MBAM) to be the fix.

You're right, it did delete Anti-Malware and a lot of the trojans it had already downloaded. I also manually went into the registry and deleted some suspicious entries.

MBAM kept finding Rootkit.Bubnix and removed it, but it keeps coming back.

// My conclusion

Heres the virus info: http://www.microsoft.com/security/portal/T...:Win32/Bubnix.A

It hides in C:\Windows\System32\drivers under a randomly generated alias ______.sys; in my case it's nkjlup.sys, so those who try to Google these files are at a dead end because it's randomly generated.

I figured I would write that introduction and all the data I've gained, because I've seen people try to fix this.

// What Ive tried

- Safe mode scans

- Manual Removal

// Log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4487

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18943

27/08/2010 11:45:35 AM

mbam-log-2010-08-27 (11-45-35).txt

Scan type: Quick scan

Objects scanned: 23830

Time elapsed: 8 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\Drivers\nkjlup.sys (Rootkit.Bubnix) -> Quarantined and deleted successfully.

If you have this virus: I personally am getting Google result redirects and an INSANE AMOUNT OF LAG with the internet, so bad that I'm manually transferring the logs (e.g. unplugged the ethernet cord from my PC, grabbed a USB drive, transferred the .txt after MBAM finished scanning, and ran to my laptop :))

So this is the virus I've seen people try to solve:

http://forums.malwarebytes.org/index.php?showtopic=61393 (Recently posted, Unsolved)

http://forums.malwarebytes.org/index.php?s...=60906&st=0 (Recently posted, Solved)

So I think this is a rather frequent virus, and I believe many of us require help to solve this. I scrolled down to the Solved post and found that "recovery console" would fix it; unfortunately I own Vista and my recovery console is on the installation CD, which I no longer have. So I'm out of luck, considering that the guy who solved it manually deleted it. (Note: in safe mode and normal mode, if you try to delete the ____.sys virus it will not let you, even in Safe Mode with Command Prompt...)

So please, computer IT techs, help me solve this problem.
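The post above makes one observation worth turning into a check: the dropped driver sits in System32\drivers under a random name, so searching for the filename leads nowhere. What a defender can do instead is inventory the registered kernel drivers and look at properties the malware cannot fake, such as the Authenticode signature on the file. The script below is an added, read-only triage example; it is not part of this thread or of any Malwarebytes tool. It assumes Windows PowerShell run as Administrator and uses only built-in cmdlets (Get-WmiObject, Get-AuthenticodeSignature, Get-ChildItem); the driver directory path and the column names in the output are this example's own choices.

```powershell
# Added example (not from the thread): inventory kernel drivers registered on
# the system and flag any whose file in System32\drivers lacks a valid
# Authenticode signature or is missing from disk. Read-only; it deletes nothing.
# Assumptions: Windows PowerShell run as Administrator. Get-WmiObject is used
# because it exists on Vista-era PowerShell 2.0 as well as later versions.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-WmiObject Win32_SystemDriver | ForEach-Object {
    $svc  = $_
    # PathName is usually like \??\C:\Windows\system32\drivers\foo.sys,
    # \SystemRoot\system32\DRIVERS\foo.sys or system32\DRIVERS\foo.sys;
    # normalise it to an absolute path before touching the file.
    $path = $svc.PathName
    if ($path) {
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
    }
    $exists = $path -and (Test-Path -LiteralPath $path)
    $status = if ($exists) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        'FileMissing'
    }

    New-Object PSObject -Property @{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $path
        Signature = $status
    }
}

# Running drivers with no valid signature are the ones worth a second look.
# 'NotSigned' is normal for some legitimate third-party drivers, so treat this
# as a triage list, not a verdict.
$suspects = $report | Where-Object { $_.State -eq 'Running' -and $_.Signature -ne 'Valid' }
$suspects | Sort-Object Service | Format-Table Service, StartMode, Signature, Path -AutoSize

# Also list .sys files in the drivers folder that no service entry refers to,
# newest first; a recently written file nothing claims is worth explaining.
$referenced = $report | ForEach-Object { if ($_.Path) { $_.Path.ToLower() } }
Get-ChildItem -LiteralPath $driverDir -Filter *.sys |
    Where-Object { $referenced -notcontains $_.FullName.ToLower() } |
    Select-Object Name, Length, LastWriteTime |
    Sort-Object LastWriteTime -Descending
```

Read the two listings together: a running driver whose file is unsigned, or a freshly written .sys that no service references, is the kind of entry to submit for analysis. The caveat is the one the post itself describes: an active kernel rootkit can hide its file from normal directory listings and block deletion from user mode, so an empty result is not proof of a clean system. This check complements a rootkit scanner that works below the Windows API, as recommended in the replies; it does not replace it.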


Hi,

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Update: I just clicked Skip once and there was a log; I read over it and it wasn't really important... I scanned again with TDSSKiller and instead of "Skip" I selected Delete for both. After that, it asked for a reboot. Once the computer restarted I checked the directory where the virus was, and it is no longer there :)

I didn't run ComboFix, considering TDSSKILLER SOLVED THE PROBLEM!

Thank you very much Gammo and the Malwarebytes.org community :)


Hi,

Please run ComboFix anyway, and include the C:\ComboFix.txt log in your next reply.

There could be more infections on your system, or some leftovers that are related to the infections that TDSSKiller deleted. This might sound a little harsh, but I'll decide when your PC is clean, OK? :)


Well, you saved me once, why not another :). I'll update you with the logs soon.


Hmm, OK. Please abort ComboFix by rebooting your PC.

Then download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Under the Custom Scan box paste this in
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\System32\Wbem\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    ipconfig /all
    nslookup google.com
    nslookup yahoo.com
    ping -n 2 google.com
    ping -n 2 yahoo.com
    route print
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time.


I let ComboFix scan a little bit longer and it deleted a few more things; then I went to check my laptop (where I'm posting from), and when I came back to my PC it was logging off, and has been for about 5 minutes..

"Logging off...." on the Vista screen.....

I saw ComboFix on YouTube and it said "Please let ComboFix reboot itself".


I waited an extra few minutes to let it log off, still nothing, so I restarted; when I logged in to Windows, ComboFix popped up saying something about creating logs, do not run any programs till finished...

Been waiting 5 minutes; should I still do OTL or wait for the ComboFix log and post that?


Hi,

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
