Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
W32/Bube.gen Help please!
gary rabbitt (Senior Member, 164 posts, Nashville, TN; Experience: Intermediate), 28-Apr-2005, 02:37 AM, #1
W32/Bube.gen Help please!
Hello,
Win98SE
I have been infected with the Bube virus. A little history: I have been hit with lots of adware and spyware.
I have constantly fixed the BHO loader in HijackThis.
Ran Spybot S&D, AdAware, Stinger, Trojan Remover. I deleted the paths in the registry that pointed to an installer.
Upon receiving some of this malware, the temp internet folder showed the system accessed these sites:
67.19.178.86/connect.cgi?id=1742
67.19.178.86/connect.htm
Well, among others too. I just had a McAfee popup say that C:\windows\explorer was infected with the W32/Bube.gen virus and cannot be cleaned.
What should I do? I don't think Windows will run without it if I am able to delete it, right? Should I delete explorer.exe? Scanning it finds 3 files; one is infected inside of it, I guess.
I selected "Quarantine".
So, no matter what I have done in the last few days, all of a sudden there is spyware on the system.
BTW, upon startup I have had popups come up with an Internet Explorer toolbar thing, and almost every time a Sitebar! install box comes up.
It takes a while to run all the spyware programs to get rid of this stuff.
Could W32/Bube be causing all this to happen?
It just seems like there is something still remaining in the system, accessing the web, and I have looked in most of the registry; I could not find anything obvious.
Please help.
Thanks..... Gary
PS
As it stands right now, here is the HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 1:38:18 AM, on 4/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hotmail.com
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\MCAFEE.COM\SHARED\MCAPPINS.EXE /v=3 /cleanup
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: PopUp Killer.lnk = C:\Program Files\PopUp Killer\PopUpKiller.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\CFGTLK\AIM.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodat...datePortal.cab
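For readers triaging logs like the one above, here is a small HijackThis (HJT) log parser. It is example code added to this thread, not part of HijackThis or the original post; the sample lines are copied from the log above, and the "flags" are review heuristics chosen here (entries a reader would look at first), not verdicts on the entries.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied from the HJT log in the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hotmail.com
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\CFGTLK\AIM.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
"""

# HJT entry lines look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] cmd".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None      # CLSID for O3/O9/O16-style entries
    command: Optional[str] = None    # command line for O4 Run/RunServices entries
    flags: List[str] = field(default_factory=list)

def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header and "Running processes" lines are not entries
        e = Entry(m.group("section"), m.group("body"))
        if c := CLSID_RE.search(e.body):
            e.clsid = c.group(0)
        if e.section == "O4" and (r := RUN_RE.search(e.body)):
            e.command = r.group("cmd")
        # Review heuristics (assumed here): labels for a human reader, not verdicts.
        if e.section == "O3" and "(no name)" in e.body:
            e.flags.append("unnamed-toolbar")   # toolbar/BHO with no display name
        if e.section == "O4" and "RunServices" in e.body:
            e.flags.append("runservices")       # Win9x-only key, runs before logon
        if e.section == "O16" and "http://" in e.body.lower():
            e.flags.append("dpf-over-http")     # ActiveX control fetched without TLS
        entries.append(e)
    return entries

def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]
```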
gary rabbitt (Senior Member, 164 posts, Nashville, TN; Experience: Intermediate), 28-Apr-2005, 03:28 AM, #2
Replacing Explorer.exe Win98SE
Hello,
Since I have discovered I have a virus that cannot be cleaned in explorer.exe, I would like to replace it if possible. McAfee cannot clean it.
Is it possible to simply pull it off a disc (don't know which cab file it's in) and then replace it?
I am at a loss as to what to do, short of reinstalling. McAfee shows it's infected with the W32/Bube.gen virus.
I have a system restore disc, and can boot to that disc, then go to the menu to "replace files"? Would this apply also to explorer.exe?
Before doing any drastic measures, I need to make a disc of anything I'd like to save, just in case I can't boot up any more.
Thanks for your help.
Gary Rabbitt.....
OBP (Distinguished Member, 9,324 posts, UK; Experience: An old Basic Programmer), 28-Apr-2005, 05:24 AM, #3
gary rabbitt, I would suggest you mark this thread as solved with the Thread Tools at the top of the forum page and repost it on the Security Forum with the heading "Infected by w32/Bube.gen virus".
That will get you expert help on removing the virus.
khazars (Distinguished Member, 12,289 posts, Glasgow, Scotland), 28-Apr-2005, 06:05 AM, #4
Hi, welcome to TSG.

Yes it can, and it's very difficult to clean on a Win 98 machine. No, don't delete explorer.

You MUST make sure that your existing antivirus is disabled completely before installing Kaspersky. The easiest way to do that is to go to Start/Run, type msconfig and press OK.

On the screen that opens, go to the Startup tab and untick any references to your antivirus; in your case it will say Norton or Symantec.
Then on the Services tab untick any Norton or Symantec entries.
Then press OK a few times to get back to Windows and reboot.

Download, install and configure Kaspersky as described here:

http://www.bleepingcomputer.com/foru...vs-t11662.html

http://forums.subratam.org/index.ph...ic=3466&hl=bube

Do NOT run it yet.

Go to Start/Run, type cmd and press Return.

Then, on the black DOS-like screen, type the following exactly as written, including the spaces:

net stop delprot (hit Enter): you should get success in a few seconds, or a message saying the specified driver isn't installed, in which case just run Kaspersky and ignore the next line here.

sc delete "delprot" (hit Enter): you should get immediate success.

Then type exit to get back to Windows.

Now run Kaspersky; it could take about 2 to 3 hours to run and clean up.

When it has finished, download Crap Cleaner (CCleaner) and run it:

http://www.ccleaner.com/


Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply, then OK.

Run an online antivirus check from at least one, and preferably 2, of the following sites:
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://support.f-secure.com/enu/home/ols.shtml

Make sure autoclean is enabled on the scans.

Post another log.
__________________
Khazars

Member of ASAP

Alliance of Security Analysis Professionals
Tapeuup (Senior Member, 1,803 posts, OZ; Experience: Death & Taxes), 28-Apr-2005, 10:39 AM, #5
Rollin' Rog (Moderator, 44,913 posts, North of Hollywoodland; Experience: I know when to fold em'), 28-Apr-2005, 10:42 AM, #6
I've merged the two threads. In case you need to replace explorer.exe you can try the instructions below, but I believe this infection usually needs more thorough cleaning, so I would follow the advice given regarding Kaspersky AV.

Using SFC to extract files

1. Go to Start > Run and enter SFC and click OK
2. Check "Extract one File"
3. Enter the file name and click on "Start"
4. In the "Restore from" field enter: D:\WIN98 [if 'D' is not the letter of your CD-ROM drive, modify appropriately]
5. Click OK

*If you do not have a Windows system CD, try substituting c:\windows\options\cabs in the "Restore from" field.

*Note: in WinME, cabinet files may be found in the location c:\windows\options\install

Last edited by Rollin' Rog : 28-Apr-2005 10:50 AM.
gary rabbitt (Senior Member, 164 posts, Nashville, TN; Experience: Intermediate), 28-Apr-2005, 12:55 PM, #7
Thanks fellas,
I'll try Roger's first (thanks for the merge of these threads, I wasn't sure where to post), then do the Kaspersky method if that doesn't work.
Tape,
I'd do the reinstall as a last resort, but I have too many things set up already and it would take a long time to restore.
OK, I'll let you know what happens.
Take care, Gary
gary rabbitt (Senior Member, 164 posts, Nashville, TN; Experience: Intermediate), 28-Apr-2005, 03:28 PM, #8
Hi guys,
You are lifesavers!!
I used the SFC method to start with, restored the Explorer.exe with no problem. So far I have no indication of the Bube virus, knock on wood.
I appreciate all the help here, as in the past with other issues.

You may mark this thread as 'solved' if you wish.
Take care, and the best to you all.
Gary "Rabbitt"