A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13365  by thisisu
 Tue May 22, 2012 5:42 pm
EP_X0FF wrote: For removal navigate to

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
key "Debugger" will point to malicious file (in this case it was logonruser.exe). Delete key, reboot, delete dropper.
Additional notes:

The malicious file is moved to %sys32%
I did not find removing the key alone and then rebooting very effective, as the key is practically instantly regenerated (therefore, as soon as you reboot, you still have the same problem).
I found the following sequence of anti-malware tools most effective and least time consuming.
Roguekiller -> Detects and deletes the bad IFEO entry
Then run HitmanPro as it seems to consistently detect the bad .exe in %sys32%.
HitmanPro requires a reboot in this case, but you should be good after that. ;)

Beware:
As EP_X0FF stated, deleting the IFEO entry is most important and should be prioritized. If you delete the bad .exe in %sys32% ONLY (and leave the IFEO entry still there), upon reboot you will be stuck in the infamous logon/logoff loop.
In this case, you must delete the bad IFEO entry while the OS is offline.
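An added example (not part of the thread, and not code from any of the tools named above) that audits the persistence mechanism the posts describe: it walks every subkey under the IFEO key, reports any "Debugger" value, resolves a bare file name against System32 (where the post says the dropper is moved), and checks whether that file exists and how it is signed. The function name Get-IfeoDebuggerHijack and the list of logon-critical images are my own assumptions; it is meant for the online case, run from an elevated prompt, and is useful both before cleanup and after a reboot to confirm the value has not been regenerated.

```powershell
# Added example, not from the forum thread: audit IFEO "Debugger" values so a hijacked
# userinit.exe (or any other image) is reported together with the file it points at.
# Assumptions: run from an elevated PowerShell prompt on the affected machine while the
# OS is online; Get-IfeoDebuggerHijack is a name chosen here, not a built-in cmdlet.

function Get-IfeoDebuggerHijack {
    [CmdletBinding()]
    param(
        # Images for which a Debugger value is never legitimate on a normal workstation
        # (assumed list; userinit.exe is the one hijacked in this thread).
        [string[]]$CriticalImages = @('userinit.exe', 'winlogon.exe', 'explorer.exe')
    )

    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $results = @()

    foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction Stop) {
        $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.PSObject.Properties['Debugger']) { continue }

        $debugger = [string]$props.Debugger
        $image    = $sub.PSChildName

        # The Debugger value is a command line; its first token is the executable.
        # A bare name (e.g. "logonruser.exe" in the post) resolves against System32.
        $exe = ($debugger -split '\s+')[0].Trim('"')
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            $exe = Join-Path $env:SystemRoot "System32\$exe"
        }

        $exists = $exe -and (Test-Path -LiteralPath $exe)
        $signer = $null
        if ($exists) {
            # Unsigned or invalidly signed droppers stand out next to Microsoft-signed binaries.
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $signer = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
        }

        # Any Debugger on a logon-critical binary is treated as a hijack; elsewhere it needs review
        # (legitimate debuggers and some tooling do register themselves this way).
        if ($CriticalImages -contains $image) { $verdict = 'HIJACK' } else { $verdict = 'REVIEW' }

        $results += [pscustomobject]@{
            Image        = $image
            Debugger     = $debugger
            ResolvedPath = $exe
            FileExists   = $exists
            Signature    = $signer
            Verdict      = $verdict
        }
    }
    return $results
}

# Print the findings; no output means no Debugger values exist under IFEO at all.
Get-IfeoDebuggerHijack | Format-Table -AutoSize
```

Running this once before cleanup shows both halves that the post says must be handled together (the registry value and the file it points at); running it again after the reboot shows whether the value was regenerated, which is the behaviour thisisu reports. When the machine is already stuck in the logon/logoff loop the script cannot run, and the value has to be inspected and removed offline as the post says.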