Trojan.Win32.Buzus.efrp



Post by fraubau24 on 3rd June 2010, 4:05 pm

Hi, to start off, the whole problem began with me transferring files from my old external hard drive to my desktop PC. I did scan it with my updated Avira before the whole transfer, but nothing came of it. And so I finished that, but I remember getting a notice after I restarted the system: a pop-up notified me about a Generic Host Process error. Didn't mind it that much, and the next day as I came home I got an alert from Avira telling me that it had detected Conficker.Y.12. Firstly I tried Safe Mode, but the system wouldn't allow me to. Got the blue screen of death just by doing it. After rebooting to Normal mode I noticed that Avira had been disabled and that there was nothing I could do about it. I gave up on it, uninstalled it and replaced it with a trial version of Kaspersky Pure. Then what I did next was to export this from my laptop to the infected desktop >> HKLM\System\CurrentControlSet\Control\SafeBoot in an attempt to get to Safe Mode on my desktop. It did work, which allowed me to do a full scan with Kaspersky, which then resulted in the detection of this trojan.win32.buzus.efrp.
OTL logfile created on: 6/3/2010 11:21:46 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\fraubau\Desktop\New Folder
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 51.01 Gb Free Space | 74.63% Space Free | Partition Type: NTFS
Drive D: | 132.07 Gb Total Space | 15.69 Gb Free Space | 11.88% Space Free | Partition Type: NTFS
Drive E: | 97.65 Gb Total Space | 10.62 Gb Free Space | 10.87% Space Free | Partition Type: NTFS
Drive F: | 0.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-VV2IXWNG2T
Current User Name: fraubau
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/03 23:13:38 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fraubau\Desktop\New Folder\OTL.exe
PRC - [2010/01/15 04:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/12/25 16:43:40 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
PRC - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) -- C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
PRC - [2009/03/12 01:25:16 | 000,233,472 | ---- | M] (Teruten) -- C:\WINDOWS\system32\FsUsbExService.Exe
PRC - [2009/03/05 15:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2004/08/03 23:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/06/03 23:13:38 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fraubau\Desktop\New Folder\OTL.exe
MOD - [2004/08/03 23:57:02 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/03 23:56:42 | 000,059,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll
MOD - [2004/08/03 22:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2010/01/15 04:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/12/25 16:43:40 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe -- (AVP)
SRV - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) [Auto | Running] -- C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -- (CSObjectsSrv)
SRV - [2009/03/12 01:25:16 | 000,233,472 | ---- | M] (Teruten) [Auto | Running] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/07 08:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)


========== Driver Services (SafeList) ==========

DRV - [2010/06/02 14:21:47 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2010/03/15 22:51:59 | 010,232,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/12/14 12:44:24 | 000,088,632 | ---- | M] (Infowatch) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CSCrySec.sys -- (CSCrySec)
DRV - [2009/12/14 12:44:24 | 000,039,352 | ---- | M] (Infowatch) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\CSVirtualDiskDrv.sys -- (CSVirtualDiskDrv)
DRV - [2009/10/27 12:02:14 | 000,023,936 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2009/10/14 20:18:34 | 000,036,880 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\klbg.sys -- (KLBG)
DRV - [2009/10/02 18:39:44 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/09/14 13:42:46 | 000,032,272 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/09/01 14:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2009/03/12 01:25:16 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2008/07/03 01:03:14 | 004,745,216 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/06/30 19:27:44 | 000,108,800 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/10/11 17:40:12 | 000,009,096 | R--- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\amdide.sys -- (amdide)
DRV - [2007/09/17 14:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2006/08/28 16:12:04 | 000,013,312 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\MTictwl.sys -- (NCPro)
DRV - [2006/08/28 16:12:04 | 000,013,312 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MTictwl.sys -- (MagicTune)
DRV - [2005/01/07 16:07:18 | 000,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2}:0.9.86
FF - prefs.js..extensions.enabledItems: {27a03cf3-856f-46b8-91cb-7289f58c7e6e}:1.314
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.81
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.8.6
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:9.0.0.192
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.6.20100112


FF - HKLM\software\mozilla\Firefox\extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/05/15 16:25:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/31 22:23:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/03 23:09:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky PURE\THBExt [2010/06/02 14:22:26 | 000,000,000 | ---D | M]

[2009/07/11 10:36:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Extensions
[2010/06/03 23:12:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Firefox\Profiles\2xqcgogr.default\extensions
[2009/07/11 10:37:41 | 000,000,000 | ---D | M] (Finjan Secure Browsing) -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Firefox\Profiles\2xqcgogr.default\extensions\{27a03cf3-856f-46b8-91cb-7289f58c7e6e}
[2009/12/14 18:53:16 | 000,000,000 | ---D | M] (ChatZilla) -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Firefox\Profiles\2xqcgogr.default\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
[2010/02/18 07:46:07 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Firefox\Profiles\2xqcgogr.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/06/03 22:41:39 | 000,000,000 | ---D | M] (Noscript) -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Firefox\Profiles\2xqcgogr.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/04/09 00:18:43 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Firefox\Profiles\2xqcgogr.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010/06/03 22:41:39 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Firefox\Profiles\2xqcgogr.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/19 19:15:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fraubau\Application Data\Mozilla\Firefox\Profiles\2xqcgogr.default\extensions\nasanightlaunch@example.com
[2010/06/03 22:58:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/03 22:39:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/02 14:22:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/02 09:51:04 | 000,377,629 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13018 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm ()
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: DirectAnimation Java Classes [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky PURE\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky PURE\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Documents and Settings\fraubau\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\fraubau\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O27 - HKLM IFEO\ccSvcHst.exe : Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\conime.exe: Debugger - wmpdtn.exe ()
O27 - HKLM IFEO\egui.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ekrn.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\KAV32.exe : Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\mrt.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\mrtstub.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\msascui.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\msmpeng.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\symlcsvc.exe : Debugger - ntsd -d (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/11 09:39:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/03 23:03:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/06/03 23:00:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2010/06/03 23:00:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/06/03 23:00:51 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2010/06/03 22:58:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/06/03 22:40:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/06/03 22:40:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/03 22:39:57 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/02 17:04:07 | 002,181,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2010/06/02 17:04:07 | 002,137,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2010/06/02 17:04:06 | 002,058,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2010/06/02 17:04:06 | 002,016,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2010/06/02 17:00:50 | 001,850,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2010/06/02 14:22:29 | 000,039,352 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSVirtualDiskDrv.sys
[2010/06/02 14:22:27 | 000,088,632 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSCrySec.sys
[2010/06/02 14:21:58 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2010/06/02 14:21:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2010/06/02 14:21:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InfoWatch
[2010/06/02 14:21:47 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/06/02 14:21:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2010/06/02 09:40:34 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\fraubau\Recent
[2010/06/02 09:40:05 | 000,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2010/06/02 09:40:05 | 000,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2010/06/02 09:40:05 | 000,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2010/06/02 09:40:05 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe
[2010/06/02 09:40:05 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2010/06/02 09:40:05 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2010/06/02 09:40:05 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2010/06/02 09:40:05 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2010/06/02 09:40:05 | 000,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2010/06/02 09:40:05 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2010/06/02 09:40:05 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2010/06/02 09:34:30 | 008,454,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2010/06/02 08:55:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\Desktop\New Folder
[2010/06/01 01:24:12 | 000,332,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2010/06/01 01:05:43 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2010/05/31 23:56:57 | 010,196,424 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\fraubau\Desktop\windows-kb890830-v3.7.exe
[2010/05/30 16:10:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\My Documents\EBooks
[2010/05/30 16:05:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\My Documents\PRINTERS
[2010/05/30 16:05:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\My Documents\Walkthroughs and FAQS
[2010/05/15 18:10:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\Application Data\HPAppData
[2010/05/15 16:25:32 | 000,000,000 | ---D | C] -- C:\Program Files\HP Photo Creations
[2010/05/15 16:25:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP Photo Creations
[2010/05/15 16:25:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
[2010/05/15 16:24:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Cache
[2010/05/15 16:24:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Hewlett-Packard
[2010/05/10 16:03:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\Local Settings\Application Data\Nero
[2010/05/10 15:24:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\My Documents\Nero
[2010/05/10 15:15:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\Application Data\Nero
[2010/05/10 15:13:11 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2010/05/10 15:13:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2010/05/10 15:13:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2010/05/10 15:03:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\SmartPack
[2010/05/10 15:03:33 | 000,000,000 | ---D | C] -- C:\Program Files\SmartPack
[2010/05/10 14:41:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fraubau\Local Settings\Application Data\ArcSoft
[2010/05/10 14:41:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ArcSoft
[2010/05/10 14:41:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/03 23:09:18 | 000,276,202 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/03 23:09:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/03 23:09:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/03 23:08:23 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\fraubau\NTUSER.DAT
[2010/06/03 23:08:00 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\fraubau\ntuser.ini
[2010/06/03 23:06:35 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/06/03 23:03:51 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/06/03 23:00:51 | 000,001,619 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2010/06/03 23:00:51 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2010/06/03 21:53:35 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/02 17:01:58 | 000,142,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/02 17:01:01 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/02 14:53:10 | 000,000,851 | ---- | M] () -- C:\Documents and Settings\fraubau\Desktop\Kaspersky PURE.lnk
[2010/06/02 14:43:27 | 000,000,508 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/02 14:43:27 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/02 14:43:27 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/06/02 14:36:26 | 000,113,933 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/06/02 14:36:26 | 000,097,549 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/06/02 14:21:47 | 000,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/06/02 09:51:06 | 000,001,812 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2010/06/01 01:50:47 | 004,318,004 | -H-- | M] () -- C:\Documents and Settings\fraubau\Local Settings\Application Data\IconCache.db
[2010/05/31 23:37:30 | 010,196,424 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\fraubau\Desktop\windows-kb890830-v3.7.exe
[2010/05/31 23:29:10 | 000,502,752 | ---- | M] () -- C:\Documents and Settings\fraubau\Desktop\cfremover.exe
[2010/05/31 22:29:26 | 000,216,064 | -HS- | M] () -- C:\WINDOWS\System32\wmpdtn.exe
[2010/05/31 19:57:24 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\g45g.bat
[2010/05/31 17:58:32 | 000,000,572 | ---- | M] () -- C:\Documents and Settings\fraubau\My Documents\spider.sav
[2010/05/30 19:46:08 | 003,212,075 | ---- | M] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0167.JPG
[2010/05/30 19:17:33 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/30 18:47:50 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/27 08:47:56 | 003,389,246 | ---- | M] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0161.JPG
[2010/05/23 19:32:44 | 002,644,188 | ---- | M] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0148.JPG
[2010/05/23 19:32:04 | 002,417,275 | ---- | M] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0147.JPG
[2010/05/23 11:54:28 | 002,544,589 | ---- | M] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0144.JPG
[2010/05/15 19:34:25 | 000,030,424 | ---- | M] () -- C:\Documents and Settings\fraubau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/15 16:27:11 | 000,171,528 | ---- | M] () -- C:\WINDOWS\hphins32.dat
[2010/05/15 16:25:33 | 000,000,772 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
[2010/05/15 16:25:09 | 000,001,018 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2010/05/12 19:40:52 | 000,110,865 | ---- | M] () -- C:\Documents and Settings\fraubau\My Documents\cpaprog.may.revised.pdf
[2010/05/10 16:03:42 | 000,001,024 | ---- | M] () -- C:\Documents and Settings\fraubau\.rnd
[2010/05/10 15:35:36 | 000,000,588 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/05/10 15:16:12 | 000,002,352 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart Essentials.lnk
[2010/05/10 15:16:12 | 000,002,254 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nero Home Essentials SE.lnk
[2010/05/10 15:04:48 | 000,001,564 | ---- | M] () -- C:\Documents and Settings\fraubau\Desktop\PLDS SmartPack Utility.lnk
[2010/05/09 22:03:47 | 000,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/03 23:06:35 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/06/03 23:03:51 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/06/03 23:00:51 | 000,001,619 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2010/06/03 23:00:51 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2010/06/02 17:00:59 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/06/02 14:53:10 | 000,000,851 | ---- | C] () -- C:\Documents and Settings\fraubau\Desktop\Kaspersky PURE.lnk
[2010/06/02 14:22:53 | 000,113,933 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/06/02 14:22:53 | 000,097,549 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/06/02 09:45:24 | 000,001,812 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2010/06/02 09:40:05 | 000,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2010/06/02 09:40:05 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2010/06/02 09:40:05 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2010/05/31 23:56:56 | 000,502,752 | ---- | C] () -- C:\Documents and Settings\fraubau\Desktop\cfremover.exe
[2010/05/31 22:29:32 | 000,216,064 | -HS- | C] () -- C:\WINDOWS\System32\wmpdtn.exe
[2010/05/31 17:58:32 | 000,000,572 | ---- | C] () -- C:\Documents and Settings\fraubau\My Documents\spider.sav
[2010/05/30 20:16:48 | 002,417,275 | ---- | C] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0147.JPG
[2010/05/30 20:16:47 | 002,644,188 | ---- | C] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0148.JPG
[2010/05/30 20:15:07 | 002,544,589 | ---- | C] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0144.JPG
[2010/05/30 20:14:35 | 003,212,075 | ---- | C] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0167.JPG
[2010/05/30 20:14:07 | 003,389,246 | ---- | C] () -- C:\Documents and Settings\fraubau\Desktop\GEDC0161.JPG
[2010/05/30 19:17:33 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/30 19:07:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\g45g.bat
[2010/05/15 16:25:33 | 000,000,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
[2010/05/15 16:25:09 | 000,001,018 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2010/05/15 16:23:13 | 000,171,528 | ---- | C] () -- C:\WINDOWS\hphins32.dat
[2010/05/15 16:23:13 | 000,000,558 | ---- | C] () -- C:\WINDOWS\hphmdl32.dat
[2010/05/12 19:40:52 | 000,110,865 | ---- | C] () -- C:\Documents and Settings\fraubau\My Documents\cpaprog.may.revised.pdf
[2010/05/10 15:16:12 | 000,002,352 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart Essentials.lnk
[2010/05/10 15:16:12 | 000,002,254 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nero Home Essentials SE.lnk
[2010/05/10 15:15:19 | 000,001,024 | ---- | C] () -- C:\Documents and Settings\fraubau\.rnd
[2010/05/10 15:03:33 | 000,001,564 | ---- | C] () -- C:\Documents and Settings\fraubau\Desktop\PLDS SmartPack Utility.lnk
[2009/11/29 00:25:14 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/11/22 00:56:19 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/08 12:10:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/01 21:15:14 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/07/22 22:19:10 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2009/07/22 22:19:10 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2009/07/16 18:15:18 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS2I.DLL
[2009/07/11 10:07:10 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2009/07/11 10:01:16 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\MTictwl.sys
[2007/10/25 16:26:10 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2002/03/25 19:02:14 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2004/08/03 23:56:44 | 001,392,671 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/07/11 02:24:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/07/11 02:24:15 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/07/11 02:24:15 | 000,434,176 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2002/11/25 04:44:20 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2002/11/25 04:44:24 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2009/03/12 01:25:16 | 000,036,608 | ---- | M] () -- C:\WINDOWS\system32\FsUsbExDisk.Sys
[2002/11/25 04:44:40 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2002/11/25 04:44:46 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2002/08/28 20:23:06 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2002/11/25 04:45:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2002/11/25 04:45:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2002/11/25 04:45:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2002/11/25 04:45:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2002/11/25 04:45:02 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/03 21:45:10 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/03 21:45:16 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/03 21:45:12 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/03 21:45:16 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/03 21:45:14 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2004/08/03 22:07:34 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/08/14 04:19:41 | 001,850,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2004/08/03 23:56:42 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2004/08/03 23:56:42 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2004/08/03 23:56:42 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2004/08/03 23:56:42 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2004/08/03 23:56:42 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2004/08/03 23:56:42 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2004/08/03 23:56:42 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2004/08/03 23:56:42 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2004/08/03 23:56:42 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2004/08/03 23:56:42 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2004/08/03 23:56:42 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2004/08/03 23:56:42 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2004/08/03 23:56:42 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2004/08/03 23:56:46 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2004/08/03 23:56:48 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2009/07/11 09:39:37 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/06/02 14:43:27 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2009/07/11 09:39:37 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/05/10 15:06:18 | 000,037,622 | ---- | M] () -- C:\DEBUG.TXT
[2009/07/11 09:39:37 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/03 22:55:46 | 000,006,117 | ---- | M] () -- C:\JavaRa.log
[2009/07/11 09:39:37 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/07/11 10:05:43 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/07/11 10:05:42 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/06/03 23:09:00 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/06/02 09:53:34 | 000,001,963 | ---- | M] () -- C:\rapport.txt
[2010/06/03 22:52:07 | 000,000,894 | ---- | M] () -- C:\Win32.Worm.Downladup.Gen.log

< %PROGRAMFILES%\*. >
[2009/11/11 11:43:19 | 000,000,000 | ---D | M] -- C:\Program Files\2K Sports
[2010/06/03 23:06:25 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/11/14 20:14:46 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2009/11/02 20:19:19 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/07/11 09:45:43 | 000,000,000 | ---D | M] -- C:\Program Files\ATI Technologies
[2010/01/20 20:59:58 | 000,000,000 | ---D | M] -- C:\Program Files\Carambis
[2009/07/19 13:03:21 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2009/07/17 19:42:22 | 000,000,000 | ---D | M] -- C:\Program Files\Chikka Messenger
[2009/09/15 00:40:26 | 000,000,000 | ---D | M] -- C:\Program Files\Combined Community Codec Pack
[2010/06/03 23:03:40 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/07/11 09:37:27 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/03/13 21:26:42 | 000,000,000 | ---D | M] -- C:\Program Files\CoreCodec
[2009/07/22 22:19:12 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2009/09/09 12:31:04 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2009/07/25 12:07:23 | 000,000,000 | ---D | M] -- C:\Program Files\Haali
[2009/11/16 11:51:50 | 000,000,000 | ---D | M] -- C:\Program Files\hkSFV
[2010/05/15 16:25:04 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2010/05/15 16:25:33 | 000,000,000 | ---D | M] -- C:\Program Files\HP Photo Creations
[2010/05/10 15:27:14 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2009/07/11 10:07:08 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/06/03 22:39:54 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/06/02 14:21:58 | 000,000,000 | ---D | M] -- C:\Program Files\Kaspersky Lab
[2009/07/22 22:18:42 | 000,000,000 | ---D | M] -- C:\Program Files\MarkAny
[2010/06/03 23:00:51 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee Security Scan
[2009/07/11 10:07:14 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger Off
[2009/08/08 12:10:29 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2009/07/11 09:41:06 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/01/18 21:55:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2009/08/08 12:09:42 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/01/20 21:03:49 | 000,000,000 | ---D | M] -- C:\Program Files\Motorola
[2009/07/11 10:07:08 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/04/04 18:05:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/01/18 21:55:28 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2009/07/11 09:37:23 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/07/11 09:37:16 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2010/05/10 15:13:11 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2009/07/11 10:06:16 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/04/09 13:32:07 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2009/07/11 09:37:23 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/07/11 10:06:15 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/07/22 22:19:23 | 000,000,000 | ---D | M] -- C:\Program Files\PC Connectivity Solution
[2009/11/02 20:19:48 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/07/11 09:52:13 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2009/07/22 22:19:30 | 000,000,000 | ---D | M] -- C:\Program Files\Samsung
[2009/07/11 10:01:14 | 000,000,000 | ---D | M] -- C:\Program Files\SEC
[2010/05/10 15:04:47 | 000,000,000 | ---D | M] -- C:\Program Files\SmartPack
[2010/02/01 19:57:12 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2009/07/17 07:59:44 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2009/07/11 09:44:05 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/05/15 15:49:17 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2009/08/01 20:02:13 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp
[2009/11/22 00:43:21 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/07/11 10:06:15 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2009/07/11 09:37:23 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/07/25 12:03:50 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2009/07/11 09:41:06 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009/07/11 11:38:37 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!

< %appdata%\*.* >
[2009/07/22 22:19:04 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\fraubau\Application Data\$_hpcst$.hpc
[2010/03/07 04:02:31 | 000,000,859 | ---- | M] () -- C:\Documents and Settings\fraubau\Application Data\coreavc.ini
[2009/07/11 02:26:08 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\fraubau\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2004/08/03 22:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/03 22:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 02:50:10 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2002/08/29 00:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2002/08/29 00:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
[2002/08/29 00:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: DISK.SYS >
[2002/08/29 02:50:10 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:disk.sys
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:disk.sys
[2004/08/03 21:59:56 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2004/08/03 21:59:56 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\system32\drivers\disk.sys
[2002/08/29 00:27:58 | 000,033,792 | ---- | M] (Microsoft Corporation) MD5=D1B16340CEACEECBF52340A0CBDF43E1 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/03 23:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/03 23:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2002/08/29 02:40:52 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2002/08/29 02:41:08 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/03 23:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/03 23:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 23:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/03 23:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2002/08/29 02:41:12 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< MD5 for: USBSTOR.SYS >
[2002/08/29 02:50:10 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:usbstor.sys
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:usbstor.sys
[2004/08/03 22:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2004/08/03 22:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2004/08/03 22:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >

fraubau24
Beginner

Posts : 4
Joined : 2010-06-02
OS : Windows XP
Points : 23848
# Likes : 0
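A triage pass over OTL's "Files Created" listing, as an added example that is not part of the original post or of OTL itself. The listing is plain text, so the check is mechanical: parse each entry and report executable content under %SystemRoot% that stacks up several independent oddities (hidden/system attributes, no company string, zero size, a creation time inside the incident window). The sample lines are copied from the log above in OTL's own format; the window dates (30 May to 3 June 2010, the span the dated entries and posts cover) and the MIN_SIGNALS threshold are assumptions. The output is a list of files to look at more closely (hash lookup, signature check), not a verdict; the scans posted later in the thread are what decide.

```python
import ntpath
import re
from datetime import datetime

# One OTL file line:  [date time | size | attrs | C/M] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr", ".pif"}
SYSTEM_DIRS = ("c:\\windows\\",)   # %SystemRoot% on this machine (from the log header)
MIN_SIGNALS = 3                    # independent oddities needed before an entry is reported (assumption)

# Constructed subset of lines in OTL's format, copied from the listing above.
SAMPLE_OTL = """\
[2010/06/02 14:22:53 | 000,113,933 | ---- | C] () -- C:\\WINDOWS\\System32\\drivers\\klin.dat
[2010/05/31 22:29:32 | 000,216,064 | -HS- | C] () -- C:\\WINDOWS\\System32\\wmpdtn.exe
[2010/05/30 20:16:48 | 002,417,275 | ---- | C] () -- C:\\Documents and Settings\\fraubau\\Desktop\\GEDC0147.JPG
[2010/05/30 19:07:05 | 000,000,000 | ---- | C] () -- C:\\WINDOWS\\System32\\g45g.bat
[2004/08/03 22:07:34 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\\WINDOWS\\system32\\watchdog.sys
"""


def parse_otl(text):
    """Turn OTL file lines into dicts; lines that are not file entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "ts": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(d["size"].replace(",", "")),
            "attrs": d["attrs"],       # R/H/S/D flags, '-' when unset
            "kind": d["kind"],         # C = created, M = modified
            "company": d["company"],   # empty when the file carries no version info
            "path": d["path"],
        })
    return entries


def triage(entries, window_start, window_end):
    """Return (path, reasons) for executable content under %SystemRoot% that
    accumulates at least MIN_SIGNALS oddities. Each reason is one independent
    signal; none of them alone means the file is malicious."""
    findings = []
    for e in entries:
        p = e["path"].lower()
        ext = ntpath.splitext(ntpath.basename(p))[1]
        if ext not in EXEC_EXT or not p.startswith(SYSTEM_DIRS):
            continue
        reasons = ["executable content under %SystemRoot%"]
        if "H" in e["attrs"] or "S" in e["attrs"]:
            reasons.append("hidden/system attribute set")
        if not e["company"]:
            reasons.append("no company/version info")
        if e["size"] == 0:
            reasons.append("zero-byte file")
        if window_start <= e["ts"] <= window_end:
            reasons.append("created inside the incident window")
        if len(reasons) >= MIN_SIGNALS:
            findings.append((e["path"], reasons))
    return findings


def default_triage():
    """Run the sample through triage with the assumed incident window
    (30 May to 3 June 2010, the span the dated entries in the thread cover)."""
    return triage(parse_otl(SAMPLE_OTL),
                  datetime(2010, 5, 30), datetime(2010, 6, 3, 23, 59, 59))


if __name__ == "__main__":
    for path, reasons in default_triage():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, the two entries handed back are the hidden+system executable and the zero-byte batch file written to System32 during the incident window; the Kaspersky driver data file, the photo and the signed Microsoft driver do not reach the threshold.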

Re: Trojan.Win32.Buzus.efrp

Post by Crush on 3rd June 2010, 6:51 pm

Hello and Welcome to GeekPolice.net.

My name is Crush, but you can call me Chris too, and I will do my best to help get your problem resolved today.

I am currently a student in GeekPolice Academy, and will be a little delayed on each reply, as my instructors must review and approve each reply.

[You must be registered and logged in to see this link.]

If you have any questions, please ask, and I will do my best to get to the question promptly.

Please wait here, while I get the first set of instructions for you.

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42108
# Likes : 0

Re: Trojan.Win32.Buzus.efrp

Post by Crush on 3rd June 2010, 7:41 pm

Hi,

I notice that you are using more than one antivirus program.
  • McAfee
  • Kaspersky

This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through.

It is important that only ONE antivirus program is running realtime protection.
I strongly suggest you either (1) uninstall all but one antivirus program through Control Panel->Add or remove Programs, OR (2) keep the programs, but leave all but one of them disabled most of the time.

You can still use them for scanning your computer.
======

Also, please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log


Re: Trojan.Win32.Buzus.efrp

Post by fraubau24 on 5th June 2010, 12:25 am

Hi Crush, thanks for your response. And yes I do admit I have forgotten to remove the McAfee that came with the Adobe reader update. Anyways that's uninstalled now. Here's the log from MBT.

And as MBT was doing the scan, Kas came up with another detection and it's a Net-Worm.Win32.Kolab.iri. Anyways just thought I'd mention it.


Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4170

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/5/2010 8:11:50 AM
mbam-log-2010-06-05 (08-11-50).txt

Scan type: Quick scan
Objects scanned: 136283
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

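What the MBAM log above is reporting, as an added example that is not part of the original post or of MBAM. Under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, a subkey named after an executable with a Debugger string value tells the loader to start that "debugger" instead, with the original program's path on its command line. Legitimate uses point at ntsd, cdb, windbg or the Visual Studio JIT debugger; malware creates entries for security tools (in the log: egui.exe and ekrn.exe from ESET, msascui.exe and MsMpEng.exe from Windows Defender, mrt.exe, the Malicious Software Removal Tool) so that launching the tool runs something else, or nothing at all when the target path does not exist. The script parses the text of a reg export of the IFEO key and reports Debugger values that are not a known debugger, plus any IFEO key that exists for a security tool at all, since the MBAM log names the keys but not their contents. The export text, the placeholder hijack path, the debugger allowlist and the image names beyond those in the log are constructed assumptions.

```python
import ntpath
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debuggers that legitimately appear in IFEO (Debugging Tools for Windows, Visual Studio JIT, Dr. Watson).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

# Image names taken from the MBAM log above, plus two other common targets (assumption).
SECURITY_IMAGES = {"mrt.exe", "msascui.exe", "msmpeng.exe", "egui.exe", "ekrn.exe", "avp.exe", "mbam.exe"}

# Constructed 'reg export' text. The Debugger target is a placeholder name, not a file from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger"="C:\\WINDOWS\\system32\\hijack_placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myservice.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    # Undo .reg escaping (backslash-backslash and backslash-quote) in a single pass.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; string data is unescaped, other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else _unescape(m.group("name"))
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def debugger_binary(data):
    """Basename of the program a Debugger value launches (first token, quotes honoured, .exe implied)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        exe = data[1:end] if end > 0 else data[1:]
    else:
        exe = data.split()[0] if data else ""
    name = ntpath.basename(exe).lower()
    return name if ntpath.splitext(name)[1] else name + ".exe"


def audit_ifeo(keys):
    """Return (image, severity, detail). 'hijack' = Debugger points at a non-debugger;
    'review' = an IFEO key exists for a security tool even without a Debugger value."""
    findings = []
    prefix = IFEO.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):].lower()
        if "\\" in image:               # nested keys (e.g. PerfOptions) are not image entries
            continue
        dbg = values.get("Debugger")
        if dbg is not None and debugger_binary(dbg) not in KNOWN_DEBUGGERS:
            findings.append((image, "hijack", "Debugger=" + dbg))
        elif image in SECURITY_IMAGES:
            findings.append((image, "review", "IFEO key exists for a security tool"))
    return findings


def audit_sample():
    return audit_ifeo(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for image, severity, detail in audit_sample():
        print(f"{severity:7} {image:14} {detail}")
```

On the live machine the equivalent question is `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`; a file written by `reg export` is UTF-16LE, so read it with `open(path, encoding="utf-16")` before handing the text to parse_reg_export. The windbg entry in the sample is left alone because a quoted path to a known debugger is what a developer's machine legitimately looks like.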

Re: Trojan.Win32.Buzus.efrp

Post by Crush on 5th June 2010, 8:14 pm

Hi Fraubau,

How are things running now?

Please go to [You must be registered and logged in to see this link.] and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


Re: Trojan.Win32.Buzus.efrp

Post by fraubau24 on 6th June 2010, 4:11 am

Hello, I've just completed the online scan and lookie here, I've come off clean I think. Now reposting the log...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, June 6, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, June 06, 2010 00:08:25
Records in database: 4204736
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 45327
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 00:51:57

No threats found. Scanned area is clean.

Selected area has been scanned.


    Re: Trojan.Win32.Buzus.efrp

    Post by Crush on 6th June 2010, 5:58 pm

    Hi fraubau,

    Congratulations!! Your PC is all clean! Big Grin

    To remove all of the tools we used and the files and folders they created do the following:
    Double click OTL.exe.

    • Click the CleanUp button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

    Cleaning

    Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    Defragmenting Your Hard Disk

    Over time your PC can become fragmented, Windows comes with a defragmenting utility, however, it is very slow, and there are other options available.

    To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit enter; or
    right-click My Computer, choose Manage, Storage, Disk Defragmenter.

    In the Defragmenter utility, select your main partition/HD, generally C:\ and select analyze . The analysis report will tell you whether or not your disk needs to be defragmented, if it does, click defragment. Be patient, this can take a long time.

    Repeat for multiple partitions/hard disks.

    System Restore Cleanup Instructions

    If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
    You can find instructions on how to disable and re-enable system restore here:

    [You must be registered and logged in to see this link.]

    [You must be registered and logged in to see this link.]

    Reading Tip:
    [You must be registered and logged in to see this link.]
    Keep Your System Updated

    Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

    Install the updates immediately, if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

    To update Windows and office

    Go to Start > All Programs > Microsoft Update

    Alternatively, you can visit the link below to update Windows and Office products.

    [You must be registered and logged in to see this link.]

    If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

    1. Go to Start > Control Panel > Automatic Updates
    2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
    3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

    Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

    Be careful when opening attachments and downloading files.

    1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
    2. Never open emails from unknown senders.
    3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
    4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

    Surf safely

    Many security exploits on websites are directed to users of Internet Explorer and Firefox.

    If you use Firefox, try the [You must be registered and logged in to see this link.] - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

    Backup regularly

    You never know when your PC will become unstable or become so infected that you can't recover it. Follow this [You must be registered and logged in to see this link.] to learn how to backup. Follow [You must be registered and logged in to see this link.] by Microsoft to restore your backups.

    Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
    [You must be registered and logged in to see this link.]

    Avoid P2P

    I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Prevent A Re-infection

    1. Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features [You must be registered and logged in to see this link.]

    You can get a [You must be registered and logged in to see this link.] of Winpatrol or use the [You must be registered and logged in to see this link.] for more features.

    You can read [You must be registered and logged in to see this link.] if you run into problems.

    2. Hosts File

    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    3. Spybot Search and Destroy

    Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from [You must be registered and logged in to see this link.].

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy [You must be registered and logged in to see this link.] at Bleeping Computer.

    4. SiteHound Toolbar

    [You must be registered and logged in to see this link.] is a toolbar that warns you if you go to a site that is known to scam people, that potentially has lots of viruses or spyware, or that has other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

    ====

    Stand Up and Be Counted ---> [You must be registered and logged in to see this link.] <--- where you can make a difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
    ============================================================
    See [You must be registered and logged in to see this link.] for more info about malware and prevention.
    Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site.
    Before the thread is archived, do you have any more questions?

    Happy surfing and stay clean!

    Crush
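As an added illustration of the "phone book" lookup described in the Hosts File tip above (example code, not from this thread or from any of the tools it names): a small parser for the hosts file format that resolves a name the way the system does, plus a check that flags entries which send a name anywhere other than a sinkhole address, since the same file can be edited to misdirect legitimate sites. All hostnames and addresses below are constructed.

```python
import ipaddress

# Constructed sample hosts file (not a real blocklist): the normal localhost
# line, two blocked sites, an entry with a trailing comment, and one entry
# that points a legitimate-looking name at a non-loopback address.
SAMPLE_HOSTS = """\
# constructed sample for illustration
127.0.0.1   localhost
127.0.0.1   ads.example.invalid
0.0.0.0     spyware.example.invalid   # 0.0.0.0 is another common sinkhole
10.0.0.5    update.example.invalid
"""


def parse_hosts(text):
    """Return {hostname: address} for every non-comment line of a hosts file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        address, *names = line.split()        # one address, one or more names
        for name in names:
            mapping[name.lower()] = address   # hostnames are case-insensitive
    return mapping


def lookup(mapping, hostname):
    """The phone-book step: answer from the hosts file, else None (would go to DNS)."""
    return mapping.get(hostname.lower())


def suspicious_entries(mapping):
    """Entries that redirect a name to something other than a sinkhole address.

    A protective hosts file only ever maps names to loopback / 0.0.0.0; any
    other target (or an unparsable one) deserves a closer look.
    """
    flagged = {}
    for name, address in mapping.items():
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            flagged[name] = address           # not even a valid address
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            flagged[name] = address
    return flagged
```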

    Re: Trojan.Win32.Buzus.efrp

    Post by fraubau24 on 7th June 2010, 2:45 pm

    Hi Crush, glad to hear that. Thank you very much for your time and support; it's very much appreciated. Also thanks for the tips, these should really come in handy and I'll be sure to check them out as soon as possible. Again thanks and more power to you guys!


    Re: Trojan.Win32.Buzus.efrp

    Post by Crush on 7th June 2010, 5:01 pm

    Hi fraubau,

    No problem. Really glad I could help.
