Win32.trojan.buzus


Win32.trojan.buzus

Post by Ferrarista on Wed 21 Jul 2010, 2:13 am

First topic message reminder:

Hello,

Yesterday my computer got infected with the Win32.trojan.buzus virus; I suspect it presented itself as a Java update. All sorts of Malware Doctor screens popped up: I managed to get rid of those. Both Spybot S&D as well as Ad-Aware detected the w32.t.b. infection and stated the threat was deleted/neutralised. However, each time I start up my laptop lots of errors occur and Ad-Aware keeps telling me time and again the virus is still there, showing the names of all the infected files. My McAfee Antivirus Plus detected the threat as well and said the virus was neutralised, but clearly that is not true.

Hopefully someone can help me. I have read this thread: [You must be registered and logged in to see this link.] I'd be grateful if someone could go through these same procedures with me.

I will post my OTL logs in a minute.

Ferrarista

Newbie Surfer

Posts : 21
Joined : 2010-07-21
Operating System : Vista


Re: Win32.trojan.buzus

Post by Sneakyone on Fri 23 Jul 2010, 6:39 am

You're welcome, glad to help.

OTL is a diagnostic tool; it stands for Old Timer List-It. OTC is the clean-up tool, hence the name Old Timer Clean-Up.

OTC just removes the expert tools and other dangerous tools we used.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

Profile: http://twitter.com/AVerySneakyone

Re: Win32.trojan.buzus

Post by Ferrarista on Sun 25 Jul 2010, 8:38 pm

OK, I've run OTC.exe; that went very quickly.

I seem to have one final problem though, and it rather comes out of the blue: I lost my desktop background when I started up. All the icons are still there, fortunately, though I'm afraid they might no longer be after another reboot (as apparently this is a problem that usually comes along with it)...

Trying to restore the background manually didn't help: apparently it can only still show .bmp files as background, no .jpg files. Also (see link: [You must be registered and logged in to see this link.]), when selecting a picture it shows all these vague icons, whereas usually you'd see small-scale sharp images of the files you have in a certain folder...

When looking in a folder and clicking some .jpg files (one time) it also takes a lot longer for the scaled-down versions of the pictures to pop up in the left corner of the screen. Opening them and flicking through them goes as fast as always.

Apart from that I don't seem to have any problems.

Anyway, is this another malware problem? I did a Malwarebytes scan, but everything was fine...


Re: Win32.trojan.buzus

Post by Sneakyone on Mon 26 Jul 2010, 3:17 am

Hi,

Try right clicking on the image you want to make your background, then click on 'Set as Desktop Background'.



Re: Win32.trojan.buzus

Post by Ferrarista on Mon 26 Jul 2010, 3:40 am

Nothing happens...

Actually, when I open a folder with pictures, videos or other files it no longer shows them, just their names (see here: [You must be registered and logged in to see this link.]). I can still open them without a problem though...

Surely these two problems are related. Should I do another scan of some sort? Or has some setting been tweaked without me knowing it?



Re: Win32.trojan.buzus

Post by Sneakyone on Mon 26 Jul 2010, 8:01 am

Hi,

Sounds like it could possibly be malware-related.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
  • Click Start, then copy and paste the following command into the search box and hit Enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it will produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



Re: Win32.trojan.buzus

Post by Ferrarista on Mon 26 Jul 2010, 8:46 pm

Very strange: just when I started to perform the ComboFix scan the problem was solved. Perhaps it has to do with the fact I temporarily shut down McAfee and Ad-Aware?! Inexplicable really... I hope it won't come back as unexpectedly as it came...

Here is the ComboFix log:

ComboFix 10-07-24.05 - Daniël 26-07-2010 10:57:20.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.31.1043.18.3002.1862 [GMT 2]
Started from: c:\users\Daniël\Desktop\commy.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

(((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 ))))))))))))))))))))))))))))))
.

2010-07-26 09:24 . 2010-07-26 09:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-26 09:24 . 2010-07-26 09:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-26 09:24 . 2010-07-26 09:24 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-07-22 10:47 . 2010-07-22 10:47 -------- d-----w- c:\program files\Common Files\Java
2010-07-22 10:46 . 2010-07-22 10:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 10:46 . 2010-07-22 10:46 -------- d-----w- c:\program files\Java
2010-07-20 21:46 . 2010-07-20 21:46 -------- d-----w- c:\program files\ESET
2010-07-20 21:20 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 21:20 . 2010-07-20 21:20 -------- d-----w- c:\programdata\Malwarebytes
2010-07-20 21:20 . 2010-07-20 21:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 21:20 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 20:29 . 2010-07-20 21:08 -------- d-----w- C:\commy
2010-07-19 21:29 . 2010-06-16 23:00 15880 ----a-w- c:\windows\system32\lsdelete.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 14:18 . 2008-11-08 01:30 -------- d-----w- c:\programdata\CyberLink
2010-07-23 14:15 . 2009-06-29 20:04 -------- d-----r- c:\program files\Skype
2010-07-23 14:15 . 2009-06-29 20:04 -------- d-----w- c:\programdata\Skype
2010-07-20 09:17 . 2008-11-08 08:41 667352 ----a-w- c:\windows\system32\perfh013.dat
2010-07-20 09:17 . 2008-11-08 08:41 126854 ----a-w- c:\windows\system32\perfc013.dat
2010-07-16 08:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-16 22:59 . 2010-06-17 08:50 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-06 10:24 . 2009-07-11 18:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 18:39 . 2010-06-04 18:39 -------- d-----w- c:\program files\Van Dale
2010-05-26 17:06 . 2010-06-10 13:57 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 13:57 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-04 05:59 . 2010-06-10 13:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 13:56 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-10 13:56 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-10 13:56 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-10 13:56 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 15:16 . 2010-04-27 21:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 15:16 . 2010-04-27 21:38 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 15:16 . 2010-04-27 21:38 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-04-27 15:16 . 2010-04-27 21:38 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 15:16 . 2010-04-27 21:38 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 15:16 . 2010-04-27 21:38 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 15:16 . 2010-04-27 21:38 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-04-27 15:16 . 2010-04-27 21:38 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 15:16 . 2010-04-27 21:38 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 15:16 . 2010-04-27 21:38 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2008-11-08 08:56 . 2008-11-08 08:42 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-06 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-24 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Daniël^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\users\Daniël\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):24,c1,59,3d,86,51,ca,01

R2 gupdate1c9f7e28a6aca76;Google Update Service (gupdate1c9f7e28a6aca76);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-06-30 1352832]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-04-27 83496]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-16 64288]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-04-27 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-04-27 160720]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-04-27 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-04-27 141792]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-04-27 55456]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-04-27 312616]
S3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\DRIVERS\OA004Ufd.sys [2008-06-03 144672]
S3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\DRIVERS\OA004Vid.sys [2008-07-17 269760]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 09:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 11:20]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 11:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = local
IE: &AOL-werkbalk Zoeken - c:\programdata\AOL\ieToolbar\resources\nl-NL\local\search.html
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\users\Daniël\Desktop\Anti Spyware\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-26 11:25
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-26 11:33:54
ComboFix-quarantined-files.txt 2010-07-26 09:33

Pre-Run: 163,533,373,440 bytes free
Post-Run: 159,345,565,696 bytes free

- - End Of File - - 3BB894818FEDF4B80344A8FEF693C3B4

----------------------------------------

Anyway, I've done the scan, but now I can hardly open ANYTHING!! I keep getting the message:

'Illegal operation attempted on a registry key that has been marked for deletion'

I get this message on almost everything I click on. How do I make sure all these things are taken off the list for deletion? By running sfc /scannow in safe mode (it doesn't let me do it in normal mode)? Can I be sure all these registry keys won't be deleted after a reboot?!

----------

I was able to do a HijackThis scan; here is the log, maybe it can be helpful as well:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:16:26, on 26-7-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Daniël\Desktop\Anti Spyware\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100519104016.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &AOL-werkbalk Zoeken - C:\ProgramData\AOL\ieToolbar\resources\nl-NL\local\search.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - [You must be registered and logged in to see this link.]
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9f7e28a6aca76) (gupdate1c9f7e28a6aca76) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8959 bytes

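The two logs above are the raw material a helper reads by eye. What follows is an added Python example, not part of the thread and not a feature of HijackThis or ComboFix, that applies the usual first-pass heuristics to HijackThis-style lines: hosts-file oddities, orphaned browser helper objects, autostart entries that run from user-writable paths or borrow a system binary name, and services with no publisher string or a missing binary. The sample input mixes lines copied from Ferrarista's HijackThis log with two constructed lines (the update.example.com hosts entry and the svchost.exe Run entry) so that every rule fires; the severity labels, the directory lists and the lookalike names are this example's own conventions.

```python
"""Added example: first-pass triage of HijackThis-style log lines.
The heuristics and severity labels are this example's own, not HijackThis's."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log in the thread plus two invented
# ones (the update.example.com hosts entry and the svchost.exe Run entry).
SAMPLE_LOG = r"""
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 update.example.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [svchost] C:\Users\user\AppData\Roaming\svchost.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
"""

SYSTEM_DIRS = ("c:\\windows", "%systemroot%", "%windir%")
TRUSTED_PREFIXES = SYSTEM_DIRS + ("c:\\program files", "c:\\progra~1", "%programfiles%")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\programdata\\")  # any user can drop files here
SYSTEM_LOOKALIKES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    severity: str  # "info" < "review" < "suspect"
    reason: str
    line: str


def path_origin(path: str) -> str:
    """Classify an executable path as trusted, user-writable or other."""
    p = path.strip().strip('"').lower()
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted"
    return "user-writable" if any(m in p for m in USER_WRITABLE) else "other"


def executable_from_command(command: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return re.split(r" (?=[/-])", command, maxsplit=1)[0]  # cut at the first " /x" or " -x" argument


def classify(section: str, body: str) -> list[tuple[str, str]]:
    """Apply the per-section heuristics; returns (severity, reason) pairs."""
    hits: list[tuple[str, str]] = []
    if section == "O1":  # hosts file entries
        entry = body.split(":", 1)[1].strip()
        if entry.startswith(("ÿþ", "\ufeff")):
            hits.append(("review", "hosts file starts with a byte-order mark (saved as Unicode rather than ANSI)"))
            entry = entry.lstrip("ÿþ\ufeff")
        fields = entry.split()
        if len(fields) >= 2 and fields[1].lower() != "localhost":
            hits.append(("suspect", f"hosts file pins {fields[1]} to {fields[0]}"))
    elif section in ("O2", "O3"):  # browser helper objects and toolbars
        if m := re.match(r"\w+: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)", body):
            name, clsid, path = m.groups()
            if path == "(no file)":
                hits.append(("review", f"orphaned CLSID {clsid}: still registered but its DLL is gone"))
            elif path_origin(path) != "trusted":
                hits.append(("suspect", f"browser extension '{name}' loads from {path}"))
    elif section == "O4":  # Run keys
        if m := re.match(r".*: \[(.*?)\] (.*)", body):
            name, command = m.groups()
            exe = executable_from_command(command)
            origin = path_origin(exe)
            if origin != "trusted":
                hits.append(("suspect" if origin == "user-writable" else "review",
                             f"autostart '{name}' runs {exe} from a {origin} location"))
            base = exe.lower().rsplit("\\", 1)[-1]
            if base in SYSTEM_LOOKALIKES and not exe.lower().startswith(SYSTEM_DIRS):
                hits.append(("suspect", f"autostart '{name}' borrows the system binary name {base} outside the Windows directory"))
    elif section == "O23":  # services
        if m := re.match(r"Service: (.*?) - (.*?) - (.*)", body):
            name, owner, path = m.groups()
            if path.endswith("(file missing)"):
                hits.append(("review", f"service '{name}' points at a binary that no longer exists"))
            elif owner == "Unknown owner":
                origin = path_origin(path)
                hits.append(("info" if origin == "trusted" else "suspect",
                             f"service '{name}' has no publisher string and runs from a {origin} location"))
    return hits


def triage(log_text: str) -> list[Finding]:
    """Walk a log and collect one Finding per heuristic hit."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := re.match(r"(O\d+) - (.*)", line):
            section, body = m.groups()
            findings.extend(Finding(section, sev, why, line) for sev, why in classify(section, body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.section}: {f.reason}\n          {f.line}")
```

Run against the full HijackThis log above, these rules surface only the byte-order mark on the hosts line, the orphaned (no name) BHO, the GameConsoleService entry whose binary is missing and the publisher-less Recovery Service for Windows, which matches Sneakyone's reading that nothing else is out of place. The trusted-directory list is deliberately narrow: anything launched from a profile, Temp or ProgramData path gets a human look, and the Antimalware Doctor.lnk entry in the ComboFix log above lived in exactly such a path, the user's Startup folder under AppData\Roaming.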

Re: Win32.trojan.buzus

Post by Sneakyone on Tue 27 Jul 2010, 5:49 am

Hi.

Could you please reboot and see if this still occurs? It is a common problem with ComboFix; I don't think it is bad.



Re: Win32.trojan.buzus

Post by Ferrarista on Tue 27 Jul 2010, 6:24 am

Thank God, it's OK now. Sorry for my panic reaction; I seem to have been going from one problem to another the past number of days, and in this last instance I just wasn't sure what would happen in case of a reboot, given that basically everything was on a deletion list...

All seems fine now, or did you see anything suspicious in any of the logs?

Sorry for me being such a nuisance...


Re: Win32.trojan.buzus

Post by Sneakyone on Tue 27 Jul 2010, 6:34 am

Hi.

I don't see anything else, how is your computer running?



Re: Win32.trojan.buzus

Post by Ferrarista on Tue 27 Jul 2010, 6:40 am

I think as usual: always a (little) bit slow in the beginning, but after that it's basically fine, even though you always want it to be faster.


Re: Win32.trojan.buzus

Post by Sneakyone on Tue 27 Jul 2010, 6:45 am

Hi.

Please download ATF Cleaner by Atribune.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, click No at the prompt.
Click Exit on the Main menu to close the program.



Re: Win32.trojan.buzus

Post by Ferrarista on Tue 27 Jul 2010, 6:52 am

Done (cleared some 40 MB).



Re: Win32.trojan.buzus

Post by Sneakyone on Tue 27 Jul 2010, 6:58 am

Hi.

Please have a look here: [You must be registered and logged in to see this link.]


