WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


Trojan.Win32.Buzus.cmpt

2 posters

descriptionTrojan.Win32.Buzus.cmpt EmptyTrojan.Win32.Buzus.cmpt17th November 2009, 4:02 am

more_horiz
The trojan has infected system32\taskhosts.exe - removal is not an option for it will crumble my os in an instant. Disinfection isn't possible via Kaspersky IS 2010.

SOS

HT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:23 AM, on 11/17/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\Mozilla Firefox 3.6 Beta 1\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Downloads\winlogon.scr
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: avp - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 6119 bytes



Very Much Thanks - Appreciate it

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt17th November 2009, 5:11 am

more_horiz
Please download ComboFix Trojan.Win32.Buzus.cmpt Combofix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt17th November 2009, 6:20 am

more_horiz
ComboFix 09-11-17.01 - ak101ss 11/17/2009 14:11.1.4 - x86
Microsoft®️ Windows Vista™️ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2319 [GMT 8:00]
Running from: c:\users\ak101ss\Desktop\commy.exe
Command switches used :: /stepdel
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-17 04:33 . 2009-11-17 04:33 932368 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-11-17 04:33 . 2009-11-17 04:33 678416 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-11-17 04:33 . 2009-11-17 04:33 604688 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-11-17 04:33 . 2009-11-17 04:33 522768 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-11-17 04:33 . 2009-11-17 04:33 1096208 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-11-17 04:32 . 2009-11-17 04:32 397328 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2009-11-17 04:32 . 2009-11-17 04:32 311312 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\6.0\klif.sys
2009-11-17 04:32 . 2009-11-17 04:32 19472 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2009-11-17 04:32 . 2009-11-17 04:32 109072 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2009-11-17 04:32 . 2009-11-17 04:32 397328 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2009-11-17 04:32 . 2009-11-17 04:32 17936 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2009-11-17 04:32 . 2009-11-17 04:32 109072 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2009-11-17 04:32 . 2009-11-17 04:32 311312 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\6.0\klif.sys
2009-11-17 04:16 . 2009-11-17 04:16 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-17 04:16 . 2009-11-17 04:16 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-17 04:15 . 2009-11-17 04:15 -------- d-----w- c:\program files\Kaspersky Lab
2009-11-17 04:13 . 2009-11-17 04:13 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-11-17 03:51 . 2009-11-17 04:04 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-17 03:51 . 2009-11-17 03:52 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-17 03:06 . 2009-11-17 05:56 4096 d-----w- c:\programdata\Kaspersky Lab
2009-11-16 19:18 . 2009-11-16 06:44 -------- d-----w- c:\windows\Debug
2009-11-16 19:11 . 2009-11-16 19:15 4096 d-----w- c:\windows\Panther
2009-11-16 19:11 . 2009-11-16 19:11 4096 d-----w- C:\Boot
2009-11-16 12:06 . 2009-11-17 03:03 45568 ----a-w- C:\bws-codmw02.exe
2009-11-16 11:31 . 2009-11-16 11:34 -------- d-----w- c:\users\ak101ss\AppData\Local\Microsoft Games
2009-11-16 08:44 . 2009-11-16 08:44 -------- d-----w- c:\program files\Common Files\Steam
2009-11-16 08:44 . 2009-11-17 04:27 8192 d-----w- c:\program files\Steam
2009-11-16 07:20 . 2009-11-16 07:24 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-16 07:20 . 2009-11-16 08:40 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-16 07:19 . 2009-11-16 07:19 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-16 07:05 . 2009-11-16 07:05 -------- d-----w- c:\users\ak101ss\AppData\Local\PunkBuster
2009-11-16 06:54 . 2006-10-26 11:58 30512 ----a-w- c:\windows\system32\mdimon.dll
2009-11-16 06:53 . 2009-11-16 06:53 4096 d-----w- c:\program files\Microsoft Works
2009-11-16 06:52 . 2009-11-16 06:52 -------- d-----w- c:\program files\Microsoft.NET
2009-11-16 06:19 . 2009-11-16 09:00 -------- d-----w- c:\program files\Activision
2009-11-16 06:05 . 2009-11-16 06:05 -------- d-----w- c:\users\ak101ss\AppData\Roaming\COWON
2009-11-16 05:52 . 2009-03-08 11:33 18944 ----a-w- c:\windows\system32\corpol.dll
2009-11-16 05:44 . 2009-11-16 05:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-16 05:44 . 2009-11-16 06:14 -------- d-----w- c:\program files\NVIDIA Corporation
2009-11-16 05:43 . 2009-10-28 04:41 76392 ----a-w- c:\windows\system32\OpenCL.dll
2009-11-16 05:43 . 2009-10-28 04:41 170600 ----a-w- c:\windows\system32\nvcod171.dll
2009-11-16 05:43 . 2009-10-28 04:41 11381352 ----a-w- c:\windows\system32\nvcompiler.dll
2009-11-16 05:42 . 2009-11-16 05:42 -------- d-----w- C:\NVIDIA
2009-11-16 05:42 . 2009-11-16 05:42 -------- d-----w- c:\users\ak101ss\AppData\Local\Microsoft Help
2009-11-16 05:42 . 2009-11-16 06:54 8192 d-----w- c:\programdata\Microsoft Help
2009-11-16 05:42 . 2009-11-16 05:42 -------- d-----r- C:\MSOCache
2009-11-16 05:41 . 2009-11-16 05:41 -------- d-----w- c:\users\ak101ss\AppData\Roaming\Outertech
2009-11-16 05:39 . 2009-11-17 05:55 4096 d-----w- c:\programdata\NVIDIA
2009-11-16 05:37 . 2009-11-16 05:37 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-16 05:35 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-16 05:34 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-11-16 05:34 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-16 05:34 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-16 05:30 . 2009-10-26 08:54 588392 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-16 05:29 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-11-16 05:29 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-11-16 05:29 . 2009-06-15 14:52 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-11-16 05:29 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-11-16 05:29 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-11-16 05:29 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2009-11-16 05:29 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe
2009-11-16 05:27 . 2009-11-02 12:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-16 05:21 . 2009-11-17 05:56 -------- d-----w- c:\users\ak101ss\Tracing
2009-11-16 05:00 . 2009-11-16 05:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-16 05:00 . 2009-11-16 05:00 -------- d-----w- c:\program files\Java
2009-11-16 04:55 . 2009-11-16 04:55 -------- d-----w- c:\program files\Microsoft
2009-11-16 04:54 . 2009-11-16 04:54 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-16 04:54 . 2009-11-16 04:55 -------- d-----w- c:\program files\Windows Live
2009-11-16 04:54 . 2009-11-16 04:54 -------- d-----w- c:\windows\PCHEALTH
2009-11-16 04:29 . 2009-11-16 04:29 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-16 04:28 . 2009-11-16 05:41 4096 d-----w- c:\program files\GetDiz
2009-11-16 04:25 . 2009-02-11 03:55 14352 ----a-w- c:\windows\system32\drivers\AtiPcie.sys
2009-11-16 04:25 . 2009-11-16 04:25 9158 ----a-r- c:\users\ak101ss\AppData\Roaming\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-11-16 04:25 . 2009-11-16 04:25 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-11-16 04:24 . 2009-11-16 04:24 -------- d-----w- c:\program files\ATI
2009-11-16 04:24 . 2009-11-16 04:24 -------- d-----w- c:\program files\ATI Technologies
2009-11-16 04:19 . 2009-11-16 04:19 4096 d-----w- c:\program files\OpenVPN
2009-11-16 04:14 . 2009-11-16 04:14 4096 d-----w- c:\program files\MyDefrag v4.2.6
2009-11-16 04:13 . 2009-11-16 04:13 -------- d-----w- c:\program files\uTorrent
2009-11-16 04:12 . 2009-11-17 06:10 4096 d-----w- c:\users\ak101ss\AppData\Roaming\uTorrent
2009-11-16 04:11 . 2009-11-17 04:20 12288 d-----w- c:\program files\Garena
2009-11-16 03:51 . 2009-11-16 03:51 -------- d-----w- c:\windows\system32\Adobe
2009-11-16 03:51 . 2009-11-16 03:51 -------- d-----w- c:\windows\system32\Macromed
2009-11-16 03:50 . 2009-11-16 03:50 177024 ----a-w- c:\users\ak101ss\AppData\Roaming\Mozilla\Firefox\Profiles\nlxd155x.default\FlashGot.exe
2009-11-16 03:45 . 2009-11-16 03:45 0 ----a-w- c:\windows\nsreg.dat
2009-11-16 03:45 . 2009-11-16 03:45 -------- d-----w- c:\users\ak101ss\AppData\Local\Mozilla
2009-11-16 03:44 . 2009-11-16 03:44 552 ----a-w- c:\users\ak101ss\AppData\Local\d3d8caps.dat
2009-11-16 03:44 . 2009-11-17 04:27 -------- d-----w- c:\users\ak101ss\AppData\Roaming\Xfire
2009-11-16 03:44 . 2009-11-16 05:17 4096 d-----w- c:\programdata\Xfire
2009-11-16 03:44 . 2009-11-16 05:17 8192 d-----w- c:\program files\Xfire
2009-11-16 03:44 . 2009-11-16 04:27 -------- d-----w- C:\downloads
2009-11-16 03:44 . 2009-11-16 03:44 -------- d-----w- c:\users\ak101ss\AppData\Roaming\GrabPro
2009-11-16 03:44 . 2009-11-17 06:10 4096 d-----w- c:\users\ak101ss\AppData\Roaming\Orbit
2009-11-16 03:44 . 2009-11-16 03:44 4096 d-----w- c:\program files\Orbitdownloader
2009-11-16 03:43 . 2009-11-17 06:01 8192 d-----w- c:\program files\Mozilla Firefox 3.6 Beta 1
2009-11-16 03:43 . 2009-11-16 03:43 4096 d-----w- c:\program files\7-Zip
2009-11-16 03:41 . 2009-11-16 03:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-16 03:40 . 2009-11-17 04:16 16384 d-sh--w- c:\windows\Installer
2009-11-16 03:33 . 2009-11-16 03:35 4096 d-----w- c:\program files\Common Files\COWON
2009-11-16 03:33 . 2009-11-16 03:35 28672 d-----w- c:\program files\JetAudio
2009-11-16 03:33 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-16 03:33 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-11-16 03:33 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2009-11-16 03:33 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-11-16 03:31 . 2009-11-16 03:31 -------- d-----w- C:\DriveKey
2009-11-16 03:31 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-11-16 03:31 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2009-11-16 03:31 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-11-16 03:30 . 2009-11-16 03:30 8192 d-----w- c:\program files\CDBurnerXP
2009-11-16 03:30 . 2009-09-28 13:57 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-11-16 03:30 . 2009-11-16 03:30 -------- d-----w- c:\programdata\Razer
2009-11-16 03:30 . 2005-12-21 03:23 14592 ----a-w- c:\windows\system32\drivers\Usbicp.sys
2009-11-16 03:29 . 2009-11-16 03:29 -------- d-----w- c:\program files\CCleaner
2009-11-16 03:29 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-11-16 03:28 . 2009-11-16 03:28 -------- d-----w- c:\program files\Razer
2009-11-16 03:28 . 2007-08-08 03:04 12032 ----a-w- c:\windows\system32\drivers\Lachesis.sys
2009-11-16 03:28 . 2009-11-16 03:28 -------- d-----w- c:\users\ak101ss\AppData\Roaming\InstallShield
2009-11-16 03:28 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-11-16 03:28 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-16 03:28 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-11-16 03:28 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-11-16 03:27 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-11-16 03:27 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-11-16 03:27 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-16 03:21 . 2009-11-16 07:00 75160 ----a-w- c:\users\ak101ss\AppData\Local\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 05:55 . 2009-11-16 05:47 35085 ----a-w- c:\programdata\nvModes.dat
2009-11-16 06:56 . 2009-11-16 03:26 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 05:53 . 2009-11-16 05:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-16 05:37 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-16 05:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-16 05:37 . 2009-11-16 05:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-16 05:36 . 2009-11-16 03:21 680 ----a-w- c:\users\ak101ss\AppData\Local\d3d9caps.dat
2009-11-16 04:56 . 2009-11-16 04:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-11-16 03:32 . 2009-11-16 03:31 4096 d-----w- c:\program files\Teamspeak2_RC2
2009-11-16 03:31 . 2009-11-16 03:26 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-16 03:27 . 2009-11-16 03:26 -------- d--h--w- c:\program files\Temp
2009-11-16 03:26 . 2009-11-16 03:26 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-11-16 03:26 . 2009-11-16 03:26 -------- d-----w- c:\program files\Realtek
2009-10-28 04:41 . 2009-09-27 15:12 588392 ----a-w- c:\windows\system32\nvudisp.exe
2009-10-14 13:18 . 2009-10-14 13:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-08 21:08 . 2009-11-16 05:33 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-11-16 05:33 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-11-16 05:33 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-02 11:39 . 2009-10-02 11:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-10-01 01:02 . 2009-11-16 05:33 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-16 05:33 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-16 05:33 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-16 05:33 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-16 05:33 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-16 05:33 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-16 05:33 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-16 05:33 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-16 05:33 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-16 05:33 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-16 05:33 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-16 05:33 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-27 15:12 . 2009-09-27 15:12 9509832 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2009-09-27 15:12 . 2009-09-27 15:12 795104 ----a-w- c:\windows\system32\dpinst.exe
2009-09-27 15:12 . 2009-09-27 15:12 7614056 ----a-w- c:\windows\system32\nvd3dum.dll
2009-09-27 15:12 . 2009-09-27 15:12 3310184 ----a-w- c:\windows\system32\nvwgf2um.dll
2009-09-27 15:12 . 2009-09-27 15:12 2169448 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 15:12 . 2009-09-27 15:12 1997416 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 15:12 . 2009-09-27 15:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 15:12 . 2009-09-27 15:12 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-27 15:12 . 2009-09-27 15:12 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 15:12 . 2009-09-27 15:12 11197032 ----a-w- c:\windows\system32\nvoglv32.dll
2009-09-27 15:12 . 2009-09-27 15:12 10984 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2009-09-27 15:12 . 2009-09-27 15:12 1074280 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 09:46 . 2009-09-27 09:46 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 09:46 . 2009-09-27 09:46 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-25 02:10 . 2009-11-16 04:00 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-11-16 04:00 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-11-16 04:00 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-11-16 04:00 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-11-16 04:00 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-11-16 04:00 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-11-16 04:00 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-11-16 04:00 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-11-16 04:00 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-11-16 04:00 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-11-16 04:00 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-11-16 04:00 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-11-16 04:00 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-11-16 04:00 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-11-16 04:00 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-11-16 04:00 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-11-16 04:00 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-11-16 04:00 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-11-16 04:00 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-11-16 04:00 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-11-16 04:00 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-11-16 04:00 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-11-16 04:00 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-11-16 04:00 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-11-16 04:00 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-11-16 04:00 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-11-16 04:00 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-14 06:46 . 2009-09-14 06:46 21520 ----a-w- c:\windows\system32\drivers\klim6.sys
2009-09-10 16:48 . 2009-11-16 03:32 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 11:01 . 2009-09-09 11:01 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-04 11:41 . 2009-11-16 03:32 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 09:44 . 2009-11-16 06:47 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 09:44 . 2009-11-16 06:47 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 09:44 . 2009-11-16 06:47 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 09:29 . 2009-11-16 06:47 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 09:29 . 2009-11-16 06:47 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 09:29 . 2009-11-16 06:47 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 09:29 . 2009-11-16 06:47 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 09:29 . 2009-11-16 06:47 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-01 07:29 . 2009-09-01 07:29 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-29 00:27 . 2009-11-16 03:34 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-11-16 03:34 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-11-16 05:53 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-11-16 05:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-11-16 05:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-11-16 05:53 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2005-06-08 04:10 . 2005-06-08 04:10 291840 --sh--r- c:\windows\System32\taskhosts.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2009-10-22 1700664]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2008-10-14 172032]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):18,aa,f7,f7,a9,ba,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3142713675-929850633-1584756281-1000]
"EnableNotificationsRef"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [9/14/2009 2:46 PM 21520]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/17/2009 11:51 AM 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [9/27/2009 4:48 PM 240232]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\System32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\System32\drivers\Lachesis.sys [11/16/2009 11:28 AM 12032]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/21/2008 10:21 AM 21504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ak101ss\AppData\Roaming\Mozilla\Firefox\Profiles\nlxd155x.default\
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 14:17
Windows 6.0.6002 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\ak101ss\AppData\Local\Temp\GMN9FF6.tmp"
.
Completion time: 2009-11-17 14:19
ComboFix-quarantined-files.txt 2009-11-17 06:18

Pre-Run: 98,191,110,144 bytes free
Post-Run: 98,168,877,056 bytes free

- - End Of File - - 61C2391D9AE0AD75E4EA6CFA490D6EE8

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt17th November 2009, 6:42 am

more_horiz
Trojan.Win32.Buzus.cmpt Mbamicontw5 Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt17th November 2009, 7:09 am

more_horiz
No restart was required

EDIT : KASPERSKY IS '10 STILL NOTIFIES THAT THE VIRUS IS PRESENT EVEN AFTER THE SCAN.


Malwarebytes' Anti-Malware 1.41
Database version: 3185
Windows 6.0.6002 Service Pack 2

11/17/2009 3:08:05 PM
mbam-log-2009-11-17 (15-08-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 183362
Time elapsed: 17 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{o681su5w-e241-a001-12ck-i57dv207sbx0} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cerberus (Backdoor.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt17th November 2009, 7:57 am

more_horiz
Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt17th November 2009, 9:51 am

more_horiz
RunThis.bat failed to initialize during safe mode.. however i ran the catchme... it didnt work..

EDIT : I did run as administrator, but still failed to launch the script

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 17:32:19
Windows 6.0.6002 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden services & system hive ...

scanning hȋdden registry entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden processes: 0
hȋdden services: 0
hȋdden files: 0

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt17th November 2009, 4:18 pm

more_horiz
Please download the Kaspersky AVP Tool from Kaspersky-labs.com.
  • Save it to your desktop.
  • Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder.Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

    • System Memory
    • Startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the to right hand Corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then chooose The delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file name it Kas.
  • Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt18th November 2009, 6:12 am

more_horiz
It's done, thanks alot. Appreciate it.

Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.Win32.Buzus.cmpt File: C:\Windows\System32\taskhosts.exe

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt18th November 2009, 6:15 am

more_horiz
Good.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt18th November 2009, 10:05 am

more_horiz
Malwarebytes' Anti-Malware 1.41
Database version: 3192
Windows 6.0.6002 Service Pack 2

11/18/2009 6:04:48 PM
mbam-log-2009-11-18 (18-04-48).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 183675
Time elapsed: 14 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{o681su5w-e241-a001-12ck-i57dv207sbx0} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt18th November 2009, 10:30 am

more_horiz
Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt18th November 2009, 12:25 pm

more_horiz
Full Scan: completed 13 minutes ago (events: 2, objects: 265150, time: 00:58:51)
11/18/2009 7:10:38 PM Task started
11/18/2009 8:09:29 PM Task completed

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt18th November 2009, 12:55 pm

more_horiz
Please use Internet Explorer and run a BitDefender Online scan

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post the results in your next reply.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt15th December 2009, 7:30 am

more_horiz
BitDefender Online Scan will not load.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt15th December 2009, 7:33 am

more_horiz
Please run Trend Micro Housecall online scan.

  • Click Scan now.
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt15th December 2009, 7:55 am

more_horiz
there is no longer a housecall online scan, it's a downloadable program in which gets stuck at the update progress window.

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt15th December 2009, 10:19 am

more_horiz
Please run Panda ActiveScan online scan.

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply

descriptionTrojan.Win32.Buzus.cmpt EmptyRe: Trojan.Win32.Buzus.cmpt

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum