Trojan.Win32.Buzus.lxqn

spud17
spud17 Posts: 4,431 Forumite
Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
A friend absent-mindedly clicked on a 'flashing ad', and ended up with the 'Metropolitan Police' ransomware.

It's an ancient very low spec laptop running XP pro all up to date with free Avira.

Normal Mode and Safe Mode both gave a completely white screen.

Ctrl+Alt+Del was the only thing I found that was working.
Last evening after a bit of Googling/Bleeping Computer, I decided to try Kaspersky rescue disk. This took 2+ hrs to scan but removed Trojan.Win32.Buzus.lxqn.

This evening it booted up as normal and a Malwarebytes scan came back clear.

Any suggestions about my next action?
Move along, nothing to see.

Comments

  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Make sure third party programs are updated, not just the OS.

    Adobe Flash, Reader, Java RE etc. Make sure older versions are removed.

    Secunia shows the most commonly targeted.

    http://secunia.com/products/consumer/osi/online/

    Oh, and flush system restore.
  • spud17
    spud17 Posts: 4,431 Forumite
    Yup, everything up to date, Flash, Java etc, just missing the latest MS updates (patch Tues).
    He prefers to use IE, despite having Chrome with Adblock, I don't know which site he was on when he picked up the trojan, but it certainly would only have been the BBC or something similar.

    Just noticed that DDS has stalled and the laptop is completely unresponsive.
    Move along, nothing to see.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    spud17 wrote: »
    Just noticed that DDS has stalled and the laptop is completely unresponsive.

    Still having problems? Try this version.

    LINK

    Expand Scan & check attach.txt > Expand options for DDS.txt & uncheck Check MBR

    See if that runs.
  • spud17
    spud17 Posts: 4,431 Forumite
    Getting late now, so will try that link tomorrow evening.
    My bad, Java is out of date.
    Just updating Avira, and looking to get rid of some of the accumulated carp.
    ps have flushed system restore.
    Move along, nothing to see.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    No problem.

    DDS should only take 2-3 minutes in any case. ;)
  • spud17
    spud17 Posts: 4,431 Forumite
    waddler_8 wrote: »
    No problem.

    DDS should only take 2-3 minutes in any case. ;)

    I know, :) but some of us have to be on site for 7.30am,
    I've uninstalled all the BT router software and some other stuff I consider unnecessary (with his permission), DDS ran correctly from your link.

    DDS (Ver_2011-09-30.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Laurence at 21:07:59 on 2012-08-17
    #Option MBR scan is disabled.
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.447.241 [GMT 1:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\atievxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://news.bbc.co.uk/
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    uRun: [Google Update] "c:\documents and settings\laurence\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234617541755
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234638542717
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 10.0.0.1
    TCP: Interfaces\{7126894D-4990-43A6-90E8-A9BA52AA88C4} : DHCPNameServer = 10.0.0.1
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 https://www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-5 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-11-20 116608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-5 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-5 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-5 66616]
    R3 Maestro;ESS Maestro2E Audio Driver (WDM);c:\windows\system32\drivers\essm2e.sys [2009-2-14 137600]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 250056]
    S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-9-27 584832]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]
    .
    =============== Created Last 30 ================
    .
    2012-08-17 17:47:28 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
    2012-08-16 20:00:43 d-----w- c:\program files\VS Revo Group
    2012-08-15 21:11:27 d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-08-14 17:51:33 9232584 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    .
    ==================== Find3M ====================
    .
    2012-08-14 17:52:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-14 17:52:48 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-07-03 12:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05:43 385024 ----a-w- c:\windows\system32\html.iec
    2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 14:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 14:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 14:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 14:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 14:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 14:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 14:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 14:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
    .
    ============= FINISH: 21:09:02.09 ===============
    Move along, nothing to see.
  • spud17
    spud17 Posts: 4,431 Forumite
    FYI, result of the Kaspersky Rescue Disk scan,


    Objects Scan: completed <1 minute ago (events: 13, objects: 96692, time: 02:07:59)
    8/15/12 11:36 PM Task completed
    8/15/12 11:35 PM Deleted: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Local Settings/Temp/23082118loa4863851.exe
    8/15/12 11:35 PM Detected: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Local Settings/Temp/23082118loa4863851.exe
    8/15/12 11:35 PM Deleted: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Application Data/msconfig.dat
    8/15/12 11:34 PM Disinfected: Trojan.Win32.Buzus.lxqn HKEY_USERS\S-1-5-21-1614895754-1343024091-1957994488-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon/Shell
    8/15/12 11:31 PM Detected: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Application Data/msconfig.dat
    8/15/12 11:28 PM Untreated: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Application Data/msconfig.dat Postponed
    8/15/12 11:28 PM Detected: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Application Data/msconfig.dat
    8/15/12 9:46 PM Untreated: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Local Settings/Temp/23082118loa4863851.exe Postponed
    8/15/12 9:46 PM Detected: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Local Settings/Temp/23082118loa4863851.exe
    8/15/12 9:31 PM Untreated: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Application Data/msconfig.dat Postponed
    8/15/12 9:31 PM Detected: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Application Data/msconfig.dat
    8/15/12 9:27 PM Task started
    Move along, nothing to see.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    edited 17 August 2012 at 9:41PM
    It looks fine.

    I would make sure this horrible software is uninstalled:
    S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
    It looks as though it is, with only the service key remaining.


    Check for rootkits?

    It should only take a couple of minutes.

    Download aswMBR and save it to your Desktop.

    http://public.avast.com/~gmerek/aswMBR.exe

    • Double click aswMBR.exe to run it.
    • Set the AV Scan to (None)
    • Click the Scan button.
    • Wait till the scan reports "Scan finished successfully"
    • Click Save log & save the log to your desktop.
    • Click OK
    • Two files will be created, aswMBR.txt & a file named MBR.dat
    • Click EXIT.
    • Copy & Paste the contents of aswMBR.txt into your next reply.
    Don't click to fix anything yet, just post the log
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    spud17 wrote: »
    FYI, result of the Kaspersky Rescue Disk scan,

    8/15/12 11:35 PM Detected: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Local Settings/Temp/23082118loa4863851.exe

    8/15/12 11:35 PM Deleted: Trojan.Win32.Buzus.lxqn C:/Documents and Settings/Laurence/Application Data/msconfig.dat

    8/15/12 11:34 PM Disinfected: Trojan.Win32.Buzus.lxqn HKEY_USERS\S-1-5-21-1614895754-1343024091-1957994488-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon/Shell

    Loads MSConfig.dat via the shell value of the winlogon key.

    virustotal


    ThreatExpert

    CRDF Threat Center
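    The persistence point waddler_8 identifies above (the Shell value under the Winlogon key) is worth checking on any machine that showed this lock screen, since the ransomware replaces it so that its own executable runs instead of the desktop. The PowerShell below is an added example, not code from this thread or from any of the tools mentioned; it reads the Shell and Userinit values from HKLM and from every loaded user hive and flags anything that is not the Windows default. Run it from an elevated prompt; the expected values assume a standard Windows install.

```powershell
# Added example: audit Winlogon Shell/Userinit values for hijacking.
# Defaults assumed for a standard Windows install; adjust if your build differs.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

# HKLM is the machine-wide location; per-user copies live under HKEY_USERS\<SID>.
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { $keys += "HKU:\$($_.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" }

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $value = $props.$name
        if ($null -eq $value) { continue }          # per-user hives normally carry no Shell/Userinit at all
        if ($key -like 'HKU:*') {
            # Any Shell/Userinit value in a user hive overrides the machine default: treat as suspect.
            "SUSPECT  $key\$name = $value  (per-user override present)"
        } elseif ($value.Trim() -ieq $expected[$name]) {
            "OK       $key\$name = $value"
        } else {
            "SUSPECT  $key\$name = $value  (expected '$($expected[$name])')"
        }
    }
}
```

    A SUSPECT line pointing at something like a file under Application Data or Temp is the same pattern the Kaspersky log shows; note the value before changing it so the referenced file can be collected and checked.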
  • spud17
    spud17 Posts: 4,431 Forumite
    I also saw the Spyhunter, think it remains from when he tried to get rid of one of those hoax virus messages that were around a couple of years back.

    Already run aswMBR yesterday, but have just run it again

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-17 21:53:53
    21:53:53.612 OS Version: Windows 5.1.2600 Service Pack 3
    21:53:53.612 Number of processors: 1 586 0x806
    21:53:53.612 ComputerName: LAURENCE-615FDE UserName: Laurence
    21:53:54.443 Initialize success
    21:54:03.936 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    21:54:03.936 Disk 0 Vendor: FUJITSU_MHV2040AH 00000096 Size: 38154MB BusType: 3
    21:54:03.956 Disk 0 MBR read successfully
    21:54:03.956 Disk 0 MBR scan
    21:54:03.956 Disk 0 Windows XP default MBR code
    21:54:03.956 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
    21:54:03.966 Disk 0 scanning sectors +78140160
    21:54:04.067 Disk 0 scanning C:\WINDOWS\system32\drivers
    21:54:21.982 Service scanning
    21:54:36.774 Modules scanning
    21:54:46.047 Disk 0 trace - called modules:
    21:54:46.087 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
    21:54:46.087 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8438d9c0]
    21:54:46.087 3 CLASSPNP.SYS[f753afd7] -> nt!IofCallDriver -> \Device\00000076[0x84392180]
    21:54:46.428 5 ACPI.sys[f74b1620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8438fd98]
    21:54:46.428 Scan finished successfully
    21:55:01.489 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Laurence\My Documents\MBR.dat"
    21:55:01.519 The log file has been saved successfully to "C:\Documents and Settings\Laurence\My Documents\aswMBR 2.txt"
    Move along, nothing to see.
This discussion has been closed.