Full Version: Detected but not removed - Trojan.Win32.Buzus.cdda
Kaspersky Lab Forum > Forum for Spanish-speaking users > Virus
fedeperez94
KIS 2010. A little while ago someone sent me a photo over MSN. Kaspersky reported it as the trojan Trojan.Win32.Buzus.cdda, but it said it could not delete it. I looked in the received files folder and there is nothing there.

This is what appeared:
08/10/2009 10:28:55 a.m. Cannot be deleted: Trojan.Win32.Buzus.cdda Microsoft Windows Search Protocol Host C:\USERS\FEDE\Documents\MIS ARCHIVOS RECIBIDOS\n765574915_1072944_2278picss.jpg.exe
RadarpSP
Welcome.
We need the AVZ log to examine the problem.
The rules explain how to do it: http://forum.kaspersky.com/index.php?showtopic=84286
Run the antivirus after booting into safe mode.
fedeperez94
QUOTE(RadarpSP @ 8.10.2009 11:44)
Welcome.
We need the AVZ log to examine the problem.
The rules explain how to do it: http://forum.kaspersky.com/index.php?showtopic=84286
Run the antivirus after booting into safe mode.


08/10/2009 12:19:53 p.m. Windows version: Windows Vista ™ Home Premium, Build=6001, SP="Service Pack 1"
08/10/2009 12:19:53 p.m. System Restore: enabled
08/10/2009 12:20:06 p.m. 1.1 Searching for user-mode API hooks
08/10/2009 12:20:06 p.m. Analysis: kernel32.dll, export table found in section .text
08/10/2009 12:20:06 p.m. Function kernel32.dll:CreateProcessA (151) intercepted, method ProcAddressHijack.GetProcAddress ->76641C36->61F03F42
08/10/2009 12:20:06 p.m. Hook kernel32.dll:CreateProcessA (151) blocked
08/10/2009 12:20:06 p.m. Function kernel32.dll:CreateProcessW (154) intercepted, method ProcAddressHijack.GetProcAddress ->76641C01->61F04040
08/10/2009 12:20:06 p.m. Hook kernel32.dll:CreateProcessW (154) blocked
08/10/2009 12:20:06 p.m. Function kernel32.dll:FreeLibrary (335) intercepted, method ProcAddressHijack.GetProcAddress ->766808F8->61F041FC
08/10/2009 12:20:06 p.m. Hook kernel32.dll:FreeLibrary (335) blocked
08/10/2009 12:20:06 p.m. Function kernel32.dll:GetModuleFileNameA (503) intercepted, method ProcAddressHijack.GetProcAddress ->7668440D->61F040FB
08/10/2009 12:20:06 p.m. Hook kernel32.dll:GetModuleFileNameA (503) blocked
08/10/2009 12:20:06 p.m. Function kernel32.dll:GetModuleFileNameW (504) intercepted, method ProcAddressHijack.GetProcAddress ->766858E5->61F041A0
08/10/2009 12:20:06 p.m. Hook kernel32.dll:GetModuleFileNameW (504) blocked
08/10/2009 12:20:06 p.m. Function kernel32.dll:GetProcAddress (548) intercepted, method ProcAddressHijack.GetProcAddress ->7668B8B6->61F04648
08/10/2009 12:20:06 p.m. Hook kernel32.dll:GetProcAddress (548) blocked
08/10/2009 12:20:06 p.m. Function kernel32.dll:LoadLibraryA (759) intercepted, method ProcAddressHijack.GetProcAddress ->76669491->61F03C6F
08/10/2009 12:20:06 p.m. Hook kernel32.dll:LoadLibraryA (759) blocked
08/10/2009 12:20:06 p.m. >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
08/10/2009 12:20:06 p.m. Function kernel32.dll:LoadLibraryExA (760) intercepted, method ProcAddressHijack.GetProcAddress ->76669469->61F03DAF
08/10/2009 12:20:06 p.m. Hook kernel32.dll:LoadLibraryExA (760) blocked
08/10/2009 12:20:06 p.m. >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
08/10/2009 12:20:06 p.m. Function kernel32.dll:LoadLibraryExW (761) intercepted, method ProcAddressHijack.GetProcAddress ->766630C3->61F03E5A
08/10/2009 12:20:06 p.m. Hook kernel32.dll:LoadLibraryExW (761) blocked
08/10/2009 12:20:06 p.m. Function kernel32.dll:LoadLibraryW (762) intercepted, method ProcAddressHijack.GetProcAddress ->7666361F->61F03D0C
08/10/2009 12:20:06 p.m. Hook kernel32.dll:LoadLibraryW (762) blocked
08/10/2009 12:20:06 p.m. IAT modification detected: LoadLibraryW - 01940010<>7666361F
08/10/2009 12:20:06 p.m. Analysis: ntdll.dll, export table found in section .text
08/10/2009 12:20:06 p.m. Analysis: user32.dll, export table found in section .text
08/10/2009 12:20:06 p.m. Analysis: advapi32.dll, export table found in section .text
08/10/2009 12:20:06 p.m. Analysis: ws2_32.dll, export table found in section .text
08/10/2009 12:20:06 p.m. Analysis: wininet.dll, export table found in section .text
08/10/2009 12:20:06 p.m. Analysis: rasapi32.dll, export table found in section .text
08/10/2009 12:20:07 p.m. Analysis: urlmon.dll, export table found in section .text
08/10/2009 12:20:07 p.m. Analysis: netapi32.dll, export table found in section .text
08/10/2009 12:20:14 p.m. 1.2 Searching for kernel-mode API hooks
08/10/2009 12:21:58 p.m. Driver loaded successfully
08/10/2009 12:21:58 p.m. SDT found (RVA=137B00)
08/10/2009 12:21:58 p.m. Kernel ntkrnlpa.exe found in memory at address 8323F000
08/10/2009 12:21:58 p.m. SDT = 83376B00
08/10/2009 12:21:58 p.m. KiST = 832F78E0 (391)
08/10/2009 12:21:59 p.m. Function NtAlpcConnectPort (15) intercepted (8342B17B->90A26E06), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtAlpcCreatePort (16) intercepted (833FB7B2->90A26F84), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtAlpcSendWaitReceivePort (26) intercepted (8346AAC8->90A27014), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtClose (30) intercepted (8345C8C5->90A25DF8), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtConnectPort (36) intercepted (8340B7F1->90A264EA), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtCreateEvent (3A) intercepted (834676A4->90A26816), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtCreateFile (3C) intercepted (83465F86->90A25F66), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtCreateMutant (43) intercepted (83475B97->90A266EE), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtCreateNamedPipeFile (44) intercepted (8340D0A8->90A259D2), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtCreatePort (47) intercepted (833D6581->90A265AA), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:00 p.m. Function NtCreateSection (4B) intercepted (83488127->90A25B8C), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:00 p.m. >>> Function restored successfully !
08/10/2009 12:22:00 p.m. >>> Hook code blocked
08/10/2009 12:22:01 p.m. Function NtCreateSemaphore (4C) intercepted (8341F08E->90A26948), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:01 p.m. >>> Function restored successfully !
08/10/2009 12:22:01 p.m. >>> Hook code blocked
08/10/2009 12:22:01 p.m. Function NtCreateWaitablePort (73) intercepted (833CCC77->90A2664C), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:01 p.m. >>> Function restored successfully !
08/10/2009 12:22:01 p.m. >>> Hook code blocked
08/10/2009 12:22:01 p.m. Function NtFsControlFile (96) intercepted (8346893D->90A260C4), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:01 p.m. >>> Function restored successfully !
08/10/2009 12:22:01 p.m. >>> Hook code blocked
08/10/2009 12:22:01 p.m. Function NtOpenEvent (B8) intercepted (834250DF->90A268B8), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:01 p.m. >>> Function restored successfully !
08/10/2009 12:22:01 p.m. >>> Hook code blocked
08/10/2009 12:22:01 p.m. Function NtOpenFile (BA) intercepted (8344F5FD->90A25E34), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:01 p.m. >>> Function restored successfully !
08/10/2009 12:22:01 p.m. >>> Hook code blocked
08/10/2009 12:22:01 p.m. Function NtOpenMutant (BF) intercepted (8346C264->90A26786), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:01 p.m. >>> Function restored successfully !
08/10/2009 12:22:01 p.m. >>> Hook code blocked
08/10/2009 12:22:01 p.m. Function NtOpenSection (C5) intercepted (834677C2->90A2745C), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:01 p.m. >>> Function restored successfully !
08/10/2009 12:22:01 p.m. >>> Hook code blocked
08/10/2009 12:22:01 p.m. Function NtOpenSemaphore (C6) intercepted (833EA82B->90A269EA), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:01 p.m. >>> Function restored successfully !
08/10/2009 12:22:01 p.m. >>> Hook code blocked
08/10/2009 12:22:02 p.m. Function NtQueryDirectoryObject (DB) intercepted (83469498->90A27214), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:02 p.m. >>> Function restored successfully !
08/10/2009 12:22:02 p.m. >>> Hook code blocked
08/10/2009 12:22:02 p.m. Function NtReplyPort (10E) intercepted (83435EC8->90A26D74), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:02 p.m. >>> Function restored successfully !
08/10/2009 12:22:02 p.m. >>> Hook code blocked
08/10/2009 12:22:02 p.m. Function NtReplyWaitReceivePort (10F) intercepted (8345B2C7->90A26C3A), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:02 p.m. >>> Function restored successfully !
08/10/2009 12:22:02 p.m. >>> Hook code blocked
08/10/2009 12:22:02 p.m. Function NtSecureConnectPort (11E) intercepted (8340B203->90A261F0), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:02 p.m. >>> Function restored successfully !
08/10/2009 12:22:02 p.m. >>> Hook code blocked
08/10/2009 12:22:02 p.m. Function NtSetInformationToken (133) intercepted (8341A8F0->90A272C8), hook C:\Windows\system32\DRIVERS\klif.sys, driver recognized as trusted
08/10/2009 12:22:02 p.m. >>> Function restored successfully !
08/10/2009 12:22:02 p.m. >>> Hook code blocked
08/10/2009 12:22:06 p.m. Functions checked: 391, intercepted: 24, restored: 24
08/10/2009 12:22:06 p.m. 1.3 Checking IDT and SYSENTER
08/10/2009 12:22:06 p.m. Analysis for CPU 1
08/10/2009 12:22:06 p.m. Analysis for CPU 2
08/10/2009 12:22:06 p.m. Checking IDT and SYSENTER - complete
08/10/2009 12:22:16 p.m. 1.4 Searching for masking processes and drivers
08/10/2009 12:22:16 p.m. Checking not performed: extended monitoring driver (AVZPM) is not installed
08/10/2009 12:22:52 p.m. Driver loaded successfully
08/10/2009 12:22:52 p.m. 1.5 Checking of IRP handlers
08/10/2009 12:22:53 p.m. \driver\tcpip[IRP_MJ_CREATE_NAMED_PIPE] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:22:57 p.m. \driver\tcpip[IRP_MJ_READ] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:22:58 p.m. \driver\tcpip[IRP_MJ_WRITE] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:22:59 p.m. \driver\tcpip[IRP_MJ_QUERY_INFORMATION] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:00 p.m. \driver\tcpip[IRP_MJ_SET_INFORMATION] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:01 p.m. \driver\tcpip[IRP_MJ_QUERY_EA] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:02 p.m. \driver\tcpip[IRP_MJ_SET_EA] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:03 p.m. \driver\tcpip[IRP_MJ_FLUSH_BUFFERS] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:04 p.m. \driver\tcpip[IRP_MJ_QUERY_VOLUME_INFORMATION] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:04 p.m. \driver\tcpip[IRP_MJ_SET_VOLUME_INFORMATION] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:05 p.m. \driver\tcpip[IRP_MJ_DIRECTORY_CONTROL] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:05 p.m. \driver\tcpip[IRP_MJ_FILE_SYSTEM_CONTROL] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:06 p.m. \driver\tcpip[IRP_MJ_SHUTDOWN] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:06 p.m. \driver\tcpip[IRP_MJ_LOCK_CONTROL] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:07 p.m. \driver\tcpip[IRP_MJ_CREATE_MAILSLOT] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:07 p.m. \driver\tcpip[IRP_MJ_QUERY_SECURITY] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:08 p.m. \driver\tcpip[IRP_MJ_SET_SECURITY] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:09 p.m. \driver\tcpip[IRP_MJ_POWER] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:09 p.m. \driver\tcpip[IRP_MJ_SYSTEM_CONTROL] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:10 p.m. \driver\tcpip[IRP_MJ_DEVICE_CHANGE] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:11 p.m. \driver\tcpip[IRP_MJ_QUERY_QUOTA] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:11 p.m. \driver\tcpip[IRP_MJ_SET_QUOTA] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:11 p.m. \driver\tcpip[IRP_MJ_PNP] = 83264FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
08/10/2009 12:23:12 p.m. Checking - complete
08/10/2009 12:23:19 p.m. C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
08/10/2009 12:23:19 p.m. C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\MSVCP80.dll>>> Behavioral analysis
08/10/2009 12:23:19 p.m. Behaviour typical for keyloggers not detected
08/10/2009 12:23:20 p.m. C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
08/10/2009 12:23:20 p.m. C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\MSVCR80.dll>>> Behavioral analysis
08/10/2009 12:23:20 p.m. Behaviour typical for keyloggers not detected
08/10/2009 12:23:33 p.m. Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
08/10/2009 12:25:05 p.m. Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"
08/10/2009 12:25:11 p.m. >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
08/10/2009 12:25:11 p.m. >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
08/10/2009 12:25:11 p.m. >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
08/10/2009 12:25:11 p.m. > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
08/10/2009 12:25:11 p.m. >> Security: disk drives' autorun is enabled
08/10/2009 12:25:11 p.m. >> Security: administrative shares (C$, D$ ...) are enabled
08/10/2009 12:25:12 p.m. >> Security: anonymous user access is enabled
08/10/2009 12:25:14 p.m. >> Security: sending Remote Assistant queries is enabled
08/10/2009 12:25:52 p.m. >> Disable HDD autorun
08/10/2009 12:25:53 p.m. >> Disable autorun from network drives
08/10/2009 12:25:54 p.m. >> Disable CD/DVD autorun
08/10/2009 12:25:55 p.m. >> Disable removable media autorun
08/10/2009 12:25:57 p.m. System Analysis in progress
08/10/2009 12:58:23 p.m. System Analysis - complete
08/10/2009 12:58:23 p.m. Delete file:C:\Users\Fede\Desktop\Virus Removal Tool\is-HNDP5\LOG\avptool_syscheck.htm
08/10/2009 12:58:23 p.m. Delete file:C:\Users\Fede\Desktop\Virus Removal Tool\is-HNDP5\LOG\avptool_syscheck.xml
08/10/2009 12:58:23 p.m. Deleting service/driver: utixmtaz
08/10/2009 12:58:23 p.m. Delete file:C:\Windows\system32\Drivers\utixmtaz.sys
08/10/2009 12:58:23 p.m. Deleting service/driver: ujixmtaz
08/10/2009 12:58:23 p.m. Script executed without errors
Caos
As RadarpSp already told you, read the forum rules and post all the information they ask for. You need to upload the GSI file and the AVZ log file so they can be reviewed (do not paste the text into the forum).

Regards