How to Prevent and Remove the Trojan.Win32.Buzus
Submitted by AndyHuang, Sat, 16 Oct 2010
1. What is the Trojan.Win32.Buzus
Trojan Win32 Buzus, also known as Trojan.Buzus, is one of the more dangerous Trojans. This is because, once Trojan Win32 Buzus installs itself on your computer, it opens a security hole that is used by hackers to access your personal information, including credit card and Social Security numbers. Consequently, Trojan Win32 Buzus should be removed immediately to avoid serious privacy problems. Note that the removal steps below apply to the Windows Vista and Windows 7 operating systems.

2. Technical Details

a. Files created

The following files were created in the system:

No.  Filename                                                    Size
1    %Windir%\msefrt.dll                                         79,872 bytes
2    %System%\NvNcTray.exe                                       79,872 bytes
3    %System%\NvTaskbarIni.exe ([file and pathname of the sample #1])  489,984 bytes

Notes: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt. %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications

There was a new process created in the system:

Process Name   Process Filename         Main Module Size
NvNcTray.exe   %System%\nvnctray.exe    90,112 bytes

Attention! The following processes were intentionally hidden from the user:

Process Name                   Main Module Size
[filename of the sample #1]    278,528 bytes

There were new memory pages created in the address space of the system process(es):

Process Name   Process Filename         Allocated Size
explorer.exe   %Windir%\explorer.exe    20,480 bytes

The following modules were loaded into the address space of other process(es):

Module Name    Module Filename
msefrt.dll     %Windir%\msefrt.dll

The following system services were modified:

Service Name   Display Name               New Status   Service Filename
ERSvc          Error Reporting Service    "Stopped"    %System%\svchost.exe -k netsvcs
wscsvc         Security Center            "Stopped"    %System%\svchost.exe -k netsvcs

Notes: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

c. Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab
HKEY_LOCAL_MACHINE\SOFTWARE\Nvideo2
HKEY_CURRENT_USER\Software\Nvideo2

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
UACDisableNotify = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
EnableLUA = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab]
Yjutiheha = 32 01 32 03 37 05 33 07 38 09 49 0B 49 0D 3D 0F 22 11 25 13 52 15 50 17 2C 19 2E 1B 58 1D 29 1F 18 21 1A 23 16 25 67 27 6D 29 1F 2B 6A 2D 1B 2F 02 31 06 33 02 35 75 37 7B 39 0C 3B 7A 3D 7D 3F 40 41
Hxaluqidefay = 43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F 47 11 41 13 48 15 7B 17 6B 19 7F 1B 7A 1D 6C 1F 54 21 0C 23 40 25 4A 27 44 29 2A 2B
Sheqid = "168"
Lmehuqufuna = 31 01 31 03 35 05 30 07 08 09

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Nvidia Control Center2 = "%System%\NvTaskbarIni.exe"
Pwulinubesida = "rundll32.exe "%Windir%\msefrt.dll",Startup"

The two Run values make NvTaskbarIni.exe run, and msefrt.dll load through rundll32.exe, every time Windows starts.

d. Other details

The following ports were open in the system:

Port   Protocol   Process
1090   TCP        [file and pathname of the sample #1]
1091   TCP        [file and pathname of the sample #1]
1093   TCP        [file and pathname of the sample #1]
1094   TCP        [file and pathname of the sample #1]

There were registered attempts to establish connections with remote hosts. The connection details are:

Remote Host        Port Number
136.248.126.131    25
65.55.88.22        25
202.150.208.66     80
72.233.89.199      80

The data identified by the following URL was then requested from the remote web server: http://whatismyip.com/automation/n09230945.asp

e. Generated SMTP traffic

Email Senders:
Email Recipients: [user's email address]

3. How-to's

a. How to prevent the Trojan.Win32.Buzus?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these Trojans, it will break those connections and keep your network and business secure.

b. How to Remove the Trojan.Win32.Buzus Manually?

Step 1: End Processes

1. Press "Ctrl" + "Shift" + "Esc" to open the Windows Task Manager.
2. Click on the "Processes" tab of the Windows Task Manager.
3. Click on "Show Processes From All Users."
4. End the following processes. To end a process, right-click on it and select "End Process."

wshost32.exe
ccdrive32.exe
freddy73.exe
iexplorer7.exe
w7services.exe
winupdater09.exe
SYSTEMROOT\system32\rundll94.exe
SYSTEMROOT\system32\winamp.exe
SYSTEMROOT\System32\rs32net.exe
pwrmgr.exe
ncsjapi32.exe

5. Close the Windows Task Manager.

Step 2: Delete Files

1. Click on the "Start" menu and then click on the "Search Programs and Files" box.
2. Search for and delete the following files. To delete a file, right-click on it and select "Delete."

wshost32.exe
ccdrive32.exe
freddy73.exe
iexplorer7.exe
w7services.exe
winupdater09.exe
Hotfix-KB5504305
pwrmgr.exe
ncsjapi32.exe
Intelli Mouse Pro Version 2.0B
SYSTEMROOT\system32\rundll94.exe
SYSTEMROOT\system32\winamp.exe
SYSTEMROOT\System32\rs32net.exe

3. Restart your computer.

c. How to Remove these Trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm.htm
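The host-side indicators listed in section 2 (dropped files, created registry keys, the two Run values, the UAC settings, the stopped services and the listening ports) can be checked before any manual removal with a read-only audit script. The following is an added example, not code from the article or from Ax3soft/Sax2; it assumes the paths, key names, service names and port numbers are exactly as section 2 lists them, and uses netstat rather than newer cmdlets so it runs on the Windows Vista/7 systems the article targets.

```powershell
# Added example (not from the original article): read-only audit of a Windows host
# for the Trojan.Win32.Buzus indicators listed in section 2. It reports only and
# changes nothing. Run from an elevated PowerShell prompt.
$findings = @()

# 2a. Files the sample drops
$files = @("$env:windir\msefrt.dll",
           "$env:SystemRoot\System32\NvNcTray.exe",
           "$env:SystemRoot\System32\NvTaskbarIni.exe")
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2c. Registry keys the sample creates
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab',
          'HKLM:\SOFTWARE\Nvideo2', 'HKCU:\Software\Nvideo2')
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 2c. Logon persistence: Run values that start NvTaskbarIni.exe or load msefrt.dll
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ("$($p.Value)" -match 'NvTaskbarIni\.exe|msefrt\.dll') {
            $findings += "Run entry '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2c. UAC tampering: EnableLUA = 0 and UACDisableNotify = 1
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system' -ErrorAction SilentlyContinue
if ($sys -and $sys.EnableLUA -eq 0) { $findings += 'UAC disabled (EnableLUA = 0)' }
$sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
if ($sc -and $sc.UACDisableNotify -eq 1) { $findings += 'UAC notifications disabled (UACDisableNotify = 1)' }

# 2b. Services the sample stops: Error Reporting (ERSvc) and Security Center (wscsvc)
foreach ($name in 'ERSvc', 'wscsvc') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') { $findings += "Service $name is $($s.Status)" }
}

# 2d. Listening TCP ports the sample opened (1090, 1091, 1093, 1094), via netstat
$pattern = '^\s*TCP\s+\S+:(109[0134])\s+\S+\s+LISTENING\s+(\d+)'
foreach ($m in (netstat -ano | Select-String -Pattern $pattern)) {
    $g = $m.Matches[0].Groups
    $findings += "TCP port $($g[1].Value) listening, owned by PID $($g[2].Value)"
}

if ($findings.Count -eq 0) { 'No Buzus indicators found.' } else { $findings }
```

A hit on any one item is only a lead, since the file and value names are easy to change between samples; a listening port or a disabled UAC setting on a machine that should have neither is the finding worth escalating.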
I'm a network security expert and have found that detecting and resolving network security problems with the intrusion software Sax2 is a good way. It can resolve many problems, such as ARP spoofing, SQL injection attacks, worms, backdoor Trojans and so on.
Source: ArticleTrader.com