Solved! Use LSASSV.EXE (Trojan Buzus) Removal Guide

I recommend UnHackMe (Ultimate Malware Killer) for fast malware removal; a fully functional 30-day trial is available and no credit card is required.

LSASSV.EXE – Trojan Buzus removal

File         MD5                               Virus alias
LSASSV.EXE   861f736b19a23fddb8a7dba640d2b5ed  Trojan Buzus
LSASSV.EXE   861f736b19a23fddb8a7dba640d2b5ed  Trojan Generic
LSASSV.EXE   861f736b19a23fddb8a7dba640d2b5ed  Trojan Fesber

LSASSV.EXE size: 131997 bytes
LSASSV.EXE hash: 861F736B19A23FDDB8A7DBA640D2B5ED

Created files:

C:\windows\calc.exe
C:\windows\lsassv.exe
C:\windows\msrpc.exe
C:\windows\mui\rctfd.sys
C:\windows\regedit2.exe
C:\windows\wdfmgr.exe
%Common Startmenu%\Programs\Startup\AdobeLoader.scr

Autostart registry keys and wdfmgr service configuration (DWORD values are shown as little-endian hex, so Start 02000000 is SERVICE_AUTO_START and Type 20010000 is 0x120, a share-process, interactive service). The service borrows the display name and description of the legitimate Windows font cache services, which run under svchost.exe or PresentationFontCache.exe, never from c:\windows\wdfmgr.exe; that ImagePath is the tell. SBIE_CheckPoint is a Sandboxie artifact from the analysis environment, not a value the sample writes:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc: c:\windows\msrpc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\wdfmgr: c:\windows\wdfmgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr: c:\windows\wdfmgr.exe
HKLM\System\CurrentControlSet\Services\wdfmgr\SBIE_CheckPoint: C8000000
HKLM\System\CurrentControlSet\Services\wdfmgr\DependOnService: RpcSs
HKLM\System\CurrentControlSet\Services\wdfmgr\Description: Optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data.
HKLM\System\CurrentControlSet\Services\wdfmgr\DisplayName: Windows Font Cache
HKLM\System\CurrentControlSet\Services\wdfmgr\Group: PlugPlay
HKLM\System\CurrentControlSet\Services\wdfmgr\ObjectName: LocalSystem
HKLM\System\CurrentControlSet\Services\wdfmgr\ImagePath: c:\windows\wdfmgr.exe
HKLM\System\CurrentControlSet\Services\wdfmgr\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\wdfmgr\PlugPlayServiceType: 03000000
HKLM\System\CurrentControlSet\Services\wdfmgr\Start: 02000000
HKLM\System\CurrentControlSet\Services\wdfmgr\Type: 20010000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr: c:\windows\wdfmgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsassv: c:\windows\lsassv.exe

Detected by UnHackMe:

LSASSV.EXE
Default location: %WinDir%\LSASSV.EXE

Dropper information:
MD5: b880fe2cc0e243ef510a4bdea0dcc495
File size: 131954 bytes
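The file paths, Run-key values, service settings and MD5 hashes listed above can be checked on a suspect machine with the following read-only PowerShell sweep. This is an added example and is not part of UnHackMe or of the original page. It assumes Windows PowerShell 5.1 (Get-FileHash needs 4.0 or later), that the malware used %WinDir% exactly as the file list shows, and that it is run elevated as the user who was logged on when the infection happened, since the HKCU entries are per user. The IOC sets and the svchost/PresentationFontCache comparison are taken from the page; everything else is illustrative.

```powershell
# Added IOC sweep for the LSASSV.EXE / Trojan Buzus indicators on this page.
# Example code, not UnHackMe. Run from an elevated Windows PowerShell 5.1 prompt
# as the user who was logged on when infected (HKCU keys are per user).
# Assumptions: Get-FileHash is available (PowerShell 4.0+) and %WinDir% is the
# directory the page's file list refers to. The script only reads; it removes nothing.

# MD5 hashes published on the page (sample and dropper).
$KnownMd5 = @{
    '861F736B19A23FDDB8A7DBA640D2B5ED' = 'LSASSV.EXE (Trojan Buzus / Generic / Fesber)'
    'B880FE2CC0E243EF510A4BDEA0DCC495' = 'dropper'
}

# Files the sample creates, resolved from %WinDir% and the common Start Menu.
$startup = Join-Path ([Environment]::GetFolderPath('CommonStartMenu')) 'Programs\Startup\AdobeLoader.scr'
$DroppedFiles = @(
    "$env:WinDir\calc.exe",          # the stock calc.exe lives under System32, not directly in %WinDir%
    "$env:WinDir\lsassv.exe",
    "$env:WinDir\msrpc.exe",
    "$env:WinDir\mui\rctfd.sys",
    "$env:WinDir\regedit2.exe",
    "$env:WinDir\wdfmgr.exe",
    $startup
)

# Run-key values the sample writes (key path, value name), as listed on the page.
$RunValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'msrpc'  },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'wdfmgr' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices';           Name = 'wdfmgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'wdfmgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'lsassv' }
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files: report presence and whether the MD5 matches a published hash.
foreach ($path in $DroppedFiles) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
    $label = if ($KnownMd5.ContainsKey($md5)) { "known sample: $($KnownMd5[$md5])" } else { 'hash not on the page; inspect manually' }
    $findings.Add("FILE    $path  MD5=$md5  ($label)")
}

# 2. Run-key persistence: a missing key or value is silently skipped.
foreach ($rv in $RunValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings.Add("RUNKEY  $($rv.Key)\$($rv.Name) = $($item.$($rv.Name))")
    }
}

# 3. The fake "Windows Font Cache" service. Registry DWORDs come back as integers,
#    so Start 2 is SERVICE_AUTO_START and Type 0x120 is share-process + interactive.
$svcKey = 'HKLM:\System\CurrentControlSet\Services\wdfmgr'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $startName = switch ($svc.Start) { 2 { 'SERVICE_AUTO_START' } 3 { 'SERVICE_DEMAND_START' } default { $svc.Start } }
    $findings.Add("SERVICE wdfmgr DisplayName='$($svc.DisplayName)' ImagePath='$($svc.ImagePath)' Start=$startName Type=0x$('{0:X}' -f $svc.Type)")
    # Legitimate font cache services run under svchost.exe or PresentationFontCache.exe.
    if ($svc.ImagePath -notmatch 'svchost\.exe|PresentationFontCache\.exe') {
        $findings.Add("        -> ImagePath is a standalone EXE, not a genuine font cache service host")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No LSASSV.EXE / Trojan Buzus indicators found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output $_ }
}
```

A hash that does not match the published MD5 does not clear a file: a file at one of these paths is suspicious on its own, and the page itself lists two different sizes and hashes for the sample and its dropper. Treat the sweep as triage input for the removal steps, not as a verdict.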
