Infected with C:\windows\system\wmibus.exe

#1 andy_pondy


Posted 03 March 2009 - 02:55 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/207822/infected-with-cwindowssystemwmibusexe/ ~ OB


I have been infected by some kind of trojan/virus located at C:\windows\system\wmibus.exe.
This link contains the exact description of my problem.

Even after cleaning the registry, deleting wmibus.exe and rebooting, the file comes back and all the registry settings come back. I have disabled the service wmibus from services.msc, run ComboFix and removed some of the EXEs which were found in the system32 folder.

In the registry there are also entries like the following, which reappear even after I delete them:

Name: Type
Data: 0x1

Name: Start
Data: 0x3

Name: ErrorControl
Data: 0x0

Name: ImagePath
Data: \??\C:\WINDOWS\System32\Drivers\vpmveiun.sys


The main problem is that svchost.exe starts taking up 100% CPU time, and there is internet traffic even when there is no application running and accessing the internet. When I open the browser (ANY) I cannot open any link. The "flow indicator" of the browser moves for a second and stops, and no page or links open.

There is a file called ndisio.sys in the C:\windows\system32\drivers\ folder.
When searching Google I found that this was a trojan and was told to delete it. When I delete this and reboot I lose my network connections, and no properties show up when I click the network icon in the taskbar. To undo this problem I have to do a Windows restore to get back to a previous day which has that file ndisio.sys.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Anand at 1:14:34.53 on Wed 03/04/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1363 [GMT 5.5:30]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Bret Taylor\Stickies\Stickies.exe
D:\Program Files\Apache2.2\bin\httpd.exe
D:\Program Files\Apache2.2\bin\httpd.exe
D:\Program Files\mySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Anand\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\localservice\rathyxv.exe \s
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [Stickies] c:\program files\bret taylor\stickies\\Stickies.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - d:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\web2~1\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235912587375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {3A619E52-4C9C-4C2D-93C1-0580AD7B796C} =,
TCP: {F7DA2B44-72ED-4CC9-AC44-2A32E28F16E8} =,
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anand\applic~1\mozilla\firefox\profiles\s68rcopm.default\
FF - component: c:\documents and settings\anand\application data\mozilla\firefox\profiles\s68rcopm.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\anand\local settings\application data\google\update\\npGoogleOneClick7.dll
FF - plugin: d:\program files\divx\divx web player\npdivx32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: d:\program files\picasa3\npPicasa3.dll
FF - plugin: d:\program files\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\real alternative\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-11-13 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-11-13 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-11-13 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-11-13 10760]
R2 Apache2.2;Apache2.2;d:\program files\apache2.2\bin\httpd.exe [2008-1-18 24635]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-11-13 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-11-13 49664]
S3 awrbifad;awrbifad;\??\c:\windows\system32\drivers\awrbifad.sys --> c:\windows\system32\drivers\awrbifad.sys [?]
S3 dukiqioa;dukiqioa;\??\c:\windows\system32\drivers\dukiqioa.sys --> c:\windows\system32\drivers\dukiqioa.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-5-2 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-5-2 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-5-2 81288]
S3 tudefjav;tudefjav;\??\c:\windows\system32\drivers\tudefjav.sys --> c:\windows\system32\drivers\tudefjav.sys [?]
S3 uicycklh;uicycklh;\??\c:\windows\system32\drivers\uicycklh.sys --> c:\windows\system32\drivers\uicycklh.sys [?]
S3 vbjozare;vbjozare;\??\c:\windows\system32\drivers\vbjozare.sys --> c:\windows\system32\drivers\vbjozare.sys [?]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEUsbser.sys [2008-6-11 97920]
S3 zwyizkrn;zwyizkrn;\??\c:\windows\system32\drivers\zwyizkrn.sys --> c:\windows\system32\drivers\zwyizkrn.sys [?]
S4 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-28 31592]
S4 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2008-5-2 356920]
S4 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2008-5-2 1079176]

=============== Created Last 30 ================

2009-03-04 00:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-04 00:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 23:56 --d----- c:\windows\ERUNT
2009-03-03 23:51 --d----- C:\SDFix
2009-03-03 23:20 --d----- c:\docume~1\anand\applic~1\Malwarebytes
2009-03-03 23:20 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 23:20 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-03 00:35 2,184 a------- c:\windows\system32\wpa.dbl
2009-03-01 20:03 --d----- c:\docume~1\anand\applic~1\Wireshark
2009-03-01 18:34 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-01 18:02 --d----- c:\documents and settings\anand\OngameNetwork
2009-03-01 18:01 --ds-r-- c:\program files\WinDriveGuard
2009-02-27 22:18 67,584 ----h--- c:\windows\system32\secupdat.dat
2009-02-27 22:18 51,904 a------- c:\windows\system32\drivers\ndisio.sys
2009-02-26 00:22 --d----- c:\program files\Microsoft SQL Server
2009-02-26 00:22 --d----- c:\program files\Microsoft Synchronization Services
2009-02-26 00:22 --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-02-26 00:20 --d----- c:\windows\system32\Visual Studio 2008Templates
2009-02-26 00:20 --d----- c:\windows\system32\Visual Studio 2008
2009-02-02 22:02 --d-hr-- C:\$VAULT$.AVG

==================== Find3M ====================

2009-01-06 04:03 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-14 04:00 12,186,636 -------- C:\avg7qt.dat
2008-04-22 01:49 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 1:15:00.95 ===============

Edited by Orange Blossom, 04 March 2009 - 09:18 PM.
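As an added example (not from the original thread or from DDS itself), a small Python triage script that applies the same checks a helper would make on the posted log: random eight-letter driver service names whose display name merely repeats the service name and whose image file DDS could not find (the `[?]` marker), plus extra executables appended to the Winlogon Userinit value. The sample input is a constructed subset of the log above, and the heuristics are this example's own assumptions, not DDS output rules.

```python
import re
# Constructed sample input: a subset of the DDS log posted above.
DDS_SNIPPET = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\localservice\rathyxv.exe \s
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-11-13 821856]
S3 awrbifad;awrbifad;\??\c:\windows\system32\drivers\awrbifad.sys --> c:\windows\system32\drivers\awrbifad.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-5-2 40840]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEUsbser.sys [2008-6-11 97920]
"""
# DDS service line: "<R|S><start> <name>;<display name>;<image path> [<date size> | ?]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")  # gibberish names like awrbifad, vbjozare
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(.*)$", re.IGNORECASE)
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # the only legitimate entry on XP

def service_findings(line):
    """Return the reasons (possibly none) a DDS service/driver line looks like malware persistence."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return []
    _, name, display, image, stamp = m.groups()
    reasons = []
    if RANDOM_NAME_RE.match(name):
        reasons.append("random 8-letter service name")
    if display == name:
        reasons.append("display name equals service name")
    if stamp == "?":
        reasons.append("DDS could not stat the image file (hidden or already deleted)")
    return reasons

def userinit_extras(line):
    """Return executables appended to the Winlogon Userinit value beyond the stock userinit.exe."""
    m = USERINIT_RE.match(line.strip())
    if not m:
        return []
    parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return [p for p in parts if p.lower() != EXPECTED_USERINIT]

def triage(log_text):
    """Map each flagged log line to its list of reasons; clean lines are omitted."""
    report = {}
    for line in log_text.splitlines():
        reasons = service_findings(line)
        extras = userinit_extras(line)
        if extras:
            reasons.append("extra Userinit entries: " + "; ".join(extras))
        if reasons:
            report[line.strip()] = reasons
    return report
```

Run against the constructed snippet, `triage` flags only the awrbifad driver line and the Userinit line; the AVG, PC Tools and ZTE drivers pass untouched.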

#2 andy_pondy

Posted 05 March 2009 - 01:45 PM


I am sorry to have taken up your time, but I was in a bit of a hurry so I decided to finally re-install Windows XP.
Thanks a lot for your help, and I am sure there are many out there who are facing the same problem and will need your help. I hope I can track your help to them.


#3 KoanYorel


    Bleepin' Conundrum

Posted 16 March 2009 - 08:18 PM

Thanks for informing us. Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

