

Infected with C:\windows\system\wmibus.exe



#1 andy_pondy


Posted 03 March 2009 - 02:55 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/207822/infected-with-cwindowssystemwmibusexe/ ~ OB

Hi

I have been infected by some kind of trojan/virus located at C:\windows\system\wmibus.exe
This link contains the exact description of my problem:
http://www.threatexpert.com/report.aspx?md...c8acb3391f3f3f8

Even after cleaning the registry, deleting wmibus.exe and rebooting, the file comes back and all the registry settings come back. I have disabled the wmibus service from services.msc, run ComboFix and removed some of the exes which were found in the system32 folder.

In the registry there are also entries like the following, which appear again even after I delete them:
------------------------------------------------------------------------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\vpmveiun

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vpmveiun
Name: Type
Type: REG_DWORD
Data: 0x1

Name: Start
Type: REG_DWORD
Data: 0x3

Name: ErrorControl
Type: REG_DWORD
Data: 0x0

Name: ImagePath
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\System32\Drivers\vpmveiun.sys

------------------------------------------------------------------------------

The main problem is that svchost.exe starts taking up 100% CPU time and there is internet traffic even when no application is running and accessing the internet. When I open the browser (ANY) I cannot open any link. The "flow indicator" of the browser moves for a second and stops, and no page or links open.

There is a file called ndisio.sys in the C:\windows\system32\drivers\ folder.
When searching Google I found that this was a trojan and was told to delete it. When I delete this and reboot I lose my network connections and no properties show up when I click the network icon in the taskbar. To undo this problem I have to do a Windows restore to get back to a previous day which has that file ndisio.sys.




DDS (Ver_09-02-01.01) - NTFSx86
Run by Anand at 1:14:34.53 on Wed 03/04/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1363 [GMT 5.5:30]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bret Taylor\Stickies\Stickies.exe
D:\Program Files\Apache2.2\bin\httpd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Apache2.2\bin\httpd.exe
D:\Program Files\mySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\uTorrent\uTorrent.exe
svchost.exe
C:\Documents and Settings\Anand\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\localservice\rathyxv.exe \s
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [Stickies] c:\program files\bret taylor\stickies\\Stickies.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - d:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\web2~1\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235912587375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {3A619E52-4C9C-4C2D-93C1-0580AD7B796C} = 203.145.184.13,202.56.250.6
TCP: {F7DA2B44-72ED-4CC9-AC44-2A32E28F16E8} = 203.145.184.13,208.67.222.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anand\applic~1\mozilla\firefox\profiles\s68rcopm.default\
FF - component: c:\documents and settings\anand\application data\mozilla\firefox\profiles\s68rcopm.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\anand\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: d:\program files\divx\divx web player\npdivx32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: d:\program files\picasa3\npPicasa3.dll
FF - plugin: d:\program files\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\real alternative\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-11-13 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-11-13 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-11-13 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-11-13 10760]
R2 Apache2.2;Apache2.2;d:\program files\apache2.2\bin\httpd.exe [2008-1-18 24635]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-11-13 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-11-13 49664]
S3 awrbifad;awrbifad;\??\c:\windows\system32\drivers\awrbifad.sys --> c:\windows\system32\drivers\awrbifad.sys [?]
S3 dukiqioa;dukiqioa;\??\c:\windows\system32\drivers\dukiqioa.sys --> c:\windows\system32\drivers\dukiqioa.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-5-2 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-5-2 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-5-2 81288]
S3 tudefjav;tudefjav;\??\c:\windows\system32\drivers\tudefjav.sys --> c:\windows\system32\drivers\tudefjav.sys [?]
S3 uicycklh;uicycklh;\??\c:\windows\system32\drivers\uicycklh.sys --> c:\windows\system32\drivers\uicycklh.sys [?]
S3 vbjozare;vbjozare;\??\c:\windows\system32\drivers\vbjozare.sys --> c:\windows\system32\drivers\vbjozare.sys [?]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEUsbser.sys [2008-6-11 97920]
S3 zwyizkrn;zwyizkrn;\??\c:\windows\system32\drivers\zwyizkrn.sys --> c:\windows\system32\drivers\zwyizkrn.sys [?]
S4 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-28 31592]
S4 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2008-5-2 356920]
S4 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2008-5-2 1079176]

=============== Created Last 30 ================

2009-03-04 00:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-04 00:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 23:56 --d----- c:\windows\ERUNT
2009-03-03 23:51 --d----- C:\SDFix
2009-03-03 23:20 --d----- c:\docume~1\anand\applic~1\Malwarebytes
2009-03-03 23:20 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 23:20 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-03 00:35 2,184 a------- c:\windows\system32\wpa.dbl
2009-03-01 20:03 --d----- c:\docume~1\anand\applic~1\Wireshark
2009-03-01 18:34 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-01 18:02 --d----- c:\documents and settings\anand\OngameNetwork
2009-03-01 18:01 --ds-r-- c:\program files\WinDriveGuard
2009-02-27 22:18 67,584 ----h--- c:\windows\system32\secupdat.dat
2009-02-27 22:18 51,904 a------- c:\windows\system32\drivers\ndisio.sys
2009-02-26 00:22 --d----- c:\program files\Microsoft SQL Server
2009-02-26 00:22 --d----- c:\program files\Microsoft Synchronization Services
2009-02-26 00:22 --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-02-26 00:20 --d----- c:\windows\system32\Visual Studio 2008Templates
2009-02-26 00:20 --d----- c:\windows\system32\Visual Studio 2008
2009-02-02 22:02 --d-hr-- C:\$VAULT$.AVG

==================== Find3M ====================

2009-01-06 04:03 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-14 04:00 12,186,636 -------- C:\avg7qt.dat
2008-04-22 01:49 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 1:15:00.95 ===============

Edited by Orange Blossom, 04 March 2009 - 09:18 PM.
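Triage of the log above, as an added example that is not part of this thread and not code from DDS or BleepingComputer. It reads the driver lines from the SERVICES / DRIVERS section and the mWinlogon Userinit line and flags the two things the poster was fighting by hand: driver services whose ImagePath is an NT-native \??\ path, whose display name is just the machine-generated service name repeated (the vpmveiun entry in the registry dump has exactly this shape), and whose file DDS could not read (the [?] where the other entries show a date and size); and any Userinit entry other than the stock userinit.exe, since everything in that value runs at each interactive logon. The sample lines are constructed from the posted log; the scoring threshold and the 7-9 lowercase-letter name heuristic are my assumptions, not anything DDS documents.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-11-13 821856]
R2 Apache2.2;Apache2.2;d:\program files\apache2.2\bin\httpd.exe [2008-1-18 24635]
S3 awrbifad;awrbifad;\??\c:\windows\system32\drivers\awrbifad.sys --> c:\windows\system32\drivers\awrbifad.sys [?]
S3 dukiqioa;dukiqioa;\??\c:\windows\system32\drivers\dukiqioa.sys --> c:\windows\system32\drivers\dukiqioa.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-5-2 40840]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEUsbser.sys [2008-6-11 97920]
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\localservice\rathyxv.exe \s
"""

# DDS driver line: "<start> <name>;<display>;<image> [--> <resolved>] [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s-->\s(.*?))?\s\[(.*?)\]\s*$"
)
USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.IGNORECASE)
# Heuristic (my assumption): the droppers in this log all use 7-9 lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,9}$")
# A clean XP value has exactly one entry: <systemroot>\system32\userinit.exe
STOCK_USERINIT_RE = re.compile(r"^[a-z]:\\.*\\system32\\userinit\.exe$", re.IGNORECASE)


def suspicious_service_reasons(line):
    """Reasons a single DDS service/driver line looks like a random-named dropper."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    _start, name, display, image, _resolved, meta = m.groups()
    reasons = []
    if meta.strip() == "?":
        reasons.append("no date/size ([?]): file hidden or already gone")
    if name.lower() == display.lower() and RANDOM_NAME_RE.match(name):
        reasons.append("machine-generated name reused as the display name")
    if image.startswith("\\??\\"):
        reasons.append("NT-native \\??\\ path written straight into ImagePath")
    return reasons


def triage_services(dds_text, threshold=2):
    """Return {service name: reasons} for every driver line with >= threshold hits.
    One hit alone (e.g. Apache2.2 reusing its name as display name) is not enough."""
    flagged = {}
    for line in dds_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            reasons = suspicious_service_reasons(line)
            if len(reasons) >= threshold:
                flagged[m.group(2)] = reasons
    return flagged


def userinit_extras(dds_text):
    """Every Userinit entry that is not the stock userinit.exe; each extra entry
    is launched at every interactive logon, which is how rathyxv.exe persists."""
    extras = []
    for line in dds_text.splitlines():
        m = USERINIT_RE.match(line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry and not STOCK_USERINIT_RE.match(entry):
                extras.append(entry)
    return extras


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_DDS).items():
        print(name, "->", "; ".join(reasons))
    for entry in userinit_extras(SAMPLE_DDS):
        print("Userinit extra:", entry)
```

The script only reads the log and deletes nothing. That is deliberate: as the poster found with ndisio.sys, removing a driver file by hand while its service and bindings remain can leave the machine worse off (here, without working network connections), so a hit from this triage is where a proper rootkit-scanner run starts, not a delete list.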



#2 andy_pondy


Posted 05 March 2009 - 01:45 PM

Hi,

I am sorry to have taken up your time, but I was in a bit of a hurry so I decided to finally re-install Windows XP.
Thanks a lot for your help, and I am sure there are many out there who are facing the same problem and will need your help. I hope I can track your help to them.

Thanks,
Anand

#3 KoanYorel (Staff Emeritus)

Posted 16 March 2009 - 08:18 PM

Thanks for informing us. Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K