advise please

Here is my HJT log. I am a bit confused about the last 2 entries (wmibus.exe and wmibusn.exe). I tried to fix the wmibus.exe (file missing) entry with HJT without success. Can you advise?

Logfile of HijackThis v1.99.1

Scan saved at 12:53:18 AM, on 3/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

D:\Program Files\PC Tools Firewall Plus\FWService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://home.mcafee.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718

O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: WMI Bus Database (WMIBUS) - Unknown owner - C:\WINDOWS\system\wmibus.exe (file missing)

O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe

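The same triage the poster is asking for, applied programmatically to the O23 (service) lines of a HijackThis log. This is an added example, not code from HijackThis, Malwarebytes or the poster; the four input lines are copied from the log above, while the scoring weights, the list of "unusual" directories and the Windows-sounding keyword list are assumptions chosen for illustration.

```python
import re

# Added example for this thread, not HijackThis or Malwarebytes code: a
# heuristic triage of HijackThis O23 (service) lines. Scoring weights,
# the odd-directory list and the spoofed-name keyword list are assumptions
# chosen for illustration.

# Sample input: four O23 lines copied from the log posted above.
SAMPLE_O23 = [
    r"O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe",
    r"O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe",
    r"O23 - Service: WMI Bus Database (WMIBUS) - Unknown owner - C:\WINDOWS\system\wmibus.exe (file missing)",
    r"O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe",
]

PREFIX = "O23 - Service: "
MISSING_TAG = " (file missing)"
# Directories where a genuine service binary is unusual on Windows XP. The
# legacy 16-bit C:\WINDOWS\system folder (not system32) is the one abused here.
ODD_DIRS = ("c:\\windows\\system\\", "\\local settings\\temp\\", "\\application data\\")
# Words that make a service name sound like a Windows component; a binary
# with such a name should carry Microsoft as its owner/vendor.
SPOOF_WORDS = ("wmi", "windows", "microsoft", "svchost")


def parse_o23(line):
    """Split one O23 line into short name, display name, owner, path and a
    'file missing' flag. Fields are separated by ' - ', but display names
    can contain ' - ' themselves, so split from the right: the last two
    fields are always owner and path."""
    if not line.startswith(PREFIX):
        raise ValueError("not an O23 line: %r" % line)
    display, owner, path = line[len(PREFIX):].rsplit(" - ", 2)
    missing = path.endswith(MISSING_TAG)
    if missing:
        path = path[: -len(MISSING_TAG)]
    m = re.search(r"\(([^()]+)\)$", display)      # "(AntiVirService)" -> short name
    return {"name": m.group(1) if m else display, "display": display,
            "owner": owner, "path": path, "missing": missing}


def score_service(svc):
    """Return (level, score, reasons) for one parsed service entry."""
    score, reasons = 0, []
    if svc["missing"]:
        score += 2
        reasons.append("binary gone but the service key is still registered")
    if svc["owner"] == "Unknown owner":
        score += 1
        reasons.append("no vendor recorded in the binary (weak on its own)")
    if any(d in svc["path"].lower() for d in ODD_DIRS):
        score += 2
        reasons.append("binary in an unusual directory: " + svc["path"])
    windows_sounding = any(w in svc["display"].lower() for w in SPOOF_WORDS)
    if windows_sounding and "microsoft" not in svc["owner"].lower():
        score += 1
        reasons.append("Windows-sounding name with a non-Microsoft owner")
    level = "high" if score >= 3 else ("review" if score else "ok")
    return level, score, reasons


def triage(lines):
    """Map service short name -> (level, score, reasons) for every O23 line."""
    result = {}
    for line in lines:
        svc = parse_o23(line)
        result[svc["name"]] = score_service(svc)
    return result


if __name__ == "__main__":
    for name, (level, score, reasons) in triage(SAMPLE_O23).items():
        print("%-28s %-6s %d  %s" % (name, level, score, "; ".join(reasons)))
```

Two points the output makes: a service whose binary has vanished stays in the log because its key under HKLM\SYSTEM\CurrentControlSet\Services survives the file deletion, so the entry only goes away once the key itself is removed (which is what the Driver:: directive in the ComboFix script later in this thread does, or `sc delete <ServiceName>` from an administrator prompt); and "Unknown owner" on its own is weak evidence, since McAfee's SiteAdvisor service earns the same point and is legitimate.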

  • Staff

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Thank you.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.34

Database version: 1835

Windows 5.1.2600 Service Pack 3

3/11/2009 6:04:02 PM

mbam-log-2009-03-11 (18-04-02).txt

Scan type: Quick Scan

Objects scanned: 61889

Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

And here is the HJT log AFTER running MBAM:

Logfile of HijackThis v1.99.1

Scan saved at 6:07:38 PM, on 3/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

D:\Program Files\PC Tools Firewall Plus\FWService.exe

D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

C:\WINDOWS\system32\NOTEPAD.EXE

D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://home.mcafee.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718

O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: WMI Bus Database (WMIBUS) - Unknown owner - C:\WINDOWS\system\wmibus.exe (file missing)

O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe


  • Staff

Good, I see that MBAM already deleted the related driver.

Let's see what is still present there besides wmibusn.exe (and collect samples in the meantime), so do the following.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Edited to add..

Please go to this forum: http://www.malwarebytes.org/forums/index.php?showforum=55

Start a new thread and attach the C:\WINDOWS\system\wmibusn.exe file there.


Thank you, miekiemoes. Actually, I had already tried out ComboFix before I posted here. Here is the log:

ComboFix 09-03-06.02 - A.CHOWDHURY 2009-03-09 15:14:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.659 [GMT 5.5:30]

Running from: c:\documents and settings\A.CHOWDHURY\My Documents\Downloads\Programs\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

FW: PC Tools Firewall Plus *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\A.CHOWDHURY\Application Data\inst.exe

c:\windows\system32\ap.exe.exe

c:\windows\system32\cv.exe.exe

c:\windows\system32\drivers\sysdrv32.sys

c:\windows\system32\pw.exe.exe

c:\windows\system32\qf.exe.exe

c:\windows\system32\qx.exe.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSDDLL

-------\Service_msddll

((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))

.

2009-03-09 14:47 . 2009-03-09 14:47 704,000 -r-hs---- c:\windows\system\wmibusn.exe

2009-03-09 00:36 . 2009-03-09 00:36 707,584 --a------ c:\windows\system32\lm.exe

2009-03-08 23:28 . 2009-03-08 23:28 707,584 --a------ c:\windows\system32\xk.exe

2009-03-08 22:52 . 2009-03-08 22:52 707,584 --a------ c:\windows\system32\gg.exe

2009-03-08 22:46 . 2009-03-08 22:46 707,584 --a------ c:\windows\system32\ri.exe

2009-03-08 22:36 . 2009-03-08 22:36 707,584 --a------ c:\windows\system32\ol.exe

2009-03-08 21:26 . 2009-03-08 21:26 707,584 --a------ c:\windows\system32\pf.exe

2009-03-08 21:15 . 2009-03-08 21:15 707,584 --a------ c:\windows\system32\xq.exe

2009-03-08 21:09 . 2009-03-08 21:09 1,048,576 --------- c:\windows\system32\gq.exe

2009-03-08 20:59 . 2009-03-08 21:00 707,584 --a------ c:\windows\system32\ro.exe

2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe

2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\SUPERAntiSpyware.com

2009-03-08 18:21 . 2009-03-08 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-03-08 00:10 . 2009-03-08 00:11 707,584 --a------ c:\windows\system32\vt.exe

2009-03-06 23:22 . 2009-03-06 23:22 694,272 --a------ c:\windows\system32\ec.exe

2009-03-06 23:05 . 2009-03-06 23:05 694,272 --a------ c:\windows\system32\vh.exe

2009-03-06 22:53 . 2009-03-06 22:53 694,272 --a------ c:\windows\system32\ny.exe

2009-02-28 22:57 . 2009-02-28 22:57 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\Alawar

2009-02-27 13:04 . 2009-02-27 13:17 <DIR> d-------- C:\SDFix

2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-02-26 14:02 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-02-26 13:58 . 2009-02-26 17:45 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\HouseCall 6.6

2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys

2009-02-26 08:55 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys

2009-02-26 08:55 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys

2009-02-26 08:55 . 2009-01-21 10:38 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys

2009-02-26 08:55 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys

2009-02-25 14:51 . 2003-06-20 06:00 24,816 --a------ c:\windows\system32\mdimon.dll

2009-02-25 14:51 . 2009-02-25 14:51 376 --a------ c:\windows\ODBC.INI

2009-02-25 14:49 . 2009-02-25 14:49 <DIR> d-------- c:\program files\Microsoft ActiveSync

2009-02-25 14:48 . 2009-02-25 14:50 <DIR> d-------- c:\windows\SHELLNEW

2009-02-25 14:48 . 2009-02-25 14:48 <DIR> d-------- c:\program files\Microsoft.NET

2009-02-21 23:53 . 2009-02-21 23:53 <DIR> d-------- c:\windows\ERUNT

2009-02-18 21:02 . 2008-08-18 16:25 40,464 --a------ c:\windows\system32\drivers\hotcore3.sys

2009-02-15 10:13 . 2009-02-15 10:13 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\ComodoGroup

2009-02-15 10:12 . 2009-02-24 12:22 39,440 --a------ c:\windows\system32\drivers\csdf.sys

2009-02-15 10:12 . 2009-02-24 12:20 36,752 --a------ c:\windows\system32\drivers\crpf.sys

2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe

2009-02-13 01:04 . 2009-02-13 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx

2009-02-13 01:04 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

2009-02-12 00:28 . 2006-09-12 17:16 227,328 -r-hs---- c:\windows\system32\ac3DX.ax

2009-02-12 00:28 . 2006-03-11 03:18 169,472 -r-hs---- c:\windows\system32\MatroskaDX.ax

2009-02-12 00:28 . 2005-11-26 02:16 161,792 -r-hs---- c:\windows\system32\RealMediaDX.ax

2009-02-12 00:28 . 2006-01-13 04:53 123,904 -r-hs---- c:\windows\system32\AVCDX.ax

2009-02-12 00:28 . 2003-11-21 04:30 54,784 -r-hs---- c:\windows\system32\RLAPEDec.ax

2009-02-12 00:28 . 2004-04-27 04:30 37,888 -r-hs---- c:\windows\system32\RLMPCDec.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-09 09:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-09 09:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DMCache

2009-03-08 13:20 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\uTorrent

2009-03-03 09:39 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\dvdcss

2009-02-27 17:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\avidemux

2009-02-26 03:25 --------- d-----w c:\program files\Common Files\PC Tools

2009-02-25 07:32 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\gtk-2.0

2009-02-15 13:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DVD Flick

2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-05 19:04 --------- d-----w c:\program files\Yahoo!

2009-02-05 19:04 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Yahoo!

2009-01-29 08:22 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Vso

2009-01-28 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-01-21 08:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Ultra Fractal 5

2009-01-21 08:02 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Fraqtive

2009-01-18 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-15 12:12 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Thinstall

2009-01-12 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst

2009-01-12 15:29 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\PlayFirst

2008-12-12 21:47 3,751,995 ----a-w c:\windows\system32\GPhotos.scr

2008-09-02 04:35 47,360 ----a-w c:\documents and settings\A.CHOWDHURY\Application Data\pcouffin.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"00PCTFW"="d:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= i420vfw.dll

"VIDC.ACDV"= ACDV.dll

"VIDC.MJPG"= pvmjpg30.dll

"vidc.CDVC"= cdvccodc.dll

"vidc.CDVH"= cdvhcodc.dll

"vidc.CUVC"= cuvccodc.dll

"vidc.CLLC"= cllccodc.dll

"vidc.CDV5"= cdv5codc.dll

"vidc.dfsc"= dfsc.dll

"msacm.dfscacm"= dfscacm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]

backup=c:\windows\pss\24Online Client.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-15 15:32 133104 c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

--a------ 2007-12-21 19:16 2573744 c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]

--a------ 2007-03-26 17:45 389120 c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"d:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-02-15 36752]

R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-02-15 39440]

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-05-27 51564]

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-02-18 40464]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-02-26 159600]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-26 73840]

R2 WMIBUSn;WMI-Bus NOptic;c:\windows\system\wmibusn.exe [2009-03-09 704000]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-26 95640]

S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-05 206096]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

S3 WMIBUS;WMI Bus Database;"c:\windows\system\wmibus.exe" --> c:\windows\system\wmibus.exe [?]

S4 WMISYS;WMI System App;"c:\windows\system\wmisys.exe" --> c:\windows\system\wmisys.exe [?]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cmaudio - cmicnfg.cpl

MSConfigStartUp-TrueImageMonitor - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download all links with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

IE: Download FLV video content with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

IE: Download with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: mcafee.com\home

TCP: {350EC6BB-E936-4CFC-8829-910401F740B9} = 172.16.0.1

FF - ProfilePath - c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\

FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\IDM\idmmzcc2\components\idmmzcc.dll

FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll

FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll

FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-09 15:18:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\system\wmibusn.exe [544] 0x867388C0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11a65854-998a-4b4d-9bf5-c4a851806410}]

@Denied: (Full) (Everyone)

"Model"=dword:00000042

"Therad"=dword:0000001e

"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,

4b,7b,ad,04,7a,b1,b5,76,9b,27,47,b3,94,d4,80,e0,34,43,64,b7,1a,26,03,07,d6,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):31,88,1c,06,90,5c,de,29,d6,27,c3,7c,91,2c,68,ca,2f,e2,00,58,ed,

42,9c,c0,a8,ec,c2,fa,61,04,c1,7c,aa,71,cb,45,58,f7,71,25,00,00,00,00,00,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)

d:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3248)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

d:\program files\Microsoft Office\OFFICE11\msohev.dll

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

d:\program files\PC Tools Firewall Plus\FWService.exe

.

**************************************************************************

.

Completion time: 2009-03-09 15:24:24 - machine was rebooted [A.CHOWDHURY]

ComboFix-quarantined-files.txt 2009-03-09 09:54:02

Pre-Run: 9,107,718,144 bytes free

Post-Run: 9,071,009,792 bytes free

234

As you can see, ComboFix did remove c:\windows\system32\drivers\sysdrv32.sys (I highlighted it earlier). But it returned, because MBAM removed it again today.

As per your instructions, I am also attaching the wmibusn.exe file in the thread you linked to.

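The ComboFix log above shows two patterns worth automating: a run of two-letter .exe files of identical size dropped into system32 minutes apart (707,584 bytes on 8-9 March, 694,272 bytes on 6 March), and wmibusn.exe created with the read-only, hidden and system attributes (-r-hs----) in the legacy C:\WINDOWS\system folder. The Python below is an added example, not ComboFix, Malwarebytes or the poster's code; it parses "Files Created" entries (copied from the log, with one codec filter kept in for contrast) and the Security Center values from the "Reg Loading Points" section. The thresholds (at least three files, basenames of three characters or fewer, a 24 hour window) are my assumptions, not rules from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example for this thread, not ComboFix, Malwarebytes or the poster's
# code. Parses ComboFix "Files Created" entries and Security Center values
# and flags the two dropper patterns visible in the log above. Thresholds
# (>= 3 files, basename <= 3 chars, 24 h window) are assumptions.

# Sample input: entries copied from the ComboFix log posted above, plus one
# codec filter (ac3DX.ax) kept in for contrast.
SAMPLE_CREATED = r"""
2009-03-09 14:47 . 2009-03-09 14:47 704,000 -r-hs---- c:\windows\system\wmibusn.exe
2009-03-09 00:36 . 2009-03-09 00:36 707,584 --a------ c:\windows\system32\lm.exe
2009-03-08 23:28 . 2009-03-08 23:28 707,584 --a------ c:\windows\system32\xk.exe
2009-03-08 22:52 . 2009-03-08 22:52 707,584 --a------ c:\windows\system32\gg.exe
2009-03-08 21:09 . 2009-03-08 21:09 1,048,576 --------- c:\windows\system32\gq.exe
2009-03-06 23:22 . 2009-03-06 23:22 694,272 --a------ c:\windows\system32\ec.exe
2009-03-06 23:05 . 2009-03-06 23:05 694,272 --a------ c:\windows\system32\vh.exe
2009-03-06 22:53 . 2009-03-06 22:53 694,272 --a------ c:\windows\system32\ny.exe
2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-02-12 00:28 . 2006-09-12 17:16 227,328 -r-hs---- c:\windows\system32\ac3DX.ax
""".strip().splitlines()

# Sample input: the Security Center block copied from the same log.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
""".strip().splitlines()

# ComboFix layout: created . modified size attributes path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+ "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$")


def parse_entries(lines):
    """Turn 'Files Created' lines into dicts; directory lines (<DIR>) are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({
                "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
                "size": int(m.group("size").replace(",", "")),
                "attrs": m.group("attrs"),
                "path": m.group("path"),
            })
    return entries


def find_dropper_bursts(entries, min_files=3, max_stem=3, window_hours=24):
    """Group .exe files by (directory, size); a group of >= min_files with
    short random-looking names created within window_hours is a burst."""
    groups = defaultdict(list)
    for e in entries:
        directory, _, fname = e["path"].lower().rpartition("\\")
        stem, _, ext = fname.rpartition(".")
        if ext == "exe" and len(stem) <= max_stem:
            groups[(directory, e["size"])].append(e)
    bursts = []
    for (directory, size), items in groups.items():
        if len(items) < min_files:
            continue
        times = sorted(x["created"] for x in items)
        span = times[-1] - times[0]
        if span.total_seconds() <= window_hours * 3600:
            bursts.append({"dir": directory, "size": size,
                           "span_minutes": int(span.total_seconds() // 60),
                           "files": sorted(x["path"] for x in items)})
    return bursts


def hidden_system_executables(entries):
    """Executables created with both hidden (h) and system (s) attributes.
    Restricted to .exe/.dll/.sys: codec packs set the same bits on .ax filters."""
    return [e["path"] for e in entries
            if "h" in e["attrs"] and "s" in e["attrs"]
            and e["path"].lower().endswith((".exe", ".dll", ".sys"))]


def disabled_security_notifications(lines):
    """Security Center *DisableNotify values set to 1 (alerts suppressed)."""
    found = {}
    for line in lines:
        m = re.match(r'^"(\w+DisableNotify)"=dword:([0-9a-fA-F]{8})$', line.strip())
        if m and int(m.group(2), 16) == 1:
            found[m.group(1)] = 1
    return found


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_CREATED)
    for b in find_dropper_bursts(ents):
        print("burst: %d x %d bytes in %s over %d min" %
              (len(b["files"]), b["size"], b["dir"], b["span_minutes"]))
    print("hidden+system executables:", hidden_system_executables(ents))
    print("suppressed Security Center alerts:", disabled_security_notifications(SAMPLE_REG))
```

The hidden+system check is deliberately limited to .exe/.dll/.sys because the same log shows codec filters (.ax files) installed with identical attributes by a legitimate codec pack. The two Security Center values are the ones the CFScript later in this thread resets to 0: with AntiVirusDisableNotify and UpdatesDisableNotify set to 1, Windows XP stops warning that antivirus protection or automatic updates are off, which is why a backdoor sets them.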

  • Staff

Hi,

It's most probably the wmibusn.exe and other files reinstalling the highlighted driver again.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\lm.exe

c:\windows\system32\xk.exe

c:\windows\system32\gg.exe

c:\windows\system32\ri.exe

c:\windows\system32\ol.exe

c:\windows\system32\pf.exe

c:\windows\system32\ro.exe

c:\windows\system32\ec.exe

c:\windows\system32\vh.exe

Collect::[8]

c:\windows\system\wmibusn.exe

C:\Windows\system\wmibus.exe

c:\windows\system\wmisys.exe

c:\windows\system\wmibus.exe

c:\windows\system32\ny.exe

c:\windows\system32\vt.exe

c:\windows\system32\gq.exe

c:\windows\system32\xq.exe

Driver::

WMISYS

WMIBUS

WMIBUSn

Reglock::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11a65854-998a-4b4d-9bf5-c4a851806410}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UpdatesDisableNotify"=dword:00000000

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as shown in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


ComboFix 09-03-06.02 - A.CHOWDHURY 2009-03-12 8:32:21.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.665 [GMT 5.5:30]

Running from: c:\documents and settings\A.CHOWDHURY\My Documents\Downloads\Programs\ComboFix.exe

Command switches used :: c:\documents and settings\A.CHOWDHURY\My Documents\Downloads\Programs\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

FW: PC Tools Firewall Plus *disabled*

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\windows\system32\ec.exe

c:\windows\system32\gg.exe

c:\windows\system32\lm.exe

c:\windows\system32\ol.exe

c:\windows\system32\pf.exe

c:\windows\system32\ri.exe

c:\windows\system32\ro.exe

c:\windows\system32\vh.exe

c:\windows\system32\xk.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system\wmibusn.exe

c:\windows\system32\bg.exe.exe

c:\windows\system32\ca.exe.exe

c:\windows\system32\drivers\sysdrv32.sys

c:\windows\system32\ec.exe

c:\windows\system32\gg.exe

c:\windows\system32\gq.exe

c:\windows\system32\iu.exe.exe

c:\windows\system32\js.exe.exe

c:\windows\system32\km.exe.exe

c:\windows\system32\lm.exe

c:\windows\system32\ls.exe.exe

c:\windows\system32\mi.exe.exe

c:\windows\system32\ny.exe

c:\windows\system32\ol.exe

c:\windows\system32\pf.exe

c:\windows\system32\pj.exe.exe

c:\windows\system32\ri.exe

c:\windows\system32\ro.exe

c:\windows\system32\ro.exe.exe

c:\windows\system32\vc.exe.exe

c:\windows\system32\vh.exe

c:\windows\system32\vt.exe

c:\windows\system32\xk.exe

c:\windows\system32\xq.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_WMIBUS

-------\Legacy_WMIBUSN

-------\Legacy_WMISYS

-------\Service_WMIBUS

-------\Service_WMIBUSn

-------\Service_WMISYS

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))

.

2009-03-11 23:52 . 2009-03-11 23:52 701,440 --a------ c:\windows\system32\xc.exe

2009-03-11 23:12 . 2009-03-11 23:12 701,440 --a------ c:\windows\system32\eo.exe

2009-03-11 00:47 . 2009-03-11 00:47 701,440 --a------ c:\windows\system32\uy.exe

2009-03-10 23:26 . 2009-03-10 23:26 701,440 --a------ c:\windows\system32\dr.exe

2009-03-10 13:37 . 2009-03-10 13:37 704,000 --a------ c:\windows\system32\fo.exe

2009-03-10 13:10 . 2009-03-10 13:10 704,000 --a------ c:\windows\system32\eg.exe

2009-03-09 23:43 . 2009-03-09 23:45 704,000 --a------ c:\windows\system32\hb.exe

2009-03-09 23:40 . 2009-03-09 23:40 820,012 --a------ c:\windows\system32\kq.exe

2009-03-09 23:30 . 2009-03-09 23:30 704,000 --a------ c:\windows\system32\na.exe

2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe

2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\SUPERAntiSpyware.com

2009-03-08 18:21 . 2009-03-08 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-28 22:57 . 2009-02-28 22:57 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\Alawar

2009-02-27 13:04 . 2009-02-27 13:17 <DIR> d-------- C:\SDFix

2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-02-26 14:02 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-02-26 13:58 . 2009-02-26 17:45 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\HouseCall 6.6

2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys

2009-02-26 08:55 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys

2009-02-26 08:55 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys

2009-02-26 08:55 . 2009-01-21 10:38 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys

2009-02-26 08:55 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys

2009-02-25 14:51 . 2003-06-20 06:00 24,816 --a------ c:\windows\system32\mdimon.dll

2009-02-25 14:51 . 2009-02-25 14:51 376 --a------ c:\windows\ODBC.INI

2009-02-25 14:49 . 2009-02-25 14:49 <DIR> d-------- c:\program files\Microsoft ActiveSync

2009-02-25 14:48 . 2009-02-25 14:50 <DIR> d-------- c:\windows\SHELLNEW

2009-02-25 14:48 . 2009-02-25 14:48 <DIR> d-------- c:\program files\Microsoft.NET

2009-02-21 23:53 . 2009-02-21 23:53 <DIR> d-------- c:\windows\ERUNT

2009-02-18 21:02 . 2008-08-18 16:25 40,464 --a------ c:\windows\system32\drivers\hotcore3.sys

2009-02-15 10:13 . 2009-02-15 10:13 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\ComodoGroup

2009-02-15 10:12 . 2009-02-24 12:22 39,440 --a------ c:\windows\system32\drivers\csdf.sys

2009-02-15 10:12 . 2009-02-24 12:20 36,752 --a------ c:\windows\system32\drivers\crpf.sys

2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe

2009-02-13 01:04 . 2009-02-13 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx

2009-02-13 01:04 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

2009-02-12 00:28 . 2006-09-12 17:16 227,328 -r-hs---- c:\windows\system32\ac3DX.ax

2009-02-12 00:28 . 2006-03-11 03:18 169,472 -r-hs---- c:\windows\system32\MatroskaDX.ax

2009-02-12 00:28 . 2005-11-26 02:16 161,792 -r-hs---- c:\windows\system32\RealMediaDX.ax

2009-02-12 00:28 . 2006-01-13 04:53 123,904 -r-hs---- c:\windows\system32\AVCDX.ax

2009-02-12 00:28 . 2003-11-21 04:30 54,784 -r-hs---- c:\windows\system32\RLAPEDec.ax

2009-02-12 00:28 . 2004-04-27 04:30 37,888 -r-hs---- c:\windows\system32\RLMPCDec.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-12 03:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-11 18:40 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\gtk-2.0

2009-03-09 09:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DMCache

2009-03-08 13:20 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\uTorrent

2009-03-03 09:39 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\dvdcss

2009-02-27 17:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\avidemux

2009-02-26 03:25 --------- d-----w c:\program files\Common Files\PC Tools

2009-02-15 13:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DVD Flick

2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-05 19:04 --------- d-----w c:\program files\Yahoo!

2009-02-05 19:04 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Yahoo!

2009-01-29 08:22 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Vso

2009-01-28 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-01-21 08:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Ultra Fractal 5

2009-01-21 08:02 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Fraqtive

2009-01-18 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-15 12:12 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Thinstall

2009-01-12 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst

2009-01-12 15:29 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\PlayFirst

2008-12-12 21:47 3,751,995 ----a-w c:\windows\system32\GPhotos.scr

2008-09-02 04:35 47,360 ----a-w c:\documents and settings\A.CHOWDHURY\Application Data\pcouffin.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"00PCTFW"="d:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= i420vfw.dll

"VIDC.ACDV"= ACDV.dll

"VIDC.MJPG"= pvmjpg30.dll

"vidc.CDVC"= cdvccodc.dll

"vidc.CDVH"= cdvhcodc.dll

"vidc.CUVC"= cuvccodc.dll

"vidc.CLLC"= cllccodc.dll

"vidc.CDV5"= cdv5codc.dll

"vidc.dfsc"= dfsc.dll

"msacm.dfscacm"= dfscacm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]

backup=c:\windows\pss\24Online Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-15 15:32 133104 c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

--a------ 2007-12-21 19:16 2573744 c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]

--a------ 2007-03-26 17:45 389120 c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"d:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-02-15 36752]

R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-02-15 39440]

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-05-27 51564]

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-02-18 40464]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-02-26 159600]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-26 73840]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-26 95640]

S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-05 206096]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download all links with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

IE: Download FLV video content with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

IE: Download with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: mcafee.com\home

TCP: {350EC6BB-E936-4CFC-8829-910401F740B9} = 172.16.0.1

FF - ProfilePath - c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\

FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\IDM\idmmzcc2\components\idmmzcc.dll

FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll

FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll

FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-12 08:36:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)

d:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

d:\program files\PC Tools Firewall Plus\FWService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-03-12 8:41:52 - machine was rebooted [A.CHOWDHURY]

ComboFix-quarantined-files.txt 2009-03-12 03:11:13

Pre-Run: 8,983,810,048 bytes free

Post-Run: 8,973,733,888 bytes free



  • Staff

Hi,

A new set of files was created in the meantime, but that's because you were still infected then...

Navigate to and delete the following files:

c:\windows\system32\xc.exe

c:\windows\system32\eo.exe

c:\windows\system32\uy.exe

c:\windows\system32\dr.exe

c:\windows\system32\fo.exe

c:\windows\system32\eg.exe

c:\windows\system32\hb.exe

c:\windows\system32\kq.exe

c:\windows\system32\na.exe

They won't come back since the WMIBUS got deleted.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

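The two staff posts above describe work a helper otherwise does by eye: read the "Files Created" section of the ComboFix log for the two-letter droppers in system32 and the "name.exe.exe" copies, hand-write a CFScript File:: section listing them, and use a Registry:: section to turn the Security Center notifications back on. The Python below is an added example, not part of this thread and not ComboFix's own logic: it parses lines in the shape of ComboFix's log, applies name/location/size heuristics suggested by the thread's logs, groups hits by byte size (identical sizes point to one payload re-dropped under fresh names), renders the File:: list, and checks an exported Security Center key for the DisableNotify values set to 1. The sample log lines and registry fragment are constructed for the example, and the heuristics and thresholds are assumptions rather than anything the thread or the tool defines.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of ComboFix's "Files Created from ... to ..."
# section. Names, sizes and dates are modelled on the thread's logs, but the
# lines are assembled here for the example, not copied as evidence.
SAMPLE_LOG = r"""
2009-03-11 23:52 . 2009-03-11 23:52 701,440 --a------ c:\windows\system32\xc.exe
2009-03-11 23:12 . 2009-03-11 23:12 701,440 --a------ c:\windows\system32\eo.exe
2009-03-10 13:37 . 2009-03-10 13:37 704,000 --a------ c:\windows\system32\fo.exe
2009-03-09 23:40 . 2009-03-09 23:40 820,012 --a------ c:\windows\system32\kq.exe
2009-03-09 10:01 . 2009-03-09 10:01 701,440 --a------ c:\windows\system32\ro.exe.exe
2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe
2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTime.qts
2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe
"""

# Constructed REGEDIT4-style fragment of the Security Center key (the values
# the CFScript's Registry:: section resets to 0).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

# One "Files Created" line: created . modified size attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Heuristics (assumed, not ComboFix's): two random letters dropped straight
# into system32, and the "name.exe.exe" double extension seen in the log.
TWO_LETTER_EXE = re.compile(r"^[a-z]{2}\.exe$", re.I)
DOUBLE_EXT = re.compile(r"\.exe\.exe$", re.I)
SYSTEM32 = "c:\\windows\\system32\\"
NOTIFY_RE = re.compile(
    r'^"(AntiVirusDisableNotify|UpdatesDisableNotify|FirewallDisableNotify)"'
    r"=dword:([0-9a-f]{8})$", re.I)


def parse_files_created(text):
    """Return one dict per file line; <DIR> entries and non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["size"] == "<DIR>":
            continue
        path = m["path"].lower()
        entries.append({
            "created": m["created"], "modified": m["modified"],
            "size": int(m["size"].replace(",", "")),
            "path": path, "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def flag_suspicious(entries):
    """Return (path, reasons) pairs for entries matching the dropper heuristics."""
    findings = []
    for e in entries:
        reasons = []
        rest = e["path"][len(SYSTEM32):]
        directly_in_system32 = e["path"].startswith(SYSTEM32) and "\\" not in rest
        if directly_in_system32 and TWO_LETTER_EXE.match(e["name"]):
            reasons.append("two-letter exe directly in system32")
        if DOUBLE_EXT.search(e["name"]):
            reasons.append("double .exe.exe extension")
        # A dropped file is written once: creation and modification coincide.
        if reasons and e["created"] == e["modified"]:
            reasons.append("created == modified (dropped, not installed)")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


def size_clusters(entries, flagged_paths):
    """Group flagged files by size; identical sizes suggest one payload re-dropped."""
    by_size = defaultdict(list)
    flagged = set(flagged_paths)
    for e in entries:
        if e["path"] in flagged:
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) > 1}


def build_cfscript(paths):
    """Render a File:: section in the CFScript layout the staff post uses."""
    return "File::\n" + "\n".join(paths) + "\n"


def security_center_notify_disabled(reg_text):
    """Return the Security Center *DisableNotify names whose dword is non-zero."""
    return [m.group(1) for m in
            (NOTIFY_RE.match(line.strip()) for line in reg_text.splitlines())
            if m and int(m.group(2), 16) != 0]


if __name__ == "__main__":
    found = flag_suspicious(parse_files_created(SAMPLE_LOG))
    for path, reasons in found:
        print(path, "->", "; ".join(reasons))
    print(build_cfscript([p for p, _ in found]))
    print("notifications suppressed:", security_center_notify_disabled(SAMPLE_REG))
```

Run as a script it prints the five hits from the sample, the File:: section for them, and the two suppressed notifications; on a real log you would paste the "Files Created" section into SAMPLE_LOG and review each hit by hand before putting it in a CFScript, since a two-letter name alone is only a hint.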

Hi, thank you for all the help. I did as you advised. When I first posted the HJT log I was not having any specific problem with my computer; I just ran an HJT scan and detected those suspicious entries. Even now, I am not having any problem as such. Here is my just-finished HJT log.

Logfile of HijackThis v1.99.1

Scan saved at 3:13:19 PM, on 3/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

D:\Program Files\PC Tools Firewall Plus\FWService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system\msddll.exe

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://home.mcafee.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718

O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe


  • Staff

Hi,

According to your logs, it regenerated...?

Can you rescan with ComboFix again please? The logs are really confusing now, since it's unclear whether the latest HJT log was from before or afterwards.

Isn't your Avira detecting anything? It should detect all these files as well though...


According to your logs, it regenerated...?

No, wmibus.exe did not regenerate. WMIbusn.exe was there along with wmibus.exe. Only the latter was deleted.

The HJT log is AFTER cleaning with Combofix.

Anyway, I am not too concerned about it at the moment. Maybe the processes are legitimate. But there are two things I would like to mention. First, sometimes a certain msddll.exe process was appearing in Task Manager. I could stop it and manually delete it from the System folder. Second, an error message appears during shutdown, something like this: "Error: Application error ipconfig.exe ... the application failed to initialize ... click OK to shut down." But I do not need to click OK; it shuts down fine.

Otherwise my PC is running fine. And yes, Avira is not catching anything with the AntiVir Guard enabled.

And a big thanks for staying with me. I really appreciate it.


Here is the latest Combofix log:

ComboFix 09-03-10.03 - A.CHOWDHURY 2009-03-12 23:52:31.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.751 [GMT 5.5:30]

Running from: c:\documents and settings\A.CHOWDHURY\Desktop\ComboFix.exe

FW: PC Tools Firewall Plus *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))

.

2009-03-12 22:57 . 2009-03-12 22:58 1,048,576 --a------ c:\windows\system32\vw.exe

2009-03-12 14:08 . 2009-03-12 14:08 701,440 --a------ c:\windows\system32\ej.exe

2009-03-12 13:27 . 2009-03-12 13:28 701,440 --a------ c:\windows\system32\ns.exe

2009-03-12 13:25 . 2009-03-12 13:25 1,048,576 --a------ c:\windows\system32\lz.exe

2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe

2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\SUPERAntiSpyware.com

2009-03-08 18:21 . 2009-03-08 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-28 22:57 . 2009-02-28 22:57 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\Alawar

2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-02-26 14:02 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-02-26 13:58 . 2009-02-26 17:45 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\HouseCall 6.6

2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys

2009-02-26 08:55 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys

2009-02-26 08:55 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys

2009-02-26 08:55 . 2009-01-21 10:38 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys

2009-02-26 08:55 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys

2009-02-25 14:51 . 2003-06-20 06:00 24,816 --a------ c:\windows\system32\mdimon.dll

2009-02-25 14:51 . 2009-02-25 14:51 376 --a------ c:\windows\ODBC.INI

2009-02-25 14:49 . 2009-02-25 14:49 <DIR> d-------- c:\program files\Microsoft ActiveSync

2009-02-25 14:48 . 2009-02-25 14:50 <DIR> d-------- c:\windows\SHELLNEW

2009-02-25 14:48 . 2009-02-25 14:48 <DIR> d-------- c:\program files\Microsoft.NET

2009-02-21 23:53 . 2009-02-21 23:53 <DIR> d-------- c:\windows\ERUNT

2009-02-18 21:02 . 2008-08-18 16:25 40,464 --a------ c:\windows\system32\drivers\hotcore3.sys

2009-02-15 10:13 . 2009-02-15 10:13 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\ComodoGroup

2009-02-15 10:12 . 2009-02-24 12:22 39,440 --a------ c:\windows\system32\drivers\csdf.sys

2009-02-15 10:12 . 2009-02-24 12:20 36,752 --a------ c:\windows\system32\drivers\crpf.sys

2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe

2009-02-13 01:04 . 2009-02-13 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx

2009-02-13 01:04 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

2009-02-12 00:28 . 2006-09-12 17:16 227,328 -r-hs---- c:\windows\system32\ac3DX.ax

2009-02-12 00:28 . 2006-03-11 03:18 169,472 -r-hs---- c:\windows\system32\MatroskaDX.ax

2009-02-12 00:28 . 2005-11-26 02:16 161,792 -r-hs---- c:\windows\system32\RealMediaDX.ax

2009-02-12 00:28 . 2006-01-13 04:53 123,904 -r-hs---- c:\windows\system32\AVCDX.ax

2009-02-12 00:28 . 2003-11-21 04:30 54,784 -r-hs---- c:\windows\system32\RLAPEDec.ax

2009-02-12 00:28 . 2004-04-27 04:30 37,888 -r-hs---- c:\windows\system32\RLMPCDec.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-12 18:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-12 17:54 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DMCache

2009-03-11 18:40 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\gtk-2.0

2009-03-08 13:20 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\uTorrent

2009-03-03 09:39 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\dvdcss

2009-02-27 17:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\avidemux

2009-02-26 03:25 --------- d-----w c:\program files\Common Files\PC Tools

2009-02-15 13:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DVD Flick

2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-05 19:04 --------- d-----w c:\program files\Yahoo!

2009-02-05 19:04 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Yahoo!

2009-01-29 08:22 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Vso

2009-01-28 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-01-21 08:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Ultra Fractal 5

2009-01-21 08:02 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Fraqtive

2009-01-18 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-15 12:12 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Thinstall

2009-01-12 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst

2009-01-12 15:29 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\PlayFirst

2008-12-12 21:47 3,751,995 ----a-w c:\windows\system32\GPhotos.scr

2008-09-02 04:35 47,360 ----a-w c:\documents and settings\A.CHOWDHURY\Application Data\pcouffin.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= i420vfw.dll

"VIDC.ACDV"= ACDV.dll

"VIDC.MJPG"= pvmjpg30.dll

"vidc.CDVC"= cdvccodc.dll

"vidc.CDVH"= cdvhcodc.dll

"vidc.CUVC"= cuvccodc.dll

"vidc.CLLC"= cllccodc.dll

"vidc.CDV5"= cdv5codc.dll

"vidc.dfsc"= dfsc.dll

"msacm.dfscacm"= dfscacm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]

backup=c:\windows\pss\24Online Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00PCTFW]

--a------ 2009-02-23 10:49 2652056 d:\program files\PC Tools Firewall Plus\FirewallGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

--a------ 2008-06-12 14:28 266497 d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-15 15:32 133104 c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

--a------ 2007-12-21 19:16 2573744 c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]

--a------ 2007-03-26 17:45 389120 c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"d:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-02-15 36752]

R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-02-15 39440]

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-05-27 51564]

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-02-18 40464]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-02-26 159600]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-26 73840]

S2 WMIBUSn;WMI-Bus NOptic;"c:\windows\system\wmibusn.exe" --> c:\windows\system\wmibusn.exe [?]

S3 core86;Device Core x86;\??\c:\windows\system32\drivers\core86.sys --> c:\windows\system32\drivers\core86.sys [?]

S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-05 206096]

S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-26 95640]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download all links with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

IE: Download FLV video content with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

IE: Download with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: mcafee.com\home

TCP: {350EC6BB-E936-4CFC-8829-910401F740B9} = 172.16.0.1

FF - ProfilePath - c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\

FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\IDM\idmmzcc2\components\idmmzcc.dll

FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll

FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll

FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-12 23:53:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)

d:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-03-12 23:57:00

ComboFix-quarantined-files.txt 2009-03-12 18:26:00

Pre-Run: 9,126,821,888 bytes free

Post-Run: 9,112,104,960 bytes free

178

And the latest HJT log (after running ComboFix):

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:14:12 AM, on 3/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

D:\Program Files\PC Tools Firewall Plus\FWService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEMonitor.exe

C:\Documents and Settings\A.CHOWDHURY\Desktop\Portables\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://home.mcafee.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718

O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: WMI-Bus NOptic (WMIBUSn) - Unknown owner - C:\WINDOWS\system\wmibusn.exe (file missing)

--

End of file - 5907 bytes

BTW, I had submitted the zipped wmibusn.exe file at the link you mentioned earlier. I could not submit it as an attachment since the size exceeded the limit. Any headway with it?

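The O23 line this thread turns on, WMIBUSn pointing at a binary under C:\WINDOWS\system that is no longer on disk, is the kind of entry a helper triages by eye. The following Python is an added example, not code from the thread, from HijackThis or from Malwarebytes: it parses O23 lines and scores them with the cues visible in the logs above (file missing, legacy %windir%\system or a Temp directory as the binary's location, "Unknown owner"). The sample lines are constructed from the log's own entries, and the scoring weights and the field names are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three O23 lines in the shape of the HijackThis log above
# (one clean vendor service, one legitimate service that HJT reports as
# "Unknown owner", and the orphaned WMIBUSn entry). Not live data.
SAMPLE_O23 = r"""
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: WMI-Bus NOptic (WMIBUSn) - Unknown owner - C:\WINDOWS\system\wmibusn.exe (file missing)
"""

MISSING_SUFFIX = "(file missing)"


@dataclass
class ServiceEntry:
    display: str                # display name as HJT prints it
    short_name: Optional[str]   # service key name in parentheses, if present
    owner: str                  # company from version info, or "Unknown owner"
    path: str                   # service binary path
    file_missing: bool          # HJT appended "(file missing)"


@dataclass
class Finding:
    entry: ServiceEntry
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one 'O23 - Service:' line; returns None for any other HJT line."""
    m = re.match(r"^O23 - Service: (.+)$", line.strip())
    if not m:
        return None
    body = m.group(1)
    missing = body.endswith(MISSING_SUFFIX)
    if missing:
        body = body[: -len(MISSING_SUFFIX)].rstrip()
    # Display names may themselves contain " - " (see the Avira entry), so
    # split from the right: the last two separators give <display> - <owner> - <path>.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    sm = re.search(r"\(([^()]+)\)\s*$", display)
    short = sm.group(1) if sm else None
    return ServiceEntry(display, short, owner, path, missing)


def triage(entry: ServiceEntry) -> Finding:
    """Score an O23 entry with the heuristics used by hand in the thread (weights assumed)."""
    f = Finding(entry)
    p = entry.path.lower()
    if entry.file_missing:
        # Orphaned service key: the binary is gone but its registration survived.
        f.score += 2
        f.reasons.append("binary missing on disk")
    if "\\windows\\system\\" in p:
        # Legacy %windir%\system (not system32) is a rare location for real installers.
        f.score += 2
        f.reasons.append("binary under legacy %windir%\\system")
    if "\\temp\\" in p:
        f.score += 2
        f.reasons.append("binary under a Temp directory")
    if entry.owner.lower() == "unknown owner":
        # Weak on its own: HJT prints this for legitimate binaries without version info.
        f.score += 1
        f.reasons.append("unknown owner")
    return f


def triage_log(text: str) -> List[Finding]:
    """Parse every O23 line in an HJT log and return findings, highest score first."""
    entries = [e for e in (parse_o23(ln) for ln in text.splitlines()) if e]
    return sorted((triage(e) for e in entries), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_O23):
        name = f.entry.short_name or f.entry.display
        print(f"{f.score:>2}  {name:<20} {f.entry.path}  {'; '.join(f.reasons)}")
```

Run stand-alone it lists the WMIBUSn entry first with three reasons, the McAfee service next with only "unknown owner" (which is why that cue is weighted low), and the Avira service with a score of zero. Feeding it a whole HJT log instead of the constructed sample needs no changes, since lines other than O23 are ignored.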

  • Staff

Hi,

No need to submit the files anymore. I already have them, including wmibusn.exe. It's installed by the other ones.

* Open notepad - don't use any other texteditor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

C:\WINDOWS\system\wmibusn.exe

C:\WINDOWS\system\msddll.exe

c:\windows\system32\vw.exe

c:\windows\system32\ej.exe

c:\windows\system32\ns.exe

c:\windows\system32\lz.exe

Driver::

WMIBUSn

core86

msddll

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UpdatesDisableNotify"=dword:00000000

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


I copied that CFScript and was going to run it in ComboFix. Then, just for the heck of it, I decided to run MBAM once more. After a Quick Scan this was the report:

Malwarebytes' Anti-Malware 1.34

Database version: 1842

Windows 5.1.2600 Service Pack 3

3/13/2009 9:21:08 AM

mbam-log-2009-03-13 (09-21-08).txt

Scan type: Quick Scan

Objects scanned: 62027

Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msddll (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIBUSn (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

As you see, MBAM detected and deleted two registry keys related to msddll.exe and wmibusn.exe.

I was a bit optimistic now and ran HJT. Here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:30:40 AM, on 3/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

D:\Program Files\PC Tools Firewall Plus\FWService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

D:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Documents and Settings\A.CHOWDHURY\Desktop\Portables\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://home.mcafee.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718

O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 5649 bytes

I was so happy to find NO mention of that dreaded O23-Service...wmibusn.exe.

Then I went into the list of services in Windows (services.msc) and was relieved to find no wmibus.exe or wmibusn.exe there. The only WMI entry there was WMI Performance Adapter, which, as far as I know, is a perfectly legitimate service.

So, my really helpful friend, should I run that CFScript in ComboFix again? Or should I just wait and see?


  • Staff

Hi,

As you see, MBAM detected and deleted two registry keys related to msddll.exe and wmibusn.exe.
I know mbam now detects it, but there are still some files that need to get deleted that mbam didn't detect.

Can you change the cfscript, because I need some samples again. Normally MBAM should detect them with the latest version though, that's why the samples are needed.

Delete the cfscript and create this one instead:

Collect::[8]

C:\WINDOWS\system\wmibusn.exe

C:\WINDOWS\system\msddll.exe

c:\windows\system32\vw.exe

c:\windows\system32\ej.exe

c:\windows\system32\ns.exe

c:\windows\system32\lz.exe

Driver::

WMIBUSn

core86

msddll

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UpdatesDisableNotify"=dword:00000000

Then drag it into Combofix.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

Also post the log from ComboFix in your next reply. It is really important that you follow the instructions.


ComboFix 09-03-10.03 - A.CHOWDHURY 2009-03-13 12:33:41.6 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.685 [GMT 5.5:30]

Running from: c:\documents and settings\A.CHOWDHURY\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\A.CHOWDHURY\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

FW: PC Tools Firewall Plus *disabled*

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSDDLL

-------\Legacy_WMIBUSN

-------\Service_core86

((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))

.

2009-03-13 10:34 . <DIR> c:\windows\LastGood.Tmp

2009-03-13 10:34 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2009-03-13 10:31 . 2009-03-13 10:31 <DIR> d-------- c:\program files\Panda Security

2009-03-13 01:01 . 2009-03-13 01:01 <DIR> d-------- C:\SDFix

2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe

2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\SUPERAntiSpyware.com

2009-03-08 18:21 . 2009-03-08 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-28 22:57 . 2009-02-28 22:57 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\Alawar

2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-02-26 14:02 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-02-26 13:58 . 2009-02-26 17:45 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\HouseCall 6.6

2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys

2009-02-26 08:55 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys

2009-02-26 08:55 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys

2009-02-26 08:55 . 2009-01-21 10:38 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys

2009-02-26 08:55 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys

2009-02-25 14:51 . 2003-06-20 06:00 24,816 --a------ c:\windows\system32\mdimon.dll

2009-02-25 14:51 . 2009-02-25 14:51 376 --a------ c:\windows\ODBC.INI

2009-02-25 14:49 . 2009-02-25 14:49 <DIR> d-------- c:\program files\Microsoft ActiveSync

2009-02-25 14:48 . 2009-02-25 14:50 <DIR> d-------- c:\windows\SHELLNEW

2009-02-25 14:48 . 2009-02-25 14:48 <DIR> d-------- c:\program files\Microsoft.NET

2009-02-21 23:53 . 2009-02-21 23:53 <DIR> d-------- c:\windows\ERUNT

2009-02-18 21:02 . 2008-08-18 16:25 40,464 --a------ c:\windows\system32\drivers\hotcore3.sys

2009-02-15 10:13 . 2009-02-15 10:13 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\ComodoGroup

2009-02-15 10:12 . 2009-02-24 12:22 39,440 --a------ c:\windows\system32\drivers\csdf.sys

2009-02-15 10:12 . 2009-02-24 12:20 36,752 --a------ c:\windows\system32\drivers\crpf.sys

2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe

2009-02-13 01:04 . 2009-02-13 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx

2009-02-13 01:04 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-13 07:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-13 05:05 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DMCache

2009-03-11 18:40 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\gtk-2.0

2009-03-08 13:20 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\uTorrent

2009-03-03 09:39 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\dvdcss

2009-02-27 17:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\avidemux

2009-02-26 03:25 --------- d-----w c:\program files\Common Files\PC Tools

2009-02-15 13:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DVD Flick

2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-05 19:04 --------- d-----w c:\program files\Yahoo!

2009-02-05 19:04 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Yahoo!

2009-01-29 08:22 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Vso

2009-01-28 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-01-21 08:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Ultra Fractal 5

2009-01-21 08:02 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Fraqtive

2009-01-18 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-15 12:12 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Thinstall

2008-09-02 04:35 47,360 ----a-w c:\documents and settings\A.CHOWDHURY\Application Data\pcouffin.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"00PCTFW"="d:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= i420vfw.dll

"VIDC.ACDV"= ACDV.dll

"VIDC.MJPG"= pvmjpg30.dll

"vidc.CDVC"= cdvccodc.dll

"vidc.CDVH"= cdvhcodc.dll

"vidc.CUVC"= cuvccodc.dll

"vidc.CLLC"= cllccodc.dll

"vidc.CDV5"= cdv5codc.dll

"vidc.dfsc"= dfsc.dll

"msacm.dfscacm"= dfscacm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]

backup=c:\windows\pss\24Online Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-15 15:32 133104 c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

--a------ 2007-12-21 19:16 2573744 c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]

--a------ 2007-03-26 17:45 389120 c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"d:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-02-15 36752]

R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-02-15 39440]

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-05-27 51564]

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-02-18 40464]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-13 28544]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-02-26 159600]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-26 73840]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-26 95640]

S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-05 206096]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download all links with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm

IE: Download FLV video content with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm

IE: Download with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: mcafee.com\home

TCP: {350EC6BB-E936-4CFC-8829-910401F740B9} = 172.16.0.1

FF - ProfilePath - c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\

FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\IDM\idmmzcc2\components\idmmzcc.dll

FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll

FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll

FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-13 12:37:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)

d:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

d:\program files\PC Tools Firewall Plus\FWService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-03-13 12:42:45 - machine was rebooted [A.CHOWDHURY]

ComboFix-quarantined-files.txt 2009-03-13 07:12:00

Pre-Run: 8,988,553,216 bytes free

Post-Run: 8,974,827,520 bytes free

186

Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Sorry. Qoobox\Quarantine does not have that file. There are 2 folders, namely C and Registry_backups, and 2 files, catchme.log and catchme.txt, in Quarantine. Should I run Combofix again with that CFScript?

BTW, I should mention that after the last MBAM scan I had deleted the following files manually:

c:\windows\system32\vw.exe

c:\windows\system32\ej.exe

c:\windows\system32\ns.exe

c:\windows\system32\lz.exe


  • Staff

Hi,

It would have been better if you just followed my instructions and didn't delete any files manually, because that explains why the zipfiles with the samples were not created since you already deleted them manually.

Anyway, this looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


It would have been better if you just followed my instructions and didn't delete any files manually, because that explains why the zipfiles with the samples were not created since you already deleted them manually.

Very sorry indeed. I probably became a bit overzealous after finding the clean HJT log. I did run the Panda online scan too. Everything seems fine now. The latest HJT scan did not show anything suspicious. I will just keep my fingers crossed. Any problem and I may need your help again. You really have been fantastic, friend. And I promise to be very obedient next time. :P:P:P

BTW, can you possibly point out the source of these backdoors?


  • Staff

Hi,

I really have no clue how you got this backdoor. In most cases, such backdoors are spread via P2P software, such as Limewire, uTorrent etc...

As far as I can see, your problem started around 2009-03-06 22:53, because that was the date of the first dropped random exe.

I strongly suggest changing all your passwords, because they may be known. After all, this backdoor installed a hacktool, so all your passwords etc. could have been collected in the meanwhile.

Also,

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :P


  • Root Admin

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
