Malwarebytes

advise please

22 replies to this topic

#1 sics66 - New Member, Members, 39 posts, Gender: Male, Location: India
Here is my HJT log. I am a bit confused about the last 2 entries (wmibus.exe and wmibusn.exe). I tried to fix the wmibus.exe (file missing) with HJT without success. Can you advise?

Logfile of HijackThis v1.99.1
Scan saved at 12:53:18 AM, on 3/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718
O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WMI Bus Database (WMIBUS) - Unknown owner - C:\WINDOWS\system\wmibus.exe (file missing)
O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe
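The two entries the poster asks about are NT service registrations (HijackThis O23 lines). HJT only shows the display name, the owner string and the image path, so the useful checks are on the path: whether the file still exists and where it lives. On a stock Windows XP install a service image belongs under system32 or Program Files; C:\WINDOWS\system is the legacy 16-bit directory and an odd home for a service. The parser and triage rules below are an added example written for this thread, not HijackThis code and not something from the original posts; the O23 lines fed to it are copied from the log above, and the list of "expected" service directories is an assumption.

```python
"""Triage the O23 (NT service) lines of a HijackThis log.

Added example for this thread; not HijackThis code and not from the posts.
The sample lines are copied from the log above. The set of directories treated
as normal homes for a service image is the author's assumption.
"""
import re
from pathlib import PureWindowsPath

# Copied from the HijackThis log in post #1: one benign vendor service, one
# third-party "Unknown owner" service for contrast, and the two WMI-Bus entries.
HJT_O23_SAMPLE = r"""
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: WMI Bus Database (WMIBUS) - Unknown owner - C:\WINDOWS\system\wmibus.exe (file missing)
O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe
"""

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
SHORT_NAME = re.compile(r"\(([^()]+)\)$")

# Assumption: on a stock XP box service images live under one of these trees
# (drive letter stripped, case-folded). Anything else deserves a closer look.
EXPECTED_DIRS = (("windows", "system32"), ("program files",))


def parse_o23(line):
    """Return dict(display, short, owner, path, missing), or None for non-O23 lines."""
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):]
    # Display names can themselves contain " - " (see the Avira line), so split
    # from the right: the last two fields are always owner and image path.
    display, owner, path = body.rsplit(" - ", 2)
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    m = SHORT_NAME.search(display)
    return {
        "display": display,
        "short": m.group(1) if m else display,
        "owner": owner,
        "path": path,
        "missing": missing,
    }


def triage(entry):
    """Reasons this service entry deserves attention (empty list = unremarkable)."""
    reasons = []
    parts = tuple(p.lower() for p in PureWindowsPath(entry["path"]).parent.parts[1:])
    if entry["missing"]:
        reasons.append("registered image no longer exists (dead service entry)")
    if parts[:2] == ("windows", "system"):
        reasons.append("image lives in the legacy C:\\WINDOWS\\system directory, not system32")
    elif not any(parts[: len(e)] == e for e in EXPECTED_DIRS):
        reasons.append("image outside the usual service directories")
    if entry["owner"] == "Unknown owner" and parts[:1] != ("program files",):
        reasons.append("no vendor information and not under Program Files")
    return reasons


def triage_log(text):
    """Map short service name -> reasons, for every flagged O23 line in `text`."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_o23(line.strip())
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                flagged[entry["short"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(HJT_O23_SAMPLE).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the four sample lines, only WMIBUS and WMIBUSn come back: the Avira service is in a vendor directory with a vendor name, and the McAfee service, although HJT reports "Unknown owner", sits under Program Files. The rules are deliberately about location and existence rather than the display name, because "WMI Bus Database" is chosen to sound like a Windows component and name-based checks are easy to game.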

#2 miekiemoes - Forum Deity, Administrators, 7,127 posts, Gender: Female, Location: Belgium
Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Mieke Verburgh
Assistant Director of Research

#3 sics66 - New Member, Members, 39 posts, Gender: Male, Location: India
Thank you.

Here is the MBAM log:
Malwarebytes' Anti-Malware 1.34
Database version: 1835
Windows 5.1.2600 Service Pack 3

3/11/2009 6:04:02 PM
mbam-log-2009-03-11 (18-04-02).txt

Scan type: Quick Scan
Objects scanned: 61889
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

And here is the HJT log AFTER running MBAM:
Logfile of HijackThis v1.99.1
Scan saved at 6:07:38 PM, on 3/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\PC Tools Firewall Plus\FWService.exe
D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718
O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WMI Bus Database (WMIBUS) - Unknown owner - C:\WINDOWS\system\wmibus.exe (file missing)
O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe

#4 miekiemoes - Forum Deity, Administrators, 7,127 posts, Gender: Female, Location: Belgium
Good, I see that MBAM already deleted the related driver.

Let's see what is still present there, besides the wmibusn.exe (and collect samples in the meantime). So do the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Edited to add..

Please go to this forum: http://www.malwareby...hp?showforum=55
Start a new thread and attach the C:\WINDOWS\system\wmibusn.exe file there.

#5 sics66 - New Member, Members, 39 posts, Gender: Male, Location: India
Thank you miekiemoes. Actually I had already tried out ComboFix before I posted here. Here is the log:
ComboFix 09-03-06.02 - A.CHOWDHURY 2009-03-09 15:14:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.659 [GMT 5.5:30]
Running from: c:\documents and settings\A.CHOWDHURY\My Documents\Downloads\Programs\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: PC Tools Firewall Plus *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\A.CHOWDHURY\Application Data\inst.exe
c:\windows\system32\ap.exe.exe
c:\windows\system32\cv.exe.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\pw.exe.exe
c:\windows\system32\qf.exe.exe
c:\windows\system32\qx.exe.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSDDLL
-------\Service_msddll


((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-09 14:47 . 2009-03-09 14:47 704,000 -r-hs---- c:\windows\system\wmibusn.exe
2009-03-09 00:36 . 2009-03-09 00:36 707,584 --a------ c:\windows\system32\lm.exe
2009-03-08 23:28 . 2009-03-08 23:28 707,584 --a------ c:\windows\system32\xk.exe
2009-03-08 22:52 . 2009-03-08 22:52 707,584 --a------ c:\windows\system32\gg.exe
2009-03-08 22:46 . 2009-03-08 22:46 707,584 --a------ c:\windows\system32\ri.exe
2009-03-08 22:36 . 2009-03-08 22:36 707,584 --a------ c:\windows\system32\ol.exe
2009-03-08 21:26 . 2009-03-08 21:26 707,584 --a------ c:\windows\system32\pf.exe
2009-03-08 21:15 . 2009-03-08 21:15 707,584 --a------ c:\windows\system32\xq.exe
2009-03-08 21:09 . 2009-03-08 21:09 1,048,576 --------- c:\windows\system32\gq.exe
2009-03-08 20:59 . 2009-03-08 21:00 707,584 --a------ c:\windows\system32\ro.exe
2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\SUPERAntiSpyware.com
2009-03-08 18:21 . 2009-03-08 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-08 00:10 . 2009-03-08 00:11 707,584 --a------ c:\windows\system32\vt.exe
2009-03-06 23:22 . 2009-03-06 23:22 694,272 --a------ c:\windows\system32\ec.exe
2009-03-06 23:05 . 2009-03-06 23:05 694,272 --a------ c:\windows\system32\vh.exe
2009-03-06 22:53 . 2009-03-06 22:53 694,272 --a------ c:\windows\system32\ny.exe
2009-02-28 22:57 . 2009-02-28 22:57 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\Alawar
2009-02-27 13:04 . 2009-02-27 13:17 <DIR> d-------- C:\SDFix
2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-26 14:02 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-26 13:58 . 2009-02-26 17:45 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\HouseCall 6.6
2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-02-26 08:55 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-02-26 08:55 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys
2009-02-26 08:55 . 2009-01-21 10:38 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys
2009-02-26 08:55 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-02-25 14:51 . 2003-06-20 06:00 24,816 --a------ c:\windows\system32\mdimon.dll
2009-02-25 14:51 . 2009-02-25 14:51 376 --a------ c:\windows\ODBC.INI
2009-02-25 14:49 . 2009-02-25 14:49 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-02-25 14:48 . 2009-02-25 14:50 <DIR> d-------- c:\windows\SHELLNEW
2009-02-25 14:48 . 2009-02-25 14:48 <DIR> d-------- c:\program files\Microsoft.NET
2009-02-21 23:53 . 2009-02-21 23:53 <DIR> d-------- c:\windows\ERUNT
2009-02-18 21:02 . 2008-08-18 16:25 40,464 --a------ c:\windows\system32\drivers\hotcore3.sys
2009-02-15 10:13 . 2009-02-15 10:13 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\ComodoGroup
2009-02-15 10:12 . 2009-02-24 12:22 39,440 --a------ c:\windows\system32\drivers\csdf.sys
2009-02-15 10:12 . 2009-02-24 12:20 36,752 --a------ c:\windows\system32\drivers\crpf.sys
2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe
2009-02-13 01:04 . 2009-02-13 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-02-13 01:04 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts
2009-02-12 00:28 . 2006-09-12 17:16 227,328 -r-hs---- c:\windows\system32\ac3DX.ax
2009-02-12 00:28 . 2006-03-11 03:18 169,472 -r-hs---- c:\windows\system32\MatroskaDX.ax
2009-02-12 00:28 . 2005-11-26 02:16 161,792 -r-hs---- c:\windows\system32\RealMediaDX.ax
2009-02-12 00:28 . 2006-01-13 04:53 123,904 -r-hs---- c:\windows\system32\AVCDX.ax
2009-02-12 00:28 . 2003-11-21 04:30 54,784 -r-hs---- c:\windows\system32\RLAPEDec.ax
2009-02-12 00:28 . 2004-04-27 04:30 37,888 -r-hs---- c:\windows\system32\RLMPCDec.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 09:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-09 09:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DMCache
2009-03-08 13:20 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\uTorrent
2009-03-03 09:39 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\dvdcss
2009-02-27 17:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\avidemux
2009-02-26 03:25 --------- d-----w c:\program files\Common Files\PC Tools
2009-02-25 07:32 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\gtk-2.0
2009-02-15 13:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DVD Flick
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-05 19:04 --------- d-----w c:\program files\Yahoo!
2009-02-05 19:04 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Yahoo!
2009-01-29 08:22 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Vso
2009-01-28 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-21 08:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Ultra Fractal 5
2009-01-21 08:02 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Fraqtive
2009-01-18 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-15 12:12 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Thinstall
2009-01-12 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-12 15:29 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\PlayFirst
2008-12-12 21:47 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-09-02 04:35 47,360 ----a-w c:\documents and settings\A.CHOWDHURY\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"00PCTFW"="d:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll
"VIDC.MJPG"= pvmjpg30.dll
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll
"vidc.dfsc"= dfsc.dll
"msacm.dfscacm"= dfscacm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]
backup=c:\windows\pss\24Online Client.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-15 15:32 133104 c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-12-21 19:16 2573744 c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]
--a------ 2007-03-26 17:45 389120 c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-02-15 36752]
R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-02-15 39440]
R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-05-27 51564]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-02-18 40464]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-02-26 159600]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-26 73840]
R2 WMIBUSn;WMI-Bus NOptic;c:\windows\system\wmibusn.exe [2009-03-09 704000]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-26 95640]
S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-05 206096]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 WMIBUS;WMI Bus Database;"c:\windows\system\wmibus.exe" --> c:\windows\system\wmibus.exe [?]
S4 WMISYS;WMI System App;"c:\windows\system\wmisys.exe" --> c:\windows\system\wmisys.exe [?]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cmaudio - cmicnfg.cpl
MSConfigStartUp-TrueImageMonitor - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: mcafee.com\home
TCP: {350EC6BB-E936-4CFC-8829-910401F740B9} = 172.16.0.1
FF - ProfilePath - c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\
FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 15:18:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\system\wmibusn.exe [544] 0x867388C0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11a65854-998a-4b4d-9bf5-c4a851806410}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
"Therad"=dword:0000001e
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,b3,94,d4,80,e0,34,43,64,b7,1a,26,03,07,d6,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):31,88,1c,06,90,5c,de,29,d6,27,c3,7c,91,2c,68,ca,2f,e2,00,58,ed,
42,9c,c0,a8,ec,c2,fa,61,04,c1,7c,aa,71,cb,45,58,f7,71,25,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
d:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3248)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
d:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
d:\program files\PC Tools Firewall Plus\FWService.exe
.
**************************************************************************
.
Completion time: 2009-03-09 15:24:24 - machine was rebooted [A.CHOWDHURY]
ComboFix-quarantined-files.txt 2009-03-09 09:54:02

Pre-Run: 9,107,718,144 bytes free
Post-Run: 9,071,009,792 bytes free

234

As you can see, ComboFix did remove c:\windows\system32\drivers\sysdrv32.sys (I have highlighted it earlier). But it returned, because MBAM removed it today again.
As per your instructions, I am also attaching the wmibusn.exe file to the thread you gave the link to.
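Three things in the ComboFix log above can be pulled out mechanically rather than by eye: a run of two-letter .exe files of identical size written to system32 within a few hours of each other (the same payload being re-dropped under fresh names, which is why sysdrv32.sys keeps coming back), an executable in C:\WINDOWS\system carrying the read-only, hidden and system attributes, and Security Center and firewall registry values that have been switched off. The script below is an added example written for this thread, not ComboFix code and not anything the poster or helper supplied. Its sample input is copied (trimmed) from the log above; the thresholds (three files, a 48-hour window) and the reading of ComboFix's nine-character attribute string (h = hidden, s = system) are the author's assumptions.

```python
"""Pull dropper and tampering signals out of a ComboFix log.

Added example for this thread; not ComboFix code and not from the posts. Sample
input is copied (trimmed) from the log above. Grouping thresholds and the reading
of the 9-character attribute string (h = hidden, s = system) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# "Files Created" lines copied from the log above, trimmed to the interesting ones.
FILES_CREATED_SAMPLE = r"""
2009-03-09 14:47 . 2009-03-09 14:47 704,000 -r-hs---- c:\windows\system\wmibusn.exe
2009-03-09 00:36 . 2009-03-09 00:36 707,584 --a------ c:\windows\system32\lm.exe
2009-03-08 23:28 . 2009-03-08 23:28 707,584 --a------ c:\windows\system32\xk.exe
2009-03-08 22:52 . 2009-03-08 22:52 707,584 --a------ c:\windows\system32\gg.exe
2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-06 23:22 . 2009-03-06 23:22 694,272 --a------ c:\windows\system32\ec.exe
2009-03-06 23:05 . 2009-03-06 23:05 694,272 --a------ c:\windows\system32\vh.exe
2009-03-06 22:53 . 2009-03-06 22:53 694,272 --a------ c:\windows\system32\ny.exe
2009-02-12 00:28 . 2006-09-12 17:16 227,328 -r-hs---- c:\windows\system32\ac3DX.ax
"""

# "Reg Loading Points" excerpt copied from the same log.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{9})\s+(?P<path>.+)$"
)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+))')
EXECUTABLE = {".exe", ".dll", ".sys", ".scr"}  # .ax codec filters left out on purpose


def parse_files_created(text):
    """One dict per 'Files Created' line: created, size (None for <DIR>), attrs, path."""
    rows = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            rows.append({
                "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                "size": None if m["size"] == "<DIR>" else int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "path": PureWindowsPath(m["path"]),
            })
    return rows


def dropper_series(rows, min_count=3, window=timedelta(hours=48)):
    """(folder, size, names) for each group of >= min_count same-size executables
    written to one folder within `window`: a payload re-dropped under new names."""
    groups = defaultdict(list)
    for r in rows:
        if r["size"] and r["path"].suffix.lower() in EXECUTABLE:
            groups[(str(r["path"].parent).lower(), r["size"])].append(r)
    hits = []
    for (folder, size), members in groups.items():
        stamps = [m["created"] for m in members]
        if len(members) >= min_count and max(stamps) - min(stamps) <= window:
            hits.append((folder, size, sorted(m["path"].name for m in members)))
    return sorted(hits)


def hidden_system_executables(rows):
    """Executables carrying both the hidden and the system attribute."""
    return sorted(str(r["path"]) for r in rows
                  if r["size"] and r["path"].suffix.lower() in EXECUTABLE
                  and "h" in r["attrs"] and "s" in r["attrs"])


def security_center_tamper(reg_text):
    """Security Center notifications switched off, or Windows Firewall disabled."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.lower()
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        value = int(m["hex"], 16) if m["hex"] else int(m["dec"])
        if key.endswith("\\security center]") and m["name"].endswith("DisableNotify") and value == 1:
            findings.append("Security Center notification suppressed: " + m["name"])
        elif "firewallpolicy" in key and m["name"] == "EnableFirewall" and value == 0:
            findings.append("Windows Firewall disabled in " + key.rsplit("\\", 1)[-1].rstrip("]"))
    return findings


if __name__ == "__main__":
    rows = parse_files_created(FILES_CREATED_SAMPLE)
    print(dropper_series(rows), hidden_system_executables(rows),
          security_center_tamper(REG_SAMPLE), sep="\n")
```

Two caveats on reading the output. The log also shows codec-pack files (the .ax entries) with the same read-only/hidden/system attributes, which is why the attribute check is limited to executable suffixes; attributes alone are not a verdict. And EnableFirewall = 0 is exactly what a third-party firewall such as the PC Tools one on this machine sets when it takes over, so on its own it proves nothing; the two DisableNotify values are the stronger tell, and the helper's CFScript later in the thread resets both to 0.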

#6 miekiemoes - Forum Deity, Administrators, 7,127 posts, Gender: Female, Location: Belgium
Hi,

It's most probably the wmibusn.exe and other files reinstalling the highlighted driver again.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\system32\lm.exe
c:\windows\system32\xk.exe
c:\windows\system32\gg.exe
c:\windows\system32\ri.exe
c:\windows\system32\ol.exe
c:\windows\system32\pf.exe
c:\windows\system32\ro.exe
c:\windows\system32\ec.exe
c:\windows\system32\vh.exe
Collect::[8]
c:\windows\system\wmibusn.exe
C:\Windows\system\wmibus.exe
c:\windows\system\wmisys.exe
c:\windows\system\wmibus.exe
c:\windows\system32\ny.exe
c:\windows\system32\vt.exe
c:\windows\system32\gq.exe
c:\windows\system32\xq.exe
Driver::
WMISYS
WMIBUS
WMIBUSn
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11a65854-998a-4b4d-9bf5-c4a851806410}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created).
Then click the "Send File" button below in order to upload it.


After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
Mieke Verburgh
Assistant Director of Research


Follow us: Twitter, Become a fan: Facebook

#7
sics66

    New Member

  • Members
  • 39 posts
  • Gender:Male
  • Location:India
ComboFix 09-03-06.02 - A.CHOWDHURY 2009-03-12 8:32:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.665 [GMT 5.5:30]
Running from: c:\documents and settings\A.CHOWDHURY\My Documents\Downloads\Programs\ComboFix.exe
Command switches used :: c:\documents and settings\A.CHOWDHURY\My Documents\Downloads\Programs\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: PC Tools Firewall Plus *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\ec.exe
c:\windows\system32\gg.exe
c:\windows\system32\lm.exe
c:\windows\system32\ol.exe
c:\windows\system32\pf.exe
c:\windows\system32\ri.exe
c:\windows\system32\ro.exe
c:\windows\system32\vh.exe
c:\windows\system32\xk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\wmibusn.exe
c:\windows\system32\bg.exe.exe
c:\windows\system32\ca.exe.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\ec.exe
c:\windows\system32\gg.exe
c:\windows\system32\gq.exe
c:\windows\system32\iu.exe.exe
c:\windows\system32\js.exe.exe
c:\windows\system32\km.exe.exe
c:\windows\system32\lm.exe
c:\windows\system32\ls.exe.exe
c:\windows\system32\mi.exe.exe
c:\windows\system32\ny.exe
c:\windows\system32\ol.exe
c:\windows\system32\pf.exe
c:\windows\system32\pj.exe.exe
c:\windows\system32\ri.exe
c:\windows\system32\ro.exe
c:\windows\system32\ro.exe.exe
c:\windows\system32\vc.exe.exe
c:\windows\system32\vh.exe
c:\windows\system32\vt.exe
c:\windows\system32\xk.exe
c:\windows\system32\xq.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WMIBUS
-------\Legacy_WMIBUSN
-------\Legacy_WMISYS
-------\Service_WMIBUS
-------\Service_WMIBUSn
-------\Service_WMISYS


((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-11 23:52 . 2009-03-11 23:52 701,440 --a------ c:\windows\system32\xc.exe
2009-03-11 23:12 . 2009-03-11 23:12 701,440 --a------ c:\windows\system32\eo.exe
2009-03-11 00:47 . 2009-03-11 00:47 701,440 --a------ c:\windows\system32\uy.exe
2009-03-10 23:26 . 2009-03-10 23:26 701,440 --a------ c:\windows\system32\dr.exe
2009-03-10 13:37 . 2009-03-10 13:37 704,000 --a------ c:\windows\system32\fo.exe
2009-03-10 13:10 . 2009-03-10 13:10 704,000 --a------ c:\windows\system32\eg.exe
2009-03-09 23:43 . 2009-03-09 23:45 704,000 --a------ c:\windows\system32\hb.exe
2009-03-09 23:40 . 2009-03-09 23:40 820,012 --a------ c:\windows\system32\kq.exe
2009-03-09 23:30 . 2009-03-09 23:30 704,000 --a------ c:\windows\system32\na.exe
2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\SUPERAntiSpyware.com
2009-03-08 18:21 . 2009-03-08 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-28 22:57 . 2009-02-28 22:57 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\Alawar
2009-02-27 13:04 . 2009-02-27 13:17 <DIR> d-------- C:\SDFix
2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-26 14:02 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-26 13:58 . 2009-02-26 17:45 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\HouseCall 6.6
2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-02-26 08:55 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-02-26 08:55 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys
2009-02-26 08:55 . 2009-01-21 10:38 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys
2009-02-26 08:55 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-02-25 14:51 . 2003-06-20 06:00 24,816 --a------ c:\windows\system32\mdimon.dll
2009-02-25 14:51 . 2009-02-25 14:51 376 --a------ c:\windows\ODBC.INI
2009-02-25 14:49 . 2009-02-25 14:49 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-02-25 14:48 . 2009-02-25 14:50 <DIR> d-------- c:\windows\SHELLNEW
2009-02-25 14:48 . 2009-02-25 14:48 <DIR> d-------- c:\program files\Microsoft.NET
2009-02-21 23:53 . 2009-02-21 23:53 <DIR> d-------- c:\windows\ERUNT
2009-02-18 21:02 . 2008-08-18 16:25 40,464 --a------ c:\windows\system32\drivers\hotcore3.sys
2009-02-15 10:13 . 2009-02-15 10:13 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\ComodoGroup
2009-02-15 10:12 . 2009-02-24 12:22 39,440 --a------ c:\windows\system32\drivers\csdf.sys
2009-02-15 10:12 . 2009-02-24 12:20 36,752 --a------ c:\windows\system32\drivers\crpf.sys
2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe
2009-02-13 01:04 . 2009-02-13 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-02-13 01:04 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts
2009-02-12 00:28 . 2006-09-12 17:16 227,328 -r-hs---- c:\windows\system32\ac3DX.ax
2009-02-12 00:28 . 2006-03-11 03:18 169,472 -r-hs---- c:\windows\system32\MatroskaDX.ax
2009-02-12 00:28 . 2005-11-26 02:16 161,792 -r-hs---- c:\windows\system32\RealMediaDX.ax
2009-02-12 00:28 . 2006-01-13 04:53 123,904 -r-hs---- c:\windows\system32\AVCDX.ax
2009-02-12 00:28 . 2003-11-21 04:30 54,784 -r-hs---- c:\windows\system32\RLAPEDec.ax
2009-02-12 00:28 . 2004-04-27 04:30 37,888 -r-hs---- c:\windows\system32\RLMPCDec.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 03:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-11 18:40 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\gtk-2.0
2009-03-09 09:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DMCache
2009-03-08 13:20 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\uTorrent
2009-03-03 09:39 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\dvdcss
2009-02-27 17:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\avidemux
2009-02-26 03:25 --------- d-----w c:\program files\Common Files\PC Tools
2009-02-15 13:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DVD Flick
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-05 19:04 --------- d-----w c:\program files\Yahoo!
2009-02-05 19:04 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Yahoo!
2009-01-29 08:22 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Vso
2009-01-28 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-21 08:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Ultra Fractal 5
2009-01-21 08:02 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Fraqtive
2009-01-18 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-15 12:12 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Thinstall
2009-01-12 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-12 15:29 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\PlayFirst
2008-12-12 21:47 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-09-02 04:35 47,360 ----a-w c:\documents and settings\A.CHOWDHURY\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"00PCTFW"="d:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll
"VIDC.MJPG"= pvmjpg30.dll
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll
"vidc.dfsc"= dfsc.dll
"msacm.dfscacm"= dfscacm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]
backup=c:\windows\pss\24Online Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-15 15:32 133104 c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-12-21 19:16 2573744 c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]
--a------ 2007-03-26 17:45 389120 c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-02-15 36752]
R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-02-15 39440]
R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-05-27 51564]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-02-18 40464]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-02-26 159600]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-26 73840]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-26 95640]
S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-05 206096]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: mcafee.com\home
TCP: {350EC6BB-E936-4CFC-8829-910401F740B9} = 172.16.0.1
FF - ProfilePath - c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\
FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 08:36:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
d:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-12 8:41:52 - machine was rebooted [A.CHOWDHURY]
ComboFix-quarantined-files.txt 2009-03-12 03:11:13

Pre-Run: 8,983,810,048 bytes free
Post-Run: 8,973,733,888 bytes free


#8
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

A new set of files was created in the meantime, but that's because you were still infected then...

Navigate to and delete the following files:

c:\windows\system32\xc.exe
c:\windows\system32\eo.exe
c:\windows\system32\uy.exe
c:\windows\system32\dr.exe
c:\windows\system32\fo.exe
c:\windows\system32\eg.exe
c:\windows\system32\hb.exe
c:\windows\system32\kq.exe
c:\windows\system32\na.exe

They won't come back since the WMIBUS got deleted.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
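
The indicators the helper is working from in this thread (a fresh two-letter .exe of the same size dropped into system32 every few hours, a service whose binary sits in C:\WINDOWS\system\ rather than system32, and the Security Center DisableNotify values the CFScript above resets) can be pulled out of pasted ComboFix and HijackThis output mechanically rather than by eye. The script below is an added example written for this page; it is not ComboFix, HijackThis or the forum's own tooling. Its sample lines are constructed to mirror the posted logs, and the directory allow-list it applies to service binaries is an assumption of the example, not a HijackThis rule.

```python
"""Triage of pasted ComboFix / HijackThis output for the indicators in this thread.

Added example, not ComboFix, HijackThis or the forum's own code. It parses ComboFix
"Files Created" rows, HijackThis O23 service rows and a REGEDIT4 fragment (as in the
"Reg Loading Points" dump). The SAMPLE_* strings are constructed to mirror the logs.
"""
import re
from collections import defaultdict

# ComboFix "Files Created" row: created . modified size attrs path. "Find3M" rows
# lack the " . " separator and are deliberately not matched.
CF_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ "
    r"(?P<size>[\d,]+) (?P<attrs>[-\w]+) (?P<path>[A-Za-z]:\\.+?)\s*$"
)
# HijackThis O23 row: name - owner - path. Name is greedy because legitimate names
# contain " - " (Avira's do); the owner must be dash-free; the path starts with a drive.
HJT_O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>[^-]+) - (?P<path>[A-Za-z]:\\.+?)\s*$"
)
# The dropper's naming scheme in this thread: two random letters + .exe in system32,
# sometimes with a doubled ".exe.exe".
TWO_LETTER_EXE_RE = re.compile(r"^[a-z]:\\windows\\system32\\[a-z]{2}\.exe(\.exe)?$")
# Assumed allow-list for service binaries (example's choice). Anything else, such as
# the 16-bit-era c:\windows\system\ folder where WMIBUSn lives, is reported.
EXPECTED_SERVICE_DIRS = (":\\windows\\system32\\", ":\\program files\\")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')


def parse_combofix_files(text):
    """Return [(lowercased path, size in bytes)] for file rows; <DIR> rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = CF_FILE_RE.match(line.strip())
        if m:
            rows.append((m.group("path").lower(), int(m.group("size").replace(",", ""))))
    return rows


def flag_dropped_exes(files):
    """Group two-letter system32 executables by size: the same payload re-dropped
    under a fresh random name shows up as several paths sharing one size."""
    by_size = defaultdict(list)
    for path, size in files:
        if TWO_LETTER_EXE_RE.match(path):
            by_size[size].append(path)
    return dict(by_size)


def flag_services(text):
    """Return (name, path) for O23 services whose binary is outside EXPECTED_SERVICE_DIRS."""
    flagged = []
    for line in text.splitlines():
        m = HJT_O23_RE.match(line.strip())
        if m:
            path = m.group("path").lower()
            if not any(d in path for d in EXPECTED_SERVICE_DIRS):
                flagged.append((m.group("name"), path))
    return flagged


def flag_security_center(text):
    """Return Security Center *DisableNotify values that are non-zero (alerts silenced)."""
    key, flagged = "", []
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        vm = REG_DWORD_RE.match(line)
        if (vm and key.endswith("\\security center")
                and vm.group("name").lower().endswith("disablenotify")
                and int(vm.group("val"), 16) != 0):
            flagged.append(vm.group("name"))
    return flagged


# Constructed samples modelled on the thread's logs (not copied verbatim).
SAMPLE_COMBOFIX = r"""
2009-03-11 23:52 . 2009-03-11 23:52 701,440 --a------ c:\windows\system32\xc.exe
2009-03-11 23:12 . 2009-03-11 23:12 701,440 --a------ c:\windows\system32\eo.exe
2009-03-10 13:37 . 2009-03-10 13:37 704,000 --a------ c:\windows\system32\fo.exe
2009-03-09 23:40 . 2009-03-09 23:40 820,012 --a------ c:\windows\system32\kq.exe
2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe
2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
"""
SAMPLE_HJT = r"""
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"""
```

Run it over the real logs by pasting the relevant sections into the three sample strings: the size grouping makes the re-dropping cycle visible at a glance, the service check surfaces WMIBUSn even when its display name looks like a Windows component, and a non-zero DisableNotify value tells you the malware, not the user, silenced the Security Center.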

#9
sics66

    New Member

  • Members
  • 39 posts
  • Gender:Male
  • Location:India
Hi, thank you for all the help. I did as you advised. When I first posted the HJT log I was not having any specific problem with my computer. I just made an HJT scan and detected those suspicious entries. Even now, I am not having any problem as such. Here is my just-finished HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:13:19 PM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system\msddll.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718
O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WMI-Bus NOptic (WMIBUSn) - WMI Bus Application - C:\WINDOWS\system\wmibusn.exe

#10
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

According to your logs, it regenerated...?

Can you rescan with ComboFix again please? The logs are really confusing now, since it's unclear whether the latest HJT log was from before or afterwards.

Isn't your Avira detecting anything? Because it should detect all these files as well...

#11
sics66

    New Member

  • Members
  • 39 posts
  • Gender:Male
  • Location:India

Quote

According to your logs, it regenerated...?
No, wmibus.exe did not regenerate. WMIbusn.exe was there along with wmibus.exe. Only the latter was deleted.
The HJT log is AFTER cleaning with ComboFix.
Anyway, I am not too concerned about it at the moment. Maybe the processes are legitimate. But there are two things I would like to mention. First, sometimes a certain msddll.exe process was appearing in Task Manager. I could stop it and manually delete it from the System folder. Second, an error message appears during shutdown, something like this: "Error: Application error ipconfig.exe... the application failed to initialize... click OK to shut down." But I do not need to click OK; it shuts down fine.
Otherwise my PC is running fine. And yes, Avira is not catching anything with AntiVir Guard enabled.

And a big thanks for staying with me.I really appreciate it.

#12
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Please run Combofix again, because malware is still up and running. You should be concerned, because it's a nasty backdoor you're dealing with. The msddll.exe process is also related + WMIbusn.exe.

#13
sics66

    New Member

  • Members
  • 39 posts
  • Gender:Male
  • Location:India
Here is the latest Combofix log:

ComboFix 09-03-10.03 - A.CHOWDHURY 2009-03-12 23:52:31.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.751 [GMT 5.5:30]
Running from: c:\documents and settings\A.CHOWDHURY\Desktop\ComboFix.exe
FW: PC Tools Firewall Plus *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-12 22:57 . 2009-03-12 22:58 1,048,576 --a------ c:\windows\system32\vw.exe
2009-03-12 14:08 . 2009-03-12 14:08 701,440 --a------ c:\windows\system32\ej.exe
2009-03-12 13:27 . 2009-03-12 13:28 701,440 --a------ c:\windows\system32\ns.exe
2009-03-12 13:25 . 2009-03-12 13:25 1,048,576 --a------ c:\windows\system32\lz.exe
2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\SUPERAntiSpyware.com
2009-03-08 18:21 . 2009-03-08 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-28 22:57 . 2009-02-28 22:57 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\Alawar
2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-26 14:02 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-26 13:58 . 2009-02-26 17:45 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\HouseCall 6.6
2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-02-26 08:55 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-02-26 08:55 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys
2009-02-26 08:55 . 2009-01-21 10:38 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys
2009-02-26 08:55 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-02-25 14:51 . 2003-06-20 06:00 24,816 --a------ c:\windows\system32\mdimon.dll
2009-02-25 14:51 . 2009-02-25 14:51 376 --a------ c:\windows\ODBC.INI
2009-02-25 14:49 . 2009-02-25 14:49 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-02-25 14:48 . 2009-02-25 14:50 <DIR> d-------- c:\windows\SHELLNEW
2009-02-25 14:48 . 2009-02-25 14:48 <DIR> d-------- c:\program files\Microsoft.NET
2009-02-21 23:53 . 2009-02-21 23:53 <DIR> d-------- c:\windows\ERUNT
2009-02-18 21:02 . 2008-08-18 16:25 40,464 --a------ c:\windows\system32\drivers\hotcore3.sys
2009-02-15 10:13 . 2009-02-15 10:13 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\ComodoGroup
2009-02-15 10:12 . 2009-02-24 12:22 39,440 --a------ c:\windows\system32\drivers\csdf.sys
2009-02-15 10:12 . 2009-02-24 12:20 36,752 --a------ c:\windows\system32\drivers\crpf.sys
2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe
2009-02-13 01:04 . 2009-02-13 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-02-13 01:04 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts
2009-02-12 00:28 . 2006-09-12 17:16 227,328 -r-hs---- c:\windows\system32\ac3DX.ax
2009-02-12 00:28 . 2006-03-11 03:18 169,472 -r-hs---- c:\windows\system32\MatroskaDX.ax
2009-02-12 00:28 . 2005-11-26 02:16 161,792 -r-hs---- c:\windows\system32\RealMediaDX.ax
2009-02-12 00:28 . 2006-01-13 04:53 123,904 -r-hs---- c:\windows\system32\AVCDX.ax
2009-02-12 00:28 . 2003-11-21 04:30 54,784 -r-hs---- c:\windows\system32\RLAPEDec.ax
2009-02-12 00:28 . 2004-04-27 04:30 37,888 -r-hs---- c:\windows\system32\RLMPCDec.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 18:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 17:54 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DMCache
2009-03-11 18:40 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\gtk-2.0
2009-03-08 13:20 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\uTorrent
2009-03-03 09:39 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\dvdcss
2009-02-27 17:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\avidemux
2009-02-26 03:25 --------- d-----w c:\program files\Common Files\PC Tools
2009-02-15 13:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DVD Flick
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-05 19:04 --------- d-----w c:\program files\Yahoo!
2009-02-05 19:04 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Yahoo!
2009-01-29 08:22 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Vso
2009-01-28 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-21 08:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Ultra Fractal 5
2009-01-21 08:02 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Fraqtive
2009-01-18 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-15 12:12 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Thinstall
2009-01-12 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-12 15:29 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\PlayFirst
2008-12-12 21:47 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-09-02 04:35 47,360 ----a-w c:\documents and settings\A.CHOWDHURY\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll
"VIDC.MJPG"= pvmjpg30.dll
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll
"vidc.dfsc"= dfsc.dll
"msacm.dfscacm"= dfscacm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]
backup=c:\windows\pss\24Online Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00PCTFW]
--a------ 2009-02-23 10:49 2652056 d:\program files\PC Tools Firewall Plus\FirewallGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-06-12 14:28 266497 d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-15 15:32 133104 c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-12-21 19:16 2573744 c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]
--a------ 2007-03-26 17:45 389120 c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-02-15 36752]
R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-02-15 39440]
R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-05-27 51564]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-02-18 40464]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-02-26 159600]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-26 73840]
S2 WMIBUSn;WMI-Bus NOptic;"c:\windows\system\wmibusn.exe" --> c:\windows\system\wmibusn.exe [?]
S3 core86;Device Core x86;\??\c:\windows\system32\drivers\core86.sys --> c:\windows\system32\drivers\core86.sys [?]
S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-05 206096]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-26 95640]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: mcafee.com\home
TCP: {350EC6BB-E936-4CFC-8829-910401F740B9} = 172.16.0.1
FF - ProfilePath - c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\
FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 23:53:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-12 23:57:00
ComboFix-quarantined-files.txt 2009-03-12 18:26:00

Pre-Run: 9,126,821,888 bytes free
Post-Run: 9,112,104,960 bytes free

178


And the latest HJT log(after running Combofix):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:12 AM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe
C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEMonitor.exe
C:\Documents and Settings\A.CHOWDHURY\Desktop\Portables\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718
O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WMI-Bus NOptic (WMIBUSn) - Unknown owner - C:\WINDOWS\system\wmibusn.exe (file missing)

--
End of file - 5907 bytes


BTW, I had submitted the zipped wmibusn.exe file at the link you mentioned earlier. I could not submit it as an attachment since the size exceeded the limit. Any headway on it?
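The logs above carry several indicators a responder would want to pick out automatically: an O23 service with "Unknown owner" whose binary is "(file missing)", an image path under c:\windows\system rather than system32, a ComboFix S2/S3 entry whose file record is "[?]", and Security Center values set to 1 that silence the antivirus and update warnings. The triage script below is an added example, not code from this thread or from HijackThis, ComboFix or Malwarebytes; its sample lines are constructed from the logs quoted above, and the two-indicator threshold is an assumption of the example.

```python
"""Triage helper for HijackThis (O23) and ComboFix (R0/S3, REGEDIT4) log lines.

Added example; not part of the thread or of the HijackThis/ComboFix tools.
It flags the indicators the thread turned on: a service with no vendor
information whose binary is missing, an image in the windows 'system' folder
rather than system32, a ComboFix service entry with an unknown "[?]" file
record, and Security Center values that silence antivirus/update notifications.
"""
import re
from collections import defaultdict

# Constructed sample: legitimate and suspicious lines taken from the logs above.
SAMPLE_LOG = r"""
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: WMI-Bus NOptic (WMIBUSn) - Unknown owner - C:\WINDOWS\system\wmibusn.exe (file missing)
S2 WMIBUSn;WMI-Bus NOptic;"c:\windows\system\wmibusn.exe" --> c:\windows\system\wmibusn.exe [?]
S3 core86;Device Core x86;\??\c:\windows\system32\drivers\core86.sys --> c:\windows\system32\drivers\core86.sys [?]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

O23_PREFIX = "O23 - Service: "
# ComboFix service/driver line: "<start> <name>;<display>;<image> [date size]" or "... [?]"
CF_SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<record>[^\]]*)\]$"
)
# Security Center notification switches; a non-zero dword hides the balloon warnings.
SC_RE = re.compile(
    r'^"(?P<key>(?:AntiVirus|Updates|Firewall)DisableNotify)"=dword:(?P<val>[0-9a-fA-F]{8})$'
)
SYSTEM_DIR_RE = re.compile(r"\\windows\\system\\", re.IGNORECASE)


def parse_o23(line):
    """Split an HJT O23 line into (name, owner, path, file_missing).

    The service name itself may contain ' - ' (see the Avira entry), so split
    from the right: the last two separators delimit owner and image path.
    """
    body = line[len(O23_PREFIX):]
    name, owner, path = body.rsplit(" - ", 2)
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].rstrip()
    return name, owner, path, missing


def triage(log_text):
    """Return {subject: [reasons]} for every line that carries an indicator."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(O23_PREFIX):
            name, owner, path, missing = parse_o23(line)
            if owner.lower() == "unknown owner":
                findings[name].append("no vendor information")
            if missing:
                findings[name].append("service registered but binary missing")
            if SYSTEM_DIR_RE.search(path):
                findings[name].append("binary in \\windows\\system, not system32")
            continue
        m = CF_SVC_RE.match(line)
        if m:
            if m.group("record") == "?":
                findings[m.group("name")].append("ComboFix could not stat the image file")
            continue
        m = SC_RE.match(line)
        if m and int(m.group("val"), 16) != 0:
            findings["Security Center"].append(f"{m.group('key')} is set, notifications silenced")
    return dict(findings)


def high_confidence(findings, min_reasons=2):
    """Subjects with at least `min_reasons` independent indicators.

    'Unknown owner' alone is weak (the McAfee SiteAdvisor service trips it
    too), so the threshold keeps single-indicator entries out of the action list.
    """
    return sorted(k for k, v in findings.items() if len(v) >= min_reasons)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for subject, reasons in result.items():
        print(f"{subject}: {'; '.join(reasons)}")
    print("Needs action:", high_confidence(result))
```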

#14
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

No need to submit the files anymore. I already have them, also the wmibusn.exe. It's installed by the other ones.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
C:\WINDOWS\system\wmibusn.exe
C:\WINDOWS\system\msddll.exe
c:\windows\system32\vw.exe
c:\windows\system32\ej.exe
c:\windows\system32\ns.exe
c:\windows\system32\lz.exe
Driver::
WMIBUSn
core86
msddll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000

Save this as a text file, CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Mieke Verburgh
Assistant Director of Research


Follow us: Twitter, Become a fan: Facebook

#15
sics66

    New Member

  • Members
  • 39 posts
  • Gender:Male
  • Location:India
I copied that CFScript and was going to run that in Combofix. Then, just for the heck of it, I decided to run MBAM once more. After a Quick Scan this was the report:

Malwarebytes' Anti-Malware 1.34
Database version: 1842
Windows 5.1.2600 Service Pack 3

3/13/2009 9:21:08 AM
mbam-log-2009-03-13 (09-21-08).txt

Scan type: Quick Scan
Objects scanned: 62027
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msddll (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMIBUSn (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


As you see, MBAM detected and deleted two registry keys related to msddll.exe and wmibusn.exe.
I was a bit optimistic now and ran HJT. Here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:40 AM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
D:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Documents and Settings\A.CHOWDHURY\Desktop\Portables\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650495031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235650473718
O17 - HKLM\System\CCS\Services\Tcpip\..\{350EC6BB-E936-4CFC-8829-910401F740B9}: NameServer = 172.16.0.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5649 bytes


I was so happy to find NO mention of that dreaded O23 Service...wmibusn.exe.
Then I went into the list of services in Windows (services.msc) and was relieved to find no wmibus.exe or wmibusn.exe there. The only WMI there was WMI Performance Adapter, which, as far as I know, is a perfectly legitimate service.

So, my really helpful friend, should I run that CFScript in Combofix again? Or should I just wait and see?

#16
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Quote

As you see, MBAM detected and deleted two registry keys related to msddll.exe and wmibusn.exe.
I know mbam now detects it, but there are still some files that need to get deleted that mbam didn't detect.


Can you change the cfscript, because I need some samples again. Normally MBAM should detect them with the latest version though, that's why the samples are needed.

Delete the cfscript and create this one instead:


Collect::[8]
C:\WINDOWS\system\wmibusn.exe
C:\WINDOWS\system\msddll.exe
c:\windows\system32\vw.exe
c:\windows\system32\ej.exe
c:\windows\system32\ns.exe
c:\windows\system32\lz.exe
Driver::
WMIBUSn
core86
msddll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000


Then drag it into Combofix.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

Also post the log from Combofix in your next reply. It is really important that you follow instructions.
Mieke Verburgh
Assistant Director of Research


#17
sics66

    New Member

  • Members
  • 39 posts
  • Gender:Male
  • Location:India
ComboFix 09-03-10.03 - A.CHOWDHURY 2009-03-13 12:33:41.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.685 [GMT 5.5:30]
Running from: c:\documents and settings\A.CHOWDHURY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\A.CHOWDHURY\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: PC Tools Firewall Plus *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSDDLL
-------\Legacy_WMIBUSN
-------\Service_core86


((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-13 10:34 . <DIR> c:\windows\LastGood.Tmp
2009-03-13 10:34 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-13 10:31 . 2009-03-13 10:31 <DIR> d-------- c:\program files\Panda Security
2009-03-13 01:01 . 2009-03-13 01:01 <DIR> d-------- C:\SDFix
2009-03-08 20:15 . 2009-03-08 20:15 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 18:22 . 2009-03-08 18:22 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\SUPERAntiSpyware.com
2009-03-08 18:21 . 2009-03-08 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-28 22:57 . 2009-02-28 22:57 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\Alawar
2009-02-26 17:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-26 14:02 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-26 13:58 . 2009-02-26 17:45 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\HouseCall 6.6
2009-02-26 08:55 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-02-26 08:55 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-02-26 08:55 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys
2009-02-26 08:55 . 2009-01-21 10:38 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys
2009-02-26 08:55 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-02-25 14:51 . 2003-06-20 06:00 24,816 --a------ c:\windows\system32\mdimon.dll
2009-02-25 14:51 . 2009-02-25 14:51 376 --a------ c:\windows\ODBC.INI
2009-02-25 14:49 . 2009-02-25 14:49 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-02-25 14:48 . 2009-02-25 14:50 <DIR> d-------- c:\windows\SHELLNEW
2009-02-25 14:48 . 2009-02-25 14:48 <DIR> d-------- c:\program files\Microsoft.NET
2009-02-21 23:53 . 2009-02-21 23:53 <DIR> d-------- c:\windows\ERUNT
2009-02-18 21:02 . 2008-08-18 16:25 40,464 --a------ c:\windows\system32\drivers\hotcore3.sys
2009-02-15 10:13 . 2009-02-15 10:13 <DIR> d-------- c:\documents and settings\A.CHOWDHURY\Application Data\ComodoGroup
2009-02-15 10:12 . 2009-02-24 12:22 39,440 --a------ c:\windows\system32\drivers\csdf.sys
2009-02-15 10:12 . 2009-02-24 12:20 36,752 --a------ c:\windows\system32\drivers\crpf.sys
2009-02-15 10:12 . 2009-02-24 12:17 7,920 --a------ c:\windows\system32\cnat.exe
2009-02-13 01:04 . 2009-02-13 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 01:04 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-02-13 01:04 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 07:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-13 05:05 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DMCache
2009-03-11 18:40 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\gtk-2.0
2009-03-08 13:20 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\uTorrent
2009-03-03 09:39 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\dvdcss
2009-02-27 17:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\avidemux
2009-02-26 03:25 --------- d-----w c:\program files\Common Files\PC Tools
2009-02-15 13:01 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\DVD Flick
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-05 19:04 --------- d-----w c:\program files\Yahoo!
2009-02-05 19:04 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Yahoo!
2009-01-29 08:22 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Vso
2009-01-28 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-21 08:28 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Ultra Fractal 5
2009-01-21 08:02 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Fraqtive
2009-01-18 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-15 12:12 --------- d-----w c:\documents and settings\A.CHOWDHURY\Application Data\Thinstall
2008-09-02 04:35 47,360 ----a-w c:\documents and settings\A.CHOWDHURY\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"00PCTFW"="d:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll
"VIDC.MJPG"= pvmjpg30.dll
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll
"vidc.dfsc"= dfsc.dll
"msacm.dfscacm"= dfscacm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]
backup=c:\windows\pss\24Online Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-15 15:32 133104 c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-12-21 19:16 2573744 c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]
--a------ 2007-03-26 17:45 389120 c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-02-15 36752]
R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-02-15 39440]
R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-05-27 51564]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-02-18 40464]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-13 28544]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-02-26 159600]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-26 73840]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-26 95640]
S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-05 206096]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Default User\Local Settings\Temp\bsasee3y5d\IEExt.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: mcafee.com\home
TCP: {350EC6BB-E936-4CFC-8829-910401F740B9} = 172.16.0.1
FF - ProfilePath - c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\
FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\A.CHOWDHURY\Application Data\Mozilla\Firefox\Profiles\1bf5pbq8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\A.CHOWDHURY\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 12:37:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
d:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-13 12:42:45 - machine was rebooted [A.CHOWDHURY]
ComboFix-quarantined-files.txt 2009-03-13 07:12:00

Pre-Run: 8,988,553,216 bytes free
Post-Run: 8,974,827,520 bytes free

186


Quote

Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Sorry. Qoobox\Quarantine does not have that file. There are 2 folders, namely C and Registry_backups, and 2 files, catchme.log and catchme.txt, in Quarantine. Should I run Combofix again with that CFScript?

BTW, I should mention that after the last MBAM scan I had deleted the following files manually:
c:\windows\system32\vw.exe
c:\windows\system32\ej.exe
c:\windows\system32\ns.exe
c:\windows\system32\lz.exe
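As an added example, not code from this thread, from ComboFix or from Malwarebytes: a small Python triage script that reads lines in the shape of the ComboFix log quoted above (the firewall policy keys, the R0/S3 service lines) together with the list of hand-deleted files, and reports the points a helper would look at first, i.e. whether the Windows Firewall is enabled, which P2P clients hold firewall exceptions, the most recently dated driver, and which deleted executables follow the two-random-letter-in-system32 pattern. The sample lines, the `wscntfy.exe` contrast entry and the P2P keyword list are constructed assumptions for the example.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from typing import Dict, List

# Constructed sample in the shape of the log quoted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-13 28544]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
"""

# The files the poster said they deleted by hand, plus one legitimate name for contrast.
DELETED_FILES = [
    r"c:\windows\system32\vw.exe",
    r"c:\windows\system32\ej.exe",
    r"c:\windows\system32\ns.exe",
    r"c:\windows\system32\lz.exe",
    r"c:\windows\system32\wscntfy.exe",  # constructed contrast entry: a normal XP component
]

# ComboFix service line: "<start> <name>;<display name>;<path> [<yyyy-mm-dd> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
FIREWALL_KEY = r"[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
AUTH_KEY = FIREWALL_KEY[:-1] + r"\authorizedapplications\list]"
RANDOM_EXE_RE = re.compile(r"^[a-z]{2}\.exe$", re.IGNORECASE)
P2P_KEYWORDS = ("torrent", "limewire")  # assumption: keyword list for the P2P check


def parse_firewall(text: str) -> Dict[str, object]:
    """Return the standard-profile firewall state and its authorized-application list."""
    enabled = None
    allowed: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line.lower()
            section = "fw" if key == FIREWALL_KEY else "auth" if key == AUTH_KEY else None
            continue
        if section == "fw" and line.lower().startswith('"enablefirewall"'):
            value = line.split("=", 1)[1].strip().split()[0]   # '0' from '0 (0x0)'
            enabled = value != "0"
        elif section == "auth" and line.startswith('"'):
            # ComboFix doubles the backslashes in these values; undo that.
            path = line.split('"=', 1)[0].strip('"').replace("\\\\", "\\")
            allowed.append(path)
    return {"enabled": enabled, "authorized": allowed}


def parse_services(text: str) -> List[Dict[str, object]]:
    """Parse the R0/R1/S3 driver and service lines into records."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            rec: Dict[str, object] = dict(m.groupdict())
            rec["size"] = int(m.group("size"))
            records.append(rec)
    return records


def suspicious_system32_exes(paths: List[str]) -> List[str]:
    """Flag executables directly under system32 named with two random-looking letters."""
    flagged = []
    for p in paths:
        folder, _, name = p.lower().rpartition("\\")
        if folder.endswith("\\windows\\system32") and RANDOM_EXE_RE.match(name):
            flagged.append(p)
    return flagged


def triage(text: str, deleted: List[str]) -> Dict[str, object]:
    """Combine the checks into one summary a helper could read at a glance."""
    fw = parse_firewall(text)
    services = parse_services(text)
    newest = max(services, key=lambda s: str(s["date"])) if services else None
    return {
        "firewall_enabled": fw["enabled"],
        "p2p_exceptions": [a for a in fw["authorized"]
                           if any(k in a.lower() for k in P2P_KEYWORDS)],
        "newest_driver": newest["name"] if newest else None,
        "random_exes": suspicious_system32_exes(deleted),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, DELETED_FILES).items():
        print(f"{key}: {value}")
```

The two-letter-name check is deliberately narrow: it matches the pattern discussed in this thread and nothing else, so a legitimate system32 component such as the constructed `wscntfy.exe` entry is not flagged.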

#18
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

It would have been better if you just followed my instructions and didn't delete any files manually, because that explains why the zip files with the samples were not created: you had already deleted them manually.

Anyway, this looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research


#19
sics66

    New Member

  • Members
  • Pip
  • 39 posts
  • Gender:Male
  • Location:India

Quote

It would have been better if you just followed my instructions and didn't delete any files manually, because that explains why the zipfiles with the samples were not created since you already deleted them manually.


Very sorry indeed. I probably became a bit overzealous after finding the clean HJT log. I did run the Panda online scan too. Everything seems fine now. The latest HJT scan did not show anything suspicious. I will just keep my fingers crossed. Any problem and I may need your help again. You really have been fantastic, friend. And I promise to be very obedient next time. :P :P :P
BTW, can you possibly point out the source of these backdoors?

#20
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

I really have no clue how you got this backdoor. In most cases, such backdoors are spread via P2P software, such as Limewire, uTorrent etc...
As far as I can see, your problem started around 2009-03-06 22:53, because that was the date of the first dropped random exe.

I strongly suggest changing all your passwords, because they may be known. After all, this backdoor installed a hacktool, so all your passwords etc. could have been collected in the meantime.

Also,

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :P
Mieke Verburgh
Assistant Director of Research

