Hello Touch,
Here they are.
Generated 07/27/2008 at 11:19 AM

Application Version : 4.15.1000

Core Rules Database Version : 3518
Trace Rules Database Version: 1508

Scan type : Complete Scan
Total Scan Time : 00:25:13

Memory items scanned : 437
Memory threats detected : 0
Registry items scanned : 5583
Registry threats detected : 2
File items scanned : 24348
File threats detected : 3

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{81AA6A16-B8CA-43C4-A347-A487764FF528}

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP

Adware.Tracking Cookie
.indextools.com [ C:\Documents and Settings\nick\Application Data\Mozilla\Firefox\Profiles\4vl030tb.default\cookies.txt ]
.indextools.com [ C:\Documents and Settings\nick\Application Data\Mozilla\Firefox\Profiles\4vl030tb.default\cookies.txt ]

Spyware.RelevantKnowledge
C:\SYSTEM VOLUME INFORMATION\_RESTORE{089356D0-2498-4269-8D3A-69CF5E3E84EA}\RP370\A0073752.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{089356D0-2498-4269-8D3A-69CF5E3E84EA}\RP370\A0073851.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{089356D0-2498-4269-8D3A-69CF5E3E84EA}\RP370\A0073852.EXE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:47 PM, on 7/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=213.41.71.164:80;gopher=213.41.71.164:80;http=213.41.71.164:80;https=213.41.71.164:80
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P10 /q C:\DOCUME~1\nick\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\9F002ARJ\AV-24A~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\9F1QXZ8I\AV-16A~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\9F1QXZ8I\NEWMED~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\SLOBCFK3\CUTIE4~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\9F1QXZ8I\CUTIE4~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\GTQZ4H2F\YOUNG_~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\K1Y3GP2F\PLAY-A~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\C1EZS5QF\YOUNG_~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\WXMNW1YB\PROMOT~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\SLOBCFK3\MPLOGI~1.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\GTQZ4H2F\PRODUC~4.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\GTQZ4H2F\PRODUC~2.SH! C:\DOCUME~1\nick\LOCALS~1\TEMPOR~1\Content.IE5\ILWN0N8P\SEXY_Y~1.SH!
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 8986 bytes
ComboFix 08-07-27.1 - nick 2008-07-27 11:51:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.550 [GMT -5:00]
Running from: C:\Documents and Settings\nick\My Documents\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\atfhrtmu.ini
C:\WINDOWS\system32\dMVycMoq.ini
C:\WINDOWS\system32\dMVycMoq.ini2
C:\WINDOWS\system32\kmdtlcpm.ini
C:\WINDOWS\system32\legutroy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnrwveaq.ini
C:\WINDOWS\system32\nmwxuhwy.ini
C:\WINDOWS\system32\oWaayJjl.ini
C:\WINDOWS\system32\oWaayJjl.ini2
C:\WINDOWS\system32\xIhhOXyb.ini
C:\WINDOWS\system32\xIhhOXyb.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-27 10:51 . 2008-07-27 10:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-27 10:51 . 2008-07-27 10:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-27 10:51 . 2008-07-27 10:51 <DIR> d-------- C:\Documents and Settings\nick\Application Data\SUPERAntiSpyware.com
2008-07-27 10:51 . 2008-07-27 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-27 10:39 . 2008-07-27 10:39 <DIR> d-------- C:\Program Files\CCleaner
2008-07-27 03:31 . 2008-07-27 03:31 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-27 03:31 . 2008-07-27 03:31 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-27 03:31 . 2008-07-27 03:31 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-27 03:31 . 2008-07-27 03:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-27 03:29 . 2008-07-27 03:29 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-27 03:15 . 2008-04-13 19:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-07-27 03:14 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-26 20:03 . 2000-07-15 06:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-07-25 18:21 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-07-25 18:21 . 2008-07-27 11:55 11,229 --a------ C:\WINDOWS\system32\Config.MPF
2008-07-25 18:19 . 2008-07-25 18:19 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-25 18:19 . 2008-07-25 18:19 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-25 18:19 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-25 18:19 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-25 18:19 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-25 18:19 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-25 18:19 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-25 18:19 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-25 18:18 . 2008-07-26 01:00 <DIR> d-------- C:\Program Files\McAfee
2008-07-22 17:14 . 2008-07-26 15:04 <DIR> d-------- C:\WINDOWS\Lhsp
2008-07-22 17:13 . 2008-07-22 17:13 <DIR> d-------- C:\WINDOWS\speech
2008-07-22 17:13 . 2008-07-24 20:56 <DIR> d-------- C:\Program Files\KARI2
2008-07-22 17:13 . 2008-07-22 17:13 172,475 --a------ C:\WINDOWS\KARI2 Uninstaller.exe
2008-07-10 14:14 . 2008-07-10 14:15 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-06 00:53 . 2008-07-06 00:59 <DIR> d-------- C:\Program Files\7-Zip
2008-07-04 14:08 . 2008-07-04 14:08 <DIR> d-------- C:\MyAudio
2008-07-04 14:07 . 2008-07-04 14:08 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2008-07-04 07:21 . 2008-07-19 20:25 16,384 --a------ C:\WINDOWS\system32\drwtsn.exe
2008-07-03 18:09 . 2008-07-26 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 19:53 --------- d-----w C:\Program Files\Oxin's Style!
2008-07-26 06:20 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-25 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-25 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-20 01:25 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-07-20 01:19 --------- d-----w C:\Program Files\Java
2008-07-18 00:26 --------- d-----w C:\Program Files\Bodog Poker
2008-07-10 19:14 --------- d-----w C:\Documents and Settings\nick\Application Data\AdobeUM
2008-06-30 23:39 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-30 01:10 --------- d-----w C:\Program Files\Windows Live
2008-06-28 01:36 --------- d-----w C:\Documents and Settings\nick\Application Data\dvdcss
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 04:54 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-18 04:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 04:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-14 22:09 --------- d-----w C:\Program Files\Google
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 08:54 --------- d-----w C:\Documents and Settings\nick\Application Data\vlc
2008-06-08 06:54 --------- d-----w C:\Program Files\VideoLAN
2008-05-31 20:15 --------- d-----w C:\Program Files\HP
2008-05-31 08:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-29 04:55 --------- d-----w C:\Program Files\Pineapple Works
2007-08-07 23:47 88 --sha-r C:\WINDOWS\system32\5283EB2E49.sys
2007-08-07 23:53 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2007-12-04 13:32 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 17:01 67584]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-05-29 13:49 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-05-29 13:49 86016]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-05-29 13:49 81920]
"ntiMUI"="c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2008-05-29 13:49 45056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 15:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 15:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 15:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 15:00 455168]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-29 13:49 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-09 19:45 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-08-09 19:45 2879488 C:\WINDOWS\SkyTel.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 17:46]
S3 sanyomdm;SANYO Composite USB Driver;C:\WINDOWS\system32\DRIVERS\sanyomdm.sys [2005-05-27 11:25]
S3 sanyoser;SANYO Serial Port Driver;C:\WINDOWS\system32\DRIVERS\sanyoser.sys [2005-05-27 11:25]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABF6FCC4-B500-F359-F72A-AC5084B1A3BB}]
C:\WINDOWS\system32\scvhost
.
Contents of the 'Scheduled Tasks' folder
2008-07-25 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-07-25 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-07-25 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2008-05-16 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -
Notify-cbXRIXom - cbXRIXom.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page =
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = ftp=213.41.71.164:80;gopher=213.41.71.164:80;http=213.41.71.164:80;https=213.41.71.164:80
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O8 -: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 -: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 11:54:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-07-27 11:57:15 - machine was rebooted [nick]
ComboFix-quarantined-files.txt 2008-07-27 16:57:11

Pre-Run: 58,676,342,784 bytes free
Post-Run: 58,571,993,088 bytes free

203 --- E O F --- 2008-07-25 05:04:35
Thanks again.