NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

View previous topic View next topic Go down

NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by sparty on 28th May 2010, 7:10 pm

I'VE BEEN HIT 1ST BY THE TROJAN GENERIC.DX!PRM AND NOW GENERIC DOWNLOADER.X!DXZ. McAFEE CATCHES THE TROJAN AND HAS ALLOWED ME TO BLOCK CHANGES TO THE REGISTRY. HOWEVER, THE TROJAN OPENED UP AN UNWANTED WEBSITE (BULKMASTERS.COM???....NOT SURE) WHICH I COULDN'T CLOSE AND COULD NOT PERFORM ANY FUNCTIONS SUCH AS RUNNING MY MALWARE ANTISPYWARE PROGRAM. I SHUT DOWN MY DESKTOP AND REBOOTED AND NOW I'M FROZE AT THE BACKGROUND SCREEN WITH McAFEE CONTINUALLY FLASHING THE TROJAN REMOVAL ALERT FOR THE GENERIC DOWNLOADR.X!DXZ TROJAN. THE LOCATION OF THE TROJAN FILE IS C:\WINDOWS\SYSTEM32\DFRGUI32.DLL.

PLEASE HELP ASAP!! I'M SEARCHING ON MY LAPTOP FOR POSSIBLE SOLUTIONS AND THIS SITE WAS RECCOMENDED. I'M A NEW MEMBER.

THANKS FOR YOUR ASSISTANCE!

sparty
Novice
Novice

Posts Posts : 26
Joined Joined : 2010-05-28
OS OS : xp pro
Points Points : 24228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by Crush on 28th May 2010, 8:15 pm

Hello and welcome to GeekPolice.net.

My name is Crush but, you can call me Chris, and I will do my best to help get your problem resolved today.

I am currently a student in GeekPolice Academy, and will be a little delayed on each reply, as my instructors must review and approve each reply.

[You must be registered and logged in to see this link.]

If you have any questions, please ask, and I will do my best to get to the question promptly.

Please wait here, while I get the first set of instructions for you.

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42108
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by Crush on 28th May 2010, 8:25 pm

Hi Sparty,

First, please don't use all caps. It makes posts difficult to read and you come off as yelling. Thanks Smile
======

Please reboot your PC. However, instead of letting it boot normally hit F8

In the menu you are presented with choose Safe Mode With Networking

Once there please do the following:

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42108
# Likes # Likes : 0

View user profile

Back to top Go down

Chris

Post by sparty on 28th May 2010, 9:00 pm

Chris, thanks for your help! I actually tried to post this reply a short time ago (and it wasn't in all caps :-) but when I sent the reply, I was informed that your latest reply was posted and my reply didn't post.

In the interim since posting this topic, I was able to restart in safemode and also run my Antimalwarebytes program which detected 23 different infected files. Upon restart, I'm able to connect to the internet and run other programs. However, upon restart a RUNDLL error message flashed which read "Error loading piunbara.dll. Specified module could not be found." Also upon restart, whenever I do a Google search for a website (Geek Police.net for example) and I click on the website addresss, I'm directed to a totally different site each time (i.e.; blinkx.com or some other unrelated website) rather than the requested website. I can type the address in the address bar and I can click on a bookmarked favorite address with no problem. One other thing I noticed on restart was that I had a new icon containing a notepad document titled "hs_err_pid2556". Should I still download and run the ComboFix?

sparty
Novice
Novice

Posts Posts : 26
Joined Joined : 2010-05-28
OS OS : xp pro
Points Points : 24228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by Crush on 28th May 2010, 9:18 pm

Yes. Please download and run ComboFix. There may still be some stuff leftover. Also, I will need the logfiles from any programs you've run. Thanks Smile

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42108
# Likes # Likes : 0

View user profile

Back to top Go down

Posting Log(s)

Post by sparty on 28th May 2010, 10:40 pm

Following is the ComboFix log. I'm still getting the same RUNDLL error message referenced in prior message on startup. Also, while I was typing this reply, I've had seperate browser windows open up for random websites (ipromote.com & allstate.com).....obviously something is still amiss. I'm also posting the log(s) from 2 seperate AntiMalwarebytes scans along with the log copied from the new icon l referenced earlier that was loaded on to my desktop. I look forward to hearing from you soon. Thanks!

Here is the ComboFix Log:

ComboFix 10-05-28.02 - Boss 05/28/2010 17:41:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.166 [GMT -4:00]
Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Boss\Application Data\02000000f27ac5f7922C.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922O.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922P.manifest
c:\documents and settings\Boss\Application Data\02000000f27ac5f7922S.manifest
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome.manifest
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\_cfg.js
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\c.js
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\chrome\content\overlay.xul
c:\documents and settings\Boss\Local Settings\Application Data\{7D010489-9767-45F7-A83C-1CD4F2573CF8}\install.rdf
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Boss\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\program files\Common
c:\program files\Common\_helper.sig
c:\windows\jestertb.dll
c:\windows\Mcybaa.exe
c:\windows\system32\comrepl.exe
c:\windows\system32\hlp.dat

Infected copy of c:\windows\system32\drivers\FTDISK.SYS was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.

2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
2010-05-28 18:14 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\f36decbb.exe
2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
2010-05-28 18:09 . 2010-05-28 18:09 50981 ----a-w- c:\windows\system32\areoghkfntcfn.exe
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
2010-05-28 18:08 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\8db3d791.exe
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\mzhjanoe.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\tevbxohl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 22:00 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-28 22:00 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-28 21:39 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-30 15:33 . 2004-06-21 16:16 -------- d-----w- c:\program files\Common Files\Real
2010-03-30 15:32 . 2006-03-04 19:06 -------- d-----w- c:\program files\Real
2010-03-30 15:32 . 2010-03-30 15:32 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CC5A190-E657-4C30-A101-C0A9252B9DAA}]
2010-05-25 05:38 309248 ----a-w- c:\windows\SYSTEM32\mzhjanoe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"MChk"="c:\windows\system32\tevbxohl.exe" [2010-05-24 40633]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 2:40 PM 24652]
S0 cadamg;cadamg; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
S2 MSWU-8db3d791;MSWU-8db3d791;c:\windows\SYSTEM32\8db3d791.exe [5/28/2010 2:08 PM 75264]
S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\SYSTEM32\f36decbb.exe [5/28/2010 2:14 PM 75264]
S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fyphhfvk
.
Contents of the 'Scheduled Tasks' folder

2010-05-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

2010-04-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

2010-05-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: ppctlcab - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

BHO-{101E208F-5D79-44F9-2C44-8ABE064649FF} - c:\windows\system32\tkncvqhujvmpdp.dll
BHO-{B3745075-1CA8-48D7-BB11-E71F974BEC43} - c:\windows\system32\piunbara.dll
HKCU-Run-rpyfmywx - c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo\jtqblxutssd.exe
HKLM-Run-IndividualMedical - c:\program files\Assurant Health\IMJA\Individual Medical v2.0\IM.exe
HKLM-Run-skb - piunbara.dll
HKLM-Run-rpyfmywx - c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo\jtqblxutssd.exe
Notify-28c60c73922 - c:\windows\system32\dfrgui32.dll
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-28 18:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-05-28 18:13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-28 22:13

Pre-Run: 59,766,145,024 bytes free
Post-Run: 60,105,039,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - F066A08767EC84633FE6E6EA0CA3B367





Here are the two (2) Malwarebytes logs:




Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3930

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

5/28/2010 3:53:27 PM
mbam-log-2010-05-28 (15-53-27).txt

Scan type: Quick scan
Objects scanned: 130721
Time elapsed: 12 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CscrptXt.CscrptXt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sszggoneeahor (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6b9d9fdd-cc26-42f7-a10e-216d01e76f51}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Boss\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Boss\Local Settings\Temp\onwasxmcre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\piunbara.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Boss\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Boss\Application Data\SystemProc\upd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\COMMDLG32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tkncvqhujvmpdp.dll (Trojan.Agent) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/28/2010 5:02:02 PM
mbam-log-2010-05-28 (17-02-02).txt

Scan type: Quick scan
Objects scanned: 6477
Time elapsed: 15 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\cadamg.sys (Rootkit.Agent) -> Delete on reboot.






Finally here is a copy of the log file loaded on my desktop titled "hs_err_pid2556" :




#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x1b00255c, pid=2556, tid=1740
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0_10-b03 mixed mode)
# Problematic frame:
# C [ImgUtil.dll+0x255c]
#

--------------- T H R E A D ---------------

Current thread (0x05c90c50): JavaThread "thread applet-vmain.class" [_thread_in_native, id=1740]

siginfo: ExceptionCode=0xc0000005, reading address 0x57000019

Registers:
EAX=0x00000000, EBX=0x2361bd70, ECX=0x08b7dba0, EDX=0x00000000
ESP=0x146af800, EBP=0x255a255a, ESI=0x2361bd70, EDI=0x05c90c50
EIP=0x1b00255c, EFLAGS=0x00210246

Top of Stack: (sp=0x146af800)
0x146af800: 146af800 2361bd70 146af830 2361c348
0x146af810: 00000000 2361bd70 146af82c 146af854
0x146af820: 1b012a64 00000000 1b016509 1d310a28
0x146af830: 1d394e88 1d394e88 146af838 2361bce7
0x146af840: 146af864 2361c348 00000000 2361bd08
0x146af850: 146af860 146af884 1b0129e3 1d3fbcd0
0x146af860: 1d310a28 1d394e88 146af868 2361b3c9
0x146af870: 146af89c 2361c348 00000000 2361b3d8

Instructions: (pc=0x1b00255c)
0x1b00254c: 90 8b ff 55 8b ec 53 8b 5d 10 56 33 f6 3b de 0f
0x1b00255c: 84 92 19 00 00 57 6a 40 89 33 bf 0e 00 07 80 e8


Stack: [0x145b0000,0x146b0000), sp=0x146af800, free space=1022k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [ImgUtil.dll+0x255c]

[error occurred during error reporting, step 120, id 0xc0000005]

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j com.sun.media.sound.HeadspaceSoundbank.nOpenResource(Ljava/lang/String;)J+0
j com.sun.media.sound.HeadspaceSoundbank.initialize(Ljava/lang/String;)V+7
j com.sun.media.sound.HeadspaceSoundbank.(Ljava/net/URL;)V+89
j com.sun.media.sound.HsbParser.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+5
j javax.sound.midi.MidiSystem.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+36
j vmain.init()V+88
j sun.applet.AppletPanel.run()V+197
j java.lang.Thread.run()V+11
v ~StubRoutines::call_stub

--------------- P R O C E S S ---------------

Java Threads: ( => current thread )
0x02e9bd70 JavaThread "AWT-EventQueue-2" [_thread_blocked, id=4052]
0x08d9f788 JavaThread "Thread-22" [_thread_in_native, id=3992]
0x05d72408 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=3880]
0x05c91a20 JavaThread "Thread-20" [_thread_in_native, id=204]
0x08a742c8 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=2212]
0x08add830 JavaThread "AWT-Shutdown" [_thread_blocked, id=3368]
0x02ea6778 JavaThread "Thread-19" [_thread_in_native, id=2928]
=>0x05c90c50 JavaThread "thread applet-vmain.class" [_thread_in_native, id=1740]
0x08a74ee0 JavaThread "thread applet-vmain.class" [_thread_blocked, id=3864]
0x05ce3330 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=3456]
0x08b0da00 JavaThread "AWT-Windows" daemon [_thread_in_native, id=2016]
0x05d17bd8 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=3724]
0x05d74108 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=1288]
0x12040250 JavaThread "CompilerThread0" daemon [_thread_blocked, id=1912]
0x05de3cf8 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=1732]
0x05d7d688 JavaThread "Finalizer" daemon [_thread_blocked, id=1936]
0x08ceab80 JavaThread "Reference Handler" daemon [_thread_blocked, id=848]

Other Threads:
0x05e0e290 VMThread [id=3888]
0x05d2cde0 WatcherThread [id=2800]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
def new generation total 5184K, used 4039K [0x1d010000, 0x1d5a0000, 0x1d770000)
eden space 4672K, 86% used [0x1d010000, 0x1d401970, 0x1d4a0000)
from space 512K, 0% used [0x1d4a0000, 0x1d4a03d8, 0x1d520000)
to space 512K, 0% used [0x1d520000, 0x1d520000, 0x1d5a0000)
tenured generation total 67584K, used 48740K [0x1d770000, 0x21970000, 0x23010000)
the space 67584K, 72% used [0x1d770000, 0x207091b8, 0x20709200, 0x21970000)
compacting perm gen total 8192K, used 6311K [0x23010000, 0x23810000, 0x27010000)
the space 8192K, 77% used [0x23010000, 0x23639f08, 0x2363a000, 0x23810000)
No shared spaces configured.

Dynamic libraries:
0x00400000 - 0x0049c000 C:\Program Files\Internet Explorer\IEXPLORE.EXE
0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f6000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f02000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x77f10000 - 0x77f59000 C:\WINDOWS\system32\GDI32.dll
0x7e410000 - 0x7e4a1000 C:\WINDOWS\system32\USER32.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
0x78130000 - 0x78258000 C:\WINDOWS\system32\urlmon.dll
0x77120000 - 0x771ab000 C:\WINDOWS\system32\OLEAUT32.dll
0x3dfd0000 - 0x3e015000 C:\WINDOWS\system32\iertutil.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x5cb70000 - 0x5cb96000 C:\WINDOWS\system32\ShimEng.dll
0x71590000 - 0x71609000 C:\WINDOWS\AppPatch\AcLayers.DLL
0x769c0000 - 0x76a74000 C:\WINDOWS\system32\USERENV.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000 - 0x5d12a000 C:\WINDOWS\system32\comctl32.dll
0x3e1c0000 - 0x3e78d000 C:\WINDOWS\system32\IEFRAME.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\UxTheme.dll
0x74720000 - 0x7476c000 C:\WINDOWS\system32\MSCTF.dll
0x63000000 - 0x63037000 C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll
0x10000000 - 0x10006000 C:\Program Files\McAfee\SiteAdvisor\saHook.dll
0x00ce0000 - 0x00fa5000 C:\WINDOWS\system32\xpsp2res.dll
0x77b40000 - 0x77b62000 C:\WINDOWS\system32\apphelp.dll
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x5dff0000 - 0x5e01f000 C:\WINDOWS\system32\IEUI.dll
0x76380000 - 0x76385000 C:\WINDOWS\system32\MSIMG32.dll
0x4ec50000 - 0x4edfb000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll
0x47060000 - 0x47081000 C:\WINDOWS\system32\xmllite.dll
0x76fd0000 - 0x7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 - 0x77115000 C:\WINDOWS\system32\COMRes.dll
0x746f0000 - 0x7471a000 C:\WINDOWS\System32\msimtf.dll
0x77a20000 - 0x77a74000 C:\WINDOWS\System32\cscui.dll
0x76600000 - 0x7661d000 C:\WINDOWS\System32\CSCDLL.dll
0x77920000 - 0x77a13000 C:\WINDOWS\system32\SETUPAPI.dll
0x325c0000 - 0x325d2000 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
0x61930000 - 0x6197a000 C:\Program Files\Internet Explorer\ieproxy.dll
0x7d1e0000 - 0x7d49c000 C:\WINDOWS\system32\msi.dll
0x7e720000 - 0x7e7d0000 C:\WINDOWS\system32\SXS.DLL
0x3d930000 - 0x3da01000 C:\WINDOWS\system32\WININET.dll
0x01cc0000 - 0x01cc9000 C:\WINDOWS\system32\Normaliz.dll
0x75cf0000 - 0x75d81000 C:\WINDOWS\system32\MLANG.dll
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\ws2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x028b0000 - 0x028d7000 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
0x02910000 - 0x02952000 c:\PROGRA~1\mcafee\SITEAD~1\mcbrwctl.dll
0x708f0000 - 0x70903000 C:\WINDOWS\system32\asycfilt.dll
0x03230000 - 0x03240000 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
0x03250000 - 0x032eb000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
0x60110000 - 0x60162000 C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
0x763b0000 - 0x763f9000 C:\WINDOWS\system32\comdlg32.dll
0x7c3a0000 - 0x7c41b000 C:\WINDOWS\system32\MSVCP71.dll
0x7c340000 - 0x7c396000 C:\WINDOWS\system32\MSVCR71.dll
0x69400000 - 0x69410000 c:\PROGRA~1\mcafee\SITEAD~1\MCSACO~1.DLL
0x03420000 - 0x0343f000 C:\WINDOWS\system32\dla\tfswshx.dll
0x03440000 - 0x0344f000 C:\WINDOWS\system32\tfswapi.dll
0x03450000 - 0x0348b000 C:\WINDOWS\system32\dla\tfswcres.dll
0x6d600000 - 0x6d66a000 C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
0x5edd0000 - 0x5ede7000 C:\WINDOWS\system32\OLEPRO32.DLL
0x14490000 - 0x144a3000 C:\Program Files\McAfee\VirusScan\scriptsn.dll
0x75c50000 - 0x75ccd000 C:\WINDOWS\system32\Jscript.dll
0x73300000 - 0x73369000 C:\WINDOWS\system32\VBscript.dll
0x14180000 - 0x1418f000 C:\Program Files\McAfee\VirusScan\mytilus3.dll
0x14710000 - 0x1474e000 C:\Program Files\McAfee\VirusScan\mytilus3_worker.dll
0x76780000 - 0x76789000 C:\WINDOWS\system32\SHFOLDER.dll
0x14100000 - 0x14107000 C:\Program Files\McAfee\VirusScan\RES00\McShield.dll
0x036d0000 - 0x03790000 C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
0x77a80000 - 0x77b15000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
0x76d60000 - 0x76d79000 C:\WINDOWS\system32\IPHLPAPI.DLL
0x68000000 - 0x68036000 C:\WINDOWS\system32\rsaenh.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\system32\mswsock.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x76ee0000 - 0x76f1c000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 - 0x76ea2000 C:\WINDOWS\system32\rasman.dll
0x5b860000 - 0x5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
0x76eb0000 - 0x76edf000 C:\WINDOWS\system32\TAPI32.dll
0x76e80000 - 0x76e8e000 C:\WINDOWS\system32\rtutils.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x71d40000 - 0x71d5b000 C:\WINDOWS\system32\actxprxy.dll
0x77c70000 - 0x77c95000 C:\WINDOWS\system32\msv1_0.dll
0x76790000 - 0x7679c000 C:\WINDOWS\system32\cryptdll.dll
0x722b0000 - 0x722b5000 C:\WINDOWS\system32\sensapi.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x3da20000 - 0x3dd95000 C:\WINDOWS\system32\mshtml.dll
0x746c0000 - 0x746e9000 C:\WINDOWS\system32\msls31.dll
0x42f90000 - 0x42ff0000 C:\WINDOWS\system32\ieapfltr.dll
0x77690000 - 0x776b1000 C:\WINDOWS\system32\NTMARTA.DLL
0x71bf0000 - 0x71c03000 C:\WINDOWS\system32\SAMLIB.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x42070000 - 0x420a2000 C:\WINDOWS\system32\iepeers.dll
0x420c0000 - 0x420f9000 C:\WINDOWS\system32\Dxtrans.dll
0x76b20000 - 0x76b31000 C:\WINDOWS\system32\ATL.DLL
0x6d430000 - 0x6d43a000 C:\WINDOWS\System32\ddrawex.dll
0x73760000 - 0x737ab000 C:\WINDOWS\System32\DDRAW.dll
0x73bc0000 - 0x73bc6000 C:\WINDOWS\System32\DCIMAN32.dll
0x42010000 - 0x42067000 C:\WINDOWS\system32\Dxtmsft.dll
0x74980000 - 0x74aa3000 C:\WINDOWS\System32\msxml3.dll
0x1b000000 - 0x1b00c000 C:\WINDOWS\system32\ImgUtil.dll
0x42b90000 - 0x42c07000 C:\WINDOWS\system32\mshtmled.dll
0x74c80000 - 0x74cac000 C:\WINDOWS\system32\OLEACC.DLL
0x76080000 - 0x760e5000 C:\WINDOWS\system32\MSVCP60.dll
0x435a0000 - 0x43612000 C:\WINDOWS\system32\msfeeds.dll
0x41e30000 - 0x41e3e000 C:\WINDOWS\system32\pngfilt.dll
0x767f0000 - 0x76818000 C:\WINDOWS\system32\schannel.dll
0x68100000 - 0x68126000 C:\WINDOWS\system32\dssenh.dll
0x06570000 - 0x065cb000 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll
0x08f40000 - 0x093e3000 C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx
0x73b30000 - 0x73b45000 C:\WINDOWS\system32\mscms.dll
0x12950000 - 0x133b6000 C:\WINDOWS\system32\wmp.dll
0x75a70000 - 0x75a91000 C:\WINDOWS\system32\MSVFW32.dll
0x59a60000 - 0x59b01000 C:\WINDOWS\system32\dbghelp.dll
0x13740000 - 0x13f1b000 C:\WINDOWS\system32\wmploc.dll

VM Arguments:
jvm_args: -Xbootclasspath/a:C:\PROGRA~1\Java\JRE15~1.0_1\lib\deploy.jar;C:\PROGRA~1\Java\JRE15~1.0_1\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.5.0_10 -Djavaplugin.nodotversion=150_10 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\JRE15~1.0_1 -Djava.protocol.handler.pkgs=sun.plugin.net.protocol -Djavaplugin.vm.options=-Djava.class.path=C:\PROGRA~1\Java\JRE15~1.0_1\classes -Xbootclasspath/a:C:\PROGRA~1\Java\JRE15~1.0_1\lib\deploy.jar;C:\PROGRA~1\Java\JRE15~1.0_1\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.5.0_10 -Djavaplugin.nodotversion=150_10 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\JRE15~1.0_1 -Djava.protocol.handler.pkgs=sun.plugin.net.protocol vfprintf
java_command:
Launcher Type: generic

Environment Variables:
PATH=C:\PROGRA~1\Java\JRE15~1.0_1\bin;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\COMMON~1\SONICS~1\;.
USERNAME=Boss
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel



--------------- S Y S T E M ---------------

OS: Windows XP Build 2600 Service Pack 3

CPU:total 2 (cores per cpu 1, threads per core 2) family 15 model 3 stepping 4, cmov, cx8, fxsr, mmx, sse, sse2, sse3, ht

Memory: 4k page, physical 523260k(56876k free), swap 2586492k(2000356k free)

vm_info: Java HotSpot(TM) Client VM (1.5.0_10-b03) for windows-x86, built on Nov 9 2006 13:13:34 by "java_re" with MS VC++ 6.0

sparty
Novice
Novice

Posts Posts : 26
Joined Joined : 2010-05-28
OS OS : xp pro
Points Points : 24228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by Crush on 28th May 2010, 11:21 pm

Hi again,

You have a pretty serious Rootkit called TDL3.

Your computer has multiple infections, including a rootkit. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).


DO NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its rootkit functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
========

Please download [You must be registered and logged in to see this link.] and install it. If you already have it, no need to reinstall.

Then, download [You must be registered and logged in to see this link.] and save the setup to your Desktop.

  • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  • Once inside the interface, do not fix anything. Click on the Report tab.
  • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42108
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by sparty on 29th May 2010, 12:37 am

Holy Crap!!!!!

I've turned on the lockdown firewall on mcafee which disconnects incoming or outgoing internet connections for now. Is that sufficient to block any rotokit activity like obtaining passwords, etc.? This is a LOT to consider. I've never backed up all my files and I certainly never reformatted or reinstalled an OS. I've read much from the links above. If I'm going to produce the log you mention, I'll need to connect to the internet on that machine. Is that safe?

sparty
Novice
Novice

Posts Posts : 26
Joined Joined : 2010-05-28
OS OS : xp pro
Points Points : 24228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by Crush on 29th May 2010, 12:50 am

Hi Sparty,

A Rootkit is a very serious infection. The easiest way to "start fresh" is to go through the reformat process. If you choose to go this route, do you have another machine handy so we can guide you through it? Do you have an external hard drive or CD's to back your files up to?

This machine is disinfectable and most of the tools we use have been updated to at least catch evidence of this Rootkit but, the infection is fairly new. From reviewing your logs, we still do have a bit of work to do to remove parts of the Rootkit but, ComboFix has already restored the infected system files and deleted a good portion of the Rootkit.

Do you already have RKUnhoker downloaded? If not, yes you will need to connect to the internet to download it. Alternatively, you could download it from another machine to a USB drive or CD's and copy it to the infected machine.

If you have any further questions or issues feel free to ask Smile. I'm going to get the Fix cleared from the "behind the scenes" guys if you choose to continue with the disinfection

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42108
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by sparty on 29th May 2010, 1:01 am

I do have another machine, the laptop I'm using now. I do not have an external hard drive. I have some cds and a flash drive. I've been at this for over 6 hrs now.....and this news is disheartening. I'm leaning toward trying for the fix, but I'd like to sleep on it. Frankly, I'm burnt out and displeased, to say the least.

Thanks for your help, Chris. Will you be available tomorrow to take this up again?

sparty
Novice
Novice

Posts Posts : 26
Joined Joined : 2010-05-28
OS OS : xp pro
Points Points : 24228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by Crush on 29th May 2010, 1:09 am

AbsoƖutely Smile. Sorry this has befallen you. I don't envy anyone that gets a bad infection. Let us know what you plan to do in the AM

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42108
# Likes # Likes : 0

View user profile

Back to top Go down

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by Crush on 29th May 2010, 4:18 am

Hi,

Just in case you want to continue the disinfection I've gotten the fix approved:

I see Viewpoint is installed

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". Read this article: [You must be registered and logged in to see this link.]

Additional info: [You must be registered and logged in to see this link.]

I suggest you remove the program now.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

=======

Next, Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    [You must be registered and logged in to see this link.]

    KILLALL::

    Folder::
    c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo

    Driver::
    MSWU-8db3d791
    MSWU-f36decbb
    cadamg

    Collect::
    c:\windows\system32\mzhjanoe.dll
    c:\windows\system32\tevbxohl.exe
    c:\windows\system32\f36decbb.exe

    Reboot::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

=========

Lastly, Please go to [You must be registered and logged in to see this link.] and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


  • Things I Need In Your Reply:
    What you plan to do about Viewpoint
    ComboFix log
    Kaspersky Log

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 29th May 2010, 2:40 pm

    Do I stilll need to download and run the rootkitunhooker and 7-zip prior to your latest instructions if I'm going for a fix? You said the machine is disinfectable. Will you be able to tell, after doing all of this, that the rootkit has been removed?

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 29th May 2010, 2:41 pm

    Also, what about running a system restore back to a few days ago? Would that help at all?

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 29th May 2010, 5:16 pm

    Hi again,

    Do I stilll need to download and run the rootkitunhooker and 7-zip prior to your latest instructions if I'm going for a fix? You said the machine is disinfectable. Will you be able to tell, after doing all of this, that the rootkit has been removed?

    Let's see how things are running after the CFScript. If we still have things to do I'll let you know. I've used the Collect:: command so, hopefully the developer of ComboFix will add those files to what ComboFix deletes automatically and make removing this infection that much easier


    Also, what about running a system restore back to a few days ago? Would that help at all?

    That actually might make things worse so I recommend you just follow up with the fix above and we'll go from there Smile

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 29th May 2010, 5:56 pm

    Thanks, Chris.

    Since waiting for your response I ran Sophos Anti-Rotokit on the advice of my brother-in-law who is a Sys Analyst. SAR detected 25 "unknown hidden files" and did not reccomend cleaning them as it may harm my system. I cleaned one of the files which I researched and found to be a threat: system32\f36decbb.exe. Unfortunately, SAR doesn't provide a log to send you. I cleaned the one file and the rest of the files were no longer available to view as I had to restart and lost those ( I could run it again....it took nearly an hour). Many of the unknown files were "system volume information restore files with an a0001101.exe extension where the extension numbers varied after the a0001....there were probably around 15 of those files. I think I should have cleaned them also? I researched those files and were mostly viewed as threats.

    I also ran another malwarebytes scan as I had problems intially accessing websites. 2 infected registry keys were found and the log is listed below.



    Malwarebytes' Anti-Malware 1.45
    [You must be registered and logged in to see this link.]

    Database version: 3930

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.11

    5/29/2010 11:36:30 AM
    mbam-log-2010-05-29 (11-36-30).txt

    Scan type: Quick scan
    Objects scanned: 129138
    Time elapsed: 10 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6b9d9fdd-cc26-42f7-a10e-216d01e76f51}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 29th May 2010, 5:59 pm

    BTW, I did remove Viewpoint Manger and Viewpoint Media Player as they were the only ones present.

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 29th May 2010, 6:06 pm

    Chris, just copied the text to notepad and went to save it to the ComboFix file location and noticed it's no longer on my desktop and I can't find it in my files. I see the combofix log but that's it. Should I start over and download ComboFix again?

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 29th May 2010, 6:09 pm

    Hi Sparty,

    Please wait on the "behind the scenes" guys before proceeding. We've got to figure out the best way to proceed. Thanks Smile

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 29th May 2010, 6:21 pm

    Hi Sparty,

    Please do not run any scanners it's causing confusion for us both. Too many cooks spoil the soup as they say Smile

    If ComboFix exists on your Desktop, drag it into the Recycle Bin. Download ComboFix again and let me know if you receive a Rootkit message this time Smile

    Please post a new ComboFix log in your reply and we'll go from there.

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 29th May 2010, 7:13 pm

    Chris,

    Will do. We are just heading out to 2 graduation parties. So.....I'm not going to be able to respond for quite a while. I was hoping to knock this thing down, one way or another before leaving. Wishful thinking! I'll try and respond tonight if at all possible. Otherwise, I guess it waits until tomorrow. I hope you're having a better holiday weekend than I!

    I'll be back ASAP.

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 29th May 2010, 7:14 pm

    Sounds good Sparty. Enjoy Smile

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 30th May 2010, 4:22 pm

    Ok, Chris. ComboFix was no longer on my desktop...not sure why?? Anyway, I've downloaded ComboFix again and copied the log below. I noticed the log shows 0 hidden files and no rootkit??? Why did Sophos SAR find 25 unknown hidden files yesterday? What about all of those "System Volume Information_Restore\A0001.... .exe files? Were they threats?

    Also, while I'm typing this....a new browser window opened up to a random website once again. This was also happening yesterday.

    Thanks again for your assistance!



    ComboFix 10-05-29.05 - Boss 05/30/2010 11:55:03.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.227 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Vb40032.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
    .

    2010-05-30 14:42 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
    2010-05-29 17:13 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\f36decbb.exe
    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 23:49 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
    2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
    2010-05-28 18:09 . 2010-05-28 18:09 50981 ----a-w- c:\windows\system32\areoghkfntcfn.exe
    2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
    2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
    2010-05-28 18:08 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\8db3d791.exe
    2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\mzhjanoe.dll
    2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\tevbxohl.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-30 15:46 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-30 15:46 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-30 14:43 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-29 15:23 . 2004-06-21 16:16 -------- d-----w- c:\program files\Viewpoint
    2010-05-29 15:21 . 2004-06-21 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ------- Sigcheck -------

    [7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
    [-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
    [-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
    [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
    [-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
    [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
    [7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
    [-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CC5A190-E657-4C30-A101-C0A9252B9DAA}]
    2010-05-25 05:38 309248 ----a-w- c:\windows\SYSTEM32\mzhjanoe.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
    "MChk"="c:\windows\system32\tevbxohl.exe" [2010-05-24 40633]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S0 cadamg;cadamg; [x]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S2 MSWU-8db3d791;MSWU-8db3d791;c:\windows\SYSTEM32\8db3d791.exe [5/28/2010 2:08 PM 75264]
    S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\SYSTEM32\f36decbb.exe [5/29/2010 1:13 PM 75264]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    fyphhfvk
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-04-22 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - [You must be registered and logged in to see this link.]
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-05-30 12:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\17.tmp"
    .
    Completion time: 2010-05-30 12:09:04
    ComboFix-quarantined-files.txt 2010-05-30 16:09
    ComboFix2.txt 2010-05-28 22:13

    Pre-Run: 59,996,250,112 bytes free
    Post-Run: 60,041,424,896 bytes free

    - - End Of File - - 07D00A30666A8470CDD95816A499D152

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 30th May 2010, 7:37 pm

    Hi Sparty,

    This infection just keeps on fighting back. I'm working with the guys behind the scenes to come up with a way to attack it. Smile

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 30th May 2010, 7:46 pm

    Hi Sparty,

    Let's see the infection stand up to this! Big Grin

    Re-running ComboFix to remove infections:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

      Rootkit::
      c:\windows\system32\f36decbb.exe
      c:\windows\system32\areoghkfntcfn.exe
      c:\windows\system32\8db3d791.exe
      c:\windows\system32\mzhjanoe.dll
      c:\windows\system32\tevbxohl.exe
      c:\windows\SYSTEM32\8db3d791.exe
      c:\windows\system32\17.tmp

      Folder::
      c:\program files\Viewpoint
      c:\documents and settings\All Users\Application Data\Viewpoint

      Driver::
      MSWU-8db3d791
      MSWU-f36decbb
      MEMSWEEP2
      cadamg

      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

      "MChk"=-

      [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

      NetSvc::
      fyphhfvk
    4. Save this as CFScript.txt, in the same location as ComboFix.exe



    5. Referring to the picture above, drag CFScript into ComboFix.exe
    6. When finished, it shall produce a log for you at C:\ComboFix.txt
    7. Please post the contents of the log in your next reply.

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 30th May 2010, 11:20 pm

    Here you go, Chris. The new ComboFix log is below.

    I've got my fingers crossed!



    ComboFix 10-05-29.05 - Boss 05/30/2010 18:40:57.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.276 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\program files\Viewpoint

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CADAMG
    -------\Legacy_MEMSWEEP2
    -------\Legacy_MSWU-8DB3D791
    -------\Legacy_MSWU-F36DECBB
    -------\Service_cadamg
    -------\Service_MSWU-8db3d791
    -------\Service_MSWU-f36decbb


    ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
    .

    2010-05-30 14:42 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 23:49 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
    2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
    2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
    2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-30 14:43 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ------- Sigcheck -------

    [7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
    [-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
    [-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
    [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
    [-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
    [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
    [7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
    [-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-04-22 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - [You must be registered and logged in to see this link.]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{4CC5A190-E657-4C30-A101-C0A9252B9DAA} - c:\windows\system32\mzhjanoe.dll
    AddRemove-areoghkfntcfn - c:\windows\system32\areoghkfntcfn.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-05-30 18:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4048)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\CTsvcCDA.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\windows\System32\nvsvc32.exe
    c:\windows\System32\MsPMSPSv.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    .
    **************************************************************************
    .

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 31st May 2010, 12:49 am

    Hi Sparty,

    That looks MUCH better! The Rootkit has met its match Smile. How are things running now?

    I'll come up with a fix and get it approved and back to you ASAP. Should just be some cleanup and likely one more scanner to make sure everything is gone Smile

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 31st May 2010, 1:01 am

    That's GREAT news!

    I haven't really been using the desktop except to run the scans, etc. and I've had the firewall locked down for safety's sake. But, so far so good right now. I haven't seen any random websites open up yet and nothing else looking abnormal......hope it holds up!

    I'll wait to hear back from you, Chris. Thanks!

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 31st May 2010, 2:58 am

    hi sparty,

    Re-running ComboFix to remove infections:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

      Fcopy::
      c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll

      Folder::
      c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
    4. Save this as CFScript.txt, in the same location as ComboFix.exe



    5. Referring to the picture above, drag CFScript into ComboFix.exe
    6. When finished, it shall produce a log for you at C:\ComboFix.txt
    7. Please post the contents of the log in your next reply.

    ========

    Next, Please go to [You must be registered and logged in to see this link.] and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

  • Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 31st May 2010, 4:51 am

    Hi Chris,

    I've completed the last requested ComboFix scan. The latest ComboFix log follows. I'll now run the Kaspersky scan as advised and will post that report in my next reply.



    ComboFix 10-05-30.04 - Boss 05/31/2010 0:26.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.195 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo

    .
    --------------- FCopy ---------------

    c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-31 )))))))))))))))))))))))))))))))
    .

    2010-05-30 14:42 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 23:49 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
    2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
    2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-30 14:43 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-04-22 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-05-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - [You must be registered and logged in to see this link.]
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-05-31 00:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(584)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-05-31 00:40:47
    ComboFix-quarantined-files.txt 2010-05-31 04:40
    ComboFix2.txt 2010-05-30 23:02
    ComboFix3.txt 2010-05-30 16:09
    ComboFix4.txt 2010-05-28 22:13

    Pre-Run: 59,888,521,216 bytes free
    Post-Run: 59,864,510,464 bytes free

    - - End Of File - - 422D36296C74F4519DE3C02F262678D1

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 31st May 2010, 6:56 am

    Hi Sparty,

    There's some more junk we need to remove but, let's just make sure these files are infected first:

    Please visit [You must be registered and logged in to see this link.]

    * Click the Browse.. button
    * Navigate to the file c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
    * Click the Open button
    * Click the Send button
    * Copy and paste the results into a new reply in this thread please.

    Please do the same for:
    c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

    If VirusTotal is busy please use [You must be registered and logged in to see this link.]

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 31st May 2010, 9:51 am

    Chris,

    Wow that scan took forever (3 hours)!

    There were 6 infections found :-( It looks like those System Volume Information_Restore files that I've mentioned that were found by the SAR scan ARE a problem. What now?

    Here is the report from the Kaspersky scan.



    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, May 31, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, May 31, 2010 02:33:10
    Records in database: 4193694
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 81510
    Threats found: 4
    Infected objects found: 6
    Suspicious objects found: 0
    Scan duration: 02:57:34


    File name / Threat / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\Mcybaa.exe.vir Infected: Packed.Win32.Katusha.n 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\FTDISK.SYS.vir Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001008.dll Infected: not-a-virus:AdWare.Win32.BHO.mfb 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001012.dll Infected: not-a-virus:AdWare.Win32.RON.dvc 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001036.SYS Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001090.exe Infected: Packed.Win32.Katusha.n 1

    Selected area has been scanned.

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 31st May 2010, 10:24 am

    Sorry, Chris. I didn't notice you had posted while I was running the Kaspersky scan.

    Following are the results of the Virus Total reports. When I opened and sent the files you listed, I got a message on the last 3 that you listed (after the 555qG.dll) that those files had already been analysed and the report shown was the same for each of those last 3 files as for the 555qG.dll (in fact, it listed the "File 555qG.dll received on 2010.05.31 10:03:00 (UTC)" at the top of the last report for those files. The message after sending those files is immediately below and the 555qG.dll report follows that.

    I need some sleep!




    File has already been analysed:
    MD5: 73d34ba60d912ecd316c927759343c90
    First received: 2010.05.31 10:03:00 UTC
    Date: 2010.05.31 10:03:00 UTC [<1D]
    Results: 14/40
    Permalink: analisis/cd810f7f6bb6594360d5f40e24a02ddbf9a2dd312a58e172fa8e4a8278f6bb8d-1275300180




    File 555qG.dll received on 2010.05.31 10:03:00 (UTC)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


    Result: 14/40 (35%)
    Loading server information...
    Your file is queued in position: 3.
    Estimated start time is between 56 and 80 seconds.
    Do not close the window until scan is complete.
    The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
    If you are waiting for more than five minutes you have to resend your file.
    Your file is being scanned by VirusTotal in this moment,
    results will be shown as they're generated.
    Compact Print results
    Your file has expired or does not exists.
    Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

    You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
    Email:


    Antivirus Version Last Update Result
    a-squared 5.0.0.26 2010.05.31 Trojan.Win32.Alureon!IK
    AhnLab-V3 2010.05.30.00 2010.05.29 -
    AntiVir 8.2.1.242 2010.05.31 -
    Antiy-AVL 2.0.3.7 2010.05.31 -
    Authentium 5.2.0.5 2010.05.31 -
    Avast 4.8.1351.0 2010.05.30 Win32:Trojan-gen
    Avast5 5.0.332.0 2010.05.30 Win32:Trojan-gen
    AVG 9.0.0.787 2010.05.31 -
    BitDefender 7.2 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    CAT-QuickHeal 10.00 2010.05.31 -
    ClamAV 0.96.0.3-git 2010.05.30 -
    Comodo 4959 2010.05.31 Heur.Packed.Unknown
    DrWeb 5.0.2.03300 2010.05.31 Trojan.PWS.IpDiscover.4
    eSafe 7.0.17.0 2010.05.30 -
    eTrust-Vet 35.2.7521 2010.05.31 -
    F-Prot 4.6.0.103 2010.05.31 -
    F-Secure 9.0.15370.0 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    Fortinet 4.1.133.0 2010.05.30 -
    GData 21 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    Ikarus T3.1.1.84.0 2010.05.31 Trojan.Win32.Alureon
    Jiangmin 13.0.900 2010.05.30 -
    Kaspersky 7.0.0.125 2010.05.31 -
    McAfee 5.400.0.1158 2010.05.31 -
    McAfee-GW-Edition 2010.1 2010.05.31 Heuristic.BehavesLike.Win32.Spyware.I
    Microsoft 1.5802 2010.05.31 -
    NOD32 5157 2010.05.31 -
    Norman 6.04.12 2010.05.31 W32/Suspicious_Gen2.ATZEI
    nProtect 2010-05-31.01 2010.05.31 -
    Panda 10.0.2.7 2010.05.30 Suspicious file
    PCTools 7.0.3.5 2010.05.31 -
    Rising 22.50.00.04 2010.05.31 -
    Sophos 4.53.0 2010.05.31 Mal/TDSSPack-Y
    Sunbelt 6380 2010.05.31 Trojan.Win32.Generic!BT
    Symantec 20101.1.0.89 2010.05.31 -
    TheHacker 6.5.2.0.290 2010.05.30 -
    TrendMicro 9.120.0.1004 2010.05.31 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.31 -
    VBA32 3.12.12.5 2010.05.29 -
    ViRobot 2010.5.20.2326 2010.05.28 -
    VirusBuster 5.0.27.0 2010.05.30 -
    Additional information
    File size: 75264 bytes
    MD5...: 73d34ba60d912ecd316c927759343c90
    SHA1..: 3bfcbf37cefd1a4d52519f2eded49cab4bbd7e88
    SHA256: cd810f7f6bb6594360d5f40e24a02ddbf9a2dd312a58e172fa8e4a8278f6bb8d
    ssdeep: 1536:9GpuwF5CmcRGHSiFrCKm0+xx5fIO8kKxlEbq2e/sFcDh5Zjpj1:UpymcRCt
    4xxlpClEjKpj1

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1000
    timedatestamp.....: 0x422eef1b (Wed Mar 09 12:42:03 2005)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x3000 0x2a00 0.32 baf0f802aada2311a22c24a9460e1026
    .data 0x4000 0x2f000 0xf400 7.36 2aaa268a0ad7fae275e7d9e030160b99
    .rsrc 0x33000 0x1000 0x400 2.66 ffe0298fe7154c7a2174d283500baa9f

    ( 1 imports )
    > kernel32.dll: DeleteCriticalSection, EnterCriticalSection, GetCommandLineA, GetLastError, GetModuleHandleA, GetProcAddress, GetProcessId, GetVersion, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, VirtualProtect

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    Symantec Reputation Network: Suspicious.Insight [You must be registered and logged in to see this link.]
    sigcheck:
    publisher....: n/a
    copyright....: Copyright (C) 2010
    product......: vsdsvsdsetup Application
    description..: Pasdvasetup Application
    original name: asdvasdsetup.exe
    internal name: PPCsetup
    file version.: 1, 0, 0, 1
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 31st May 2010, 10:34 am

    Chris, for what it's worth, here are the results of the Jotti scans on those same files. Jotti also indicated the last 3 files were named 555qG.dll and said that file was already scanned.



    Jotti's malware scan
    Filename: 555qG.dll
    Status: Scan finished. 6 out of 19 scanners reported malware.
    Scan taken on: Mon 31 May 2010 12:25:49 (CET) Permalink




    Additional info
    File size: 75264 bytes
    Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
    MD5: 73d34ba60d912ecd316c927759343c90
    SHA1: 3bfcbf37cefd1a4d52519f2eded49cab4bbd7e88







    Scanners
    2010-05-30 Found nothing 2010-05-31 Gen:Trojan.Heur.TP.em8@bifn34ei
    2010-05-30 Win32:Trojan-gen 2010-05-31 Trojan.Win32.Alureon
    2010-05-31 Found nothing 2010-05-31 Found nothing
    2010-05-31 Found nothing 2010-05-31 Found nothing
    2010-05-31 Gen:Trojan.Heur.TP.em8@bifn34ei 2010-05-30 Found nothing
    2010-05-30 Found nothing 2010-05-31 Found nothing
    2010-05-31 Found nothing 2010-05-31 Mal/TDSSPack-Y
    2010-05-31 Trojan.PWS.IpDiscover.4 2010-05-28 Found nothing
    2010-05-30 Found nothing 2010-05-30 Found nothing
    2010-05-31 Found nothing

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 31st May 2010, 3:57 pm

    Hi Sparty,

    Those System Restore Points are more menacing than they look Smile. When we remove ComboFix it will flush them out and they'll be gone. It looks like all those files are indeed infected so, I'm going to go get a fix approved and back to you asap

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 31st May 2010, 11:07 pm

    Hi Sparty,

    We're well on our way to complete disinfection!

    Re-running ComboFix to remove infections:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

      Folder::
      c:\program files\$NtUninstallWTF1012$

      File::
      c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
      c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
      c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
    4. Save this as CFScript.txt, in the same location as ComboFix.exe



    5. Referring to the picture above, drag CFScript into ComboFix.exe
    6. When finished, it shall produce a log for you at C:\ComboFix.txt
    7. Please post the contents of the log in your next reply.

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 1st June 2010, 3:09 am

    I hope you're right, Chris.

    Following is the latest ComboFix report. Thanks again for your help!




    ComboFix 10-05-31.02 - Boss 05/31/2010 22:47:44.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.173 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll"
    "c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll"
    "c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\$NtUninstallWTF1012$
    c:\program files\$NtUninstallWTF1012$\elUninstall.exe
    c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
    c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
    .

    2010-05-31 20:26 . 2010-05-31 20:26 -------- d-----w- c:\windows\LastGood
    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-31 20:26 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-31 20:21 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-31 10:36 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-31 10:36 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-31 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-04-22 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - [You must be registered and logged in to see this link.]
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-$NtUninstallWTF1012$ - c:\program files\$NtUninstallWTF1012$\elUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-05-31 22:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-31 23:01:21
    ComboFix-quarantined-files.txt 2010-06-01 03:01
    ComboFix2.txt 2010-05-31 04:40
    ComboFix3.txt 2010-05-30 23:02
    ComboFix4.txt 2010-05-30 16:09
    ComboFix5.txt 2010-06-01 02:45

    Pre-Run: 59,722,158,080 bytes free
    Post-Run: 59,803,074,560 bytes free

    - - End Of File - - EE244E72D08209CD8472F8DE9D183698

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 1st June 2010, 3:55 am

    Hi Sparty,

    Looks like there is one file that withstood deletion. Let's see it stand up to this! Cheesy Grin (sparkly

    • Download The Avenger by Swandog46 from [You must be registered and logged in to see this link.].
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
      Code:
      Files to delete:
      c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    • In the avenger window, click the Paste script from Clipboard, button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 1st June 2010, 7:38 am

    Hi Chris,

    I ran the Avenger and the log is posted below. It looks like that didn't work on removing that file either. When I first pasted the text to the clipboard I included the word "Code"" and Avenger didn't like that.....I pasted just the text w/o "Code:" and it then executed....but apparently could not find the file. Now what? - Thanks.



    Logfile of The Avenger Version 2.0, (c) by Swandog46
    [You must be registered and logged in to see this link.]

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: file "c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll" not found!
    Deletion of file "c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 1st June 2010, 7:51 am

    Hi again Chris,

    Just wanted to let you know that, when I just rebooted my desktop, McAfee showed that it had detected and deleted a trojan by the name of "Artemis..." (I couldn't see the extension when it flashed on the screen).

    Thought you might want to know.

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 1st June 2010, 8:11 am

    Hi Sparty,

    Would you mind re-running ComboFix please? I'm signing off here in a few minutes so, we'll likely catch up in the morning Smile

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 1st June 2010, 3:59 pm

    Hey Chris,

    Ok. I had to download ComboFix AGAIN. The executable file was gone again from my desktop and was nowhere to be found on a search. Why is that happening? Is the rootkit responsible? Is the rootikit still present? Thanks again for your continuing assistance!

    Here's the log from the latest ComboFix scan:



    ComboFix 10-05-31.03 - Boss 06/01/2010 11:36:58.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.229 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
    .

    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-01 07:52 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-06-01 07:52 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-31 20:26 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-31 20:21 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-01 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - [You must be registered and logged in to see this link.]
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-06-01 11:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1988)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-06-01 11:51:14
    ComboFix-quarantined-files.txt 2010-06-01 15:51
    ComboFix2.txt 2010-06-01 03:01
    ComboFix3.txt 2010-05-31 04:40
    ComboFix4.txt 2010-05-30 23:02
    ComboFix5.txt 2010-06-01 15:34

    Pre-Run: 59,795,775,488 bytes free
    Post-Run: 59,768,147,968 bytes free

    - - End Of File - - 12F8FFFC5F99A90DD4E6EC928634A413

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 1st June 2010, 5:35 pm

    Hi Sparty,

    That confirms it. The file is gone Cheesy Grin (sparkly

    How are things running now?

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 1st June 2010, 7:25 pm

    Hi Chris,

    Excellent!! The desktop seems to be running fine at this point. Nothing unusual noted.

    Do you really think we've gotten totally rid of this beast?? I can't help but be skeptical after reading that rootkit info at Wiki, etc..

    Do you still think I should change all my passwords? I'm guessing it would be a good idea for safety's sake, right? Should I leave all the ComboFix files or get rid of them?

    Thank God for guys like you and your cohorts at Geek Police, Chris!! I am VERY grateful for all your assistance with this issue. It's a fantastic service you guys perform to fight the #@*& idiots that throw this crap out there to muck up our lives via the internet!

    I'll keep you posted if anything weird shows up in the near future.

    Nice job, Chris!!

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 1st June 2010, 7:35 pm

    Hi Sparty,

    Do you really think we've gotten totally rid of this beast?? I can't help but be skeptical after reading that rootkit info at Wiki, etc..

    Yep. That latest logs shows no more remnants of the Rootkit but, you're absoƖute right. It was one nasty infection!


    Do you still think I should change all my passwords? I'm guessing it would be a good idea for safety's sake, right? Should I leave all the ComboFix files or get rid of them?

    You're absoƖutely right again. Changing passwords periodically never hurts. Except when you can't remember them Goofy


    Thank God for guys like you and your cohorts at Geek Police, Chris!! I am VERY grateful for all your assistance with this issue. It's a fantastic service you guys perform to fight the #@*& idiots that throw this crap out there to muck up our lives via the internet!

    You're very welcome. It's been a pleasure working you Smile

    ====

    Now for the cleanup:

    Congratulations!! Your PC is all clean! Big Grin

    To uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall



    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

    ========

    There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

    Cleaning

    Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    Defragmenting Your Hard Disk

    Over time your PC can become fragmented, Windows comes with a defragmenting utility, however, it is very slow, and there are other options available.

    To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit enter; or
    right-click My Computer, choose Manage, Storage, Disk Defragmenter.

    In the Defragmenter utility, select your main partition/HD, generally C:\ and select analyze . The analysis report will tell you whether or not your disk needs to be defragmented, if it does, click defragment. Be patient, this can take a long time.

    Repeat for multiple partitions/hard disks.

    System Restore Cleanup Instructions

    If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
    You can find instructions on how to disable and re-enable system restore here:

    [You must be registered and logged in to see this link.]

    [You must be registered and logged in to see this link.]

    Reading Tip:
    [You must be registered and logged in to see this link.]
    Keep Your System Updated

    Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

    Install the updates immediately, if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

    To update Windows and office

    Go to Start > All Programs > Microsoft Update

    Alternatively, you can visit the link below to update Windows and Office products.

    [You must be registered and logged in to see this link.]

    If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

    1. Go to Start > Control Panel > Automatic Updates
    2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
    3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

    Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

    Be careful when opening attachments and downloading files.

    1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
    2. Never open emails from unknown senders.
    3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
    4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

    Surf safely

    Many security exploits on websites are directed to users of Internet Explorer and Firefox.

    If you use Firefox, try the [You must be registered and logged in to see this link.] - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

    Backup regularly

    You never know when your PC will become unstable or become so infected that you can't recover it. Follow this [You must be registered and logged in to see this link.] to learn how to backup. Follow [You must be registered and logged in to see this link.] by Microsoft to restore your backups.

    Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
    [You must be registered and logged in to see this link.]

    Avoid P2P

    I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Prevent A Re-infection

    1. Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features [You must be registered and logged in to see this link.]

    You can get a [You must be registered and logged in to see this link.] of Winpatrol or use the [You must be registered and logged in to see this link.] for more features.

    You can read [You must be registered and logged in to see this link.] if you run into problems.

    2. Hosts File

    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    3. Spybot Search and Destroy

    Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from [You must be registered and logged in to see this link.].

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy [You must be registered and logged in to see this link.] at Bleeping Computer.

    4. SiteHound Toolbar

    [You must be registered and logged in to see this link.] is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

    ====

    Stand Up and Be Counted ---> [You must be registered and logged in to see this link.]<--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
    ============================================================
    See [You must be registered and logged in to see this link.] for more info about malware and prevention.
    Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site.
    Before the thread is archived, do you have any more questions?

    Happy surfing and stay clean!

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 1st June 2010, 8:13 pm

    Hi Chris,

    Well, one more problem. I ran the ComboFix /Uninstall and, although it did remove the ComboFix icon from my Desktop, I received an error message stating that "Windows cannot find 'ComboFix' ". Also, McAfee showed the Artemis..... trojan detected alert again as soon as I ran the CombFix uninstall request. I ran a file search for 'ComboFix' and there were 14 combofix files found. Should I manually delte those 14 files?

    I'll wait for your instructions. Thanks.

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 1st June 2010, 9:04 pm

    Hi Sparty,

    Please delete the following files from your machine. They are all part of ComboFix.

    -Combo-Fix.sys
    -nircmd.exe
    -pev.exe
    -pv.com
    -swreg.exe
    -grep.exe
    -hidec.exe
    -sed.exe
    -zip.exe
    -winstart.bat
    -append.dll
    -mbr.exe

    Do you have the path to that Artemis Trojan that mcafee picked up?

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 1st June 2010, 11:57 pm

    Hi Chris,

    Of the files listed above that are part of ComboFix, my search was unable to find Combo-Fix.sys, pv.com, hidec.exe(2 prefetch files associated with that file were found and deleted), winstart.bat and append.dll. The rest of the files were found and deleted along with the 14 files with 'combofix' in their names (logs, text files, prefetch, etc.). Is it a problem that those other files couldn't be located?

    Maybe it has something to do with the "Artemis Trojan" siutation. I found the file in the quarantined files of mcafee and it looks like, on 3 seperate occasions, that the combofix.exe file was the culprit that was identified as a possible threat and quarantined. That likely explains why combofix kept disappearing from my desktop. Maybe it explains the other files not being found?? Check out this link from mcafee regarding Artemis [You must be registered and logged in to see this link.]

    The link in the 1st reply (by the moderator) is particularly interesting. Apparenty, "Artemis is a new technology by McAfee which provides always-on real-time protection that safeguards and secures you from emerging threats."

    What do you think, Chris?

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on 2nd June 2010, 2:52 am

    Hi Sparty,

    I've been talking to the behind the scenes guys about this. We've determined that the Artemis trojan detected by Mcafee was actually ComboFix.

    A lot of times tools we use will be detected as Malware because of the way they are developed. Last I checked, one of our post powerful tools wasn't Malware Smile

    We've also detemined you're good in terms of the botched ComboFix removal. You got it all manually.

    Anything else I can do before this is archived? It's been a pleasure working with you Smile

    Crush
    Master
    Master

    Posts Posts : 3889
    Joined Joined : 2010-01-27
    Gender Gender : Male
    Points Points : 42108
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on 2nd June 2010, 4:36 am

    Sounds good to me, Chris.

    Once again, thanks so much for your competent assistance!

    Hopefully, I won't be needing the Geek Police in the future.....but if I do, I'll do so with confidence.

    Peace!

    sparty
    Novice
    Novice

    Posts Posts : 26
    Joined Joined : 2010-05-28
    OS OS : xp pro
    Points Points : 24228
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    View previous topic View next topic Back to top

    - Similar topics

     
    Permissions in this forum:
    You cannot reply to topics in this forum