NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Post by sparty on Mon 31 May - 10:20

Here you go, Chris. The new ComboFix log is below.

I've got my fingers crossed!



ComboFix 10-05-29.05 - Boss 05/30/2010 18:40:57.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.276 [GMT -4:00]
Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CADAMG
-------\Legacy_MEMSWEEP2
-------\Legacy_MSWU-8DB3D791
-------\Legacy_MSWU-F36DECBB
-------\Service_cadamg
-------\Service_MSWU-8db3d791
-------\Service_MSWU-f36decbb


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-30 14:42 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
2010-05-28 23:49 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-30 14:43 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

2010-04-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: ppctlcab - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4CC5A190-E657-4C30-A101-C0A9252B9DAA} - c:\windows\system32\mzhjanoe.dll
AddRemove-areoghkfntcfn - c:\windows\system32\areoghkfntcfn.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-30 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4048)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.

Post by Crush on Mon 31 May - 11:49

Hi Sparty,

That looks MUCH better! The Rootkit has met its match. :) How are things running now?

I'll come up with a fix and get it approved and back to you ASAP. Should just be some cleanup and likely one more scanner to make sure everything is gone. :)

Post by sparty on Mon 31 May - 12:01

That's GREAT news!

I haven't really been using the desktop except to run the scans, etc. and I've had the firewall locked down for safety's sake. But, so far so good right now. I haven't seen any random websites open up yet and nothing else looking abnormal... hope it holds up!

I'll wait to hear back from you, Chris. Thanks!

Post by Crush on Mon 31 May - 13:58

Hi Sparty,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:

    Fcopy::
    c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll

    Folder::
    c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

========

Next, Please go to [You must be registered and logged in to see this link.] and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
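The reason for the Fcopy:: line above is visible in the Sigcheck section of sparty's earlier ComboFix log: the live c:\windows\SYSTEM32\user32.dll carries the same version (5.1.2600.5512) and the same size (578560) as the clean copy in ServicePackFiles, but a different MD5, which is what a patched system file looks like. The script below is an added example written for this page; it is not part of the thread, not ComboFix code, and the function names (parse_sigcheck, find_patched, build_cfscript) are mine. It parses the Sigcheck lines copied from the log, treats copies ComboFix marked [7] as trusted references (an assumption about the marker: [7] taken as "signature verified", [-] as "not verified"), flags any unverified copy of the same file and version whose hash differs, and writes the Fcopy:: section in the CFScript syntax used in this thread. Copies that have no verified reference of the same version (the hotfix and uninstall backups) are deliberately not flagged, because there is nothing trustworthy to compare them against.

```python
import re

# Sigcheck lines copied verbatim from the ComboFix log posted earlier in this thread.
SIGCHECK = r"""
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
"""

# One Sigcheck line: [flag] date . md5 . size . . [version] . . path
# Assumption about the flag: [7] = signature verified by ComboFix, [-] = not verified.
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        # File name without directory, case-folded: Windows paths are case-insensitive.
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        e["verified"] = e["flag"] == "7"
        entries.append(e)
    return entries


def find_patched(entries):
    """Flag every unverified copy whose (name, version) has a verified reference
    copy with a different MD5. Copies with no verified reference of the same
    version (hotfix and uninstall backups here) are left alone: without a
    trusted hash there is nothing to compare against."""
    reference = {}
    for e in entries:
        if e["verified"]:
            reference.setdefault((e["name"], e["ver"]), e)
    findings = []
    for e in entries:
        if e["verified"]:
            continue
        ref = reference.get((e["name"], e["ver"]))
        if ref is None or ref["md5"] == e["md5"]:
            continue
        findings.append({
            "path": e["path"],
            "version": e["ver"],
            "found_md5": e["md5"],
            "reference_md5": ref["md5"],
            "reference_path": ref["path"],
            # A patched file that keeps its size slips past size-only checks.
            "same_size": e["size"] == ref["size"],
        })
    return findings


def build_cfscript(findings):
    """Emit the Fcopy:: section in the CFScript syntax used in this thread:
    one 'source | destination' line per patched file."""
    lines = ["Fcopy::"]
    for f in findings:
        lines.append(f"{f['reference_path']} | {f['path']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_patched(parse_sigcheck(SIGCHECK))
    for f in found:
        print(f"PATCHED {f['path']} v{f['version']}: {f['found_md5']} "
              f"(reference {f['reference_md5']}, same size: {f['same_size']})")
    print(build_cfscript(found))
```

Run on the lines above it reports exactly one file, the SYSTEM32 copy of user32.dll, with same_size True, and prints the same Fcopy:: pair Crush used. The point of the same_size field is that a file-size comparison, which is what a casual look at a directory listing gives you, would not have caught this one; only the hash did.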

Post by sparty on Mon 31 May - 15:51

Hi Chris,

I've completed the last requested ComboFix scan. The latest ComboFix log follows. I'll now run the Kaspersky scan as advised and will post that report in my next reply.

ComboFix 10-05-30.04 - Boss 05/31/2010 0:26.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.195 [GMT -4:00]
Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-31 )))))))))))))))))))))))))))))))
.

2010-05-30 14:42 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
2010-05-28 23:49 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-30 14:43 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-04-22 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-05-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - [You must be registered and logged in to see this link.]
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-05-31 00:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(584)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-05-31 00:40:47
    ComboFix-quarantined-files.txt 2010-05-31 04:40
    ComboFix2.txt 2010-05-30 23:02
    ComboFix3.txt 2010-05-30 16:09
    ComboFix4.txt 2010-05-28 22:13

    Pre-Run: 59,888,521,216 bytes free
    Post-Run: 59,864,510,464 bytes free

    - - End Of File - - 422D36296C74F4519DE3C02F262678D1

    sparty
    Novice

    Posts : 26
    Joined : 2010-05-29
    OS : xp pro
    Points : 24248
    # Likes : 0

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on Mon 31 May - 17:56

    Hi Sparty,

    There's some more junk we need to remove, but let's just make sure these files are infected first:

    Please visit [You must be registered and logged in to see this link.]

    * Click the Browse.. button
    * Navigate to the file c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
    * Click the Open button
    * Click the Send button
    * Copy and paste the results into a new reply in this thread please.

    Please do the same for:
    c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

    If VirusTotal is busy please use [You must be registered and logged in to see this link.]

    Crush
    Master

    Posts : 3889
    Joined : 2010-01-28
    Gender : Male
    Points : 42128
    # Likes : 0

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on Mon 31 May - 20:51

    Chris,

    Wow that scan took forever (3 hours)!

    There were 6 infections found :-( It looks like those System Volume Information_Restore files that I've mentioned that were found by the SAR scan ARE a problem. What now?

    Here is the report from the Kaspersky scan.

    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, May 31, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, May 31, 2010 02:33:10
    Records in database: 4193694
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 81510
    Threats found: 4
    Infected objects found: 6
    Suspicious objects found: 0
    Scan duration: 02:57:34


    File name / Threat / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\Mcybaa.exe.vir Infected: Packed.Win32.Katusha.n 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\FTDISK.SYS.vir Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001008.dll Infected: not-a-virus:AdWare.Win32.BHO.mfb 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001012.dll Infected: not-a-virus:AdWare.Win32.RON.dvc 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001036.SYS Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001090.exe Infected: Packed.Win32.Katusha.n 1

    Selected area has been scanned.


    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on Mon 31 May - 21:24

    Sorry, Chris. I didn't notice you had posted while I was running the Kaspersky scan.

    Following are the results of the Virus Total reports. When I opened and sent the files you listed, I got a message on the last 3 that you listed (after the 555qG.dll) that those files had already been analysed, and the report shown was the same for each of those last 3 files as for the 555qG.dll (in fact, it listed "File 555qG.dll received on 2010.05.31 10:03:00 (UTC)" at the top of the last report for those files). The message after sending those files is immediately below and the 555qG.dll report follows that.

    I need some sleep!

    File has already been analysed:
    MD5: 73d34ba60d912ecd316c927759343c90
    First received: 2010.05.31 10:03:00 UTC
    Date: 2010.05.31 10:03:00 UTC [<1D]
    Results: 14/40
    Permalink: analisis/cd810f7f6bb6594360d5f40e24a02ddbf9a2dd312a58e172fa8e4a8278f6bb8d-1275300180

    File 555qG.dll received on 2010.05.31 10:03:00 (UTC)
    Result: 14/40 (35%)


    Antivirus Version Last Update Result
    a-squared 5.0.0.26 2010.05.31 Trojan.Win32.Alureon!IK
    AhnLab-V3 2010.05.30.00 2010.05.29 -
    AntiVir 8.2.1.242 2010.05.31 -
    Antiy-AVL 2.0.3.7 2010.05.31 -
    Authentium 5.2.0.5 2010.05.31 -
    Avast 4.8.1351.0 2010.05.30 Win32:Trojan-gen
    Avast5 5.0.332.0 2010.05.30 Win32:Trojan-gen
    AVG 9.0.0.787 2010.05.31 -
    BitDefender 7.2 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    CAT-QuickHeal 10.00 2010.05.31 -
    ClamAV 0.96.0.3-git 2010.05.30 -
    Comodo 4959 2010.05.31 Heur.Packed.Unknown
    DrWeb 5.0.2.03300 2010.05.31 Trojan.PWS.IpDiscover.4
    eSafe 7.0.17.0 2010.05.30 -
    eTrust-Vet 35.2.7521 2010.05.31 -
    F-Prot 4.6.0.103 2010.05.31 -
    F-Secure 9.0.15370.0 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    Fortinet 4.1.133.0 2010.05.30 -
    GData 21 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    Ikarus T3.1.1.84.0 2010.05.31 Trojan.Win32.Alureon
    Jiangmin 13.0.900 2010.05.30 -
    Kaspersky 7.0.0.125 2010.05.31 -
    McAfee 5.400.0.1158 2010.05.31 -
    McAfee-GW-Edition 2010.1 2010.05.31 Heuristic.BehavesLike.Win32.Spyware.I
    Microsoft 1.5802 2010.05.31 -
    NOD32 5157 2010.05.31 -
    Norman 6.04.12 2010.05.31 W32/Suspicious_Gen2.ATZEI
    nProtect 2010-05-31.01 2010.05.31 -
    Panda 10.0.2.7 2010.05.30 Suspicious file
    PCTools 7.0.3.5 2010.05.31 -
    Rising 22.50.00.04 2010.05.31 -
    Sophos 4.53.0 2010.05.31 Mal/TDSSPack-Y
    Sunbelt 6380 2010.05.31 Trojan.Win32.Generic!BT
    Symantec 20101.1.0.89 2010.05.31 -
    TheHacker 6.5.2.0.290 2010.05.30 -
    TrendMicro 9.120.0.1004 2010.05.31 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.31 -
    VBA32 3.12.12.5 2010.05.29 -
    ViRobot 2010.5.20.2326 2010.05.28 -
    VirusBuster 5.0.27.0 2010.05.30 -
    Additional information
    File size: 75264 bytes
    MD5...: 73d34ba60d912ecd316c927759343c90
    SHA1..: 3bfcbf37cefd1a4d52519f2eded49cab4bbd7e88
    SHA256: cd810f7f6bb6594360d5f40e24a02ddbf9a2dd312a58e172fa8e4a8278f6bb8d
    ssdeep: 1536:9GpuwF5CmcRGHSiFrCKm0+xx5fIO8kKxlEbq2e/sFcDh5Zjpj1:UpymcRCt4xxlpClEjKpj1

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1000
    timedatestamp.....: 0x422eef1b (Wed Mar 09 12:42:03 2005)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x3000 0x2a00 0.32 baf0f802aada2311a22c24a9460e1026
    .data 0x4000 0x2f000 0xf400 7.36 2aaa268a0ad7fae275e7d9e030160b99
    .rsrc 0x33000 0x1000 0x400 2.66 ffe0298fe7154c7a2174d283500baa9f

    ( 1 imports )
    > kernel32.dll: DeleteCriticalSection, EnterCriticalSection, GetCommandLineA, GetLastError, GetModuleHandleA, GetProcAddress, GetProcessId, GetVersion, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, VirtualProtect

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    Symantec Reputation Network: Suspicious.Insight [You must be registered and logged in to see this link.]
    sigcheck:
    publisher....: n/a
    copyright....: Copyright (C) 2010
    product......: vsdsvsdsetup Application
    description..: Pasdvasetup Application
    original name: asdvasdsetup.exe
    internal name: PPCsetup
    file version.: 1, 0, 0, 1
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned


    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on Mon 31 May - 21:34

    Chris, for what it's worth, here are the results of the Jotti scans on those same files. Jotti also indicated the last 3 files were named 555qG.dll and said that file was already scanned.

    Jotti's malware scan
    Filename: 555qG.dll
    Status: Scan finished. 6 out of 19 scanners reported malware.
    Scan taken on: Mon 31 May 2010 12:25:49 (CET)

    Additional info
    File size: 75264 bytes
    Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
    MD5: 73d34ba60d912ecd316c927759343c90
    SHA1: 3bfcbf37cefd1a4d52519f2eded49cab4bbd7e88

    Scanners
    2010-05-30 Found nothing 2010-05-31 Gen:Trojan.Heur.TP.em8@bifn34ei
    2010-05-30 Win32:Trojan-gen 2010-05-31 Trojan.Win32.Alureon
    2010-05-31 Found nothing 2010-05-31 Found nothing
    2010-05-31 Found nothing 2010-05-31 Found nothing
    2010-05-31 Gen:Trojan.Heur.TP.em8@bifn34ei 2010-05-30 Found nothing
    2010-05-30 Found nothing 2010-05-31 Found nothing
    2010-05-31 Found nothing 2010-05-31 Mal/TDSSPack-Y
    2010-05-31 Trojan.PWS.IpDiscover.4 2010-05-28 Found nothing
    2010-05-30 Found nothing 2010-05-30 Found nothing
    2010-05-31 Found nothing


    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on Tue 1 Jun - 2:57

    Hi Sparty,

    Those System Restore Points are more menacing than they look. When we remove ComboFix it will flush them out and they'll be gone. It looks like all those files are indeed infected, so I'm going to go get a fix approved and get back to you asap.


    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by Crush on Tue 1 Jun - 10:07

    Hi Sparty,

    We're well on our way to complete disinfection!

    Re-running ComboFix to remove infections:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

      Folder::
      c:\program files\$NtUninstallWTF1012$

      File::
      c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
      c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
      c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
    4. Save this as CFScript.txt, in the same location as ComboFix.exe

    5. Referring to the picture above, drag CFScript into ComboFix.exe
    6. When finished, it shall produce a log for you at C:\ComboFix.txt
    7. Please post the contents of the log in your next reply.

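The CFScript above deletes the three DLLs by name. Because VirusTotal and Jotti reported the same MD5/SHA-1 for every copy that was submitted, a useful check after the run is to hash whatever is left in the same directory and look for renamed copies of the same bytes. The script below is an added example written for this thread; it is not ComboFix's code and not something Crush posted. It parses the Folder::/File:: list, records the SHA-256 of each listed file before the fix, and afterwards reports (a) listed paths still present and (b) files in those directories whose hash matches a recorded or reference hash. The fixture is constructed: Windows paths are mapped under a temporary directory, the DLL bytes are dummy content, and only the SHA-256 constant is the value VirusTotal reported for 555qG.dll in the thread.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# SHA-256 VirusTotal reported in the thread for 555qG.dll; kept as a
# reference hash alongside the hashes recorded before the fix.
VT_SHA256_555QG = "cd810f7f6bb6594360d5f40e24a02ddbf9a2dd312a58e172fa8e4a8278f6bb8d"


def parse_cfscript(text):
    """Split a CFScript into {section: [paths]} for 'Folder::'/'File::' blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"path before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def to_local(win_path, root):
    """Map 'c:\\windows\\x' onto <root>/windows/x so the check runs anywhere (demo assumption)."""
    parts = win_path.split("\\")
    if parts and parts[0].endswith(":"):
        parts = parts[1:]
    return Path(root).joinpath(*parts)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(sections, root):
    """Before the fix: hash every listed file that exists (folders are skipped)."""
    hashes = {}
    for p in sections.get("File", []):
        local = to_local(p, root)
        if local.is_file():
            hashes[sha256_file(local)] = p
    return hashes


def verify(sections, root, known_bad):
    """After the fix: return (listed paths still present, same-hash files left
    in the directories of the listed files, i.e. copies under other names)."""
    still_present = [p for sec in ("Folder", "File")
                     for p in sections.get(sec, [])
                     if to_local(p, root).exists()]
    survivors = []
    for d in {to_local(p, root).parent for p in sections.get("File", [])}:
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            if entry.is_file() and sha256_file(entry) in known_bad:
                survivors.append(str(entry.relative_to(root)))
    return still_present, survivors


# The script from the post above, verbatim.
SCRIPT = """\
Folder::
c:\\program files\\$NtUninstallWTF1012$

File::
c:\\windows\\system32\\Spool\\prtprocs\\w32x86\\555qG.dll
c:\\windows\\system32\\Spool\\prtprocs\\w32x86\\9sKU93i79.dll
c:\\windows\\system32\\Spool\\prtprocs\\w32x86\\U7mY17.dll
"""


def demo():
    """Constructed fixture: the three listed DLLs plus an unlisted fourth copy
    (17oC17.dll) with identical bytes, mirroring the four same-hash files in
    the thread. The listed items are then deleted, as ComboFix would do."""
    root = tempfile.mkdtemp()
    try:
        sections = parse_cfscript(SCRIPT)
        spool = to_local(r"c:\windows\system32\Spool\prtprocs\w32x86", root)
        spool.mkdir(parents=True)
        payload = b"constructed sample bytes, not the real DLL\n" * 64
        for name in ("555qG.dll", "9sKU93i79.dll", "U7mY17.dll", "17oC17.dll"):
            (spool / name).write_bytes(payload)
        to_local(sections["Folder"][0], root).mkdir(parents=True)

        known_bad = snapshot(sections, root)          # recorded before the fix
        known_bad[VT_SHA256_555QG] = "555qG.dll (VirusTotal)"

        for p in sections["File"]:                    # simulate the removal run
            to_local(p, root).unlink()
        shutil.rmtree(to_local(sections["Folder"][0], root))

        return verify(sections, root, known_bad)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    present, copies = demo()
    print("listed paths still present:", present)
    print("same-hash copies left behind:", copies)
```

In the fixture every listed path is gone after the run, but the unlisted `17oC17.dll` is reported because its bytes hash to the same value as the deleted files; that is the case a name-based script cannot catch on its own, and the same directory walk works against a real spool directory once the temporary-root mapping is dropped.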

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Post by sparty on Tue 1 Jun - 14:09

    I hope you're right, Chris.

    Following is the latest ComboFix report. Thanks again for your help!

    ComboFix 10-05-31.02 - Boss 05/31/2010 22:47:44.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.173 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll"
    "c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll"
    "c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\$NtUninstallWTF1012$
    c:\program files\$NtUninstallWTF1012$\elUninstall.exe
    c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
    c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
    .

    2010-05-31 20:26 . 2010-05-31 20:26 -------- d-----w- c:\windows\LastGood
    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-31 20:26 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-31 20:21 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-31 10:36 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-31 10:36 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-31 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-04-22 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - [You must be registered and logged in to see this link.]
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-$NtUninstallWTF1012$ - c:\program files\$NtUninstallWTF1012$\elUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-05-31 22:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-31 23:01:21
    ComboFix-quarantined-files.txt 2010-06-01 03:01
    ComboFix2.txt 2010-05-31 04:40
    ComboFix3.txt 2010-05-30 23:02
    ComboFix4.txt 2010-05-30 16:09
    ComboFix5.txt 2010-06-01 02:45

    Pre-Run: 59,722,158,080 bytes free
    Post-Run: 59,803,074,560 bytes free

    - - End Of File - - EE244E72D08209CD8472F8DE9D183698

    Post by Crush on Tue 1 Jun - 14:55

    Hi Sparty,

    Looks like there is one file that withstood deletion. Let's see it stand up to this!

    • Download The Avenger by Swandog46 from [You must be registered and logged in to see this link.].
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
      Code:
      Files to delete:
      c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    • In the Avenger window, click the Paste script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.

    Post by sparty on Tue 1 Jun - 18:38

    Hi Chris,

    I ran the Avenger and the log is posted below. It looks like that didn't work on removing that file either. When I first pasted the text to the clipboard I included the word "Code:" and Avenger didn't like that.....I pasted just the text w/o "Code:" and it then executed....but apparently could not find the file. Now what? - Thanks.



    Logfile of The Avenger Version 2.0, (c) by Swandog46
    [You must be registered and logged in to see this link.]

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: file "c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll" not found!
    Deletion of file "c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.

    Post by sparty on Tue 1 Jun - 18:51

    Hi again Chris,

    Just wanted to let you know that, when I just rebooted my desktop, McAfee showed that it had detected and deleted a trojan by the name of "Artemis..." (I couldn't see the extension when it flashed on the screen).

    Thought you might want to know.

    Post by Crush on Tue 1 Jun - 19:11

    Hi Sparty,

    Would you mind re-running ComboFix please? I'm signing off here in a few minutes, so we'll likely catch up in the morning.

    Post by sparty on Wed 2 Jun - 2:59

    Hey Chris,

    Ok. I had to download ComboFix AGAIN. The executable file was gone again from my desktop and was nowhere to be found on a search. Why is that happening? Is the rootkit responsible? Is the rootkit still present? Thanks again for your continuing assistance!

    Here's the log from the latest ComboFix scan:



    ComboFix 10-05-31.03 - Boss 06/01/2010 11:36:58.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.229 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
    .

    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-01 07:52 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-06-01 07:52 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-31 20:26 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-31 20:21 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-01 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - [You must be registered and logged in to see this link.]
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-06-01 11:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1988)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-06-01 11:51:14
    ComboFix-quarantined-files.txt 2010-06-01 15:51
    ComboFix2.txt 2010-06-01 03:01
    ComboFix3.txt 2010-05-31 04:40
    ComboFix4.txt 2010-05-30 23:02
    ComboFix5.txt 2010-06-01 15:34

    Pre-Run: 59,795,775,488 bytes free
    Post-Run: 59,768,147,968 bytes free

    - - End Of File - - 12F8FFFC5F99A90DD4E6EC928634A413

    Post by Crush on Wed 2 Jun - 4:35

    Hi Sparty,

    That confirms it. The file is gone.

    How are things running now?

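As an added, defender-side example (not code from this thread, from ComboFix or from Geek Police): a small Python parser for the lines ComboFix prints in its "Files Created" section. It flags DLL files created under the print-processor directory, the location of the 17oC17.dll file the thread was chasing, and compares two runs so that "the file is gone" is checked against the log rather than assumed. The sample runs are constructed from paths in this thread; the size and timestamps on the 17oC17.dll line are made-up values.

```python
"""Triage ComboFix 'Files Created' lines for print-processor DLLs.

Added example; not code from the thread, from ComboFix or from Geek Police.
ComboFix lists each new file as
    <created> . <modified> <size|--------> <attrs> <path>
This parser pulls those fields out, flags DLL files under the print
processor directory (the spooler loads print processors as SYSTEM, so an
unexpected DLL there is a persistence concern), and compares two runs so a
defender can confirm a flagged file is gone instead of trusting one scan.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One 'Files Created' line, e.g.
# 2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
PRTPROCS_DIR = "\\spool\\prtprocs\\"  # compared case-insensitively


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directory entries ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_entries(log_text: str) -> List[Entry]:
    """Parse every 'Files Created' style line; other log lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size,
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def flag_print_processor_dlls(entries: List[Entry]) -> List[str]:
    """Paths of DLL files created under the spool\\prtprocs directory."""
    return sorted(
        e.path for e in entries
        if not e.is_dir
        and e.path.lower().endswith(".dll")
        and PRTPROCS_DIR in e.path.lower()
    )


def removed_between(before: List[Entry], after: List[Entry]) -> List[str]:
    """Flagged paths seen in the earlier run that the later run no longer lists."""
    earlier = set(flag_print_processor_dlls(before))
    later = set(flag_print_processor_dlls(after))
    return sorted(earlier - later)


# Constructed sample runs. Paths are taken from the thread; the size and
# timestamps of the 17oC17.dll line are made up for this example.
EARLIER_RUN = r"""
2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
2010-05-28 19:55 . 2010-05-28 18:08 70000 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
"""
LATER_RUN = r"""
2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
"""

if __name__ == "__main__":
    before, after = parse_entries(EARLIER_RUN), parse_entries(LATER_RUN)
    print("flagged in earlier run:", flag_print_processor_dlls(before))
    print("flagged in later run:  ", flag_print_processor_dlls(after))
    print("confirmed removed:     ", removed_between(before, after))
```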

    Post by sparty on Wed 2 Jun - 6:25

    Hi Chris,

    Excellent!! The desktop seems to be running fine at this point. Nothing unusual noted.

    Do you really think we've gotten totally rid of this beast?? I can't help but be skeptical after reading that rootkit info at Wiki, etc..

    Do you still think I should change all my passwords? I'm guessing it would be a good idea for safety's sake, right? Should I leave all the ComboFix files or get rid of them?

    Thank God for guys like you and your cohorts at Geek Police, Chris!! I am VERY grateful for all your assistance with this issue. It's a fantastic service you guys perform to fight the #@*& idiots that throw this crap out there to muck up our lives via the internet!

    I'll keep you posted if anything weird shows up in the near future.

    Nice job, Chris!!

    Post by Crush on Wed 2 Jun - 6:35

    Hi Sparty,

    Do you really think we've gotten totally rid of this beast?? I can't help but be skeptical after reading that rootkit info at Wiki, etc..

    Yep. That latest log shows no more remnants of the rootkit but, you're absolutely right. It was one nasty infection!


    Do you still think I should change all my passwords? I'm guessing it would be a good idea for safety's sake, right? Should I leave all the ComboFix files or get rid of them?

    You're absoƖutely right again. Changing passwords periodically never hurts. Except when you can't remember them Goofy


    Thank God for guys like you and your cohorts at Geek Police, Chris!! I am VERY grateful for all your assistance with this issue. It's a fantastic service you guys perform to fight the #@*& idiots that throw this crap out there to muck up our lives via the internet!

    You're very welcome. It's been a pleasure working with you.

    ====

    Now for the cleanup:

    Congratulations!! Your PC is all clean!

    To uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall



    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

    ========

    There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

    Cleaning

    Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.


    Defragmenting Your Hard Disk

    Over time your PC can become fragmented. Windows comes with a defragmenting utility; however, it is very slow, and there are other options available.

    To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit enter; or
    right-click My Computer, choose Manage, Storage, Disk Defragmenter.

    In the Defragmenter utility, select your main partition/HD, generally C:\, and select Analyze. The analysis report will tell you whether or not your disk needs to be defragmented; if it does, click Defragment. Be patient, this can take a long time.

    Repeat for multiple partitions/hard disks.

    System Restore Cleanup Instructions

    If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
    You can find instructions on how to disable and re-enable system restore here:

    [You must be registered and logged in to see this link.]

    [You must be registered and logged in to see this link.]

    Reading Tip:
    [You must be registered and logged in to see this link.]

    Keep Your System Updated

    Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly, or update your system regularly.

    Install the updates immediately if they are found. Reboot your computer if necessary, and revisit the Windows Update and Office Update sites until there are no more updates to be installed.

    To update Windows and Office

    Go to Start > All Programs > Microsoft Update

    Alternatively, you can visit the link below to update Windows and Office products.

    [You must be registered and logged in to see this link.]

    If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

    1. Go to Start > Control Panel > Automatic Updates
    2. Select the Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
    3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but installed at another time.
    4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

    Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

    Be careful when opening attachments and downloading files.

    1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
    2. Never open emails from unknown senders.
    3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
    4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

    Surf safely

    Many security exploits on websites are directed to users of Internet Explorer and Firefox.

    If you use Firefox, try the [You must be registered and logged in to see this link.] - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

    Backup regularly

    You never know when your PC will become unstable or become so infected that you can't recover it. Follow this [You must be registered and logged in to see this link.] to learn how to backup. Follow [You must be registered and logged in to see this link.] by Microsoft to restore your backups.

    Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
    [You must be registered and logged in to see this link.]

    Avoid P2P

    I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Prevent A Re-infection

    1. Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features [You must be registered and logged in to see this link.]

    You can get a [You must be registered and logged in to see this link.] of Winpatrol or use the [You must be registered and logged in to see this link.] for more features.

    You can read [You must be registered and logged in to see this link.] if you run into problems.

    2. Hosts File

    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    A downloaded Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

    Here are some Hosts files:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    3. Spybot Search and Destroy

    Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from [You must be registered and logged in to see this link.].

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy [You must be registered and logged in to see this link.] at Bleeping Computer.

    4. SiteHound Toolbar

    [You must be registered and logged in to see this link.] is a toolbar that warns you if you go to a site that is known to scam people, that potentially has lots of viruses or spyware, or that has other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

    ====

    Stand Up and Be Counted ---> [You must be registered and logged in to see this link.] <--- where you can make a difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
    ============================================================
    See [You must be registered and logged in to see this link.] for more info about malware and prevention.
    Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site.
    Before the thread is archived, do you have any more questions?

    Happy surfing and stay clean!


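    The Hosts-file mechanism described in the post above, as an added example that is not part of the original post or of any of the Hosts files it links to: a parser that reads HOSTS-format text, answers what a name would resolve to, and flags entries that send a name somewhere other than a local blackhole address. The sample file content, the hostnames and the 198.51.100.7 address are constructed for illustration.

```python
"""Parse a HOSTS file and classify its entries.

Added example, not part of the original forum post. The sample file
content below is constructed for illustration; it is not a real
published HOSTS list.
"""
import ipaddress

# Addresses a blocklist uses to blackhole a name on the local machine.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample: a comment line, the default localhost entry, two
# blackholed ad/spyware names (one line lists two names, tab-separated,
# with a trailing comment) and one entry that points a real-looking
# name at an outside address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net
0.0.0.0\tspyware.example.org\ttracker.example.org   # blackholed
198.51.100.7    update.antivirus-vendor.example
"""


def parse_hosts(text):
    """Return {hostname: ip} for every name/address pair in HOSTS text.

    Handles '#' comments (whole line or trailing), blank lines, tab or
    space separation and several hostnames on one line. For duplicate
    names the later entry wins. Names are lower-cased because HOSTS
    lookups are case-insensitive.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for name in fields[1:]:
            mapping[name.lower()] = str(ip)
    return mapping


def lookup(mapping, hostname):
    """Return the address HOSTS would give for hostname, or None if absent."""
    return mapping.get(hostname.lower())


def is_blackholed(mapping, hostname):
    """True if HOSTS sends hostname to a local blackhole address."""
    return lookup(mapping, hostname) in BLACKHOLE


def suspicious_entries(mapping):
    """Return {name: ip} for entries that redirect a name to a non-local
    address. A blocklist only ever uses blackhole addresses, so anything
    else is a candidate hijack rather than protection. This check is the
    editor's addition, not something the post describes.
    """
    return {
        name: ip
        for name, ip in mapping.items()
        if ip not in BLACKHOLE and not ipaddress.ip_address(ip).is_loopback
    }


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "tracker.example.org", "www.example.com"):
        state = "blocked" if is_blackholed(hosts, name) else "not in HOSTS"
        print(name, "->", lookup(hosts, name), state)
    print("suspicious:", suspicious_entries(hosts))
```

    On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts. Only the loopback and unspecified addresses are legitimate blocklist targets; an entry that sends a name to any other address deserves a look, because malware that edits HOSTS does so to redirect or block sites, not to protect you.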

    Post by sparty on Wed 2 Jun - 7:13

    Hi Chris,

    Well, one more problem. I ran the ComboFix /Uninstall and, although it did remove the ComboFix icon from my Desktop, I received an error message stating that "Windows cannot find 'ComboFix'". Also, McAfee showed the Artemis..... trojan detected alert again as soon as I ran the ComboFix uninstall request. I ran a file search for 'ComboFix' and there were 14 ComboFix files found. Should I manually delete those 14 files?

    I'll wait for your instructions. Thanks.

    Post by Crush on Wed 2 Jun - 8:04

    Hi Sparty,

    Please delete the following files from your machine. They are all part of ComboFix.

    -Combo-Fix.sys
    -nircmd.exe
    -pev.exe
    -pv.com
    -swreg.exe
    -grep.exe
    -hidec.exe
    -sed.exe
    -zip.exe
    -winstart.bat
    -append.dll
    -mbr.exe

    Do you have the path to that Artemis trojan that McAfee picked up?


    Post by sparty on Wed 2 Jun - 10:57

    Hi Chris,

    Of the files listed above that are part of ComboFix, my search was unable to find Combo-Fix.sys, pv.com, hidec.exe (2 prefetch files associated with that file were found and deleted), winstart.bat and append.dll. The rest of the files were found and deleted along with the 14 files with 'combofix' in their names (logs, text files, prefetch, etc.). Is it a problem that those other files couldn't be located?

    Maybe it has something to do with the "Artemis Trojan" situation. I found the file in the quarantined files of McAfee and it looks like, on 3 separate occasions, the combofix.exe file was the culprit that was identified as a possible threat and quarantined. That likely explains why ComboFix kept disappearing from my desktop. Maybe it explains the other files not being found?? Check out this link from McAfee regarding Artemis [You must be registered and logged in to see this link.]

    The link in the 1st reply (by the moderator) is particularly interesting. Apparently, "Artemis is a new technology by McAfee which provides always-on real-time protection that safeguards and secures you from emerging threats."

    What do you think, Chris?


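    A search for the ComboFix components listed in Crush's post above, including the Prefetch traces sparty mentions finding, as an added example: this is the editor's code, not ComboFix's own uninstaller and not from either poster. The file-name list is copied from the post; the search roots, the Prefetch naming rule (Windows writes a <EXE>-<hash>.pf file under %SystemRoot%\Prefetch for each program run) and the dry-run default are the editor's assumptions.

```python
"""Locate leftover ComboFix components by file name.

Added example, not from the original post and not ComboFix's own code.
The component names are the ones listed in the post; the search roots,
the Prefetch rule and the dry-run default are the editor's assumptions.
"""
import os

# File names the post lists as parts of ComboFix.
COMBOFIX_FILES = {
    "combo-fix.sys", "nircmd.exe", "pev.exe", "pv.com", "swreg.exe",
    "grep.exe", "hidec.exe", "sed.exe", "zip.exe", "winstart.bat",
    "append.dll", "mbr.exe",
}


def is_combofix_artifact(filename):
    """True for a listed component, a Prefetch trace of one, or any file
    whose name contains 'combofix' (logs, text files, .pf entries)."""
    name = filename.lower()
    if name in COMBOFIX_FILES or "combofix" in name:
        return True
    # Prefetch trace, e.g. HIDEC.EXE-1A2B3C4D.pf: strip the hash suffix
    # and compare the remaining executable name against the list.
    if name.endswith(".pf"):
        stem = name.rsplit("-", 1)[0]
        return stem in COMBOFIX_FILES
    return False


def find_artifacts(roots):
    """Walk each root and return the sorted paths of matching files.
    Unreadable directories are skipped instead of aborting the scan."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for fname in files:
                if is_combofix_artifact(fname):
                    hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def remove_artifacts(paths, dry_run=True):
    """Delete the given files. Dry run by default: the caller must opt in,
    because a wrong root or a generic name (sed.exe, grep.exe) would
    delete unrelated files. Returns (removed, failed) path lists."""
    removed, failed = [], []
    for path in paths:
        if dry_run:
            removed.append(path)
            continue
        try:
            os.remove(path)
            removed.append(path)
        except OSError:
            failed.append(path)  # locked, in use or permission denied
    return removed, failed


if __name__ == "__main__":
    import sys

    delete = "--delete" in sys.argv
    roots = [a for a in sys.argv[1:] if a != "--delete"]
    if not roots:
        # Assumed default: the Windows directory (Prefetch lives under it).
        roots = [os.environ.get("SystemRoot", r"C:\Windows")]
    found = find_artifacts(roots)
    removed, failed = remove_artifacts(found, dry_run=not delete)
    for path in removed:
        print(("deleted " if delete else "would delete ") + path)
    for path in failed:
        print("failed " + path)
    print(f"{len(found)} candidate file(s)")
```

    Several of the listed names (grep.exe, sed.exe, zip.exe, nircmd.exe) are also shipped by unrelated software, so review the dry-run listing before passing --delete, and widen the roots (the Desktop the tool was run from, the ComboFix program folder) rather than scanning the whole drive blindly. The "Windows cannot find 'ComboFix'" error sparty saw is consistent with his later finding: the /uninstall switch is processed by ComboFix.exe itself, and McAfee had quarantined that file.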

    Post by Crush on Wed 2 Jun - 13:52

    Hi Sparty,

    I've been talking to the behind-the-scenes guys about this. We've determined that the Artemis trojan detected by McAfee was actually ComboFix.

    A lot of times tools we use will be detected as malware because of the way they are developed. Last I checked, one of our most powerful tools wasn't malware :)

    We've also determined you're good in terms of the botched ComboFix removal. You got it all manually.

    Anything else I can do before this is archived? It's been a pleasure working with you :)


    Post by sparty on Wed 2 Jun - 15:36

    Sounds good to me, Chris.

    Once again, thanks so much for your competent assistance!

    Hopefully, I won't be needing the Geek Police in the future.....but if I do, I'll do so with confidence.

    Peace!
