Possible Generic.DX infection?

10 replies to this topic

#1 Colin!


  • Members
  • 6 posts
  • Local time:01:09 AM

Posted 24 February 2009 - 03:25 AM

I installed some software on my pc which appeared to work OK. When I installed on another machine, McAfee panicked about there being a Generic.DX trojan on the disk. Since then, I've been having issues with Windows Explorer and the LAN drive crashing. I've updated all the drivers, and performed MalwareBytes, Windows Defender and McAfee scans in safe mode but to no avail. Can you determine please if there is something suspicious in my HJT file? Much appreciated!



Edited by Colin!, 24 February 2009 - 03:26 AM.



#2 Bio-Hazard


  • Members
  • 258 posts
  • Gender:Male
  • Location:Cornwall, UK
  • Local time:01:09 AM

Posted 08 March 2009 - 10:16 AM

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.
No Reply Within 5 Days Will Result In Your Topic Being Closed!!

random's system information tool (RSIT)
  • Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply (Sometimes you have to make several post to get the logs posted.)

#3 Bio-Hazard


  • Members
  • 258 posts
  • Gender:Male
  • Location:Cornwall, UK
  • Local time:01:09 AM

Posted 13 March 2009 - 12:31 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#4 Bio-Hazard


  • Members
  • 258 posts
  • Gender:Male
  • Location:Cornwall, UK
  • Local time:01:09 AM

Posted 18 March 2009 - 08:03 AM

Topic reopened on the request of the topic starter.

#5 Colin!

  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:09 AM

Posted 18 March 2009 - 09:05 AM

Attached are the logs from RSIT

Attached Files

  • Attached File  info.txt   18.1KB   5 downloads
  • Attached File  log.txt   30.89KB   19 downloads

#6 Carolyn


    Bleepin' kitten

  • Members
  • 2,131 posts
  • Local time:07:09 PM

Posted 19 March 2009 - 12:23 PM

Hello Colin!,

My name is Carolyn. Bio-Hazard has the flu so I will be assisting you.


P2P Warning!

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.


P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.

I would recommend that you uninstall eMule, however that choice is up to you.

If you wish to keep it, please do not use it until your computer is cleaned.

If you have malware cleaned from your system by one of our Hjt Team/Malware Hunters and then later return with more infections....and these P2P programs are still installed, you may be refused help.


Disable Windows Defender until the computer is clean

Windows Defender normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

- Open Windows Defender
- Select Tools and then General Settings
- Under Real Time Protection Options uncheck Turn on real-time protection
- Select Save
Don't forget to re-enable it, when your computer is clean.


Download and run Flash_Disinfector

Download Flash_Disinfector from here and save it to your desktop.
Right click on Flash_Disinfector.exe and select Run as administrator to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone, mp3 player, and so on.
Please do so and allow the utility to clean up those drives as well.


Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Right click Erunt.exe and select Run as administrator to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERUNT.exe


Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.


  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Please Install Sun Java and Run a Kaspersky Online Scan

Please make sure that all programs are closed when installing Java.

  • Click here to visit Java's website.
  • Scroll down to Java Runtime Environment (JRE) 6 Update 12. Click on Download.
  • Select Windows from the drop-down list for Platform.
  • Select Multi-language from the drop-down list for Language.
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  • Click on jre-6u12-windows-i586-p.exe link to download it and save this to a convenient location.
  • Right click on jre-6u12-windows-i586-p.exe and select Run As Administrator to install Java.
  • After the Java installation has finished, right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it.
  • Go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

I would like to see the log from when you last ran Malwarebytes' Anti-malware. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.


Please post the following:
  • The OTMoveIt log
  • The Kaspersky log
  • The Malwarebytes' Anti-Malware log
  • A fresh RSIT log (RSIT will only produce one log for you to post this time).

Member of ASAP (Alliance of Security Analysis Professionals)

#7 Colin!

  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:09 AM

Posted 24 March 2009 - 03:34 AM


The first link Flash_disinfector.exe is broken

I ran Erunt and old timer. Old timer appeared to stop working, so I rebooted and it reopened on startup and gave this log:
Files moved on Reboot...
File C:\Users\PRODUC~1\AppData\Local\Temp\etilqs_PwYaTSESXxAhJEx4RB6f not found!
File C:\Users\PRODUC~1\AppData\Local\Temp\etilqs_PwYaTSESXxAhJEx4RB6f-journal not found!
File C:\Users\PRODUC~1\AppData\Local\Temp\IMG2451.tmp not found!
File C:\Users\PRODUC~1\AppData\Local\Temp\IMG2809.tmp not found!
File C:\Users\PRODUC~1\AppData\Local\Temp\ppcrlui_5408_2 not found!
File move failed. C:\Windows\temp\CLDigitalHome\CLMS_AGENT_LOG1.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\CLDigitalHome\PCMMediaServer.log scheduled to be moved on reboot.
File C:\Windows\temp\mcafee_cgAorOlzrDWTyag not found!
File C:\Windows\temp\mcmsc_7DNfOhzB9SNneQJ not found!
File C:\Windows\temp\mcmsc_a9dx59sg2xGRg2U not found!
File C:\Windows\temp\mcmsc_cXNenlfkQIzBnqa not found!
File C:\Windows\temp\mcmsc_vEgt8cLH9aEgAdf not found!
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0009\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0009\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0009\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0009\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0009\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0008\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0008\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0008\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0008\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0008\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0007\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0007\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0007\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0007\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0007\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0006\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0006\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0006\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0006\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0006\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0005\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0005\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0005\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0005\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0005\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0004\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0004\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0004\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0004\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0004\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0003\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0003\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0003\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0003\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0003\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0002\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0002\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0002\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0002\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0002\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0000\adoc.bx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0000\md.dat moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0000\url.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0000\w.ax moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\vps\0000\wb.vx moved successfully.
C:\Users\Production\AppData\Local\Opera\Opera\Profile\cache4\temporary_download\OTMoveIt3.exe moved successfully.

Kaspersky keeps saying Java/javascript is disabled?

I'm going to try going through the settings (or maybe use IE to run it)

#8 Colin!

  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:09 AM

Posted 24 March 2009 - 03:36 AM

Malwarebytes' log:
Malwarebytes' Anti-Malware 1.34
Database version: 1861
Windows 6.0.6001 Service Pack 1

18/03/2009 15:11:30
mbam-log-2009-03-18 (15-11-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 322311
Time elapsed: 1 hour(s), 55 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 Carolyn


    Bleepin' kitten

  • Members
  • 2,131 posts
  • Local time:07:09 PM

Posted 25 March 2009 - 06:48 AM

You can download Flash_Disinfector from HERE

Let's try a different online scan...

  • Click here to perform a Panda online scan. Please use Internet Explorer as it requires ActiveX.
  • Click on Scan your PC now.
  • A new window will open.
  • Select your country and type in your email address. You may also optionally choose to receive emails from Panda. If you don't wish to, please select the I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable option.
  • Click on Free online scan.
  • You will be prompted to install an ActiveX. Please allow it.
  • Once installed, it will start downloading the virus definitions. Please be patient. This takes a while.
  • Once the files are downloaded, it will ask you to select what to scan. Select My Computer.
  • The scan will start. It takes a while, please be patient.
  • Once done, click on View Report.
  • You will be brought to another page. Click on Save Report. Save it to your desktop. Please post this report in your next reply.

Please post the Panda log along with a fresh RSIT log and a description of how your computer is behaving.

#10 Colin!

  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:09 AM

Posted 27 March 2009 - 04:26 AM

Panda log attached...

RSIT log attached...

NDAS service still cannot see the netdisk/lan drive. Tests show that the computer is able to see the disk (or the packets sent by it)


#11 Carolyn


    Bleepin' kitten

  • Members
  • 2,131 posts
  • Local time:07:09 PM

Posted 27 March 2009 - 01:10 PM



D:\My Documents\Software\opera8_keygen\opera_keygen.exe
D:\BACKUP FROM OLD PC\Documents and Settings\Production\My Documents\Software\opera8_keygen\opera_keygen.exe

Someone on this system was trying to access cracks or a 'keygen'....this is a certain way to attract malware to your system. 'Keygens' are illegal and often associated or loaded with malware, and should be avoided (along with 'cracks' and associated 'crack' sites).


Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following folders; if found, delete them:

D:\BACKUP FROM OLD PC\Program Files\NoAdware <<Folder
D:\BACKUP FROM OLD PC\Documents and Settings\Production\Cookies <<Folder
D:\My Documents\Software\opera8_keygen <<Folder
D:\BACKUP FROM OLD PC\Documents and Settings\Production\My Documents\Software\opera8_keygen <<Folder

Now empty your Recycle Bin.


There are no longer any signs of malware on your computer. As the problem you are having with the netdisk/lan drive is not malware related, I suggest that you post for continued assistance in one of the general computer troubleshooting forums.


This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

Your log now appears to be clean. Congratulations!

Please delete RSIT.exe from your computer

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

  • CleanUp! with OTMoveIt
    • Right click OTMoveIt3.exe and select Run as administrator to launch the programme.
    • Click on the CleanUp! button.
    • OTMoveIt will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • When finished, exit out of OTMoveIt.
    • The tool will delete itself once it finishes; if not, delete it yourself.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Clear Infected System Restore Points
    Turn off System Restore (Vista)
    • Click the Vista/Start icon.
    • Right-click Computer.
    • Click Properties.
    • Click the System Protection tab.
    • Uncheck all drives.
    • Click "Turn Off System Restore" at the prompt, then click "Apply".
    • Restart your computer.
    Turn on System Restore (Vista)
    • Click the Vista/Start icon.
    • Right-click Computer.
    • Click Properties.
    • Click the System Protection tab.
    • Check all drives that were selected previously, then click "Apply".

  • Set correct settings for files
    • Click Start > Computer > Organize menu (at top of page) > Folder and Search Options > View tab.
    • Under Hidden files and folders if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check Display content of system folders
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:

    Stop and Disable the DNS Client Service
    Go to Start, in the Start Search box type Run, when the run window opens type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-Click on the DNS Client Service. Choose Properties
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK

  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
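The "General Security and Computer Health" steps in the reply above (file-extension display, clearing System Restore points, stopping the DNS Client service before using a large HOSTS file) can be scripted rather than clicked through. The script below is an added example and is not code from the BleepingComputer post or from any of the tools it names. It assumes a Windows Vista/7-era machine with PowerShell 2.0 or later, run from an elevated prompt; the registry value names and the Dnscache service name are the standard ones, while the 1000-entry HOSTS threshold and the choice of system drive are arbitrary assumptions for illustration.

```powershell
# Added example: scripts the "General Security and Computer Health" steps from
# the reply above. Not from the BleepingComputer post or any tool it names.
# Assumptions: Windows Vista/7 with PowerShell 2.0 or later, run elevated.
# Registry value names and the service name are the documented ones; the
# 1000-entry HOSTS threshold below is an arbitrary choice.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# "Set correct settings for files": show extensions for known file types so a
# file named invoice.pdf.exe is visible as an executable; keep hidden and
# protected operating-system files hidden, as the post recommends.
function Set-ExplorerFileSettings {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt'     -Value 0 -Type DWord  # 0 = show extensions
    Set-ItemProperty -Path $key -Name 'Hidden'          -Value 2 -Type DWord  # 2 = do not show hidden files
    Set-ItemProperty -Path $key -Name 'ShowSuperHidden' -Value 0 -Type DWord  # 0 = hide protected OS files
}

# Count active entries (non-blank, non-comment lines that start with an
# address) in the HOSTS file, so "large HOSTS file" is a number, not a guess.
function Get-HostsEntryCount {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines  = Get-Content -Path $hostsPath -ErrorAction Stop
    $active = $lines | Where-Object { $_ -match '^\s*[0-9A-Fa-f.:]+\s+\S' }
    return @($active).Count
}

# "Stop and Disable the DNS Client Service": the service name is Dnscache.
# The post sets the start-up type to Manual rather than Disabled, so do the same.
function Disable-DnsClientCache {
    Set-Service  -Name 'Dnscache' -StartupType Manual
    Stop-Service -Name 'Dnscache' -Force -ErrorAction Stop
}

# "Clear Infected System Restore Points": turning protection off on a drive
# discards its restore points; turn it back on so fresh ones are created.
function Reset-SystemRestorePoints {
    param([string[]]$Drives = @("$env:SystemDrive\"))   # system drive only is an assumption
    Disable-ComputerRestore -Drive $Drives
    Enable-ComputerRestore  -Drive $Drives
}

if (-not (Test-IsElevated)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}

Set-ExplorerFileSettings
Write-Output 'Explorer now shows file extensions; hidden and protected OS files stay hidden.'

$entries = Get-HostsEntryCount
Write-Output "HOSTS file has $entries active entries."
if ($entries -gt 1000) {
    Disable-DnsClientCache
    Write-Output 'DNS Client service stopped and set to Manual (large HOSTS file).'
}

Reset-SystemRestorePoints
Write-Output 'System Restore points cleared and protection re-enabled on the system drive.'
```

Two caveats a practitioner will hit: Explorer reads the Advanced values when the shell starts, so log off and back on (or restart explorer.exe) before checking that extensions are visible; and on Windows 8 and later the DNS Client service is protected, so the Stop-Service call fails with access denied. That step belongs to the Vista-era systems this thread is about, and on a current system the HOSTS file can simply be left in place with the service running.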
