dxcombin.exe

Discussion in 'Windows Desktop Systems' started by Tuffgong4, Sep 22, 2006.

  1. Tuffgong4

    Just got a horrible virus on my computer and have no idea where it came from. The file was called dxcombin.exe.

    I searched Google and found nothing describing it and I can't believe what it did to my system.

    It took all options away from me. It took away the Task Manager, regedit, the Run command in the Start menu, and some other things. I'm running NOD32 and Windows Defender. I just installed SpywareBlaster and still have no idea how it got on my computer.

    This was some bad stuff so be careful. If anyone has any info on this please post here.

    I haven't had a virus in a long time, like at least a couple years. And this one messed me up bad.
     
    Last edited: Sep 22, 2006
  2. American Zombie

    Try searching on just dxcombin without the exe on the end.
     
  3. Tuffgong4

    I searched just that but it brought me to a forum post about torrents... haven't done any torrent downloads since the new build and actually haven't used BitTorrent for quite some time. So I don't know how it would have gotten through. I've had such a good run without a virus that I'm confused... the only two things that have changed are that I'm running XP Pro x64 and NOD32 and those can't be the reason I would get this.

    Maybe someone in my family that uses this computer did something. I'll have to ask.
     
  4. bush dogg

    This is the first I heard of that but seems it was first seen on Sept 7 2006.

    The only thing I could find on it is Here.
     
  5. GoNz0

    Without looking into this, an old trick after a virus stopped you using regedit.exe was to rename it to regedit.cmd. If you do that in safe mode you can remove where the little bugger starts itself.
     
  6. nonskidsurfass

    I have recently noticed this file through my firewall trying to access the internet and did some investigating. Seems to me it may be part of the new DirectX 9.0c v.4.09.0000.0904 software. Doesn't seem malicious as far as I can see and that Prevx page mentioned above seems extremely suspicious right off the bat. Just my thought.
    -Nonskidsurfass

    Not sure if that last quick reply worked, so excuse the repeat. I recently discovered this dxcombin.exe through my firewall and decided to investigate. Looking through the registry it seems it may be part of the new DirectX software update v.4.09.0000.0904. Oh yeah, and that page listed above... PREVX has spyware written all over it. Let me know your thoughts.
    -Nonskidsurfass
     
    Last edited by a moderator: Sep 30, 2006
  7. teste

    I also did some investigation and didn't find any necessarily suspicious behavior from DXcombin, except this: it started itself after running an executable found on a filesharing network, and wanted to access the internet; it did not terminate itself when I closed the original executable and it tried again to access the internet. It also placed itself in the Windows/System 32 XP folder. It did place two new keys in the registry, describing itself as a DirectX run process. That's a small number of keys. Furthermore, it didn't place itself in the startup processes (msconfig), and after running a scan with HijackThis, there was no trace of alterations. So, honestly, it's probably pretty safe... I could be wrong. All of the symptoms seem to tell me that its threat level would be very low. peace,
     
  8. LeeJend

    I got 5 pages of hits on dxcombin.

    Definitely malware, a Trojan/Backdoor. It blocks access to AV sites to protect itself so you will need to get removal instructions from another computer.

    Interestingly there is nothing on any of the major AV sites about it.
     
  9. tdinc

    ANALYSIS OF: DXCOMBIN.EXE

    * File Names Used: 45
    * Paths Used: 20
    * Common File Name: DXCOMBIN.EXE
    * Common Path: %WINDIR%\SYSTEM32\
    * Vendor Information: No Vendor details specified
    * DXCOMBIN.EXE may use 45 or more path and file names, these are the most common:
    * 1 :%DESKTOP%\WINTRUST32.EXE
    * 2 :%WINDIR%\SYSTEM32\ACTSRV.EXE
    * 3 :%WINDIR%\SYSTEM32\DXCOMBIN.EXE
    * 4 :%WINDIR%\SYSTEM32\DXCOMBIN2.EXE
    * 5 :%WINDIR%\SYSTEM32\IWINAPP.EXE
    * 6 :%WINDIR%\SYSTEM32\NETID.EXE
    * 7 :%WINDIR%\SYSTEM32\NETIDBAD.EXE
    * 8 :%WINDIR%\SYSTEM32\NETMSG.EXE
    * 9 :%WINDIR%\SYSTEM32\ODBC.EXE
    * 10:%WINDIR%\SYSTEM32\ODBC.EXE.REN
    * File Name Structure: Normal
    * File and Path Structure: Suspicious, unusually high number of file and path combinations

    Tuffgong4, have you been able to scan and remove the trojan?
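
A triage check built from the file locations in the analysis quoted in post 9, added here as an example and not part of the original thread: it looks for each reported name without regard to case and records size and SHA-256 for anything found, so the file can be looked up or submitted by hash. The function names and the mapping of the report's `%WINDIR%` and `%DESKTOP%` tokens to real directories are assumptions; a name match is a lead to follow up, not a verdict.

```python
import hashlib
from pathlib import Path

# File locations from the analysis quoted above. The %TOKEN% prefixes are the
# report's own notation, so the caller maps each token to a real directory.
REPORTED_PATHS = [
    r"%DESKTOP%\WINTRUST32.EXE",
    r"%WINDIR%\SYSTEM32\ACTSRV.EXE",
    r"%WINDIR%\SYSTEM32\DXCOMBIN.EXE",
    r"%WINDIR%\SYSTEM32\DXCOMBIN2.EXE",
    r"%WINDIR%\SYSTEM32\IWINAPP.EXE",
    r"%WINDIR%\SYSTEM32\NETID.EXE",
    r"%WINDIR%\SYSTEM32\NETIDBAD.EXE",
    r"%WINDIR%\SYSTEM32\NETMSG.EXE",
    r"%WINDIR%\SYSTEM32\ODBC.EXE",
    r"%WINDIR%\SYSTEM32\ODBC.EXE.REN",
]

def find_case_insensitive(base, parts):
    """Walk `parts` under `base`, matching each name without regard to case."""
    current = Path(base)
    for part in parts:
        if not current.is_dir():
            return None
        current = next((p for p in current.iterdir()
                        if p.name.lower() == part.lower()), None)
        if current is None:
            return None
    return current

def scan(roots, reported=REPORTED_PATHS):
    """Return one record per reported path that exists as a file under `roots`."""
    hits = []
    for entry in reported:
        token, _, rest = entry.partition("\\")
        base = roots.get(token.strip("%").upper())
        if base is None:
            continue  # no directory supplied for this token
        found = find_case_insensitive(base, rest.split("\\"))
        if found is not None and found.is_file():
            data = found.read_bytes()
            hits.append({"reported": entry, "path": str(found), "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
    return hits

if __name__ == "__main__":
    import os
    # Assumed mapping for a live system; point these at a mounted disk instead
    # to check an installation offline.
    roots = {"WINDIR": os.environ.get("WINDIR", r"C:\Windows"),
             "DESKTOP": os.path.join(os.path.expanduser("~"), "Desktop")}
    for hit in scan(roots):
        print(hit["sha256"], hit["size"], hit["path"])
```

Running it against the disk mounted on a second machine avoids relying on tools the infected session has disabled.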
     
  10. American Zombie

    You guys did see that the last post in this thread was two months ago?
     
  11. LeeJend

    Umm, no we didn't... Duh.
     
  12. Tuffgong4

    I cleared it up long ago but I like where the topic is going about how there is 0 information about this on some AV websites.