Author Topic: DC11.exe in C:\RECYCLER  (Read 8061 times)


kkaran168

  • Guest
DC11.exe in C:\RECYCLER
« on: September 24, 2010, 06:08:29 AM »
My Mom's computer gets the following message in her scan logs:

C:\RECYCLER\S-1-5-21-633758444-38797348-4173624282-1003\Dc11.exe\%MAINDIR%\Skins\MHQ - BlueWonder.ask\tab1.bmp [E] Archive is password protected. (42056)
C:\RECYCLER\S-1-5-21-633758444-38797348-4173624282-1003\Dc11.exe\%MAINDIR%\Skins\MHQ - BlueWonder.ask\tab2.bmp [E] Archive is password protected. (42056)
C:\WINDOWS\Installer\591495.msp\PCW_CAB_H15\MSTORDB.EXE [L] Win32:Malware-gen (0)
C:\WINDOWS\Installer\591495.msp\PCW_CAB_H15\MSTORDB.EXE [L] Win32:Malware-gen (0)

I was able to get into the C:\RECYCLER\S-1-5-21-633758444-38797348-4173624282-1003 directory using the command prompt but was unable to delete the DC11.exe file.  Also, what should I do about the MSTORDB.EXE file?

She is running Avast Professional 4.8 on Win XP.

Please advise.
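As an added, defender-side example (not from the original post, and not Avast's own code): a small Python triage of scan-log lines in the format pasted above. It separates the file that is actually on disk from the archive member Avast was inspecting, tells a scan error apart from a detection, and decodes the Windows XP Recycle Bin naming (RECYCLER\<owner SID>\D<drive letter><index>.<original extension>). The "file on disk" heuristic and the list of error messages are assumptions.

```python
import re
from typing import Optional

# Constructed sample in the pasted format (the two distinct lines from the post).
SAMPLE_LOG = (
    r"C:\RECYCLER\S-1-5-21-633758444-38797348-4173624282-1003\Dc11.exe\%MAINDIR%\Skins\MHQ - BlueWonder.ask\tab1.bmp [E] Archive is password protected. (42056)" "\n"
    r"C:\WINDOWS\Installer\591495.msp\PCW_CAB_H15\MSTORDB.EXE [L] Win32:Malware-gen (0)" "\n"
)

# Assumed line shape: "<path> [<flag>] <message> (<code>)".
LINE_RE = re.compile(r"^(?P<path>.+?) \[(?P<flag>[A-Z])\] (?P<msg>.+?) \((?P<code>\d+)\)$")
# XP Recycle Bin naming: RECYCLER\<SID of the owning user>\D<drive letter><n>.<original ext>
RECYCLER_RE = re.compile(
    r"^[A-Z]:\\RECYCLER\\(?P<sid>S-1-5-21(?:-\d+)+)\\D(?P<drive>[A-Z])(?P<n>\d+)\.(?P<ext>[^\\]+)$",
    re.IGNORECASE)
# Messages meaning the scanner could not look inside the object (assumed list).
SCAN_ERRORS = ("Archive is password protected.",)

def on_disk_file(path: str) -> str:
    """Members of archives/installers are printed as path\\container\\member; the
    real file on disk is the first component with an extension that is followed by
    more components. (A directory name containing a dot would fool this heuristic.)"""
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if "." in part:
            return "\\".join(parts[: i + 1])
    return path

def triage(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, msg = m.group("path"), m.group("msg")
    container = on_disk_file(path)
    hit = {"file": container,
           "inside_container": container != path,
           "kind": "unscanned" if msg in SCAN_ERRORS else "detection",
           "detail": msg,
           "code": int(m.group("code"))}
    r = RECYCLER_RE.match(container)
    if r:  # a Recycle Bin item: who owned it, which drive it came from, its original type
        hit["recycle_bin"] = {"owner_sid": r.group("sid"),
                              "deleted_from_drive": r.group("drive").upper() + ":",
                              "index": int(r.group("n")),
                              "original_ext": r.group("ext")}
    return hit

def triage_log(text: str) -> list:
    return [h for h in (triage(l) for l in text.splitlines()) if h]
```

The Dc11.exe line thus resolves to an executable in one user's Recycle Bin that the scanner could not open, while the MSTORDB.EXE line is a real detection inside an installer patch; the two need different handling, which is the point of separating them.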

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: DC11.exe in C:\RECYCLER
« Reply #1 on: September 24, 2010, 08:10:01 AM »
If Avast is unable to send the infection to the Chest or delete it, I suggest a boot scan with Avast.

http://www.digitalred.com/avast-boot-time.php

Scan the computer with Malwarebytes Anti-Malware afterwards; if it finds any hits, remove them. It might need to reboot the computer; if so, let it do that.

http://filehippo.com/download_malwarebytes_anti_malware/

PS: Avast 5 has been out for over a year, so I suggest your mother upgrades to the latest version of Avast, since it's much better than Avast 4.8.

Good luck, and let us know how it goes, or if you need more help.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

SafeSurf

  • Guest
Re: DC11.exe in C:\RECYCLER
« Reply #2 on: September 24, 2010, 10:31:35 AM »
Scan the computer with Malwarebytes Anti-Malware afterwards; if it finds any hits, remove them. It might need to reboot the computer; if so, let it do that.
No...if Malwarebytes (MBAM) finds anything you want to send it to quarantine (do NOT delete it).  Please see instructions here:

·   Download free http://www.malwarebytes.org/ for an on-demand scanner.
·   Double Click mbam-setup.exe to install the application.
·   After install, click update so you have latest database before scanning.
·   Under Settings:
o   General: Automatically Save File After Scan Completes is checked off
o   Scanner Settings: Check all boxes
o   Updater: Download and install update if available is checked off
·   Once the program has loaded, select "Perform FULL Scan", then click Scan.
·   The scan may take some time to finish, so please be patient.
·   When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
·   Click the “remove selected” button to quarantine anything found.  You will find the infection details under the Quarantine tab.
·   The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
·   Copy & Paste the entire report in your next reply.

Questions:

1. What version of Avast Pro 4.8xxx is she running?  Are the definitions up to date?
2. What is the OS?  XP SP_?
3. What type of Avast scan was done to find the malware?
4. Is anything sitting in the Virus Chest now?  Leave anything that is there in there. 

Please let me know if you have any questions and I will be looking out for your logs.  Thank you.


kkaran168

  • Guest
Re: DC11.exe in C:\RECYCLER
« Reply #3 on: September 24, 2010, 06:15:20 PM »
Thank you SafeSurf for your detailed reply.  I did as you said and downloaded the latest free version of Malwarebytes mbam-setup-1.46.exe version 4684.  I also did a full scan.  Here is the log.  It mentions nothing about the MSTORDB.EXE and Dc11.exe files.  It did notice that I turned off the Windows Firewall and Windows antivirus settings.  I did this because she has a hardware firewall (Linksys router) and she does not use the Windows antivirus software.  We use the Avast antivirus software.

Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4684

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

9/24/2010 11:16:15 AM
mbam-log-2010-09-24 (11-16-15).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 189587
Time elapsed: 56 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here are the answers to your questions:

1. What version of Avast Pro 4.8xxx is she running?  Are the definitions up to date?
She is running Avast Pro 4.8.  The VPS is up to date and the version is 100924 and the compilation date is 9/24/10

2. What is the OS?  XP SP_?
The OS is Win XP Home Edition SP3

3. What type of Avast scan was done to find the malware?
I ran an overnight scan of all local drives.  The Avast log is in the next post.

4. Is anything sitting in the Virus Chest now?  Leave anything that is there in there. 
I don't know where the Virus Chest is.  I think Malwarebytes moved three registry settings in there.

A) Should I upgrade to the latest version of Avast?
B) Should I delete the MSTORDB.EXE and Dc11.exe?
C) If so, how can I delete DC11.EXE if I can't see it? 
D) There is a site called http://www.Prevx.com.  Are they a legit software company?  They have a page on this: http://spywarefiles.prevx.com/RRIHJJ63418/DC11.EXE.html

Thank you so much for your assistance so far.

kkaran168

  • Guest
Re: DC11.exe in C:\RECYCLER
« Reply #4 on: September 24, 2010, 06:23:00 PM »
SafeSurf,

The forum was complaining that my post was too large.  Attached is the Avast Log you requested.

Thanks again.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37526
  • Not a avast user
Re: DC11.exe in C:\RECYCLER
« Reply #5 on: September 24, 2010, 06:56:42 PM »
What is the C:Recycler folder and is there anyway you can remove the files contained in it?
http://wiki.answers.com/Q/What_is_the_C:Recycler_folder_and_is_there_anyway_you_can_remove_the_files_contained_in_it

kkaran168

  • Guest
Re: DC11.exe in C:\RECYCLER
« Reply #6 on: September 24, 2010, 08:24:35 PM »
What is the C:Recycler folder and is there anyway you can remove the files contained in it?
http://wiki.answers.com/Q/What_is_the_C:Recycler_folder_and_is_there_anyway_you_can_remove_the_files_contained_in_it

Hi Pondus thank you for addressing my issue.

Yes, I saw that link also.  However, I thought you were not supposed to just delete the file.  I thought you were supposed to get a removal tool to do that.  See the sticky in this section: http://forum.avast.com/index.php?topic=5373.msg39361#msg39361.  I also cannot see the file.  I can only see the directory.  The link you suggest refers to another link which advises using rd /s to remove the RECYCLER directory along with its contents.  Will that crash my system?

SafeSurf

  • Guest
Re: DC11.exe in C:\RECYCLER
« Reply #7 on: September 25, 2010, 10:09:55 AM »
@ Pondus,

Since MBAM quarantined items that were part of the OP's registries for running the Security Center, wouldn't you think there is something else going on?

@ justaguy168,

To answer your questions:

1. At some point after we fix your problems, you should update from 4.8 to 5.0.677.
2. Prevx is a legitimate site as I use them with no conflict along side with Avast.
3. Your Avast Virus Chest should be in the GUI somewhere.  It's been a while since I've used 4.8.
4. Do not remove items that are quarantined from MBAM.

Question for you: Is your XP Firewall enabled?  Please check and confirm.  Thank you.

Please download and install:

1. CCleaner -  a freeware system optimization, privacy and cleaning tool.  There is a Slim version available as well at http://www.piriform.com/ccleaner/builds - 4th option down.  It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space.  It also cleans traces of your online activities such as your Internet history.  Additionally it contains a fully featured registry cleaner; do not use the registry cleaner while we are checking for malware now.  Reboot.

2. Download TFC by OldTimer to your desktop.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
·   It will close all programs when running, so make sure you have saved all your work before you begin.
·   Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
·   Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.  Reboot after install.

Next, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTL log.  Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).  We can then analyze this in the meantime for any malware, and if any malware is found we will refer you to one of our malware experts.  Thank you.

Please let us know if you have any questions.  Thank you.