Author Topic: DC12.exe in my Flash Disk  (Read 27102 times)


Offline Oriour

  • Jr. Member
  • **
  • Posts: 91
DC12.exe in my Flash Disk
« on: October 28, 2007, 01:22:06 AM »
Avast managed to catch a trojan called DC12.exe trying to get itself into the system32 folder, while I was accessing my flash at one point, then McAfee caught the same thing on another computer. Scanning the flash disk (both programs) revealed nothing, so I just rebooted then went into my computer and formatted the thing. Is there anything more I should do, or should that be sufficient to remove whatever was in the disk that spawned the trojan?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: DC12.exe in my Flash Disk
« Reply #1 on: October 28, 2007, 01:42:38 AM »
Where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. SUPERantispyware (On-Demand only in free version). Or AVG anti-spyware (formerly Ewido) (Resident scanner during trial, On-Demand after trial ends). Or Spyware Terminator (Resident scanner).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Oriour

  • Jr. Member
  • **
  • Posts: 91
Re: DC12.exe in my Flash Disk
« Reply #2 on: October 28, 2007, 02:46:59 AM »
C:\windows\system32\DC12.exe

I managed to move the file to the chest on my home pc, now how do I get it securely out so it doesn't do anything, is it the extract function in the chest?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: DC12.exe in my Flash Disk
« Reply #3 on: October 28, 2007, 03:09:32 AM »
The file can't do anything in the chest. It's safe there. Did you submit the file as DavidR suggested? Don't want to remove a good file.

What you can do with a file in the chest.

Add file. You can add files to the "User files" category only.
Delete file. Files are deleted irreversibly, i.e. they are not moved to the recycle bin!
Restore file. The file will be moved to its original location, i.e. to the folder on your disks where it was moved to the Chest from. Simultaneously, it is removed from the Chest.
Extract file. The file is copied to the selected folder.
Scan file. The file is scanned for viruses.
Show file properties. The file properties are displayed; it is possible to add a comment to the file.
Email to ALWIL Software.

Right click the file or use the menu at the top of the chest page.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: DC12.exe in my Flash Disk
« Reply #4 on: October 28, 2007, 03:12:09 AM »
Yes, extract sends a copy to a temporary folder of your choice, it is obviously best not to send it back to the original location. A copy will remain in the chest.

avast may alert whilst trying to move it or upload it; pause the standard shield to extract it and upload it to VT or Jotti, and as soon as it is on its way enable the standard shield again.

You have to run some of those other scans to see if they find what tried to place it in the system32 folder, as that is clearly not detected by avast.

Because it is possible that it may have come from a flash drive, look for autorun.inf files in the root folders of your HDD (there shouldn't be any in fixed drives) C:\, D:\, etc.
Scan the flash drive with the above tools and see if there is an autorun.inf in it also, if so open it with notepad and copy and paste the contents here.

Offline Oriour

  • Jr. Member
  • **
  • Posts: 91
Re: DC12.exe in my Flash Disk
« Reply #5 on: October 28, 2007, 03:18:30 AM »
Well, don't I need to extract it to scan it, or can I have it uploaded from the chest?

Also, super anti checked out clean in safemode.

I found an autorun with the following:

[AutoRun]
Open= .\RECYCLER\~systmp
shell\Open\command= .\RECYCLER\~systmp
shell\open\Default=1
shell\explore\Command= .\RECYCLER\~systmp
« Last Edit: October 28, 2007, 03:20:31 AM by Oriour »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: DC12.exe in my Flash Disk
« Reply #6 on: October 28, 2007, 03:26:15 AM »
Quote from: Oriour on October 28, 2007, 03:18:30 AM
Well, don't I need to extract it to scan it, or can I have it uploaded from the chest?


If you are uploading it to virustotal or jotti, you will have to extract it to a temp location.

Like I said, the chest is a safe place, files can't be run or accessed from outside.

Offline Oriour

  • Jr. Member
  • **
  • Posts: 91
Re: DC12.exe in my Flash Disk
« Reply #7 on: October 28, 2007, 03:30:27 AM »
Virus total:

Antivirus     Version     Last Update     Result
AhnLab-V3   2007.10.27.0   2007.10.26   Win-Trojan/Bifrose.39826
AntiVir   7.6.0.30   2007.10.26   Worm/Bobic.O.1
Authentium   4.93.8   2007.10.26   W32/BifrostP.F
Avast   4.7.1074.0   2007.10.27   Win32:Trojan-gen {Other}
AVG   7.5.0.503   2007.10.27   Generic4.CLV
BitDefender   7.2   2007.10.28   Win32.Worm.Bobic.O
CAT-QuickHeal   9.00   2007.10.26   (Suspicious) - DNAScan
ClamAV   0.91.2   2007.10.27   -
DrWeb   4.44.0.09170   2007.10.27   -
eSafe   7.0.15.0   2007.10.22   Suspicious File
eTrust-Vet   31.2.5244   2007.10.26   -
Ewido   4.0   2007.10.27   -
FileAdvisor   1   2007.10.28   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.26   W32/BifrostP.F
F-Secure   6.70.13030.0   2007.10.27   W32/Malware.AREF
Ikarus   T3.1.1.12   2007.10.27   Backdoor.Win32.Bifrose.aer
Kaspersky   7.0.0.125   2007.10.28   Heur.Trojan.Generic
McAfee   5150   2007.10.26   BackDoor-CEP.svr
Microsoft   1.2908   2007.10.28   -
NOD32v2   2620   2007.10.27   Win32/Bifrose.NCC
Norman   5.80.02   2007.10.26   W32/Malware.AREF
Panda   9.0.0.4   2007.10.27   Suspicious file
Prevx1   V2   2007.10.28   -
Rising   19.46.51.00   2007.10.27   Backdoor.Win32.Bifrose.yg
Sophos   4.23.0   2007.10.28   -
Sunbelt   2.2.907.0   2007.10.27   -
Symantec   10   2007.10.28   Downloader
TheHacker   6.2.9.110   2007.10.27   -
VBA32   3.12.2.4   2007.10.26   Trojan.Win32.Bifrose.NCC
VirusBuster   4.3.26:9   2007.10.27   Backdoor.Bifrose.ZK
Webwasher-Gateway   6.6.1   2007.10.28   Worm.Bobic.O.1

Additional information
File size: 39774 bytes
MD5: 4d10db9ee6ab46f140b3bff036d567bb
SHA1: 3b201c8b43e784259e65fa944908646ec15497e9
« Last Edit: October 28, 2007, 03:32:44 AM by Oriour »

Offline Oriour

  • Jr. Member
  • **
  • Posts: 91
Re: DC12.exe in my Flash Disk
« Reply #8 on: October 28, 2007, 03:45:36 AM »
Jotti:

 A-Squared     
Found nothing
AntiVir    
Found WORM/Bobic.O.1
ArcaVir    
Found Trojan.Bifrose.Yg
Avast    
Found Win32:Trojan-gen {Other}
AVG Antivirus    
Found Generic4.CLV
BitDefender    
Found Win32.Worm.Bobic.O
ClamAV    
Found nothing
CPsecure    
Found nothing
Dr.Web    
Found nothing
F-Prot Antivirus    
Found W32/BifrostP.F
F-Secure Anti-Virus    
Found nothing
Fortinet    
Found nothing
Kaspersky Anti-Virus    
Found nothing
NOD32    
Found Win32/Bifrose.NCC
Norman Virus Control    
Found W32/Malware.AREF
Panda Antivirus    
Found nothing
Rising Antivirus    
Found Backdoor.Win32.Bifrose.yg
Sophos Antivirus    
Found nothing
VirusBuster    
Found Backdoor.Bifrose.ZK
VBA32    
Found Trojan.Win32.Bifrose.NCC

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: DC12.exe in my Flash Disk
« Reply #9 on: October 28, 2007, 03:47:26 AM »
Quote from: Oriour on October 28, 2007, 03:18:30 AM
Well, don't I need to extract it to scan it, or can I have it uploaded from the chest?

Also, super anti checked out clean in safemode.

I found an autorun with the following:

[AutoRun]
Open= .\RECYCLER\~systmp
shell\Open\command= .\RECYCLER\~systmp
shell\open\Default=1
shell\explore\Command= .\RECYCLER\~systmp

1. you have to extract it to upload it to VT or Jotti as I mentioned in bold in my first reply.

2. If you tried to scan the file in the chest with super anti spyware it may have failed to detect anything, as it effectively can't scan it: files in the chest are encrypted. If outside the chest, then SAS failed to detect it where avast and 20 other scanners did, which shows not to rely on a single application.

3. You don't say where this autorun.inf was found (?), if on the Hard Disk it should be deleted.

I'm not too familiar with the commands, but it looks like it is trying to possibly set up a hidden folder in the recycle bin/s.
It could also be trying to divert any file that is opened so it is sent to this folder in the recycle bin, which could wreak havoc.

Of course someone with experience of these commands could shine some light on it, suffice to say it doesn't look very nice.
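For anyone wanting a quick, repeatable read of an autorun.inf like the one quoted above, the script below is an added example written for this thread; it is not code from the original posts or from Avast. It parses the [AutoRun] section the way Explorer treats it (key names case-insensitive) and reports the directives that cause code to run: Open= / ShellExecute= (launch on insert or AutoPlay), shell\<verb>\command= (a context-menu verb such as "open" or "explore" rewritten to run something else), shell\<verb>\Default=1 (that verb becomes the double-click action), and any launch target sitting in a folder a user would not normally browse, such as RECYCLER. Both sample autorun.inf texts are constructed; the first copies the one posted in this thread, the second is the harmless icon-and-label kind a vendor ships.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample: the autorun.inf quoted from the flash drive in the thread above.
SUSPECT_AUTORUN = r"""[AutoRun]
Open= .\RECYCLER\~systmp
shell\Open\command= .\RECYCLER\~systmp
shell\open\Default=1
shell\explore\Command= .\RECYCLER\~systmp
"""

# Constructed sample: the kind of autorun.inf a vendor ships to set an icon and label.
BENIGN_AUTORUN = r"""[autorun]
icon=drive.ico
label=Company USB Stick
"""

# Keys that ask Explorer to run something when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command rewrites what a context-menu verb (open, explore, ...) runs.
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")
# shell\<verb>\default=1 makes that verb the double-click action.
VERB_DEFAULT_RE = re.compile(r"^shell\\([^\\]+)\\default$")
# Launch targets living in places a user would not normally browse into.
HIDDEN_TARGET_RE = re.compile(
    r"(recycler|recycled|\$recycle\.bin|system volume information|\\~)", re.IGNORECASE
)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as {lowercased key: value}; {} if absent."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str.lower  # key names are case-insensitive in autorun.inf
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {key: value.strip() for key, value in cp.items(section)}
    return {}


def triage_autorun(text: str) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs; an empty list means no launch directives."""
    findings: List[Tuple[str, str]] = []
    targets: List[str] = []  # launch targets, in order of appearance
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS:
            findings.append(("LAUNCH", f"{key}= runs '{value}' on insert/AutoPlay"))
            targets.append(value)
        elif (m := VERB_COMMAND_RE.match(key)):
            findings.append(("VERB_HIJACK", f"'{m.group(1)}' verb now runs '{value}'"))
            targets.append(value)
        elif (m := VERB_DEFAULT_RE.match(key)) and value == "1":
            findings.append(("DEFAULT_VERB", f"'{m.group(1)}' made the double-click action"))
    # Report each distinct target once, only if it sits somewhere a user would not look.
    for target in dict.fromkeys(targets):
        if HIDDEN_TARGET_RE.search(target):
            findings.append(("HIDDEN_TARGET", f"launch target '{target}' sits in a hidden/system folder"))
    return findings


if __name__ == "__main__":
    import sys

    # Pass a path (e.g. E:\autorun.inf, hypothetical) or fall back to the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1", errors="replace") as fh:
            text = fh.read()
    else:
        text = SUSPECT_AUTORUN
    for code, detail in triage_autorun(text) or [("CLEAN", "no launch directives")]:
        print(f"{code:14} {detail}")
```

On the posted file the script reports a launch on insert, both the "open" and "explore" verbs redirected to the same file, "open" forced as the default action, and the target hidden under RECYCLER, which matches DavidR's reading above. Since the 2009 KB971029 update Windows no longer honours autorun.inf on USB sticks, but the same keys still apply to optical media and to older systems, so the check remains useful when triaging an infected drive.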

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: DC12.exe in my Flash Disk
« Reply #10 on: October 28, 2007, 03:49:58 AM »
It appears to be a good detection.

@DavidR
I'm not sure about the autorun either. Sooo..

Let's see if we can see anything else.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Offline Oriour

  • Jr. Member
  • **
  • Posts: 91
Re: DC12.exe in my Flash Disk
« Reply #11 on: October 28, 2007, 03:53:14 AM »
oh sorry, the auto is in my flash disk, e:/autorun and its target is similarly the recycler in the disk, at least I think since it has the file.
« Last Edit: October 28, 2007, 04:09:52 AM by Oriour »

Offline Oriour

  • Jr. Member
  • **
  • Posts: 91
Re: DC12.exe in my Flash Disk
« Reply #12 on: October 28, 2007, 03:55:01 AM »
Logfile of HijackThis v1.99.1
Scan saved at 7:54:27 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070706
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070706
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070706
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=rVl-Zb0oXkJ0WUVBHmRv8e3836s
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\usrinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189826159375
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
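As an added example for reading a HijackThis log like the one above (not code from the thread, from HijackThis or from Avast), the script below parses the "Xn - ..." entry lines and applies two of the checks a reviewer does by eye: the F2 UserInit value is compared with the stock Windows value, which contains only userinit.exe, and any extra executable listed there is flagged for verification; and O23 service lines marked "(file missing)" are listed so the path can be confirmed by hand. Both are prompts to check, not verdicts: the stray quote in the two avast service lines above suggests HijackThis split a quoted ImagePath, which would explain that "(file missing)" remark. The log excerpt in the script is constructed from the posted log and keeps only the line types the checks read.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the HijackThis 1.99.1 log posted above; only the entry
# types the checks below look at are kept.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\usrinit.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# The only executable Windows itself puts in UserInit (system root may vary).
STOCK_USERINIT_RE = re.compile(r"^(?:[a-z]:\\windows|%systemroot%)\\system32\\userinit\.exe$")


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (code, body) pairs, skipping the header and process list."""
    entries: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def userinit_extras(body: str) -> List[str]:
    """Return entries of an F2 UserInit value other than the stock userinit.exe."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    parts = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
    return [p for p in parts if not STOCK_USERINIT_RE.match(p)]


def service_name(body: str) -> str:
    """'Service: Name - Owner - Path' -> 'Name'."""
    return body.split("Service:", 1)[1].split(" - ", 1)[0].strip()


def triage_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs for the entries worth a manual look."""
    findings: List[Tuple[str, str]] = []
    for code, body in parse_entries(log):
        if code == "F2" and "userinit=" in body.lower():
            for extra in userinit_extras(body):
                findings.append(("USERINIT_EXTRA", extra))
        elif code == "O23" and "(file missing)" in body:
            findings.append(("SERVICE_FILE_MISSING", service_name(body)))
    return findings


if __name__ == "__main__":
    import sys

    # Pass a saved hijackthis.log path (hypothetical) or fall back to the constructed excerpt.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1", errors="replace") as fh:
            log = fh.read()
    else:
        log = SAMPLE_LOG
    for code, detail in triage_hjt(log) or [("NOTHING_FLAGGED", "")]:
        print(f"{code:22} {detail}")
```

On the excerpt the script lists the second UserInit executable and the "avast! Mail Scanner" service; the usual next step for each is to check that the file exists at that path and to look up its name and hash, as was done for DC12.exe earlier in the thread.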


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: DC12.exe in my Flash Disk
« Reply #13 on: October 28, 2007, 05:55:28 AM »
Sorry about the delay. Got called away to look at a 386  ::)

I don't see anything in your log.

Someone else will have to comment on the autorun in e:\.  I'm curious as to it pointing at the recycler.

Btw, is e:\ a CD, or is it the drive letter assigned to the flash?

I'm still looking for info on a malformed autorun.    :)

Offline Oriour

  • Jr. Member
  • **
  • Posts: 91
Re: DC12.exe in my Flash Disk
« Reply #14 on: October 28, 2007, 06:24:02 AM »
It's the letter assigned to the flash.

Also, I noticed that the folder and autorun would respawn after formatting the disk, I decided to upload systmp to virus total and see what came up:

AhnLab-V3   2007.10.27.0   2007.10.26   Win32/Autorun.worm.136109
AntiVir   7.6.0.30   2007.10.26   Worm/Bobic.O.1
Authentium   4.93.8   2007.10.26   -
Avast   4.7.1074.0   2007.10.27   -
AVG   7.5.0.503   2007.10.27   Generic4.QDK
BitDefender   7.2   2007.10.28   Trojan.Dropper.RGQ
CAT-QuickHeal   9.00   2007.10.26   -
ClamAV   0.91.2   2007.10.28   -
DrWeb   4.44.0.09170   2007.10.27   Win32.HLLW.Autoruner.551
eSafe   7.0.15.0   2007.10.22   -
eTrust-Vet   31.2.5244   2007.10.26   -
Ewido   4.0   2007.10.27   -
FileAdvisor   1   2007.10.28   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.26   -
F-Secure   6.70.13030.0   2007.10.27   Virus.Win32.AutoRun.ih
Ikarus   T3.1.1.12   2007.10.27   -
Kaspersky   7.0.0.125   2007.10.28   Virus.Win32.AutoRun.ih
McAfee   5150   2007.10.26   -
Microsoft   1.2908   2007.10.28   -
NOD32v2   2620   2007.10.27   probably unknown NewHeur_PE virus
Norman   5.80.02   2007.10.26   W32/Malware
Panda   9.0.0.4   2007.10.27   -
Prevx1   V2   2007.10.28   -
Rising   19.46.52.00   2007.10.28   Worm.Agent.tw
Sophos   4.23.0   2007.10.28   -
Sunbelt   2.2.907.0   2007.10.27   -
Symantec   10   2007.10.28   W32.SillyDC
TheHacker   6.2.9.110   2007.10.27   -
VBA32   3.12.2.4   2007.10.28   Virus.Win32.AutoRun.ih
VirusBuster   4.3.26:9   2007.10.27   -
Webwasher-Gateway   6.6.1   2007.10.28   Worm.Bobic.O.1

Additional information
File size: 136114 bytes
MD5: f19578f7b6ed4c429238e67577e9ce63
SHA1: 5eac4525ba91d5d7600eec5c9e40003c9fa492c8
« Last Edit: October 28, 2007, 06:38:26 AM by Oriour »