February 8, 2009

During my routine weekly scan on Avira something came up which I'm a bit concerned about:

C:\RECYCLER\S-1-5-21-3410578098-587847939-1203241884-1007\Dc6.exe
[WARNING] The file could not be opened!

I did a Google search for this [Dc6.exe] and it's apparently a backdoor trojan. I had a look in C:\RECYCLER, and apparently the total size of said folder is 0mb; any Google info says the virus in question should be about 170Mb or so. I also haven't noticed any of the problems associated with said trojan which came up in the Google results; I've had no browser popups (I'm using ABP on Fx 3.1b2 if this makes any difference) and I haven't noticed/logged any random processes running. Apart from a few tracking cookies, I haven't had anything come up on this computer since I first installed Avira and it found all the things that Norton didn't, and this is the first time I've seen this warning. Need I be worried? Here's a HJT log if you need it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27:16, on 08/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe
C:\Program Files\X-Chat 2\xchat.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/tel ... tTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/a ... Atchmt.ocx
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5422 bytes

What should I do?

"In the beginning, the universe was created. This has made a lot of people very angry and been widely regarded as a bad move."
February 8, 2009

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Something doesn't seem right about that file. Why would HiJack be logging something that doesn't exist...? Could you tell us if you've been to any sites that might be suspicious?

I was going to eat hot dogs for dinner tonight. I think I will settle for cereal. OPEN WIDE HERE COMES THE HELICOPTER.
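A small triage pass over log lines of this shape, added here as an example and not code from the thread or from HijackThis itself: it separates "(no file)" entries (a registry reference whose target is gone) from entries that actually load something from a recycle or temp folder. The sample lines are constructed in the log's format, including one made-up O4 entry pointing into RECYCLER to show what a genuinely worrying line would look like.

```python
"""Added example, not from the thread or from HijackThis: classify HJT entry lines.
The sample is constructed in the log's format; the RECYCLER autorun line is made up."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis format (one entry per line).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [updater] C:\RECYCLER\S-1-5-21-3410578098-587847939-1203241884-1007\Dc6.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")  # section tag, then the entry body
SUSPECT_DIRS = ("\\recycler\\", "\\$recycle.bin\\", "\\temp\\")  # matched case-insensitively
DRIVE_RE = re.compile(r"[A-Za-z]:\\")  # a full path starts with a drive letter

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def parse_entries(text):
    """Yield (section, body) for each entry line; headers and the process list are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(text):
    """Return findings in log order, one per entry that deserves a second look."""
    findings = []
    for section, body in parse_entries(text):
        low = body.lower()
        if low.endswith("(no file)"):
            findings.append(Finding(section, "orphaned entry: the registry still points at a file that is gone", body))
        elif any(d in low for d in SUSPECT_DIRS):
            findings.append(Finding(section, "loads from a recycle or temp folder, which installed software does not do", body))
        elif section == "O4" and not DRIVE_RE.search(body):
            findings.append(Finding(section, "autorun gives a bare filename, so which file runs depends on the search path", body))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```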
February 8, 2009 (Author)

It's a shared computer though, which is a problem. I try to avoid any suspicious-looking sites, but it's possible someone else in my family could have gotten on to something, though I have no way of finding out what. :|

"In the beginning, the universe was created. This has made a lot of people very angry and been widely regarded as a bad move."
February 8, 2009

It's a shared computer though, which is a problem. I try to avoid any suspicious-looking sites, but it's possible someone else in my family could have gotten on to something, though I have no way of finding out what. :|

That makes things a bit more complex. You haven't been to any, so it rules you out. Check your history to see what sites were visited? If not that, then boot into safe mode and see what a scan pulls up.

I was going to eat hot dogs for dinner tonight. I think I will settle for cereal. OPEN WIDE HERE COMES THE HELICOPTER.
February 8, 2009 (Author)

I've tried just scanning C:\recycler but it comes up with the same warning. I don't see how safe mode would make a difference. I can't find anything in history that looks suspicious. Everything I look at usually is in bookmarks (all are safe), and the odd thing from a Google search. It's possible it's someone else in my family, though I'm more concerned about getting rid of said thing than finding out where it came from.

"In the beginning, the universe was created. This has made a lot of people very angry and been widely regarded as a bad move."
February 9, 2009

I've tried just scanning C:\recycler but it comes up with the same warning. I don't see how safe mode would make a difference. I can't find anything in history that looks suspicious. Everything I look at usually is in bookmarks (all are safe), and the odd thing from a Google search. It's possible it's someone else in my family, though I'm more concerned about getting rid of said thing than finding out where it came from.

You should be able to remove it simply by emptying the recycle bin for all users of the computer. C:/recycler is where the files are stored when you delete them in Windows and haven't yet emptied your recycle bin. There is a hidden recycler folder on every hard drive in Windows, including portable USB ones (plug a USB hard drive into 1 computer and delete a file on it; unplug the drive, go to another Windows machine and plug it in; go to the recycle bin on the 2nd computer and it will be in there, waiting for you to confirm its deletion).
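Since the reply above describes one RECYCLER subfolder per user SID, here is an added example (my code, not the thread's) that inventories such a tree by owner, size and SHA-256 and records any file that cannot be opened, which is the warning Avira printed for Dc6.exe; the root folder is a parameter, and demo() runs it over a constructed temporary tree rather than the real C:\RECYCLER.

```python
"""Added example, not from the thread: inventory a RECYCLER-style tree (one subfolder
per user SID) by owner, size and SHA-256, recording any file that cannot be opened."""
import hashlib
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")  # account SID; the last component is the RID

def describe_sid(name):
    """Say who a RECYCLER subfolder belongs to, from its SID alone (1000+ = accounts created after setup)."""
    if name == "S-1-5-18":
        return "SYSTEM"
    m = SID_RE.match(name)
    if not m:
        return "not an account SID"
    rid = int(m.group(1))
    return {500: "built-in Administrator", 501: "built-in Guest"}.get(rid, "account RID %d" % rid)

def inventory(root):
    """One record per file under root/<SID>/...; an unreadable file gets an error instead of a hash."""
    records = []
    for sid_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for f in sorted(p for p in sid_dir.rglob("*") if p.is_file()):
            rec = {"sid": sid_dir.name, "owner": describe_sid(sid_dir.name),
                   "name": f.name, "size": f.stat().st_size, "sha256": None, "error": None}
            try:
                h = hashlib.sha256()
                with open(f, "rb") as fh:  # raises OSError when the file is locked or unreadable
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
                rec["sha256"] = h.hexdigest()
            except OSError as e:  # the "file could not be opened" case a scanner reports
                rec["error"] = str(e)
            records.append(rec)
    return records

def demo():
    """Build a constructed tree (the thread's SID, a 64-byte 'Dc6.exe', an empty file) and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "S-1-5-21-3410578098-587847939-1203241884-1007"
        d.mkdir()
        (d / "Dc6.exe").write_bytes(b"MZ" + b"\x00" * 62)  # MZ header only, not a real program
        (d / "Dc7.txt").write_bytes(b"")
        return inventory(tmp)

if __name__ == "__main__":
    for r in demo():
        print(r)
```

Comparing the size and hash this reports against what Explorer shows is the quickest way to tell a stale directory entry from a file that is really there.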
February 9, 2009 (Author)

Tried that, I also ran CCleaner and it's still there. Either something is horribly corrupted, or it's malware. Would a so-called 'file shredding' tool be able to do it?

"In the beginning, the universe was created. This has made a lot of people very angry and been widely regarded as a bad move."
February 10, 2009

Give it a shot, it should remove it.

I was going to eat hot dogs for dinner tonight. I think I will settle for cereal. OPEN WIDE HERE COMES THE HELICOPTER.