Cannot Remove Win32:Malware-gen - Please assist.

Ran a couple of scans (boot-time and real time) and avast! will NOT let me DELETE or MOVE the following malware to the virus chest:

C:\WINDOWS\Installer\23a75fcc.msp|>PCW_CAB_H15|>MSTORDB.EXE

I’ve repaired and updated my avast! AV software, and I’m still having no luck. I’m sure it’s not a huge threat, but I’d like to remove this .exe file ASAP. Would someone mind assisting me as I’m having no luck on my own?

Thank you all a ton in advance.

Hi sinistersims,

See if it is the real one here: http://www.pcpitstop.com/libraries/process/i/mstordb.exe.html

polonus

Googled this info

MSTORDB.EXE - MSTORDB.EXE information
http://www.pc1news.com/files/76384-mstordb-exe.html

have you run Malwarebytes for a second opinion ?

Just updated and ran a fresh MBAM scan (log below)… nothing significant to note, so do I assume that it’s a legit process? How can I double-check to make sure it’s the real deal and not malware? I am NOT running MS Clips, so I’d like to make sure the process is disabled. Can someone walk me through this process, as I haven’t been able to find it under Control Panel > Admin Tools > Services.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4686

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

9/24/2010 4:40:22 PM
mbam-log-2010-09-24 (16-40-22).txt

Scan type: Quick scan
Objects scanned: 148854
Time elapsed: 9 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Hi sinistersims,

It is not only for MS Clips, but also part of Office when on Vista, Windows7, re: http://www.file.net/process/mstordb.exe.html
See with the task manager what is running and if it is kosher?
Also read here for the associated vulnerabilities of the executable:
http://www.pc1news.com/files/76384-mstordb-exe.html
Download freefixer here: http://www.freefixer.com/static/freefixersetup.exe
and give me a log before fixing anything, we’ll have a look for ye,

An error could be through this: Common FL21WIN.DLL Error Behaviors through a Parsing Vulnerability of the DLL…

Changes the content of the autoexec.bat file and makes it behave improperly
Modifies firewall settings automatically and leaves a vulnerability to spyware or viruses.
Executes a process
Changes firewall settings without letting users know, so as to access the Internet as it likes.
Disables the proper running of the built-in Windows File Protection System
Accesses other computers remotely by using HTTP protocols

polonus

FreeFixer v0.58 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 3
Log dated 2010-09-24 17:48

Suspicious file names
C:\WINDOWS\system32\hh.exe

Browser Helper Objects (3 whitelisted)
{9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80}, PopKiller Class, C:\Program Files\SysShield Tools\Internet Eraser\pkext.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7}, Google Toolbar Helper, C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}, Google Toolbar Notifier BHO, C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
{D2C5E510-BE6D-42CC-9F61-E4F939078474}, Lexmark Printable Web, C:\Program Files\Lexmark Printable Web\bho.dll

Internet Explorer toolbars (3 whitelisted)
HKLM..\Toolbar{EE9DD090-902D-4623-9360-FB7D8666202B} - AbsoluteShield - C:\Program Files\SysShield Tools\Internet Eraser\AbsoluteBar.dll
HKLM..\Toolbar{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
HKCU..\Toolbar\ShellBrowser{C4069E3A-68F1-403E-B40E-20066696354B} - - (no file specified)
HKCU..\Toolbar\WebBrowser{043C5167-00BB-4324-AF7E-62013FAEDACF} - - (no file specified)

Basic Internet Explorer settings
HKCU..\Main, Start Page = http://www.yahoo.com/
HKCU..\Desktop\General, Wallpaper = C:\Documents and Settings\Big Daddy D\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

Registry Startups (21 whitelisted)
HKLM..\Run, hpWirelessAssistant = C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
HKLM..\Run, QPService = “C:\Program Files\HP\QuickPlay\QPService.exe”
HKLM..\Run, HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HKLM..\Run, QlbCtrl = C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
HKLM..\Run, RecGuard = C:\Windows\SMINST\RecGuard.exe
HKLM..\Run, Reminder = C:\Windows\CREATOR\Remind_XP.exe
HKLM..\Run, BlackBerryAutoUpdate = C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
HKLM..\Run, Google Quick Search Box = “C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe” /autorun
HKLM..\Run, Monitor = “C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe”
HKLM..\Run, FPCCSMiddleware = C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
HKLM..\Run, PAC7302_Monitor = C:\WINDOWS\PixArt\PAC7302\Monitor.exe
HKLM..\Run, QuickTime Task = “C:\Program Files\QuickTime\qttask.exe” -atboottime
HKCU..\Run, swg = “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
HKCU..\Run, Google Update = “C:\Documents and Settings\Big Daddy D\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c

Autostart shortcuts
AbsoluteShield Internet Eraser.lnk, , C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe

HOSTS file
ÿþ127.0.0.1 localhost

Processes (41 whitelisted)
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
C:\Documents and Settings\Big Daddy D\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Big Daddy D\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\FreeFixer\freefixer.exe

Services (45 whitelisted)
gupdate, Google Update Service (gupdate), c:\program files\google\update\googleupdate.exe
hpqwmiex, hpqwmiex, c:\program files\hewlett-packard\shared\hpqwmiex.exe
IS360service, IS360service, c:\program files\iobit\iobit security 360\is360srv.exe
LeapFrog Connect Device Service, LeapFrog Connect Device Service, c:\program files\leapfrog\leapfrog connect\commandservice.exe
LightScribeService, LightScribeService Direct Disc Labeling Service, c:\program files\common files\lightscribe\lssrvc.exe
RoxLiveShare9, LiveShare P2P Server 9, c:\program files\common files\roxio shared\9.0\sharedcom\roxliveshare9.exe (file is missing)

Svchost.exe Modules (231 whitelisted)
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7bffd7ff2009f421fe5d229927588496\mscorlib.ni.dll

Explorer.exe Modules (144 whitelisted)
C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
C:\Program Files\IObit\IObit Security 360\IS360Ext.dll

Windows XP Firewall authorized apps (14 whitelisted)
C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe
C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe
C:\Program Files\HP\Digital Imaging\bin\hposid01.exe
C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe
C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe
C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe
C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe
C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe
C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\SopCast\adv\SopAdver.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe

Recently created/modified files (20 whitelisted)
6 minutes, c:\Program Files\FreeFixer\Uninstall.exe
6 minutes, c:\Documents and Settings\Big Daddy D\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00002a
6 minutes, c:\Documents and Settings\Big Daddy D\My Documents\Downloads\freefixersetup.exe
1 hour, c:\Documents and Settings\Big Daddy D\Local Settings\Temp\~nsu.tmp\Au_.exe
2 hours, c:\Program Files\Alwil Software\Avast5\defs\10092401\algo.dll
2 hours, c:\Documents and Settings\Big Daddy D\My Documents\Downloads\ccsetup235.exe
3 hours, c:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP84\A0010853.scr
3 hours, c:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP84\A0010830.dll
3 hours, c:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP84\A0010831.exe
3 hours, c:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP84\A0010857.exe

The following errors occurred during the scan:
Problems opening folder ‘c:\ea24008552d46abe14b535\update’ to enumerate files. FindFirstFile failed. System error message: Access is denied. Error code: 5.

End of FreeFixer log
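The FreeFixer log above is reviewed by eye in the thread. As an added example (not part of the thread, and not FreeFixer's own code), the PowerShell below splits a FreeFixer-style log on its section headers and flags the entries an analyst usually reads first: anything running from or recently written under a temp folder, services whose binary is missing, registrations with no file, unquoted startup paths containing spaces, and a HOSTS file that starts with a UTF-16 byte-order mark (the "ÿþ" the log shows) instead of plain ANSI text. It assumes PowerShell 3 or later on an analyst workstation, so copy the saved log there rather than running it on the XP machine; the sample log, user name and paths are constructed for the demonstration.

```powershell
# Added example: triage a FreeFixer-style log. Not thread or FreeFixer code.
# Assumes PowerShell 3+ (for [pscustomobject] and Get-Content -Raw).

# Constructed sample, shaped like the log lines in the thread (illustrative values).
$SampleLog = @(
    'FreeFixer v0.58 log',
    'Operating system: Windows XP Service Pack 3',
    '',
    'Registry Startups (21 whitelisted)',
    'HKLM..\Run, QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    'HKCU..\Run, Updater = C:\Documents and Settings\User\Local Settings\Temp\updater.exe',
    '',
    'HOSTS file',
    ([string][char]0xFF + [char]0xFE + '127.0.0.1 localhost'),   # UTF-16 BOM, shown as "ÿþ"
    '',
    'Services (45 whitelisted)',
    'RoxLiveShare9, LiveShare P2P Server 9, c:\program files\common files\roxio shared\9.0\sharedcom\roxliveshare9.exe (file is missing)',
    '',
    'Recently created/modified files (20 whitelisted)',
    '6 minutes, c:\Documents and Settings\User\My Documents\Downloads\freefixersetup.exe',
    '1 hour, c:\Documents and Settings\User\Local Settings\Temp\~nsu.tmp\Au_.exe'
) -join "`n"

function Get-FreeFixerSections {
    # Returns an ordered map of section name -> list of entry lines.
    # A header is a line of letters/spaces, optionally followed by "(N whitelisted)";
    # entry lines always contain a path, digit, comma or colon, so they never match.
    param([Parameter(Mandatory = $true)][string]$LogText)
    $sections = [ordered]@{}
    $current = $null
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match '^(?<name>[A-Za-z][A-Za-z /.]*?)(?: \(\d+ whitelisted\))?$') {
            $current = $Matches.name
            $sections[$current] = New-Object 'System.Collections.Generic.List[string]'
        }
        elseif ($current -and $line.Trim().Length -gt 0) {
            $sections[$current].Add($line)
        }
    }
    return $sections
}

function Find-FreeFixerSuspects {
    # Applies the review heuristics and returns one object per flagged entry.
    param([Parameter(Mandatory = $true)][string]$LogText)
    $findings = @()
    $sections = Get-FreeFixerSections -LogText $LogText
    foreach ($name in $sections.Keys) {
        foreach ($entry in $sections[$name]) {
            $reasons = @()
            if ($entry -match '\\Temp\\' -or $entry -match '\\Temporary Internet Files\\') {
                $reasons += 'file lives under a temp folder'
            }
            if ($entry -match '\(file is missing\)') { $reasons += 'service registered but binary absent' }
            if ($entry -match '\(no file specified\)') { $reasons += 'registration with no file' }
            if ($name -eq 'Registry Startups' -and $entry -match '= [A-Za-z]:\\[^"]*\s[^"]*\.exe') {
                $reasons += 'unquoted startup path containing spaces'
            }
            if ($name -eq 'HOSTS file' -and $entry -match '^\xFF\xFE') {
                $reasons += 'HOSTS file starts with a UTF-16 BOM, not plain ANSI text'
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Section = $name
                    Entry   = $entry
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
    return ,$findings
}

# Run against the constructed sample; for a real log use:
#   Find-FreeFixerSuspects -LogText (Get-Content -Raw 'C:\path\to\freefixer.log')
Find-FreeFixerSuspects -LogText $SampleLog | Format-Table -AutoSize -Wrap
```

On the sample this flags the Temp-based Run entry (twice: temp folder and unquoted path), the Roxio service with the missing binary, the BOM-prefixed HOSTS line, and the Au_.exe under ~nsu.tmp. A flag is a reason to look, not a verdict: the thread itself shows Au_.exe turning out to be a CCleaner installer component.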

Hi sinistersims,

Then this is malware and should be fixed: c:\Documents and Settings\Big Daddy D\Local Settings\Temp\~nsu.tmp\Au_.exe
Read explanation here:
http://www.threatexpert.com/report.aspx?md5=f74708da4f2d06c8114b1077f957dc68
Consider this also: This file is not really a SpyFalcon issue. It is from an installer which could be used to install good valid software or any malware program if the creator of the malware used NSIS as their installer. Any process that executes could be in the Prefetch folder for a period of time. About the Au_.exe, this could be a legitimate exe, or it could be malware… The fact that it is from the ~nsu.tmp folder is because it uses the Nullsoft Install System. Many programs use this, so this doesn’t mean that this is malware.
Do you have Winamp installed for example? Because I know Winamp puts an Au_.exe there as well which connects with the internet.
If you’re in doubt, just upload that file here:
http://www.virustotal.com/en/indexf.html
and let it scan. Download http://www.mvps.org/winhelp2002/DelDomains.inf, right-click the file and click Install.

polonus
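The two questions the thread keeps circling back to are "is this executable the real one?" (mstordb.exe earlier, Au_.exe here) and "what do I send to VirusTotal?". The PowerShell below is an added example, not code from the thread, avast! or VirusTotal: it collects the facts a defender checks before trusting or deleting a file, namely its SHA-256, its Authenticode signature status and signer, the company and description embedded in its version resource, and whether it sits under a vendor directory. Having the hash first lets you look the file up on VirusTotal by hash before deciding whether an upload is needed at all. It assumes PowerShell 3 or later on the machine holding the file; the path and the expected company name are caller-supplied assumptions (a genuine Microsoft mstordb.exe is expected to be signed by Microsoft). Note that the avast! detection in the first post points inside a cached Windows Installer patch (C:\WINDOWS\Installer\*.msp), which is an archive; this check is for an extracted or installed copy on disk.

```powershell
# Added example: provenance facts for a suspect executable. Not thread/avast!/VT code.
# Assumes PowerShell 3+; $Path and $ExpectedCompany are supplied by the caller.

function Get-ExecutableProvenance {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedCompany = 'Microsoft Corporation'   # assumption for a genuine mstordb.exe
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Not found: $Path" }

    # SHA-256 via .NET so this does not depend on Get-FileHash (PowerShell 4+).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { $digest = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose() }

    # Authenticode: Status is Valid / NotSigned / HashMismatch / UnknownError ...
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # Version resource: easy to forge, so it is corroboration, never proof.
    $ver = (Get-Item -LiteralPath $Path).VersionInfo

    # Vendor binaries normally live under Program Files or the Windows directory;
    # a copy in a temp or profile folder deserves a closer look. (-match is case-insensitive.)
    $inVendorDirs = [bool]($Path -match '^[A-Za-z]:\\(Program Files( \(x86\))?|WINDOWS)\\')

    # "Looks genuine" only when the signature chain validates AND the signer is the
    # expected organisation AND the file is where such a file belongs.
    $looksGenuine = ($sig.Status -eq 'Valid') -and
                    ($signer -like "*O=$ExpectedCompany*") -and
                    $inVendorDirs

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $digest          # search this on VirusTotal before uploading anything
        SignatureStatus = $sig.Status
        Signer          = $signer
        CompanyName     = $ver.CompanyName
        FileDescription = $ver.FileDescription
        ProductVersion  = $ver.ProductVersion
        InVendorDirs    = $inVendorDirs
        LooksGenuine    = $looksGenuine
    }
}

# Usage (placeholder path; substitute the location avast! or FreeFixer reported):
Get-ExecutableProvenance -Path 'C:\path\to\MSTORDB.EXE' | Format-List
```

Read the output in this order: a `SignatureStatus` of `Valid` with the expected signer settles the question for a signed Microsoft binary; `NotSigned` is inconclusive (many legitimate third-party installers, NSIS stubs included, ship unsigned); `HashMismatch` means the file was modified after signing and should not be trusted regardless of what `CompanyName` says.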

c:\Documents and Settings\Big Daddy D\Local Settings\Temp\~nsu.tmp\Au_.exe - Seems as if this file was from the CCleaner (legit software) that I installed to scan my machine earlier during the day on Friday.

I installed the “DelDomains.inf” file on my desktop, right clicked, and installed, but it seems as if nothing happened at all. Maybe I’m missing something…

Hi sinistersims,

The logs seem to be clean, just cleanse the temp files by restarting in Safe Mode and you may be good to go, or are there any particular hiccups? From here your machine seems OK,

polonus