Paranoid person needs help... (regarding dc12.exe)

Viruses and worms
1

Hello! For a long while I have been using the free version of Avast! in conjunction with Spybot S&D immunizations. (No TeaTimer, though. I know, I’m stupid) I had been scanning each day with both programs, as well as RootkitRevealer, and using Foxfire (with NoScript) to browse the internet. (Though admittedly the other person using this computer uses IE to browse) I also just use the Windows Firewall. I’m not extremely technical, so please bear with me.

Unfortunately, a week or so ago (I’m not certain of the exact date of infection) I checked the On-Access Scanner and noticed dc12.exe (inside my recycling bin) had been the last thing my Standard Shield had scanned. I think the Shield strength had been set to ‘Normal’ at the time and it did not note the file as infected. Nothing showed up in my Recycling Bin though I didn’t have Folder Options set to show me protected operating system files, only hidden files, if that makes any difference.

I panicked, emptied my bin, and ran the usual (Avast!/Spybot S&D/RootkitRevealer) scans including an Avast! Boot-Time scan. Nothing showed up. Ran HijackThis and nothing odd popped up, though I might not be able to notice something very subtle. I thought I was okay and decided now was the time to stop being a cheapskate. After installing the Pro version, I noticed something the Standard Shield (newly installed and at ‘Normal’ power) had scanned: dc4.lnk once again inside my bin, but I still couldn’t see it even after making the changes to Folder Options. Emptied it again.

I’ve run Malwarebytes Anti-Malware, SuperAntiSpyware, Avast! Cleaner and even done a VundoFix scan when I thought it might Virtumonde. Nothing is coming up. No strange processes are appearing on Process Explorer, either. I’ve been mindful to check what files are being created each day just using Windows Search and nothing unusual is popping up either.

And, well, nothing bad has happened either. Even after I first noticed dc12.exe, nothing strange occurred. No ads, no odd processes, though the Internet had been slow lately, I believe that it might have just been my Comcast service, as it has improved now. I have now reinstalled my Spybot S&D, Firefox and installed Avast! Pro with no incident, besides noticing the ‘dc4.lnk’ file. I’m now running Avast! at ‘High’ strength and using TeaTimer and haven’t seen a reemergence of the ‘dc’ files, although I wouldn’t be able to find them manually, anyway.

Does anyone know what this ‘dc12.exe’ might be? Why can’t I see any of these files? Am I okay? Am I just overreacting entirely? (Feel free to call me crazy) Also, if this file is a threat, can it transfer itself to my iPod? Unfortunately, I’ve connected it to my computer after I initially thought I was fine.

Please forgive any rambling or poor spelling in the above message, as it’s very late where I am and I’m a little sleepless due to the aforementioned problem.

Any help is appreciated, and thank you in advance. I’ll post my Hijack log shortly.

2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:38 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\Spybot-S&D\TeaTimer.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Documents and Settings[i](my username, deleted)[/i]\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot-S&D\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


End of file - 3113 bytes

3

An analysis of your HJT log shows mostly clean with no bad entries :

We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

Entries that can be fixed with HJT :

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

Those are not problem entries but can be removed with HJT as they have no use.

Information about dc12.exe :

The unsafe files using this name are associated with the malware groups:
Malicious Software
Fraudulent Security Program
http://spywarefiles.prevx.com/RRIHJA104921/dc12%252Eexe.html

4

I’m currently just using the Windows Firewall. Something I regret now, I assure you…

Thank you so much for your help in pointing me to what this dubious program is. What still troubles me is, can it infected my iPod as well? Can it steal private data I have transmitted through this computer? Does anyone have any further experience with this irritation?

Thanks again.

5

:slight_smile: Hi :

Spybot has not been considered a top antiSPYWARE/antiTROJAN program for
a couple of years; nowadays, most experienced, certified, Volunteer
“Malware Removal Specialists” recommend primarily Malwarebytes’ Anti-
Malware ( www.malwarebytes.org/mbam.php ) and secondly
"SUPERAntiSpyware ( www.superantispyware.com ), BOTH of which come in
FREE Version(s), which I recommend you now use .

6

I suspect something deeper as this is possibly the shortest HJT log I have seen on the forums.

@ TM27
Is this the full log or have you edited it ?

You should have a folder for HJT and not just dump it in the my documents folder I suggest C:\HJT but the choice is yours.

Once you have done this rename hijackthis.exe to TM27hjt.exe and then run it again.

7

The reason my log might be short is because my old hard drive went down not too long ago, I hadn’t really installed much onto the new drive yet, besides the anti-virus and anti-spyware.

That’s the full log, the only thing I deleted was a empty space at the bottom and my username. Did as you asked and here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:45 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\Spybot-S&D\TeaTimer.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\HJT\TM27hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot-S&D\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


End of file - 2793 bytes

8

Thank you for the heads up regarding this. I wasn’t aware the Spybot’s usefulness had lessened so much over the years. I stopped using Ad-Aware for this reason.

Should I just remove Spybot S&D entirely and use both these applications? Are there any incompatibilities with having all three on a system?

9

OK, thought it was a bit small. The reason for changing the hijackthis.exe is some malware is on the lookout for it to avoid HJT reporting its process/es.

You can leave S&D if for no other reason it provides limited resident protection in the form of tea-timer, but I wouldn’t rely on it as my only anti-spyware (though avast does lookout for spyware).

SAS and MBAM are currently the top of the pile in the anti-spyware/malware pile and compliment avast, so I would suggest you install both and do a weekly scan (updating the signatures before you do). I like SAS and went as far as paying for the pro version (a small one off payment), which provides resident protection. MBAM offers the same in its paid option again a small one off payment; if you were to get the paid version of either of those I would say S&D ‘should’ be uninstalled.