
Mystery Infection



I'm not seeing anything else bad.

What happens if you just select English and run a scan?

We can try a online scan.

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


Hey

re: the language bar, English is the default and working, which is fine for me. Since the owner of the laptop is Chinese, I hope yet to make Chinese work. Unless it bears on the question of infection, I'll work on that separately.

So, I un-installed (add/remove programs) and re-installed mbam. I updated and ran an mbam scan, while simultaneously running NormanMalware and NortonPowerErase. Mbam finished and did not find everything (seems like I can get one good run after a reinstall, sometimes). Norman did not find anything.

Norton found 4 "I don't knows" which I left alone -- I figure I can run norton again and get them at that time, plus the general instructions are not to delete things without consensus. I was planning to put the norton log here, but it did not create one for this run. I will run it again, and post what I get (assuming I get anything).

What seems significant is that twice during the triple run, the real-time AVG popped up saying there was a bad thing, which I told it to clean. Here is "the good news" -- what AVG found real-time:

"Trojan horse Downloader.Agent2.BBGT";"d:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP5\A0000847.exe";"Moved to Virus Vault";"4/23/2012, 10:10:07 AM";"file";"C:\Documents and Settings\hou\My Documents\Downloads\Cleaning tools\NormanMalwareCleaner\Norman_Malware_Cleaner.exe"

"Trojan horse Downloader.Agent2.BBGT";"d:\Program Files\EditPlus 2\EditPlus.exe";"Moved to Virus Vault";"4/23/2012, 8:49:36 AM";"file";"C:\WINDOWS\system32\rundll32.exe"

Here is the bad news, this is what AVG found on its nightly scheduled scan (occurred after the real-time had supposedly caught some things):

"";"F:\soft setup\EDITPLUS.exe:\{app}\EditPlus.exe";"Trojan horse Downloader.Agent2.BBGT";"Moved to Virus Vault"

"";"F:\soft setup\EDITPLUS.exe";"Trojan horse Downloader.Agent2.BBGT";"Moved to Virus Vault"

Things keep coming back, apparently.

I will also run the net/cloud scan and post the results.


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17109 (vista_gdr.120227-1644)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=e82e7ef45538a74abd0edc5d20978b2b

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-04-24 12:03:49

# local_time=2012-04-24 12:03:49 (+0000, GMT Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777175 100 0 1112977 1112977 0 0

# compatibility_mode=8192 67108863 100 0 450 450 0 0

# scanned=75314

# found=0

# cleaned=0

# scan_time=4587


I tried to run m-bam again, it failed. I removed (add/remove programs) and re-installed. Scan now running. Simultaneously I am running CCE, NMC, and NPE. CCE cannot update its signature file (tried twice) so I ran on whatever it came with. CCE says that msconfig was disabled, and I authorized fixing it. M-bam crashed. NMC found nothing.


NPE found the same 4 "I don't know what these are" items. I told it to clean (delete) them, it tried and said it couldn't. There is a log, but it is in XML, and it is long. I think I have located the relevant part:

<RemediationStatusPostReboot DateAndTime="Tuesday, 24 April 2012 Time: 16:13">
  <Infections_Remediated>
    <DRIVERS Count="0" />
    <SERVICES Count="0" />
    <PROCESSES Count="0" />
    <LAYERED_SERVICE_PROVIDERS Count="0" />
    <DESKTOP_SHORTCUTS Count="2">
      <Desktop_Shortcut ID="1">
        <File_Information>
          <Path>d:\program files\fastait2009\nettrans.exe</Path>
          <FileVersion>0.0.1.34</FileVersion>
          <ProductVersion>0.0.1. building 34</ProductVersion>
          <ProductName>Kingsoft FastAit 2009</ProductName>
          <Company>Copyright © Kingsoft Corporation Limited. All rights reserved.</Company>
          <Copyrights>Copyright © Kingsoft Corporation Limited. All rights reserved.</Copyrights>
          <MD5>ACF292062C205056FA3A33BEBF08000E</MD5>
          <SHA256>A6570D7B40B473EF2757B8C4C7CA10B47E84B8DBF467D236EF6347BB984E35F8</SHA256>
          <FileSize>441456</FileSize>
        </File_Information>
        <SideEffects Count="2" Status="Remediate_Failed">
          <File>D:\Program Files\FASTAIT2009\NetTrans.exe</File>
          <File>C:\Documents and Settings\hou\Application Data\Microsoft\Internet Explorer\Quick Launch\金山快译2009.lnk</File>
        </SideEffects>
      </Desktop_Shortcut>
      <Desktop_Shortcut ID="2">
        <File_Information>
          <Path>d:\program files\winsnap_3.1.1\winsnap.exe</Path>
          <FileVersion>3.1.1.0</FileVersion>
          <ProductVersion>3.1.1.0</ProductVersion>
          <ProductName>WinSnap</ProductName>
          <Company>NTWind Software</Company>
          <Copyrights>© 2009 NTWind Software</Copyrights>
          <MD5>741C47BACA0A03D604C37A704C6785A5</MD5>
          <SHA256>24C2748FCC9C7E108A385E3499BA1F1B93A1973BEA38561040C3F8830BE512F3</SHA256>
          <FileSize>575952</FileSize>
        </File_Information>
        <SideEffects Count="2" Status="Remediate_Failed">
          <File>D:\Program Files\WinSnap_3.1.1\WinSnap.exe</File>
          <File>C:\Documents and Settings\hou\Application Data\Microsoft\Internet Explorer\Quick Launch\屏幕抓图.lnk</File>
        </SideEffects>
      </Desktop_Shortcut>
    </DESKTOP_SHORTCUTS>
    <AUTORUN_FILES Count="0" />
    <STARTUP_ITEMS Count="2">
      <Startup_Item ID="1">
        <File_Information>
          <Path>d:\program files\dynacomware\dynadoc\dlview32.exe</Path>
          <FileVersion>4, 25, 1130, 2002</FileVersion>
          <ProductVersion>4, 25, 1130, 2002</ProductVersion>
          <ProductName>DynaDoc Free Reader</ProductName>
          <Company>DynaComware Corporation</Company>
          <Copyrights>Copyright© 2002</Copyrights>
          <MD5>29571CC00720DD576BDEDA6B741CD4D4</MD5>
          <SHA256>3B1C08ADC1FE8DC79C5F0F2FBF0E2CFEE212785AD8908057C0524E0617A1AFB3</SHA256>
          <FileSize>1538048</FileSize>
        </File_Information>
        <SideEffects Count="3" Status="Remediate_Failed">
          <File>d:\program files\dynacomware\dynadoc\dlview32.exe</File>
          <RegistryValue>\REGISTRY\MACHINE\software\microsoft\windows\currentversion\app paths\DLVIEW32.EXE\""</RegistryValue>
          <RegistryKey>\REGISTRY\MACHINE\software\microsoft\windows\currentversion\app paths\DLVIEW32.EXE</RegistryKey>
        </SideEffects>
      </Startup_Item>
      <Startup_Item ID="2">
        <File_Information>
          <Path>d:\program files\极速工具栏\jsquick.exe</Path>
          <FileVersion />
          <ProductVersion />
          <ProductName />
          <Company />
          <Copyrights />
          <MD5>BE87CABF1456F396CF5BE92D1ECD1028</MD5>
          <SHA256>10A75522EA55587C23237EC4944D3AA74107650762CC82118F2E7DCDFFA7895F</SHA256>
          <FileSize>631500</FileSize>
        </File_Information>
        <SideEffects Count="3" Status="Remediate_Failed">
          <File>d:\program files\极速工具栏\jsquick.exe</File>
          <RegistryValue>\REGISTRY\MACHINE\software\microsoft\windows\currentversion\app paths\Start Quick.exe\""</RegistryValue>
          <RegistryKey>\REGISTRY\MACHINE\software\microsoft\windows\currentversion\app paths\Start Quick.exe</RegistryKey>
        </SideEffects>
      </Startup_Item>
    </STARTUP_ITEMS>
    <BROWSER_HELPER_OBJECTS Count="0" />
    <BROWSER_TOOLBARS Count="0" />
    <BROWSER_PLUGINS Count="0" />
    <SHELL_EXTENSIONS Count="0" />
    <EXPLORER_PLUGINS Count="0" />
    <DIRECTORIES Count="0" />
    <FILES Count="0" />
    <SYSTEM_SETTINGS Count="0" />
  </Infections_Remediated>
</RemediationStatusPostReboot>
</Session0>
</Norton_Power_Eraser_Information>


Please do the following to see if it resolves the issue, then post back and let us know:

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer; please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus, usually via a right click on the System Tray icon. Here's how to do that. It may otherwise interfere with our tools.
  • Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Next: Install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
  • Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQs here or ask and we'll explain how to do it.


Hey

So, re-downloaded a fresh copy of mbam-clean and mbam. Ran clean, booted, disabled AVG, installed mbam, updated mbam, re-enabled AVG and selected full scan, selected all 4 logical drives (one physical), scanned. It finished quickly actually, 41 minutes; previous (successful) runs have taken up to an hour and 40 +/-. It found nothing. Without booting, I ran another mbam; it crashed in less than 2 minutes.


Booted. Running another scan with the current installation of mbam (no new update available yet). This one finished and found nothing. Running another scan, without even closing MBAM or trying to update, just started another scan. This second run completed successfully (and found nothing). I exited mbam, relaunched it, updated it, and ran another scan, which also completed successfully, with nothing found.

Oh, before I forget to mention it again, the number of objects scanned jumps to a high number (like 40 to 50 thousand) all at once, a minute or two into the scan. It has been doing this the entire time I've been working on this computer. I don't remember it happening like this on all my computers (at home); I remember the count increasing steadily. Is the big jump normal behavior?


I have not tried a quick scan recently, but I can do that. I don't know what it crashes on, there is the windows pop-up saying "error ... have to close" and it covers most of the mbam window. I suppose I can start the scan, move the mbam window to a far corner, and then if/when it crashes, I should be able to see what is in the window...


Home PC, free edition.

Girlfriend's machine, in China. I live in the US (with 4 computers), except for extended visits to China (tourist visa, 90 day maximum visit), so when I say "my machines at home" that is what I am referring to. Trying to get her machine(s) cleaned up.

This laptop (subject of this thread) had been her teenage daughter's machine (the daughter is now in the US attending college), so it is safe to assume the daughter broke every rule about safe surfing - thus the mess on this machine, when I first started working on it. Also, I have grave misgivings about the Chinese 360 AntiVirus products. Two 360 products were on this machine when I started -- but clearly lots of infections got past them. I removed the 360 products in favor of US AV products that I know well, and have been trying to clean it up ever since; the history is described (absent all the gory details) in the first post of this thread. She (GF) also has an (older Dell) desktop, but that is the Chinese version of XP, and it is very difficult for me to work with (since I am not bi-lingual). On that machine, MBAM finds the same 2 items, run after run after run after run, and both are in 360 files. Starting to wonder if 360 itself has trojan properties built into it... And, apparently 360 protects itself from being cleaned by mbam. Well, that all is a different story. Back to the Tecra.

This morning AVG had updated itself and was waiting for a reboot. Booted. Launched existing install and updated MBAM. Ran a quick scan successfully, nothing found, 4 minutes "and change" to run. Immediately ran another quick scan successfully, nothing found, about 1.5 minutes. 3rd successful, about 1.5 minutes.

I started a full scan and then I decided to try to watch when the count jumps up. I aborted that scan and started another full scan. The jump in count happens at the end of the registry scan, and the beginning of the file system scan (FYI). This scan crashed, very quickly (less than 2 minutes) but I forgot to move the window, so I could not get anything about state at the crash, other than it was in the file system activity.

I started another full scan. Crashes about 15 minutes in -- but (silly me) I forgot to look at the state before I clicked on "send a crash report to Microsoft" so I lost any state info (again). Launched again, no new update available, started another full scan. Ran successfully, 37 minutes. Found nothing.

While I was waiting for that last full scan, I looked at last night's AVG run (scheduled every night, assuming I leave the PC on). Looks like the same 2 items as the previous run:

"";"F:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP6\A0000910.exe:\{app}\EditPlus.exe";"Trojan horse Downloader.Agent2.BBGT";"Moved to Virus Vault"

"";"F:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP6\A0000910.exe";"Trojan horse Downloader.Agent2.BBGT";"Moved to Virus Vault"

Running another quick scan (did not try to update). Successful, 2 min 38 sec. Ran another quick scan. Successful, 1 minute 18 seconds.

Is the variability of the run time important? There are about a dozen log entries since the last install. I can extract the type of run (full/quick) and the run time, if you like.

Thanks

Blessings

David


"";"F:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP6\A0000910.exe:\{app}\EditPlus.exe";"Trojan horse Downloader.Agent2.BBGT";"Moved to Virus Vault"

"";"F:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP6\A0000910.exe";"Trojan horse Downloader.Agent2.BBGT";"Moved to Virus Vault"

Is the F: drive an external drive or a partition?

That is in a system restore point.

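A small triage script, added here as an example (it is not part of this thread, of AVG, or of Malwarebytes' tooling), that parses AVG log lines in the format quoted above and separates detections sitting inside System Restore points from hits on live files. The three sample lines are copied from this thread; the field layout and the reading of the second ":\" as a member inside a container file are assumptions drawn from those lines.

```python
import csv
import re

# Constructed sample: three AVG lines quoted in this thread (one real-time
# detection with six fields, two nightly-scan lines with four fields).
SAMPLE_LOG = r'''"Trojan horse Downloader.Agent2.BBGT";"d:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP5\A0000847.exe";"Moved to Virus Vault";"4/23/2012, 10:10:07 AM";"file";"C:\Documents and Settings\hou\My Documents\Downloads\Cleaning tools\NormanMalwareCleaner\Norman_Malware_Cleaner.exe"
"";"F:\soft setup\EDITPLUS.exe:\{app}\EditPlus.exe";"Trojan horse Downloader.Agent2.BBGT";"Moved to Virus Vault"
"";"F:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP6\A0000910.exe";"Trojan horse Downloader.Agent2.BBGT";"Moved to Virus Vault"
'''

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# XP restore points live under <drive>:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I)


def split_container(path):
    """Split 'F:\\x.exe:\\{app}\\y.exe' into (container file, inner member).
    Assumption: AVG appends the member of a container file after a second ':\\'."""
    outer, sep, inner = path[2:].partition(":\\")
    return path[:2] + outer, ("\\" + inner if sep else None)


def parse_avg_line(line):
    """Parse one semicolon-separated, double-quoted AVG record.
    Works for both layouts: the detection path is the first drive-letter field,
    the threat name is the first non-empty field that is not a path."""
    fields = next(csv.reader([line], delimiter=";", quotechar='"'))
    path = next(f for f in fields if DRIVE_PATH.match(f))
    threat = next(f for f in fields if f and not DRIVE_PATH.match(f))
    container, inner = split_container(path)
    rp = RESTORE_POINT.search(container)
    return {"threat": threat, "path": container, "inner": inner,
            "restore_point": rp.group(1) if rp else None}


def triage(log_text):
    """Bucket detections: copies inside restore points only resurface when the
    point is restored and are flushed by purging restore points after the live
    system is clean; live-file hits still need the file itself dealt with."""
    report = {"restore_point": [], "live": []}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_avg_line(line)
            report["restore_point" if rec["restore_point"] else "live"].append(rec)
    return report


if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE_LOG).items():
        for r in recs:
            print(f"{bucket:13} {r['restore_point'] or '-':4} {r['threat']}: {r['path']}"
                  + (f"  -> member {r['inner']}" if r["inner"] else ""))
```

Running it on the sample puts the two `_restore{...}\RPn` hits in the restore-point bucket and the installer hit on F: in the live bucket, with `\{app}\EditPlus.exe` reported as the member inside EDITPLUS.exe.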

Partition. This machine has 4 partitions, on one physical drive.

If I recall correctly, restore was turned off when I started working on this machine. I turned it back on, and Norton (and possibly others) has been making restore points. I have not paid much attention -- until the machine is clear-and-clean, I would not want to restore anyway.

Last night's AVG scan was clean (nothing found).


Hey, just FYI

I may have figured out the language bar (partly? more or less?). The two versions of Chinese both specified the US keyboard, since we don't (at this time) have any special keyboard or keyboard emulator software. Just on a hunch, I added a second keyboard type (even though we don't actually have it) to each of the Chinese entries, and now they appear to act normally. Until we actually load up a keyboard program (there is a dominant one here in China), I won't know for sure where we stand, but it seems better. Still a puzzlement as to why it worked temporarily in the middle of a Combofix scan.


Thanks.

We will try to use it, but no banking or credit.

I'll keep an eye on it.

If something obvious happens, I'll give a shout.

Thanks again.

Blessings blessings blessings

Love joy happiness

Peace of heart, peace of mind

All that is best and highest

Now and always

And in all ways

Reverend David Smith


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
