
information or guidance?



Hi, I'm hoping for some guidance. I suffered a major virus/malware attack a year ago -- cleaned up with help from the folks at bleepingcomputer. Since then I've added security addons to Firefox, I installed and maintain a Hosts file, I do at least one Quick MBAM scan every day and at least one Full scan every week, I do a full scan with Avast! at least once a week, I run Secunia PSI and update as needed, etc., etc., etc.

Earlier today I ran a quick scan with MBAM, Database version: 3382, and everything came up clean. Since I had some extra time this evening I ran a full scan, same database (no update was found) and it found one infected object:

C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP314\A0049145.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I quarantined it and followed the instructions to restart my computer immediately.

My question is, can anyone tell me what might have happened? Is there any way to read the report to see how or when this snuck in? Or what it might be? Is there a chance that this might have been a false positive?

Basically, I'm concerned that there might be something else lurking in my computer, or a vulnerability I should address.

Thanks for any help.


  • Root Admin

No, this is normal. You should have been instructed to clean up your Restore Points after a Malware cleanup. The System Restore makes copies of all types of system files for your safety in case you need to restore. Unfortunately often Malware also gets backed up there, that's why it's best to clean it and make a new clean restore point.

If you're on XP you can do the following.

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".

  • If the shortcut is missing you can also click on START > RUN and type in %SystemRoot%\system32\restore\rstrui.exe and click OK.

  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".

  • Give the new Restore Point a name, then click "Create".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use Disk Cleanup to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr.exe

  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "More Options" tab, then click the "Clean up" button under System Restore.

  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"

  • Click Yes, then click Ok.

  • Click Yes again when prompted with "Are you sure you want to perform these actions?"

  • Disk Cleanup will remove the files and close automatically.

  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore


Thanks for the reply, but I don't think that's it. I'm sure that I was instructed to clean out my restore points by the folks who were helping me.

Also, the last full MBAM scan I ran, on December 3rd (almost two weeks ago -- I must be getting careless) didn't find any problems.

I'll follow your instruction on cleaning out the restore points, but I don't think that whatever was in there was left over from last year.

Can you think of anything else that might be at work here?

Thanks again.


That finding is harmless as far as I know :) It's stored in your system restore, so as long as that old restore point is NOT used, you won't get infected from it. It wouldn't hurt to do as AdvancedSetup posted; it's good to clear out your restore points once in a while. I do anyway :)

I'll let AdvancedSetup or someone else answer if anything else may be at work here, but, that particular finding is harmless :)


Thanks, mountaintree16. I followed the instructions to create a new restore point and clean up the old ones -- although Disk Cleanup didn't close on its own -- I closed it after I was sure it had completed.

But I am concerned about how a new threat may have made it past my defenses and scans and gotten into a system restore point.


You're welcome ceomag.

I'm not sure, but, did you notice anything in your Avast's quarantine files that matched this name: A0049145.dll or was close to it?


You're welcome ceomag :) If there is nothing there (and if there is, check to see if the date is close to around what that Mbam scan log's date is), I have a pretty good hunch that that system restore point finding may be leftover from an older infection :)

I am going to sleep now, and hopefully someone will be able to confirm what I said, but, I think that's probably what it is :)


Just thought I'd add that I've been going through my most recent logs. Full scans on 11/27, 11/28, 11/30 and 12/03, etc., as well as quick scans every day, didn't pick this up. Prior to this I've had a couple of false positives -- posted in the FP forum -- but no real malware the past year.


  • Root Admin

It's quite possible that it is a new find that was added to the definitions. We add new findings every day and often many times during the day to add to the definitions.

You should be okay, but if you want you can follow the directions below and have someone go over some scans and logs with you to confirm there is no issue.

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org


Thanks again, AdvancedSetup.

I may take you up on that after the holiday rush. Right now subsequent scans with MBAM and Avast! are all coming up clean. I did have some odd behavior about a month ago, but right now everything seems to be acting normally. I'll cross my fingers and keep an eye on it for a while.


Okay, well I think I have to take you up on your offer.

I've done multiple scans w/MBAM and a scan with Avast! and nothing came up. But today when I started the computer ZoneAlarm (Free) went frantic with attempts by agent.exe to access ports, etc. I recognized it as the name of a legit program, Installshield, but that wasn't normal behavior, so I updated and ran a full MBAM scan. Here's the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3406
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/21/2009 8:30:41 PM
mbam-log-2009-12-21 (20-30-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 251345
Time elapsed: 1 hour(s), 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{0fcdc8c0-8297-4d27-85d2-84effa002f13} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{57e7a0d2-05a2-4743-9268-0af49f56d56c} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b7afd990-e814-4cc7-925a-c3938f71b81b} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{13289e82-7a5d-4ed5-bec9-2c3b34a88ed0} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b9e3f918-328c-410a-b2e3-2abf9e209974} (Trojan.Small) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dtopMFC.ocx (Trojan.Small) -> Quarantined and deleted successfully.

So, something is in there.

If I "go pro" with MBAM, will it peacefully coexist with Avast? Would it make sense to buy the upgrade now, or after I'm clean?

Thanks

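As an added example (not code from this thread, from Malwarebytes, or from any of the posters), here is a small Python parser for the MBAM 1.x text log layout posted above. It pulls out the header, the summary counts and each detection entry, then classifies every hit by where it lives: registry keys, live files, or copies under System Volume Information\_restore (which, as AdvancedSetup explained earlier, stay dormant unless that old restore point is actually used). It also cross-checks the summary counts against the entries actually listed, so a truncated or edited log is flagged rather than silently read as "one file, all clean". The sample log is constructed from the entries reported in this thread, with the earlier restore-point hit added as a second file entry so both kinds of location appear; the regular expressions and the location rules are assumptions about the 1.x layout, not a Malwarebytes specification.

```python
import re
from dataclasses import dataclass

# Constructed sample: an MBAM 1.x log in the same layout as the one posted in this thread,
# using the detections reported in the thread, with the earlier restore-point hit added as
# a second file entry so both kinds of location appear in one log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3406
Windows 5.1.2600 Service Pack 3
12/21/2009 8:30:41 PM
Scan type: Full Scan (C:\|)
Objects scanned: 251345

Memory Processes Infected: 0
Registry Keys Infected: 5
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{0fcdc8c0-8297-4d27-85d2-84effa002f13} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{57e7a0d2-05a2-4743-9268-0af49f56d56c} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b7afd990-e814-4cc7-925a-c3938f71b81b} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{13289e82-7a5d-4ed5-bec9-2c3b34a88ed0} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b9e3f918-328c-410a-b2e3-2abf9e209974} (Trojan.Small) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dtopMFC.ocx (Trojan.Small) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP314\A0049145.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Assumed line shapes of the 1.x log (not a Malwarebytes specification).
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
SCAN_TIME_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")
# XP keeps restore-point copies under System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str

    @property
    def location(self) -> str:
        """'registry', 'restore-point' (dormant unless that point is restored) or 'live'."""
        if self.item.upper().startswith("HKEY_"):
            return "registry"
        if RESTORE_POINT_RE.search(self.item):
            return "restore-point"
        return "live"


def parse_mbam_log(text):
    """Split an MBAM 1.x text log into (header dict, summary counts, list of Detection)."""
    header, summary, detections = {}, {}, []
    section = None  # None while still inside the header block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if (m := SUMMARY_RE.match(line)):
            summary[m["section"]] = int(m["count"])
        elif (m := HEADER_RE.match(line)):
            section = m["section"]
        elif section is None:
            if SCAN_TIME_RE.match(line):
                header["scan_time"] = line
            else:
                key, sep, value = line.partition(": ")
                header[key] = value if sep else ""
        elif (m := ENTRY_RE.match(line)):
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return header, summary, detections


def triage(text):
    """Classify detections by where they live and cross-check the summary counts."""
    header, summary, detections = parse_mbam_log(text)
    by_location, listed = {}, {}
    for d in detections:
        by_location.setdefault(d.location, []).append(d)
        listed[d.section] = listed.get(d.section, 0) + 1
    # A summary count that differs from the entries actually listed means the log was
    # truncated or edited, so the entries cannot be read as the complete picture.
    mismatch = {s: (n, listed.get(s, 0)) for s, n in summary.items() if n != listed.get(s, 0)}
    return {
        "database": header.get("Database version"),
        "scan_time": header.get("scan_time"),
        "counts": {loc: len(v) for loc, v in by_location.items()},
        "families": sorted({d.family for d in detections}),
        "needs_attention": [d.item for loc in ("live", "registry") for d in by_location.get(loc, [])],
        "dormant": [d.item for d in by_location.get("restore-point", [])],
        "count_mismatch": mismatch,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The scan_time field is what you would line up against an Avast quarantine date, as mountaintree16 suggested above, to decide whether a restore-point hit is a leftover from an older cleanup or something new; the "dormant" list separates those hits from the "needs_attention" ones that were actually on the live system.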

BTW, after the full scan, clean up, and reboot I updated and ran another full scan. This one came up with no problems found, but ZoneAlarm is still recording one or more attempts by agent.exe every minute. Most of these are loopback attempts. So far ZoneAlarm seems to have it bottled up.


It's possible that you may be worrying unnecessarily. dtopMFC.ocx was a false positive that was fixed in database update 3408.

http://www.malwarebytes.org/forums/index.p...;hl=dtopMFC.ocx

And agent.exe is actually a legitimate part of the InstallShield Update Service. It is explained at the bottom of this web page:

http://consumer.installshield.com/faqs_us.asp

However, if you are not satisfied that your computer is malware free, please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org


It's possible that you may be worrying unnecessarily. dtopMFC.ocx was a false positive that was fixed in database update 3408.

...

Geez, I hope so! I worry so much and it so rarely turns out to be unfounded! :) :) :P

My heightened sense of paranoia was kicked off about a month ago when I started getting some Google searches redirected and my Firefox Google toolbar suddenly acted strangely.

However, agent.exe did suddenly start behaving differently yesterday, and it is still being picked up by ZoneAlarm today. I'll try to pursue that angle with the good folks at ZoneAlarm, but I'll attach a screenshot here if anyone can offer an opinion.

Honestly, I appreciate your input!



Well ... thanks, but no luck.

There's a "contact us" option, but I haven't gotten a reply from them.

The Software manager they mention isn't present in my Start menu. In the event that the Software Manager isn't in the Start Manager they provide an install file to install it. I tried that, and it appeared to be successful, but there's still no Software Manager in my Start menu, and searching for it only turns up the install file and an entry in the prefetch folder.

I know this isn't your problem, but ... any other ideas? :lol:


Okay, I may have found it. As near as I could tell, InstallShield is used by at least two programs I have on my PC: Acronis True Image Home and RecordNow! I still need Acronis, but RecordNow! was an old CD burner that I have not used in some time. I uninstalled RecordNow! and its updater, and rebooted. Since then agent.exe has not tried to get past ZoneAlarm and has not popped up in Windows Task Manager.

I still have "agent.exe" in the UpdateService folder, but it's quiet.

I'll know better after a little more time, but that may have fixed it.

Thanks for your help! I appreciate it!
