Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mbsmacosxplugin1635.dll


  • Please log in to reply
20 replies to this topic

#1 cpro99jlb

cpro99jlb

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 21 August 2008 - 05:27 PM

My AVG keeps telling me it has detected a threat
c:\documents and settings\ADMIN\application data\mbsmacosxplugin1635.dll
c:\documents and settings\ADMIN\application data\mbsmemoryplugin1635.dll

AVG has named it as Trojan horse Agent.AABY
Detected on open

I keep asking to delete it or whatever the option is and it doesn't seem to help. According to the AVG site a trojan horse should be able to be fixed by deleting the file but when I try to look for the file it cannot be found. I'm not even sure how I got it with AVG upto date

Any help would be appreciated. Thank you

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:01 AM

Posted 21 August 2008 - 05:28 PM

Try running a scan with AVG in Safe Mode.

How to start Windows in Safe Mode
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 cpro99jlb

cpro99jlb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 21 August 2008 - 06:12 PM

My computer does not seem to want to go into safe mode. If I am lucky enough to get the option for the safe mode screen my keyboard does not work for me to toggle to choose safe mode and it eventually just starts in regular mode

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:01 AM

Posted 21 August 2008 - 06:13 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 cpro99jlb

cpro99jlb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 21 August 2008 - 06:33 PM

Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2

5:31:43 PM 21.Aug.08
mbam-log-08-21-2008 (17-31-43).txt

Scan type: Quick Scan
Objects scanned: 59855
Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\SEC (Rogue.SecureExpertCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 cpro99jlb

cpro99jlb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 21 August 2008 - 06:34 PM

My spybot was asking weather to allow or deny changes after this program ran. What do I do in that situation

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:01 AM

Posted 21 August 2008 - 06:39 PM

You should allow the changes. It's probably best to turn off TeaTimer while scanning with Malwarebytes (just remember to turn it back on again after the scan has finished).
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 cpro99jlb

cpro99jlb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 22 August 2008 - 01:27 PM

I still had the infection this morning but I figured out how why I couldn't get into safe mode and tried that ran avg in safe mode. It said it found and fixed the one infection but when I rebooted and went into regular mode I still have the infection. Am running malware again right now to see if it will find it. Here is the report from avg in safe mode. Am not sure what to try next. Any other ideas.....thank you

AVG 8.0 Anti-Virus command line scanner
Copyright © 1992 - 2008 AVG Technologies
Program version 8.0.134, engine 8.0.0
Virus Database: Version 270.6.6/1627 2008-08-22

C:\Documents and Settings\ADMIN\Application Data\MBSMacOSXPlugin1635.dll Trojan horse Agent.AABY Object was moved to Virus Vault.
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\ADMIN\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\ADMIN\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\DEFAULT Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SOFTWARE Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SYSTEM Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 763924
Found infections : 1
Found PUPs : 0
Healed infections : 1
Healed PUPs : 0
Warnings : 0

#9 cpro99jlb

cpro99jlb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 22 August 2008 - 01:32 PM

Just finished running Malware again and it detected nothing.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:01 PM

Posted 22 August 2008 - 03:51 PM

Please run this tool it may not show ,but I still feel the first infection was a LOP.

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.
Netpumper
BitRoll
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Zone Media


Be sure to reboot when done.

Please download NoLop and save it to your desktop.
alternate download link 1
alternate download link 2
  • First close any other programs you have running as this will require a reboot.
  • Double click NoLop.exe to run it.
  • Now click the button labeled "Search and Destroy"
    <>
  • When scanning is finished you will be prompted to reboot only if infected. Click OK.
  • Now click the "REBOOT" button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log .
--If you receive an error: "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder then rerun NoLop..

Edited by boopme, 22 August 2008 - 04:04 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 cpro99jlb

cpro99jlb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 22 August 2008 - 04:02 PM

No Lop found nothing. There doesn't appear to be a log anywhere

Hijack this said:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:33 PM, on 22.Aug.08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


It should be here,C:\NoLop.log
but if it was empty it doesn't really matter now.
Sorry I forgot to remove the line about HJT logs. We do not post them here,so removed it.
But if the PC is not doing any better we may just go there. PC is stll the same?

Edited by boopme, 22 August 2008 - 04:09 PM.


#12 cpro99jlb

cpro99jlb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 22 August 2008 - 04:13 PM

Found it under my computer c: - It hasn't popped up in the last 1/2 hour or so but I just thought of something, is it possible that it coincides with my screen saver????

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\ADMIN\Desktop
[22.Aug.08]
[3:10:00 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Admin\Application Data\Adobe
C:\Documents and Settings\Admin\Application Data\Apple Computer
C:\Documents and Settings\Admin\Application Data\Ati
C:\Documents and Settings\Admin\Application Data\Google
C:\Documents and Settings\Admin\Application Data\Gtek
C:\Documents and Settings\Admin\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Admin\Application Data\Identities
C:\Documents and Settings\Admin\Application Data\Iscreensaver
C:\Documents and Settings\Admin\Application Data\Limewire
C:\Documents and Settings\Admin\Application Data\Macromedia
C:\Documents and Settings\Admin\Application Data\Malwarebytes
C:\Documents and Settings\Admin\Application Data\Microsoft
C:\Documents and Settings\Admin\Application Data\Mozilla
C:\Documents and Settings\Admin\Application Data\Real
C:\Documents and Settings\Admin\Application Data\Sun
C:\Documents and Settings\Admin\Application Data\Thunderbird
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg8
C:\Documents and Settings\All Users\Application Data\Broderbund Software
C:\Documents and Settings\All Users\Application Data\Common Files
C:\Documents and Settings\All Users\Application Data\Dell
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Im
C:\Documents and Settings\All Users\Application Data\Incredimail
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Sonic
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Wlinstaller
C:\Documents and Settings\All Users\Application Data\Zebra
C:\Documents and Settings\Default User\Application Data\Ati
C:\Documents and Settings\Default User\Application Data\Gtek
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Mozilla
C:\Documents and Settings\Networkservice\Application Data\Microsoft

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:01 PM

Posted 22 August 2008 - 04:15 PM

It should be here,C:\NoLop.log
but if it was empty it doesn't really matter now.
Sorry I forgot to remove the line about HJT logs. We do not post them here,so removed it.
But if the PC is not doing any better we may just go there. PC is stll the same?

We scan run another tool if you want to to se if it gets it .Download and install then run from safe mode.
Remember to keep Spybot off again...I'll be back in a few hours..


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Edited by boopme, 22 August 2008 - 04:18 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 cpro99jlb

cpro99jlb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 22 August 2008 - 07:31 PM

OK it took 4ever but it's done here are the results. I will see in the morning if I still have the message pop up

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/22/2008 at 06:26 PM

Application Version : 4.15.1000

Core Rules Database Version : 3544
Trace Rules Database Version: 1533

Scan type : Complete Scan
Total Scan Time : 02:48:38

Memory items scanned : 160
Memory threats detected : 0
Registry items scanned : 7256
Registry threats detected : 0
File items scanned : 79389
File threats detected : 15

Adware.Tracking Cookie
C:\Documents and Settings\ADMIN\Cookies\admin@adcentriconline[2].txt
C:\Documents and Settings\ADMIN\Cookies\admin@xiti[2].txt
C:\Documents and Settings\ADMIN\Cookies\admin@mycounter.tinycounter[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@banner.eurogrand[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@crackle[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@click2houston[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@windowsmedia[2].txt
C:\Documents and Settings\ADMIN\Cookies\admin@ads.pointroll[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@advertising[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@atwola[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@overture[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@questionmarket[1].txt
C:\Documents and Settings\ADMIN\Cookies\admin@specificclick[2].txt
C:\Documents and Settings\ADMIN\Cookies\admin@tacoda[2].txt
C:\Documents and Settings\ADMIN\Cookies\admin@yadro[1].txt

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:01 PM

Posted 22 August 2008 - 08:39 PM

OK,let us know.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users