Author Topic: Desktopicon\eBayShortcuts.exe  (Read 13747 times)

mkis
Desktopicon\eBayShortcuts.exe
« on: April 13, 2009, 04:13:16 PM »
This may be a FP. Or may be a trojan agent.
C:\Documents and Settings\user\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent)

There is a precedent
http://forum.avast.com/index.php?topic=38050.msg318419#msg318419

The event happened yesterday.
A Malwarebytes scan picked up the infection today.
-------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/13/2009 11:33:52 PM
mbam-log-2009-04-13 (23-33-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91552
Time elapsed: 26 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.

---------------------------------------------------------------------

I chose to remove as I did have an ebay shortcut load itself to the desktop during a download session. But a day removed from the download I can't say for sure which download it was, so rather than confuse things by making a guess, I'm trying to track down details of the event where creation of ebayshortcut occurred. As I said, I chose for malwarebytes to remove. I am left with - 'C:\Documents and Settings\user\Application Data\Desktopicon\Configuration Settings' which seems to be not infected.

There are entries in the registry that reference desktopicon\eBayShortcuts.exe.

There is also left a program installed that is called ebay that holds a link
hxxp://www.adon-demand.de/red/2303/

The link may be okay. I haven’t tried to follow it up. Thought I would post first and see what feedback I got. If it is a Trojan then my defense did not pick up the entry of the malware.

As best I remember, during the downloading the ebay icon appeared on the desktop, I thought as an extra feature, added because I hadn’t unchecked a box that offered the option somewhere in the download session. I deleted the shortcut off the desktop.

Some of the downloads are saved to program files but have yet to be run – one is ‘Unlocker’, another is ‘BHORemover’. ‘Foxit’ programs I think, the Reader has been run. Perhaps I downloaded something and uninstalled it again, I can’t quite recall, as I was on the computer and then off again.

Back on today and a Malwarebytes scan picked up the entry as an infection.

---------------------------------------------------------------------
Here is the previous scan taken 4 days earlier.

Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/9/2009 7:03:40 PM
mbam-log-2009-04-09 (19-03-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 96925
Time elapsed: 29 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected) 
  
-----------------------------------------------------------------------------------------------------


No scans of files with avast have returned any other signs of infection. I may try some online scans and see if anything does turn up.
« Last Edit: April 13, 2009, 04:20:05 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

YoKenny

Re: Desktopicon\eBayShortcuts.exe
« Reply #1 on: April 13, 2009, 04:21:33 PM »
That may be a false positive and you could try removing it from Quarantine.

By the way, MBAM detection is up to Database version 1974 and the application has been updated to 1.36. It's always best to do an Update before a scan, and it's not necessary to do a Full Scan as a Quick Scan will detect 99.9% of the known infections.
« Last Edit: April 13, 2009, 04:24:12 PM by YoKenny »

micky77

Re: Desktopicon\eBayShortcuts.exe
« Reply #2 on: April 13, 2009, 04:35:17 PM »
Some of the downloads are saved to program files but have yet to be run – one is ‘Unlocker’,

http://www.malwarebytes.org/forums/index.php?showtopic=6281&hl=eBayShortcuts.exe

mkis
Re: Desktopicon\eBayShortcuts.exe
« Reply #3 on: April 13, 2009, 04:41:59 PM »
Thanks YoKenny. I'm new to mbam. For now, I updated and ran a 1975 quick scan which returned no malicious items.

I'm turning in for the night, and I'll check the forum in the morning. When I might need to do some tidy up.

mkis
Re: Desktopicon\eBayShortcuts.exe
« Reply #4 on: April 13, 2009, 04:45:15 PM »
Thanks micky77. Back in the morn.

mkis
Re: Desktopicon\eBayShortcuts.exe
« Reply #5 on: April 13, 2009, 10:45:09 PM »
Quote from: mkis on Today at 02:13:16 PM
Quote
Some of the downloads are saved to program files but have yet to be run – one is ‘Unlocker’,


http://www.malwarebytes.org/forums/index.php?showtopic=6281&hl=eBayShortcuts.exe

That seems to be the one micky77


The eBayShortcuts entry almost certainly came with 'Unlocker' but I can't recall a checkbox option. There must have been one. I deleted the entry with mbam because I don't use eBay. So all entries have to go. Also, I did run 'Unlocker'. So I've cleaned that out as well. I use http://www.revouninstaller.com/


So false positive? I can't find anything live except that mbam found 1 infection. Nothing in any of the log viewers. Only the mbam log picked up the file. Time pressing so may have to just clean and move on. Interested if anyone has a similar log like in micky77's link above. I don't actually use eBay myself.
