Author Topic: Automatically Deleted File Causing Popup At Startup  (Read 17673 times)

0 Members and 1 Guest are viewing this topic.

Offline mpkeith

  • Jr. Member
  • **
  • Posts: 22
Automatically Deleted File Causing Popup At Startup
« on: December 22, 2010, 03:39:42 AM »
I just installed Avast today and about 3 minutes later I got a popup saying a trojan was detected and deleted. Now, everytime I start up my laptop I get an error message popup saying "there was a problem starting c:\Users\xxxxx\AppData\Local\BthcfgLite\nsPathapi.dll - The specified module could not be found", which was the file that was deleted by Avast.

Any idea what this was, or how I can stop this message from popping up every time I boot? I've searched for this file to try and find the program it's associated with but my search turns up zero results. Thanks!

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: Automatically Deleted File Causing Popup At Startup
« Reply #1 on: December 22, 2010, 05:29:30 AM »
***

Welcome to the forums, mpkeith   :)

If I am not mistaken, that dll belongs to Java. Try reinstalling Java. Make sure you get the newest version.


***

EDIT :   The information given at the below link is a little different. In the post at the link below, you say that avast quarantined the file. If that is true, then the file would still be in the Virus Chest and might be restored. Is it still there?
http://www.bleepingcomputer.com/forums/topic368760.html


***
« Last Edit: December 22, 2010, 05:41:08 AM by CharleyO »
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline mpkeith

  • Jr. Member
  • **
  • Posts: 22
Re: Automatically Deleted File Causing Popup At Startup
« Reply #2 on: December 22, 2010, 05:58:27 AM »
Thanks Charley. Yes, it is still there. I installed Avast for the first time yesterday and ran a manual scan, which returned 2 results for trojans... the file in question as well as msocfg32.exe. I quarantined them both and the popup started @ bootup, so I did a system restore and reinstalled Avast earlier today. That's when I got the taskbar popup that said the file was (detected/quarantined) and deleted.

EDIT: If I restore this file, that should solve the problem, but won't it just get quarantined again the next time it tries to run? Also, I think it may possibly be part of a browser hijacker I've been having problems with in Firefox. I believe the notification of quarantine occurred when I was doing a Google search, and the hijacker would take me to pages that weren't the page my search results said they were. If that's the case, I'd like to delete whatever it is that the file is associated with as well so I don't have the hijacker and I don't get the "failure to start" popup either.

POSTEDIT: When I search Google for "BthcfgLite" with the quotes, this page and the page you mentioned of my other post are the only 2 results that come up. Is it possible if I delete this folder that contains the nsPathapi.dll file that might stop the popup I'm getting? It seems to me if I'm the only person on the Internet that's mentioned this folder it can't be something that belongs to any legit programs. Or could it be autogenerated by a legit program?
« Last Edit: December 22, 2010, 06:31:02 AM by mpkeith »

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: Automatically Deleted File Causing Popup At Startup
« Reply #3 on: December 22, 2010, 06:45:58 AM »
***

OK, let's do this :

Quote
You could check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner ( http://www.virustotal.com/ ) and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

Borrowed from DavidR


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline mpkeith

  • Jr. Member
  • **
  • Posts: 22
Re: Automatically Deleted File Causing Popup At Startup
« Reply #4 on: December 22, 2010, 10:54:16 AM »
Here is the VT link: http://www.virustotal.com/file-scan/report.html?id=f6e1c5bb3c46f7b3cca4501695a1ef8f58d4c73bb7b40a87cfb419fbd1ce20a0-1293011449

There are 6/43 possitives on this... 4/43 if you count Avast, Avast5 and Gdata as one. What do you think?
« Last Edit: December 22, 2010, 11:00:26 AM by mpkeith »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: Automatically Deleted File Causing Popup At Startup
« Reply #5 on: December 22, 2010, 11:29:25 AM »
I did not find anything in Google.
Seems a false positive (and companies mimic the others detection on VT). But, it's difficult to say as I can't find any legit program that uses that BthcfgLite folder...
Maybe someone with more experience could help us.
The best things in life are free.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72843
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Automatically Deleted File Causing Popup At Startup
« Reply #6 on: December 22, 2010, 12:43:47 PM »
I did not find anything in Google.
Seems a false positive (and companies mimic the others detection on VT). But, it's difficult to say as I can't find any legit program that uses that BthcfgLite folder...
Maybe someone with more experience could help us.

Well, the folder name alone is highly suspicious...!!!
Run free Mbam to get a second opinon..! http://www.malwarebytes.org/mbam.php
Update it before scanning and post the log here afterwards.
asyn

Win 8.1 [x64] - Avast PremSec 21.10.6772.IBC [UI.679] - EEK - Firefox ESR 91.3 [NS/uBO/PB] - TB 91.3.2
Avast-Tools: Secure Browser 96.0 - Cleanup 21.3 - SecureLine 5.14 - Driver Updater 21.3 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline 12-es_csaj

  • Full Member
  • ***
  • Posts: 186
  • Stop malicious codes! We don't want them!
Re: Automatically Deleted File Causing Popup At Startup
« Reply #7 on: December 22, 2010, 01:30:21 PM »
Ikarus (and Emsisoft with its Ikarus engine) and COMODO and avast! says that it is a trojan named sefnit. So I would say all three detections are the same. So I think that isn't a false positive.
OS: Windows 7 Home Premium 64bit - Service Pack 1
Resident: avast! 6.0.1289; Windows Firewall On-demand: Malwarebytes' Anti-Malware free
Browsers: Mozilla Firefox; Google Chrome

Offline Silk0

  • Poster
  • *
  • Posts: 482
  • Octo Live
Re: Automatically Deleted File Causing Popup At Startup
« Reply #8 on: December 22, 2010, 01:32:46 PM »
I would suggest what Asyn said...
Download MBAM and run a full scan.

Give us a feedback when it's done.
~ Silk0
Avast! Free 6.0.1367

Offline mpkeith

  • Jr. Member
  • **
  • Posts: 22
Re: Automatically Deleted File Causing Popup At Startup
« Reply #9 on: December 22, 2010, 08:48:34 PM »
I've ran mbam a few times already over the past week or so and it hasn't found any malicious files... this was even before I quarantined the file in question. I can restore the file to it's original location and give it another shot though. I'll do a manual update of mbam first.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: Automatically Deleted File Causing Popup At Startup
« Reply #10 on: December 22, 2010, 09:52:21 PM »
There is probably a run key related to that file - Do you use bluetooth ?

Offline mpkeith

  • Jr. Member
  • **
  • Posts: 22
Re: Automatically Deleted File Causing Popup At Startup
« Reply #11 on: December 22, 2010, 09:56:00 PM »
Below are the results of a full scan with mbam... I forgot to restore the file to it's original location, but then I realized it's still in C:\Suspect folder so it should have caught it there. Again, nothing malicious.

No, I don't use bluetooth, but that doesn't mean my laptop didn't come with bluetooth software.


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5351

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/22/2010 3:47:32 PM
mbam-log-2010-12-22 (15-47-32).txt

Scan type: Full scan (C:\|)
Objects scanned: 224499
Time elapsed: 1 hour(s), 0 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
« Last Edit: December 22, 2010, 09:57:52 PM by mpkeith »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: Automatically Deleted File Causing Popup At Startup
« Reply #12 on: December 22, 2010, 10:46:32 PM »
If it is in the vault then MBAM will not be able to detect it

If you could run an OTL log for me I could look at the run key location and then determine whether or not it is a legitimate file

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT




  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Offline mpkeith

  • Jr. Member
  • **
  • Posts: 22
Re: Automatically Deleted File Causing Popup At Startup
« Reply #13 on: December 22, 2010, 11:53:04 PM »
I restored the file to it's original location before I ran mbam but it's still showing up in the vault. I tried again to make sure it went through and was told the file already existed, so it is there. I also ran mbam a few times before I installed Avast and it came back negative then as well.

Here are my OTL logs... I had to host them on one of my domains as they were too large to post here:

http://gylbo.com/myfiles/OTL.Txt
http://gylbo.com/myfiles/Extras.Txt


The folder seems to have been created the night I installed Flip Video (though a few hours later), which is a software program that edits video taken from Flip camcorders. I wonder if it is a part of that program... or possibly a file converter I downloaded to change my mp4 files to flash video files.
« Last Edit: December 23, 2010, 01:09:23 AM by mpkeith »

Offline De Hollander

  • Jr. Member
  • **
  • Posts: 68
Re: Automatically Deleted File Causing Popup At Startup
« Reply #14 on: December 23, 2010, 03:03:03 AM »
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSefnit.E

Any of those files or folder present.

BTW,I see a lot of Norton Internet Security entry's in your log. How did you removed Norton. And did you use their removal tool.
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN