Can this be explained...

Discussion in 'General Software Discussion' started by Tyrsonswood, Dec 26, 2014.

  1. Tyrsonswood

    Tyrsonswood HH's curmudgeon

    Joined:
    Mar 7, 2008
    Messages:
    13,774
    Likes Received:
    1,555
    Trophy Points:
    138
    Okay, Win7 machine. Few months old, all updated, running AVG, scanned semi-regularly with Malwarebytes, no issues...

    Except there's this program in the Notification Area (tool tray, or whatever you want to call it on the right hand side) that apparently doesn't exist. I was on the other side of the room yesterday... Computer was playing music, which is its normal job, and I heard a "program closing" or "disconnecting" type of sound... Not sure which Windows sound it was specifically. When I got to the system an icon disappeared from the tool tray. I went to the "customize" option and the icon I saw was there in the list along with the program name, bccacabebdbdi.exe. No description of what it does, and when I set it to show icon and notifications it said it was inactive at the time. If I search there is no such program or file on my hard drives... Nor anything similar. There is also no such name anywhere on the net.


    So, how does something exist and not exist at the same time?
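    One way the customize list can show an icon for a program that is no longer on disk: the notification area keeps a per-user cache of every tray icon it has ever displayed (the IconStreams and PastIconsStream values under the TrayNotify registry key), and the Customize dialog is populated from that cache rather than from the file system. The script below is an added example, not from the thread or any poster, that decodes the cache and flags remembered executables that no longer exist. The record layout it assumes (20-byte header, 1640-byte records, ROT13-obfuscated UTF-16LE path in the first 528 bytes of each record) is the Windows 7 layout described by forensic tooling; the sample blob, its paths and the Temp location of bccacabebdbdi.exe are constructed for the demonstration.

```python
import codecs
import os

# Layout of the TrayNotify IconStreams / PastIconsStream values on Windows 7 as
# described by forensic tooling (assumption; adjust if your build differs):
# a 20-byte header, then fixed 1640-byte records whose first 528 bytes hold the
# executable path as ROT13-obfuscated UTF-16LE text, zero padded.
HEADER_SIZE = 20
RECORD_SIZE = 1640
PATH_BYTES = 528

TRAYNOTIFY_KEY = (r"Software\Classes\Local Settings\Software\Microsoft"
                  r"\Windows\CurrentVersion\TrayNotify")


def decode_path(raw):
    """Decode one record's path field: UTF-16LE, cut at the first NUL, then ROT13."""
    text = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return codecs.decode(text, "rot_13")


def parse_icon_streams(blob):
    """Return the executable paths recorded in an IconStreams/PastIconsStream blob."""
    paths = []
    body = blob[HEADER_SIZE:]
    for off in range(0, len(body) - RECORD_SIZE + 1, RECORD_SIZE):
        path = decode_path(body[off:off + PATH_BYTES])
        if path:
            paths.append(path)
    return paths


def find_missing(paths, exists=os.path.exists):
    """Paths the cache still remembers but which no longer exist on disk."""
    return [p for p in paths if not exists(os.path.expandvars(p))]


def read_from_registry():
    """On Windows, read the current user's cache values; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, TRAYNOTIFY_KEY) as key:
        for name in ("IconStreams", "PastIconsStream"):
            try:
                data, _ = winreg.QueryValueEx(key, name)
                out[name] = parse_icon_streams(data)
            except FileNotFoundError:
                pass  # value absent on this profile
    return out


# --- Constructed sample data (not from the thread) so the script runs anywhere ---
def build_record(path):
    """Build one record the way the cache stores it: ROT13 path, UTF-16LE, zero padded."""
    enc = codecs.encode(path, "rot_13").encode("utf-16-le")
    return enc.ljust(RECORD_SIZE, b"\x00")


SAMPLE_PATHS = [
    r"C:\Windows\explorer.exe",
    r"C:\Users\example\AppData\Local\Temp\bccacabebdbdi.exe",  # constructed location
]
SAMPLE_BLOB = b"\x00" * HEADER_SIZE + b"".join(build_record(p) for p in SAMPLE_PATHS)


if __name__ == "__main__":
    cached = read_from_registry() or {"sample": parse_icon_streams(SAMPLE_BLOB)}
    for name, paths in cached.items():
        print(f"== {name}: {len(paths)} remembered icon(s)")
        for p in paths:
            flag = "MISSING" if find_missing([p]) else "present"
            print(f"  [{flag}] {p}")
```

    Run it as the user whose tray showed the icon; off Windows it falls back to the constructed sample. A MISSING entry that points into a temp or profile directory is worth correlating with the antivirus quarantine log and scan timestamps, because a file that was quarantined or deleted still leaves its tray record behind.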
     
  2. Takaharu

    Takaharu Unus offa, unus iuguolo

    Joined:
    Aug 31, 2009
    Messages:
    3,386
    Likes Received:
    401
    Trophy Points:
    108
    That's quite common. It's basically malware that automatically generates a new name. If you manage to find it and delete it, a new one will be generated so you'll need to look for a file/program that isn't recognised (which is the one that generates). I really can't recall where, I'm afraid. Documents/Downloads/etc is your first port of call, followed by Program Files. I'm fairly sure it's not in System32.
     
  3. Tyrsonswood

    Tyrsonswood HH's curmudgeon

    Joined:
    Mar 7, 2008
    Messages:
    13,774
    Likes Received:
    1,555
    Trophy Points:
    138
    But what am I looking for? Search says that file isn't on my system... Scans show it's clean too (Malwarebytes and AVG). Recommendations for a better scan tool?


    By the way, it no longer shows in the tool tray.
     
  4. Tipstaff

    Tipstaff Well-Known Member

    Joined:
    Jul 22, 2002
    Messages:
    9,745
    Likes Received:
    1,390
    Trophy Points:
    123
    SUPERAntispyware and Malwarebytes run in tandem should be fine. The key is to run them in safe mode (if possible), and without a network connection (i.e. be offline). The first thing I would do (other than installing the needed software) is disable your network card, then hit the Windows key plus R, go into msconfig, and disable ALL startup items. After that go into System Restore, and disable it. Then reboot into safe mode, and run both MB and SA, one after the other, twice. Note: be sure to run them with administrator rights.

    Other tools to try would be Microsoft Removal Tool (HERE), ComboFix (HERE), ADWCleaner (HERE), and RogueKiller (HERE). In fact I would run RogueKiller first, then Malwarebytes and SUPERAntispyware afterwards.

    Once you run those boot back into normal mode, and run them again (you still want to be offline, btw). After another reboot, if you feel things are as good as they're going to get, go back into msconfig, and re-enable things one at a time of items you KNOW. Anything left over is probably malware. If you aren't sure of what's what, just take a snapshot, post the pic here, and we can go through it for you.

    Another thing: I usually uninstall all network drivers, and do a fresh reinstall of them, just in case they've been hijacked.
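    For the msconfig step above (disable everything, then re-enable only the items you know), here is an added example, not Tipstaff's or any other poster's code, that lists the Run/RunOnce startup entries and flags the ones whose target no longer exists on disk, is a bare program name resolved through PATH, or runs from a user-writable temp directory. The registry-reading part only works on Windows; the constructed SAMPLE_ENTRIES (value names and paths are made up) let the audit logic run anywhere. Services, scheduled tasks, Winlogon and the WOW6432Node keys are other autostart locations it does not cover.

```python
import os

# Autostart keys reviewed here (assumption: the classic Run/RunOnce locations only).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Directories that legitimate autostart entries rarely run from (heuristic).
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def extract_executable(command):
    """Return the program part of a Run value's command line.

    Quoted: everything up to the closing quote. Unquoted: tokens up to the first
    one ending in .exe (so spaces in the path survive), else the first token.
    """
    cmd = command.strip()
    if not cmd:
        return ""
    if cmd[0] == '"':
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[:i + 1])
    return tokens[0]


def audit_entries(entries, exists=os.path.exists):
    """entries: iterable of (hive, key, value_name, command). Returns one dict per entry."""
    findings = []
    for hive, key, name, command in entries:
        exe = os.path.expandvars(extract_executable(command))
        # A bare name ("rundll32.exe ...") is resolved through PATH at run time,
        # so we cannot say whether it is present without knowing PATH.
        present = exists(exe) if ("\\" in exe or "/" in exe) else None
        notes = []
        if present is False:
            notes.append("target missing on disk")
        if present is None:
            notes.append("bare program name, resolved via PATH")
        if any(d in exe.lower() for d in SUSPECT_DIRS):
            notes.append("runs from a user-writable/temp directory")
        findings.append({"hive": hive, "key": key, "name": name,
                         "exe": exe, "present": present, "notes": notes})
    return findings


def read_run_keys():
    """On Windows, enumerate the RUN_KEYS values; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key absent
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((hive, path, name, str(data)))
                index += 1
    return entries


# Constructed sample entries (not from the thread); the Temp path is made up.
SAMPLE_ENTRIES = [
    ("HKLM", RUN_KEYS[2][1], "Explorer", r'"C:\Windows\explorer.exe" /startup'),
    ("HKCU", RUN_KEYS[0][1], "updater", r'C:\Users\example\AppData\Local\Temp\bccacabebdbdi.exe -quiet'),
    ("HKCU", RUN_KEYS[0][1], "helper", r'rundll32.exe "C:\Users\example\AppData\Roaming\x.dll",Entry'),
]


if __name__ == "__main__":
    for f in audit_entries(read_run_keys() or SAMPLE_ENTRIES):
        status = {True: "ok", False: "MISSING", None: "?"}[f["present"]]
        print(f"[{status:7}] {f['hive']}\\{f['key']} :: {f['name']} -> {f['exe']}")
        for n in f["notes"]:
            print(f"          - {n}")
```

    An entry whose target is missing is what you would expect after a scanner removed the file but left the registry value behind; an entry that runs from Temp with a random-looking name is the kind of item to leave disabled when re-enabling known startup items.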
     
  5. Tyrsonswood

    Tyrsonswood HH's curmudgeon

    Joined:
    Mar 7, 2008
    Messages:
    13,774
    Likes Received:
    1,555
    Trophy Points:
    138
    ^^^ I got nuthin'


    Meaning, I did all that and there's nothing there.
     
  6. jiiteepee

    jiiteepee Active Member

    Joined:
    Apr 3, 2005
    Messages:
    409
    Likes Received:
    1
    Trophy Points:
    28
    There is a "Resource monitoring" tool in W7 (open Task Manager, select the Performance tab and press the "Resource Monitor" button) for monitoring the behaviour of the weird exe. Try to find the target site your malware is trying to contact. If the Resource Monitor utility is not good enough for this then try ZoneAlarm firewall + antivirus (free) (just enable all alerting and logging features ...) which allows you to log/alert network I/O and even some software behaviour.
     
  7. Tipstaff

    Tipstaff Well-Known Member

    Joined:
    Jul 22, 2002
    Messages:
    9,745
    Likes Received:
    1,390
    Trophy Points:
    123
    If it's not malware then all I can think of is it's a device connecting/disconnecting, usually a USB device, maybe due to inactivity. I've seen mice and USB storage do this. There's a program called USBDeview (you can get it HERE, download link is at the bottom for x86 and x64) that you can use to track USB devices, what's installed, what's connected, but the real beauty is that there is a column for "Last plug/unplug date". If you can remember the date and time it occurred, or if you ever hear that happen again, just sort by that column to see if anything connected/disconnected.

    A funny thing about Windows is that it remembers every USB device you've ever plugged into your system. The thing about USBDeview is that you can uninstall the old USB devices that Windows remembers, and the drivers for them too. For instance in my case the MotionInJoy driver (that allows you to use a PS3 controller on the PC) still loads even after I uninstalled the drivers years ago. What led me to that software in the first place was that a client had installed a device a couple years back, and even though they don't use that device anymore the driver continued to load which was causing an issue with a different "similar" type of device they were trying to use. This could be an issue here as well where an old driver is periodically trying to connect/disconnect a device you no longer have. The only thing USBDeview can't tell you is if those drivers have associated services that are still active or not, so you might need to go through those too.
     
  8. Tyrsonswood

    Tyrsonswood HH's curmudgeon

    Joined:
    Mar 7, 2008
    Messages:
    13,774
    Likes Received:
    1,555
    Trophy Points:
    138
    Seems that if it was a USB device it or its drivers wouldn't have such an obscure name... Also there would be something on the net about it. I ran the USBDeview and there were only a handful of items listed and those are all accounted for. As I said this is a fairly new machine and it has had very few changes or devices plugged into it.

    @ jiiteepee If I were able to know what I was looking for, Resource Monitor or something similar could tell me something. With that file name not existing on my machine it would have to run under another name, or changed names, or something, and if it's something "phoning home" I would have to be right here when that happened and know what name it wanted to call itself at that moment. Frustrating as hell.

    I did just Google that name again and it found something... This thread.

    At least we know Google bots are working properly.
     
  9. Takaharu

    Takaharu Unus offa, unus iuguolo

    Joined:
    Aug 31, 2009
    Messages:
    3,386
    Likes Received:
    401
    Trophy Points:
    108
    I'd say that the primary focus is to find the file in question. A third-party search tool may be required if Windows Search doesn't find anything and you may also need to enable hidden system files and "ordinary" hidden files. Make a note of where it is, delete it then reboot. If a new file takes its place you'll know that it's randomly-generated. It's not a solution, rather a diagnosis.
     
  10. Tyrsonswood

    Tyrsonswood HH's curmudgeon

    Joined:
    Mar 7, 2008
    Messages:
    13,774
    Likes Received:
    1,555
    Trophy Points:
    138
    I'm not finding much, scans have gotten rid of a few cookies (non malicious), and noted a few broken signatures. I've been searching and watching processes (boring as hell).... Nothing.

    I have noticed one thing that may or may not be related, I don't know. When I look at the "Performance" page in task manager the "last core" is always going nuts, even if nothing is running. (I shouldn't say nothing because default programs, anti virus/anti spyware, power management for the UPS, etc. are running) I say "last core" because this is an unlocked dual core Phenom II running as a quad. Thinking that maybe that core was going bad I put it back to a dual and then the second core was doing the same thing... The graph looks like an earthquake plot. I put it back to a quad because it's never caused problems before. My only comparison here at the moment is a quad Intel chip running XP and all 4 cores seem to be doing pretty much the same thing as the others. Like even load across all cores instead of one running crazy while the others idle... Said XP/Intel system is running the same background programs as this Win7/AMD system...

    Weird.

    So, can malware run completely invisible, change names at random and steal one core to do its dirty work or what.... As I've said the system "seems" to be fine except for that one time. Oh, and bccacabdbdi.exe is gone from the tool tray.


    Maybe it was the NSA scanning my system... :D
     
  11. Dyre Straits

    Dyre Straits 10 Grandkids -2 Great-grandsons

    Joined:
    May 13, 2002
    Messages:
    19,581
    Likes Received:
    2,548
    Trophy Points:
    153
    May be closer to the truth than either of us like to think. ;)
     
  12. Tipstaff

    Tipstaff Well-Known Member

    Joined:
    Jul 22, 2002
    Messages:
    9,745
    Likes Received:
    1,390
    Trophy Points:
    123
    It could also be that you had some piece of malware that tried to install itself, and your AV package caught it in time. However that still doesn't explain the connect/disconnect sound, a Windows sound that is specific to that exact procedure. Other possibilities would be a faulty cable from the case to the motherboard, a card reader that is faulty can power up and down, glitchy network card...

    ...or something else that dawned on me just now could be that Windows powered down a device to save power. I see this from time to time when people run in "Balanced" mode under "Power Options" (the default Windows mode). One of the default settings is to power down select devices (such as USB devices, keyboard, mouse, and network cards) to save power which correlates to the check box for each device in Device Manager under the "Power Management" tab (if the device has one). Left alone long enough, and Windows will power down those devices, but it can glitch when it comes to USB mice. Windows can power down a laser or optical mouse, and suddenly power it back up because the sensor on the mouse sensed the slightest of movement... which it's supposed to because the default setting is to allow the mouse to wake up the PC. Anyways.. just a thought...
     