TR/Dropper.Gen trojans

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Ice4 (Thread Starter; Joined: Oct 8, 2007; Messages: 191)
Last night my browser stopped while it was loading a webpage, then crashed completely without any further communication. Firefox or Windows usually at least acknowledge that the browser had to shut down for some reason after it does. As this was happening, a long string of numbers appeared in my Windows Task Manager. I wrote it down: 0.44122103151821657.exe

I think the process disappeared immediately after I wrote down the number, and I had also unplugged my dial up connection immediately. When I logged back on, my Avira AntiVir Free alerted me to a trojan repeatedly. The first time I let it "deny access" because that was the default setting on the warning, but after that I ticked "delete". I did a scan immediately after, and it came back clean, but I'm skeptical. The computer was moving very slowly after and I saw weird stuff happening in the Windows Task Manager under Processes. I also cleared my browser cache and deleted any unknown cookies.

Here's what was in the Event Log of Avira:

4/18/10 4:21
Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Local Settings\Temp\57.tmp.
Action performed: Deny access

4/18/10 4:23
Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Local Settings\Temp\59.tmp.
Action performed: Delete file

4/18/10 5:09
Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Local Settings\Temp\63.tmp.
Action performed: Delete file

4/18/10 5:10
Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Local Settings\Temp\64.tmp.
Action performed: Delete file

I kept an eye on my Task Manager after that, and noticed that a couple of times an Adobe process appeared. I didn't write it down exactly, but it was one I associate with the PDF reader, and I manually ended the process each time, because I don't use the reader and I don't like when it thinks it should update on its own (I have the updater turned off). Then occasionally some process flashed and disappeared. It was too fast to see it, but at one point, a number followed by .tmp (I think it was 66.tmp) appeared under Processes, and stuck around. I manually ended the process, and unplugged my internet connection again.

I looked around in the temp folder and I found a couple of numbered .tmp files that were created over the last couple of hours previous to this. I tried to delete them. One looked like it was deleting, then I was told it couldn't be, that it was being used by another program, but the file was gone nonetheless. I tried the same with the other file, and got the same message, and it stayed.

A few weeks ago I also had an event, which I wonder if it's involved in this, since it has the same extension apparently:

3/26/10 22:38
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\sttm9vn5.default\Cache\B8A1E323d01.
Action performed: Deny access

Any help in figuring out if I'm still infected would be greatly appreciated. Thanx.
 

Ice4 (Thread Starter; Joined: Oct 8, 2007; Messages: 191)
I just ran the SuperAntiSpyware Free, and during the first few minutes of the scan, Avira threw up another couple of warnings. Since this time it seemed to be like it might be associated with a system process, I ticked move to quarantine, just in case. This is from the Avira Event Log, all four events at the same time:

4/18/10 18:35
Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe.
Action performed: Move file to quarantine

Error detected in AntiVir Guard.
Error message: Action failed for file: C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe
Error code: [0x00000005 - Access is denied.].

Error detected in AntiVir Guard.
Error message: Action failed for file: C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe
Error code: [0x00000005 - Access is denied.].

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe.
Action performed: Move file to quarantine

Then SAS found several things. The usual few adware tracking cookies, but also apparently the trojan(s). It found 1 item each in Memory and Registry, and 2 items in Files:

This was listed under Registry Keys:

Trojan.Agent/Gen
HKCR\idid

These were the others, 3 items with the same name:

Trojan.Agent/Gen-FakeAlert

in Memory Processes:
C:\WINDOWS\SYSTEM32\HEFS.NTO

in Files:
C:\WINDOWS\SYSTEM32\HEFS.NTO
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\56.TMP

After clicking to have these quarantined/removed, SAS prompted me to reboot. As it was rebooting, I got a RUNDLL error message saying:

Error loading hefs.nto
The specific module could not be found

I clicked OK and everything appears to have loaded normally. I'm hoping that took care of it...?

Incidentally the file 56.tmp was the file that I tried to delete manually from the temp folder last night, that wouldn't delete. I forgot to mention that I also scanned the file with Malwarebyte's AntiMalware, the other program I have on my system, and it came up clean.

Does the "FakeAlert" mean that not all of these were actually trojans? I know Avira has been said to generate some false positives. Is this related? Would love it if someone would give me some insight for future reference into this.

Thanx.
 

Ice4 (Thread Starter; Joined: Oct 8, 2007; Messages: 191)
Well, I guess it's not over yet, unless Avira is giving me false warnings...

Just now got the following:

4/19/10 0.03

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\3ZYTC57V\update4303[1].exe.
Action performed: Delete file

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\autoexec.exe.
Action performed: Deny access
 

Ice4 (Thread Starter; Joined: Oct 8, 2007; Messages: 191)
Did another scan with SuperAntiSpyware, and the same message as when I did the first scan appeared, twice:

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe.
Action performed: Deny access

The scan came back totally clean.
 

Ice4 (Thread Starter; Joined: Oct 8, 2007; Messages: 191)
I tried one more scan, this time with Malwarebyte's AntiMalware. When I rebooted after updating it, I got that same rundll error message again on reboot. During the scan Avira threw up 13 warnings, over 5 separate times, including all the same ones from yesterday, today's lsass one repeatedly, as well as the one from a few weeks ago. Guess that one's been with me all this time. MBAM found 13 files, and claims to have dealt with them. I'm pasting the log below. After reboot, I did not get that rundll error message again this time. I also noticed that the second lsass process that was in my Task Manager is now gone.

I feel like I just watched an ancient Greek battle on my computer... Is it over yet?

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/19/2010 2:56:35 AM
mbam-log-2010-04-19 (02-56-35).txt

Scan type: Full scan (C:\|)
Objects scanned: 143283
Time elapsed: 1 hour(s), 6 minute(s), 26 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 5

Memory Processes Infected:
C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe hefs.nto rpwvj) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D} (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\confin.sys (Malware.Trace) -> Quarantined and deleted successfully.
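
The MBAM log above names two persistence points that also explain the RUNDLL error reported earlier in the thread: the Winlogon Shell value had been extended from "Explorer.exe" to "Explorer.exe rundll32.exe hefs.nto rpwvj", so once SuperAntiSpyware had removed hefs.nto, Winlogon still launched rundll32.exe with that module at logon and rundll32 reported it could not be found; and a value named rthdbpl under Policies\Explorer\Run. The PowerShell script below is an added example, not code from the thread or from any of the tools named in it. It audits those two registry locations and flags any running lsass.exe whose image is not the one in System32 (the copy in this thread lived under Application Data\SystemProc). It assumes an elevated session and PowerShell 2.0 or later (on XP SP2 that has to be installed separately); the expected Shell value "Explorer.exe" is taken from the "Good:" entry MBAM reported.

```powershell
# Added example (not from the thread): audit the persistence points that
# MBAM reported, plus the lsass.exe image path. Run in an elevated session.
# Assumes PowerShell 2.0+; registry paths are the ones named in the MBAM log.

$findings = @()

# 1. Winlogon Shell should be exactly "Explorer.exe". MBAM showed it had been
#    extended to "Explorer.exe rundll32.exe hefs.nto rpwvj", which is why
#    rundll32 complained about hefs.nto at logon after the file was removed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'Explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'Explorer.exe')"
}

# 2. Policies\Explorer\Run is an autostart location that legitimate software
#    rarely writes to, so list every value present (MBAM found 'rthdbpl' here).
$polRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $polRun) {
    $props = Get-ItemProperty -Path $polRun
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # skip provider metadata
        ForEach-Object { $findings += "Policies\Explorer\Run: $($_.Name) = $($_.Value)" }
}

# 3. The real lsass.exe lives only in %SystemRoot%\System32. Any process with
#    that name running from elsewhere (here: ...\Application Data\SystemProc)
#    is suspect. ExecutablePath may be empty when not elevated; skip those.
$sys32Lsass = Join-Path $env:SystemRoot 'System32\lsass.exe'
Get-WmiObject Win32_Process -Filter "Name='lsass.exe'" | ForEach-Object {
    if ($_.ExecutablePath -and ($_.ExecutablePath -ine $sys32Lsass)) {
        $findings += "lsass.exe running from $($_.ExecutablePath) (PID $($_.ProcessId))"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A clean result from this check does not prove the machine is clean (it only covers the locations this thread's logs surfaced), but a non-empty result after the scanners report success is a reliable sign that something re-established itself and the machine still needs attention.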
 

Ice4 (Thread Starter; Joined: Oct 8, 2007; Messages: 191)
And it continues... Got another message from Avira:

Virus or unwanted program 'TR/Trash.Gen [trojan]'
detected in file 'C:\System Volume Information\_restore{9FFFF274-B2A1-4F59-86E7-5746BCAA499A}\RP695\A0061062.exe.
Action performed: Deny access

I scanned the computer and it says it's quarantined the virus.

I also scanned again with MBAM and it found nothing.
 