
TR/Dropper.Gen trojans

Discussion in 'Virus & Other Malware Removal' started by Ice4, Apr 18, 2010.

Thread Status:
Not open for further replies.
  1. Ice4

    Ice4 Thread Starter

    Joined:
    Oct 8, 2007
    Messages:
    160
    Last night my browser stopped while it was loading a webpage, then crashed completely without any further communication. Firefox or Windows usually at least acknowledge that the browser had to shut down for some reason after it does. As this was happening, a long string of numbers appeared in my Windows Task Manager. I wrote it down: 0.44122103151821657.exe

    I think the process disappeared immediately after I wrote down the number, and I had also unplugged my dial up connection immediately. When I logged back on, my Avira AntiVir Free alerted me to a trojan repeatedly. The first time I let it "deny access" because that was the default setting on the warning, but after that I ticked "delete". I did a scan immediately after, and it came back clean, but I'm skeptical. The computer was moving very slowly after and I saw weird stuff happening in the Windows Task Manager under Processes. I also cleared my browser cache and deleted any unknown cookies.

    Here's what was in the Event Log of Avira:

    4/18/10 4:21
    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\Documents and Settings\user\Local Settings\Temp\57.tmp.
    Action performed: Deny access

    4/18/10 4:23
    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\Documents and Settings\user\Local Settings\Temp\59.tmp.
    Action performed: Delete file

    4/18/10 5:09
    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\Documents and Settings\user\Local Settings\Temp\63.tmp.
    Action performed: Delete file

    4/18/10 5:10
    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\Documents and Settings\user\Local Settings\Temp\64.tmp.
    Action performed: Delete file

    I kept an eye on my Task Manager after that, and noticed that a couple of times an Adobe process appeared. I didn't write it down exactly, but it was one I associate with the PDF reader, and I manually ended the process each time, because I don't use the reader and I don't like when it thinks it should update on its own (I have the updater turned off). Then occasionally some process flashed and disappeared. It was too fast to see it, but at one point, a number followed by .tmp (I think it was 66.tmp) appeared under Processes, and stuck around. I manually ended the process, and unplugged my internet connection again.

    I looked around in the temp folder and I found a couple of numbered .tmp files that were created over the last couple of hours previous to this. I tried to delete them. One looked like it was deleting, then I was told it couldn't be, that it was being used by another program, but the file was gone nonetheless. I tried the same with the other file, and got the same message, and it stayed.

    A few weeks ago I also had an event, which I wonder if it's involved in this, since it has the same extension apparently:

    3/26/10 22:38
    Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
    detected in file 'C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\sttm9vn5.default\Cache\B8A1E323d01.
    Action performed: Deny access

    Any help in figuring out if I'm still infected would be greatly appreciated. Thanx.
     
  2. Ice4
    I just ran the SuperAntiSpyware Free, and during the first few minutes of the scan, Avira threw up another couple of warnings. Since this time it seemed to be like it might be associated with a system process, I ticked move to quarantine, just in case. This is from the Avira Event Log, all four events at the same time:

    4/18/10 18:35
    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe.
    Action performed: Move file to quarantine

    Error detected in AntiVir Guard.
    Error message: Action failed for file: C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe
    Error code: [0x00000005 - Access is denied.].

    Error detected in AntiVir Guard.
    Error message: Action failed for file: C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe
    Error code: [0x00000005 - Access is denied.].

    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe.
    Action performed: Move file to quarantine

    Then SAS found several things. The usual few adware tracking cookies, but also apparently the trojan(s). It found 1 item each in Memory and Registry, and 2 items in Files:

    This was listed under Registry Keys:

    Trojan.Agent/Gen
    HKCR\idid

    These were the others, 3 items with the same name:

    Trojan.Agent/Gen-FakeAlert

    in Memory Processes:
    C:\WINDOWS\SYSTEM32\HEFS.NTO

    in Files:
    C:\WINDOWS\SYSTEM32\HEFS.NTO
    C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\56.TMP

    After clicking to have these quarantined/removed, SAS prompted me to reboot. As it was rebooting, I got a RUNDLL error message saying:

    Error loading hefs.nto
    The specific module could not be found

    I clicked OK and everything appears to have loaded normally. I'm hoping that took care of it...?

    Incidentally the file 56.tmp was the file that I tried to delete manually from the temp folder last night, that wouldn't delete. I forgot to mention that I also scanned the file with Malwarebyte's AntiMalware, the other program I have on my system, and it came up clean.

    Does the "FakeAlert" mean that not all of these were actually trojans? I know Avira has been said to generate some false positives. Is this related? Would love it if someone would give me some insight for future reference into this.

    Thanx.
     
  3. Ice4
    Well, I guess it's not over yet, unless Avira is giving me false warnings...

    Just now got the following:

    4/19/10 0.03

    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\3ZYTC57V\update4303[1].exe.
    Action performed: Delete file

    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\autoexec.exe.
    Action performed: Deny access
     
  4. Ice4
    Did another scan with SuperAntiSpyware, and the same message as when I did the first scan appeared, twice:

    Virus or unwanted program 'TR/Dropper.Gen [trojan]'
    detected in file 'C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe.
    Action performed: Deny access

    The scan came back totally clean.
     
  5. Ice4
    I tried one more scan, this time with Malwarebyte's AntiMalware. When I rebooted after updating it, I got that same rundll error message again on reboot. During the scan Avira threw up 13 warnings, over 5 separate times, including all the same ones from yesterday, today's lsass one repeatedly, as well as the one from a few weeks ago. Guess that one's been with me all this time. MBAM found 13 files, and claims to have dealt with them. I'm pasting the log below. After reboot, I did not get that rundll error message again this time. I also noticed that the second lsass process that was in my Task Manager is now gone.

    I feel like I just watched an ancient Greek battle on my computer... Is it over yet?

    Here's the MBAM log:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3930

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    4/19/2010 2:56:35 AM
    mbam-log-2010-04-19 (02-56-35).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 143283
    Time elapsed: 1 hour(s), 6 minute(s), 26 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 4
    Files Infected: 5

    Memory Processes Infected:
    C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe hefs.nto rpwvj) Good: (Explorer.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D} (Trojan.Swisyn) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Trojan.Swisyn) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Trojan.Swisyn) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Trojan.Swisyn) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Trojan.Swisyn) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Trojan.Swisyn) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\confin.sys (Malware.Trace) -> Quarantined and deleted successfully.
     
  6. Ice4
    And it continues... Got another message from Avira:

    Virus or unwanted program 'TR/Trash.Gen [trojan]'
    detected in file 'C:\System Volume Information\_restore{9FFFF274-B2A1-4F59-86E7-5746BCAA499A}\RP695\A0061062.exe.
    Action performed: Deny access

    I scanned the computer and it says it's quarantined the virus.

    I also scanned again with MBAM and it found nothing.
     
Short URL to this thread: https://techguy.org/917780