
unable to remove [DETECTION] Is the TR/Dropper.Gen Trojan/ Moved


5 replies to this topic

#1 spece30

spece30

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:24 AM

Posted 09 April 2009 - 02:35 AM

Hi,

My problem started with a vundo infection as detected by Avira. I finally got that resolved using combofix. Now I am unable to get rid of the TR/Dropper.Gen Trojan. The rootkit search in combofix finds the same thing but does not fix it.

Avira says to restart the computer to complete the fix but the problem always returns. Any help would be appreciated.

Here is a snippet from the Avira report:

Starting search for hidden objects.
The repair notes were written to the file 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\AVSCAN-20090409-025528-442F19CB.avp'.
c:\windows\system32\drivers\ovfsthfosjdhdnjrlxrhbakugqnvdqkimovjcc.sys
[INFO] The file is not visible.
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a439c56.qua'!
c:\windows\system32\ovfsthfumvuhcnjndosmubofkcfmqxxbilxrjc.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\ovfsthoihtxrlhiouvbxtmkelwxsltjsmrnqjx.dat
[INFO] The file is not visible.
c:\windows\system32\ovfsthslbnvgwctxaopsahejvvesitlnkfmhfg.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\ovfsthvgtbmcmjdchswawsmfwijgbhnakjcmeh.dat
[INFO] The file is not visible.
c:\windows\system32\ovfsthwwpuainastddpmkmilpmorrxdubhlled.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\documents and settings\bendover\local settings\temp\ovfsthslccfypvbjckanabhwubyrfjhnrcwdiq000
[INFO] The file is not visible.
\systemroot\system32\drivers\ovfsthfosjdhdnjrlxrhbakugqnvdqkimovjcc.sys
[INFO] The registry entry is invisible.


End of the scan: Thursday, April 09, 2009 02:55
Used time: 01:31 Minute(s)
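A small triage of the Avira "hidden objects" report quoted above, written here as an added example (not code from the post or from Avira). It assumes the line layout shown in the snippet, a path line followed by tagged [INFO]/[DETECTION]/[NOTE] lines, and separates what the scan actually quarantined from what it only detected or only found hidden, which is the distinction a responder checks when a detection keeps coming back after a reboot. It also reports the common stem shared by the hidden file names.

```python
import os
import re
# Sample lines copied from the Avira report quoted in the first post (a constructed subset).
SAMPLE_REPORT = r"""
c:\windows\system32\drivers\ovfsthfosjdhdnjrlxrhbakugqnvdqkimovjcc.sys
[INFO] The file is not visible.
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a439c56.qua'!
c:\windows\system32\ovfsthfumvuhcnjndosmubofkcfmqxxbilxrjc.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\ovfsthoihtxrlhiouvbxtmkelwxsltjsmrnqjx.dat
[INFO] The file is not visible.
\systemroot\system32\drivers\ovfsthfosjdhdnjrlxrhbakugqnvdqkimovjcc.sys
[INFO] The registry entry is invisible.
"""
TAG_RE = re.compile(r"^\[(INFO|DETECTION|NOTE|WARNING)\]\s*(.*)$")
QUAR_RE = re.compile(r"moved to '([^']+)'")

def parse_report(text):
    """One dict per object: an untagged line is a path and opens a new entry."""
    entries = []
    for line in text.strip().splitlines():
        m = TAG_RE.match(line)
        if not m:
            entries.append(dict(path=line.rstrip(), hidden=False, registry=False, detection=None, quarantine=None))
            continue
        tag, msg = m.groups()
        cur = entries[-1]
        if "not visible" in msg or "invisible" in msg:
            cur["hidden"] = True
            cur["registry"] = "registry" in msg   # a hidden registry value, not a file on disk
        if tag == "DETECTION":
            cur["detection"] = msg.split()[2]     # "Is the <name> Trojan" -> <name>
        if q := QUAR_RE.search(msg):
            cur["quarantine"] = q.group(1)
    return entries

def status(e):
    # What the scan actually achieved for one object.
    if e["registry"]:
        return "hidden-registry-entry"
    if e["quarantine"]:
        return "quarantined"
    return "detected-not-quarantined" if e["detection"] else "hidden-no-signature"

def triage(text):
    # Map each path to its status, plus the shared stem of the hidden file names.
    entries = parse_report(text)
    names = [os.path.basename(e["path"].replace("\\", "/")) for e in entries if e["hidden"]]
    return {e["path"]: status(e) for e in entries}, os.path.commonprefix(names)
```

Run on the snippet, only the .sys driver comes back as quarantined; the two other detections and the hidden .dat stay on disk, and the hidden registry entry that references the driver is untouched.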

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:24 AM

Posted 09 April 2009 - 06:36 PM

As the log above is from your AntiVirus program, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT NOW POST LOGS unless a log is specifically requested.

using combofix


Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that is ComboFix is meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is thru s/he leaves the room. So combofix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.


From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

Please tell us what your operating system is.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 spece30

spece30
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:24 AM

Posted 09 April 2009 - 10:16 PM

Microsoft Windows XP Professional SP3

#4 spece30

spece30
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:24 AM

Posted 13 April 2009 - 11:31 PM

Well, you are pretty much useless.

Thanks for nothing.

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:24 AM

Posted 14 April 2009 - 05:53 AM

It's one thing to not follow directions and ignore disclaimers, but it's entirely uncalled for to be rude to someone, especially a staff member who has a hopeless job of straightening up this mess of a forum where everyone posts in the wrong place.

One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#6 spece30

spece30
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:24 AM

Posted 15 April 2009 - 08:05 PM

Hi,

Thanks for the reply. I originally posted to the "HijackThis Logs and Virus/Trojan/Spyware/Malware Removal" forum where I think it would have gotten the attention it deserved. I had followed instructions. I did not post a combofix log. I posted detailed word for word messages that I received as is requested in the instructions. The only thing I didn't put in the original post was the OS which was my mistake. Orange Blossom scolded me for using combofix and then moved it to "am I infected what do I do" and asked what operating system. There was no doubt I was infected and I answered the OS question on the same day. It then sat there unanswered and (to me at least) abandoned for 5 days. Hence my frustration. I posted that after I had already given up on any help and reformatted and re-installed XP.

Orange Blossom could have at the very minimum told me the same thing you did on the day I originally posted. Fortunately I already knew it was a serious infection and disconnected that computer from the internet within minutes of it getting infected and it stayed disconnected for 4 days while I attempted to fix it myself without any guidance (while checking back here hoping for some). In my opinion it was a disservice to go to the trouble of reading and moving it and letting it sit unanswered for 5 days.

I came back out of curiosity and was actually surprised to see someone had noticed.
