Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TR/Dropper.Gen - Real or false alarm?


  • Please log in to reply
3 replies to this topic

#1 jlp897

jlp897

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 14 December 2010 - 07:51 PM

Hi. Most of my troubles started a little while back. I was on the computer and all of the sudden a whole bunch of different windows popped up. I can't really explain it better, but it didn't seem like internet browswer windows, but windows with names of files in the title. I seemed like my computer had crashed.

I restarted and ran an AVG scan, Malwarebytes scan, SUPERAnitSpyware scan. I quarantined some files. I think after I did this is when I started having problems with my internet. I cannot connect to the internet through my wireless broadband modems (I have two usb modems from two different carriers). The usb ports work, but not for internet as one modem shows a signal but gets stuck on "connecting" and the other shows no device is connected. I checked and both modems work on other computers. I may have quarantined something I shouldn't have.

What I found from Malwarebytes was Spyware.PWS in C:\system volume information\restore.....\A0013280.exe. AVG found something, but after I quarantined it, I uninstalled AVG and installed Avast. I believe what AVG found was the TR/Dropper trojan, which I would see later. Whatever SUPERAntiSpyware had found, I restored because I thought it might have caused a problem with the modems. It wasn't the problem and SUPERAntiSpyware doesn't even show it as a threat anymore. I believe the threat had something like "winlogon" and "taskman" listed in a registry.

Today Avira found a TR/Dropper.Gen trojan on my laptop while the computer was doing nothing (it was just sitting there and then I got a warning). I had connected a USB drive to this laptop that had been in the infected drive. Avira listed this trojan in C:\System Volume Information\restore....\A0025883.exe. I scanned the USB drive with several different software and no results.

All of this seems really odd and makes me wonder if my computer didn't just crash, I got a bunch of false hits and I'm making it worse. I am running Windows XP (SP2) and may have downloaded updates before the crash, had AVG at the time(updated), Comodo (somewhat updated), SUPERAntiSpyware running(updated) running in the background.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,778 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:23 PM

Posted 14 December 2010 - 09:27 PM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan were in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. If your anti-virus or anti-malware tool was able to move (quarantine) the file(s) it is no longer a threat. When an anti-virus or security program quarantines a file and moves it into a virus vault (chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through security routines which may copy, rename, encrypt and password protect the file the file before moving. When the quarantined file is known to be malicious, you can delete it at any time by launching the program which removed it, going to the Quarantine tab, and choosing the option to delete.

In order to ensure all such files are removed, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 jlp897

jlp897
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 14 December 2010 - 10:58 PM

Thanks for the reply. I also forgot to mention that I installed the latest COMODO firewall software. I noticed when I set the Defense+ Security Level to Safe Mode, it resets to Disabled when the computer is restarted. The firewall security level stays the same.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,778 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:23 PM

Posted 15 December 2010 - 07:24 AM

I don't use Comodo Firewall so I'm not that familiar with its configuration settings. You may want to start a new topic in the AntiVirus, Firewall and Privacy Products and Protection Methods forum.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all security updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. When necessary, Microsoft releases security updates on the second Tuesday of each month and publishes Security update bulletins to announce and describe the update. If you're not sure how to install updates, please refer to Updating your computer. Microsoft also recommends Internet 6 and 7 users to upgrade their browsers due to security vulnerabilities which can be exploited by hackers.

Avoid gaming sites, porn sites, pirated software (warez), cracking tools, and keygens. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS.

Avoid peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare). They too are a security risk which can make your computer susceptible to malware infections. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. For more specific information on how these types of rogue programs install themselves and spread infections, read How Malware Spreads - How did I get infected.

Keeping Autorun enabled on flash drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. One in every eight malware attacks occurs via a USB device. Many security experts recommend you disable Autorun as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...This update is intended to stop AutoPlay functionality from working on USB drives, external hard drives, or network shares...

Microsoft Security Advisory (967940): Update for Windows Autorun

If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.

Always update vulnerable software like Adobe Reader and Java Runtime Environment (JRE) with the latest security patches. Older versions of these programs have vulnerabilities that malicious sites can use to exploit and infect your system.
Change all passwords: Anytime you encounter a malware infection on your computer, especially if that computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords as a precaution in case an attacker was able to steal your information when the computer was infected. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Security Resources from Microsoft:Other Security Resources:Browser Security Resources:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users