
EXPLORER.EXE and yuldald.bat Trojans on External Hard Drive



#1 Lxno78

  • Members
  • 45 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:33 PM

Posted 31 May 2015 - 12:46 AM

I'm in the process of getting a new computer and wanted to scan some old files before putting them on to my new computer. I decided to scan my old computer and my external hard drive.
 
I used Bitdefender Rescue CD to scan both my old Computer (runs Windows 7) and my external hard drive (Western Digital, My Passport, 1 Terabyte).
 
The scan on my old computer came up clean, no infected files.
The scan on my external drive listed two infected files.
 
1. EXPLORER.EXE 
 
Trojan.Agent.VB.H
 
2. yudald.bat
 
Trojan.Generic.300285
 
These two files reside directly on the drive (if the external drive was drive E:\ the two files would show up as E:\EXPLORER.EXE  and E:\yudald.bat). The two files were also "protected operating system files".
 
After the initial scan I decided to view the files myself from Windows. I rebooted into Windows, went into Folder Options and unchecked the Hide protected operating system files (Recommended) option. I could see both files on the drive. I decided to scan the files with Avast and they both showed up as trojans from that scan as well.
 
During this process I accidentally clicked the EXPLORER.EXE file. Windows displayed a message saying that the file did not exist at E:\EXPLORER.EXE. I quickly shut down my computer and rebooted into the Bitdefender Rescue CD. I scanned my external hard drive again. This time only the yudald.bat file showed up. I deleted that file. I scanned my old computer again; it showed up clean, no infections. I scanned my external hard drive a third time; it showed up clean, no infections.
 
I can't find any information about yudald.bat being a trojan. I did find some information on the EXPLORER.EXE trojan. I read that the EXPLORER.EXE trojan may install additional programs on your computer, may be shown running multiple times when you view your processes in the task manager, and may slow your computer down. My computer has none of those symptoms.
 
Here are my questions:
 
1. Is it possible those files are actually part of the external hard drive and not trojans (just false positives)?
 
2. When I clicked on EXPLORER.EXE, did the trojan hide itself elsewhere or in one of my personal files (like an Excel file)? (I know the additional scans found nothing, but it was really odd that when I clicked on it, Windows said it wasn't there.)
 
3. Why was my external hard drive infected but not my computer? I plug that external drive into my computer often enough to think the computer would be infected as well.
 
4. What is the likelihood my personal files are infected? (I have Excel files, jpgs, pngs, txt files, video files, and .sol files from flash games. What's the likelihood those types of files would get infected?)
 
5. I want to put my old files on my new computer, but now I don't feel safe doing so. What scans can I use to be more confident my old files are clean, or should I even put them on my new computer at all, even after scanning?
(I'm especially interested in booting a Linux live CD to scan my files from there, with other tools than Bitdefender, instead of on the Windows OS, but what flavor of Linux would I use and what antivirus software?)
 



#2 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:01:33 AM

Posted 31 May 2015 - 05:15 AM

Hi there,

I'll try to answer your questions to the best of my ability.

1. It's hard to tell since explorer.exe is a legit file, but it can also be malware using that name. The best way to determine is to submit it to an analysis service like VirusTotal to check it against multiple scanners.

2. It is unlikely, as malware usually doesn't infect documents (unless it's ransomware, in which case it encrypts the files).

3. Was the external drive plugged into other computers at one point? Just plugging it once into an infected computer is enough to get it infected.

Which antivirus are you using? There can be a second possibility that your machine is infected and the infection went undetected, therefore infecting your external HD you are using.

4. Images, videos and documents usually do not get infected by malware. I think they should be safe to recover using a live Linux CD, for example. I'm not very sure about Flash games though - you might want to submit them to VirusTotal for analysis to make sure they are clean.

5. There are multiple AV vendors offering rescue CDs - one of the most popular ones is Kaspersky Rescue Disk.

Regards,
Alex
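The advice above (check the suspicious root-level files against multiple scanners rather than opening them) can be done without ever double-clicking the files. The following PowerShell script is an added example, not part of the thread and not a tool either participant recommended; it assumes the drive letter E: used in the first post and a Windows 8 / PowerShell 4 or later machine (for Get-FileHash). It lists files at the root of the drive that carry both the Hidden and System attributes (the combination Explorer labels "protected operating system files") and prints their SHA-256 hashes, which can be looked up on VirusTotal by hash alone:

```powershell
# Added example (not from the thread): find hidden+system files at the root of a
# removable drive and hash them so they can be checked by hash, never executed.
# E:\ is the drive letter from the first post; change it to the drive you check.
param(
    [string]$DriveRoot = 'E:\'
)

# -Force makes Get-ChildItem return files that have the Hidden and System
# attributes; -File leaves out directories such as System Volume Information.
# Only the drive root is listed, because that is where the two files were found.
$suspects = Get-ChildItem -LiteralPath $DriveRoot -File -Force |
    Where-Object {
        $_.Attributes.HasFlag([System.IO.FileAttributes]::Hidden) -and
        $_.Attributes.HasFlag([System.IO.FileAttributes]::System)
    }

foreach ($file in $suspects) {
    # Get-FileHash only reads the bytes of the file; nothing is run.
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    [PSCustomObject]@{
        Name       = $file.Name
        SizeBytes  = $file.Length
        Modified   = $file.LastWriteTime
        Attributes = $file.Attributes.ToString()
        SHA256     = $hash.Hash
        # VirusTotal's file page is keyed by SHA-256, so a lookup by hash shows
        # whether the file is already known without uploading it.
        VTLookup   = "https://www.virustotal.com/gui/file/$($hash.Hash)"
    }
}
```

Expect some harmless matches: Windows itself writes hidden+system files such as desktop.ini to drive roots, and an executable or batch file at the root of a portable drive that Windows did not create is the thing worth looking up. Save the script as a .ps1 file and run it from a PowerShell prompt on the machine the drive is attached to; run it before anything on the drive is opened, since the output is only useful while the files are still there.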

#3 Lxno78

  • Topic Starter

Posted 31 May 2015 - 12:48 PM

Thank you for the help!

Was the external drive plugged into other computers at one point?

Yes, at school and my other computer. I can scan the other computer, but it will be a bit of work as it died (I just have to swap its hard drive and scan from a rescue CD).

Which antivirus are you using?

I used Bitdefender Rescue CD.

I also scanned the computer with a (fully updated) free version of Avast from the Windows OS (in normal mode). Both scans came up clean, but I could definitely do more scans with different software.

Again, thank you!


Edited by Lxno78, 31 May 2015 - 12:49 PM.


#4 Sintharius


Posted 31 May 2015 - 01:04 PM

Please note that scanning from a rescue CD might not be enough if there is active malware on the machine - you will need to use tools like Malwarebytes Anti-Malware or Emsisoft Emergency Kit to scan from within Windows.

Edited by Alexstrasza, 31 May 2015 - 01:04 PM.


#5 Lxno78

  • Topic Starter

Posted 01 June 2015 - 04:08 PM

I ran more scans. I was hoping to know how confident I should feel about the results.

I scanned both the external hard drive and my old computer, making sure the programs were all updated in both program version and definitions.

I used the following programs within the Windows OS:

Avast, Malwarebytes, Emsisoft Emergency Kit, and AdwCleaner.

All scans came up clean for both the external hard drive and the computer. (Only one anti-malware program was running at a time to avoid conflicts.)

Then, I used 2 rescue CDs:

AVG Rescue CD and Kaspersky Rescue Disk.

All scans came up clean for both the external hard drive and the computer.

I understand there still could be some hidden malware, but I should be pretty confident both the external hard drive and the computer are clean, right?


Edited by Lxno78, 02 June 2015 - 02:08 AM.


#6 Sintharius


Posted 01 June 2015 - 04:14 PM

You can do a final scan with a standalone scanner from ESET. Connect the external drive to the PC, then run this.

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click on Change at Current scan targets and place a checkmark in your external drive, then click OK.
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex

#7 Lxno78

  • Topic Starter

Posted 01 June 2015 - 10:23 PM

I finished the ESET scan; here is the result:

 

C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows\System32\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
 
The result is rather strange to me, but my knowledge in the area is rather limited.
 
- First, I ran a Google search to see what Win32/Bundled.Toolbar.Google.D was. Most of the search results (that aren't from forum posts) pull up websites with the same article that starts with this sentence:
 
Win32/Bundled.Toolbar.Google.D is a kind of malicious Trojan horse infection that can harm all versions of the Windows operating system.

 

I don't find the Win32/Bundled.Toolbar.Google.D as suspicious as I do the website describing it. Almost all the websites that describe Win32/Bundled.Toolbar.Google.D use nearly the exact same article. All those websites have really "spammy" looking layouts and "spammy" looking URLs. On top of that, ESET only describes Win32/Bundled.Toolbar.Google.D as a potentially unsafe application however, the article lists it as a trojan. That seems strange to me.
 
To me it looks like those websites are using fear mongering to get people to download particular sets of antivirus software to increase revenue or something.
 
Someone else had the same issue and submitted the file to Virus Total. The result (here) shows that only ESET picks up the file on a scan.
I submitted the files myself and the result (here) was the same. Only ESET picks up the file. There is a comment on my result stating:
 
Google toolbar installer that was bundled with adobe shockwave 12 on my system

 

I would probably agree with that. I don't think it's as bad as some of the websites make out, but I would say it's unwanted. Unfortunately, with my limited knowledge I don't know for certain. I did re-scan the file so as to allow ESET to quarantine it.

 

- Second, I don't know how this result occurred:

 

C:\Windows\System32\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined

 

There is no Adobe folder in C:\Windows\System32. I have hidden files and folders visible and protected system folders visible at the moment. Even typing in the directory directly into windows explorer produces a Windows can't find... error.

 

Could this be in part due to the malicious intent of Win32/Bundled.Toolbar.Google.D? Just an artifact/quirk of the ESET scan? Or just a lack of understanding on my part?

 

As well, the log makes it appear as if ESET has done nothing with C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe, but that is indeed the file that is in the quarantine. The other result (C:\Windows\System32\Adobe\Shockwave 12\gt.exe) doesn't appear in the quarantine, but that directory doesn't even exist on my computer.

 

- Lastly, what do you make of the result? Should I assume I'm clean for the most part? Or is there still trouble?

 

Also, I can't thank you enough! It's usually very difficult to find quality help online. I know my posts are a bit long, so I'm extra grateful that someone helped me out.


Edited by Lxno78, 02 June 2015 - 02:12 AM.


#8 Sintharius


Posted 02 June 2015 - 02:03 AM

Hi there,

I don't find the Win32/Bundled.Toolbar.Google.D as suspicious as I do the website describing it. Almost all the websites that describe Win32/Bundled.Toolbar.Google.D use nearly the exact same article. All those websites have really "spammy" looking layouts and "spammy" looking URLs. On top of that, ESET only describes Win32/Bundled.Toolbar.Google.D as a potentially unsafe application however, the article lists it as a trojan. That seems strange to me.

You are correct in the assessment of those websites - this post explains their real nature. It is terribly difficult to find good information with all the SEO poisoning to bring scam sites to the top of search engine ranking list.

Aside from that, your log looks clean - Google Toolbar is just a Potentially Unwanted Program (PUP) so there should be nothing to worry about.

Do you have any other questions?

#9 Lxno78

  • Topic Starter

Posted 02 June 2015 - 05:21 AM

No other questions. :)  And again, thank you!



#10 Sintharius


Posted 02 June 2015 - 05:25 AM

You are welcome.

Here are some articles that will interest you...

Best Practices for Safe Computing - Prevention of Malware Infection
How Malware Spreads - How did I get infected
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

Have a nice (malware-free) day, and stay safe on the 'Net :)

Regards,
Alex



