
Trojan.Win32.Dropper.Gen


44 replies to this topic

#1 deusgrego

    New Member

  • Members
  • 21 posts
  • Gender:Male

Posted 11 July 2012 - 01:38 PM

Avast had been giving notifications about files being quarantined but every time it and Norton run a full scan nothing populated so my wife thought everything was fine. But I noticed that the laptop had been getting slower, and other issues such as programs that had worked previously, but uninstalled would not reinstall. ex: skype, malwarebytes, mass effect 3. When trying to install those programs we receive error message "Runtime error 216 at *********" The "*" numbers change depending on the program. I've been able to get the programs to install by entering safe mode. While I was on the laptop I chanced to see the virus notification. It is finding the virus in the topic title and the files quarantined are named "dwh3043.crdownload" just with different numbers after the dwh. And also files named "DWHA***.tmp". Files are located in C:\users\"system user"\AppData\Local\Temp.

Attached is the log file from hijackthis, and two from dds.scr.

Your help is very much appreciated so thanks in advance!

PFC Slinger, Michael
Combat Medic US Army
“Being in the army is like being in the Boy Scouts, except that the Boy Scouts have adult supervision." -Blake Clark


#2 MrCharlie

    Forum Deity

  • Experts
  • 28,178 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 11 July 2012 - 01:58 PM

Welcome to the forum.

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.
Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:
http://forums.malwar...showtopic=97700

MrC

Malware Removal Expert


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

#3 deusgrego


Posted 11 July 2012 - 06:03 PM

Done. New logfiles attached


#4 MrCharlie


Posted 11 July 2012 - 06:29 PM

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!!)
Post back the report.

MrC


#5 deusgrego


Posted 11 July 2012 - 08:52 PM

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Slinger Family [Admin rights]
Mode: Scan -- Date: 07/11/2012 21:49:02
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] {14ED23BD-AEDA-41FA-865F-EB1A33453E28}.job @ : C:\Users\Slinger Family\Desktop\saveedit\Gibbed.MassEffect3.SaveEdit.exe -> FOUND
[SUSP PATH] {53AABE41-D0FD-4C00-A298-D919EF8F86FF}.job @ : C:\Users\Slinger Family\Desktop\saveedit\Gibbed.MassEffect3.SaveEdit.exe -> FOUND
[SUSP PATH] {69D4A4A6-B80B-4CE2-9940-8A16A3B03895}.job @ : C:\Users\Slinger Family\Desktop\saveedit\Gibbed.MassEffect3.SaveEdit.exe -> FOUND
[SUSP PATH] {DE13BAF0-8172-47E6-BF73-C692D98984A2}.job @ : C:\Users\Slinger Family\Desktop\me3\OriginInstaller.exe -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST975042 0AS SATA Disk Device +++++
--- User ---
[MBR] df5f2a357af0b0d5b8dff0bc6680cd36
[BSP] bee1f23af191fbaa51922b5a56c0af45 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 690713 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1414989824 | Size: 20428 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1456826368 | Size: 4062 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
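An added check, not part of the thread or of RogueKiller: a Python script that parses the partition-table lines of the report above, turns each Offset/Size pair into an absolute sector range and flags overlaps, unallocated gaps and a wrong number of active partitions. Unallocated space is where a hidden file system such as the "TDSS File System" entry named in the TDSSKiller instructions would sit, so a layout that accounts for the whole disk is a useful sanity check. It assumes 512-byte sectors and that RogueKiller's "Mo" means 1024*1024 bytes; the sample input is the four partition lines copied from the report.

```python
import re

# Partition-table lines copied from the RogueKiller report in this thread
# (constructed sample input for this example).
RK_PARTITION_LINES = """\
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 690713 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1414989824 | Size: 20428 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1456826368 | Size: 4062 Mo
"""
SECTOR_BYTES = 512          # assumption: 512-byte sectors
MB_BYTES = 1024 * 1024      # assumption: RogueKiller's "Mo" is 2^20 bytes

LINE_RE = re.compile(
    r"^(?P<idx>\d+) - \[(?P<flag>[A-Z]+)\] (?P<fs>\S+) \((?P<ptype>0x[0-9A-Fa-f]{2})\) "
    r"\[(?P<vis>[A-Z]+)\] Offset \(sectors\): (?P<offset>\d+) \| Size: (?P<mb>\d+) Mo$"
)

def parse_partitions(report_text):
    """Turn each partition line into a dict with an absolute sector range [offset, end)."""
    parts = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headers and non-partition lines are skipped
        size_sectors = int(m["mb"]) * MB_BYTES // SECTOR_BYTES
        offset = int(m["offset"])
        parts.append({"idx": int(m["idx"]), "flag": m["flag"], "fs": m["fs"],
                      "ptype": m["ptype"], "offset": offset, "end": offset + size_sectors})
    return parts

def check_layout(parts, total_sectors=None, slack_mb=1):
    """Report overlaps, unallocated gaps larger than the MB rounding slack, and active-flag count."""
    slack = slack_mb * MB_BYTES // SECTOR_BYTES   # sizes are reported rounded to whole Mo
    parts = sorted(parts, key=lambda p: p["offset"])
    findings = []
    for prev, cur in zip(parts, parts[1:]):
        gap = cur["offset"] - prev["end"]
        if gap < -slack:
            findings.append(f"overlap: partition {prev['idx']} extends {-gap} sectors into partition {cur['idx']}")
        elif gap > slack:
            findings.append(f"gap: {gap} unallocated sectors between partitions {prev['idx']} and {cur['idx']}")
    if total_sectors is not None and parts:   # only checkable when the disk size is known
        tail = total_sectors - parts[-1]["end"]
        if tail > slack:
            findings.append(f"gap: {tail} unallocated sectors after partition {parts[-1]['idx']}")
    if sum(p["flag"] == "ACTIVE" for p in parts) != 1:
        findings.append("boot: expected exactly one ACTIVE partition")
    return findings
```

On the report above the four ranges abut exactly, so check_layout returns no findings; the trailing region after partition 3 can only be judged when the disk's total sector count is passed in, which the report does not give.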

#6 MrCharlie


Posted 11 July 2012 - 08:58 PM

Next..........

Please make sure system restore is running and create a new restore point before continuing.
XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.



-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:


If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC (gone for tonight...be back tomorrow am)


#7 deusgrego


Posted 12 July 2012 - 09:53 AM

I was able to follow the above post up until running of TDSSKiller.exe. Unfortunately it does not run. Do I try in safe mode? I've attached what task manager shows is running just in case it is loading/loaded and I'm just going crazy. The attachment is 20 min after I tried running TDSSKiller.


#8 MrCharlie


Posted 12 July 2012 - 09:56 AM

Yes, try it in safe mode, MrC


#9 deusgrego


Posted 12 July 2012 - 11:04 AM

When running in safe mode, at 10% initialization TDSSKiller warns that it cannot initialize log, at 40% cannot load driver. After running a search through the C: drive no log file was created. When clicking on report inside TDSSKiller, nothing is inside although it did find 1 threat. Suspicious object: IconMan_R ( UnsignedFile.Multi.Generic ) Which I skipped per directions.

#10 MrCharlie


Posted 12 July 2012 - 11:09 AM

See if you can run ComboFix.........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


#11 deusgrego


Posted 12 July 2012 - 08:07 PM

ComboFix log file.


#12 deusgrego


Posted 12 July 2012 - 08:17 PM

Just as a heads up, I work in an emergency room. Scheduling is a little hectic sometimes. But for this weekend you probably will not hear from me until after 1900.

#13 MrCharlie


Posted 13 July 2012 - 06:41 AM

OK, delete your copy of TDSSKiller and download a fresh one, see if you can run it.
You can try to run it in safe mode if needed.

If it won't run.....

Cut and paste TDSSKiller.exe into Malwarebytes Chameleon folder:

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

Install the Chameleon driver by doing the following:

Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

"%programfiles%\Malwarebytes' Anti-Malware\Chameleon/mbam-chameleon.com" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do until the Dos prompt disappears.

Execute TDSSKiller.exe by double-clicking on it in the Chameleon folder.

See if it runs.

Let me know, MrC


#14 deusgrego


Posted 13 July 2012 - 07:08 PM

I copy/paste the command to install the drivers, I receive a location not available error. Malwarebytes' installed in the Program files (x86) folder. I tried changing the command to "%programfiles(x86)%\..." with and without spaces. All to no avail. Ended up running cmd then mbam-chameleon.com /o. It said it got the driver ok. TDSSkiller still does not run either with double click or run as administrator.

#15 MrCharlie


Posted 13 July 2012 - 07:22 PM

Please do this instead....

Download aswMBR to your desktop.
http://public.avast....erek/aswMBR.exe
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Please zip it up and attach it to your next post.
MrC


#16 deusgrego


Posted 13 July 2012 - 07:22 PM

In safe mode. Tried cmd prompt got "driver is already loaded...failed to start driver.. enabling driver... failed.." TDSSKiller had the exact same result as previous run while in safe mode.

#17 MrCharlie


Posted 13 July 2012 - 07:23 PM

OK, run aswMBR as outlined in the post above yours, MrC


#18 deusgrego


Posted 13 July 2012 - 07:27 PM

quick scan, c:\, or ....?

#19 MrCharlie


Posted 13 July 2012 - 07:50 PM

Full Scan, MrC


#20 MrCharlie


Posted 13 July 2012 - 07:51 PM

edit out
