Avast WEBforum
Other => Viruses and worms => Topic started by: pasrus01 on November 24, 2012, 08:53:36 AM
-
I searched around a bit but was unable to find a topic addressing this.
I recently purchased a new laptop running windows 7 home premium. I then installed both dropbox and the free version of avast. The problem is, every time I start dropbox, a get notifications about every minute that avast has blocked malware coming from dropbox. It's associated with the dropbox.exe *32 process. Avast repeatedly moves a temp file to the virus chest, saying that it is a Win32:Trojan-gen. I'm not sure if this is a false positive or not, but I've never had problems between avast and dropbox before. To get the pop-ups to stop I just start task manager and kill the dropbox.exe *32 process, but it would be nice of course to use the program. Here's the name of the file that avast keeps moving to the virus chest:
C:\Users\<username>\Dropbox\.dropbox.cache\~e84ddb1c.tmp
Any ideas? Thanks in advance!
-
Test it at VT (https://www.virustotal.com/) and post the result.
-
Here's the report from virustotal.com:
SHA256: 205f0caedf82989588eda2d4a292557697f07d7eb11bc5cf126c8153a2f8036b
SHA1: 57bb7ef65c549f3c9d547cdbc387591c94774e85
MD5: cc541892fabf1aba5b7172cf1f50e6cd
File size: 29.0 KB ( 29743 bytes )
File name: ~e84ddb1c.tmp
File type: Win32 EXE
Detection ratio: 15 / 36
Analysis date: 2012-11-24 13:21:25 UTC ( 1 minute ago )
00
Less details
Analysis
Comments
Votes
Additional information
Antivirus Result Update
Agnitum - 20121124
AntiVir - 20121124
Antiy-AVL - 20121123
Avast Win32:Trojan-gen 20121124
AVG - 20121124
BitDefender - 20121124
ByteHero - 20121116
CAT-QuickHeal - 20121124
ClamAV - 20121124
Commtouch W32/Backdoor2.HMDI 20121124
Comodo UnclassifiedMalware 20121124
Emsisoft - 20121124
ESET-NOD32 - 20121124
F-Prot W32/Backdoor2.HMDI 20121124
F-Secure - 20121124
Fortinet W32/Barys.A6AA!tr 20121124
GData Win32:Trojan-gen 20121124
Ikarus Trojan-Dropper.Win32.KGen 20121124
Jiangmin Trojan/Generic.aayzx 20121124
K7AntiVirus Backdoor 20121123
Kingsoft - 20121119
Microsoft - 20121124
MicroWorld-eScan - 20121124
nProtect - 20121124
Panda Trj/CI.A 20121124
PCTools Trojan.Gen 20121124
Rising - 20121123
Sophos - 20121124
SUPERAntiSpyware - 20121124
Symantec Trojan.Gen 20121124
TheHacker Posible_Worm32 20121124
TotalDefense - 20121123
TrendMicro TROJ_GEN.RCBZ1JR 20121124
TrendMicro-HouseCall TROJ_GEN.RCBZ1JR 20121124
VIPRE - 20121124
ViRobot - 20121124
-
much easier to just post the scan link ;)
https://www.virustotal.com/file/205f0caedf82989588eda2d4a292557697f07d7eb11bc5cf126c8153a2f8036b/analysis/
seems like it is correct
First seen by VirusTotal
2012-03-10 14:35:19 UTC ( 8 måneder, 2 uker ago )
-
Whoops, sorry about that. I'm new to this stuff. ;D
Okay, so it's a real virus. Next question then, how do I get it to stop popping up every minute? The file is never permanently removed but just gets created over and over again. Any ideas on that?
-
I have dropbox on my system and Avast is quite happy with it plus there is not a folder/file with that name in my folder
So I would suspect that there is an infection in there somewhere
-
Ok, I guess I'm not sure what to do about it. I scanned the entire dropbox folder, and no threats were found. Then I thought the program itself was the problem, so I uninstalled it, deleted all my synced info, and re-downloaded and re-installed the program. Same result, except this time the temp file has a different name. Also checked that one on virustotal.com, and interestingly enough, it stated it was the same file as the one I had tried earlier today.
So what to do? The problem isn't with the files I have on dropbox, and it's not with the program itself. I don't disagree that there's an infection, but I don't know how to find and permanently remove it.
-
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%username%/dropbox /s
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Ok, here are the logs. Thanks for the guidance on this!
-
OK numpty used the wrong switch
Run OTL again and paste the following line in the custom scans box and press run scan. There will be just one log this time
C:\Users\ben\Dropbox\*.* /s
-
Hmmm... tried attaching the log but was rejected because the file size is too big (680 kb) for attachments. Is there a way around that limitation?
-
Hmmm... tried attaching the log but was rejected because the file size is too big (680 kb) for attachments. Is there a way around that limitation?
split the log on two....and use two posts ;)
-
I ended up uploading it mediafire. Here's the link:
http://www.mediafire.com/view/?634np53sjc9wunh
-
I tried my own link, but didn't get the file, so here it is split in two as you suggested.
-
Part 2
-
Essexboy is in bed now...but back tomorrow ;)
-
Ta .. Found it .. Lets see if OTL can kill it
You will need to resynch on completion as removal from the computer should then remove it from online
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
[2012/11/24 21:35:17 | 000,026,879 | ---- | M] () -- C:\Users\ben\Dropbox\.dropbox.cache\IF8Mrt-CmJWI7aLUopJVdpfwfX6xG8XPEmyBU6L4A2s
:Files
C:\Users\ben\Dropbox\.dropbox.cache
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
I've got two logs for you - one OTL produced after running the fix, then one after the quick scan. Unfortunately, it didn't work. After the reboot, dropbox also started automatically, and the popups started coming again one after another.
-
OK lets use a stronger tool for this
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Here's the log. After reboot, the result is the same. Still get the popups when Dropbox tries to sync.
-
Question: does the dropbox process need to be running for these fixes to work? I always kill the process after I reboot to stop the popups. Just want to make sure I'm not doing something wrong there.
-
No that is OK as OTL will remove it even if it is running
A question .. Are you synching with another dropbox account ?
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Users\ben\Dropbox\.dropbox.cache
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
Here's the latest log. I think it worked this time! Rebooted, and so far no popups after re-enabling avast. Any last steps?
Thanks so much for helping me out!!!
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Remove ComboFix- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
If you use on-line banking then as an added layer of protection install Trusteer Rapport (http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)Keep safe :wave:
-
Hello.
I am having the same issue. Avast pop up is not going away.
One point I didn\t understand from the above discussion is:
is the instruction about Combofix a followup of that of the OTL, or you are taking Combofix as an alternative since the first (OTL) failed to solve the problem?
I am assuming the latter, that the OTL and the Combofix are independent fixes and tried combofix as instructed above. But, my problem is still persisting. I have attached my logs of the Combofix. Can you help me please?
-
They are different fixes.. And are only suitable for that system. Luckily I had not unsubscribed from this thread
Could you run an OTL scan please so that I can see what you have
-
Thank you for the fast reply. Here, I have attached the log file generated in OTL generated with the customization text ( as you stated above):
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
thanks
-
Looks like whitesmoke may be the culprit
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Files
C:\Users\Desalegn\Dropbox\WhiteSmoke 2012 With Trial Reset v6.zip
C:\Users\Desalegn\Dropbox\.dropbox.cache
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
The problem doesn't go yet, apparently. Avast is keeping popping up still.
Here is the log after the reboot (quick scan).
Thanks
-
OK lets try one more time.. They appear to have updated this malware
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
[2013.01.01 23:26:05 | 000,000,029 | ---- | M] () -- C:\Windows\SysWow64\TempWmicBatchFile.bat
@Alternate Data Stream - 80 bytes -> C:\ProgramData\sdpsenv.dat:naughtypirates
:Files
C:\Users\Desalegn\Dropbox\.dropbox.cache
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Oh, this is not fixing the problem. I scanned my system with Malwarebytes Antimalware. It finds no virus. I couldn't manually delete the virus file (~3609c714 file in the dropbox catch folder). It also disappears when I close the Avast Popup. Then, the popup comes back and the temp file also reappears. Do you think removing Avast and Dropbox would help?
-
Save all the files that you want to keep from dropbox to your desktop
Then fully uninstall Dropbox and ensure no folders remain
Then let me know if Avast alerts again..
There should not be a cache folder in dropbox
-
1. I removed one of the suspect folders in the dropbox that contain some windows softwares
2. I logged into the safe mood, and cleared all the stuff in the cache folder
Now, I am in the normal mood; and Avast is not popping up so far.
Thank you for the help ;D
-
OK if it is still good tomorrow let me know and I will tidy up
-
No problem so far. I will follow the guides you provide above and clear my pc.
regards,
-
Are you happy to follow that or would you like your own copy ;D
-
It is fine. thanks
-
Hi guys...
I've encountered the same problem:
Everytime I sync my dropbox, Avast shows malware popups.
It keeps on detecting the process:
C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe
Newbie here so please be gentle :)
Any help? TIA!