Author Topic: Dropper Trojan: Can't move to chest/remove  (Read 5433 times)


masono

  • Guest
Dropper Trojan: Can't move to chest/remove
« on: September 04, 2009, 05:29:41 PM »
Hi, first let me say I'm a complete layman with this stuff so you'll have to go slow with me...

So, both Avast and AdAware have detected C:\WINDOWS\Temp\wpv731245771011.exe as a dropper Trojan on my PC, but both also seem unable to move it to the chest or delete it. I found something that looks similar here http://forum.avast.com/index.php?topic=47604.0 and have deleted my system restore points as in that thread, but still can't get rid of it.

I originally ran an Avast scan when my comp was doing weird things with my input devices. If I clicked an icon with the mouse it'd select all icons up to that one and open them. If I typed with Caps Lock off it would be on and vice versa; if I typed quickly, random letters were in capitals, shift keys didn't work, etc. etc. That scan brought up a bunch of trojans and cleared them, but I still had the problem. I deleted my Temp files and suddenly it seemed to clear up, no idea why. So basically now I have no signs of a virus when I use my PC, but it's still finding that dropper....help please!

Attached is the latest log from HijackThis.

Any help much appreciated, thanks.


Offline Lisandro

  • Avast team
  • Posts: 67198
Re: Dropper Trojan: Can't move to chest/remove
« Reply #1 on: September 04, 2009, 05:35:04 PM »
If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:

1. Clean your temporary files. You can use CleanUp or CCleaner for that.

2. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
If avast does not detect it, you can try DrWeb CureIT! instead.

3. It would be good if you download, install, update and run MBAM (or SUPERantispyware or even SpywareTerminator).
If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
About legit antispyware applications or the bad ones, see here.

4. If you are still detecting any strange behavior, or even if you're not sure you're clean, it may be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

5. Also, if you are still detecting strange behaviors or you want to be sure you're clean, consider making a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.

6. Browser hijacking and problems with antivirus updates can be managed in some scenarios by cleaning the hosts file (in the C:\windows\system32\drivers\etc folder). The file does not have an extension; it's simply hosts.
The default file consists of a number of example lines preceded with #. The only required line is
127.0.0.1       localhost
You can get a good replacement with HostsMan, which keeps it clean (avoids infections) and updated: http://www.abelhadigital.com

7. After you're clean, disable System Restore on Windows ME, XP or Vista. System Restore is not available in Windows 9x and 2k. After disabling it, you can enable it again.

8. Use the immunization of SpywareBlaster.

9. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.


Hope it helps to guide you through cleaning.
Feel free to ask any question you have, and welcome to the avast forums.
The best things in life are free.
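Step 6 above says a hijacked hosts file can block antivirus updates. The script below, an added example that is not part of the reply or of any avast tool, audits a hosts file for every line beyond the default localhost mapping; the sample file, the watched domain list and the 203.0.113.5 / 198.51.100.9 addresses are constructed for illustration.

```python
"""Audit a Windows hosts file for lines that could block antivirus or Windows
updates, as step 6 above describes. Sample input is constructed, not real."""
import ipaddress
import re

# Constructed sample: default XP hosts file plus four hijack-style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       www.avast.com                  # sinkholes update checks
203.0.113.5     windowsupdate.microsoft.com    # pins an update host elsewhere
127.0.0.1       forum.example.net              # a site the user can no longer reach
198.51.100.9    www.example.com                # pinned to a non-local address
"""

# Update/security domains a clean hosts file has no reason to name (assumed list).
WATCHED_SUFFIXES = ("avast.com", "microsoft.com", "windowsupdate.com",
                    "ccleaner.com", "malwarebytes.org")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        for host in fields[1:]:
            yield ip, host.lower()

def suspicious_entries(text):
    """Return (ip, host, reason) for every line beyond the default localhost mapping."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost" and ip.is_loopback:
            continue                              # the only line the default needs
        if host.endswith(WATCHED_SUFFIXES):
            reason = "update/security domain redirected to " + str(ip)
        elif ip.is_loopback:
            reason = "host sinkholed to loopback"
        else:
            reason = "host pinned to non-local address"
        findings.append((str(ip), host, reason))
    return findings
```

Run it against the real file by reading C:\windows\system32\drivers\etc\hosts instead of SAMPLE_HOSTS; a clean default file produces an empty list.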

Offline DavidR

  • Avast Überevangelist
  • Posts: 88428
  • No support PMs thanks
Re: Dropper Trojan: Can't move to chest/remove
« Reply #2 on: September 04, 2009, 05:38:31 PM »
Well, firstly, system restore points aren't mentioned in your detection, so this would make no difference to your situation, other than to make any good restore points unavailable to you. So it is best to seek advice and confirmation before deleting anything.

Why couldn't it be moved to the chest, e.g. what errors were displayed: file in use, etc.?

If you have XP, Vista or Win2k (all 32bit), you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus; a memory scan will take place, followed by the opening of the Simple User Interface: Menu, 'Schedule boot-time scan...'. Or see http://www.digitalred.com/avast-boot-time.php. Don't opt for deletion (you have no options left), always send to the chest and investigate.

Since it is in a Temp location you could have simply cleared out the Temp folder - CCleaner - Temp File Cleaner, etc. or ClearProg - Temp File Cleaner.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.10.6086 (build 23.10.8563.800) UI 1.0.784/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

YoKenny

  • Guest
Re: Dropper Trojan: Can't move to chest/remove
« Reply #3 on: September 04, 2009, 08:51:30 PM »
After you get your system cleaned up: you are still running Windows Service Pack 2, so you should install Windows Service Pack 3, which has been available for over a year and contains several Critical Security updates plus performance improvements.

You need to start Internet Explorer, then go to Tools, then Windows Update, and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel, then Automatic Updates, then select Automatic (recommended), or at least Notify me but don't automatically download or install them.

Go to Add/Remove Programs and uninstall the vulnerable Adobe 8.0, then download the 9.1 update:
http://get.adobe.com/reader <== make sure you de-select the Yahoo toolbar if you do not want it.

Download and install the User Profile Hive Cleanup Service (a service to help with slow log off and unreconciled profile problems):
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Go to Secunia Online Software Inspector and run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

CharleyO

  • Guest
Re: Dropper Trojan: Can't move to chest/remove
« Reply #4 on: September 05, 2009, 02:28:05 PM »
***

In addition to the above posts, here is an analysis of problems shown in your HJT log:

We couldn't detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend that you use a firewall. Download and install one, or activate Windows XP's firewall.
The XP firewall is only a one-way (inbound) firewall. A 2-way firewall is advisable.

Platform: Windows XP SP2 (WinNT 5.01.2600)
A newer version of the service pack is available. Service packs increase the safety of your system. Visit Microsoft's Windows Update site to download the newest version of the service pack.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=7E853D72-626A-48EC-A868-BA8D5E23E045&search=SAS-Search   (first 5 entries on list)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

The above entries can be fixed with HJT.


Overview of running tasks:

Process                   Type                         Description
smss.exe                  System task                  Session Manager Subsystem
winlogon.exe              System task                  Microsoft Windows Logon Process
services.exe              System task                  Windows Service Controller
lsass.exe                 System task                  Local Security Authority Service
svchost.exe               System task                  Microsoft Service Host Process
svchost.exe               System task                  Microsoft Service Host Process
svchost.exe               System task                  Microsoft Service Host Process
aswUpdSv.exe              Virusscan                    Avast Anti-Virus Component
AAWService.exe            Anti Ad/Spyware software     Ad-Aware 2007 Service
ashServ.exe               Virusscan                    Avast
spoolsv.exe               System task                  Microsoft Printer Spooler Service
mDNSResponder.exe         Backgroundtask               Bonjour for Windows Component
ehRecvr.exe               Backgroundtask               Media Center Receiver Service
ehSched.exe               Backgroundtask               Media Center Scheduler Service
nvsvc32.exe               Application                  NVIDIA Driver Helper Service
svchost.exe               System task                  Microsoft Service Host Process
Tablet.exe                Backgroundtask               Wacom Win32 Tablet Service
ashMaiSv.exe              Virusscan                    Avast Anti-Virus Component
ashWebSv.exe              Virusscan                    avast! Web Scanner
dllhost.exe               System task                  Microsoft DCOM DLL Host Process
Explorer.EXE              System task                  Microsoft Windows Explorer
TabUserW.exe              Backgroundtask               Wacom Pen Tablet Module
Tablet.exe                Backgroundtask               Wacom Win32 Tablet Service
ehtray.exe                Backgroundtask               Microsoft Media Center Tray Icon
stsystra.exe              Driver                       SigmaTel C-Major Audio Tray App
Acrotray.exe              Backgroundtask               Acrobat Traybar Assistant
jusched.exe               Backgroundtask               Sun Java Update Scheduler
PWRISOVM.EXE              Driver                       PowerISO Virtual Drive Manager
ehmsas.exe                System task                  Microsoft Media Center State Aggregator Service
Camservice.exe            Unknown task                 (Related to the Hercules Dualpix HD Webcam) http://www.hercules.com/us/webcam/bdd/p/20/hercules-dualpix-hd-webcam/
ashDisp.exe               Virusscan                    Avast AntiVirus
AAWTray.exe               Backgroundtask               AAWTray Application
ctfmon.exe                System task                  Alternative User Input Services
FNPLicensingService.exe   Backgroundtask               Activation Licensing Service
svchost.exe               System task                  Microsoft Service Host Process
wuauclt.exe               System task                  AutoUpdate Client
firefox.exe               Application                  Mozilla Firefox
jucheck.exe               Backgroundtask               Sun Java UpdateChecker Module
ashSimp2.exe              Unknown task                 (avast scanner)
HijackThis.exe            Application                  Merijn Hijackthis


***
« Last Edit: September 05, 2009, 02:30:13 PM by CharleyO »
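The analysis above classifies O2/O9 entries whose target file is absent as dead entries that HJT can fix. The script below, an added example that is not part of the post or of HijackThis itself, parses such lines and separates dead entries from live ones that still need a look; the three quoted lines are taken from the post, while the fourth line's CLSID and path are constructed.

```python
"""Triage HijackThis O2/O9 entries as the analysis above does: an entry whose
target is '(no file)' or '(file missing)' is dead and can be fixed in HJT."""
import re

# Constructed sample: the three lines quoted above plus one live BHO with a
# made-up CLSID and path, so the 'review' verdict is exercised too.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

# Section, kind, display name, CLSID in braces, then the target file/path.
LINE_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<target>.*)$")

def parse_hjt(text):
    """Return one dict per O2/O9-shaped line; other log lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    """Return (section, clsid, verdict): 'dead' if the target file is absent
    (safe to fix), 'review' if it exists on disk and needs a look first."""
    verdicts = []
    for e in parse_hjt(text):
        target = e["target"].strip()
        dead = target == "(no file)" or target.endswith("(file missing)")
        verdicts.append((e["section"], e["clsid"].upper(), "dead" if dead else "review"))
    return verdicts

def dead_clsids(text):
    """Distinct CLSIDs of dead entries; one GUID may appear in several sections."""
    return sorted({c for _, c, v in triage(text) if v == "dead"})
```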

masono

  • Guest
Re: Dropper Trojan: Can't move to chest/remove
« Reply #5 on: September 05, 2009, 07:52:37 PM »
Thanks very much for all your help, CCleaner and boot-time scans seem to have worked. Sorry to ask obvious questions! All your comments very much appreciated.


Offline DavidR

  • Avast Überevangelist
  • Posts: 88428
  • No support PMs thanks
Re: Dropper Trojan: Can't move to chest/remove
« Reply #6 on: September 05, 2009, 09:01:26 PM »
No problem, glad I could help.

Welcome to the forums.

CharleyO

  • Guest
Re: Dropper Trojan: Can't move to chest/remove
« Reply #7 on: September 06, 2009, 12:13:00 PM »
***

Welcome to the forums, masono.   :)

We are glad your problem is fixed.

Please come back often and learn more.


***