
Solved Win32 Malware-gen and Trojan Dropper Win 32-NV

Discussion in 'Malware and Virus Removal Archive' started by Ann, 2010/07/12.

  1. 2010/07/16
    Ann

    Ann Well-Known Member Thread Starter

    Joined:
    2002/01/10
    Messages:
    597
    Likes Received:
    1
    broni - I ran ESET twice because I did not notice the "No Threats Found" message the first time. :eek:

    Will updating to XP SP3 cause changes to system files? I have gotten three messages from TPF regarding changes in files.
     
    Ann,
    #21
  2. 2010/07/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If you mean Windows files, yes. If you mean your private files, no.

    Since Eset didn't find anything....

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL, as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs left over on your computer, you can go ahead and delete those now.

    =============================================================

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     

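Steps 1 to 3 of the post above (turn System Restore off, restart, turn it back on) can be done from a script on Vista/7 and later. The following is an added example for this page, not something posted in the thread: it assumes an elevated Windows PowerShell session on a client edition of Windows (the *-ComputerRestore cmdlets do not exist on XP or on Server editions) and that the system drive is C:.

```powershell
# Added example (not from the thread): purge pre-cleanup restore points and
# create a fresh baseline. Run from an elevated PowerShell prompt.
# Assumption: the protected system drive is C:; change $Drive otherwise.
$Drive  = 'C:\'
$Volume = $Drive.TrimEnd('\')    # vssadmin wants "C:" rather than "C:\"

# Step 1: turn System Restore off for the drive (the GUI's "Turn System Restore Off").
Disable-ComputerRestore -Drive $Drive

# On Vista/7 restore points are Volume Shadow Copies. Turning protection off
# does not always purge them, so delete them explicitly; an old point taken
# while the machine was infected would otherwise remain restorable.
vssadmin delete shadows /for=$Volume /all /quiet

# Steps 2/3: protection back on, then one clean baseline point.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                    -RestorePointType 'MODIFY_SETTINGS'

# Verify: only the new point should be listed.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
```

Two caveats: on Windows 8 and later, Checkpoint-Computer silently refuses to create a second point within 24 hours unless the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0, and a restore point is not a backup; it only rolls back system files and registry, so the password changes in step 5 still matter.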

  4. 2010/07/16
    Ann

    broni, I ran a scan with Avast and it did not come up with the Win32 Malware-gen. I ask, where did it go?

    Did the same with Superantispyware and it did find the Trojan dropper/WIN-NV. What should I do with this item? Can I quarantine it? Can I remove it from quarantine?

    I will follow the rest of your instructions as stated.
     
    Ann,
    #23
  5. 2010/07/16
    broni

    Let me know the exact file name and location of the apparently infected file.
     
  6. 2010/07/16
    Ann

    The file name is update.exe located in C:\WINDOWS\I386\APPS\APP06146\.
     
    Ann,
    #25
  7. 2010/07/16
    broni

    Upload that file to http://www.virustotal.com/ for a security check.
    If the file is listed as already analyzed, click on the Reanalyse file now button.
    Post scan results.
     
  8. 2010/07/16
    Ann



    Result: 0/42 (0%)
    Antivirus Version Last Update Result
    a-squared 5.0.0.31 2010.07.16 -
    AhnLab-V3 2010.07.17.00 2010.07.16 -
    AntiVir 8.2.4.12 2010.07.16 -
    Antiy-AVL 2.0.3.7 2010.07.15 -
    Authentium 5.2.0.5 2010.07.16 -
    Avast 4.8.1351.0 2010.07.16 -
    Avast5 5.0.332.0 2010.07.16 -
    AVG 9.0.0.836 2010.07.16 -
    BitDefender 7.2 2010.07.17 -
    CAT-QuickHeal 11.00 2010.07.16 -
    ClamAV 0.96.0.3-git 2010.07.16 -
    Comodo 5451 2010.07.16 -
    DrWeb 5.0.2.03300 2010.07.17 -
    eSafe 7.0.17.0 2010.07.15 -
    eTrust-Vet 36.1.7715 2010.07.16 -
    F-Prot 4.6.1.107 2010.07.16 -
    F-Secure 9.0.15370.0 2010.07.16 -
    Fortinet 4.1.143.0 2010.07.16 -
    GData 21 2010.07.17 -
    Ikarus T3.1.1.84.0 2010.07.16 -
    Jiangmin 13.0.900 2010.07.16 -
    Kaspersky 7.0.0.125 2010.07.17 -
    McAfee 5.400.0.1158 2010.07.17 -
    McAfee-GW-Edition 2010.1 2010.07.16 -
    Microsoft 1.6004 2010.07.16 -
    NOD32 5285 2010.07.16 -
    Norman 6.05.11 2010.07.16 -
    nProtect 2010-07-16.01 2010.07.16 -
    Panda 10.0.2.7 2010.07.16 -
    PCTools 7.0.3.5 2010.07.17 -
    Prevx 3.0 2010.07.17 -
    Rising 22.56.04.04 2010.07.16 -
    Sophos 4.55.0 2010.07.17 -
    Sunbelt 6595 2010.07.17 -
    SUPERAntiSpyware 4.40.0.1006 2010.07.17 -
    Symantec 20101.1.1.7 2010.07.16 -
    TheHacker 6.5.2.1.318 2010.07.16 -
    TrendMicro 9.120.0.1004 2010.07.16 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.17 -
    VBA32 3.12.12.6 2010.07.16 -
    ViRobot 2010.7.12.3932 2010.07.16 -
    VirusBuster 5.0.27.0 2010.07.16 -
    Additional information
    File size: 5051551 bytes
    MD5...: 4d63a41750eb632d445ecd2000a1ff1c
    SHA1..: 7a9c99e9609ad2f82461bd6b79f21488e85bdf88
    SHA256: 54ccacf1750bb63ed522f5bbef03d4624e08f9d7d02478bd187b3c99e7f14283
    ssdeep: 98304:iOv0ThQdht9pppjT3lwFldelnhPvAZir7QgH9mXk6J:xdh9bKmPYZk7QgZ6J
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x183af
    timedatestamp.....: 0x3ddee736 (Sat Nov 23 02:25:58 2002)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x20212 0x21000 6.40 8077101cacac0e20b1a1a1fad6c75bda
    MCRC 0x22000 0x79 0x1000 0.34 eeac63d102ab9a0f48150ef3e68ac477
    .rdata 0x23000 0x25bc 0x3000 4.84 33b382c4ef3a40ba242dde5b405a2eea
    .data 0x26000 0xa6cc 0x3000 4.43 6490581537ec22c19f7a8f35557b0d68
    .rsrc 0x31000 0x2508 0x3000 2.82 eee9bdf3c55eea080d14972a7909e3c3

    ( 4 imports )
    > KERNEL32.dll: GetDiskFreeSpaceA, GetModuleHandleA, GlobalLock, GetLogicalDrives, GlobalUnlock, GlobalHandle, GlobalAlloc, GlobalFree, GetACP, IsDBCSLeadByte, CreateFileA, GetTempFileNameA, DeleteFileA, MoveFileA, SetEndOfFile, GetFileAttributesA, SetFileAttributesA, SetFileTime, FlushFileBuffers, GetCurrentProcess, ExpandEnvironmentStringsA, GetLastError, CopyFileA, GetDriveTypeA, CloseHandle, DeviceIoControl, GetFileType, SetFileApisToOEM, SetFileApisToANSI, GetShortPathNameA, AreFileApisANSI, FindClose, FindFirstFileA, SetFilePointer, ReadFile, WriteFile, SetLastError, GetVolumeInformationA, GetLocalTime, GetCommandLineA, FindNextFileA, CreateDirectoryA, GetFullPathNameA, GetSystemTime, GetWindowsDirectoryA, GetSystemDirectoryA, LoadLibraryA, MoveFileExA, PulseEvent, OpenEventA, GetPrivateProfileSectionA, GetVersionExA, GetCurrentDirectoryA, GetTimeZoneInformation, DosDateTimeToFileTime, InterlockedDecrement, InterlockedIncrement, GetStartupInfoA, ExitProcess, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, SetStdHandle, HeapAlloc, HeapFree, DeleteCriticalSection, GetCPInfo, SetCurrentDirectoryA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, TerminateProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsGetValue, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, HeapReAlloc, HeapSize, GetStringTypeA, GetStringTypeW, VirtualAlloc, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetProcAddress, FreeLibrary, GetEnvironmentVariableA, WinExec, GetPrivateProfileStringA, lstrcmpA, lstrcpyA, GetVersion, SetErrorMode, lstrlenA, GetModuleFileNameA, lstrcatA, RemoveDirectoryA, WritePrivateProfileStringA, GetOEMCP, FileTimeToLocalFileTime, FileTimeToSystemTime
    > USER32.dll: DefWindowProcA, DestroyWindow, SendDlgItemMessageA, CreateDialogParamA, MoveWindow, GetSystemMetrics, GetWindowRect, OemToCharA, wsprintfA, CharUpperA, CharUpperBuffA, CharNextA, CharPrevA, SetCursor, SetWindowTextA, CharToOemA, TranslateMessage, PostQuitMessage, FindWindowA, GetLastActivePopup, BringWindowToTop, ShowWindow, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, LoadStringA, MessageBoxA, SendMessageA, PeekMessageA, IsDialogMessageA, DispatchMessageA
    > GDI32.dll: GetStockObject
    > ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, RegQueryValueA, RegCloseKey, RegSetValueExA, RegCreateKeyExA, RegDeleteValueA

    ( 65 exports )
    _AllowDefInstall@@YGHPAH@Z, _CenterDialog@@YAXPAUHWND__@@@Z, _DestroyStatusDialog@@YGXXZ, _DisplaySubscriptionInvalidMsgBox@@YGHXZ, _ExecuteAction@@YGXPADPBD@Z, _ExtractMemoryScanningFile@@YGHPAD@Z, _ExtractMessageResponse@@YGIPAD@Z, _GetRemainingFiles@@YAHPAD0@Z, _InitMessageSystem@@YGHXZ, _InsertCharacter@@YGXPADEG@Z, _IsPlatformNT@@YGHXZ, _LogActivityToDisk@@YGXPAD@Z, _NoSkipUpdaterMessaging@@YGIPADI@Z, _OkToContinueSearch@@YAHPAD@Z, _ParseCmdLine@@YGHHQAPAD@Z, _PrepareFindAllCopies@@YGHXZ, _PrepareProgramTitle@@YGXPAD@Z, _ProcessDefDir@@YGHXZ, _ProcessIniFile@@YGHPAD0@Z, _ProgramTrace@@YGXPAD@Z, _ReadZipDir@@YAHPAD0H@Z, _RemoveMemoryScanningFile@@YGXXZ, _ScanDialogProc@@YGHPAUHWND__@@GGJ@Z, _ScanMemory@@YGHPAD@Z, _ShowStatusDialog@@YGXPADH@Z, _StatusDisplayText@@YGXPAD@Z, _UPDCleanup@@YGHPBDPAD@Z, _UPDExtract@@YGHPBDPAD@Z, _UPDExtractFileToBuffer@@YGHPBD0PADK@Z, _UPDUnzip@@YGHPAD0@Z, _UPDUpdateNavDir@@YGHPAD@Z, _UPDUpdaterInit@@YGHXZ, _UPDUpdaterProcess@@YGHXZ, _UPDUpdaterRelease@@YGXXZ, _UnsupportedNavInstalled@@YGHXZ, _UpdaterMessaging@@YGIPADI@Z, _UpdaterSelfCheck@@YGHXZ, _WndProc@@YGJPAUHWND__@@IIJ@Z, _IUPAddFileToPackage@4, _IUPCheckPackage@4, _IUPClosePackage@4, _IUPCreatePackage@12, _IUPExtractBuffer@12, _IUPExtractFile@8, _IUPHistory@4, _IUPListPackage@4, _IUPOpenPackage@4, _IUPOpenPackageRead@4, _IUUAddCreator@8, _IUUBuildCreateList@4, _IUUBuildFileList@4, _IUUCopyCreateList@8, _IUUDeleteCreateList@4, _IUUDeleteFileList@4, _IUUFindFirstFile@4, _IUUFindNextFile@4, _IUUFreeCreatorBlocks@4, _IUUGetFileByName@4, _IUUGetFileHeader@8, _IUUGetNameFromHdr@8, _IUUNewPackage@4, _IUUReadCreatorBlocks@8, _IUUWriteCreatorBlocks@8, _SymGetFreeSystemResources@4, _SymSystemHeapInfo@4
    RDS...: NSRL Reference Data Set
    -
    trid..: Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    pdfid.: -
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
     
    Ann,
    #27
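The "Additional information" block in the post above (file size, MD5/SHA1/SHA256, entry point, timedatestamp, machine type and the per-section entropy column "ntrpy") is metadata you can reproduce locally before uploading anything, and any of the three hashes can be searched on VirusTotal to find an existing report without sending the file at all. The script below is an added example for this page, not code from the thread or from VirusTotal. It parses the PE header and section table with the standard library only and, when run without an argument, analyses a constructed minimal PE32 image embedded in the script; update.exe itself is not reproduced here, and ssdeep is left out because it needs a third-party library.

```python
"""Added example (not from the thread or VirusTotal): reproduce the hashes and
the PE header / section summary VirusTotal prints under "Additional information".
Usage: python pe_summary.py <file.exe>   (no argument: analyse the built-in sample)"""
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for padding, roughly 6 to 6.5 for compiled
    code (like the 6.40 of update.exe's .text), above ~7.2 usually means
    compressed, packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts if c))


def file_hashes(data: bytes) -> dict:
    """The three hashes VirusTotal lists; each is searchable on VT by itself."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section
    table. Raises ValueError for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (same offset in both)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsiz]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": viradd, "virsiz": virsiz, "rawdsiz": rawsiz,
                         "ntrpy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "machine_name": MACHINE_NAMES.get(machine, "unknown"),
            "timestamp": timestamp,
            "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
            "entrypoint": entry, "pe32plus": magic == 0x20B, "sections": sections}


def packed_sections(info: dict, threshold: float = 7.2) -> list:
    """Names of sections whose entropy suggests packing or encryption; an entry
    point inside such a section is the classic packer tell."""
    return [s["name"] for s in info["sections"] if s["ntrpy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32 image (not a runnable program) used as offline
    sample input. .text holds every byte value once (entropy 8.0, what a packed
    section looks like); .data is zero padding (entropy 0.0). The timestamp is
    the one from the thread's listing so the date formatting can be checked."""
    text, data_sec = bytes(range(256)), b"\0" * 256
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x3DDEE736, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, len(text), len(data_sec), 0, 0x1000).ljust(224, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".data", len(data_sec), 0x2000, len(data_sec), 0x300, 0, 0, 0, 0, 0xC0000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + text + data_sec


def summary(data: bytes) -> str:
    """Text report in the same layout VirusTotal used in the post."""
    h, info = file_hashes(data), parse_pe(data)
    lines = [f"File size: {h['size']} bytes", f"MD5...: {h['md5']}", f"SHA1..: {h['sha1']}",
             f"SHA256: {h['sha256']}", f"entrypointaddress.: {info['entrypoint']:#x}",
             f"timedatestamp.....: {info['timestamp']:#x} ({info['compiled']})",
             f"machinetype.......: {info['machine']:#x} ({info['machine_name']})",
             "name viradd virsiz rawdsiz ntrpy md5"]
    for s in info["sections"]:
        lines.append(f"{s['name']} {s['viradd']:#x} {s['virsiz']:#x} {s['rawdsiz']:#x} {s['ntrpy']:.2f} {s['md5']}")
    packed = packed_sections(info)
    lines.append("high-entropy sections: " + (", ".join(packed) if packed else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(summary(blob))
```

Reading the thread's listing with this in mind: every section of update.exe sits at or below 6.40 bits, the entry point (0x183af) lies inside the ordinary .text section, and the export names (_UPDUpdateNavDir, _SymSystemHeapInfo and so on) are what a vendor's own updater would carry rather than a dropper, so the 0/42 verdict is unsurprising; the one real negative, "verified.....: Unsigned", is not by itself evidence of anything for a 2002-era binary. A file that showed a 7.5+ section holding the entry point together with a recent timestamp would deserve the opposite presumption even at 0/42.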
  9. 2010/07/16
    broni

    You can disregard the Super finding then.
    Any other issues?
     
  10. 2010/07/16
    Ann

    Not as far as I can see.

    For general information, could you please tell me: when a program reports a threat on the computer, should I quarantine the file? Is that the correct procedure?

    Also, why does a threat reported by one program's scan come up clean when you do another scan?

    Thanks so much for your help, broni.
     
    Ann,
    #29
  11. 2010/07/16
    broni

    Yes. Note "quarantine", not "delete", because false positives happen (that's the answer to your 2nd question). Run the computer for a couple of days and if there is no ill effect, you can empty the AV program's vault.
    In case it was a false positive and something is not working, you can always get the file back from the vault.
    On the other hand, you can always upload the file in question to VirusTotal for a double check, or...post a question here :)

    I'll mark this thread as resolved.
    Good luck and stay safe :)
     
  12. 2010/07/16
    Ann

    Thank you for the information and for your generous help. :cool:
     
    Ann,
    #31
  13. 2010/07/16
    broni

    You're very welcome :)
     
  14. 2010/07/19
    Ann

    broni

    I tested all my programs and one does not open. PrintMaster 17 which is my main graphics program doesn't work. It was working prior to reporting the virus and spyware. Any suggestions?
     
    Ann,
    #33
  15. 2010/07/19
    broni

    Sometimes either the infection itself or the cleaning process may mess up some programs.
    I suggest you reinstall it.
     
  16. 2010/07/19
    Ann

    My infection was not really an infection....right? :rolleyes:

    I thought XP_SP3 might have caused it. I will lay the blame on the cleaning process. :D No biggie, I was just curious.

    Once more, thanks for everything.
     
    Ann,
    #35
  17. 2010/07/19
    broni

    You're very welcome :)
     
