Sunday, November 7, 2010

Trojan Horse Dropper.Generic2 - Hopefully fixed

Dealt with a Trojan Horse infection this evening - this makes the 3rd one in a year or so, and hopefully I've got it fixed.  At the moment - it's been all of 30 minutes - things seem stable.

Here's what happened:
  • I was dropping on Entrecard.
  • After a drop my computer locked up & Windows Media launched.  At this point I didn't suspect anything, I just didn't want to watch anything on Windows Media, so I attempted to close it down.
  • After dealing with Windows Media, I left the room.
  • Came back after 45 mins or so, and saw the following messages & displays:
Resident Shield Found Trojan Horse Dropper.Generic2.BPJX  (this message displayed twice)  Located in C:\Documents and Settings\Owner\Local Settings\Application Data\syssvc.exe (Object is inaccessible)

  • Also I noted that behind the Resident Shield display (Resident Shield is part of my AVG anti-virus software) was another display, with a name something like Anti-Virus Pro (I think), and a list of stuff detected.
  • There was a balloon at the bottom of the task bar saying that my computer was infected, and I needed to run a scan - this was from the Anti-Virus Pro (or whatever - for the life of me I can't remember the name and I didn't write it down).
  • When I clicked on the AVG icon, nothing happened.
The Resident Shield display was valid.  The Anti-Virus Pro was not.  Anti-Virus Pro (or whatever its name was) is "rogueware".

What I did:

  • Shut down the computer.  I did this by pressing and holding in the power off button.
  • Booted up the computer in Safe Mode.
  • Ran a full "Command Line" AVG scan.
  • The scan came back clean (which I did not see as a good thing); also there were a lot of system files and such that were "locked" and weren't tested.  None of this gave me confidence.
  • Did a system restore to a previous date, several days ago.  It's possible (nay, even probable) that I should have done the system restore before the scan.  Anyway.
  • Restarted the computer in normal mode.
  • AVG kicked off a scan automatically.  That was a good thing - normally these trojans more or less disable the anti-virus software.
  • AVG finished, detecting some tracking cookies, but no trojans.
  • Updated & ran Malwarebytes - full scan.
  • Malwarebytes detected "Trojan.Agent", located at C:\Documents and Settings\Owner\Local Settings\Temp\pdfupd.exe  (I hate PDFs!!!)
  • Quarantined and deleted the file.
  • Restarted the computer.
The last scan ended less than an hour ago.  I've been online since and all seems stable, but I'm never confident about this stuff.  I have no idea if anything is really fixed.  Time will tell I suppose.  I don't like this at all.

So, to sum up:  I shut down the computer, did a system restore, ran scans & things seem stable.
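Editor's note: both files named above sat in user-writable parts of the XP profile (Local Settings\Application Data and Local Settings\Temp), which is where droppers and rogueware tend to land because no admin rights are needed to write there. One check that tells you more than "things seem stable" is whether anything is still set to start from such a location. The script below is an added example, not part of the original post or of any AVG/Malwarebytes tooling: it takes the text output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (the same for HKLM) and flags every entry whose program lives in one of those directories. The sample registry output embedded in it is constructed (the two malicious paths are the ones from the post; the ctfmon and AVG entries are illustrative), and the list of "user-writable" directories is this example's heuristic, not a rule the post states.

```python
"""Flag autorun entries whose executable lives in a user-writable part of
the Windows XP profile, the kind of location both of the post's detections
(Local Settings\\Application Data\\syssvc.exe and Local Settings\\Temp\\pdfupd.exe)
were found in.  Added example, not the author's own procedure."""
import re
from typing import List, Tuple

# Parses one line of `reg query HKCU\...\Run` output: "name  REG_SZ  command".
ENTRY_RE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")

# Profile directories an ordinary XP user (and so malware running as that
# user) can write to.  Which directories count is this example's
# assumption, not something the post states.  Matched against the
# lowercased path with its backslashes, so "\temp\" under WINDOWS does
# not match.
USER_WRITABLE_DIRS = [
    "\\local settings\\temp\\",
    "\\local settings\\application data\\",
    "\\local settings\\temporary internet files\\",
    "\\application data\\",  # roaming profile; also covers the Local Settings one
]

# Constructed sample of Run-key output.  Two entries use the exact paths
# from the post; the other two are benign XP/AVG-style entries for contrast.
SAMPLE_RUN_ENTRIES = """
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    syssvc        REG_SZ    "C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\syssvc.exe"
    AVG_TRAY      REG_SZ    C:\\PROGRA~1\\AVG\\AVG9\\avgtray.exe
    pdfupd        REG_SZ    C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\pdfupd.exe /silent
"""


def extract_executable(command: str) -> str:
    """Return the program path from a Run-key command line.

    Quoted commands end at the closing quote.  Unquoted ones with spaces in
    the path are the classic ambiguity: take tokens up to the first one that
    ends in .exe, which is how the sample's pdfupd entry is written.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def is_user_writable_location(path: str) -> bool:
    """True if the path sits under one of USER_WRITABLE_DIRS."""
    lowered = path.lower()
    return any(d in lowered for d in USER_WRITABLE_DIRS)


def triage_run_entries(reg_output: str) -> List[Tuple[str, str]]:
    """Return (value name, executable path) for every suspicious entry."""
    flagged = []
    for line in reg_output.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue
        name, command = match.group(1), match.group(2)
        exe = extract_executable(command)
        if is_user_writable_location(exe):
            flagged.append((name, exe))
    return flagged


if __name__ == "__main__":
    for name, exe in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"SUSPICIOUS  {name}: {exe}")
```

Run against real `reg query` output (redirect it to a file and read that file instead of SAMPLE_RUN_ENTRIES), an empty result is meaningful only for the keys you actually queried; services, scheduled tasks and the Startup folder are separate persistence points this check does not cover, so treat it as one quick indicator, not a clean bill of health.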

4 comments:

Nicole said...

Thanks for the good post. My PC is also infected by the same Trojan... I will try your method first... but if it does not work, I am going to find an online repair company (http://www.teesupport.com/) to help me. I heard that a hacker could use a Trojan to steal information on your PC.. LOL.. I am really worried about it.

A Valdese Blogger said...

Nicole - Good luck!

Grace said...

Entrecard has become the top source of viruses etc. on the internet, if users of it can be believed (and why shouldn't they?). When I was using EC there were a few times when it kinda messed with my Mac - or tried to, anyway. Gad, I don't know how you folks deal with Microsoft crap...

A Valdese Blogger said...

Grace: Me and my computer go way back - it's old & creaky in computer terms, but I suppose I'll keep it till it dies. It thinks in "XP" & usually does fine. I spent many years in the I.T. world, and I ran into many situations where "A" was happening & "B" occurred, and I learned the hard way that the tendency to conclude that "A" caused "B" was frequently wrong. So I may suspect I got the bug from Entrecard, but I can't say for sure. And I suspect I'll never really know.