
  1. Joined : Jun 2016
    Posts : 31
    Windows 10 (64)
       20 Jun 2016 #1

    Do I Have A Trojan?


    Hello,
    First post here

    Lately my Windows Defender is finding a Trojan in the Recovery D (Trojan:Win32/Dynamer!ac)
    It only shows up after a full 3 hour search and not in the fast search
    A full search with Malwarebytes, Adware and Hitman Pro (free versions) will come up clean.

    Unlike some others online I've been successful in removing the trojan with WD only to find it back the next day.
    I even re-installed W10 and it's still there (I assume D was changed as well)

    This questionable trojan is in some stupid game.
    I don't play games on my PC and would love to rid my PC of any game that might be on it.

    I took a snapshot of WD trying to get rid of the damn thing at the usual point where it sticks for about an hour.

    [Attached image: once again.JPG]

    So, Is it a false positive as some have said online?
    And if yes how do I get WD to stop flashing red when it finds it?


  2. Joined : Oct 2013
    NW Florida
    Posts : 6,785
    Windows 10 Enterprise and Pro/Windows 7 Enterprise/Linux Mint
       20 Jun 2016 #2

    As best as I can find out, it is not a false positive.

    Trojan:Win32/Dynamer!ac

    I would follow the directions in the above link and also run these:

    Scan with Kaspersky TDSSKiller:
    Anti-rootkit utility TDSSKiller

    ESET online scanner:
    Free Virus Scan | ESET Online Scanner ESET
    Superantispyware
    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
    Malwarebytes
    Malwarebytes | Free Anti-Malware & Internet Security Software
    When installing, uncheck the start trial real time scanning and just use it as an on demand scanner


  3. Joined : Oct 2013
    Penns Forrest
    Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       20 Jun 2016 #3

    I agree with essenbe - a false positive.
    edit: You should determine if it is a real threat or a false positive
    For it to be a threat though, you would see it under Windows, not on the D: drive.

    The only way to know for certain is to submit the file to one of the virus database sites


    You could also run an offline scan

    How to create a Bitdefender Rescue CD
    How to scan your computer with Bitdefender Rescue CD

    What is Windows Defender Offline? - Windows Help
    Last edited by Slartybart; 20 Jun 2016 at 20:37. Reason: I really did agree Steve ;)


  4. Joined : Jun 2016
    Posts : 31
    Windows 10 (64)
       20 Jun 2016 #4

    essenbe said:
    As best as I can find out, it is not a false positive.

    Trojan:Win32/Dynamer!ac

    I would follow the directions in the above link and also run these:

    Scan with Kaspersky TDSSKiller:
    Anti-rootkit utility TDSSKiller

    ESET online scanner:
    Free Virus Scan | ESET Online Scanner ESET
    Superantispyware
    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
    Malwarebytes
    Malwarebytes | Free Anti-Malware & Internet Security Software
    When installing, uncheck the start trial real time scanning and just use it as an on demand scanner
    Thanks for the reply

    I was on this site but with further research in their forums people can't agree if it's a real threat or not.
    I already did an offline WD scan but I'll do it again since I just reloaded W10.

    BTW~I have the free versions of Superantispyware, Malwarebytes, Hitman, Adware and CCleaner and use them everyday...it only shows up with WD in full search.

    Cheers.


  5. Joined : Jun 2016
    Posts : 31
    Windows 10 (64)
       20 Jun 2016 #5

    Slartybart said:
    I agree with essenbe - a false positive.
    For it to be a threat, you would see it under Windows, not on the D: drive.

    The only way to know for certain is to submit the file to one of the virus database sites


    You could also run an offline scan

    How to create a Bitdefender Rescue CD
    How to scan your computer with Bitdefender Rescue CD

    What is Windows Defender Offline? - Windows Help
    Again, thanks for the reply.
    But I get the impression Essenbe thinks it's not a false positive and I should take it seriously.
    Thanks for the tools...I'll dig right in


  6. Joined : Oct 2013
    Penns Forrest
    Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       20 Jun 2016 #6

    Koukol said:
    Again, thanks for the reply.
    But I get the impression Essenbe thinks it's not a false positive and I should take it seriously.
    Thanks for the tools...I'll dig right in
    My mistake - I agree with essenbe
    It should be determined if it's a real threat or a false positive.

    That's why I gave you the virus db sites and the offline AV scanners

    I fixed my previous post

    Bill


  7. Joined : Jun 2016
    Posts : 31
    Windows 10 (64)
       20 Jun 2016 #7

    OK,

    I feel like I just went to a dark place and came back.

    I should admit I know little about what I'm doing.
    I'm one of those guys that keeps deleting essential files and might have done it again.

    First off I scanned with the free Eset program.
    It came up with these and not the trojan WD keeps reporting.
    (Please delete or modify if I'm putting myself into jeopardy by posting these.)

    [Attached images: eset 1.JPG, eset2.JPG]

    I have no idea what these are but I deleted them.
    I think it was at this point my PC became very sluggish.
    It took about 30 seconds for my browser to open, opening about 5 windows because of all the button pushing on my part.
    And about a full minute or two to open my PC to access my files.

    I then tried to do a Windows Defender Offline scan but was unsuccessful.
    I made both a CD and USB drive (with another PC) but was unable to boot my (infected?) PC in question
    I got this response...
    "Selected boot image did no authenticate...press enter to continue"
    I went into the BIOS and tried putting both USB and CD drive first in boot up options...didn't help.

    I then tried to do a system recovery which I always thought was my fail-safe but got a series of failures which had me sweating.
    [Attached images: restore failed.jpg, failed recovery.jpg]

    Fortunately I ended up finding a way by using the search and "restored" my PC to a few days ago right after I thought WD got rid of the trojan. (it said it was successful)

    Now I'm convinced something is wrong and I don't know what to do next.
    Do I need to go back into BIOS and change things back?
    (I don't remember the original order.)

    I should add that for the last few days I get a popup saying WD discovered some Malware and is removing it.
    It's still happening.

    I'm going now to see if this trojan is listed on the sites Bill listed. (thanks)
    I hope I can just type in the name because if I have to copy and paste I'm not sure I can even get into "D".
    And if I can I'm concerned I'll really screw things up.

    I really appreciate the help, guys.


  8. Joined : Oct 2013
    Penns Forrest
    Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       21 Jun 2016 #8

    The two Google toolbars are potentially unwanted, but not necessarily harmful. It looks as though WD already stashed them anyway and ESET found them in the stash - you deleted them through ESET.

    I don't think removing those files caused any harm - WD might have objected and caused some thrashing though.

    WD offline failed to boot - let's skip that for now. I suggested WD offline to see if that version of defender also saw D:\...wim...\Win32/Dynamer!ac as a threat. It might answer the question if Defender flagged it and Defender offline did not, since the other scanners you ran did not.

    Now about those virus database sites: they probably do list the file, but that's not going to tell you about the file on your system. They are very good reference sites about malware, but the real power comes from you sending the file from your system to them for analysis. Since the file is buried in a windows image (wim) ... let's skip that step too.


    I'm more convinced that it is a false positive after doing more reading.
    From the link to MS that essenbe provided:
    Technical Information
    Threat behavior
    We've automatically analyzed this threat, determined that it's a trojan because of what it does when it gets on a PC, and blocked and removed it from your PC.

    Typically, trojans try to do one or all of the following:

    • Download and install other malware.
    • Use your computer for click fraud.
    • Record your keystrokes and the sites you visit.
    • Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
    • Give a remote malicious hacker access to your PC.


    Due to the generic nature of this threat, we are unable to provide specific information on what it does.

    That's a fairly generic Technical Information about a trojan.


    And over on Microsoft Answers ... false positives:
    Win32/Dynamer!ac Search results


    But .... there is still a risk that it is not a False positive.

    D: is the HP recovery partition - right?
    That is probably for the previous version of Windows - you upgraded from Win7 or Win8, is that also correct?

    Here's what I would do

    1) copy D: to a thumbdrive (16GB sb enough)

    2) remove the D: partition

    3) Run a fair set of Malware scanners
    I can give you some now and finish up after you decide what to do with D:



    Restart your machine in case there are any system operations pending

    Click here to download Old Timer-TFC.
    >> save the application to your Desktop.
    Old Timer-TFC is a standalone application, there is no install.

    !!!!! Save your work and close all open windows.
    TFC will close ALL open programs including your browser!

    Right click, run as administrator TFC

    Click the Start button to begin the cleaning up temporary files and folders.
    !!!!! Do not work on other things while TFC is running - most applications use some sort of temporary files. Just let TFC run by itself on the machine until it completes.

    Restart your machine immediately after TFC completes.


    AdwCleaner is a two step process. Scan then Clean

    Click here to download AdwCleaner (author: Xplode)
    --> save the application to your Desktop.

    • Right-click AdwCleaner.exe on your Desktop and select Run As Administrator to run the scanner with full privilege rights.
      AdwCleaner is a standalone executable, there is no install.

    • Click on the Scan button.
      • AdwCleaner begins scanning your system. It might take some time to complete.

      • Review the detected objects grouped under each of the tabs.
        --> If there is something you KNOW should NOT be cleaned, clear the checkbox next to the object. If you're not sure about an object, paste the scan logfile (AdwCleaner[S#].txt) in a new post for a member to review and advise you.
        Otherwise, go to the next step.


    • After the scan has finished and you have reviewed the objects to be cleaned, click on the Clean button.
      • Answer OK to the close all programs prompt, then follow the onscreen prompts.
      • Answer OK to the restart the computer prompt to complete the removal process.
        The AdwCleaner log file is opened in your default Text editor when the machine has restarted.
        Each time AdwCleaner runs, the log file number [#] is incremented, the highest number is the most recent. There are two log files, one for the scan (AdwCleaner[S#].txt) and one for the clean (AdwCleaner[C#].txt).

    Paste the entire clean logfile (AdwCleaner[C#].txt) in your next post.
    --> AdwCleaner logs are located in the C:\AdwCleaner folder if you need to reference them again


    and finally (for now)
    Malwarebytes Anti-Malware Free - Windows 7 Help Forums


  9. Joined : Jun 2016
    Posts : 31
    Windows 10 (64)
       21 Jun 2016 #9

    "D: is the HP recovery partition - right?
    That is probably for the previous version of Windows - you upgraded from Win7 or Win8, is that also correct?

    Here's what I would do

    1) copy D: to a thumbdrive (16GB sb enough)

    2) remove the D: partition

    3) Run a fair set of Malware scanners
    I can give you some now and finish up after you decide what to do with D:"


    Yes, "D" is my Recovery and I did a free upgrade to W10 from W8.
    I did a W10 reinstall two days ago through a USB stick. (I wonder why WDoffline wouldn't boot with the stick?)

    What does "16GB sb enough" mean? (my "D" is just over 35GB)
    I also have no idea how to copy the entire "D" drive and then delete it from my laptop.

    Thanks again for the help.


  10. Joined : Oct 2013
    Penns Forrest
    Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       21 Jun 2016 #10

    Koukol said:
    Yes, "D" is my Recovery and I did a free upgrade to W10 from W8.
    I did a W10 reinstall two days ago through a USB stick. (I wonder why WDoffline wouldn't boot with the stick?)

    What does "16GB sb enough" mean? (my "D" is just over 35GB)
    I also have no idea how to copy the entire "D" drive and then delete it from my laptop.
    Ok, good info
    Don't know why WD Offline wouldn't boot - let's skip that issue.

    Well, that's embarrassing. I guess a 16 GB thumb drive is NOT big enough ... Sheesh, D: is over 35GB !!!!!!
    That might only be the capacity - the diskpart commands below will tell me more.

    Do you have a device that can hold 36 GBs - an external drive, or a 64 GB thumb drive?

    What can you see on D: in File Explorer? Is it accessible?

    Launch a Command Prompt (Admin)

    Quick Access menu

    Right click the Windows menu (aka Start) on the Taskbar

    Select Command Prompt (Admin)
    and yes to the UAC prompt

    Enter the following commands:

    diskpart
    lis dis
    lis vol
    sel vol # (Note, not part of the command: # is the volume number that matches drive letter D)
    det vol
    det par
    exit

    Press alt+PrtScrn to grab a windowed screen shot
    Open Paint
    Ctrl+V to paste the shot
    Ctrl+S to save the capture
    you can close the Cmd Prompt window

    Then please post the image to a new post.
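    For readers who would rather not type the diskpart session by hand, here is an added example (not Bill's post or a tool from the thread) that gathers the same facts from an elevated PowerShell on Windows 10: the disk list, the volume list, the D: volume and partition details, and Windows Defender's own record of which file paths it flagged. It assumes the recovery volume is D:, as in this thread, and writes the report to a text file on the Desktop that can be pasted into a post.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 10.
# Uses the built-in Storage and Defender modules only (Get-Disk, Get-Volume,
# Get-Partition, Get-MpThreatDetection, Get-MpThreat).
#Requires -RunAsAdministrator
$driveLetter = 'D'   # assumption: the HP recovery volume is D:, as in the thread
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'd-drive-report.txt'

"=== Disks (diskpart: lis dis) ===" | Out-File $report
Get-Disk | Select-Object Number, FriendlyName, PartitionStyle, Size, HealthStatus |
    Format-Table -AutoSize | Out-File $report -Append

"=== Volumes (diskpart: lis vol) ===" | Out-File $report -Append
Get-Volume | Select-Object DriveLetter, FileSystemLabel, FileSystem, Size, SizeRemaining, HealthStatus |
    Format-Table -AutoSize | Out-File $report -Append

"=== Volume $driveLetter (diskpart: det vol) ===" | Out-File $report -Append
Get-Volume -DriveLetter $driveLetter | Format-List * | Out-File $report -Append

"=== Partition $driveLetter (diskpart: det par) ===" | Out-File $report -Append
Get-Partition -DriveLetter $driveLetter |
    Select-Object DiskNumber, PartitionNumber, Type, GptType, Offset, Size, IsActive, IsHidden |
    Format-List | Out-File $report -Append

# Defender's detection history: which path it flagged, when, and whether removal
# succeeded. A path inside D:\...\*.wim tells you the hit is in a stored image,
# not a file that runs on the live Windows install.
"=== Defender detections ===" | Out-File $report -Append
Get-MpThreatDetection | ForEach-Object {
    [pscustomobject]@{
        Detected = $_.InitialDetectionTime
        ThreatID = $_.ThreatID
        Removed  = $_.ActionSuccess
        Path     = ($_.Resources -join '; ')
    }
} | Format-List | Out-File $report -Append

# Map each ThreatID to the readable name Defender shows (e.g. Trojan:Win32/Dynamer!ac).
"=== Defender threat names ===" | Out-File $report -Append
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive |
    Format-Table -AutoSize | Out-File $report -Append

Write-Host "Report written to $report"
```

The Defender sections answer the question the thread keeps circling back to, where exactly on D: the flagged file sits, without having to browse the recovery partition by hand.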

