Windows 10: Windows Defender - Trojan Dropper Malware

Page 1 of 2 12 LastLast

  1. Posts : 253
    Win 10 Home Build 1703 64bit
       15 Aug 2016 #1

    Windows Defender - Trojan Dropper Malware


    Malwarebytes discovered the Trojan Dropper in rundlll.32exe file. Windows Defender (WD) did not detect in a scan performed immediately before. I removed with Malwaebytes and did a follow-up scan with Norton Power Eraser which was negative. I do not have Malwarebytes installed but download periodically to do a scan.

    Posting this to illustrate the importance of supplementing WD with another AV.

    If you are not familiar with Trojan Dropper it is a type of Trojan whose purpose is to deliver an enclosed payload onto a destination host computer.
      My ComputerSystem Spec


  2. Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       15 Aug 2016 #2

    torre : Posting this to illustrate the importance of supplementing WD with another AV

    Not another AV, but I understand.

    You should only run ONE real time Virus protection product on your system. More than one often causes conflict when they fight each other for controll. Each one might treat the other as a virus and the fight for control escalates... well you get the idea.

    Running one or more on-demand scanners IS a good idea when warranted. Your machine is exhibiting signs of infections (erratic mouse, strange homepage, excessive pop-up ads, etc - there are plenty of sites that describe what you might experience).

    I run Malwarebytes FREE about once a month - maybe every two months, just to get that warm and fuzzy feeling.

    The paid Malwarebytes runs well with almost every real-time AV product.

    Just to clarify, there are Anti-Virus products and there are Anti-Malware products. They are tuned to process different threats.

    I just looked at your post again and see that the file Mbam found is: rundlll.32exe
    There's an extra l id .dlll and the extension is not an executable .32exe

    It's possible that WD cleaned up the threat and that file is a remnant - it's a good rename that will never get executed anyway

    If you have that file in Mbam quarantine, you might consider sending it to MS for analysis. It could help everyone
      My ComputerSystem Spec


  3. Posts : 253
    Win 10 Home Build 1703 64bit
    Thread Starter
       16 Aug 2016 #3

    just looked at your post again and see that the file Mbam found is: rundlll.32exe
    There's an extra l id .dlll and the extension is not an executable .32exe

    Typo on my part. Only one l, rundll32.exe. Is rundll.32exe an executable extension ?

    If you have that file in Mbam quarantine, you might consider sending it to MS for analysis. It could help everyone
    I removed from quarantine. Does Malwarebytes automatically collect, or does user have to send. I saw no option.
      My ComputerSystem Spec


  4. Posts : 824
    Win10/64 Pro 1511 (and 2 Win 7/64 Ult & Pro systems)
       16 Aug 2016 #4

    Hi:

    In addition to @Slartybart's excellent advice.

    MBAM does conduct anonymous telemetry about detected threats, but I am not sure how that works "under the hood".
    I do not think there is currently an in-app file submission process from the GUI (I think it has been a requested feature).

    If you think that the detection might be a False Positive detection by MBAM, then I suggest having a look at this forum sticky and then submitting to their F/P forum AT LEAST the MBAM scan log that shows the detection. This KB article explains how to locate and export the log files.
    The Research/QA teams will evaluate the data and advise you accordingly.

    Also, as @Slartybart pointed out, MBAM Free is only a manual, on-demand scanner. For layered real-time protection targeting zero-hour and zero-day, mostly non-viral malware threats, you need the paid, Premium version alongside your AV.

    Cheers,
    MM
      My ComputerSystem Spec


  5. Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       16 Aug 2016 #5

    torre said: View Post
    Typo on my part. Only one l, rundll32.exe. Is rundll.32exe an executable extension ?
    I removed from quarantine. Does Malwarebytes automatically collect, or does user have to send. I saw no option.
    No sweat - typos and mischaracterizations happen to me a LOT

    No, .32exe is not a known executable filetype

    Moxie answered your other question about Mbam collecting samples.

    Defender can automatically submit samples if that is on in Defender settings. The sample is sent to MS labs and that is usually shared with the other malware vendors.

    I saw one tool that had a submit to VirusTotal button - can't recall or find which one it was now. Darn, I thought it was a great thing to have at your fingertips.

    I've used this in the past to make sample submission to VirusTotal a little easier
    VirusTotal Windows Uploader - VirusTotal
      My ComputerSystem Spec


  6. Posts : 253
    Win 10 Home Build 1703 64bit
    Thread Starter
       16 Aug 2016 #6

    MoxieMomma said: View Post
    Hi:


    Also, as @Slartybart pointed out, MBAM Free is only a manual, on-demand scanner. For layered real-time protection targeting zero-hour and zero-day, mostly non-viral malware threats, you need the paid, Premium version alongside your AV.
    Thanks for the reply. I am familiar with Malwarebytes and use the free, on-demand scanner as a supplement to WD.

    From my research, the rundll.32exe Trojan Dropper seems to a common threat. While there is always a possibility of a false positive, I chose to err on the side of caution and remove the reported virus.

    My post was not intended to degrade WD, but to illustrate the importance of a secondary scan by another AV as is also stated on the numerous forum posts on "what is the best av."
      My ComputerSystem Spec


  7. Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       16 Aug 2016 #7

    You did the right thing by removing a detected threat.

    Can you point me to what you found? That will help me help other folks - thanks
    I know Droppers are a common threat and I thought I saw that VirusTotal determined that rundll.32exe was a threat until I noticed my search results were for rundll32.exe.

    Same thing for other searches I performed - it looked as though there were .32exe files flagged as threats, but when I looked at the actual mediation the files were xyz32.exe.

    I didn't think your statement was derogatory towards WD - on the contrary, your thread shows the value of 2nd opinion malware software.


    My focus is on the threat Mbam found and if there is anything else that should be run.

    Here are two good tools, please run them when you get the chance.

    1. Download Temp File Cleaner (TFC) by Oldtimer

      1. Save your work and close all open windows.

      2. Restart your machine in case there are any system operations pending

      3. Navigate to your Downloads folder
        Right click on TFC
        Select Run as administrator

      4. Press the start button in the TFC window
        TFC begins cleaning up temporary files and folders.

        !!!!! Do not work on other things while TFC is running - most applications use some sort of temporary files. !!!

      5. Restart your machine immediately after TFC completes


    2. Download AdwCleaner by Xplode

      1. Save your work and close all open windows.

      2. Navigate to your Downloads folder
        Right click AdwCleaner
        Pick Run as administrator

      3. Click on the Scan button.

        • AdwCleaner begins scanning your system. It might take some time to complete.

        • Review the detected objects grouped under each of the tabs.
          --> If there is something you KNOW should NOT be cleaned, clear the checkbox next to the object. If you're not sure about an object, paste the scan logfile (AdwCleaner[S#].txt) in a new post for a member to review and advise you.

          Otherwise, go to the next step.


      4. After the scan has finished and you have reviewed the objects to be cleaned, click on the Clean button.

        • Answer OK to the close all programs prompt, then follow the onscreen prompts.
        • Answer OK to the restart the computer prompt to complete the removal process.
          The AdwCleaner log file is opened in your default Text editor when the machine has restarted.
          Each time AdwCleaner runs, the log file number [#] is incremented, the highest number is the most recent. There are two log files, one for the scan (AdwCleaner[S#].txt) and one for the clean (AdwCleaner[C#].txt).


        Paste the entire clean logfile (AdwCleaner[C#].txt) in your next post.
        --> AdwCleaner logs are located in the C:\AdwCleaner folder if you need to reference them again
      My ComputerSystem Spec


  8. Posts : 824
    Win10/64 Pro 1511 (and 2 Win 7/64 Ult & Pro systems)
       16 Aug 2016 #8

    Hi;

    Thanks for the clarification.

    If you had been running MBAM Premium in real-time alongside your AV, it's possible that MBAM might have prevented the infection in the first place.
    In my book, at least, it seems preferable to try to PREVENT infection, rather than to try to CLEAN-UP after it.
    With certain types of malware these days (e.g. ransomware), after-the-fact cleanup can be too late.

    Cheers,
    MM
      My ComputerSystem Spec


  9. Posts : 253
    Win 10 Home Build 1703 64bit
    Thread Starter
       16 Aug 2016 #9

    Can you point me to what you found?
    The below is an example from a google search. Google

    Trojan.Dropper Description

    A Trojan.Dropper is designed to deliver a payload onto the victim's computer system. However, a Trojan.Dropper will usually lead a large-scale attack, usually not the end infection itself. Typically, one of the main goals of computer criminals is to find ways to install malware onto their victim's computer without alerting the victim of the intrusion. A Trojan.Dropper is a typical method that is quite common.

    Typically, a Trojan.Dropper contains a malware infection within itself which is designed to deliver the infection by copying it onto the victim's computer's file system. A Trojan.Dropper will usually install and execute the malware installed and then will often delete itself or simply remain harmless on the victim's computer system.

    A Trojan.Dropper will usually be confusing to the victim, and designed to cause no symptoms. A typical example of a Trojan.Dropper is a fake screen saver which, when opened, will simply display an error message. However, even though the error message may look genuine, it will actually have been part of the Trojan.Dropper's tactics to install its payload without the user being aware of the problem. Many Trojan.Dropper infections will include an encrypting algorithm of some kind of obfuscator or packing algorithm to make their detection and removal much more difficult than normal.

    Usually, a Trojan.Dropper is created as a way to distribute malware, since a Trojan.Dropper is relatively cheap and easy to distribute. A Trojan.Dropper is also low risk for the criminals that create it, since it is easy for them to cover their tracks when there are several steps to an infection. However, one of the features of Trojan.Dropper infections that make them attractive to criminals is that they can be easily disguised by simply changing their icon and file name.

    The payload of a typical Trojan.Dropper will vary from one case to the next. Typically, they will drop executable files, which can then infect the victim's computer system or download malware from a remote location.

    There are few symptoms associated with a Trojan.Dropper. Some kinds of Trojan.Dropper infections will display a fake error message while dropping their payload. However, most of the time a Trojan.Dropper will display no signs of infection at all. Usually, the symptoms on an infected computer system will have been caused by the Trojan.Dropper's payload rather than by the dropper. Some examples of Trojan.Dropper infections will be associated with rootkits that hide the Trojan.Dropper's payload and may also make changes to the System's settings and the Windows Registry
    Trojan.Dropper or Application.E.Surveiller.D Removal Report


    .

    .

    .
      My ComputerSystem Spec


  10. Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       16 Aug 2016 #10

    Thanks for the info - you'll get lots of hits for a generic malware type.

    When I'm researching a file, I get tons of hits from malware logs - it doesn't mean the file is malware, it only means that a common file was reported in a log. Drives me bonkers - so I have to sort those things out.

    I think you're in the clear and the file was the result of the remediation of a threat. Regardless, Malwarebytes cleaned it up and you deleted it from quarantine.

    Still, you should run the other tools above.
      My ComputerSystem Spec


 
Page 1 of 2 12 LastLast

Related Threads
Anniversary build defender won't allow what it thinks is malware in AntiVirus, Firewalls and System Security
Hi there If Windows defender thinks something is malware it deletes it before you've been given a chance to examine it. This is on release 1607 (Anniversary build). On 1511 you could see what Windows defender had caught and then allow /...
This one somehow is able to detect and remove many trojans/ malware which Spyware or Spybot does not detect, IOBit Malware fighter and IObit Advance System 9, Symantec Endpoint 12 all somehow can miss most of what Loaris Trojan Killer v1.3.99 finds....
I have a backdoor Trojan (malware) in AntiVirus, Firewalls and System Security
I have a backdoor Trojan (malware) on my computer and I couldn't be bothered to reformat my PC until the opportunity was given to me in windows 10. I still want to keep my PC but I want the malware to be completely gone, so in my situation would...
Solved Trojan removed by Defender in AntiVirus, Firewalls and System Security
With the last couple of builds it seems that Defender is always finding stuff to remove every time I start Windows 10. This morning I removed Trojan Win32/GHEUGENT.Alplock after Defender quarantined it and marked it severe. Right now I am running...
Solved Windows Defender claims malware in AntiVirus, Firewalls and System Security
Just by starting up I.E., Windows defender claims that it is taking action to clean delete malware. I have ran WD, Malwarebytes etc with no problems. Antisuperspyware claims "Trojan agent/gen-downloader" and adware.dealply/variant claims they...
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 23:04.
Find Us