Hi there, I’m hoping you guys can help me! My laptop has been running fine with Avast for a long time, but recently I have not been able to connect to the internet and Avast has now started finding numerous files with the VBS:ExeDropper-gen trojan. There seem to be two main places within Program Files that Avast is picking it up:
The recommended action is always move to chest. I am running Avast scans in safe mode because I get constant Avast trojan popup alerts when running normally. I ran a Malwarebytes scan and deleted a few things that were found.
What would you advise me to try? I am not keen on a complete system restore because I do not have the OS disc.
I’d be grateful for any help!
Thanks.
Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try Dr.Web CureIt! instead.
Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest) rather than simply deleting them.
Personally I would clean some of the old stuff out of your VirtualStore: avast4 (surely you aren’t still using that; avast 6.0.100 is the latest) and Adobe Reader 9 (an old version with vulnerabilities that are being exploited; 10.0.x is the latest).
Then I would suggest uploading the 04-23album_info.htm and 04-26select_back_header.htm to VirusTotal to confirm the detection (or otherwise).
You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here: the URL in the address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.
Hi, thanks for the advice.
Malwarebytes is now not finding anything. Neither is Avast; I’ve updated Avast to the newest version. Attached is a log from OTS.
Any advice you can give me based on that? Would it be a good idea to uninstall Adobe and Canon which seems to be where the files were being picked up?
Thanks
The best advice I gave was to confirm the detection (or otherwise) using VirusTotal and post the URL of the results.
If that shows multiple AVs (and there are 43 scanners on VT) detect it, then it confirms the detection; if only avast and GData detect it (with the same malware name), then it is likely to be a false positive.
On confirmation one way or another we can decide if any further action is required, that is why it was suggested.
If you have Adobe Reader 9.0 installed then you should at the very least update it to the latest version. It is a huge target for malware given its very large user base; for that reason, and because it has become very bloated for a simple PDF reader, I switched to Foxit PDF Reader a long time ago. There are other free PDF readers that are not as bloated or such a target for malware.
For me any other action is premature without confirmation using VT.
Aside from that I’m not familiar with the OTS analysis and cleaning tool. No detections in the aswar.log.
I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
With the files being HTM I would like to run a second opinion on this one. What error do you get when you try to connect?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-1876695607-620616741-546333022-1000\] > -> HKEY_USERS\S-1-5-21-1876695607-620616741-546333022-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "LvckZkfgnsc" -> [C:\Users\Hannah\AppData\Local\Temp\drweb.exe]
YN -> "LvckZkfgnZ" -> [C:\Users\Hannah\AppData\Local\Temp\cmd.exe]
YN -> "LvckZkfgoMc" -> [C:\Users\Hannah\AppData\Local\Temp\gdi32.exe]
YN -> "LvckZkfgruf" -> [C:\Users\Hannah\AppData\Local\Temp\spoolsv.exe]
YN -> "LvckZkfgrwe" -> [C:\Users\Hannah\AppData\Local\Temp\sysmgm.exe]
YN -> "LvckZkfgrxe" -> [C:\Users\Hannah\AppData\Local\Temp\system.exe]
[Files/Folders - Created Within 30 Days]
NY -> abelhadigital.com -> C:\Users\Hannah\AppData\Roaming\abelhadigital.com
NY -> abelhadigital.com -> C:\ProgramData\abelhadigital.com
NY -> Ymumde -> C:\Users\Hannah\AppData\Roaming\Ymumde
NY -> Diabpo -> C:\Users\Hannah\AppData\Roaming\Diabpo
[Files - No Company Name]
NY -> 653246187.dat -> C:\Users\Hannah\AppData\Local\653246187.dat
[File - Lop Check]
NY -> Codai -> C:\Users\Hannah\AppData\Roaming\Codai
NY -> Diabpo -> C:\Users\Hannah\AppData\Roaming\Diabpo
NY -> Iged -> C:\Users\Hannah\AppData\Roaming\Iged
NY -> Ihdi -> C:\Users\Hannah\AppData\Roaming\Ihdi
NY -> Iskah -> C:\Users\Hannah\AppData\Roaming\Iskah
NY -> Lixub -> C:\Users\Hannah\AppData\Roaming\Lixub
NY -> lowsec -> C:\Users\Hannah\AppData\Roaming\lowsec
NY -> Opih -> C:\Users\Hannah\AppData\Roaming\Opih
NY -> Viemso -> C:\Users\Hannah\AppData\Roaming\Viemso
NY -> Ymumde -> C:\Users\Hannah\AppData\Roaming\Ymumde
[Custom Items]
:Files
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
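The Run entries in the fix above show the pattern a responder looks for: random-looking value names, every target sitting in the user's Temp folder, and several of those targets borrowing the names of Windows components (cmd.exe, spoolsv.exe, gdi32.exe) that have no business living there. The following is an added example, not part of the thread or of OTS, that parses lines in the OTS "YN -> name -> [path]" format and flags entries by those three rules. The six Run lines are copied from the fix above; the "Adobe Reader Speed Launcher" line is a constructed benign control, and the look-alike name list and the vowel-ratio heuristic are this example's own assumptions, not OTS logic.

```python
"""Triage autorun (Run key) entries from an OTS-style log.

Added example for the forum thread, not code from OTS or the poster.
Flags an entry when its target lives in a user-writable profile/temp
directory, when its file name mimics a Windows component but sits
outside C:\\Windows, or when its value name looks machine-generated.
"""
import re
from dataclasses import dataclass

# Sample input: the six Run lines quoted from the OTS fix above, plus one
# constructed benign entry (Adobe Reader's launcher) as a control.
SAMPLE_LOG = r'''
< Run [HKEY_USERS\S-1-5-21-1876695607-620616741-546333022-1000\] > -> HKEY_USERS\S-1-5-21-1876695607-620616741-546333022-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "LvckZkfgnsc" -> [C:\Users\Hannah\AppData\Local\Temp\drweb.exe]
YN -> "LvckZkfgnZ" -> [C:\Users\Hannah\AppData\Local\Temp\cmd.exe]
YN -> "LvckZkfgoMc" -> [C:\Users\Hannah\AppData\Local\Temp\gdi32.exe]
YN -> "LvckZkfgruf" -> [C:\Users\Hannah\AppData\Local\Temp\spoolsv.exe]
YN -> "LvckZkfgrwe" -> [C:\Users\Hannah\AppData\Local\Temp\sysmgm.exe]
YN -> "LvckZkfgrxe" -> [C:\Users\Hannah\AppData\Local\Temp\system.exe]
YN -> "Adobe Reader Speed Launcher" -> [C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe]
'''

# OTS line shape: YN -> "value name" -> [target path]
ENTRY_RE = re.compile(r'^YN -> "(?P<name>[^"]*)" -> \[(?P<path>[^\]]+)\]$')

# Assumption: directories an unprivileged user (and so malware running as
# that user) can write to. Paths are normalised to forward slashes first.
USER_WRITABLE = ("/appdata/local/temp/", "/appdata/roaming/",
                 "/programdata/", "/users/public/")
WINDOWS_DIR = "c:/windows/"

# Assumption: names borrowed from Windows components. gdi32 is really a DLL
# and system.exe does not exist, so an .exe with either name is suspect.
LOOKALIKE_NAMES = {"cmd.exe", "spoolsv.exe", "gdi32.exe", "system.exe",
                   "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe"}


@dataclass
class Finding:
    value_name: str
    path: str
    reasons: list


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 8+ letters, no spaces, under 20% vowels."""
    letters = [c for c in name if c.isalpha()]
    if " " in name or len(letters) < 8:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def assess(value_name: str, path: str) -> list:
    """Return the list of reasons an autorun entry is suspicious (empty if none)."""
    lower = path.lower().replace("\\", "/")
    filename = lower.rsplit("/", 1)[-1]
    reasons = []
    if any(marker in lower for marker in USER_WRITABLE):
        reasons.append("target in user-writable temp/profile directory")
    if filename in LOOKALIKE_NAMES and not lower.startswith(WINDOWS_DIR):
        reasons.append(f"{filename} located outside the Windows directory")
    if looks_random(value_name):
        reasons.append("random-looking value name")
    return reasons


def triage(log_text: str) -> list:
    """Parse every YN Run entry in the log and keep those with findings."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        reasons = assess(m["name"], m["path"])
        if reasons:
            findings.append(Finding(m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f.value_name!r} -> {f.path}')
        for r in f.reasons:
            print(f"    - {r}")
```

Running it flags all six Temp entries and passes the Adobe control; the cmd.exe, gdi32.exe, spoolsv.exe and system.exe entries trip all three rules. The heuristics are deliberately loose (a vowel-free product name would also be flagged), so treat a hit as a prompt to check the file on VirusTotal, as suggested earlier in the thread, not as a verdict.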
It will download as an 8-digit file; save it to your desktop.
Restart in safe mode and run it.
Accept the enhanced version.
Then run the quick scan.
About halfway through you will be prompted to buy; just X the box closed.
Once finished it will generate a log; please attach that.
I have just run a Dr.Web scan; the log is too big to attach. It only found one threat, which I deleted. I will uninstall Adobe Acrobat and restart in normal mode to see if I still have problems.
I’ve just run a Malwarebytes scan and an Avast scan and found no new threats. I’ve updated all versions and definitions of Avast so nothing is outdated. I’ve uninstalled Adobe and will probably get a different PDF reader as David suggests. The only thing I’ve got left is about 30 infected files in my virus chest. What should I do about them? Almost all have the original location,