HomeBoy

AntiVirus reporting TR-DropperGen


I was working on something completely non-OFF related this evening when my Avira antivirus program popped this up on my screen:

 

TR-DropperGenVirus.png

 

I clicked on "Repair all" which quarantined my OFFManager.exe. Of course that just won't do. I had been meaning to update my mini-patch (was running 132.e) so I went and downloaded 132.g and when I tried to install it, I got the same error message about this TR/Dropper.Gen virus. I looked it up and from everything I've read, it is a "low threat" so at least for now, I've chosen to ignore the warning from Avira. I'm just curious if anybody has seen this and if this is real. I don't want to get too smart for my own good assuming that Avira is falsely recognizing something in the file as having this virus. OFF seems to run just fine.

 

I'm not sure what I should do about this.

 

Thanks!

-mark

 

P.S. Sorry I've been a bit AWOL lately, I've gotten tied up in other things and haven't paddled my way back here yet. Looking forward to getting back into OFF. Hope everyone is doing well! :salute:


There's a lot of OFFManager.exe's out there with no problem, so I think we can safely say either a virus got onto your PC and infected the file, or it's a false positive.

We run with different virus scanners on the PCs so others would have picked it up by now if there was anything. Welcome back though Mark.


Yes, good to see you Homeboy. My McAfee program has not detected any such virus.



I hope "paddled" doesn't mean the flooding in different areas 2 weeks ago.

 

I use Avast and there's been discussions about Dropper. It seems to be aimed primarily at MSNBC misc links through IE 6, 7 or 8. It reportedly interferes with the IE homepage, directed links and the such. I can't see how it "linked" to the OFFM.exe. It may be a false positive, but Dropper is real and it's able to circumvent a lot of the heuristic searches/algorithms.

 

plug_nickel (Al)


Hi Guys,

 

We take this sort of thing quite seriously. All Dev PCs are fully protected and, what's more, we all use different AVs, so we hope to spread the risk by not being tied into one AV system.

 

My PC is reported clean and is scanned every day.

 

I will keep an eye on this thread - it's possible the exe became infected on the end user PC, but I am not discounting anything.

 

If anyone feels like running an AV test on OFF please do so and post back the results.

 

Thanks

 

WM

 

OBD Software


I check everything that I download, before I install. I'm on the OBD team, but still check downloads from the team members.

 

I run Norton AV and SpyHunter- all clear here :good:

Edited by sandbagger


Welcome back at the front, Homeboy.

You will soon realise that this Trojan is a minor problem when you have to face the twin Spandaus again. Lol! Good you're back here!


Checked with AVG 8.5 and Malwarebytes... can report no problems at all.


Nothing here either... I'm using F-Secure 2010. Avira may not be the best anti-virus programme - if you don't want to get a commercial product (which are the most reliable in my experience - except Norton, which sucks on so many levels), I've heard Avast is one of the best free ones available. Of course there's always the possibility that you really have a virus, but I often had such false positives when I was using free anti-virus products.


Have used Avast in the past (hmm..poetry!) :grin: ...and it's very good.

Avira / Norton, not my best friends I'm sorry to say.

 

Anyone use Kaspersky?


I run Avira as well as McAfee, AdAware and Spybot Search & Destroy. I've gotten no hits on the OFF files whatsoever. Don't know what to tell you.


AVG here, daily run.. no issues on my end.


I'd like - for OBD's sake - to bring up one point here again, that we had already discussed sometime back in the early days of BHaH:

Everybody who loves BHaH as a great product with a lot of time and energy put into it could help, and use words like "bug" or "Virus in an OFF product" rather carefully, and first of all: not in the headline.

Because that way, too many people may stumble across these words in their searches, and although there was no "bug" in most cases, something negative may stick in their minds.

I have been criticised for asking for censorship with this, back then - but what I really mean to ask you all for is rather to be helpful in a positive way. Something really disturbing or bad could still be posted to OBD's support:

support@overflandersfields.com

I have experienced myself that they usually respond very quickly. Thanks for reading.


Good point Olham. Homeboy, do you mind editing the title to maybe have a "?" on the end? Otherwise it looks like a statement about the product in general.

If you can't one of the mods can. Don't want people panicking out there when there clearly is nothing wrong as others show.

 

Basically this could happen thousands of times in one off incidents on a users' PCs with all sorts of programs and files. If I detect something I always assume it's my issue, and then use one of the online scanners from a well known company site such as McAfee's or Kaspersky etc too to double check the system.

 

http://www.mcafee.com

 

search for "online scan" it's free.


I've never used AVIRA but ...

 

False positives based on heuristic scanning happen quite a bit. Scan engines and definitions work on the principle of if it looks like a duck, walks like a duck, it must be a duck. Sometimes this works and sometimes it doesn't. Hence the term "false positive". I would highly recommend since the service is available that you report the false positive to AVIRA so they can update their scan engine. You can do that here through their online submit form: AVIRA Sample Submission

 

While I was digging around AVIRA I also noticed a removal tool that's free and independent of any A/V. I would be interested to see what their removal tool detects and reports for you. You can get a copy of it here: AVIRA Removal Tool

 

For those of you that enjoy using Internet Explorer (IE) for browsing I would highly recommend you at least consider the following.

 

A) Keep your IE software up to date and current, flush the browser cache routinely. Personal recommendation is to not keep a cache at all as you can set in the IE options for IE to clear the cache when the browser window is closed.

* From IE // Tools > Internet Options > Advanced Tab > Scroll down to security section and check "Empty Temporary Internet Files ..." > Click Apply

B) Keep your Java updated and remove older versions from your machine (add/remove software). Also here again make sure the cache is cleaned regularly or turned off as Java allows configuration of its cache settings.

* Update your Java // Control Panel > Open "Java" Control Panel > Update Tab > Check For Update > Install if update found

* Set Java's Temporary Internet Files // Control Panel / Open "Java" Control Panel > General Tab > Temporary Internet Files - Click "Settings" > Untick box to keep files at top of window

* Check latest version of Java running in IE // Tools > Internet Options > Advanced Tab > Scroll down to Java section and make sure the latest Java is selected > Click Apply

C) Check out Windows Defender. It's a good way to protect your Microsoft products.

* Windows Defender

D) Strongly consider using a more secure and compliant browser like Firefox.

* Get Firefox

E) At the very least make sure you check the IE Browser Add-Ons and remove (disable) anything you don't recognize which includes removing tool bars.

* In IE // Tools > Manage Addons > Disable as necessary

F) Keep your module files clean and updated. You may safely remove all module files, and when they are needed again your system will download and install current versions. You can access your plugin module files in IE:

* IE // Tools > Internet Options > General Tab > Click "Settings" in the Browsing History Section > On pop-up window for temp internet files and history Click "View Objects" > Remove files in this view window as necessary or right click them and update them if you recognize them as being used often.

* Usually these files are stored in C:\WINDOWS\Downloaded Program Files\

G) Keep your OS Updated by using Microsoft Update regularly. Check this yourself and don't rely on the automated system as it can be disabled by malware.

 

 

For a further diagnosis of your file system if you are unable to find and remove the TR/DropperGen.Trojan I recommend the following:

 

Download Malwarebytes' Anti-Malware (MBAM)

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* At the end, be sure a checkmark is placed next to the following:

o Update Malwarebytes' Anti-Malware

o Launch Malwarebytes' Anti-Malware

* Then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

* Copy and Paste the entire report in your next reply.

 

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

 

 

Good luck.

 

 

E


Well, I got the same "Warning" with AV. But only after patching OFF yesterday.

 

Guess & hope nothing serious?


Thanks a lot Erik.

 

Cash, yes, so which AV program?

 

Avira doesn't like a certain pattern of binary in the new OFF Manager (which is changed, of course) and is causing a false report - please report it as a false positive; all the other virus killers here, mine and the team's, all find no problem.

 

Just to clarify so far:

 

AVG 8.5 (two people)

Norton

NOD32 (two people I have it too)

SpyHunter

F-Secure 2010

McAfee AV

AdAware

Spybot

Avast

 

All find nothing.. I think we are A-OK ;)

 

 

Some online scanners worth keeping a note of somewhere, so you can get a second scan if you get future issues:

 

http://home.mcafee.com/Downloads/FreeScan.aspx

http://housecall.trendmicro.com/

http://www.bitdefender.com/scanner/online/free.html

http://www.kaspersky.com/scanforvirus


And also SuperAntiSpyware (good for detecting trojans and some rootkits) doesn't report anything.

Tomorrow I'll check with BitDefender Internet Security.

Edited by Von Paulus


Yep, same here: patched yesterday to the new mini patch and got the virus warning.. hope it's just a small problem and nothing too huge..



 

Blue781, which Anti Virus product? It is important to note that.

 

Some AV programs use the same algorithms or AV signatures.

 

Housecall found nothing either so many many AV products find nada..

 

Please, if anyone posts a "me too", state the AV product, and more importantly do not post if you have the same AV as the start of this thread, Avira, or obviously you WILL have a warning from it, and it will not help anyone to have 100 people saying "me too" with the same AV product!


" its possible the exe became infected on the end user PC but I am not discounting anything"

 

Surely an exe is machine code? How can a virus get into it? Or am I mistaking the nature of a .exe file?

 

Have to agree with Erik - get a proper browser like Firefox.

 

Downloaded 1.32g, no problems, but will fire up the free AVG thing later today and report back if it finds anything it considers dubious, but I'm pretty doubtful...

 

Cheers,

Si


Viri change .exe's very very easily that's one of the main things they do ;)
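The exchange above turns on one question: was the installed OFFManager.exe changed on the user's PC, or does Avira's heuristic fire on the shipped binary itself? The Python script below is an added example, not code from the thread or from OBD. It compares the installed copy against a freshly downloaded copy of the same release by SHA-256 and reports the first differing byte offset: identical copies point to a false positive on the shipped file (report it to the vendor with the hash), while a divergent installed copy is the "exe modified locally" case WM describes. The sample bytes in the `__main__` block and the commented-out file paths are constructed assumptions.

```python
"""Compare an installed .exe against a pristine download of the same release.

Added example, not from the thread or from OBD. The reasoning follows the
thread: if both copies are byte-for-byte identical and the fresh download
also trips the scanner, the alert is on the shipped binary (report it as a
false positive, quoting the SHA-256); if the installed copy differs, it was
altered locally and deserves a full scan with a second engine.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Comparison:
    sha256_installed: str
    sha256_download: str
    identical: bool
    first_diff_offset: Optional[int]  # None when the two copies are identical
    size_delta: int                   # len(installed) - len(download)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; the value to quote when submitting a sample."""
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte that differs, or None when a == b.

    If one copy is a prefix of the other (bytes appended at the end), the
    offset returned is the length of the shorter copy.
    """
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def compare_copies(installed: bytes, download: bytes) -> Comparison:
    """Hash both copies and locate where (if anywhere) they diverge."""
    h_inst, h_down = sha256_hex(installed), sha256_hex(download)
    return Comparison(
        sha256_installed=h_inst,
        sha256_download=h_down,
        identical=(h_inst == h_down),
        first_diff_offset=first_difference(installed, download),
        size_delta=len(installed) - len(download),
    )


def verdict(c: Comparison) -> str:
    """Plain-language reading of the comparison, in the thread's terms."""
    if c.identical:
        return ("identical: the scanner is reacting to the shipped binary; "
                "report a false positive to the vendor with SHA-256 " + c.sha256_installed)
    return (f"differs at offset {c.first_diff_offset} (size delta {c.size_delta:+d} bytes): "
            "the installed copy was modified locally; scan the PC with a second engine")


def read_file(path: str) -> bytes:
    """Read a whole file as bytes (used for the real comparison)."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed sample bytes standing in for real files (not real OFF binaries).
    pristine = b"MZ" + bytes(62) + b"demo program body"
    appended = pristine + b"\x00" * 16   # trailing bytes added after install
    print(verdict(compare_copies(pristine, pristine)))
    print(verdict(compare_copies(appended, pristine)))
    # On a real PC the paths are assumptions; substitute your own:
    # print(verdict(compare_copies(read_file(r"C:\path\to\installed\OFFManager.exe"),
    #                              read_file(r"C:\path\to\downloaded\OFFManager.exe"))))
```

The SHA-256 is worth keeping in any case: it is what a vendor false-positive submission and the online second-opinion scanners mentioned earlier in the thread key on, and it lets two users confirm they hold the same file without exchanging it.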

