AntiVirus reporting TR-DropperGen

[HomeBoy 1]

I was working on something completely non-OFF related this evening when my AVira antivirus program popped this up on my screen:

 

 

I clicked on "Repair all" which quarantined my OFFManager.exe. Of course that just won't do. I had been meaning to update my mini-patch (was running 132.e) so I went and downloaded 132.g and when I tried to install it, I got the same error message about this TR/Dropper.Gen virus. I looked it up and from everything I've read, it is a "low threat" so at least for now, I've chosen to ignore the warning from Avira. I'm just curious if anybody has seen this and if this is real. I don't want to get too smart for my own good assuming that Avira is falsely recognizing something in the file as having this virus. OFF seems to run just fine.

 

I'm not sure what I should do about this.

 

Thanks!

-mark

 

P.S. Sorry I've been a bit AWOL lately, I've gotten tied up in other things and haven't paddled my way back here yet. Looking forward to getting back into OFF. Hope everyone is doing well!

[+Polovski 414]

There's a lot of OFFManager.exe's out there with no problem, so I think we can safely say either a virus got onto you PC and infected the file, or it's a false positive.

We run with different virus scanners on the PCs so others would have picked it up by now if there was anything. Welcome back though Mark.

[Rickitycrate 10]

Yes, good to see you Homeboy. My McAfee program has not detected any such virus.

[almccoyjr 7]

I was working on something completely non-OFF related this evening when my AVira antivirus program popped this up on my screen:

 

 

I clicked on "Repair all" which quarantined my OFFManager.exe. Of course that just won't do. I had been meaning to update my mini-patch (was running 132.e) so I went and downloaded 132.g and when I tried to install it, I got the same error message about this TR/Dropper.Gen virus. I looked it up and from everything I've read, it is a "low threat" so at least for now, I've chosen to ignore the warning from Avira. I'm just curious if anybody has seen this and if this is real. I don't want to get too smart for my own good assuming that Avira is falsely recognizing something in the file as having this virus. OFF seems to run just fine.

 

I'm not sure what I should do about this.

 

Thanks!

-mark

 

P.S. Sorry I've been a bit AWOL lately, I've gotten tied up in other things and haven't paddled my way back here yet. Looking forward to getting back into OFF. Hope everyone is doing well!

I hope "paddled" doesn't mean the flooding in different areas 2 weeks ago.

 

I use Avast and there's been discussions about Dropper. It seems to be aimed primarily at MSNBC misc links through IE6,7 or 8. It reportedly interferes with IE homepage, directed links and the such. I can't see how it "linked" to the OFFM.exe. It may be a false positive but Dropper is real and it's able to circumvent a lot of the heuristic searches/algorithms.

 

plug_nickel (Al)

[+Winder 32]

Hi Guys,

 

We take this sort of thing quite seriously and all Dev PCs are fully protected and whats more we all use different AVs so we hope to spread the risk by not being tied into one AV system.

 

My PC is reported clean and is scanned every day.

 

I will keep an eye on this thread - its possible the exe became infected on the end user PC but I am not discounting anything.

 

If anyone feels like running an AV test on OFF please do so and post back the results.

 

Thanks

 

WM

 

OBD Software

[sandbagger 1]

I check everything that I download, before I install. I'm on the OBD team, but still check downloads from the team members.

 

I run Norton AV and SpyHunter- all clear here

Edited October 3, 2009 by sandbagger

[Olham 164]

Welcome back at the front, Homeboy.

You will soon realise, that this Trojan is a minor problem, when you have to face the

twin Spandaus again. Lol! Good you're back here!

[UK_Widowmaker 571]

Checked with AVG 8.5 and Malwarebytes...can report no problems at all

[Hasse Wind 46]

Nothing here either... I'm using F-Secure 2010. Avira may not be the best anti-virus programme - if you don't want to get a commercial product (which are the most reliable in my experience - except Norton which sucks on so many levels), I've heard Avast is one of the best free ones available. Of course there's always the possibility that you really have a virus, but I had often such false positives when I was using free anti-virus products.

[UK_Widowmaker 571]

Have used Avast in the past (hmm..poetry!) ...and it's very good.

Avira / Norton, not my best friends I'm sorry to say.

 

Anyone use Kaspersky?

[NS13Jarhead 6]

I run Avira as well as McAfee, AdAware and Spybot Search & Destroy. I've gotten no hits on the OFF files whatsoever. Don't know what to tell you.

[OvS 8]

AVG here, daily run.. no issues on my end.

[Olham 164]

I'd like - for OBD's sake - to bring up one point here again, that we had already discussed

sometime back in the early days of BHaH:

 

Everybody who loves BHaH as a great product with a lot of time and energy put into,

could help, and use words like "bug" or "Virus in an OFF product" rather carefully, and

first of all: Not in the headline

 

Cause that way, too many people may stumble across these words in their searches, and

although there was no "bug" in most cases, something negative may stick in their minds.

 

I have been criticised to ask for censorship with this, back then - but what really I mean to

ask you all for, is rather to be helpful in a positive way.

Something really disturbing or bad could still be posted to OBD's support:

 

support@overflandersfields.com

 

I made the experience myself, that they usually care very quick. Thanks for reading.

[Von Paulus 8]

NOD32 V4 and SuperAntiSpyware and... no issues.

[Von Paulus 8]

Well AVG is known for its false positives.

[+Polovski 414]

Good point Olham. Homeboy do you mind editing the title to maybe have a "?" on the end. Otherwise it looks like a statement about the product in general?

If you can't one of the mods can. Don't want people panicking out there when there clearly is nothing wrong as others show.

 

Basically this could happen thousands of times in one off incidents on a users' PCs with all sorts of programs and files. If I detect something I always assume it's my issue, and then use one of the online scanners from a well known company site such as McAfee's or Kaspersky etc too to double check the system.

 

http:/www.mcafee.com,

 

search for "online scan" it's free.

[+Erik 1,731]

I've never used AVIRA but ...

 

False positives based on heuristic scanning happen quite a bit. Scan engines and definitions work on the principle of if it looks like a duck, walks like a duck, it must be a duck. Sometimes this works and sometimes it doesn't. Hence the term "false positive". I would highly recommend since the service is available that you report the false positive to AVIRA so they can update their scan engine. You can do that here through their online submit form: AVIRA Sample Submission

 

While I was digging around AVIRA I also noticed a removal tool that's free and independent of any A/V. I would be interested to see what their removal tool detects and reports for you. You can get a copy of it here: AVIRA Removal Tool

 

For those of you that enjoy using Internet Explorer (IE) for browsing I would highly recommend you at least consider the followiing.

 

A) Keep your IE software up to date and current, flush the browser cache routinely. Personal recommendation is to not keep a cache at all as you can set in the IE options for IE to clear the cache when the browser window is closed.

* From IE // Tools > Internet Options > Advanced Tab > Scroll down to security section and check "Empty Temporary Internet Files ..." > Click Apply

B) Keep your Java updated and remove older versions from your machine (add/remove software). Also here again make sure the cache is cleaned regularly or turned off as Java allows configuration of its cache settings.

* Update your Java // Control Panel > Open "Java" Control Panel > Update Tab > Check For Update > Install if update found

* Set Java's Temporary Internet Files // Control Panel / Open "Java" Control Panel > General Tab > Temporary Internet Files - Click "Settings" > Untick box to keep files at top of window

* Check latest version of Java running in IE // Tools > Internet Options > Advanced Tab > Scroll down to Java section and make sure the latest Java is selected > Click Apply

C) Check out Windows Defender. It's a good way to protect your MicroSoft products.

*

Windows Defender

D) Strongly consider using a more secure and compliant browser like FireFox.

*

Get FireFox

E) At the very least make sure you check the IE Browser Add-Ons and remove (disable) anything you don't recognize which includes removing tool bars.

* In IE // Tools > Manage Addons > Disable as necessary

F) Keep your module files clean and updated. You may safely remove all module files and when they are needed again your system will download and install current versions. You can access your plugin module files in IE

* IE // Tools > Internet Options > General Tab > Click "Settings" in the Browsing History Section > On pop-up window for temp internet files and history Click "View Objects" > Remove files in this view window as necessary or right click them and update them if you recognize them as being used often.

* :: Usually these files are stored in C:\WINDOWS\Downloaded Program Files\

G) Keep your OS Updated by using Microsoft Update regularly. Check this yourself and don't rely on the automated system as it can be disabled by malware.

 

 

For a further diagnosis of your file system if you are unable to find and remove the TR/DropperGen.Trojan I recommend the following:

 

Download Malwarebytes' Anti-Malware (MBAM)

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* At the end, be sure a checkmark is placed next to the following:

o Update Malwarebytes' Anti-Malware

o Launch Malwarebytes' Anti-Malware

* Then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

* Copy and Paste the entire report in your next reply.

 

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

 

 

Good luck.

 

 

E

[Cash 0]

Well, i got the same "Warning" with AV. But only after patching OFF yesterday.

 

Guess & hope nothing serious?

[cptroyce 0]

All fine with Avast full scan.

 

 

Royce

 

 

[+Polovski 414]

Thanks a lot Erik.

 

Cash yes so which AV program?

 

AVira doesn't like a certain pattern of binary in the new OFF Manager (which is changed of course) and is causing a false report - please report it as a false positive, all the other virus killers here and mine and the teams all find no problem.

 

Just to clarify so far

 

AVG 8.5 (two people)

Norton

NOD32 (two people I have it too)

SpyHunter

F-Secure 2010

McAfee AV

AdAware

Spybot

Avast

 

All find nothing.. I think we are a ok ;)

 

 

Some online scanners worth keeping a note somewhere if you get future issues to get a second scan

 

http://home.mcafee.com/Downloads/FreeScan.aspx

http://housecall.trendmicro.com/

http://www.bitdefender.com/scanner/online/free.html

http://www.kaspersky.com/scanforvirus

[Von Paulus 8]

And also SuperAntiSpyware (good for detecting trojans and some rootkits) doesn't report anything.

Tomorrow I'll check with BitDefender Internet Security.

Edited October 3, 2009 by Von Paulus

[Blue781 0]

yep same here patched yesterday to the new mini patch and got the virus warning.. hope its just a small problem and nothing two huge..

[+Polovski 414]

yep same here patched yesterday to the new mini patch and got the virus warning.. hope its just a small problem and nothing two huge..

 

Blue781 which Anti Virus product? it is important that to note that.

 

Some AV programs use the same algorithms or AV signatures.

 

Housecall found nothing either so many many AV products find nada..

 

Please if anyone posts a "me too" please state the AV product, and more importantly do not post if you have the same AV as the start of this thread, AVira, or obviously you WILL have a warning from it and it will not help anyone to have 100 people saying me too with the same AV product!

[themightysrc 5]

" its possible the exe became infected on the end user PC but I am not discounting anything"

 

Surely an exe is machine code? How can a virus get into it? Or am I mistaking the nature of a .exe file?

 

Have to agree with Erik - get a proper browser like Firefox.

 

Downloaded 1.32g, no problems, but will fire up the free AVG thing later today and report back if it finds anything it considers dubious, but I'm pretty doubtful...

 

Cheers,

Si

[+Polovski 414]

Viri change .exe's very very easily that's one of the main things they do ;)