Windows 10: Do I Have A Trojan?

Hello,
First post here *Smile

Lately my Windows Defender is finding a Trojan in the Recovery D (Trojan:Win32/Dynamer!ac)
It only shows up after a full 3 hour search and not in the fast search
A full search with Malwarebytes, Adware and Hitman Pro (free versions) will come up clean.

Unlike some others online I've been successful in removing the trojan with WD only to find it back the next day.
I even re-installed W10 and it's still there (I assume D was changed as well)

This questionable trojan is in some stupid game.
I don't play games on my PC and would love to rid my PC of any game that might be on it.

I took a snapshot of WD trying to get rid of the damn thing at the usual point where it sticks for about an hour.





So, Is it a false positive as some have said online?
And if yes how do I get WD to stop flashing red when it finds it?

:)

 

How do i do a total reset of my phone? I have a Samsung Focus

I tried that but it didn't work. i held all three buttons till the phone turned off.

 

How do i do a total reset of my phone? I have a Samsung Focus

This began after i installed a free application. my phone first locked up a couple of times so i had to turn it off then turn it on. The last time i turned it back on, all my settings were gone along with all my programs. then after signing my phone into
my live id, i have tried to install the missing applications and it tells me that i have no space. I think my phone completely crashed. is there any way to revive it?

 

As best as I can find out, it is not a false positive.

Trojan:Win32/Dynamer!ac

I would follow the directions in the above link and also run these:

Scan with Kaspersky TDSSKiller:
Anti-rootkit utility TDSSKiller

ESET online scanner:
Free Virus Scan | ESET Online Scanner ESET
Superantispyware
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Malwarebytes
Malwarebytes | Free Anti-Malware & Internet Security Software
When installing, uncheck the start trial real time scanning and just use it as an on demand scanner

 

I agree with essenbe - a false positive.
edit: You should determine if it is a real threat or a false positive
For it to be a threat though, you would see it under Windows, not on the D: drive.

The only way to know for certain is to submit the file to one of the virus database sites

• VirusTotal Also see: VirusTotal Uploader
  
• VirSCAN
  
• Jottis

You could also run an offline scan

How to create a Bitdefender Rescue CD
How to scan your computer with Bitdefender Rescue CD

What is Windows Defender Offline? - Windows Help

 

Thanks for the reply *Smile

I was on this site but with further research in their forums people can't agree if it's a real threat or not.
I already did an offline WD scan but I'll do it again since I just reloaded W10.

BTW~I have the free versions of Superantispyware, Malwarebytes, Hitman, Adware and CCleaner and use them everyday...it only shows up with WD in full search.

Cheers.

 

Again, thanks for the reply.
But I get the impression Essenbe thinks it's not a false positive and I should take it seriously.
Thanks for the tools...I'll dig right in *Smile

 

My mistake - I agree with essenbe
It should be determined if it's a real threat or a false positive.

That's why I gave you the virus db sites and the offline AV scanners

*Redface I fixed my previous post *Redface

Bill
.

 

OK,

I feel like I just went to a dark place and came back.

I should admit I know little about what I'm doing.
I'm one of those guys that keeps deleting essential files and might have done it again.*Redface

First off I scanned with the free Eset program.
It came up with these and not the trojan WD keeps reporting.
(Please delete or modify if I'm putting myself into jeopardy by posting these.)







I have no idea what these are but I deleted them.
I think it was at this point my PC became very sluggish.
It took about 30 seconds for my browser to open opening about 5 because of all the button pushing on my part.
And about a full minute or two to open my PC to access my files.

I then tried to do a Windows Defender Offline scan but was unsuccessful.
I made both a CD and USB drive (with another PC) but was unable to boot my (infected?) PC in question
I got this response...
"Selected boot image did no authenticate...press enter to continue"
I went into the BIOS and tried putting both USB and CD drive first in boot up options...didn't help.

I then tried to do a system recovery which I always thought was my fail-safe but got a series of failures which had me sweating.







Fortunately I ended up finding a way by using the search and "restored" my PC to a few days ago right after I thought WD got rid of the trojan. (it said it was successful)

Now I'm convinced something is wrong and I don't know what to do next.
Do I need to go back into BIOS and change things back?
(I don't remember the original order.)

I should add that for the last few days I get a popup saying WD discovered some Malware and is removing it.
It's still happening.

I'm going now to see if this trojan is listed on the sites Bill listed. (thanks)
I hope I can just type in the name because if I have to copy and paste I'm not sure I can even get into "D".
And if I can I'm concerned I'll really screw things up.

I really appreciate the help, guys.

 

The two google toolbars are potentially unwanted , but not necessarily harmful. It looks as though WD already stashed them anyway and ESET found them in the stash - you deleted them thru ESET.

I don't think removing those files caused any harm - WD might have objected and caused some thrashing though.

WD offline failed to boot - let's skip that for now. I suggested WD offline to see if that version of defender also saw D:\...wim...\Win32/Dynamer!ac as a threat. It might answer the question if Defender flagged it and Defender offline did not, since the other scanners you ran did not.

Now about those virus database sites: they probably do list the file, but that's not going to tell you about the file on your system. They are very good reference sites about malware, but the real power comes from you sending the file from your system to them for analysis. Since the file is buried in a windows image (wim) ... let's skip that step too.

I'm more convinced that it is a false positive after doing more reading.
From the link to MS that essenbe provided:
Technical Information
Threat behavior
We've automatically analyzed this threat, determined that it's a trojan because of what it does when it gets on a PC, and blocked and removed it from your PC.

Typically, trojans try to do one or all of the following:

• Download and install other malware.
• Use your computer for click fraud.
• Record your keystrokes and the sites you visit.
• Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
• Give a remote malicious hacker access to your PC.

Due to the generic nature of this threat, we are unable to provide specific information on what it does.
That's a fairly generic Technical Information about a trojan.

And over on Microsoft Answers ... false positves:
Win32/Dynamer!ac Search results

http://answers.microsoft.com/en-us/p...0-6067ee652719
http://answers.microsoft.com/en-us/p...4-89a9f3a9ba08
http://answers.microsoft.com/en-us/p...e-ac0302b32be6
http://answers.microsoft.com/en-us/p...c-91afcaf4e0d2
http://answers.microsoft.com/en-us/p...d-da6cad567e8b
http://answers.microsoft.com/en-us/p...c-a3c8f0638303
But .... there is still a risk that it is not a False positive.

D: is the HP recovery partition - right?
That is probably for the previous version of Windows - you upgraded from Win7 or Win8, is that also correct?

Here's what I would do

1) copy D: to a thumbdrive (16GB sb enough)

2) remove the D: partittion

3) Run a fair set of Malware scanners
I can give you some now and finish up after you decide what to do with D:


Restart your machine in case there are any system operations pending

Click here to download Old Timer-TFC.
>> save the application to your Desktop.
Old Timer-TFC is a standalone application, there is no install.

!!!!! Save your work and close all open windows.
TFC will close ALL open programs including your browser!

Right click, run as administrator TFC

Click the Start button to begin the cleaning up temporary files and folders.
!!!!! Do not work on other things while TFC is running - most applications use some sort of temporary files. Just let TFC run by itself on the machine until it completes.

*Busted Restart your machine immediately after TFC completes.

AdwCleaner is a two step process. Scan then Clean

Click here to download AdwCleaner (author: Xplode)
--> save the application to your Desktop.

• Right-click AdwCleaner.exe on your Desktop and select Run As Administrator to run the scanner with full privilege rights.
  AdwCleaner is a standalone executable, there is no install.
  
  
• Click on the Scan button.
  • AdwCleaner begins scanning your system. It might take some time to complete.
    
    
  • Review the detected objects grouped under each of the tabs.
    --> If there is something you KNOW should NOT be cleaned, clear the checkbox
    
    next to the object. If you're not sure about an object, paste the scan logfile (AdwCleaner[S#].txt) in a new post for a member to review and advise you.
    Otherwise, go to the next step.
  
  
• After the scan has finished and you have reviewed the objects to be cleaned, click on the Clean button.
  • Answer OK to the close all programs prompt, then follow the onscreen prompts.
  • Answer OK to the restart the computer prompt to complete the removal process.
    The AdwCleaner log file is opened in your default Text editor when the machine has restarted.
    Each time AdwCleaner runs, the log file number [#] is incremented, the highest number is the most recent. There are two log files, one for the scan (AdwCleaner[S#].txt) and one for the clean (AdwCleaner[C#].txt).

Paste the entire clean logfile (AdwCleaner[C#].txt) in your next post.
--> AdwCleaner logs are located in the C:\AdwCleaner folder if you need to reference them again

and finallay (for now)
Malwarebytes Anti-Malware Free - Windows 7 Help Forums

 

"D: is the HP recovery partition - right?
That is probably for the previous version of Windows - you upgraded from Win7 or Win8, is that also correct?

Here's what I would do

1) copy D: to a thumbdrive (16GB sb enough)

2) remove the D: partittion

3) Run a fair set of Malware scanners
I can give you some now and finish up after you decide what to do with D:"


Yes, "D" is my Recovery and I did a free upgrade to W10 from W8.
I did a W10 reinstall two days ago through a USB stick. (I wonder why WDoffline wouldn't boot with the stick?)

What does "16GB sb enough" mean? (my "D" is just over 35GB)
I also have no idea how to copy the entire "D" drive and then delete it from my laptop.*Redface

Thanks again for the help.

 

Ok, good info
Don't know why WD Offline wouldn't boot - let's skip that issue.

Well, that's embarrassing *Wink I guess a 16 GB Thumb drive is NOT big enough ... Sheesh D: is over 35GB !!!!!!
That might only be the capacity - the diskpart commands below will tell me more.

Do you have a device that can hold 36 GBs - an external drive, or a 64 GB thumb drive?

What can you see on D: in File Explorer? Is it accessible?

Launch a Command Prompt (Admin)
Quick Access menu
Right click the Windows menu (aka Start) on the Taskbar

Select Command Prompt (Admin)
and yes to the UAC prompt

Enter the following commands:

diskpart
lis dis
lis vol
sel vol # (Note, not part of the command: # is the volume number that matches drive letter D)
det vol
det parexit
Press alt+PrtScrn to grab a windowed screen shot
Open Paint
Ctrl+V to paste the shot
Ctrl+S to save the capture
you can close the Cmd Prompt window

Then please post the image to a new post.

 

I captured the results with Windows snipping Tool
I didn't know about your technique so when "alt+PrtScrn" didn't give me a sign that it captured I moved on to the one I usually use.
After I closed CP I see that it actually works...cool.

Anyways, here's the pics.
You can see I got confused at finding the "D" number.*Redface














Can I copy the "D" Partition to another laptop?

 

Thanks for the data

One more piece of the puzzle: I'd like to see your Disk Management

• Download dmDskmgr-vd.zip (contains dmDskmgr-vd.mmc)
  
  
• Double click dmDskmgr-vd.zip to open the compressed folder
  Double click dmDskmgr-vd.mmc to launch the custom Disk Management console
  
  
• Press Alt+PrtScn to grab a snapshot of just the Disk Management window
  Open Paint and Ctrl+V to paste it, then save the image
  
  
• Attach the image to a new post

Thanks
You could copy D: to another laptop, I was just trying to isolate the contents for two reasons.
A possible real threat or a flase positive, and
the Recovery isn't needed on your Win10 install. It's the OEM recovery partition,
--> I'm fairly sure of that, but I'll review the thread just in case I'm thinking of another thread *Redface

 

Hi.
This looks to me to be a part of HP installed games, on your recovery partition? And, I think, normally your recovery partition would not have a drive letter assigned to it, so Defender wouldn't normally scan this partition. So, I think it's a FP, but am wondering why your recovery partition has a drive letter.