Windows 10: Windows Defender - Trojan Dropper Malware

Discussion in 'AntiVirus, Firewalls and System Security' started by torre, Aug 15, 2016.

  1. torre Win User

    Windows Defender - Trojan Dropper Malware


    Malwarebytes discovered the Trojan Dropper in the rundlll.32exe file. Windows Defender (WD) did not detect it in a scan performed immediately before. I removed it with Malwarebytes and did a follow-up scan with Norton Power Eraser, which was negative. I do not have Malwarebytes installed but download it periodically to do a scan.

    Posting this to illustrate the importance of supplementing WD with another AV.

    If you are not familiar with Trojan Dropper it is a type of Trojan whose purpose is to deliver an enclosed payload onto a destination host computer.

    :)
     
    torre, Aug 15, 2016
    #1

  2. TrojanDropper:JS/Exjaysee.A

    I hope I can find someone who can help me get rid of this Trojan.

    Windows Defender notifies me of this Malware Dropper every 10 minutes. It says it found it and quarantined it.
    I can't live with this!!

    A certified company representing Microsoft called me and talked me into putting up $500.00 and assured me they could take care of it. After Four "Computer Technicians" and a ton of frustrating phone time, it is still there laughing at me.

    Before I try and get a refund I need to find out more about this Trojan and to really get rid of it. I used McAfee for years and years. They did a good job but, they really got hard to deal with, so I dropped them and started using Windows Defender.

    Can someone give me some direction........PLEASE!!

    Woe is me!!

    Dan
     
    DanielLoechner, Aug 15, 2016
    #2
  3. "TrojanDropper:O97M/Donoff" has been quarantined but still says to remove?

    here is the information listed from scan file history

    "The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this device. Category: Trojan Dropper Description: This program is dangerous and installs other programs. Recommended action: Remove this software immediately. Items: file:\Device\HarddiskVolumeShadowCopy9\Users\Rich\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\2e547d418075e25c\120712-0049\Att\2002c8ec\shipping_5121432.doc Get more information about this item online."

    this is from the full history

    "file: \Device\HarddiskVolumeShadowCopy6\Users\Rich\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\2e547d418075e25c\120712-0049\Att\2002c8ec\shipping_5121432.doc"

    When clicking on "Learn More" under Details, it takes me to Microsoft (threat description - Windows Defender Security Intelligence).

    Currently I am running a full scan with software removal tool dated Oct. 2017

    The file, i.e. the Trojan, is called "TrojanDropper:O97M/Donoff".

    Alert Level : Severe

    Status : Quarantined

    date 10/24/17

    Recommended action: remove threat now

    Category : Trojan Dropper

    Details: this program is dangerous and installs other programs.

    OS is Running Win 10 Pro with all latest patches up to and including today.
     
    rlfranklin2, Aug 15, 2016
    #3
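The history text quoted in the post above reports the item under a `\Device\HarddiskVolumeShadowCopyN\...` path, which is the NT device name of a Volume Shadow Copy (VSS) snapshot rather than of the live volume. The following is an added example, not code from the thread or from Microsoft: a small parser for Defender history entries of that shape that pulls out the error code, category and path, recognises snapshot paths, and maps the snapshot-relative path back to where the same file would sit on the live volume. The second history entry is constructed for contrast, and the `C:` drive letter used for the live-volume mapping is an assumption, since the history text does not name the drive the snapshot belongs to.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. The first entry is the Windows Defender history text
# quoted in the post above, re-joined into one string (the forum wrapped it);
# the second is a made-up entry for a detection on the live volume, for contrast.
HISTORY_ENTRIES = [
    "The following error occurred: Error code 0x80508023. The program could not "
    "find the malware and other potentially unwanted software on this device. "
    "Category: Trojan Dropper Description: This program is dangerous and installs "
    "other programs. Recommended action: Remove this software immediately. Items: "
    "file:\\Device\\HarddiskVolumeShadowCopy9\\Users\\Rich\\AppData\\Local\\Packages\\"
    "microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\LiveComm\\"
    "2e547d418075e25c\\120712-0049\\Att\\2002c8ec\\shipping_5121432.doc Get more "
    "information about this item online.",
    "Category: Trojan Dropper Description: This program is dangerous and installs "
    "other programs. Recommended action: Remove this software immediately. Items: "
    "file:C:\\Users\\Rich\\Downloads\\shipping_5121432.doc Get more information "
    "about this item online.",
]

ERROR_RE = re.compile(r"Error code (0x[0-9A-Fa-f]+)")
CATEGORY_RE = re.compile(r"Category:\s*(.+?)\s+Description:")
ITEM_RE = re.compile(r"Items:\s*file:\s*(.+?)(?:\s+Get more information|$)")
# \Device\HarddiskVolumeShadowCopyN is the NT device name of a VSS snapshot.
SHADOW_RE = re.compile(r"^\\Device\\HarddiskVolumeShadowCopy(\d+)(\\.*)$", re.IGNORECASE)


@dataclass
class Detection:
    category: str
    path: str
    error_code: Optional[str]
    shadow_copy_id: Optional[int]
    relative_path: str  # path below the volume root (snapshot or live)


def parse_entry(text: str) -> Detection:
    """Pull the fields an analyst needs out of one Defender history entry."""
    text = " ".join(text.split())  # collapse forum line wrapping
    error = ERROR_RE.search(text)
    category = CATEGORY_RE.search(text)
    item = ITEM_RE.search(text)
    if not (category and item):
        raise ValueError("not a Defender detection entry")
    path = item.group(1).strip()
    shadow = SHADOW_RE.match(path)
    if shadow:
        shadow_id, rel = int(shadow.group(1)), shadow.group(2)
    else:
        # Strip a drive letter such as "C:" so live and snapshot paths compare alike.
        shadow_id, rel = None, (path[2:] if re.match(r"^[A-Za-z]:\\", path) else path)
    return Detection(category.group(1), path, error.group(1) if error else None, shadow_id, rel)


def live_volume_equivalent(det: Detection, drive: str = "C:") -> str:
    """Where the same file would sit on the live volume. The history text does not
    say which drive the snapshot was taken from, so the drive letter is an assumption."""
    return drive + det.relative_path


def triage(det: Detection) -> str:
    """Explain why a 'could not find' error on a quarantined item can be expected."""
    if det.shadow_copy_id is not None:
        return (f"{det.category}: item is inside VSS snapshot #{det.shadow_copy_id}. "
                f"Snapshots are read-only, so a scanner can flag the file there but "
                f"cannot delete it; check the live copy at {live_volume_equivalent(det)}.")
    return f"{det.category}: item is on a live volume ({det.path}); quarantine applies directly."


def triage_all(entries: List[str]) -> List[str]:
    return [triage(parse_entry(e)) for e in entries]


if __name__ == "__main__":
    for line in triage_all(HISTORY_ENTRIES):
        print(line)
```

The useful output is the live-volume path: if nothing is there any more, the only remaining copy is the one inside the snapshot, which is why the history keeps showing a quarantined item that still "needs" removal.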
  4. Windows Defender - Trojan Dropper Malware

    torre : Posting this to illustrate the importance of supplementing WD with another AV

    Not another AV, but I understand.

    You should only run ONE real time Virus protection product on your system. More than one often causes conflict when they fight each other for control. Each one might treat the other as a virus and the fight for control escalates... well you get the idea.

    Running one or more on-demand scanners IS a good idea when warranted, i.e. your machine is exhibiting signs of infection (erratic mouse, strange homepage, excessive pop-up ads, etc - there are plenty of sites that describe what you might experience).

    I run Malwarebytes FREE about once a month - maybe every two months, just to get that warm and fuzzy feeling.

    The paid Malwarebytes runs well with almost every real-time AV product.

    Just to clarify, there are Anti-Virus products and there are Anti-Malware products. They are tuned to process different threats.

    I just looked at your post again and see that the file Mbam found is: rundlll.32exe
    There's an extra l in .dlll and the extension .32exe is not an executable extension

    It's possible that WD cleaned up the threat and that file is a remnant - it's a good rename that will never get executed anyway

    If you have that file in Mbam quarantine, you might consider sending it to MS for analysis. It could help everyone *Wink
     
    Slartybart, Aug 15, 2016
    #4
  5. torre Win User
    Typo on my part. Only one l, rundll32.exe. Is rundll.32exe an executable extension?

    I removed it from quarantine. Does Malwarebytes automatically collect it, or does the user have to send it? I saw no option.
     
    torre, Aug 15, 2016
    #5
  6. Hi:

    In addition to @Slartybart's excellent advice.

    MBAM does conduct anonymous telemetry about detected threats, but I am not sure how that works "under the hood".
    I do not think there is currently an in-app file submission process from the GUI (I think it has been a requested feature).

    If you think that the detection might be a False Positive detection by MBAM, then I suggest having a look at this forum sticky and then submitting to their F/P forum AT LEAST the MBAM scan log that shows the detection. This KB article explains how to locate and export the log files.
    The Research/QA teams will evaluate the data and advise you accordingly.

    Also, as @Slartybart pointed out, MBAM Free is only a manual, on-demand scanner. For layered real-time protection targeting zero-hour and zero-day, mostly non-viral malware threats, you need the paid, Premium version alongside your AV.

    Cheers,
    MM
     
    MoxieMomma, Aug 15, 2016
    #6
  7. No sweat - typos and mischaracterizations happen to me a LOT *Wink

    No, .32exe is not a known executable filetype

    Moxie answered your other question about Mbam collecting samples.

    Defender can automatically submit samples if that is on in Defender settings. The sample is sent to MS labs and that is usually shared with the other malware vendors.

    I saw one tool that had a submit to VirusTotal button - can't recall or find which one it was now. Darn, I thought it was a great thing to have at your fingertips.

    I've used this in the past to make sample submission to VirusTotal a little easier
    VirusTotal Windows Uploader - VirusTotal
     
    Slartybart, Aug 15, 2016
    #7
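Posts #4 through #7 turn on one detail: "rundll.32exe" is not the name of a Windows executable, only a near-miss of rundll32.exe, and .32exe is not a registered executable file type. That check is something a triage script can do across a whole directory listing. The following is an added example, not code from the thread or from any of the tools mentioned in it: it compares each file name against a short constructed list of well-known system binary names, flags close look-alikes, and separates look-alikes that carry an executable extension (worth inspecting) from those that do not (the renamed-remnant or typo case discussed above). The extension list, the binary list and the sample listing are all constructed, and the 0.8 similarity cutoff is a chosen value, not a published threshold.

```python
import difflib
import os
from typing import Dict, List, Optional

# Extensions Windows treats as program or script files (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".sys", ".cpl", ".msi",
                         ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse", ".wsf"}

# Well-known Windows system binaries whose names attract look-alike naming (constructed list).
SYSTEM_BINARIES = ["rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "winlogon.exe", "services.exe", "conhost.exe",
                   "dllhost.exe", "taskhostw.exe"]

# Constructed directory listing: the name from the thread plus a few made-up ones.
SAMPLE_LISTING = ["rundll.32exe", "rundlll32.exe", "svch0st.exe", "rundll32.exe",
                  "notepad.exe", "shipping_5121432.doc"]


def has_executable_extension(name: str) -> bool:
    return os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS


def closest_system_binary(name: str, cutoff: float = 0.8) -> Optional[str]:
    """Nearest system binary name by difflib similarity ratio, or None if nothing is close."""
    matches = difflib.get_close_matches(name.lower(), SYSTEM_BINARIES, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def triage_name(name: str) -> Dict[str, object]:
    """Classify one file name; the verdict is a short code for downstream filtering."""
    lower = name.lower()
    executable = has_executable_extension(name)
    if lower in SYSTEM_BINARIES:
        lookalike = None
        verdict = "known_system_name"          # right name; still verify path and signature
    else:
        lookalike = closest_system_binary(name)
        if lookalike and executable:
            verdict = "lookalike_executable"    # masquerading candidate, inspect
        elif lookalike:
            verdict = "lookalike_non_executable"  # e.g. rundll.32exe: renamed remnant or typo
        else:
            verdict = "unremarkable"
    return {"name": name, "executable_extension": executable,
            "lookalike_of": lookalike, "verdict": verdict}


def flag_listing(names: List[str]) -> List[Dict[str, object]]:
    """Return only the entries that deserve a second look."""
    return [r for r in map(triage_name, names) if str(r["verdict"]).startswith("lookalike")]


if __name__ == "__main__":
    for record in flag_listing(SAMPLE_LISTING):
        print(record)
```

A name match alone proves nothing either way: a file really called rundll32.exe still has to live in the expected system directory and carry a valid signature, which is why the exact-match verdict says to verify path and signature rather than clearing the file.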
  8. torre Win User

    Windows Defender - Trojan Dropper Malware

    Thanks for the reply. I am familiar with Malwarebytes and use the free, on-demand scanner as a supplement to WD.

    From my research, the rundll.32exe Trojan Dropper seems to be a common threat. While there is always a possibility of a false positive, I chose to err on the side of caution and remove the reported virus.

    My post was not intended to degrade WD, but to illustrate the importance of a secondary scan by another AV as is also stated on the numerous forum posts on "what is the best av."
     
    torre, Aug 15, 2016
    #8
  9. You did the right thing by removing a detected threat.

    Can you point me to what you found? That will help me help other folks - thanks
    I know Droppers are a common threat and I thought I saw that VirusTotal determined that rundll.32exe was a threat until I noticed my search results were for rundll32.exe.

    Same thing for other searches I performed - it looked as though there were .32exe files flagged as threats, but when I looked at the actual remediation the files were xyz32.exe.

    I didn't think your statement was derogatory towards WD - on the contrary, your thread shows the value of 2nd opinion malware software.

    My focus is on the threat Mbam found and if there is anything else that should be run.

    Here are two good tools, please run them when you get the chance.

    • Download Temp File Cleaner (TFC) by Oldtimer
      • Save your work and close all open windows.

      • Restart your machine in case there are any system operations pending

      • Navigate to your Downloads folder
        Right click on TFC
        Select Run as administrator

      • Press the start button in the TFC window
        TFC begins cleaning up temporary files and folders.

        !!!!! Do not work on other things while TFC is running - most applications use some sort of temporary files. !!!

      • Restart your machine immediately after TFC completes

    • Download AdwCleaner by Xplode
      • Save your work and close all open windows.

      • Navigate to your Downloads folder
        Right click AdwCleaner
        Pick Run as administrator

      • Click on the Scan button.
        • AdwCleaner begins scanning your system. It might take some time to complete.

        • Review the detected objects grouped under each of the tabs.
          --> If there is something you KNOW should NOT be cleaned, clear the checkbox next to the object. If you're not sure about an object, paste the scan logfile (AdwCleaner[S#].txt) in a new post for a member to review and advise you.

          Otherwise, go to the next step.

      • After the scan has finished and you have reviewed the objects to be cleaned, click on the Clean button.
        • Answer OK to the close all programs prompt, then follow the onscreen prompts.
        • Answer OK to the restart the computer prompt to complete the removal process.
          The AdwCleaner log file is opened in your default Text editor when the machine has restarted.
          Each time AdwCleaner runs, the log file number [#] is incremented, the highest number is the most recent. There are two log files, one for the scan (AdwCleaner[S#].txt) and one for the clean (AdwCleaner[C#].txt).

        Paste the entire clean logfile (AdwCleaner[C#].txt) in your next post.
        --> AdwCleaner logs are located in the C:\AdwCleaner folder if you need to reference them again
     
    Slartybart, Aug 16, 2016
    #9
  10. Hi;

    Thanks for the clarification.

    If you had been running MBAM Premium in real-time alongside your AV, it's possible that MBAM might have prevented the infection in the first place.
    In my book, at least, it seems preferable to try to PREVENT infection, rather than to try to CLEAN-UP after it.
    With certain types of malware these days (e.g. ransomware), after-the-fact cleanup can be too late.

    Cheers,*Smile
    MM
     
    MoxieMomma, Aug 16, 2016
    #10
  11. torre Win User
    The below is an example from a Google search:

    Trojan.Dropper or Application.E.Surveiller.D Removal Report

    ...
     
    torre, Aug 16, 2016
    #11
  12. Thanks for the info - you'll get lots of hits for a generic malware type.

    When I'm researching a file, I get tons of hits from malware logs - it doesn't mean the file is malware, it only means that a common file was reported in a log. Drives me bonkers - so I have to sort those things out.

    I think you're in the clear and the file was the result of the remediation of a threat. Regardless, Malwarebytes cleaned it up and you deleted it from quarantine.

    Still, you should run the other tools above.
     
    Slartybart, Aug 16, 2016
    #12
  13. torre Win User

    Windows Defender - Trojan Dropper Malware

    I prefer Malwarebytes Junk Removal Tool (JRT) over AdwCleaner. If I recall correctly, about 1-2 years ago there was a malicious/fake site set up to emulate AdwCleaner. Looked the same, but contained malware. Not the sole reason, but just prefer JRT. I only download freeware from the host, not a secondary download site (softpedia, cnet, etc).

    What is the advantage of TFC ? I realize it cleans temporary folders, but I am leery of some cleaning utilities. I do use CCleaner.
     
    torre, Aug 16, 2016
    #13
    All on-demand malware scanners focus on different things. That's why they find things that another tool did not find.

    Both JRT and AdwCleaner are very useful tools, it isn't a matter of preference really - it's a matter of what the tools' focus and strengths are.

    Run both if you like.

    TFC is a small single purpose tool that is portable (not installed). That's the major advantage, it cleans known temp locations - CCleaner has a different selection criteria.

    Again, you can run both - I do, but for malware remediation, I use TFC.
     
    Slartybart, Aug 16, 2016
    #14
  15. simrick Win User
    I have to say, AdwCleaner is a superb program, and you shouldn't discount it. It is high up on my list of tools, and I clean a lot of garbage/malware/viruses off machines on a pretty regular basis. I'll bet if you run it right now on your system, it will find stuff you should get rid of.
    The Developer has it hosted on ToolsLib.net:
    ToolsLib - Downloads - AdwCleaner

    You can also download it from Bleeping Computer's site, if that makes you feel more comfortable, but the ToolsLib site will always have the most recent version (which is, of course, what you want).
    AdwCleaner Download

    Slartybart wouldn't steer you wrong. I would run the scans he suggests. *Wink
     
    simrick, Aug 16, 2016
    #15