I've got the latest McAfee Security Center, all up to date. It detects Generic Dropper once or twice a week, but doesn't quarantine it in time to prevent System Shutdown. The shutdown is just a reboot, so relatively benign, but interrupts my work. This really shouldn't happen -- I bought the product to prevent interruptions.
I've sent the last 6 quarantined files to McAfee, just in case it's a variation they haven't yet created protection for.
I wasted 30 mins on a chat with support (and am 2 hours into a "free scan" of my PC which I can't believe is any better than the product, but which is apparently the only solution that the chat supporters know).
I've now turned off "System Restore" for XP (even tho' I do not have a c:\_restore directory [and yes, "system files" is turned on in Explorer, so I should be able to see it if it's there]).
Anything else I can do? This really shouldn't happen, IMO. RT Scan ought to find it when it downloads, or at the very least detect it when it loads, before it executes (seems to attach to a running process). But it doesn't seem to find it until after it loads and initiates shutdown.
Please fix this.
Got hit again this morning, right after boot-up. After restart, I checked the McAfee log, and it showed RT detection of Dropper at 1:14 yesterday. It was attached to the mcagent.exe process. PC worked fine for several more hours yesterday, then got shutdown right after boot this morning. I've sent this file (from 1:14 detection) to McAfee, also.
I'm paying you guys to prevent problems like this. Please fix it.
k3 - thanks, might try that if McAfee can't take care of it.
PC came out of hibernation this morning and immediately found Generic PWS.y!ckx in file c:\windows\msacm32.drv
Searching the McAfee site turns up 2 interesting facts: 1) this PWS variant was just discovered/added within the last week. 2) the .drv file is known as one that can be put there by a variant of Dropper. So there's a chance that we're getting some kind of convergence on a solution.
I sent the file to McAfee. I scanned the Temp dirs where Dropper has appeared. It's not there or in any processes at the moment.
Nice to see 68 views of this thread - at least somebody is looking at it.
Thanks Vinod, but now I'm more frustrated than ever.
I ran the Safe Scan (McAfee product only, took 2.5 hrs). Nothing was found.
As soon as I rebooted after the Safe Scan, RT detection found Dropper in one of the usual places (c:\Docs\Pete\LocalSettings\temp\hex#s.exe) running in the ctfmon.exe process (also a common process it attaches to). When in safe mode, RT scan was off. I did not switch it on because I figured this was how it runs in Safe Mode, since it came up that way by default.
So, there doesn't seem to be any point in running it in Safe Mode, since McAfee found no problems, but Dropper showed up immediately afterward. And now I'm wondering when my PC will shut down, since detecting/quarantining Dropper doesn't seem to stop it from working.
Shouldn't McAfee find Dropper when it is downloaded onto my PC, rather than waiting for it to attach to a process and run? And why doesn't McAfee find whatever is downloading it? Clearly, I did no browsing during the SafeScan or on reboot, yet something put Dropper on my PC during that time - it wasn't there during the SafeScan.
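The pattern described in this thread (a hex-digit-named .exe dropped into Local Settings\temp that is only caught once it runs) can be checked for directly. The following is an added Python example, not McAfee code or anything posted in the thread: it lists such files with their SHA-256 and modification time so they can be submitted to the vendor. The directory, file names and file contents are constructed placeholders, and the name pattern is an assumption drawn from the poster's "hex#s.exe" description.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime

# Assumed naming pattern from the thread: an executable whose base name is
# nothing but hex digits, sitting in the user's Local Settings\temp directory.
HEX_NAMED_EXE = re.compile(r"^[0-9a-fA-F]{4,}\.exe$")


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files do not need to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_suspect_droppers(temp_dir):
    """Return [(name, sha256_hex, mtime_iso)] for hex-named .exe files in temp_dir."""
    hits = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if os.path.isfile(path) and HEX_NAMED_EXE.match(name):
            mtime = datetime.fromtimestamp(os.path.getmtime(path)).isoformat()
            hits.append((name, sha256_of(path), mtime))
    return hits


def build_sample_temp_dir():
    """Constructed sample directory: one hex-named exe, one ordinary temp file,
    and one exe with a normal name. The bytes are placeholders, not real code."""
    d = tempfile.mkdtemp()
    for name, data in (("3f9a1c7e.exe", b"MZ placeholder"),
                       ("~DF1234.tmp", b"scratch"),
                       ("installer.exe", b"MZ placeholder")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, digest, when in find_suspect_droppers(build_sample_temp_dir()):
        print(f"{when}  {name}  sha256={digest}")
```

Point the function at the real Local Settings\temp path instead of the sample directory to check a live machine; the hash is what a vendor's sample-submission form typically asks for.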
There are many reasons a file is only detected, but not deleted, by the virus scan engine. Mostly it could mean that the real file is hosted elsewhere, amongst a possibly active system-related file.
Now can you please try these steps:
Boot in safe mode.
Do a full scan in McAfee (it does not matter if it says disabled; the full scan must run).
Once this scan is done, reboot the machine into safe mode again and perform a quick scan. After completing these exercises I would need to see the On Access and On Demand detection logs. (I will let you know how to collect those once you have done the above steps.)
If time permits, please do run the Stinger.exe file in safe mode; any logs available would be handy.
Thanks for helping me work this.
I booted this morning and was instantly shutdown. I was watching, and briefly saw a DOS window pop up. I looked in Control Panel\AdminTools\EventViewer\System and found an entry from USER32: "The process Winlogin.exe has initiated a restart." No reason given, but the first byte is 0xFF.
Will do the procedure you've outlined.
Did all that. Only issues found were some tracking cookies. Immediately on first normal boot, McAfee finds GenericDropper in my LocalSetting\temp directory, launched in process c:\windows\system32\ctfmon.exe, a directory that was just scanned at least twice in Safe Mode.
(On top of that, your latest update ran just before all this and I seem to have the inferior AVPlus UI instead of the apparently more powerful MSC interface. Bad timing, since I'm already unhappy with McAfee.)
1) Ran Stinger 843 (April 14th) and it showed 231,709 clean files. Period
2) Ran Full Scan and found 128 tracking cookies out of 3226 cookies. I've scanned cookies numerous times recently and these weren't considered a problem. Some of the cookies I recognize, so I'm thinking this is probably a "false positive" in which the Full Scan found something that isn't really important.
3) Rebooted into Safe Mode and ran Quick Scan. No issues in 2865 files and 11 processes.
I feel like I just wasted the entire day messing with this, but if you want to get some log files from me, I'll be happy to send them.
Time to load AVG.
Computer ran fine yesterday, but shutdown spontaneously this morning.
Wish you guys would fix this, but I need to get my computer working, so will try the competition.