10 Replies Latest reply on Apr 27, 2010 11:02 AM by PeteM

Generic Dropper detected, but shuts me down.

I've got the latest McAfee Security Center, all up to date. It detects Generic Dropper once or twice a week, but doesn't quarantine it in time to prevent System Shutdown. The shutdown is just a reboot, so relatively benign, but it interrupts my work. This really shouldn't happen -- I bought the product to prevent interruptions.

I've sent the last 6 quarantined files to McAfee, just in case it's a variation they haven't yet created protection for.

I wasted 30 mins on a chat with support (and am 2 hours into a "free scan" of my PC which I can't believe is any better than the product, but which is apparently the only solution that the chat supporters know).

I've now turned off "System Restore" for XP (even tho' I do not have a c:\_restore directory [and yes, "system files" is turned on in Explorer, so I should be able to see it if it's there]).

Anything else I can do? This really shouldn't happen, IMO. RT Scan ought to find it when it downloads, or at the very least detect it when it loads, before it executes (it seems to attach to a running process). But it doesn't seem to find it till after it loads and initiates shutdown.

Very annoying!

Please fix this.

Pete

• 1. Re: Generic Dropper detected, but shuts me down.
k3tg

Try running Malwarebytes www.malwarebytes.org and SuperAntispyware www.superantispyware.com. Both of these programs are free and catch a lot of stuff other programs miss.

• 2. Re: Generic Dropper detected, but shuts me down.

Got hit again this morning, right after boot-up. After restart, I checked the McAfee log, and it showed RT detection of Dropper at 1:14 yesterday. It was attached to the mcagent.exe process. PC worked fine for several more hours yesterday, then got shut down right after boot this morning. I've sent this file (from the 1:14 detection) to McAfee, also.

I'm paying you guys to prevent problems like this. Please fix it.

k3 - thanks, might try that if McAfee can't take care of it.

Pete

• 3. Re: Generic Dropper detected, but shuts me down.

PC came out of hibernation this morning and immediately found

Generic PWS.y!ckx in file c:\windows\msacm32.drv

Searching the McAfee site turns up 2 interesting facts: 1) this PWS variant was just discovered/added within the last week. 2) the .drv file is known as one that can be put there by a variant of Dropper. So there's a chance that we're getting some kind of convergence on a solution.

I sent the file to McAfee. I scanned the Temp dirs where Dropper has appeared. It's not there or in any processes at the moment.

Nice to see 68 views of this thread - at least somebody is looking at it.

Pete

• 4. Re: Generic Dropper detected, but shuts me down.
Vinod R

Why don't you reboot the machine in safe mode and attempt to do a scan with McAfee and then with the free software?

• 5. Re: Generic Dropper detected, but shuts me down.

Thanks Vinod, but now I'm more frustrated than ever.

I ran the Safe Scan (McAfee product only, took 2.5 hrs). Nothing was found.

As soon as I rebooted after the Safe Scan, RT detection found Dropper in one of the usual places (c:\Docs\Pete\LocalSettings\temp\hex#s.exe) running in the ctfmon.exe process (also a common process it attaches to). When in safe mode, RT scan was off. I did not switch it on because I figured this was how it runs in Safe Mode, since it came up that way by default.

So, there doesn't seem to be any point in running it in Safe Mode, since McAfee found no problems, but Dropper showed up immediately afterward. And now I'm wondering when my PC will shut down, since detecting/quarantining Dropper doesn't seem to stop it from working.

Shouldn't McAfee find Dropper when it is downloaded onto my PC, rather than waiting for it to attach to a process and run? And why doesn't McAfee find whatever is downloading it? Clearly, I did no browsing during the SafeScan or on reboot, yet something put Dropper on my PC during that time - it wasn't there during the SafeScan.

Pete

• 6. Re: Generic Dropper detected, but shuts me down.
Vinod R

There are many reasons a file is not deleted but only detected by the virus scan engine. Mostly it could mean that the real file is hosted elsewhere amongst a possibly active system-related file.

Now can you please try these steps.

Boot in safe mode.

Do a full scan on the McAfee (does not matter if it says disabled, full scan must run).

Once this scan is done, reboot the machine into safe mode again and perform a quick scan. After completing these exercises I would need to see the On Access and On Demand detection logs. (I will let you know how to collect those once you have done the above steps.)

Note:

If time permits please do run the Stinger.exe file in safe mode; any logs available would be handy.

• 7. Re: Generic Dropper detected, but shuts me down.

Vinod,

Thanks for helping me work this.

I booted this morning and was instantly shut down. I was watching, and briefly saw a DOS window pop up. I looked in Control Panel\AdminTools\EventViewer\System and found an entry from USER32: "The process Winlogin.exe has initiated a restart." No reason given, but the first byte is 0xFF.

Will do the procedure you've outlined.

Pete
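One way to pull the USER32 restart entries Pete describes out of the System log and see which process initiated each one, as an added example that is not part of this thread. It assumes the entry is Event ID 1074 from source User32 and that its message starts "The process <name> has initiated the <restart|shutdown|power off> of computer ..."; the timestamps it lists are what a defender would line up against the on-access scanner's detection log.

```powershell
# Added example (not from the thread): list restarts recorded in the System log
# and the process that initiated each one.
# Assumption: the entry is Event ID 1074 from source User32, whose message reads
# "The process <name> has initiated the <restart|shutdown|power off> of computer ...".
param(
    [int]$Days = 7   # how far back to look
)

$since = (Get-Date).AddDays(-$Days)

# Get-EventLog works on XP/2003 and later; Get-WinEvent is the modern equivalent.
$events = Get-EventLog -LogName System -Source 'User32' -After $since |
    Where-Object { $_.EventID -eq 1074 }

# Regex for the assumed message format; adjust if the wording differs on your build.
$pattern = 'The process (?<proc>\S+) has initiated the (?<kind>restart|shutdown|power off)'

$results = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time    = $e.TimeGenerated
            Process = $Matches['proc']
            Kind    = $Matches['kind']
            User    = $e.UserName
        }
    }
}

# Most recent first: these timestamps are what to correlate with the
# scanner's on-access detection log to see what was detected just before.
$results | Sort-Object Time -Descending | Format-Table -AutoSize

# Count initiators, so a repeated, unexpected one stands out.
$results | Group-Object Process | Select-Object Name, Count |
    Sort-Object Count -Descending
```

A restart requested by something other than winlogon.exe on an interactive shutdown, or one that repeats right after boot with no user action, is the entry to chase back through the detection log.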

• 8. Re: Generic Dropper detected, but shuts me down.

Vinod -

Did all that. Only issues found were some tracking cookies. Immediately on first normal boot, McAfee finds GenericDropper in my LocalSetting\temp directory, launched in process c:\windows\system32\ctfmon.exe, a directory that was just scanned at least twice in Safe Mode.

(On top of that, your latest update ran just before all this and I seem to have the inferior AVPlus UI instead of the apparently more powerful MSC interface. Bad timing, since I'm already unhappy with McAfee.)

Details:

1) Ran Stinger 843 (April 14th) and it showed 231,709 clean files. Period.

2) Ran Full Scan and found 128 tracking cookies out of 3226 cookies. I've scanned cookies numerous times recently and these weren't considered a problem. Some of the cookies I recognize, so I'm thinking this is probably a "false positive" in which the Full Scan found something that isn't really important.

3) Rebooted into Safe Mode and ran Quick Scan. No issues in 2865 files and 11 processes.

I feel like I just wasted the entire day messing with this, but if you want to get some log files from me, I'll be happy to send them.

• 9. Re: Generic Dropper detected, but shuts me down.

Time to load AVG.

Computer ran fine yesterday, but shut down spontaneously this morning.

Wish you guys would fix this, but I need to get my computer working, so will try the competition.