
After running a full scan overnight I have a notification that I have TrojanDropper Win32/Dunik!rts on my laptop.


It won't quarantine because it says "the file exceeds the limit allowed and cannot be saved."


I am using Microsoft Security Essentials (on advice last time I had major laptop problems several years ago, partly caused by the virus checker I was using) but in any case having googled, apparently it isn't picked up by other virus software anyway.


I am quite concerned as it looks serious.


I have googled and found advice on how to remove it, but to do it properly appears to involve going into the registry, and no way am I going to start messing with that, AAAARRRGH :(


Also, I don't know whether all the sites I have consulted are themselves OK, and I am concerned I could make matters a lot worse.


Microsoft itself isn't a lot of help - it just says "no further information is currently available on this threat" and "alert notifications from installed antivirus software may be the only symptom(s)".


My ancient laptop had been running very slow, but I moved a load of music files to an external hard drive yesterday and that speeded it up considerably, so I am quite p-ed off that now I've got this :(


I went into task manager to stop it running in the background at least, but it's not showing up there, so now I'm totally confused.


If anybody can help I'd be very grateful.


ETA: Bizarrely, my status is now showing as "protected", and the history is showing no detected items at all. Is this some kind of total false alarm? I have a screenshot showing the trojan was detected, advising quarantine and saying it's dangerous and installs other programs, and also that it cannot be saved into quarantine.

Hi Sue..


Looks like a simple Registry Edit...


5. Once the Registry Editor is open, search for the registry key "HKEY_LOCAL_MACHINE\Software\Trojan.Dropper:Win32/Dunik!rt".

Right-click this registry key and select "Delete."


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe

HKEY_LOCAL_MACHINE\Software\Trojan.Dropper:Win32/Dunik!rt

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating


2 min. job.. Just be careful not to delete anything else..


I'm often poking around in my registry, seeing whats going on..


Foxy..


PS.


Certainly.. some sites offering advice are risky.. I have Webroot Secure Anywhere as an extra to my ESET NOD32 a/v.


Webroot flags up Safe, Potentially at risk & dangerous sites and will also remove most trojans..

A/V will not always find Malware.. Trojans. and also will not always be able to remove them...

Woah - it might not be that simple and you might be hiding it. Most trojans aren't that easy.


Sue. Did MSE (Microsoft Security Essentials) identify which file it thought was infected?


Also, if you bring up MSE (that set of icons in the bottom right hand side of your screen, it looks like a tent), is there anything in history->quarantined?


Which version of Windows are you running?

A bit more info...


TrojanDropper:Win32/Dunik!rts is a name used for trojan detections that have been added to our signatures after advanced automated analysis.


A form of trojan that installs other malicious files to the infected computer either by downloading them from a remote computer or by dropping them directly from a copy contained in its own code.


The reason it is only partially removed is because it is packaged (usually a .zip file) with other files that may or may not be malicious in nature, and it may be a valid file that displays characteristics of a Trojan Dropper, so to err on the side of caution only that specific file has been removed. Sometimes an error may also be displayed stating the file is too large to remove.


In other words, it may (or may not) have done anything yet. And it also sounds like this is what they call heuristic detection, in that it looks like it could be a Trojan, but they haven't actually identified it as such. (i.e. it has some code it deems suspicious).


Anyway, until it is sorted, the normal warnings apply - don't do any banking, emailing, ebaying, paypalling etc where the password getting out could do serious damage.


I'm guessing you have a dirty great big ZIP or EXE file it doesn't like the look of.

Deeper investigation does indeed require further Registry edits/deletes... At least 2 more...


Also 3 files need to be deleted from the TrojanDropper directory on your hard disk.. if you can find where this

directory is hidden..


This is a very nasty piece of Malware.. As Loz has pointed out, be very careful with emails, banking, etc.

Take your PC to Netquest


And get Proper Anti virus software and Anti malware software.. when all is sorted..

Otherwise you won't even know what infections your PC has.. let alone remove them..


You could run MRT The Windows Malicious Software Removal Tool.

MRT is a Microsoft tool that removes malware from PC's that are already affected..


Foxy

Blah Blah Wrote:

-------------------------------------------------------

> What is the point of AV, firewalls, malware defenders etc if they don't stop these things?
>
> I had something get through that turned windows updater into a massive CPU leak and ended up having to completely reinstall my laptop.


It's a compromise between security and usability. Unfortunately, people do like visiting dodgy websites, downloading iffy files and installing programs of questionable origin. Your security could stop you doing those things, but people tend to complain when they do.


It's a bit like having a burglar alarm, but not locking your doors and windows. At that point, the best it can do is tell you when people have got in.

Blah Blah Wrote:

-------------------------------------------------------

> What is the point of AV, firewalls, malware defenders etc if they don't stop these things?
>
> I had something get through that turned windows updater into a massive CPU leak and ended up having to completely reinstall my laptop.


The point is that Antivirus and Malware defenders are constantly updating their Virus/Malware database lists...


New Threats happen daily so some will get through if your protection is not up to date.. up to the min..


Some will give you a warning and a recommendation not to proceed. Some will block the site that poses a threat.

You need to set up any software to check incoming email, especially if they have pictures or other files attached.


DulwichFox

Sue, The fact that you are getting a protected status is due to MSE having already removed the virus,


TrojanDropper Win32/Dunik!rts is M/S's name for a known threat.


Have a look at this link for more clarification



http://answers.microsoft.com/en-us/windows/forum/windows_xp-security/trojandropperwin32dunikrts-files-affected-not/5abe0302-504a-4317-b556-eb438bc386e9?auth=1

Sorry for the delay in replying, I have been out.


Thanks everybody for your help.


I attach a screenshot of the situation previously which gives an error code and says that the file cannot be saved.


However the trojan is now showing up in my MSE history in "all detected items" and saying that the action taken is "quarantined".


It seems to have quarantined it four times!!! On 21 March (twice) then 22 and 23 March.


I really don't understand what is going on.


If I go to "quarantined items", there is nothing there.


And if it has actually been quarantined, why was I being told yesterday that I had it and it needed to be quarantined?


Does it keep coming back? Sorry to be dim.


I've attached another screenshot of what is now showing in "all detected items."

DulwichFox Wrote:

-------------------------------------------------------

> And get Proper Anti virus software and Anti malware software.. when all is sorted..
> Otherwise you won't even know what infections your PC has.. let alone remove them..




Fox, MSE is "proper anti virus software and anti malware software."


I am using it as recommended by a computer specialist who had to reinstall Windows on my laptop a few years back due to issues caused by the anti virus software I was using before.

ianr Wrote:

-------------------------------------------------------

> Sue, is this your first run of MSE? The offender is allegedly a file in your Dell recovery partition, and could well be a false alarm. That would tally with some similar reports I've just read in old web discussions about MSE.



No, it's supposed to be running a scan daily, but I occasionally run one anyway.


I ran a full scan overnight because I was getting a notification that the PC status was unprotected, and then tried to quarantine the Trojan this morning. I think. I'm losing track of time!


I was reading some stuff about false alarms last night, but couldn't work out how to tell if it was a false alarm or not :))

Sue Wrote:

-------------------------------------------------------

> DulwichFox Wrote:
> -------------------------------------------------------
> > And get Proper Anti virus software and Anti malware software.. when all is sorted..
> > Otherwise you won't even know what infections your PC has.. let alone remove them..
>
> Fox, MSE is "proper anti virus software and anti malware software."
>
> I am using it as recommended by a computer specialist who had to reinstall Windows on my laptop a few years back due to issues caused by the anti virus software I was using before.


Well it's not doing a very good job... Is it ?


Foxy..

When an A/V detects an infected file it will TRY to quarantine it... The file can no longer be used...


... if this has no impact on any of your programs, it can later be deleted.


If the Quarantine action fails... The file will still be on your system and will not be in your 'quarantined items'


When you rescan .. your A/V will detect it again and will TRY and quarantine it again..


It will fail again...


Foxy
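The detect / quarantine / fail cycle described in the post above can be read straight out of the event log rather than inferred from the History tab. The script below is an added example, not something posted in this thread and not a Microsoft tool. It assumes Microsoft Security Essentials writes to the Application log with source "Microsoft Antimalware" using event 1116 (detected), 1117 (action taken) and 1118 (action failed), and that the event message carries "Name:", "Path:", "Action:" and "Error Code:" fields; Windows Defender, MSE's successor, uses the same IDs in its own "Microsoft-Windows-Windows Defender/Operational" log, which is also queried. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): summarise what MSE / Defender recorded for each
# detection, so "detected", "quarantined" and "quarantine failed" can be told apart.
# Assumptions: source "Microsoft Antimalware" in the Application log; 1116 = detected,
# 1117 = action taken, 1118 = action failed; message text has "Label: value" lines for
# Name, Path, Action and Error Code. Run from an elevated prompt.

param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

$filters = @(
    @{ LogName = 'Application'; ProviderName = 'Microsoft Antimalware'; Id = 1116, 1117, 1118; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117, 1118; StartTime = $since }
)
$events = foreach ($f in $filters) { Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue }

function Get-Field([string]$Message, [string]$Label) {
    # Fields appear as "Label: value" on their own line inside the event message (assumed layout).
    $m = [regex]::Match($Message, ('(?m)^\s*{0}\s*:\s*(.+?)\s*$' -f [regex]::Escape($Label)))
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

$rows = foreach ($e in $events) {
    $kind = switch ($e.Id) { 1116 { 'detected' } 1117 { 'action taken' } 1118 { 'action FAILED' } }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Event  = $kind
        Threat = Get-Field $e.Message 'Name'
        Path   = Get-Field $e.Message 'Path'
        Action = Get-Field $e.Message 'Action'
        Error  = Get-Field $e.Message 'Error Code'
    }
}

$rows | Sort-Object Time | Format-Table Time, Event, Threat, Action, Error, Path -AutoSize -Wrap

# Per path: repeated detections with failed (or no) actions mean the file is still there and
# every scan will flag it again; a detection followed by a successful action is a closed item.
$rows | Group-Object Path | ForEach-Object {
    $det    = @($_.Group | Where-Object { $_.Event -eq 'detected' }).Count
    $taken  = @($_.Group | Where-Object { $_.Event -eq 'action taken' }).Count
    $failed = @($_.Group | Where-Object { $_.Event -eq 'action FAILED' }).Count
    $state  = if ($failed -gt 0 -or $taken -eq 0) { 'STILL PRESENT (action never completed)' } else { 'handled' }
    "{0}`n  detected {1}x, action taken {2}x, failed {3}x -> {4}" -f $_.Name, $det, $taken, $failed, $state
}
```

The Path field is the thing to look at: it names the exact file (and, for archives, the member inside it) that the scanner objected to, which is what Loz asked for earlier in the thread and what the History tab only shows after several clicks.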

Well, here are people who've been down the same alarm path. http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/mse-cannot-quarantine-trojandropperwin32dunikrts/866372dc-6644-48d9-aeed-4845c036648b . Note particularly the referenced previous thread about its being a false alarm. I wouldn't get immediately alarmed about it. It's not going to run itself, even if it is malign, which I doubt. For information, searching on "infected factory.wim" may also be helpful, as might scanning the D: drive with another AV program. Unless any substantial doubts remain, I think I'd be inclined to follow those who simply advise excluding the D: drive from routine scans.

DulwichFox Wrote:

-------------------------------------------------------

> Sue Wrote:
> -------------------------------------------------------
> > DulwichFox Wrote:
> > -------------------------------------------------------
> > > And get Proper Anti virus software and Anti malware software.. when all is sorted..
> > > Otherwise you won't even know what infections your PC has.. let alone remove them..
> >
> > Fox, MSE is "proper anti virus software and anti malware software."
> >
> > I am using it as recommended by a computer specialist who had to reinstall Windows on my laptop a few years back due to issues caused by the anti virus software I was using before.
>
> Well it's not doing a very good job... Is it ?



It's doing a bloody sight better job than the one which totalled my laptop :))

DulwichFox Wrote:

-------------------------------------------------------

> When an A/V detects an infected file it will TRY to quarantine it... The file can no longer be used...
>
> ... if this has no impact on any of your programs, it can later be deleted.
>
> If the Quarantine action fails... The file will still be on your system and will not be in your 'quarantined items'
>
> When you rescan .. your A/V will detect it again and will TRY and quarantine it again..
>
> It will fail again...



You misunderstand.


It hasn't failed to quarantine it.


It has quarantined it. Please see my second screenshot above.

Sue,


The factory.wim file on the D drive is the Dell factory restore area. Rather than give you a CD/DVD with the OS on it, these days they put it onto a separate partition on your hard drive. You can do a few button presses on startup and reinstall the OS. Basically, you don't ever read that file, unless you do a complete OS restore.


Looking around, you aren't the first to report this, and no one has ever seemed to have come to a conclusion one way or another as to whether it is just a false positive.


What was the process you said you stopped in Task Manager?


PS MSE is one of the better AVs around, if not currently the best.

ianr Wrote:

-------------------------------------------------------

> Well, here are people who've been down the same alarm path. http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/mse-cannot-quarantine-trojandropperwin32dunikrts/866372dc-6644-48d9-aeed-4845c036648b . Note particularly the referenced previous thread about its being a false alarm. I wouldn't get immediately alarmed about it. It's not going to run itself, even if it is malign, which I doubt. For information, searching on "infected factory.wim" may also be helpful, as might scanning the D: drive with another AV program. Unless any substantial doubts remain, I think I'd be inclined to follow those who simply advise excluding the D: drive from routine scans.



Thanks ianr, that looks useful, I'll have a read.


ETA: Skimmed through it, will have a proper read later, but the advice given looks sensible, I'll do that. Thanks!

Loz Wrote:

-------------------------------------------------------

> Sue,
>
> The factory.wim file on the D drive is the Dell factory restore area. Rather than give you a CD/DVD with the OS on it, these days they put it onto a separate partition on your hard drive. You can do a few button presses on startup and reinstall the OS. Basically, you don't ever read that file, unless you do a complete OS restore.
>
> Looking around, you aren't the first to report this, and no one has ever seemed to have come to a conclusion one way or another as to whether it is just a false positive.
>
> What was the process you said you stopped in Task Manager?
>
> PS MSE is one of the better AVs around, if not currently the best.



Thanks for this, Loz.


I was looking on task manager for the trojan, but it wasn't there, so in the event I didn't stop anything.


I was looking there because I found a website which said to do things in this order:


1. Stop the process running in the background via task manager - presumably as a stop gap temporary measure apart from anything else.


2. Remove all files associated with the trojan.


3. Remove registry entries associated with the trojan (which I wouldn't have done myself anyway).
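Both the registry list Foxy posted earlier and the three-step website procedure Sue describes here come down to the same thing: editing the Run/RunOnce autorun keys by hand. The script below is an added example (not from this thread, and not any vendor's tool) showing the safer version of that step: enumerate what every autorun entry actually launches, check whether the binary exists and is Authenticode-signed, and export each key to a .reg backup with reg.exe before anyone deletes anything. Nothing here deletes. It assumes the standard Run/RunOnce locations under HKLM and HKCU; a key named after the malware itself, as in the guide Foxy quoted, would be unusual and would simply not appear.

```powershell
# Added example (not from the thread): audit Run/RunOnce autorun entries and back up
# each key before any manual deletion. Read-only apart from writing .reg backups.
# Assumptions: standard Run/RunOnce locations; Get-AuthenticodeSignature available
# (Windows PowerShell 2.0+). Run from an elevated prompt to read HKLM fully.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$Command) {
    # Pull the executable out of  "C:\dir\app.exe" /arg  or  C:\dir\app.exe /arg
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return $c.Substring(1, $c.IndexOf('"', 1) - 1) }
    $exe = [regex]::Match($c, '^(.+?\.exe)', 'IgnoreCase')
    if ($exe.Success) { $exe.Groups[1].Value } else { $c.Split(' ')[0] }
}

function Get-AutorunReport {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd    = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            $path   = Get-ImagePath $cmd
            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $cmd
                Exists    = $exists
                Signature = $sig
                Dir       = if ($exists) { Split-Path $path -Parent } else { '' }
            }
        }
    }
}

function Backup-RegistryKey([string]$PsPath, [string]$OutDir = "$env:USERPROFILE\Desktop") {
    # reg.exe wants HKEY_LOCAL_MACHINE\..., not the HKLM:\ drive form PowerShell uses.
    $native = $PsPath -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    $file   = Join-Path $OutDir (($native -replace '[\\:]', '_') + '.reg')
    & reg.exe export $native $file /y | Out-Null
    return $file
}

$report = Get-AutorunReport
$report | Format-Table Name, Exists, Signature, Command -AutoSize -Wrap

# Entries worth a second look: missing binaries, unsigned binaries, or binaries living
# under Temp/AppData, which is where a dropper's payload usually lands.
$report | Where-Object {
    -not $_.Exists -or $_.Signature -ne 'Valid' -or $_.Dir -match '\\(Temp|AppData)\\'
} | Format-Table Key, Name, Command -AutoSize -Wrap

# Back every key up first; the .reg files can be double-clicked to restore a mistake.
foreach ($key in ($autorunKeys | Where-Object { Test-Path $_ })) { Backup-RegistryKey $key }
```

An unsigned or missing entry is a lead, not a verdict: plenty of legitimate updaters are unsigned, and a missing file just means something was already uninstalled. The point of the backup is that a wrong guess in regedit is reversible.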

Ah, sorry - misread your OP.


The reason you can't quarantine/remove it properly is that it is one HUUUGE zip-like file (mine is 10Gb), so the AV can't get to the one little bit it doesn't like.


Can you actually see your D drive from explorer? On my Dell, I can only see the C drive and the E drive (my dvd drive). The recovery partition is not actually mounted, so it's not accessible (and therefore my AV doesn't scan it).


I think you have two options.


1) Sit on your hands a bit, and see if it stops. If it is a false positive, then MS might release an update sometime soon that stops it being picked up. Updates for AV are released every few days. In the meantime, be careful what you use your computer for.


2) Take it into an expert.


If you want to go for 1, but sleep a bit easier, I usually run the free version of Malwarebytes (www.malwarebytes.org). There is a free version and a trial version - and even though you download the free version it will keep trying to get you to take the trial. Don't take the trial - it's really not worth it. But for one-off scans, Malwarebytes is probably the best around.
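Loz's point that the scanner cannot reach the one member inside a 10 GB factory.wim, and ianr's earlier suggestion to get a second opinion on the D: drive, both have a more direct answer than excluding the partition: mount the image read-only and look at the file that was actually flagged. The script below is an added example, not code from this thread or from Microsoft or Dell. It assumes the image is at D:\factory.wim (the path given in the thread), that dism.exe is the inbox version on Windows 7 or later, and that MpCmdRun.exe sits at the MSE default location (the Defender path is shown commented out); run it from an elevated prompt.

```powershell
# Added example (not from the thread): inspect the Dell recovery image instead of guessing.
# Mounts D:\factory.wim read-only with dism.exe, runs a targeted MSE scan over the mounted
# tree so the scanner names the inner file rather than the container, hashes any file it
# flags, and always unmounts. Assumptions: paths below; elevated prompt; inbox dism.exe.

$wim      = 'D:\factory.wim'
$mount    = 'C:\WimMount'
$mpcmdrun = 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe'   # MSE default
# $mpcmdrun = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"          # Windows Defender

if (-not (Test-Path $wim))   { throw "Recovery image not found at $wim (partition may not be mounted)" }
if (-not (Test-Path $mount)) { New-Item -ItemType Directory -Path $mount | Out-Null }

# 1. What does the WIM contain? (Index numbers and image names; Dell images usually have one.)
& dism.exe /Get-WimInfo "/WimFile:$wim"

# 2. Mount image index 1 read-only. Nothing inside can be altered, so this cannot make things worse.
& dism.exe /Mount-Wim "/WimFile:$wim" /Index:1 "/MountDir:$mount" /ReadOnly
if ($LASTEXITCODE -ne 0) { throw "dism mount failed ($LASTEXITCODE)" }

try {
    # 3. Custom scan (-ScanType 3) limited to the mounted tree. If anything is flagged,
    #    the output names the inner file path, not the 10 GB container.
    $scan = & $mpcmdrun -Scan -ScanType 3 -File $mount 2>&1
    $scan

    # 4. Hash whatever the scanner named. A SHA256 is what you hand to a second engine or a
    #    lookup service for the second opinion suggested in the thread; the file itself stays put.
    $flagged = $scan | Select-String -Pattern ([regex]::Escape($mount) + '\S+') -AllMatches |
               ForEach-Object { $_.Matches } | ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($f in $flagged) {
        if (Test-Path -LiteralPath $f) {
            $sha = [BitConverter]::ToString(
                [Security.Cryptography.SHA256]::Create().ComputeHash([IO.File]::ReadAllBytes($f))
            ) -replace '-', ''
            "{0}`n  SHA256: {1}`n  Size: {2} bytes" -f $f, $sha, (Get-Item -LiteralPath $f).Length
        }
    }
}
finally {
    # 5. Always unmount; /Discard because nothing was (or could be) changed.
    & dism.exe /Unmount-Wim "/MountDir:$mount" /Discard
}
```

If the targeted scan of the mounted tree comes back clean, the detection was on the container as a whole and an exclusion for D: is a reasonable call; if it names a specific file, the hash tells you whether anyone else has seen it, which is a far better basis for a decision than "protected" versus "unprotected" in the MSE status window.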
