PeteM
Contributor
Message 1 of 11

Generic Dropper detected, but shuts me down.

I've got the latest McAfee Security Center, all up to date.  It detects Generic Dropper once or twice a week, but doesn't quarantine it in time to prevent System Shutdown.  The shutdown is just a reboot, so relatively benign, but interrupts my work.  This really shouldn't happen -- I bought the product to prevent interruptions.

I've sent the last 6 quarantined files to McAfee, just in case it's a variation they haven't yet created protection for.

I wasted 30 mins on a chat with support (and am 2 hours into a "free scan" of my PC which I can't believe is any better than the product, but which is apparently the only solution that the chat supporters know).

I've now turned off "System Restore" for XP (even tho' I do not have a c:\_restore directory [and yes, "system files" is turned on in Explorer, so I should be able to see it if it's there]).

Anything else I can do?  This really shouldn't happen, IMO.  RT Scan ought to find it when it downloads, or at the very least detect it when it loads, before it executes (it seems to attach to a running process).  But it doesn't seem to find it until after it loads and initiates shutdown.

Very annoying!

Please fix this.

Pete

10 Replies
k3tg
Reliable Contributor
Message 2 of 11

Re: Generic Dropper detected, but shuts me down.

Try running Malwarebytes (www.malwarebytes.org) and SuperAntispyware (www.superantispyware.com). Both of these programs are free and catch a lot of stuff other programs miss.

PeteM
Contributor
Message 3 of 11

Re: Generic Dropper detected, but shuts me down.

Got hit again this morning, right after boot-up.   After restart, I checked the McAfee log, and it showed RT detection of Dropper at 1:14 yesterday.  It was attached to the mcagent.exe process.   PC worked fine for several more hours yesterday, then got shut down right after boot this morning.  I've sent this file (from the 1:14 detection) to McAfee, also.

I'm paying you guys to prevent problems like this.  Please fix it.

k3 - thanks, might try that if McAfee can't take care of it.

Pete

PeteM
Contributor
Message 4 of 11

Re: Generic Dropper detected, but shuts me down.

PC came out of hibernation this morning and immediately found

Generic PWS.y!ckx   in file   c:\windows\msacm32.drv

Searching the McAfee site turns up 2 interesting facts:  1) this PWS variant was just discovered/added within the last week.   2)  the .drv file is known as one that can be put there by a variant of Dropper.  So there's a chance that we're getting some kind of convergence on a solution.

I sent the file to McAfee.  I scanned the Temp dirs where Dropper has appeared.  It's not there or in any processes at the moment.

Nice to see 68 views of this thread - at least somebody is looking at it.

Pete

vinod_r2
Reliable Contributor
Message 5 of 11

Re: Generic Dropper detected, but shuts me down.

Why don't you reboot the machine in safe mode and attempt to do a scan with McAfee and then with the free software?

PeteM
Contributor
Message 6 of 11

Re: Generic Dropper detected, but shuts me down.

Thanks Vinod, but now I'm more frustrated than ever.

I ran the Safe Scan (McAfee product only, took 2.5 hrs).  Nothing was found.

As soon as I rebooted after the Safe Scan, RT detection found Dropper in one of the usual places (c:\Docs\Pete\LocalSettings\temp\hex#s.exe) running in the ctfmon.exe process (also a common process it attaches to).   When in safe mode, RT scan was off.  I did not switch it on because I figured this was how it runs in Safe Mode, since it came up that way by default.

So, there doesn't seem to be any point in running it in Safe Mode, since McAfee found no problems, but Dropper showed up immediately afterward.  And now I'm wondering when my PC will shut down, since detecting/quarantining Dropper doesn't seem to stop it from working.

Shouldn't McAfee find Dropper when it is downloaded onto my PC, rather than waiting for it to attach to a process and run?   And why doesn't McAfee find whatever is downloading it?  Clearly, I did no browsing during the SafeScan or on reboot, yet something put Dropper on my PC during that time - it wasn't there during the SafeScan.

Pete

vinod_r2
Reliable Contributor
Message 7 of 11

Re: Generic Dropper detected, but shuts me down.

There are many reasons a file is only detected, and not deleted, by the virus scan engine. Mostly it could mean that the real file is hosted elsewhere, possibly inside an active system-related file.

Now, can you please try these steps:

Boot in safe mode.

Do a full scan with McAfee (it does not matter if it says disabled; the full scan must run).

Once this scan is done, reboot the machine into safe mode again and perform a quick scan. After completing these exercises I would need to see the On Access and On Demand detection logs. (I will let you know how to collect those once you have done the above steps.)

Note:

If time permits, please also run the Stinger.exe file in safe mode; any logs available would be handy.

PeteM
Contributor
Message 8 of 11

Re: Generic Dropper detected, but shuts me down.

Vinod,

Thanks for helping me work this.

I booted this morning and was instantly shutdown.  I was watching, and briefly saw a DOS window pop up.  I looked in

Control Panel\AdminTools\EventViewer\System  and found an entry from USER32:  "The process Winlogin.exe has initiated a restart."   No reason given, but the first byte is 0xFF.

Will do the procedure you've outlined.

Pete

PeteM
Contributor
Message 9 of 11

Re: Generic Dropper detected, but shuts me down.

Vinod -

Did all that.  Only issues found were some tracking cookies.  Immediately on first normal boot, McAfee finds GenericDropper in my LocalSetting\temp directory, launched in process c:\windows\system32\ctfmon.exe, a directory that was just scanned at least twice in Safe Mode.

(On top of that, your latest update ran just before all this and I seem to have the inferior AVPlus UI instead of the apparently more powerful MSC interface.  Bad timing, since I'm already unhappy with McAfee.)

Details:

1) Ran Stinger 843 (April 14th) and it showed 231,709 clean files.  Period

2) Ran Full Scan and found 128 tracking cookies out of 3226 cookies.  I've scanned cookies numerous times recently and these weren't considered a problem.  Some of the cookies I recognize, so I'm thinking this is probably a "false positive" in which the Full Scan found something that isn't really important.

3) Rebooted into Safe Mode and ran Quick Scan.   No issues in 2865 files and 11 processes.

I feel like I just wasted the entire day messing with this, but if you want to get some log files from me, I'll be happy to send them.
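As an added example (this is not code from the thread, from McAfee, or from any poster): a PowerShell triage script for the two observations Pete reports, the USER32 "initiated a restart" entry in the System event log from Message 8 and the hex-named .exe reappearing in the temp directory from Message 6, plus the autostart locations a practitioner checks when a file that was absent in Safe Mode is back on the first normal boot. It assumes Windows PowerShell 2.0 or later in an elevated prompt. The hex-only filename pattern, the seven-day window, and treating any Run/RunOnce value that points into a temp directory as suspicious are my own assumptions for illustration, not McAfee detection logic.

```powershell
# Added triage script (not from the thread or McAfee). Assumes Windows PowerShell 2.0+ run elevated.
# Indicators below (hex-only .exe names in temp, autoruns into temp) are assumptions drawn from the
# thread's description, not a vendor signature.

# 1. Who initiated the restarts? USER32 event 1074 names the process and carries the reason code
#    (this is the "has initiated a restart" entry seen in Event Viewer > System).
Write-Host '== USER32 1074 restart/shutdown events (newest first) =='
Get-EventLog -LogName System -Source 'USER32' -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1074 } |
    ForEach-Object {
        '{0}  {1}' -f $_.TimeGenerated, ($_.Message -replace '\s+', ' ')
    }

# 2. Executables with hex-only names in the per-user and system temp directories,
#    created within the last 7 days (assumed window), with a SHA1 for cross-referencing quarantine.
Write-Host '== Hex-named .exe files in temp directories (last 7 days) =='
$tempDirs = @($env:TEMP, $env:TMP, (Join-Path $env:SystemRoot 'Temp')) | Select-Object -Unique
foreach ($dir in $tempDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[0-9a-fA-F]+$' -and
                       $_.CreationTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object {
            $sha1 = 'unreadable (locked or quarantined)'
            try {
                $bytes = [IO.File]::ReadAllBytes($_.FullName)
                $hash  = [Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
                $sha1  = ([BitConverter]::ToString($hash)) -replace '-', ''
            } catch { }
            '{0}  {1}  {2}' -f $_.CreationTime, $sha1, $_.FullName
        }
}

# 3. Autostart entries that launch something from a temp directory. A file that is gone in
#    Safe Mode but present right after a normal boot is usually being re-dropped by an autostart
#    that Safe Mode does not process.
Write-Host '== Run/RunOnce values pointing into a temp directory =='
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own PS* metadata properties; flag values that reference a temp path.
        if ($p.Name -notlike 'PS*' -and ("$($p.Value)" -match '(?i)\\temp\\')) {
            '{0}  {1} = {2}' -f $key, $p.Name, $p.Value
        }
    }
}

# 4. Winlogon Shell/Userinit are expected to be explorer.exe and userinit.exe; anything appended
#    to them runs at every logon, which matches "shut down right after boot".
Write-Host '== Winlogon Shell / Userinit =='
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' |
    Select-Object Shell, Userinit | Format-List
```

Run it from a normal (not Safe Mode) session immediately after boot, since that is when the thread reports the file is present; the SHA1 from section 2 can be compared against the quarantined samples already sent to the vendor, and any hit in sections 3 or 4 is the piece to remove before the next scan.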

PeteM
Contributor
Message 10 of 11

Re: Generic Dropper detected, but shuts me down.

Time to load AVG.

Computer ran fine yesterday, but shut down spontaneously this morning.

Wish you guys would fix this, but I need to get my computer working, so will try the competition.
