Topic: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8


whatttup_G

Hello, please help if you can.

After having multiple signs of some infection, avast finally reported Win32:Dropper found in explorer.exe... obviously this file can't be removed or quarantined, but I tried anyways.

Having been through the wringer with a rootkit last year, I have several tools on me, but nothing has been able to do much to help... I have MBAM, SuperAntiSpyware, Process Explorer, and a host of others, but I wanted expert help if I can get it... for what it's worth, I can't see anything amiss in the HijackThis log, but my system is jacked up as explorer.exe will not start and I have no start bar, desktop, and I can't fire up things like Control Panel using the command line.

The PC is booted in normal mode like this, but I get no explorer... in safe mode, I get explorer and can work fairly normally for safe mode, so I hope this infection hasn't gotten too deep.

I have scanned over and over using all I have on me, and while I've snagged a few things and tossed stuff out, I'm at the end of my rope, can someone please help... as I said, I have many tools lying around, tell me what to post.

My avast is a home license, registered version 4.8.
The popup says Malware Was Found
File name: c:\windows\explorer.exe
Malware name: Win32:Dropper-gen [Drp]
Malware type: Dropper
VPS version: 101213-1, 12/13/2010
In the About Avast dialog, it reports:
Build Sep2009 (4.8.1368)
Xtreme Toolkit version 1.9.4.0
Using ActiveSkin version 4.2.7.3

3 days before all this went down, SuperAntiSpyware found a generic rootkit reported as Win32:Rootkit-gen [Rtk] and quarantined it, but it's been downhill since...

Thanks in advance, please let me know what to run and what logs to post, I will do so ASAP.

Thank you!!


Pondus

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #1 on: December 14, 2010, 12:57:19 AM »
Can you post the Malwarebytes scan log?

Did you update Malwarebytes before you scanned?

The latest program version is 1.50 and the database as we speak is 5309.

nsm0220

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #2 on: December 14, 2010, 06:07:37 AM »
Have you tried a boot CD like G Data, for example? If not, here is the link: https://www.gdatasoftware.co.uk/support/main-subjects/upgrade-service/download.html

SafeSurf

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #3 on: December 14, 2010, 12:02:06 PM »
You should probably back up your data, but not .EXE, .SCR or HTM(L) files.

Download the free Dr.Web CureIt! in SAFE MODE to your desktop to scan for Winlogon and Explorer infections.

Download Dr.Web CureIt! from here: http://www.freedrweb.com/?lng=en (on the top right of the page, tick the EULA and then download).

It will download as an 8-digit file; save it to your desktop.
Restart in Safe Mode and run.
Accept the enhanced version.
Then run the Quick Scan.
About halfway through you will be prompted to buy - just “X” the box closed.
Once finished, it will generate a log.  Please attach that to your next post (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

How Do I Use Dr.Web CureIt!?  http://www.freedrweb.com/cureit/how_it_works/
Download Dr.Web CureIt! and launch the utility in SAFE MODE.  A notification will inform you that the utility is running in the enhanced protection mode allowing it to operate even if malicious programs block access to the Windows interface.

In the enhanced protection mode Dr.Web CureIt! is run on a protected desktop where no other application can be launched.  In order to continue working in the enhanced protection mode choose OK or click Cancel to switch to the standard mode.
Click the “Start” button in the anti-virus window. Select “Yes” in the confirmation dialogue, and wait while Dr.Web CureIt! scans system memory and autorun objects. If you need to scan all or selected disks, choose between “Full Scan” or “Custom Scan” (if you choose “Custom Scan,” you need to select the objects you want to scan), and click on the "Start" button.

Dr.Web CureIt! will cure infected files and place incurable files in quarantine. When the scanning is finished, you can view the report and perform desired actions with quarantined files.

Once the scanning is completed, simply remove the Dr.Web CureIt! file from your computer (put it in your recycle bin). 

If you need to perform another system scan using updated definitions, you will need to download Dr.Web CureIt! again.

I still suggest running an MBAM scan for the other malware.  Download free from http://www.malwarebytes.org/ (the blue button) for an on-demand scanner.  After install, click update so you have the latest database before scanning (version 1.50 and the latest database).  Run a Full scan and click the "Remove Selected" button to quarantine anything found.  Copy & paste the entire report in your next reply.

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  Do not use this machine unless absolutely needed and disconnect from any network.

Let us know if you have any questions.



whatttupG

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #4 on: December 17, 2010, 09:34:23 AM »
First of all, thanks for all your replies... I wish I could have read them, my PC bit the dust and in the process, trying to despam my registration here, by changing my email address listed, allowed me to commit eForum suicide with my login... say, anyone want to re-up that for me, put my email back in right?? Not critical though, I have larger issues now.......

So oddly enough, ironic maybe, I ran the Dr.Web scan that night and that was the last time that drive and O/S booted... it found 7 items or so, mostly win.dat.15 or some spelling like that I think, and it found that in explorer.exe and winlogon.exe in both the system32 folder and the dllcache folder... it found it again in a few more places, and one other thing named something else, well it asked me if I wanted to 'cure' them so I clicked yes and after all was said and done, the next reboot was the end of my XP.

Today I'm up on a new HDD, and also on Win7 which is fine and dandy I guess, except my previous drive looks like it got trashed in the process, because tonight I finally hooked it up again and found... from Win7 now, the system is now reporting it as having a 10 MB partition in FAT format... ugh  :'(

For what it's worth, before it puked I had run a number of scans, MBAM, avast 4.8, HJT, snooped endlessly with Process Explorer from Sysinternals, I have a flash drive full of everything I could think of, looking via every option I could find... anything updatable was running the latest version of everything, not a single one of them caught anything except for the original message as stated in my OP, where avast reported this dropper virus in my explorer.exe... well nothing ever validated that finding and as I said, running Dr.Web cleaned my clock, although I was excited at first because it was the only thing finding problems... anyways, back to today, not only have I not gotten that drive to boot, I'm worried now that the partition got lunched somehow because it sure as heck was never in FAT format, and surely isn't a 10 meg volume either... at last breath, it was a bootable and fully partitioned NTFS volume on a 500 GB drive.

So anyone know if my issue might be with Win7 not seeing it right? Wow, I sure hope so, I'm not sure what was backed up on that drive and while I did have a 1.5 TB external doing my backups, I'd honestly like to just hook up my HDD and look at it straight up so.. anyways, if you have any ideas, I'm all ears.

Thanks all, let me know.

SafeSurf

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #5 on: December 17, 2010, 09:46:00 AM »
Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the two (2) OTL logs (save them as ANSI and not Unicode).  When the OTL scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.  Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

I already referred you to our Certified Malware expert, named Essexboy.  He will also review your logs.  Let me know if you have any additional questions.  Thank you.

essexboy

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #6 on: December 17, 2010, 09:31:53 PM »
If you wish to investigate the drive and remove data from it, then a Windows PE is a good place to start.

You will need to set the bad drive as master for the duration of the run with OTLPE.

Please print these instructions out so that you know what you are doing.

OTLPEStd.exe
MD5=107440596207871822220183734CF7C4
98,217,771 bytes / 93.6 MB

  • Download OTLPEStd.exe to your desktop
  • Download the attached scan.txt to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPEStd.exe and this will then open ImgBurn to burn the file to CD

  • Reboot your system using the boot CD you just created.
Note: If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :) 
  • Your system should now display a Reatogo desktop.
Note: as you are running from CD, it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Double click the Custom scans and fixes box
  • In the dialogue locate the scan.txt you have on the USB
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select Send To: select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can back up any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

PaCKINheAT

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #7 on: December 18, 2010, 02:23:51 AM »
I once had something like this. It was in the c:\documents and settings\*username\application data folder. I went to HijackThis, went to the Misc Tools and to the Process Manager part, and saw multiple lsass.exe's. I made sure I killed the ones that weren't there. Ran HJT and found them in there and checked them to fix. Then it deleted them and I had no more problems with that computer.

whatttup_G

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #8 on: December 21, 2010, 11:05:39 AM »
OK, did as you asked, here is what I found.

The old drive looked to have most of my data, maybe all of it, hard to tell at a glance, but the folder structure was mostly there... what was missing was the Windows folders, all of them, so I could not follow your recipe to scan them with OTL.

Good news is the download and ImgBurn worked, I made a boot CD, that came up fine and yes was sort of slow... still, that is fine, it will get me onto the volume for backing up and checking files out, maybe you have advice to repair the partition if that is jacked up (guessing here).

Bad news kind of, is I opened the undelete on the desktop, and found over 300,000 deleted files so whether or not Windows is recoverable that way, it's beyond worth so I'd say we skip this since it's more work than it's worth..

What is worth working on, and since you seem to be expert in this, is what do you think I need to do with this HDD to make it read again? Seems easy to view using the boot CD, but not in Win 7. Do I just go back and back up data then fdisk the HDD??

LMK your thoughts, and thanks for helping out, it's very much appreciated!!


SafeSurf

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #9 on: December 21, 2010, 11:40:24 AM »
Follow the instructions given to you by Essexboy in his last post.  Let us know if you have any questions.  Thank you.

whatttup_G

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #10 on: December 21, 2010, 05:43:34 PM »
Well I did, just did them too late I guess, I unplugged the wrong drive and that is why the Windows folder isn't there.. LOL@me, I have a rule about troubleshooting after midnight too, guess I should have listened to myself but I felt like pushing through since you guys had offered so much effort on my behalf.


I will try the actual HDD in question tonight, then post the logs as asked unless badness strikes... OK, sorry for any confusion.

essexboy

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #11 on: December 21, 2010, 09:15:30 PM »
Been there, done that - you are not alone  ;D

whatttup_G

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #12 on: January 11, 2011, 08:15:39 AM »
OK, sorry for the long delay and non-response.. I dislike flakes and do not want to be one, so I will just bypass the excuses and such on Christmas and such.

By the way, hope all of you had a Merry Christmas!!

Followed the instructions this time, rewired the HDD in question back in the system, and booted to X-PE using the disk I burned... and found that even though I booted to CD no problem, and could see other volumes still in the box, there is no partition to look at on the drive in question, so I couldn't run OTL on the Windows folder or anything on the drive for that matter......

Since I was up and in, but with nowhere to go, I poked around some of the other apps on the disk and.. wish I would have written it down now... I think it was disk checker maybe, that would actually look at that drive.. well it wanted to scan all the cylinders and such and seemed like it would run in a check-only way so.. what the heck I figured.. and after running through 41k-plus cylinders, what I think I saw was two things. First it told me the heads on the drive were possibly reported wrong, it said it found 240 as the reported number, but said that it was probably 255. Now the wording of this warning was not firm, so I was inclined to just scan/read, and not change, even though it offered to let me change the heads in the geometry settings and try again.. like I said, I did not change anything and really I didn't want to move on this app without consulting you guys first. Since I know there is an NTFS partition on there, or was one, I didn't want to start messing with settings before reporting back. The second thing it showed was the drive info highlighted in green or white, and a letter... well now that I'm here writing this, I'm wondering if there was a letter that appeared in the info that told me if the partition was deleted... well in hindsight I didn't note exactly what it said, just that it did ID the drive and size correctly so, I'm wondering if maybe it had a D on it meaning deleted. If needed, I can go back to this and run this again, writing things down this time.. if needed, just ask please.

Anyways, with the holidays and all birthdays now taken care of, I only have to work around work, kids, and the rest to play IT guy so.. if you would, I am still hoping to get help from you guys.. again, sorry for the delay, I don't have a ton of free time as a rule, but will try to be more responsive to your replies.

It's 11pm Pacific my time already tonight, so I'm about out of gas myself, but I will check back as soon as I can.. again, thanks for helping out so far, there seems to be some serious knowledge in here so I offer my gratitude in advance.

essexboy

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #13 on: January 11, 2011, 03:30:05 PM »
And a happy new year to you. Time in a way is irrelevant, as once I pick back up on the thread I know where I am.

Anyways - the drive in question, is it showing anything at all, i.e. files/folders?

The D may be a system restore partition on that drive - does your system have a restore partition?

Dependent on the answers to these, we will determine whether or not to allow the drive to be fixed by the disc checker.

whatttup_G

Re: Win32:Dropper-gen [Drp] in explorer.exe, can't clean with AVAST 4.8
« Reply #14 on: January 14, 2011, 01:27:42 AM »
Well I haven't taken another shot yet, but I can answer some of this... the drive/folders/whatnot, nope, if you pick the drive using most of the apps or a browser, Windows offers to format it so it can be used. My guess is the partition or boot record was hijacked or screwed up somehow, so the drive looks bare and unformatted even though it's not. I'll have to take another run at booting to X-PE to fill in the other blanks I left on this...

As far as a restore partition, that sounds like a great feature, however I'm pretty sure I don't have one on the drive, I've not really heard of this concept personally, so unless the drive automatically made it, it's a no.

Anyways, wanted to chime in, I'll come back with an update when possible.. or post a surrender notice and wave the white flag on this.. we'll see.

LMK if you have any other ideas or questions, or what you think about this partition deal...... thx!!