Author Topic: Win32:Dropper-gen (Drp)  (Read 13538 times)

Offline Interista

  • Sr. Member
  • Posts: 289
Win32:Dropper-gen (Drp)
« on: January 02, 2013, 10:12:45 AM »
Avast tells me I'm infected with Win32:Dropper-gen (Drp) when it does a run-time scan, but when I do a boot scan it tells me there is nothing there.

It also tells me the infection is in two places: 1. In Malwarebytes (which is strange in itself, except that Malwarebytes itself recently changed to a new version which is now blue instead of red - the program itself asked me to update though); 2. In a file in a folder where I have recently (i.e. yesterday) found 484 movies which I never downloaded, totaling over 320GB of data (which is impossible as my computer doesn't have that much space). The infected file is called something like mediaoverlays.dll

Also, the movies are unplayable, and in my opinion it's a lie that there is over 320GB of them because, as I said, there isn't space, but there's something strange going on.

Avast can't delete or quarantine this dropper.

The only misbehaviour of the computer lately is the internet has been dog slow. I contacted my ISP and explained all the problems, and he said get rid of any torrent client you have, like Vuze (which I have done), and you should notice an up in speed - which I have, albeit I only did it ten minutes ago, and the internet speed has been fast and then slow repeatedly for about a month, so I need to test this one further.

Any ideas what's happening?

If it's of any help, I've also gotten rid of SopCast and Torrent Stream, so I don't know if they were the culprits for slowing the internet down.

Unfortunately, the internet has slowed right down again - I'm going to play hell with my ISP but I'd like to get this issue sorted first.
« Last Edit: January 02, 2013, 10:20:40 AM by Interista »

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Win32:Dropper-gen (Drp)
« Reply #1 on: January 02, 2013, 10:26:52 AM »
What are the file names and locations of these detections ?
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #2 on: January 02, 2013, 10:44:59 AM »
It's finding the dropper in random programs (it just found it in Firefox), but it appears to be in:

C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll

And the movies are in

C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Win32:Dropper-gen (Drp)
« Reply #3 on: January 02, 2013, 11:13:51 AM »
Check the MediaIconsOverlays.dll file at VirusTotal - Multi engine on-line virus scanner and report the findings here; post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to open the chest, right click on the file and select 'Extract' to put it in a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

I think the upload limit is 25MB, so I don't know if your movies are going to be able to be checked that way, but the location doesn't suggest that they are actually movies ...\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #4 on: January 02, 2013, 11:42:17 AM »
It doesn't give me an option to extract it, and it tells me I can't move it because it's being used by another person or program.

Does this suggest I've been hacked?

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Win32:Dropper-gen (Drp)
« Reply #5 on: January 02, 2013, 11:54:01 AM »
It can't be in the chest and be in use by another program/person. Since you don't see an extract option, you aren't inside the avast chest?

As your edited first post now states, "Avast can't delete or quarantine this dropper." So it isn't in the chest but in its original location, in which case copy it to the suspect folder that you created and excluded (given in my previous post). Then you should be able to upload it to VT for scanning.

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #6 on: January 02, 2013, 11:54:35 AM »
I can't check the movies with virustotal because they are too large (though I don't believe they are that large - the computer doesn't have enough space for them all).

I checked one of the codec packs that "came" with the movies though and VirusTotal says this...

https://www.virustotal.com/file/50fd783da568930951750f547aaffcf9b73f375fdfd49e9d8190c124f81ddee8/analysis/1357131118/

Should I now delete the file from the suspect folder?

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #7 on: January 02, 2013, 11:55:55 AM »
Quote from: DavidR on January 02, 2013, 11:54:01 AM
It can't be in the chest and be in use by another program/person. Since you don't see an extract option, you aren't inside the avast chest?

As your edited first post now states, "Avast can't delete or quarantine this dropper." So it isn't in the chest but in its original location, in which case copy it to the suspect folder that you created and excluded (given in my previous post). Then you should be able to upload it to VT for scanning.

That's one of the problems. Avast doesn't put it in quarantine, and when I try to copy it, it gives me the message that another program or person is using it.

Even if I try scanning it from its original location VirusTotal won't work; it just says "computing hash" and freezes.
« Last Edit: January 02, 2013, 11:58:37 AM by Interista »

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Win32:Dropper-gen (Drp)
« Reply #8 on: January 02, 2013, 12:17:52 PM »
Quote from: Interista on January 02, 2013, 11:54:35 AM
I can't check the movies with virustotal because they are too large (though I don't believe they are that large - the computer doesn't have enough space for them all).

I checked one of the codec packs that "came" with the movies though and VirusTotal says this...

https://www.virustotal.com/file/50fd783da568930951750f547aaffcf9b73f375fdfd49e9d8190c124f81ddee8/analysis/1357131118/

Should I now delete the file from the suspect folder?

Whilst they may not be 320GB, they could easily be more than 25MB.

Strange that avast didn't show a detection on that VT scan.

I'm always wary of codecs as they are a huge target, so you should be confident of the source you are getting them from.  I usually use the K-Lite Codec Pack and its updates. Yes you can remove the 'copy' you placed in the suspect folder.

@@@@

Quote from: Interista on January 02, 2013, 11:55:55 AM
Quote from: DavidR on January 02, 2013, 11:54:01 AM
It can't be in the chest and be in use by another program/person. Since you don't see an extract option, you aren't inside the avast chest?

As your edited first post now states, "Avast can't delete or quarantine this dropper." So it isn't in the chest but in its original location, in which case copy it to the suspect folder that you created and excluded (given in my previous post). Then you should be able to upload it to VT for scanning.

That's one of the problems. Avast doesn't put it in quarantine, and when I try to copy it, it gives me the message that another program or person is using it.

Even if I try scanning it from its original location VirusTotal won't work; it just says "computing hash" and freezes.

Try opening the avast chest from the GUI: Maintenance, Virus Chest, right click in the right side of the window and select Add. From the new explorer-like window, navigate to the MediaIconsOverlays.dll, select it and click Open (it doesn't actually open it, but copies it to the avast chest).

From here you should be able to 'Extract' it to the suspect folder and upload to VT (fingers crossed).

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #9 on: January 02, 2013, 12:44:29 PM »
Getting somewhere now :)...

https://www.virustotal.com/file/8e4312aaee1dc062ef142633e400ebd7620e3cf86993e95e66b69074770055f1/analysis/1357134120/


Maybe it's just wishful thinking, but I have a feeling this could be behind the problems I've been having with hugely erratic internet speeds of late, and that we could be on the verge of the solution *fingers crossed*.

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #10 on: January 02, 2013, 12:48:58 PM »
In case it's of any interest... all the films seem to have arrived at the same time on the same day and they are all 750MB, which in my opinion is a nonsense. I have never seen a movie that was exactly **0MB, and for them all to be the same is odder still. (Albeit it does seem to be over 32MB because VirusTotal won't accept it.)
« Last Edit: January 02, 2013, 12:51:24 PM by Interista »

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #11 on: January 02, 2013, 02:09:51 PM »
Malwarebytes found this...

I'll do the other scans and see what shows up.

It doesn't seem to have resolved the virus dropper issue though as Avast still tells me it exists. Is it worth using the Malicious Software Removal Tool by Microsoft?
« Last Edit: January 02, 2013, 02:11:34 PM by Interista »

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #12 on: January 02, 2013, 02:18:50 PM »
AdwCleaner log.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Win32:Dropper-gen (Drp)
« Reply #13 on: January 02, 2013, 02:42:13 PM »
Quote from: Interista on January 02, 2013, 12:44:29 PM
Getting somewhere now :)...

https://www.virustotal.com/file/8e4312aaee1dc062ef142633e400ebd7620e3cf86993e95e66b69074770055f1/analysis/1357134120/

Maybe it's just wishful thinking, but I have a feeling this could be behind the problems I've been having with hugely erratic internet speeds of late, and that we could be on the verge of the solution *fingers crossed*.

Well there are certainly enough hits that consider it at least suspect, generic or heuristic detections. Whilst these type of detections are more prone to false positive detection, it is hard to see them all being wrong.

Quote from: Interista on January 02, 2013, 12:48:58 PM
In case it's of any interest... all the films seem to have arrived at the same time on the same day and they are all 750MB, which in my opinion is a nonsense. I have never seen a movie that was exactly **0MB, and for them all to be the same is odder still. (Albeit it does seem to be over 32MB because VirusTotal won't accept it.)

It does seem somewhat strange that the movies have all been downloaded on the same day and that you didn't intentionally download them (?). Does that also coincide with the creation date of this MediaIconsOverlays.dll file ?

The MediaIconsOverlays.dll file, if legit, is usually found in this location: 'C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll'. Do you have it in that location, and if so, does avast also detect it?
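An added example, not code from this thread or from avast, that does the checks DavidR asks for in Replies #3, #7 and #13 and the oddity Interista describes in Reply #10 offline in Python: stream a SHA-256 of each file so an oversized "movie" can be looked up on VirusTotal by hash instead of uploaded, sniff whether each file actually begins with a video container header, and flag batches of same-size, same-hash and same-hour files. The temp folder, its sample files and the magic-byte table are constructed assumptions for the demonstration; the VirusTotal permalink uses the current /gui/file/<sha256> form, not the /file/.../analysis/ form of the links posted above. Point triage_folder at the real ...\Media Tools\plugins\mediahash\downloads folder on a live box (copying the files to the excluded Suspect folder first, as described above, so the File System Shield does not interfere).

```python
"""Offline triage for a suspect drop folder (added example, not from the thread).

Hashes each file, sniffs whether a 'movie' really carries a media container,
and flags the batch-level oddities discussed above: many files of exactly the
same size or with the same hash, and many files created in the same hour.
Sample files are constructed in a temp dir; point it at the real folder
(the ...\\Media Tools\\plugins\\mediahash\\downloads path) on a live box.
"""
import hashlib
import os
import tempfile
from collections import Counter, defaultdict
from datetime import datetime

# Leading magic bytes of common video containers (assumed table). A file that
# matches none of these (e.g. zero-filled padding) is not a playable movie,
# whatever its name or extension says.
MEDIA_MAGIC = {
    b"RIFF": "avi/riff",               # AVI and other RIFF containers
    b"\x1a\x45\xdf\xa3": "mkv/webm",   # EBML header
    b"\x00\x00\x01\xba": "mpeg-ps",    # MPEG program stream pack header
    b"\x30\x26\xb2\x75": "wmv/asf",    # ASF header GUID prefix
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-GB blob does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def vt_lookup_url(sha256_hex):
    """VirusTotal permalink for a hash lookup: no upload, so the web uploader's
    size limit that blocks the 750MB files does not apply."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex


def sniff_media(path):
    """Container type from the first bytes, or None. MP4/MOV carry 'ftyp' at
    offset 4 rather than offset 0, so that slot is checked separately."""
    with open(path, "rb") as f:
        head = f.read(12)
    for magic, name in MEDIA_MAGIC.items():
        if head.startswith(magic):
            return name
    return "mp4/mov" if head[4:8] == b"ftyp" else None


def creation_time(path):
    """On Windows os.stat().st_ctime is the creation time; on POSIX it is the
    inode change time, so st_birthtime is preferred where the platform has it."""
    st = os.stat(path)
    return datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))


def triage_folder(folder):
    """Per-file rows plus the batch-level red flags from the thread."""
    rows = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            rows.append({"name": name, "size": os.path.getsize(path),
                         "media": sniff_media(path), "created": creation_time(path),
                         "sha256": sha256_file(path)})
    sizes = Counter(r["size"] for r in rows)
    hashes = Counter(r["sha256"] for r in rows)
    by_hour = defaultdict(list)
    for r in rows:
        by_hour[r["created"].replace(minute=0, second=0, microsecond=0)].append(r["name"])
    return {
        "files": rows,
        "uniform_sizes": {s: n for s, n in sizes.items() if n >= 3},   # e.g. 484 x 750MB
        "duplicate_hashes": {h: n for h, n in hashes.items() if n >= 2},
        "creation_bursts": {h: v for h, v in by_hour.items() if len(v) >= 3},
    }


def build_sample_folder():
    """Constructed stand-in for the download folder: four identical zero-filled
    'movies' (750 bytes here in place of 750MB), one file with a real AVI
    header, and a file carrying the DLL name from the thread."""
    folder = tempfile.mkdtemp(prefix="suspect_")
    for i in range(1, 5):
        with open(os.path.join(folder, f"Movie{i}.avi"), "wb") as f:
            f.write(b"\x00" * 750)
    with open(os.path.join(folder, "real_clip.avi"), "wb") as f:
        f.write(b"RIFF" + (100).to_bytes(4, "little") + b"AVI LIST" + b"\x00" * 92)
    with open(os.path.join(folder, "MediaIconsOverlays.dll"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    return folder


if __name__ == "__main__":
    report = triage_folder(build_sample_folder())
    for r in report["files"]:
        print(f'{r["name"]:24} {r["size"]:>6}  {r["media"] or "NOT MEDIA":10} {vt_lookup_url(r["sha256"])}')
    print("uniform sizes:", report["uniform_sizes"])
    print("duplicate hashes:", report["duplicate_hashes"])
```

On the sample folder the four "movies" come back as NOT MEDIA, all with one identical hash, and as a size cluster of four; only real_clip.avi is recognised as a container. A real batch of 484 files that all share a size, a hash or a creation hour, and none of which starts with a known container header, is padding or placeholder data, not video, and the hash permalink lets each one be checked on VirusTotal without fighting the upload limit.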

Offline Interista

  • Sr. Member
  • Posts: 289
Re: Win32:Dropper-gen (Drp)
« Reply #14 on: January 02, 2013, 02:48:39 PM »
No, the MediaIconsOverlays.dll was created a little more than 2 weeks previous to the movies.

I can also only find it in the offending folder, not the one you suggest.

There's definitely something up because I was actually away when those films were downloaded.

I attach the OTL log.

 
