Author Topic: WIN32:dropper-gen  (Read 3067 times)


wired59

  • Guest
WIN32:dropper-gen
« on: January 12, 2014, 02:27:07 AM »
I had/have this virus on my machine. Running Windows 7. I ran the Avast virus scan as well as the boot scan. This found the virus and moved it to the chest along with a few other viruses that I assume "dropper" downloaded. Not feeling quite confident that it was completely removed based on what I have read about this virus, I followed the instructions in "logs to assist in cleaning malware". I ran the MBAM quick scan and 4 viruses were found and removed. I then ran the full scan and 4 more were found and removed. I am attaching the logs. I also ran OTL and aswMBR. I am attaching the logs for these in another post as this one is now as big as they will allow. My machine seems to be running okay now. If anyone who knows what they are looking for in these logs sees something that may indicate that the virus was not eradicated then please let me know. If I see anything that is abnormal I will post again to describe the issues.

MBAM logs

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Wireman :: WIREMAN-PC [administrator]

Protection: Enabled

1/11/2014 5:52:53 PM
mbam-log-2014-01-11 (17-52-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 254599
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Users\Wireman\AppData\Local\Temp\CT3317209 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Users\Wireman\Downloads\Java.exe (PUP.Optional.BundleInstaller.A) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Wireman :: WIREMAN-PC [administrator]

Protection: Enabled

1/11/2014 6:06:52 PM
mbam-log-2014-01-11 (18-06-52).txt

Scan type: Full scan (C:\|D:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 419559
Time elapsed: 59 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Wireman\Documents\Local Settings\Temporary Internet Files\Content.IE5\GEKK4EQ8\1273592175[1].gif (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\Users\Wireman\Documents\Local Settings\Temporary Internet Files\Content.IE5\O73OMIZ2\8572[1].gif (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\Users\Wireman\Documents\Local Settings\Temporary Internet Files\Content.IE5\W36I8PCV\logo[1].gif (Extension.Mismatch) -> Quarantined and deleted successfully.
F:\WIREMAN-PC\Backup Set 2013-12-22 190003\Backup Files 2013-12-29 190003\Backup files 2.zip (PUP.Optional.BundleInstaller.A) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Wireman :: WIREMAN-PC [administrator]

Protection: Enabled

1/11/2014 7:13:23 PM
mbam-log-2014-01-11 (19-13-23).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 203598
Time elapsed: 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

2014/01/11 17:50:40 -0500   WIREMAN-PC   Wireman   MESSAGE   Executing scheduled update:  Daily
2014/01/11 17:50:44 -0500   WIREMAN-PC   Wireman   MESSAGE   Starting protection
2014/01/11 17:50:44 -0500   WIREMAN-PC   Wireman   MESSAGE   Protection started successfully
2014/01/11 17:50:44 -0500   WIREMAN-PC   Wireman   MESSAGE   Starting IP protection
2014/01/11 17:51:02 -0500   WIREMAN-PC   Wireman   MESSAGE   IP Protection started successfully
2014/01/11 17:52:21 -0500   WIREMAN-PC   Wireman   MESSAGE   Starting database refresh
2014/01/11 17:52:21 -0500   WIREMAN-PC   Wireman   MESSAGE   Stopping IP protection
2014/01/11 17:52:27 -0500   WIREMAN-PC   Wireman   MESSAGE   IP Protection stopped successfully
2014/01/11 17:52:27 -0500   WIREMAN-PC   Wireman   MESSAGE   Scheduled update executed successfully:  database updated from version v2013.04.04.07 to version v2014.01.11.06
2014/01/11 17:52:30 -0500   WIREMAN-PC   Wireman   MESSAGE   Database refreshed successfully
2014/01/11 17:52:30 -0500   WIREMAN-PC   Wireman   MESSAGE   Starting IP protection
2014/01/11 17:52:32 -0500   WIREMAN-PC   Wireman   MESSAGE   IP Protection started successfully
2014/01/11 18:02:58 -0500   WIREMAN-PC   Wireman   MESSAGE   Starting protection
2014/01/11 18:02:58 -0500   WIREMAN-PC   Wireman   MESSAGE   Protection started successfully
2014/01/11 18:02:58 -0500   WIREMAN-PC   Wireman   MESSAGE   Starting IP protection
2014/01/11 18:03:01 -0500   WIREMAN-PC   Wireman   MESSAGE   IP Protection started successfully
2014/01/11 19:09:56 -0500   WIREMAN-PC   Wireman   MESSAGE   Starting protection
2014/01/11 19:09:56 -0500   WIREMAN-PC   Wireman   MESSAGE   Protection started successfully
2014/01/11 19:09:56 -0500   WIREMAN-PC   Wireman   MESSAGE   Starting IP protection
2014/01/11 19:09:59 -0500   WIREMAN-PC   Wireman   MESSAGE   IP Protection started successfully
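Added check, not part of the thread and not code from MBAM or OTL: a PowerShell script that re-reads the HKCR shell\open\command handlers the quick-scan log above reports as Broken.OpenCommand and compares them with the "Good:" values from that log. It goes beyond the two entries in the log by also checking exefile, comfile, batfile and cmdfile, whose expected value "%1" %* is the assumed Windows 7 default; it assumes PowerShell 3 or later.

```powershell
# Expected open-command handlers. scrfile/regfile values are the "Good:" strings from
# the MBAM log; the other four are assumed Windows 7 defaults (assumption, not from the log).
$expected = @{
    'scrfile' = '"%1" /S'
    'regfile' = 'regedit.exe "%1"'
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
}

function Get-OpenCommand([string]$progId) {
    # HKCR has no drive in a default session, so address it through the Registry provider.
    $path = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not (Test-Path $path)) { return $null }
    # The command line lives in the key's default value, exposed as the '(default)' property.
    return (Get-ItemProperty -Path $path).'(default)'
}

$results = foreach ($progId in $expected.Keys) {
    $actual = Get-OpenCommand $progId
    $status = if ($null -eq $actual) { 'MISSING' }
              elseif ($actual.Trim() -eq $expected[$progId]) { 'OK' }
              else { 'MISMATCH' }   # e.g. the "NOTEPAD.EXE %1" value MBAM repaired above
    [pscustomobject]@{
        ProgId   = $progId
        Expected = $expected[$progId]
        Actual   = $actual
        Status   = $status
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets the check be scheduled and alerted on after a cleanup.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

A MISMATCH is a reason to compare against your own baseline, not proof of infection on its own.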

wired59

  • Guest
Re: WIN32:dropper-gen
« Reply #1 on: January 12, 2014, 02:38:36 AM »
OTL and MBR logs

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: WIN32:dropper-gen
« Reply #2 on: January 12, 2014, 01:11:05 PM »
Looks good, any problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2014/01/11 11:00:25 | 001,772,056 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe -- (vToolbarUpdater17.3.0)
IE - HKU\S-1-5-21-1058443299-1802196024-2152210550-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
IE - HKU\S-1-5-21-1058443299-1802196024-2152210550-1000\..\SearchScopes\{FC93094A-2F95-4D59-BFB2-5A36BF2BC8AE}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYCA&apn_uid=C8360993-5D8A-4620-B47F-06F59FDC4AB9&apn_sauid=4DD25F61-3E35-4160-93B2-22C5FEF689EE
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1058443299-1802196024-2152210550-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [vProt] C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe ()
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab (Reg Error: Key error.)
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab (Reg Error: Key error.)
[2014/01/11 12:44:25 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG SafeGuard toolbar
[2014/01/11 11:21:08 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\AVG Secure Search
[2014/01/11 11:02:58 | 000,000,000 | ---D | C] -- C:\ProgramData\CDB
[2014/01/11 11:01:37 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\AVG SafeGuard toolbar
[2014/01/11 11:01:12 | 000,046,368 | ---- | C] (AVG Technologies) -- C:\Windows\SysNative\drivers\avgtpx64.sys
[2014/01/11 11:00:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\AVG Secure Search
[2014/01/11 11:00:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG SafeGuard toolbar
[2014/01/10 22:50:29 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{24A9B846-B91E-4395-A087-3B1280E8DBCD}
[2014/01/08 22:40:37 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{90862987-F240-4E52-8A2B-3C2FBD6BC4D8}
[2014/01/08 20:42:54 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{1494EB81-EE8E-4E08-999A-8F877F1ADF6B}
[2014/01/07 20:54:31 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{1BA4C9E3-6840-4931-A39F-08C872C76786}
[2014/01/06 19:24:38 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{64D4A2A6-4FDF-446E-8C87-B69ACEAD0013}
[2014/01/05 08:57:59 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{9545D7FB-6BD5-49E9-B57E-763F5B38DD86}
[2014/01/04 23:10:26 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{A64A43A1-BEF3-422E-921D-C206AC53D558}
[2014/01/04 21:42:59 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{74C0434D-FEA8-4B69-B5EB-1527EE1750E6}
[2014/01/04 10:23:07 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{6D0B4EDD-EE20-49B8-8F80-33B8B9487316}
[2014/01/03 20:57:02 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{5178D10B-F171-4E1C-9098-AA2C89684014}
[2014/01/02 20:58:01 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{3C3517CD-E10A-4063-AD4B-A4CF4B39DA4C}
[2014/01/01 08:43:27 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{1AFBE774-D922-4FA8-B939-ECD82372CD5B}
[2013/12/31 15:07:16 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{D5AE562C-3237-4889-8322-8AB0BB522C1E}
[2013/12/31 00:03:44 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{DAAFF6EC-B513-4C69-B6FC-31EBF1576838}
[2013/12/30 08:38:51 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{8CE7DE66-8536-4101-9541-2CC46C39C660}
[2013/12/29 08:57:34 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{06E4F31D-6E51-4EBF-B89B-37E143B66948}
[2013/12/28 11:12:34 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{8EED0DA9-F7BE-4DED-8041-DFFB7541C670}
[2013/12/27 18:36:29 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{B543E898-01BA-4072-9EE9-3F03741D3A28}
[2013/12/27 14:13:42 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{4581AE22-6039-4621-A45E-BE8FFE1104DB}
[2013/12/27 10:32:39 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{DC7D4F37-38EA-44CB-A26F-C46413CF67BE}
[2013/12/26 15:19:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\sweetpacks bundle uninstaller
[2013/12/26 10:36:55 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{E747CB3D-521D-41D2-B2ED-A5179DDB4915}
[2013/12/25 09:30:44 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{622EC573-6685-43A4-9619-2D4DAEA4B8B6}
[2013/12/24 18:58:59 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{D827CE2C-CB0A-492B-A407-AFB5EE237CEA}
[2013/12/24 09:56:11 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{09A2CB4C-50BE-4E07-BC8B-372252151892}
[2013/12/23 17:35:32 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{7B8BAFAC-7B37-438F-A90E-0D232497FC30}
[2013/12/22 15:36:27 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{8C19D6EE-1475-4E82-81A2-10AF4350B78A}
[2013/12/21 08:35:40 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{5107FDE1-53DF-40BF-8C47-E5FF51012052}
[2013/12/20 19:26:50 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{BF5097B5-F8CE-430E-A2C6-F141DCD48CD9}
[2013/12/19 20:11:05 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{E80E4098-0942-40C1-829B-DF6F0CFF1F43}
[2013/12/18 19:56:38 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{2E236963-F165-4939-8BB4-3BDD08316B1B}
[2013/12/17 19:32:31 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{DD311436-80FF-459E-BF98-203B946D577E}
[2013/12/16 20:12:24 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{21460C74-8F78-4180-B1AA-D496842316C5}
[2013/12/15 12:26:11 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{E6E9CDF6-8539-4BC8-90A1-FB8ACCD78F98}
[2013/12/15 00:25:31 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{CBCFBB76-DAAB-4EF6-B76B-05B782EE41F6}
[2013/12/13 18:37:49 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{AE37F8CB-737B-40BE-B0BA-D9E6283CEE0A}
[2013/12/12 19:33:25 | 000,000,000 | ---D | C] -- C:\Users\Wireman\AppData\Local\{9B2FC5D8-FEFF-47F6-BD28-1D31209B80BA}

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

wired59

  • Guest
Re: WIN32:dropper-gen
« Reply #3 on: January 12, 2014, 05:36:23 PM »
Thanks essexboy. Everything seems to be functioning as it should. If there are any changes I will post what I have observed.

Offline essexboy

Re: WIN32:dropper-gen
« Reply #4 on: January 12, 2014, 05:54:12 PM »
:)