Author Topic: Win32:Dropper-gen[Drp] -unable to move file and its new friends to virus chest  (Read 4857 times)


Tilly Smillie

  • Guest
Hi, I've tried different methods suggested on the internet for ridding myself of this infection but nothing has worked...Avast locates the infected file and the 5 new ones it's generated but I get error messages when I try to move them to the virus chest...I get either "Error: The process cannot access the file because it is being used by another programme" or, in the case of the Dropper: "Error: Virus Chest server is not running. RPC communication failed.(2147422219)". I've followed the instructions on this forum and have scanned with AdwCleaner. Log is attached. Anyone out there successfully got rid of this unwelcome visitor?

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • The logfile will also be saved in the C:\AdwCleaner folder.
Then...



Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.



Double-click to run GMER.
  • Wait for the initial scan to finish - if there is any query, click No;
  • Click the Scan button and wait until the full scan is complete;
  • Click Save ... - save the report to the Desktop (named Gmer);
> Attach the Gmer log reports here.

Then...

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

Tilly Smillie

  • Guest
Thanks for that. I managed to do the first part...scanned and cleaned with AdwCleaner and saved the S0 file, but while I've managed to download the GMER programme, the scan crashes. It does the initial scan, I hit the scan button, it scans for a while and then I get a Windows error message and it forces a close. Should I just try moving to the next step in your process? I've tried attaching a screen dump of the error message to this post but that just seems to make my connection to the forum crash!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Have you tried to run GMER from safe mode?


Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
No need for Safe Mode, proceed with FRST, we will rescan system later with another tool similar to GMER

Tilly Smillie

  • Guest
Cheers. Have run FRST, both logs attached.

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
C:\Users\Helen\AppData\Local\Temp\NOSEventMessages.dll
C:\Users\Helen\AppData\Local\Temp\Quarantine.exe
C:\Users\Helen\AppData\Local\Temp\uninst1.exe
C:\Users\Helen\AppData\Local\Temp\{66688D96-CA0A-4CCA-81BA-C021ED2D0BAD}-29.0.1547.76_29.0.1547.66_chrome_updater.exe
cmd: ipconfig /flushdns

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Then...

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
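The fixlist above is written for one specific machine, and the safe habit before pressing Fix is to read every line and know what it will touch. The script below is an added example, not code from the thread, from Farbar or from Avast: it classifies the lines of an FRST-style fixlist (registry autorun entry, file path, cmd: directive) and raises the flags an analyst wants to see before running it, such as the "[x]" marker (FRST's note that the referenced file was not found), the "<===== ATTENTION" annotation, a path under the user's Temp folder, or a path under System32 that deserves a second look. The line grammar is an assumption inferred from the lines shown in this thread, not Farbar's documented syntax; the System32 line in the sample is constructed and is not from the thread.

```python
"""Audit an FRST-style fixlist before running it (added example).

The line grammar below is an assumption inferred from the lines shown in the
forum thread, not Farbar's documented fixlist syntax.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Sample input: the kinds of line from the thread's fixlist, plus one
# constructed entry (a System32 path) that a sane fixlist should not contain.
SAMPLE_FIXLIST = [
    r"HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)",
    r"C:\Users\Helen\AppData\Local\Temp\NOSEventMessages.dll",
    r"C:\Users\Helen\AppData\Local\Temp\Quarantine.exe",
    r"cmd: ipconfig /flushdns",
    r"C:\Windows\System32\notepad.exe",  # constructed, not from the thread
]

# Assumed grammar: "<hive\...\key>: [<value name>] - <target and markers>"
REG_RE = re.compile(r"^(HK(?:CU|LM|U|CR)\\[^:]+):\s*\[(.+?)\]\s*-\s*(.*)$")
CMD_RE = re.compile(r"^cmd:\s*(.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_RE = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # "registry", "file", "cmd" or "unknown"
    target: str               # what pressing Fix would act on
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for one fixlist line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    flags = []
    # FRST markers: "[x]" = referenced file not found; "<===== ATTENTION" = annotated
    if "[x]" in line:
        flags.append("target-missing")
    if "<===== ATTENTION" in line:
        flags.append("attention")

    m = REG_RE.match(line)
    if m:
        key, value = m.group(1), m.group(2)
        if key.lower().endswith("\\run"):
            flags.append("autorun")     # persistence location
        return Entry("registry", f"{key} [{value}]", flags)

    m = CMD_RE.match(line)
    if m:
        return Entry("cmd", m.group(1), flags)

    if PATH_RE.match(line):
        if TEMP_RE.search(line):
            flags.append("temp-dir")    # typical drop location; expected in a fixlist
        if SYSTEM_RE.match(line):
            flags.append("system-dir")  # deleting here can break Windows; re-check
        return Entry("file", line, flags)

    return Entry("unknown", line, flags)


def audit(lines):
    """Parse every non-blank line of a fixlist."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def summarize(entries):
    """Counts by kind plus the targets that need a second look before Fix."""
    kinds = Counter(e.kind for e in entries)
    review = [e.target for e in entries
              if "system-dir" in e.flags or e.kind == "unknown"]
    return {"kinds": dict(kinds), "review": review}


if __name__ == "__main__":
    entries = audit(SAMPLE_FIXLIST)
    for e in entries:
        print(f"{e.kind:9} {','.join(e.flags) or '-':32} {e.target}")
    print(summarize(entries))
```

Run it on a saved fixlist.txt by reading the file into a list of lines and passing it to audit(); anything in the "review" list is worth asking the helper about before pressing Fix.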

Tilly Smillie

  • Guest
OK...have worked through your solution 1-3...and am now re-running a full system scan with Avast. The two logs are attached...no issues with how the computer is running...are we all good?

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Yes, we're done here :)

You had a ZeroAccess dropper on your system, trying to call its brothers and sisters for help, but Avast blocked it :P


Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt


> I don't need the DelFix log report.



You are running outdated versions of Java. Please uninstall all of them and download the latest version.


Stay safe :)

Tilly Smillie

  • Guest
Thanks for that. I haven't yet run through your last bit of the process but Avast just finished its full scan and I now seem to have a new visitor...am attaching a screen dump of the results after I tried moving the files to the virus chest. Any suggestions? Will this resolve once I finish the clean up?

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
About the last two entries in the Avast chest, those were from the registry backup, and this cannot harm your system. You're free to delete the erdnt folder. The first two entries are Potentially Unwanted Software, and you can delete them...