Author Topic: Win64:Dropper-Gen[Drp]  (Read 25222 times)


Rautakettu

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #15 on: March 07, 2014, 08:48:22 PM »
Also got an alert from Avast about this, ran all the suggested fixes and checked with VirusTotal.
Seems like a false positive. https://www.virustotal.com/fi/file/868efdba6e8e51bbdc99a45bbdfd2fccfa16b5e4851d86e905cf3cd0e89b602d/analysis/1394221096/

EDIT: definitions are 140307-1 (on wife's laptop 140307-0 and no virus detected)
« Last Edit: March 07, 2014, 09:00:30 PM by Rautakettu »

wowmuchdoge

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #16 on: March 07, 2014, 09:08:39 PM »
Also got an alert from Avast about this, ran all the suggested fixes and checked with VirusTotal.
Seems like a false positive. https://www.virustotal.com/fi/file/868efdba6e8e51bbdc99a45bbdfd2fccfa16b5e4851d86e905cf3cd0e89b602d/analysis/1394221096/

EDIT: definitions are 140307-1 (on wife's laptop 140307-0 and no virus detected)
Interesting to see it affect some of us and not others. I bet if you checked your wife's explorer.exe, it would be different from the one on your computer. I have whitelisted explorer.exe for myself for now.
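The comparison suggested in the reply above (the detected explorer.exe against a copy on a machine that is not flagged, or against the hash in the VirusTotal report) can be done without uploading anything. The script below is an added example, not something posted in this thread: it prints the SHA-256, version information and Authenticode signature state of a system binary so two outputs can be compared side by side. It assumes PowerShell 4 or later (for Get-FileHash); the `$ExpectedSha256` parameter is a hypothetical placeholder for a hash taken from the other machine or the VirusTotal page.

```powershell
# Added example (not from the thread): triage an AV detection on a system binary by
# recording its SHA-256, version info and Authenticode signature, so the values can be
# compared with another machine's copy or with the hash shown in a VirusTotal report.
param(
    [string]$Path = "$env:SystemRoot\explorer.exe",
    # Hypothetical placeholder: paste the SHA-256 from the other machine or the VT report.
    [string]$ExpectedSha256 = ''
)

$file = Get-Item -LiteralPath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $Path
$ver  = $file.VersionInfo

# One record per machine; diff these between the flagged and the clean system.
[pscustomobject]@{
    Path        = $file.FullName
    SizeBytes   = $file.Length
    LastWrite   = $file.LastWriteTimeUtc
    FileVersion = $ver.FileVersion
    CompanyName = $ver.CompanyName
    SHA256      = $hash
    SigStatus   = $sig.Status            # 'Valid' for an intact, Microsoft-signed binary
    Signer      = $sig.SignerCertificate.Subject
} | Format-List

# Identical hashes on both machines plus a valid Microsoft signature support the
# false-positive reading; a differing hash or a broken signature does not.
if ($ExpectedSha256 -and ($hash -ne $ExpectedSha256.ToUpperInvariant())) {
    Write-Warning "SHA-256 differs from the expected value; the two copies are not identical."
}
if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode status is '$($sig.Status)'; verify the file another way before treating the alert as a false positive."
}
```

On older Windows releases many system files carry only a catalog signature rather than an embedded one, so `Get-AuthenticodeSignature` can report `NotSigned` for a perfectly genuine file; in that case `sfc /verifyonly` or Sysinternals `sigcheck` gives the authoritative answer, and the hash comparison still stands on its own.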

phanta5

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #17 on: March 07, 2014, 09:13:54 PM »
Looking at the replies, should I system restore to before the scans I've done?

The computer I'm using atm is very old and slow, so I kinda need to get back to my usual computer.

wowmuchdoge

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #18 on: March 07, 2014, 09:20:36 PM »
Looking at the replies, should I system restore to before the scans I've done?

The computer I'm using atm is very old and slow, so I kinda need to get back to my usual computer.
Well, unfortunately for you, I think you have issues other than the false positive, so...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win64:Dropper-Gen[Drp]
« Reply #19 on: March 07, 2014, 09:31:32 PM »
Yes, system restore to the point prior to the AdwCleaner run, and we will do a manual removal instead.

Combofix should have created a restore point after it finished

phanta5

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #20 on: March 07, 2014, 10:13:06 PM »
Ok, system restore complete and internet access is back.

I've attached the ComboFix.txt

Offline essexboy

Re: Win64:Dropper-Gen[Drp]
« Reply #21 on: March 07, 2014, 10:14:44 PM »
OK, time to remove manually.

Could you now run a fresh OTL scan please; ensure that all users is selected.

There will only be one log this time

phanta5

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #22 on: March 07, 2014, 10:18:53 PM »
Sorry, do you mean another quick scan or the scan you mentioned earlier with

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

Offline essexboy

Re: Win64:Dropper-Gen[Drp]
« Reply #23 on: March 07, 2014, 10:21:44 PM »
Just a quick scan, as I have seen the data from the script; just ensure that all users is checked :)

phanta5

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #24 on: March 07, 2014, 10:34:35 PM »
Not sure if I did something wrong, I still got two logs.

Both are attached.

Morbus

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #25 on: March 07, 2014, 10:46:57 PM »
I got this same exact problem today. The computer booted fine this morning and I did not do anything noteworthy with the system. This evening it wouldn't open explorer.exe.

I reverted back to my week-old backup (full system image), it would boot fine, then as soon as it updated the virus detection database, avast wouldn't let explorer.exe open. I tried to scan my month-old backup of explorer.exe, Avast still detects Win64:dropper-gen.

I figured it's one of two things:
- I've been running the virus all this time and only now has avast! started detecting it
- it's a false positive

I used a couple of other scanners (including ComboFix), none detect a problem with explorer.exe, so I whitelisted it. Everything seems perfect.

I'm starting to think I did a bad move coming back to avast... It let me down once, many years ago, and no, fortunately, it didn't let my system get infected, but I'm not too happy about this.

Offline essexboy

Re: Win64:Dropper-Gen[Drp]
« Reply #26 on: March 07, 2014, 10:58:19 PM »
@Morbus, could you start your own thread please?


OK, I can see what AdwCleaner did now.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&q={searchTerms}&installDate=19/10/2013
IE - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&q={searchTerms}&installDate=19/10/2013
IE - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&q={searchTerms}&installDate=19/10/2013
IE - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=hp&installDate=19/10/2013
IE - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&q={searchTerms}&installDate=19/10/2013
IE - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&q={searchTerms}&installDate=19/10/2013
IE - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&q={searchTerms}&installDate=19/10/2013
IE - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3314958&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SPB1BE246B-8474-43EC-A585-B1520C31887D&q={searchTerms}
FF - prefs.js..browser.search.defaultenginename,S: S", "WebSearch"
FF - prefs.js..browser.search.defaulturl: "http://websearch.soft-quick.info/?l=1&q="
FF - prefs.js..browser.search.order.1: "WebSearch"
FF - prefs.js..browser.search.order.1,S: S", "WebSearch"
FF - prefs.js..browser.search.selectedEngine,S: S", "WebSearch"
FF - prefs.js..keyword.URL: "http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&installDate=19/10/2013&q="
[2014/01/26 00:23:02 | 000,119,670 | ---- | M] () (No name found) -- C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\z2o2e9yv.default\extensions\jid1-mqCpKcAruymyAA@jetpack.xpi
[2013/12/02 12:23:56 | 000,494,053 | ---- | M] () (No name found) -- C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\z2o2e9yv.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
[2014/02/26 14:51:01 | 000,957,290 | ---- | M] () (No name found) -- C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\z2o2e9yv.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000\..\Toolbar\WebBrowser: (no name) - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No CLSID value found.
O4 - HKU\S-1-5-21-3854713794-3905390332-3595074850-1000..\Run: [LoL Summoner Information] C:\Program Files (x86)\LSI\LoLSummonerInfo.exe File not found

:Files
C:\ProgramData\Tarma Installer
C:\Program Files (x86)\MyPC Backup
C:\Windows\SysWOW64\AI_RecycleBin
C:\Users\Jason\AppData\Local\blekkotb_031
C:\Users\Jason\AppData\LocalLow\Conduit
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\z2o2e9yv.default\searchplugins\conduit-search.xml
C:\Windows\System32\Tasks\Your File Updater
C:\Windows\System32\Tasks\YourFile Update

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
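The OTL fix above is specific to one machine, but the places it touches (IE SearchScopes and Main/Search values in both hives, Firefox `prefs.js` search keys and the profile's `searchplugins` folder, and scheduled tasks under `System32\Tasks`) are the usual spots where this kind of search hijack lives. The script below is an added, read-only audit of those locations; it is not the thread's fix and removes nothing. The allowlist of search hosts is an assumption for illustration, and reading the `Tasks` folder requires an elevated prompt.

```powershell
# Added example (not the thread's OTL script): read-only audit of the locations the
# fix above targets. Flags search URLs whose host is outside an allowlist, third-party
# Firefox search plugins, and scheduled tasks that run from user-writable paths.
# Assumption: $AllowedSearchHosts is illustrative; adjust it for your environment.
$AllowedSearchHosts = @('www.bing.com', 'www.google.com', 'search.yahoo.com')
$findings = New-Object System.Collections.Generic.List[string]

function Test-SearchUrl([string]$Url, [string]$Where) {
    if ([string]::IsNullOrWhiteSpace($Url)) { return }
    try { $hostName = ([uri]$Url).Host } catch { $hostName = '' }
    if ($hostName -and ($AllowedSearchHosts -notcontains $hostName)) {
        $findings.Add("$Where -> $Url")
    }
}

# 1. IE SearchScopes in both hives; the DefaultScope GUID is the one IE actually uses.
foreach ($root in 'HKLM:', 'HKCU:') {
    $scopes = Join-Path $root 'Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $scopes)) { continue }
    $default = (Get-ItemProperty -Path $scopes -ErrorAction SilentlyContinue).DefaultScope
    Get-ChildItem -Path $scopes | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).URL
        $tag = if ($_.PSChildName -eq $default) { 'DEFAULT' } else { 'scope' }
        Test-SearchUrl $url "$root SearchScopes $tag $($_.PSChildName)"
    }
}

# 2. IE Main and Search values that the fix rewrites (Start Page, Search Page, ...).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Search Page', 'Search Bar') {
    Test-SearchUrl (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).$name "HKCU IE Main\$name"
}
$ieSearch = 'HKCU:\Software\Microsoft\Internet Explorer\Search'
foreach ($name in 'Default_Search_URL', 'SearchAssistant') {
    Test-SearchUrl (Get-ItemProperty -Path $ieSearch -ErrorAction SilentlyContinue).$name "HKCU IE Search\$name"
}

# 3. Firefox: URL-valued search prefs in every profile, plus dropped-in search plugins.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem -Path $profiles -Directory | ForEach-Object {
        $profileDir = $_.FullName
        $prefs = Join-Path $profileDir 'prefs.js'
        if (Test-Path $prefs) {
            Select-String -Path $prefs -Pattern 'user_pref\("(browser\.search\.defaulturl|keyword\.URL)",\s*"([^"]*)"\)' |
                ForEach-Object {
                    $key = $_.Matches[0].Groups[1].Value
                    $val = $_.Matches[0].Groups[2].Value
                    Test-SearchUrl $val "prefs.js $key ($profileDir)"
                }
        }
        # Any plugin here was added to the profile; the fix above removes conduit-search.xml.
        Get-ChildItem -Path (Join-Path $profileDir 'searchplugins') -Filter *.xml -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("searchplugin: $($_.FullName)") }
    }
}

# 4. Scheduled tasks (root folder) whose action runs from a user-writable location.
Get-ChildItem -Path "$env:SystemRoot\System32\Tasks" -File -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $xml = [xml](Get-Content -LiteralPath $_.FullName -Raw)
        $cmd = ($xml.Task.Actions.Exec | ForEach-Object { "$($_.Command) $($_.Arguments)" }) -join '; '
        if ($cmd -match [regex]::Escape($env:APPDATA) -or
            $cmd -match [regex]::Escape($env:LOCALAPPDATA) -or
            $cmd -match 'ProgramData|\\Temp\\') {
            $findings.Add("task '$($_.Name)' runs from a user-writable path: $cmd")
        }
    } catch { }   # unreadable or non-XML task file: skip it
}

if ($findings.Count -eq 0) { 'No suspicious search settings, plugins or tasks found.' }
else { $findings | ForEach-Object { "FLAG: $_" } }
```

Run it before and after a fix like the one above: the first run should reproduce the entries the OTL log listed (the snapdo and conduit URLs, the conduit search plugin, the "Your File Updater" tasks), and the second should come back clean.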

phanta5

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #27 on: March 07, 2014, 11:12:56 PM »
Here's the result of the quick scan; 1 file this time.

Offline essexboy

Re: Win64:Dropper-Gen[Drp]
« Reply #28 on: March 07, 2014, 11:18:46 PM »
How is the computer behaving now?

phanta5

  • Guest
Re: Win64:Dropper-Gen[Drp]
« Reply #29 on: March 07, 2014, 11:29:29 PM »
Computer seems great, although I have put the explorer.exe in File Systems Shield exclusions.