Author Topic: Win64:Dropper-Gen[Drp] Confusion  (Read 8965 times)

0 Members and 1 Guest are viewing this topic.

Offline mashcarafore

  • Newbie
  • *
  • Posts: 6
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #15 on: March 08, 2014, 02:38:01 AM »
This might be very important. I am experiencing exaclty the same on Windows 7 Home 64. I do have a patched version of explorer, I modified it something like 1 year ago, but what it important is that after replacing it with an old backup (I luckily have Ubuntu installed) the system is back working.
I will test it and see if it comes back with the same problem then cases are two:

1. Everything goes on working as usual - meaning that it was a fp due to the patch or the patch itself did contain a virus which slmehow activated only now or I somehow deleted the virus (I deleted temp and temporary internet files from Ubuntu).

2. At next reboot I get back to the same - then it means that the infection is not a fp and it is not related with patching.

Anyway it is also worth to mention that yesterday Chrome was reporting me a dangerous download,  which actually  was not but could potentially be as it contained programs related with bioses which anyway I didn't open there since were for another laptop. But the point is that this virus has been probably downloaded by some other malware which xould have been there for a long time...

Offline wowmuchdoge

  • Newbie
  • *
  • Posts: 15
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #16 on: March 08, 2014, 06:19:24 AM »
The problem occured for me because I had a patched version of explorer.exe. See here. If you had knowingly modified explorer.exe (with a program such as W7SBC) and trust that program, then you may do as I did and whitelist explorer.exe in Avast for now.

Of course, there is still the chance that explorer.exe is malware. So do it at your own risk.

linking all the threads together:

http://forum.avast.com/index.php?topic=147308
http://forum.avast.com/index.php?topic=147328
http://forum.avast.com/index.php?topic=147333 (this thread)
http://forum.avast.com/index.php?topic=147339

I have also alerted Avast of the file (although the last time I did this they took >3 months to reply...)
« Last Edit: March 08, 2014, 09:05:27 AM by wowmuchdoge »

Offline mashcarafore

  • Newbie
  • *
  • Posts: 6
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #17 on: March 08, 2014, 11:48:47 AM »
I used exactly W7SBC and as I said backup files created by that program are safe. Then it would really be the first time that I see a malware creating safe backup copies for you...
Maybe there is a new malware which affecta only modified copies of explorer.exe maybe exploiting some bugs. So I think that the best advice is to possibly unpatch/restore explorer.exe.

Offline wowmuchdoge

  • Newbie
  • *
  • Posts: 15
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #18 on: March 08, 2014, 11:56:53 AM »
Maybe there is a new malware which affecta only modified copies of explorer.exe maybe exploiting some bugs.
Unlikely. This is easily reproducible by anyone with a 64bit W7 machine.
1. Install Avast! & lastest definitions
2. get W7SBC and a random bitmap file for that (plus gaining control over explorer.exe if needed)
3. Once the changes are applied, Avast immediately blocks explorer.exe
4. If the changes are unapplied, it is immediately unblocked and if the changes are reapplied, it is immediately blocked.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #19 on: March 08, 2014, 12:02:21 PM »
Could you all upload the patched explorers to Avast as false positives please

Offline mashcarafore

  • Newbie
  • *
  • Posts: 6
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #20 on: March 08, 2014, 12:15:28 PM »
Thank you very much wowmuchdoge I was planning to do exactly the same thing. So, finally, or we are facing a FP or W7SBC is a malware,  the latter being very unlikely in my opinion...Moreover I also confirm that Virustotal finds threats only with Avast .
Can we conclude that we have a false positive?

Offline TheAtomicGoose

  • Newbie
  • *
  • Posts: 15
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #21 on: March 08, 2014, 12:19:45 PM »
Sorry for the ignorance, but I know neither what an FP is nor what W7SBC is...Could somebody fill me in?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #22 on: March 08, 2014, 12:21:25 PM »
Windows 7 start button changer alters the appearance of the start button by modifying explorer.exe this is what Avast is picking up.  I have alerted Avast to this problem so hopefully it will be resolved shortly.  Could you all ensure you have the latest VPS version 140308-0

Offline wowmuchdoge

  • Newbie
  • *
  • Posts: 15
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #23 on: March 08, 2014, 12:22:11 PM »
Sorry for the ignorance, but I know neither what an FP is nor what W7SBC is...Could somebody fill me in?

FP: false positive
W7SBC: Windows 7 Start Button Changer

Could you all ensure you have the latest VPS version 140308-0
I sure do.

Offline TheAtomicGoose

  • Newbie
  • *
  • Posts: 15
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #24 on: March 08, 2014, 12:22:51 PM »
Ok my bad, in that case I do have a modified explorer.exe...I didn't realize changing the start button appearance modified explorer.exe. My bad.

Offline TheAtomicGoose

  • Newbie
  • *
  • Posts: 15
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #25 on: March 08, 2014, 12:23:59 PM »
If it is a false positive, could I just add explorer.exe to the exceptions in Avast and have it work? And yes I do have the lastest VPS version.
« Last Edit: March 08, 2014, 12:26:34 PM by TheAtomicGoose »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #26 on: March 08, 2014, 12:26:06 PM »
Yes add it to the exceptions until an update is released, check it every day or so until no virus is reported and then remove the exception

Offline mashcarafore

  • Newbie
  • *
  • Posts: 6
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #27 on: March 08, 2014, 12:31:24 PM »
Ok my bad, in that case I do have a modified explorer.exe...I didn't realize changing the start button appearance modified explorer.exe. My bad.

Why is it your bad? To modify something doesn't imply to push a malware in it. If you used W7SBC and downloaded it from a trusted source you are definitely safe.

Windows 7 start button changer alters the appearance of the start button by modifying explorer.exe this is what Avast is picking up.  I have alerted Avast to this problem so hopefully it will be resolved shortly.  Could you all ensure you have the latest VPS version 140308-0

I confirm that I have that version.

Offline TheAtomicGoose

  • Newbie
  • *
  • Posts: 15
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #28 on: March 08, 2014, 12:32:04 PM »
It seems as though Avast won't let me add single-file exceptions...is that true? And my bad in that earlier I said to essexboy that I hadn't modified explorer.exe.

Offline mashcarafore

  • Newbie
  • *
  • Posts: 6
Re: Win64:Dropper-Gen[Drp] Confusion
« Reply #29 on: March 08, 2014, 12:40:06 PM »
It seems as though Avast won't let me add single-file exceptions...is that true? And my bad in that earlier I said to essexboy that I hadn't modified explorer.exe.

If you have the lastest version you should find it in Settings->Antivirus->Exeptions->File Path...up to translations mistakes since I have italian language for my version...
Anyway another option could be to recover your original exploer.exe. If you used W7SBC you find it in the Windows folder named as explorer_backup_w7sbc.exe. But you should be able to recover it directly via W7SBC...

EDIT: sorry if your question was how to add a single file instead of the whole folder, then just write C:\Windows\explorer.exe
« Last Edit: March 08, 2014, 12:46:06 PM by mashcarafore »