Author Topic: Win64:Dropper-gen[drp] - verry strange  (Read 6015 times)


zilez2003

  • Guest
Win64:Dropper-gen[drp] - verry strange
« on: April 06, 2014, 09:44:49 AM »
Hi all,

This morning I started to look for the free space possibilities on my PC (Win7 Home Premium 64 bit), and found that there is huge space occupied in

C:\ProgramData\Microsoft\Crypto\RSA64\MachineKeys\data

This folder is hidden and has 60 GB of data in it.
The structure of sub folders is very strange: many folders with names like this 0897f7583dc0be15045af2cbe5be636c, and in these folders many different file names, but with the same size. For example, in the mentioned folder there are files:

Guardians of the Galaxy 2014.avi - size 838,860,000 bytes
Total Codec Pack.exe - 12.582.912 bytes

Next Folder is 09924fcc261beb58f5e95ceae8c79c01 and files inside are:

Lone Survivor 2013.avi - same size as previous avi - 838,860,800 bytes
WMP x264 Codec Pack.exe - of course, same size as file listed above - 12.582.912 bytes

etc...

I am quite sure that I never tried to download these files, so what I first did was to try to scan these exe files with Avast Free Anti-virus - no threats detected. Then I tried to start one exe file. It opened an installation screen with a Next button, but I canceled the installation. After about 30 seconds, Avast informed me that a threat was found under location c:\users\zz\Appdata\local\temp\ and that file tmpAE9.tmp was moved to the virus vault. Virus description is Win64:Dropper-gen[drp].

So, what should I do:

1) Can I delete the complete folder "C:\ProgramData\Microsoft\Crypto\RSA64\MachineKeys\data"?
2) What steps should I take in order to be sure that my PC is clean?

Looking for some replies.

Regards

Zoran
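
The layout described in the post above (folders named with 32 hex digits, holding differently named files of identical byte size) can be checked for mechanically. The following is an added example, not part of the original thread; the function names, the small stand-in file sizes and the `keys` control folder are assumptions made for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)  # folder names like 0897f758...

def find_decoy_clusters(root, min_folders=2):
    """Map (extension, size) -> paths for files inside 32-hex-digit folders
    that share an exact byte size across folders under different names."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        if not HEX32.match(os.path.basename(dirpath)):
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            groups[(os.path.splitext(name)[1].lower(), size)].append(path)
    clusters = {}
    for key, paths in groups.items():
        folders = {os.path.dirname(p) for p in paths}
        names = {os.path.basename(p).lower() for p in paths}
        if len(folders) >= min_folders and len(names) >= 2:
            clusters[key] = sorted(paths)
    return clusters

def build_sample(root):
    """Constructed sample: names from the post, small stand-in sizes."""
    layout = {
        "0897f7583dc0be15045af2cbe5be636c": {
            "Guardians of the Galaxy 2014.avi": 8000, "Total Codec Pack.exe": 1200},
        "09924fcc261beb58f5e95ceae8c79c01": {
            "Lone Survivor 2013.avi": 8000, "WMP x264 Codec Pack.exe": 1200},
        "keys": {"machine.key": 1200},  # control: not a hex-named folder
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, size in files.items():
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for (ext, size), paths in sorted(find_decoy_clusters(tmp).items()):
            print(f"{len(paths)} '{ext}' files of exactly {size} bytes:")
            print("\n".join("    " + p for p in paths))
```

On a real system, `find_decoy_clusters` would be pointed at the folder being investigated instead of the constructed sample tree.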


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #1 on: April 06, 2014, 11:30:17 AM »
Please follow the instructions and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #2 on: April 06, 2014, 12:10:04 PM »
You can upload and test suspicious files at one of these places  www.virustotal.com  /  www.metascan-online.com  /  www.jotti.org


zilez2003

  • Guest
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #3 on: April 06, 2014, 12:33:06 PM »
Ok, here are the steps I took from this morning:

1) Since the forum was down for maybe one hour (I checked it with an "is it down" web site), I deleted all the files under folder

C:\ProgramData\Microsoft\Crypto\RSA64\MachineKeys\

because all the files were 12 MB exe's or 800 MB avis.

2) I think I found the source of the problem. Because all the files were 20.02.2014 and younger, I looked at my download history, and found that on that day I downloaded via torrent the file "system surveillance Pro". I just re-downloaded it again and boom - it has the same size and icon as all these exe files which were in the many sub-folders I deleted. Strange is that when you check this (uploaded on virustotal) - no threat. Same as scanning with avast here. But, when you try to execute it, there is an error like I described in my first post.

3) Here is the log from malware Bytes Anti Malware:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6.4.2014
Scan Time: 12:23:57
Logfile: Malwarebytes Anti log.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.06.04
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Zoran Zivkovic

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 306768
Time Elapsed: 22 min, 17 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 6
PUP.Hacktool.Patcher, C:\$Recycle.Bin\S-1-5-21-1924369737-3741230650-190925272-1000\$RYTVMRN.rar, , [c953f92e512a3ef8426cbc493cc426da],
Backdooor.HydraLoader, C:\Users\Zoran Zivkovic\AppData\Local\Temp\tmpBD6F.tmp, , [011b2bfc7308ce68e6ad2b2ffc053cc4],
PUP.Wpakill, C:\Users\Zoran Zivkovic\Downloads\AntiWPA.rar, , [ff1d52d5542777bf47376db4040038c8],
PUP.Optional.LiveSoftAction.A, C:\Users\Zoran Zivkovic\Downloads\LG 32LG3000 user guide provided through pdfretriever.com.exe, , [8498e542f388fb3ba1529182b54c7090],
PUP.Optional.Softonic.A, C:\Users\Zoran Zivkovic\Downloads\SoftonicDownloader_for_borland-database-engine-bde.exe, , [39e3f235c4b7cc6a217b46d27f8222de],
PUP.BundleInstaller.DW, C:\Users\Zoran Zivkovic\Downloads\Windows_7_Loader_Activator_v2.2.exe, , [cc50a780c2b9d16580a3c53819e7728e],

Physical Sectors: 0
(No malicious items detected)


(end)

Ok, what now, should I quarantine everything ?

Regards,

Zoran

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #4 on: April 06, 2014, 12:49:57 PM »
system surveillance Pro = spyware

Do as I told you in my first post.
ATTACH the log files.

zilez2003

  • Guest
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #5 on: April 06, 2014, 01:13:48 PM »
I did OTL, but got only one file. It is in attachment.

regards,

Zoran

zilez2003

  • Guest
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #6 on: April 06, 2014, 01:19:26 PM »
I just started aswMBR, but I have to go.

will come back home tonight.

regards,

Zoran

zilez2003

  • Guest
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #7 on: April 06, 2014, 05:30:14 PM »
OK, here is the aswMBR log file.

What should I do next?

Zoran

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #8 on: April 06, 2014, 05:36:03 PM »
Is Avast alerting on a file from the rsa64 folder ?

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

zilez2003

  • Guest
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #9 on: April 06, 2014, 06:24:50 PM »
Well, everything is done, ComboFix has finished the job, computer restarted.

So, I can't tell now if there is any difference, because most of the time I didn't notice problems during my work on the PC.

What do you think, is my PC clean now? Was it badly infected or not?

Thanks a lot for your assistance, of course !!!

Regards,

Zoran

zilez2003

  • Guest
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #10 on: April 06, 2014, 06:27:26 PM »
Forgot to say - Avast didn't ever complain about the rsa64 folder, even when I manually scanned files.
Only when I tried to execute some of the exe files, which were some kind of installer executables, it would notice a virus in my temp folder.

Regards,

Zoran

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #11 on: April 06, 2014, 07:16:01 PM »
That folder is not a standard windows one and normally contains one file that Avast alerts on, but neither it nor the registry entry are present

 
Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:Files
C:\ProgramData\Microsoft\Crypto\RSA64

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

zilez2003

  • Guest
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #12 on: April 06, 2014, 09:50:49 PM »
OK, I did this.
The log file is in the attachment.

Should I do something else?

Regards,

Zoran

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #13 on: April 06, 2014, 10:27:21 PM »
Not really as the folder is now history, how is the computer behaving ?

zilez2003

  • Guest
Re: Win64:Dropper-gen[drp] - verry strange
« Reply #14 on: April 06, 2014, 10:34:23 PM »
PC is fine.
One big thank you for all efforts you made to help me make my pc clean.

Regards,

Zoran