Topic: Win32:Dropper-gen [Drp]

LilyDee

  • Guest
Win32:Dropper-gen [Drp]
« on: April 06, 2014, 03:55:19 PM »
Hello!

Every time I try to open a folder, any folder, Avast prevents it and I get a warning that it contains a virus, this one: Win32:Dropper-gen [Drp]
It's not possible to delete the infected files or place them in the virus chest or anything else.

I would really appreciate help in removing it.

Thanks in advance!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Dropper-gen [Drp]
« Reply #1 on: April 06, 2014, 04:11:11 PM »
Could you attach a screenshot of the alert, please?

Download OTL to your Desktop (secondary link)
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs

LilyDee
Re: Win32:Dropper-gen [Drp]
« Reply #2 on: April 06, 2014, 04:52:17 PM »
Thanks for replying!

Here is the screenshot of the alert and OTL, but there was no Extras.Txt.

Offline essexboy
Re: Win32:Dropper-gen [Drp]
« Reply #3 on: April 06, 2014, 04:57:49 PM »
I see you have run ComboFix; could you attach that log, please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:Commands
[CREATERESTOREPOINT]

:OTL
[2014/04/04 23:09:29 | 000,000,000 | ---D | C] -- C:\Program Files\SW-Booster
[2014/04/04 23:08:59 | 000,000,000 | ---D | C] -- C:\ProgramData\safeweb
[2014/04/04 23:08:59 | 000,000,000 | ---D | C] -- C:\Program Files\safeweb
[2014/04/04 23:08:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Torch

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents in your next reply.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Win32:Dropper-gen [Drp]
« Reply #4 on: April 06, 2014, 05:57:23 PM »
While Essex fixes your computer up, I have a few warnings for you...

I have noticed from your logs that you have uTorrent.

Quote
[2014/01/18 16:31:40 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\uTorrent

This program is/can be dangerous and can lead to re-infection.

http://www.fbi.gov/scams-safety/peertopeer
http://www.computerweekly.com/news/2240082893/Seattle-man-arrested-for-peer-to-peer-identity-theft

VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

LilyDee
Re: Win32:Dropper-gen [Drp]
« Reply #5 on: April 06, 2014, 06:38:57 PM »
Okay...

I had to run combofix again because I couldn't find the previous log.

Also, when I changed the parameters in TDSSKiller, there wasn't the "Use KSN to scan objects" option.

And I can't copy the contents of the TDSSKiller report at all.

Should I turn off Avast when running all these programs?

LilyDee
Re: Win32:Dropper-gen [Drp]
« Reply #6 on: April 06, 2014, 06:43:46 PM »
Quote
While Essex fixes your computer up, I have a few warnings for you...

I have noticed from your logs that you have uTorrent.

Quote
[2014/01/18 16:31:40 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\uTorrent

This program is/can be dangerous and can lead to re-infection.


Thanks for the tip, Michael!
So, is it enough to uninstall this program?

zilez2003

  • Guest
Re: Win32:Dropper-gen [Drp]
« Reply #7 on: April 06, 2014, 06:51:02 PM »
Michael, can you put some more light on this - how can uTorrent re-infect a PC?

I understand that it can be done if I download some dangerous files using torrent? But can it also be done through some other torrent clients? Is the problem in uTorrent or generally in using torrent client software?

Regards,

Zoran

Offline essexboy
Re: Win32:Dropper-gen [Drp]
« Reply #8 on: April 06, 2014, 07:10:26 PM »
OK, let's see if we can fix this. The main item of concern in the TDSSKiller log is the number of infections (if any) that it found.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

Quote

FCopy::
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe|c:\windows\explorer.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
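An added example, not part of the thread and not code from OTL, ComboFix or TDSSKiller: the FCopy line above overwrites c:\windows\explorer.exe with the copy held in the WinSxS component store, which only makes sense if the live shell binary was the file being flagged (an alert on opening any folder fits that). Before and after such a replacement a defender wants to know whether the live file still matches the store copy and what its Authenticode status is; the same signature check, applied to running kernel drivers, is what the "Verify Driver Digital Signature" option from Reply #3 does, re-implemented here independently. The PowerShell below assumes PowerShell 4.0 or later (for Get-FileHash), an elevated prompt, and the two paths quoted in the thread; the winsxs directory name belongs to that machine's Windows 7 SP1 build and would differ elsewhere.

```powershell
# Added example (not from the thread, OTL, ComboFix or TDSSKiller). Compares a
# system binary with its WinSxS component-store copy, reports Authenticode
# status, then applies the same signature check to running kernel drivers.
# Requires PowerShell 4.0+ (Get-FileHash); run from an elevated prompt.

# Paths as quoted in the thread; the winsxs folder name is build-specific (6.1.7601.17514).
$LiveExplorer  = 'C:\Windows\explorer.exe'
$StoreExplorer = 'C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe'

function Test-SystemBinary {
    param(
        [Parameter(Mandatory)][string]$LivePath,
        [Parameter(Mandatory)][string]$StorePath
    )
    $liveHash  = (Get-FileHash -Algorithm SHA256 -Path $LivePath).Hash
    $storeHash = (Get-FileHash -Algorithm SHA256 -Path $StorePath).Hash
    $sig       = Get-AuthenticodeSignature -FilePath $LivePath

    [pscustomobject]@{
        Path         = $LivePath
        MatchesStore = ($liveHash -eq $storeHash)   # $false: live file differs from the store copy
        SigStatus    = $sig.Status                  # 'Valid' for an intact embedded-signed binary
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        LiveSHA256   = $liveHash
        StoreSHA256  = $storeHash
    }
}

function Get-UnsignedRunningDriver {
    # Win32_SystemDriver.PathName may carry a '\??\' or '\SystemRoot' prefix; normalise it
    # before handing the path to the signature check.
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (Test-Path -LiteralPath $path) {
                $s = Get-AuthenticodeSignature -FilePath $path
                if ($s.Status -ne 'Valid') {
                    [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $s.Status }
                }
            }
        }
}

Test-SystemBinary -LivePath $LiveExplorer -StorePath $StoreExplorer | Format-List
Get-UnsignedRunningDriver | Format-Table -AutoSize
```

Two caveats when reading the output. On Windows 7 most Windows binaries, explorer.exe and the in-box drivers included, are signed through catalog files rather than an embedded signature, and Get-AuthenticodeSignature only consults catalogs from PowerShell 5.1 on Windows 10 onwards, so NotSigned on its own is not evidence of tampering on that platform and the driver list is a set of leads to compare against TDSSKiller's report, not a verdict. Conversely, MatchesStore = $false is benign if Windows Update has since serviced explorer.exe, because the store then holds a newer component directory than the one named above; compare against the newest explorer directory under winsxs in that case.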

LilyDee
Re: Win32:Dropper-gen [Drp]
« Reply #9 on: April 06, 2014, 07:50:20 PM »
Okay. Here it is.

P.S. If it means anything now, when I ran TDSSKiller before, it detected 7 suspicious threats and 0 malicious ones.
« Last Edit: April 06, 2014, 07:59:56 PM by LilyDee »

Offline Michael (alan1998)
Re: Win32:Dropper-gen [Drp]
« Reply #10 on: April 06, 2014, 08:56:05 PM »
Quote
Michael, can you put some more light on this - how can uTorrent re-infect a PC?

I understand that it can be done if I download some dangerous files using torrent? But can it also be done through some other torrent clients? Is the problem in uTorrent or generally in using torrent client software?

Regards,

Zoran

uTorrent itself is not dangerous. But when you download files, the seed can be infected. I've seen a few cases around. I'll see if I can find one or two.

Here's a case involving uTorrent. Infected seed was causing JS:Redirector-BOS [Trj]. http://forum.avast.com/index.php?topic=145700.msg1057552#msg1057552
« Last Edit: April 06, 2014, 08:59:17 PM by Michael (alan1998) »

Offline essexboy
Re: Win32:Dropper-gen [Drp]
« Reply #11 on: April 06, 2014, 10:26:00 PM »
Could you confirm that the alerts have now ceased?

LilyDee
Re: Win32:Dropper-gen [Drp]
« Reply #12 on: April 06, 2014, 11:20:40 PM »
Yes. I can open the folders without problem; I don't get alerts anymore. Thank you!
Is that it? Do I have to do anything else?

I have one concern though. I now scanned with Avast again and another Win32:Dropper-gen [Drp] remains.
Before your help, there were two of those. I'll just attach a screenshot of the scan.

I'm sorry to be a bother.

Offline essexboy
Re: Win32:Dropper-gen [Drp]
« Reply #13 on: April 06, 2014, 11:27:20 PM »
That one is in the ComboFix quarantine folder and is harmless.

In that case, methinks I will send you on your merry way :)

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

Malwarebytes: update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

LilyDee
Re: Win32:Dropper-gen [Drp]
« Reply #14 on: April 06, 2014, 11:49:28 PM »
Oh... really? Perfect! You're a life saviour!  :D
Thank you so much!  :D

*goes on her merry way*