explorer.exe infected with Win32:Dropper-gen [Drp]

Hello avast forum,I’m on windows 7 32bit. I can’t shake this dropper-gen with a simple move to chest or MBAM scan,avast scanner gives me error messages when i try something and MBAM doesn’t even detect it

Avast scan log info: “C:\Windows\explorer.exe Threat: Win32:Dropper-gen [Drp]”

explorer.exe can’t open because it’s infected so I have to do everything via task manager.

I’m stuck…

Sorry for lack of information,let me know what to post and thanks in advance for response!

attach OTL and aswMBR diagnostic logs http://forum.avast.com/index.php?topic=53253.0

Here is OTL log

Hi skeeter24,

I do need aswMBR log, but I’ll need addition scan-check OTL.

Re-run OTL.exe.
Click None button. None will change to ‘Standard’

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.


/md5start
explorer.exe
/md5stop 

[*]Then click the Run Scan button
[*]Attach here fresh created OTL logreport.

Okay,will post the logs when aswMBR is done scanning

Here is the new OTL log and aswMBR log

Hi skeeter24,

OTL has confirmed. MD5 hash for explorer isn’t legit origin. We shall deploy ComboFix immediately.

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  1. Run ComboFix. Click on I Agree!

[i][size=7pt]- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.[/size]
    -If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
    [/i]

  1. When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
    Attach log reports ( ComboFix.txt) back to topic.

Alright,here is the log for ComboFix scan. Also my desktop is back after combofix rebooted the machine.

Hi,

Before I continue with telling CF to taget the malware, I’ll again need an extra check. We shall again use OTL for that …

Re-run OTL.exe.
Click None button. None will change to ‘Standard’

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.


c:\windows\system32\mshtml.tlb /md5
c:\windows\system32\inetcpl.cpl /md5 

[*]Then click the Run Scan button
[*]Attach here fresh created OTL logreport.

Here’s OTL log

Thanks.

We shall run ComboFix one more time but this with his CFScript for running:

Open notepad and copy/paste the text present inside the code box below:

FileLook:: c:\windows\system32\wer.dll c:\users\Michale\AppData\Roaming\Microsoft\Installer\{C37A0BC1-52EE-4F97-8223-5CA9FC0357B0}\ARPPRODUCTICON.exe

KillAll::

FCopy::
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe|c:\windows\explorer.exe

File::
C:\Users\Michale\AppData\Roaming\Mozilla\Firefox\Profiles\pheavj40.default\extensions{771f3037-9885-4423-b50f-a5ede4854e26}.xpi
C:\Users\Michale\AppData\Roaming\Mozilla\Firefox\Profiles\pheavj40.default\searchplugins\aol-search.xml
C:\Users\Michale\AppData\Roaming\Mozilla\Firefox\Profiles\pheavj40.default\searchplugins\mixidj-v30-customized-web-search.xml

Driver::
ALSysIO

ClearJavaCache::

DDS::
Trusted Zone: $talisma_url$

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Alright here is the CFScript combofix log

Hi skeeter24,
Malware is now disinfected. We shall now use OTL to fix the remains.

Note: this is OTL’s fix, so press RunFix button, not RunScan button.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
IE - HKU\S-1-5-21-3786237071-1961379503-1528672897-1001\..\SearchScopes\{C5D499DD-5C6B-4389-AC2E-DB1A78EE0997}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN24770683995210289&UM=2

:Files
C:\ProgramData\*.tmp
C:\ProgramData\*.tmp
C:\Windows\*.tmp

:COMMANDS
[EMPTYTEMP]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:_OTL\MovedFiles\mmddyyyy_hhmmss.log

Alright here’s the OTL fix log

Tell me how your computer behaving now?

Any malware alerts?

Computer seems top notch everything is working like it should and no alerts/popups.

Cool.

I can go with deeper look but I think that there is no need for that. I will remove used tools. :wink:

The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

I recommend to use MCShield if you will.
You may download MCShield from the following links:

MyCity - Official download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

Alright magna86,

Thanks for your time and guidance,much appreciated.

ComboFix is uninstalled
Ran CleanUp option in OTL
Downloaded and installed MCShield

All systems are go! 8)