Win32:Dropper-gen (Drp)

Avast tells me I’m infected with Win32:Dropper-gen (Drp) when it does a run-time scan, but when I do a boot scan it tells me there is nothing there.

It also tells me the infection is in two places - 1. In Malwarebytes (which is strange in itself, except that Malwarebytes itself recently changed to a new version which is now blue instead of red - the program itself asked me to update though); 2. In a file in a folder where I have recently (i.e. yesterday) found 484 movies which I never downloaded totaling over 320GB of data (which is impossible as my computer doesn’t have that much space). The infected file is called something like mediaoverlays.dll

Also, the movies are unplayable, and in my opinion it's a lie that there is over 320GB of them because, as I said, there isn't space, but there's something strange going on.

Avast can’t delete or quarantine this dropper.

The only misbehaviour of the computer lately is the internet has been dog slow. I contacted my ISP and explained all the problems and he said get rid of any torrent client you have like vuze (which I have done) and you should notice an up in speed - which I have albeit I only did it ten minutes ago and the internet speed has been fast and then slow repeatedly for about a month so I need to test this one further.

Any ideas what’s happening?

If it's of any help, I've also gotten rid of sopcast and torrent stream, so I don't know if they were the culprits for slowing the internet down.

Unfortunately, the internet has slowed right down again - I’m going to play hell with my ISP but I’d like to get this issue sorted first.

What are the file names and locations of these detections ?

It's finding the dropper in random programs (it just found it in Firefox) but it appears to be in:

C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll

And the movies are in

C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads

Check the MediaIconsOverlays.dll file at: VirusTotal - Multi engine on-line virus scanner and report the findings here: post the URL from the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

I think the upload limit is 25MB, so I don't know if your movies are going to be able to be checked that way, but the location doesn't suggest that they are actually movies …\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads

It doesn't give me an option to extract it and it tells me I can't move it because it's being used by another person or program.

Does this suggest I’ve been hacked?

It can't be in the chest and be in use by another program/person. Since you don't see an extract option, you aren't inside the avast chest?

As your edited first post now states, “Avast can’t delete or quarantine this dropper.” So it isn’t in the chest but in its original location, in which case copy it to the suspect folder that you created and excluded (given in my previous post). Then you should be able to upload it to VT for scanning.

I can’t check the movies with virustotal because they are too large (though I don’t believe they are that large - the computer doesn’t have enough space for them all).

I checked one of the codec packs that “came” with the movies though and VirusTotal says this…

https://www.virustotal.com/file/50fd783da568930951750f547aaffcf9b73f375fdfd49e9d8190c124f81ddee8/analysis/1357131118/

Should I now delete the file from the suspect folder?

That's one of the problems. Avast doesn't put it in quarantine, and when I try to copy it, it gives me the message that another program or person is using it.

Even if I try scanning it from its original location VirusTotal won’t work, just says computing hash and freezes.

Whilst they may not be 320GB, they could easily be more than 25MB.

Strange that avast didn’t show a detection on that VT scan.

I’m always wary of codecs as they are a huge target, so you should be confident of the source you are getting them from. I usually use the K-Lite Codec Pack and its updates. Yes you can remove the ‘copy’ you placed in the suspect folder.

@@@@

Try opening the avast chest, from the GUI, Maintenance, Virus Chest, right click in the right side of the window and select Add, from the new explorer like window, navigate to the MediaIconsOverlays.dll, select it and click Open (it doesn't actually open it, but copies it to the avast chest).

From here you should be able to ‘Extract’ it to the suspect folder and upload to VT (fingers crossed).

Getting somewhere now :)…

https://www.virustotal.com/file/8e4312aaee1dc062ef142633e400ebd7620e3cf86993e95e66b69074770055f1/analysis/1357134120/

Maybe it's just wishful thinking, but I have a feeling this could be behind the problems I've been having with hugely erratic internet speeds of late, and that we could be on the verge of the solution, fingers crossed.

In case it's of any interest, all the films seem to have arrived at the same time on the same day and they are all at 750MB, which in my opinion is a nonsense. I have never seen a movie that was exactly 750MB, and for them all to be the same is odder still. (Albeit it does seem to be over 32MB because VirusTotal won't accept it.)

Malwarebytes found this…

I’ll do the other scans and see what shows up.

It doesn’t seem to have resolved the virus dropper issue though as Avast still tells me it exists. Is it worth using the Malicious Software Removal Tool by Microsoft?

AdwCleaner log.

Well, there are certainly enough hits to consider it at least suspect, generic or heuristic detections. Whilst these types of detections are more prone to false positive detection, it is hard to see them all being wrong.

It does seem somewhat strange that the movies have all been downloaded on the same day and that you didn't intentionally download them (?). Does that also coincide with the creation date of this MediaIconsOverlays.dll file?

The MediaIconsOverlays.dll file, if legit, is usually found in this location: 'C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll'. Do you have that in that location, and if so, does avast also detect it?
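The checks the helper is asking for here (does the DLL's creation date line up with the movies, and are the movies really a batch of identical-size files that all appeared on one day), plus the earlier problem of files too large to upload to VirusTotal, can be done offline. The Python 3 script below is an added example, not code from anyone in this thread or from Avast: it hashes each file in chunks (a SHA-256 can be searched on VirusTotal directly, without uploading the file, so the 25MB limit does not apply to anything VT has already seen), records size and creation time, and flags groups of files that share one byte size or one creation day. The sample folder it builds is constructed test data; on a real system you would point `inventory()` at the `...\Media Tools\plugins\mediahash\downloads` folder instead.

```python
"""Offline triage helpers for the checks discussed in the thread: fingerprint
a file without uploading it, and look for batches of files that share one
size or one creation day. Added example; not code from the thread or Avast."""
import hashlib
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """SHA-256 hex digest of a file, hashed in 1MB chunks so a large file
    never has to fit in memory. The digest can be looked up on VirusTotal
    by search instead of uploading the file itself."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(folder):
    """One record per regular file in folder: name, byte size, creation
    timestamp and SHA-256. os.stat().st_ctime is the creation time on
    Windows (on Unix it is the last metadata change instead)."""
    rows = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        rows.append({
            "name": name,
            "size": st.st_size,
            "created": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
            "sha256": sha256_file(path),
        })
    return rows


def batch_patterns(rows, min_group=3):
    """Return (sizes, days): byte sizes shared by at least min_group files and
    creation days shared by at least min_group files. Hundreds of 'movies'
    that are all exactly the same size and all appeared on one day is the
    pattern the thread describes; real media rarely looks like that, so a
    hit here is worth explaining before the files are trusted."""
    by_size = Counter(r["size"] for r in rows)
    by_day = Counter(r["created"].date() for r in rows)
    sizes = {s: n for s, n in by_size.items() if n >= min_group}
    days = {d: n for d, n in by_day.items() if n >= min_group}
    return sizes, days


def build_sample_folder():
    """Constructed test data, nothing from the thread: three same-size
    'movies' with different content, one small 'codec' file, one empty file."""
    folder = tempfile.mkdtemp(prefix="suspect_demo_")
    for i in range(3):
        with open(os.path.join(folder, f"movie{i}.avi"), "wb") as fh:
            fh.write(bytes([i]) * 1024)  # identical size, distinct bytes
    with open(os.path.join(folder, "codec.txt"), "wb") as fh:
        fh.write(b"abc")
    open(os.path.join(folder, "empty.bin"), "wb").close()
    return folder


if __name__ == "__main__":
    records = inventory(build_sample_folder())
    for r in records:
        print(f"{r['created']:%Y-%m-%d %H:%M:%S}  {r['size']:>8}  "
              f"{r['sha256']}  {r['name']}")
    sizes, days = batch_patterns(records)
    print("sizes shared by 3+ files:", sizes)
    print("creation days shared by 3+ files:", {str(d): n for d, n in days.items()})
```

The listing gives the creation timestamps to compare against the DLL's own, and the hash column is what you paste into the VirusTotal search box when the file itself is too large to upload.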

No, the mediaiconsoverlays was created a little more than 2 weeks previous to the movies.

I can also only find it in the offending folder, not the one you suggest.

There’s definitely something up because I was actually away when those films were downloaded.

I attach the OTL log.

You could try copying/restoring that file and try uploading it to virustotal, the problem being MBAM restores to the original location (I don't like that with suspect stuff). This isn't the same as the MediaIconsOverlays.dll, as system restore changes the file name but retains the file type, and this isn't a dll file.

I’m not a fan of the Malicious Software Removal Tool as I don’t think you have a great deal of control over it.

Do you actually have the Microsoft Media Tools installed?
I can't ever remember installing this on either of my systems, so I obviously don't need it. I just wonder if you did install it, have you ever used/needed it?

OK, I take it you are using the information and tools mentioned in the 'Logs to assist in cleaning malware' topic, http://forum.avast.com/index.php?topic=53253.0. If so, when you have the other logs attached I will get a malware removal specialist to take a look at them.

EDIT: A malware removal specialist has been informed of your topic.

I'm exhausting every angle because I'm worried that something is working away in secret (and that it may be slowing up my internet connection). I haven't heard of many of those films, never mind downloaded them.

I restored the file that MBAM found but now I can’t find it.

AswMbr log here.

I have never used Microsoft Tools btw.

RogueKiller logs (though I’m not sure I needed to do them).