Win32:Dropper-gen [Drp]

Hello!

Every time I try to open a folder, any folder, Avast prevents it and I get a warning that it contains a virus, this one: Win32:Dropper-gen [Drp]
It’s not possible to delete the infected files or place them in the virus chest or anything else.

I would really appreciate help in removing it.

Thanks in advance!

Could you attach a screenshot of the alert, please?

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Thanks for replying!

Here is the screenshot of the alert and OTL, but there was no Extras.Txt.

I see you have run ComboFix; could you attach that log, please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
[2014/04/04 23:09:29 | 000,000,000 | ---D | C] -- C:\Program Files\SW-Booster
[2014/04/04 23:08:59 | 000,000,000 | ---D | C] -- C:\ProgramData\safeweb
[2014/04/04 23:08:59 | 000,000,000 | ---D | C] -- C:\Program Files\safeweb
[2014/04/04 23:08:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Torch

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.
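The OTL entries quoted in the fix above (and the uTorrent entry Michael quotes later) all follow the same `[timestamp | size | attributes | C or M] -- path` layout. As an added example, not from the thread and not part of OTL's own tooling, here is a small Python parser for that layout plus a helper that groups entries created within a short window of each other, the pattern visible in the four fix targets above; the sample lines are constructed from the entries shown in this thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the OTL entry layout seen in this thread.
SAMPLE_OTL_LINES = r"""
[2014/04/04 23:09:29 | 000,000,000 | ---D | C] -- C:\Program Files\SW-Booster
[2014/04/04 23:08:59 | 000,000,000 | ---D | C] -- C:\ProgramData\safeweb
[2014/04/04 23:08:59 | 000,000,000 | ---D | C] -- C:\Program Files\safeweb
[2014/04/04 23:08:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Torch
[2014/01/18 16:31:40 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\uTorrent
"""

# One OTL entry: [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] -- path
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] -- (?P<path>.+)$"
)


def parse_otl_entries(text):
    """Parse OTL file/directory entries into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        entries.append({
            "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "is_dir": "D" in m["attrs"],
            "kind": "created" if m["kind"] == "C" else "modified",
            "path": m["path"],
        })
    return entries


def creation_bursts(entries, window=timedelta(minutes=2), min_items=3):
    """Group 'created' entries whose timestamps fall within `window` of the
    first entry in the group. Several new directories appearing within seconds
    of each other is a triage cue worth a closer look, not proof of infection."""
    created = sorted((e for e in entries if e["kind"] == "created"), key=lambda e: e["time"])
    bursts, current = [], []
    for e in created:
        if current and e["time"] - current[0]["time"] > window:
            if len(current) >= min_items:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_items:
        bursts.append(current)
    return bursts
```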

While Essex fixes your computer up, I have a few warnings for you…

I have noticed from your logs that you have uTorrent.

[2014/01/18 16:31:40 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\uTorrent

This program is/can be dangerous and can lead to re-infection.

http://www.fbi.gov/scams-safety/peertopeer
http://www.computerweekly.com/news/2240082893/Seattle-man-arrested-for-peer-to-peer-identity-theft

Okay…

I had to run combofix again because I couldn’t find the previous log.

Also, when I changed the parameters in TDSSKiller, there wasn’t the “Use KSN to scan objects” option.

And I can’t copy the contents of the TDSSKiller report at all.

Should I turn off Avast when running all these programs?

Thanks for the tip, Michael!
So, is it enough to uninstall this program?

Michael, can you shed some more light on this: how can uTorrent re-infect a PC?

I understand that it can be done if I download some dangerous files using torrents? But can it also be done through other torrent clients? Is the problem with uTorrent or generally with using torrent client software?

Regards,

Zoran

OK, let's see if we can fix this. The main item of concern in the TDSSKiller log is the number of infections (if any) that it found.

  1. Close any open browsers.

  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy:: c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe|c:\windows\explorer.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Okay. Here it is.

P.S. If it means anything now, when I ran TDSSKiller before, it detected 7 suspicious threats and 0 malicious ones.

uTorrent itself is not dangerous. But when you download files, the seed can be infected. I've seen a few cases around. I'll see if I can find one or two.

Here’s a case involving uTorrent. Infected seed was causing JS:Redirector-BOS [Trj]. http://forum.avast.com/index.php?topic=145700.msg1057552#msg1057552

Could you confirm that the alerts have now ceased?

Yes. I can open the folders without problem; I don’t get alerts anymore. Thank you!
Is that it? Do I have to do anything else?

I have one concern though. I now scanned with Avast again and another Win32:Dropper-gen [Drp] remains.
Before your help, there were two of those. I’ll just attach a screenshot of the scan.

I’m sorry to be a bother.

That one is in the ComboFix quarantine folder and is harmless.

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Oh… really? Perfect! You're a life saver! :smiley:
Thank you so much! :smiley:

goes on her merry way