Win64:Dropper-Gen[Drp] Confusion

Hi All,
I recently discovered that I had the virus in the title, and looked up what to do. I downloaded ComboFix and ran it, but I didn’t realize that I wasn’t supposed to have other programs open while it was running, and it didn’t run correctly. In the thread where it said to download ComboFix it also said not to run it again if it doesn’t work the first time, but to try to figure out another issue. However, in my case, ComboFix just didn’t run correctly, which I know by the fact that ComboFix is supposed to restart the computer when it’s done running, but it didn’t in my case. What should I do?

Thanks!

It can be dangerous to run combofix if you do not know what you are doing

What file is Avast reporting ?

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[]Select LOP and Purity
[
]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir “%systemdrive%*” /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

It is reporting C:\Windows\explorer.exe. Also, I’m slightly reluctant to run the program you suggested, because in the other thread I read you suggested that and the person’s internet stopped working. Is that a common problem with that program?

OTL does not do anything at first run…it just create a diagnostic log
The fix comes after (if needed) when essexboy have seen that log

Oh, ok. Thanks.

The other thread was where adwcleaner wrongly reset the proxy settings

What is the Avast update version that you have is it 140307-1

Yes, it is.

OK I was wondering if it was an FP but I have that VPS and no problems

Extras log: http://pastebin.com/G4s80qLy
OTL log: http://pastebin.com/PKvATHhd

Have you patched your explorer ?

Are the alerts still appearing

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..keyword.URL: "http://feed.snapdo.com/?publisher=SnapdoGOblidooYB&dpid=GOB1&co=US&userid=d0834b7d-d15e-7452-7abe-972cc2d3e3bd&searchtype=ds&installDate={installDate}&q="
O2:64bit: - BHO: (no name) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - No CLSID value found.
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-474631609-1521078636-1054246077-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I don’t know what it means to patch your explorer.exe, so I’m assuming I haven’t. And if by the alerts you mean avast! telling me that explorer.exe is malicious, yes.

Could you run combofix again please

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Ok, but real quick: I realize you said when you run OTL your desktop and icons could disappear, but mine are still gone after reboot…I had to use the task manager to get my browser running. Did you mean the reboot caused by OTL or that you need to reboot after OTL auto-reboots?

Here’s the log from the quick scan: http://pastebin.com/q3pPsKrs

OK, well I ran ComboFix, and the command prompt stopped at step 50 and my internet isn’t working.

EDIT: The internet’s back, but my desktop is gone again (it had come back).

This might be very important. I am experiencing exaclty the same on Windows 7 Home 64. I do have a patched version of explorer, I modified it something like 1 year ago, but what it important is that after replacing it with an old backup (I luckily have Ubuntu installed) the system is back working.
I will test it and see if it comes back with the same problem then cases are two:

  1. Everything goes on working as usual - meaning that it was a fp due to the patch or the patch itself did contain a virus which slmehow activated only now or I somehow deleted the virus (I deleted temp and temporary internet files from Ubuntu).

  2. At next reboot I get back to the same - then it means that the infection is not a fp and it is not related with patching.

Anyway it is also worth to mention that yesterday Chrome was reporting me a dangerous download, which actually was not but could potentially be as it contained programs related with bioses which anyway I didn’t open there since were for another laptop. But the point is that this virus has been probably downloaded by some other malware which xould have been there for a long time…

The problem occured for me because I had a patched version of explorer.exe. See here. If you had knowingly modified explorer.exe (with a program such as W7SBC) and trust that program, then you may do as I did and whitelist explorer.exe in Avast for now.

Of course, there is still the chance that explorer.exe is malware. So do it at your own risk.

linking all the threads together:

http://forum.avast.com/index.php?topic=147308
http://forum.avast.com/index.php?topic=147328
http://forum.avast.com/index.php?topic=147333 (this thread)
http://forum.avast.com/index.php?topic=147339

I have also alerted Avast of the file (although the last time I did this they took >3 months to reply…)

I used exactly W7SBC and as I said backup files created by that program are safe. Then it would really be the first time that I see a malware creating safe backup copies for you…
Maybe there is a new malware which affecta only modified copies of explorer.exe maybe exploiting some bugs. So I think that the best advice is to possibly unpatch/restore explorer.exe.

Unlikely. This is easily reproducible by anyone with a 64bit W7 machine.

  1. Install Avast! & lastest definitions
  2. get W7SBC and a random bitmap file for that (plus gaining control over explorer.exe if needed)
  3. Once the changes are applied, Avast immediately blocks explorer.exe
  4. If the changes are unapplied, it is immediately unblocked and if the changes are reapplied, it is immediately blocked.

Could you all upload the patched explorers to Avast as false positives please