

Windows 7: Ransomware Clop D

13 Dec 2019   #1
bendipa

Windows 7 Pro 64 Bit, Windows 10 Pro 64 Bit, Linux Ubuntu 18.04 LTS
 
 
Ransomware Clop D

I don't use Windows 7 much these days. But recently I booted into it for the first time in 2 months, did some updates and ran an MSE full scan. For the first time in using Win 7 a virus was found, which is apparently shown here as ransomware, but nothing was triggered and no harm was done. I quarantined then deleted it and thought that was that.

However, I booted back into Win 7 today, updated the MSE database, and ran another full scan, only to find the same virus was flagged up again. I used Explorer to find the offending file and saw the creation date of it was about the same time that I had booted up. This turned out to be a .tar file which is like a Linux zip file. I also have Linux on the same PC, but don't know if this is a coincidence. This time I did not quarantine it. I then ran Free Malwarebytes but it found nothing. I ran MSE again doing a quick scan but it too was negative. Puzzled, I re-ran the MSE full scan and this time it was negative. I returned to the folder containing the virus .tar file but it had now disappeared.

Can anyone suggest what is happening here?


13 Dec 2019   #2
Alejandro85

Windows 7 Ultimate x64
 
 

Based on your screenshot, I'm leaning towards thinking that it's a false positive, but also it's showing an important problem in your computer.

If you look at the path of the offending file, it says c:\programdata\checkpoint\endpoint security\tpcommon\updater\atps\download\dc\sigs_package.tar.gz. Based on that path, it seems that it belongs to another antivirus program, and the filename points directly to its signature database (concretely, I found Checkpoint Endpoint Security to be the most probable one).
Since the signature databases of antiviruses contain, well, virus fragments, it's not unlikely that another antivirus finds them and confuses them with actual malware. This is one of the prime reasons why you should never have more than one antivirus at a time (they tend to attack each other).

The solution in this case is to get rid of one of them and delete all of its files, thus preventing its databases from being taken as viruses by the other.

Of course, there is always the chance that I'm wrong and it IS a real infection, especially if you don't know anything about the other antivirus (a virus trying to disguise itself as an antivirus). In this case, the solution is the standard response for every malware attack: wipe the affected computer and perform a clean install of the operating system. Since you mention you also use Linux as another OS, I would suggest, for security's sake, that you wipe and reinstall it too.
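The two checks behind the reply above (does the flagged file sit in another security product's data directory, and what is inside the archive), as an added example that is not part of any post in this thread. The function names, the extension list and the sample archive are assumptions constructed for illustration; the only directory listed is the one quoted in the thread.

```python
import hashlib
import io
import tarfile
from pathlib import PureWindowsPath

# Directory quoted in the thread; any further entries would be your own additions.
KNOWN_AV_DIRS = [PureWindowsPath(r"c:\programdata\checkpoint\endpoint security")]
# Assumed triage list of member types Windows could run or load directly.
RUNNABLE_EXTS = {".bat", ".cmd", ".exe", ".dll", ".ps1", ".vbs", ".js"}


def under_known_av_dir(path: str) -> bool:
    """True if the flagged file lives below a listed security-product directory."""
    p = PureWindowsPath(path.lower())
    return any(d in p.parents for d in KNOWN_AV_DIRS)


def triage_archive(data: bytes) -> dict:
    """Hash a .tar.gz and list its members without extracting anything to disk."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "members": [], "runnable": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:
            report["members"].append((m.name, m.size))
            suffix = PureWindowsPath(m.name).suffix.lower()
            if m.isfile() and suffix in RUNNABLE_EXTS:
                report["runnable"].append(m.name)
    return report


def build_sample(files=None) -> bytes:
    """Constructed stand-in for a signature package: data files only by default."""
    files = files or [("sigs/index.dat", b"constructed index"),
                      ("sigs/patterns.bin", b"\x00\x01constructed")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    flagged = (
        r"c:\programdata\checkpoint\endpoint security\tpcommon"
        r"\updater\atps\download\dc\sigs_package.tar.gz"
    )
    print("under known AV dir:", under_known_av_dir(flagged))
    print(triage_archive(build_sample()))
```

The location and the member listing are triage hints only; the SHA-256 is the value to give either vendor when reporting a suspected false positive.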
17 Dec 2019   #3
bendipa

Windows 7 Pro 64 Bit, Windows 10 Pro 64 Bit, Linux Ubuntu 18.04 LTS
 
 

OK. I've found that this virus only appears whenever there's an MSE update. It's always located in the same place and each time when I scan the folder containing the file, Malwarebytes gives a negative. Only MSE considers it a ransomware threat.

18 Dec 2019   #4
Donbo

Windows 7 Professional 64 bit
 
 

I have the same problem that just appeared on my Win 7 Home 32-bit I use at work. MSE finds it and removes it and asks me to reboot to finish cleaning the computer. It's an endless cycle; scanned with Spybot and Malwarebytes, found nothing. Going to try tomorrow to search computer for location. Here is the virus name XRansom:BAT/Clop.D
I have not opened or clicked anything suspicious but have been looking and downloading other antivirus to try. I tried Avast Free but it was really slow. Got rid of it and that is when the bug showed up, when I was uninstalling it.
19 Dec 2019   #5
bendipa

Windows 7 Pro 64 Bit, Windows 10 Pro 64 Bit, Linux Ubuntu 18.04 LTS
 
 

I think it's a false positive. My data files have not been affected. It's a .gz file which is an archive file used in Linux. Windows cannot open or run it directly. So it would not be much use as a ransomware file. It would need something like Winzip to extract or examine the contents. It only seems to download or appear when MSE is updated, and there was nothing about this file when I googled.
19 Dec 2019   #6
Donbo

Windows 7 Professional 64 bit
 
 

I guess you are right. I had four of them in MSE and removed and deleted them from my system. Did a full scan with Malwarebytes and MSE and nothing. Thank you.