Ransomware Clop D

bendipa

I don't use Windows 7 much these days. But recently I booted into it for the first time in 2 months, did some updates and ran an MSE full scan. For the first time in using Win 7 a virus was found, which is apparently shown here as ransomware, but nothing was triggered and no harm was done. I quarantined then deleted it and thought that was that.

However, I booted back into Win 7 today, updated the MSE database and ran another full scan, only to find the same virus was flagged up again. I used Explorer to find the offending file and saw that its creation date was about the same time that I had booted up. This turned out to be a .tar file, which is like a Linux zip file. I also have Linux on the same PC, but don't know if this is a coincidence. This time I did not quarantine it. I then ran Free Malwarebytes, but it found nothing. I ran MSE again doing a quick scan, but it too was negative. Puzzled, I re-ran the MSE full scan and this time it was negative. I returned to the folder containing the virus .tar file, but now it had disappeared.

Can anyone suggest what is happening here?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Vostro
OS
Windows 7 Pro 64 Bit, Windows 10 Pro 64 Bit, Linux Mint 20.1 LTS
CPU
Intel Core i5-3470 3.2 GHz
Motherboard
Intel 7 Series C/216 Chipset
Memory
6GB RAM
Graphics Card(s)
Intel HD Graphics
Monitor(s) Displays
Asus VC239 (23.5")
Hard Drives
Western Digital WD10EZEX 1TB
Western Digital WD3200AAKS 320GB
PSU
Corsair 500W
Antivirus
Microsoft Essentials, Malwarebytes, Kapersky Rescue Disk
Browser
Firefox 87 64 Bit
Based on your screenshot, I'm leaning towards thinking that it's a false positive, but also it's showing an important problem in your computer.

If you look at the path of the offending file, it says c:\programdata\checkpoint\endpoint security\tpcommon\updater\atps\download\dc\sigs_package.tar.gz. Based on that path, it seems that it belongs to another antivirus program, and the filename points directly to its signature database (concretely, I found Checkpoint Endpoint Security to be the most probable one).
Since the signature databases of antiviruses contain, well, virus fragments, it's not unlikely that another antivirus finds them and confuses them with actual malware. This is one of the prime reasons why you should never have more than one antivirus at a time (they tend to attack each other).

The solution in this case is to get rid of one of them and delete all of its files, thus preventing its databases from being taken as viruses by the other.

Of course, there is always the chance that I'm wrong and it IS a real infection, especially if you don't know anything about the other antivirus (a virus trying to disguise itself as an antivirus). In this case, the solution is the standard response for every malware attack: wipe the affected computer and perform a clean install of the operating system. Since you mention you also use Linux as another OS, I would suggest, for security's sake, that you wipe and reinstall it too.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Satellite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
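A triage check for a detection like the one discussed above, added here as an example and not code from the thread or from any of the products named: it treats an AV hit as a probable false positive only when the file sits under a known security product's own data directory (a constructed marker list; the Checkpoint path is the one quoted in the reply), really is the gzip'd tar its name claims to be, and carries no Windows executable inside. Anything else is sent to "investigate".

```python
import io
import tarfile
from pathlib import PureWindowsPath

# Vendor directory markers for security products' own signature caches.
# Constructed for this example; the Checkpoint entry is the path quoted in the thread.
KNOWN_SIGNATURE_DIRS = [("checkpoint", "endpoint security")]

FLAGGED_PATH = r"c:\programdata\checkpoint\endpoint security\tpcommon\updater\atps\download\dc\sigs_package.tar.gz"

def is_signature_cache_path(path):
    """True when every marker of some known vendor appears as a path component."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(all(m in parts for m in markers) for markers in KNOWN_SIGNATURE_DIRS)

def archive_members(data):
    """(name, first two bytes) per file in a gzip'd tar; None if it is not one."""
    if data[:2] != b"\x1f\x8b":  # gzip magic number
        return None
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            return [(m.name, tar.extractfile(m).read(2))
                    for m in tar.getmembers() if m.isfile()]
    except tarfile.TarError:
        return None

def triage_detection(path, data):
    """'likely-false-positive' for inert signature data in a vendor cache, else 'investigate'."""
    members = archive_members(data)
    if members is None:
        return "investigate"  # not the archive its name claims to be
    if any(head == b"MZ" for _, head in members):
        return "investigate"  # a PE executable is packed inside the archive
    if is_signature_cache_path(path):
        return "likely-false-positive"
    return "investigate"  # archive outside any known vendor directory

def build_tgz(files):
    """Build an in-memory .tar.gz from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_tgz({"sigs/clop.sig": b"constructed signature blob"})
    print(triage_detection(FLAGGED_PATH, sample))
```

A "likely-false-positive" result is only a triage hint; confirming that the vendor directory really belongs to an installed product, as the reply suggests, is still the deciding step.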
OK. I've found that this virus only appears whenever there's an MSE update. It's always located in the same place and each time when I scan the folder containing the file, Malwarebytes gives a negative. Only MSE considers it a ransomware threat.
I have the same problem that just appeared on my Win 7 Home 32-bit I use at work. MSE finds it and removes it and asks me to reboot to finish cleaning the computer. It's an endless cycle; scanned with Spybot and Malwarebytes, found nothing. Going to try tomorrow to search the computer for the location. Here is the virus name: XRansom:BAT/Clop.D
I have not opened or clicked anything suspicious, but have been looking for and downloading other antivirus programs to try. I tried Avast Free, but it was really slow. Got rid of it, and that is when the bug showed up, when I was uninstalling it.

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom build
OS
Windows 7 Professional 64 bit
I think it's a false positive. My data files have not been affected. It's a .gz file, which is an archive file used in Linux. Windows cannot open or run it directly, so it would not be much use as a ransomware file. It would need something like WinZip to extract or examine the contents. It only seems to download or appear when MSE is updated, and there was nothing about this file when I googled it.
I guess you are right. I had four of them in MSE and removed and deleted them from my system. Did a full scan with Malwarebytes and MSE and found nothing. Thank you.