BleepingComputer.com: exploit.drop.3 plus other malware

exploit.drop.3 plus other malware I need help!

#1 dr_matrix

  • New Member
  • Group: Members
  • Posts: 1
  • Joined: 11-January 12

Posted 11 January 2012 - 10:12 PM

EDIT: Moved from XP to Am I Infected.
I picked up malware/virus from watching an online college basketball game.

A message started telling me that I had a virus and that I needed to download some phoney virus scanner to stop it. I downloaded Malwarebytes and ran a scan. It removed a number of infected files. I then ran Microsoft Security Essentials and it found a few more files. I kept getting critical errors with dlls and so I ran Uniblue RegistryBooster. I'm not sure what this did.

I thought things were better but I still have serious problems. My symptoms include:
* wireless network card seems to drop the signal and then pick it back up again. However I don't seem to lose connectivity.
* fan on my computer will all of a sudden fire up on high but then will slow back down after a while
* computer lags during this time
* When I start the computer after the desktop appears it takes about 10 minutes before I can do anything
* When I go to a website sometimes another site is opened instead (here is an example url - http://9newstoday.net/hoj/hoj/index.html)
* MalBytes keeps blocking connections although it seems to have stopped
* Occasionally Malbytes quarantines a file. It mentions the "exploit.drop.3" as well as a number of others
* I tried to run the dds script by double clicking and I get nothing. When I try to run it from the command line I see a brief black box but then nothing. I have tried to restart but it doesn't help.
* I run Gmer and it says that there is a problem. I uncheck "IAT/EAT" "D:/" (system files are on C:) and the "show all" is not checked.
* Gmer starts to run but then crashes after a few minutes. I have included the log created before it crashes.

Ughh!!! please help!


I have included the Malbytes logs from the last few days at the bottom of the post.

I am running Windows XP with SP3
I am using Firefox 9.0.1 although I might have been using a previous version when I was infected.



2012/01/10 14:21:07 -0600 DETECTION C:\WINDOWS\Temp\tue0.13854448580674306.exe Spyware.Agent QUARANTINE
2012/01/10 14:21:08 -0600 DETECTION C:\WINDOWS\Temp\oiu0.36497560343934954.exe Spyware.Agent QUARANTINE
2012/01/10 17:32:01 -0600 MESSAGE Executing scheduled update: Daily
2012/01/10 17:32:11 -0600 MESSAGE Scheduled update executed successfully: database updated from version v2012.01.08.04 to version v2012.01.10.06
2012/01/10 17:32:11 -0600 MESSAGE Starting database refresh
2012/01/10 17:32:11 -0600 MESSAGE Stopping IP protection
2012/01/10 17:32:11 -0600 MESSAGE IP Protection stopped
2012/01/10 17:32:14 -0600 MESSAGE Database refreshed successfully
2012/01/10 17:32:14 -0600 MESSAGE Starting IP protection
2012/01/10 17:32:16 -0600 MESSAGE IP Protection started successfully
2012/01/10 17:42:29 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:32 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:38 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:50 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:42:53 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:42:59 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:43:11 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:43:14 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:43:20 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:43:31 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:43:34 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:43:40 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:43:52 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:43:55 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:44:01 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:44:13 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 17:44:16 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 17:44:22 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 17:44:34 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:44:37 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:44:43 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:44:52 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:44:55 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:45:01 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:45:13 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:45:16 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:45:22 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:45:34 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:45:37 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:45:43 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:45:52 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:45:55 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:46:01 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:13:29 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:13:33 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:13:39 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:13:51 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:13:54 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:13:59 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:14:12 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:14:15 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:14:20 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:14:32 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:14:35 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:14:41 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:14:53 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:14:56 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:15:02 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:15:14 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 18:15:17 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 18:15:23 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 18:15:35 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:15:38 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:15:44 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:15:53 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:15:56 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:16:02 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:16:14 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:16:17 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:16:23 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:16:44 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:16:47 -0600 (null) IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:16:54 -0600 (null) IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:17:02 -0600 (null) IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:17:05 -0600 (null) IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 21:28:27 -0600 MESSAGE Starting protection
2012/01/10 21:28:46 -0600 MESSAGE Protection started successfully
2012/01/10 21:28:49 -0600 MESSAGE Starting IP protection
2012/01/10 21:36:50 -0600 MESSAGE IP Protection started successfully
2012/01/10 22:50:07 -0600 MESSAGE Starting protection
2012/01/10 22:50:25 -0600 MESSAGE Protection started successfully
2012/01/10 22:50:28 -0600 MESSAGE Starting IP protection
2012/01/10 22:58:30 -0600 MESSAGE IP Protection started successfully


2012/01/11 09:54:16 -0600 DETECTION C:\WINDOWS\Temp\tue0.6510460565748282.exe Rogue.FakeHDD QUARANTINE
2012/01/11 09:54:17 -0600 DETECTION C:\WINDOWS\Temp\oiu0.08497246974876727.exe Spyware.Agent QUARANTINE
2012/01/11 17:46:20 -0600 MESSAGE Starting protection
2012/01/11 17:46:36 -0600 MESSAGE Protection started successfully
2012/01/11 17:46:39 -0600 MESSAGE Starting IP protection
2012/01/11 17:50:43 -0600 MESSAGE IP Protection started successfully
2012/01/11 18:04:49 -0600 DETECTION C:\WINDOWS\Temp\p9pl9213865069381759345.tmp Exploit.Drop.3P QUARANTINE


First Gmer output:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-11 21:04:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9200420ASG rev.3.ADD
Running: gmer.exe; Driver: C:\DOCUME~1\TYLERL~1\LOCALS~1\Temp\agtyykog.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3160

---- EOF - GMER 1.0.15 ----



Gmer script before it crashes. I have run this three times now and it crashes in the same spot.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-11 20:54:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TYLERL~1\LOCALS~1\Temp\agtyykog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB902A360, 0x349367, 0xE8000020]
.text afd.sys B755F001 103 Bytes [B7, 6A, 00, FF, 73, 0C, FF, ...]
.text afd.sys B755F069 6 Bytes [EB, 45, C7, 45, E4, 0D]
.text afd.sys B755F070 20 Bytes [00, C0, EB, 21, 90, 90, 90, ...]
.text afd.sys B755F085 124 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
.text afd.sys B755F102 146 Bytes [01, 00, 00, 83, 65, FC, 00, ...]
.text ...
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[608] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 026C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[608] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0271000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[608] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 026B000C
.text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1168] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 1 Byte [C3]
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0215000A
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0216000A
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0214000C

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

This post has been edited by boopme: 11 January 2012 - 10:21 PM
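The Malwarebytes protection log pasted in the post above is long, but every line follows one of three shapes (DETECTION, IP-BLOCK, MESSAGE), so it can be triaged mechanically rather than read top to bottom. The script below is an added example written for this page; it is not part of the original post and not Malwarebytes' own tooling. It parses those lines, counts blocked outbound addresses, lists quarantined detections and measures the gap between repeat contacts to the same address (short, regular gaps are the sign of a process retrying a remote address on a timer, which is what the log shows). The sample input is a short excerpt of the log from the post; the line patterns are assumptions drawn from the lines shown here, not a published format specification.

```python
"""Triage helper for Malwarebytes protection-log lines (format as pasted in the post above)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Short excerpt of the log from the post, including one of the "(null)" lines it contains.
SAMPLE_LOG = r"""
2012/01/10 14:21:07 -0600 DETECTION C:\WINDOWS\Temp\tue0.13854448580674306.exe Spyware.Agent QUARANTINE
2012/01/10 14:21:08 -0600 DETECTION C:\WINDOWS\Temp\oiu0.36497560343934954.exe Spyware.Agent QUARANTINE
2012/01/10 17:32:11 -0600 MESSAGE Stopping IP protection
2012/01/10 17:42:29 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:32 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:38 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:50 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:42:53 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:42:59 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:43:11 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:16:47 -0600 (null) IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/11 18:04:49 -0600 DETECTION C:\WINDOWS\Temp\p9pl9213865069381759345.tmp Exploit.Drop.3P QUARANTINE
"""

# Assumed line grammar, derived from the lines in the post: timestamp, UTC offset,
# an optional stray "(null)" token, the event kind, then kind-specific fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} "
    r"(?:\(null\) )?"
    r"(?P<kind>DETECTION|IP-BLOCK|MESSAGE) (?P<rest>.*)$"
)
# Path may contain spaces, so take the last two tokens as detection name and action.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<name>\S+) (?P<action>\S+)$")
IPBLOCK_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+)\)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict = field(default_factory=dict)


def parse_line(line):
    """Return an Event for a recognised log line, or None for blank or unknown lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    kind, rest = m.group("kind"), m.group("rest")
    if kind == "DETECTION":
        d = DETECTION_RE.match(rest)
        fields = d.groupdict() if d else {"raw": rest}
    elif kind == "IP-BLOCK":
        d = IPBLOCK_RE.match(rest)
        fields = d.groupdict() if d else {"raw": rest}
    else:
        fields = {"text": rest}
    return Event(ts, kind, fields)


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def blocked_ip_counts(events):
    """How many outbound attempts were blocked per remote address."""
    return Counter(e.fields["ip"] for e in events
                   if e.kind == "IP-BLOCK" and "ip" in e.fields)


def detections(events):
    """(detection name, file path, action) for every DETECTION line."""
    return [(e.fields["name"], e.fields["path"], e.fields["action"])
            for e in events if e.kind == "DETECTION" and "name" in e.fields]


def contact_intervals(events):
    """Seconds between consecutive blocked attempts to the same address.
    Regular short gaps indicate a timed retry loop rather than user browsing."""
    last, gaps = {}, defaultdict(list)
    for e in events:
        if e.kind != "IP-BLOCK" or "ip" not in e.fields:
            continue
        ip = e.fields["ip"]
        if ip in last:
            gaps[ip].append(int((e.ts - last[ip]).total_seconds()))
        last[ip] = e.ts
    return dict(gaps)


def recurring_targets(events, min_hits=3):
    """Addresses contacted repeatedly: the ones worth treating as command-and-control candidates."""
    return sorted(ip for ip, n in blocked_ip_counts(events).items() if n >= min_hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blocked:", dict(blocked_ip_counts(evs)))
    print("detections:", [name for name, _, _ in detections(evs)])
    print("intervals:", contact_intervals(evs))
    print("recurring:", recurring_targets(evs))
```

Run against the full log in the post, the same functions show the pattern a helper looks for: three addresses contacted in rotation a few seconds apart, with detections landing in C:\WINDOWS\Temp between the block bursts, which is consistent with a dropper that keeps re-fetching its payload while the IP filter keeps refusing the connection.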


#2 Broni

  • The Coolest BC Computer
  • Group: BC Advisor
  • Posts: 22,167
  • Joined: 01-February 08
  • Gender: Male
  • Location: Daly City, CA

Posted 11 January 2012 - 11:47 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.