
W32/Meredrop


9 replies to this topic

#1 sinneduy

  • Members
  • 5 posts

Posted 28 December 2008 - 03:16 AM

Hi, I have been infected with W32/Meredrop. The Trojan file was identified as Meredrop; however, it was detected weeks after I had actually run the file within, and therefore I am infected. How can I remove the infection?

Edited by Orange Blossom, 28 December 2008 - 03:20 AM.
Move from HiJack This forum to Am I Infected as there are no logs. ~ OB




#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 29 December 2008 - 05:26 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 sinneduy

  • Topic Starter
  • Members
  • 5 posts

Posted 30 December 2008 - 01:21 AM

Sorry for the late reply

Malwarebytes has found nothing, and I accidentally did a full scan.

Malwarebytes' Anti-Malware 1.31
Database version: 1561
Windows 6.0.6001 Service Pack 1

12/28/2008 12:32:55 PM
mbam-log-2008-12-28 (12-32-55).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|J:\|)
Objects scanned: 400333
Time elapsed: 5 hour(s), 8 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by sinneduy, 30 December 2008 - 01:21 AM.


#4 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 30 December 2008 - 05:46 AM

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 sinneduy

  • Topic Starter
  • Members
  • 5 posts

Posted 30 December 2008 - 03:27 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/30/2008 at 02:20 PM

Application Version : 4.24.1004

Core Rules Database Version : 3689
Trace Rules Database Version: 1665

Scan type : Complete Scan
Total Scan Time : 03:33:10

Memory items scanned : 65
Memory threats detected : 0
Registry items scanned : 6830
Registry threats detected : 0
File items scanned : 369241
File threats detected : 1

Trace.Known Threat Sources
D:\Users\Dennis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2WA8JITW\4megaupload_powered-by_zango_com[1]




Oh, and by the way, I ran an analysis of the Trojan I had run on threatexpert.com and this is what I got back on it:

Submission Summary:
Submission details:
Submission received: 29 December 2008, 08:18:16
Processing time: 6 min 26 sec
Submitted sample:
File MD5: 0xE8DF88F3AD528657FE1241D86BA045E6
Filesize: 562,534 bytes
Alias:
Trojan-Ransom.Win32.Gpcode.at [Kaspersky Lab]
W32/Ransom.worm.a [McAfee]
Mal/Generic-A [Sophos]
Trojan:Win32/Meredrop [Microsoft]
BehavesLike.Win32.Malware [Ikarus]
Summary of the findings:
What's been found Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.




Technical Details:
The new window was created, as shown below:





Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:
Security Risk Description
Trojan-Spy.Ransom.VB.A Trojan-Spy.Ransom.VB.A on execution encrypts some files on the infected computer and demands a ransom in order to provide the decryptor.
Adware.Component.Unrelated These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.




File System Modifications

The following files were created in the system:
# Filename(s) File Size File MD5 Alias
1 %Temp%\errir.exe 20,480 bytes 0xCD5AD643398F4DB0D5D2DC8866C3D395 Trojan:Win32/Embhit.B [Microsoft]
2 %Windir%\Mswinsck.ocx 124,688 bytes 0xE8A2190A9E8EE5E5D2E0B599BBF9DDA6 (not available)
3 %Windir%\NeroDigit32.inf 406,104 bytes 0x3644B3302E9C88F72C1231FBC91A8DD8 Trojan-Ransom.Win32.Gpcode.at [Kaspersky Lab]
W32/Ransom.worm.a [McAfee]
Mal/Generic-A [Sophos]
Worm:Win32/Embhit.A [Microsoft]
Trojan-Ransom.Win32.Gpcode [Ikarus]
4 %Windir%\services.exe 122,880 bytes 0x381F208286CFF5403FBF89ADB7AAC607 W32.Randsom.A [Symantec]
Trojan-Ransom.Win32.Gpcode.at [Kaspersky Lab]
W32/Ransom.worm.a [McAfee]
Mal/Generic-A [Sophos]
Worm:Win32/Embhit.A [Microsoft]
5 [file and pathname of the sample #1] 562,534 bytes 0xE8DF88F3AD528657FE1241D86BA045E6 Trojan-Ransom.Win32.Gpcode.at [Kaspersky Lab]
W32/Ransom.worm.a [McAfee]
Mal/Generic-A [Sophos]
Trojan:Win32/Meredrop [Microsoft]
BehavesLike.Win32.Malware [Ikarus]
6 %Windir%\ulodb3.ini 6 bytes 0xD5651C95ACC2813E80EBC7F45C61A610 (not available)
7 %Windir%\UNISTLWT16.exe 28,672 bytes 0x714E030502B6CCCC2ACE39D7CE2A8BEE W32.Randsom.A [Symantec]
Trojan-Ransom.Win32.Gpcode.at [Kaspersky Lab]
W32/Ransom.worm.a [McAfee]
Mal/Generic-A [Sophos]
Trojan:Win32/Embhit.C [Microsoft]


Note:
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
The following directory was created:
%ProgramFiles%\Trona
Notes:
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.


Memory Modifications

There were new processes created in the system:
Process Name Process Filename Main Module Size
services.exe %Windir%\services.exe 126,976 bytes
UNISTLWT16.exe %Windir%\UNISTLWT16.exe 28,672 bytes
[filename of the sample #1] [file and pathname of the sample #1] 548,864 bytes
errir.exe %Temp%\errir.exe 20,480 bytes




Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6A0-OTRV-U5KH-S1UE-E0BC10B4E666}
HKEY_LOCAL_MACHINE\SOFTWARE\Trona.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Trona.exe\Trona
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6A0-OTRV-U5KH-S1UE-E0BC10B4E666}]
StubPath = "%Windir%\UNISTLWT16.exe"

so that UNISTLWT16.exe runs every time Windows starts

[[pathname with a string SHARE]\SharedDlls]
%Windir%\Mswinsck.ocx = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Trona.exe\Trona]
Directory = "%ProgramFiles%\Trona"
Version = "1.00"
Uninstaller = "%Windir%\Trona Uninstaller.exe"
The following Registry Value was deleted:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>`NTP6lYuf(laaqF-Q9q."
The following Registry Values were modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
(Default) = "Microsoft WinSock Control, version 6.0 (SP6)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
(Default) = "%Windir%\Mswinsck.ocx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
(Default) = "%Windir%\Mswinsck.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
(Default) = "%Windir%\Mswinsck.ocx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock]
(Default) = "Microsoft WinSock Control, version 6.0 (SP6)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1]
(Default) = "Microsoft WinSock Control, version 6.0 (SP6)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
(Default) = "Microsoft Winsock Control 6.0 (SP6)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
(Default) = "%Windir%\Mswinsck.ocx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
(Default) = ""


Other details

To mark the presence in the system, the following Mutex object was created:
Trona_inst_m




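As an added, defender-side example (not code from this thread, from ThreatExpert, or from any tool named in it), the following Python parses the two sections of a ThreatExpert-style report that matter most when checking a machine afterwards: the dropped-file table (path, size, MD5, vendor aliases, including the alias lines that wrap onto their own rows) and the registry values. It then joins them, so the Active Setup `StubPath` entry the report explains ("so that UNISTLWT16.exe runs every time Windows starts") is resolved back to the dropped file and its hash. The sample text is constructed from rows quoted above; the regular expressions, class and function names are mine, and the `CurrentVersion\Run` check is a generalization beyond the one autostart location the report shows.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: rows copied from the ThreatExpert report quoted above,
# trimmed to the two sections this parser understands.
REPORT = r"""
The following files were created in the system:
# Filename(s) File Size File MD5 Alias
1 %Temp%\errir.exe 20,480 bytes 0xCD5AD643398F4DB0D5D2DC8866C3D395 Trojan:Win32/Embhit.B [Microsoft]
2 %Windir%\Mswinsck.ocx 124,688 bytes 0xE8A2190A9E8EE5E5D2E0B599BBF9DDA6 (not available)
3 %Windir%\NeroDigit32.inf 406,104 bytes 0x3644B3302E9C88F72C1231FBC91A8DD8 Trojan-Ransom.Win32.Gpcode.at [Kaspersky Lab]
W32/Ransom.worm.a [McAfee]
7 %Windir%\UNISTLWT16.exe 28,672 bytes 0x714E030502B6CCCC2ACE39D7CE2A8BEE W32.Randsom.A [Symantec]
Trojan:Win32/Embhit.C [Microsoft]

The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6A0-OTRV-U5KH-S1UE-E0BC10B4E666}]
StubPath = "%Windir%\UNISTLWT16.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Trona.exe\Trona]
Directory = "%ProgramFiles%\Trona"
"""

FILE_RE = re.compile(r"^(\d+)\s+(\S.*?)\s+([\d,]+) bytes\s+0x([0-9A-Fa-f]{32})\s*(.*)$")
ALIAS_RE = re.compile(r"^(.*\S)\s+\[([^\]]+)\]$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(\S+)\s*=\s*"(.*)"$')

# Registry locations that launch a program at boot or logon. Active Setup is the
# one the report shows; the CurrentVersion\Run family is a well-known generalization.
AUTOSTART_MARKERS = (
    (r"\active setup\installed components", "stubpath"),
    (r"\microsoft\windows\currentversion\run", None),
)


@dataclass
class DroppedFile:
    path: str
    size: int
    md5: str
    aliases: List[Tuple[str, str]] = field(default_factory=list)  # (detection name, vendor)


@dataclass
class RegistryValue:
    key: str
    name: str
    data: str


def parse_alias(text: str) -> Optional[Tuple[str, str]]:
    """'Trojan:Win32/Embhit.B [Microsoft]' -> ('Trojan:Win32/Embhit.B', 'Microsoft')."""
    m = ALIAS_RE.match(text.strip())
    return (m.group(1), m.group(2)) if m else None


def parse_report(text: str) -> Tuple[List[DroppedFile], List[RegistryValue]]:
    files: List[DroppedFile] = []
    values: List[RegistryValue] = []
    current_file: Optional[DroppedFile] = None
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:  # numbered row of the file table
            current_file = DroppedFile(m.group(2), int(m.group(3).replace(",", "")), m.group(4).upper())
            alias = parse_alias(m.group(5))
            if alias:
                current_file.aliases.append(alias)
            files.append(current_file)
            continue
        m = KEY_RE.match(line)
        if m:  # "[HKEY_...]" opens a registry key; file rows cannot continue past it
            current_key, current_file = m.group(1), None
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            values.append(RegistryValue(current_key, m.group(1), m.group(2)))
            continue
        alias = parse_alias(line)
        if alias and current_file is not None:  # extra vendor names wrap onto their own lines
            current_file.aliases.append(alias)
    return files, values


def find_persistence(values: List[RegistryValue], files: List[DroppedFile]) -> List[Dict[str, Optional[str]]]:
    """Return autostart registry values, joined to the dropped file each one points at."""
    by_path = {f.path.lower(): f for f in files}
    hits: List[Dict[str, Optional[str]]] = []
    for v in values:
        for marker, value_name in AUTOSTART_MARKERS:
            if marker in v.key.lower() and (value_name is None or v.name.lower() == value_name):
                dropped = by_path.get(v.data.lower())
                hits.append({"key": v.key, "value": v.name, "command": v.data,
                             "md5": dropped.md5 if dropped else None})
    return hits


if __name__ == "__main__":
    dropped, reg_values = parse_report(REPORT)
    for f in dropped:
        print(f"{f.md5}  {f.size:>8}  {f.path}  {', '.join(n for n, _ in f.aliases) or '-'}")
    for hit in find_persistence(reg_values, dropped):
        print(f"persistence: {hit['value']} under {hit['key']} -> {hit['command']} (md5 {hit['md5']})")
```

The paths in a sandbox report are placeholders (`%Temp%`, `%Windir%`), so expand them for the host's own layout (the report's note gives the XP default for `%Temp%`) before comparing the list against what a scanner reports or against what is actually on disk. Run on the sample, the script lists the four dropped files with their hashes and one persistence hit: the `StubPath` value under Active Setup pointing at `%Windir%\UNISTLWT16.exe`, MD5 714E030502B6CCCC2ACE39D7CE2A8BEE.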

#6 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 30 December 2008 - 05:47 PM

Try this scan:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

#7 sinneduy

  • Topic Starter
  • Members
  • 5 posts

Posted 17 January 2009 - 03:36 PM

I am running Vista and this is not working on Vista. This forum says that SDFix won't work for Vista. Is that correct?

http://www.bleepingcomputer.com/forums/lof...hp/t184591.html

It is not working for me. When I try to run it, it simply flashes blue and then disappears. I have tried all the fixes in the beginning of your link, but they all say there is nothing wrong.

#8 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 17 January 2009 - 04:02 PM

You are correct - SDFix does not work with Vista.

Update Malwarebytes and run another scan.

#9 sinneduy

  • Topic Starter
  • Members
  • 5 posts

Posted 17 January 2009 - 11:30 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1663
Windows 6.0.6001 Service Pack 1

1/17/2009 10:04:22 PM
mbam-log-2009-01-17 (22-04-22).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|J:\|)
Objects scanned: 403234
Time elapsed: 2 hour(s), 50 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 18 January 2009 - 04:49 PM

If Malwarebytes doesn't find anything and you have no other signs of infection I would say you're clean.