
Possible Multidropper infection



#1 Leeeeeeelo


Posted 16 April 2011 - 07:05 AM

Hello all,

To whom it may concern,

I am posting here in order to seek help for a possible infection. Here's what happened:

  • I had Malwarebytes' Anti-Malware, Ad-Aware Free Edition and McAfee Antivirus Plus installed on my PC. I was running a full scan with Ad-Aware and McAfee, when Ad-Aware suddenly closed and McAfee encountered an error (sorry, I don't have a print screen nor the exact words, but it said it encountered an error while scanning, and it stopped scanning). I tried several times to rerun a full scan with each of Ad-Aware and McAfee, but Ad-Aware kept disappearing some time after the scan began, and McAfee kept encountering an error. I uninstalled Ad-Aware and didn't install it back, and I uninstalled McAfee and re-installed it, ran a full scan and found nothing. I also ran a full Malwarebytes' Anti-Malware scan and found nothing.
  • I have VirtualBox installed, along with an ISO image of BackTrack 4 which I used to run a virtual machine. I used nmap yesterday in order to scan all ports of my PC (I used the following command: nmap internal-ip) and it showed a few open ports, and among them was TCP 1035 with a service called 'multidropper'. A quick search on Google shows that this is most probably a trojan, however nothing showed on the full scans of McAfee and Malwarebytes' Anti-Malware. I rescanned all ports today with nmap and port 1035 TCP is no longer open, however there are a few unknown open ports and a few that look suspicious (i.e. TCP 1027 for the IIS service, knowing that I have never ever had an IIS server; I use Apache 2 instead).
  • I installed SUPERAntiSpyware Free Edition and ran a full scan and found this: Trojan.Vundo-Variant/F located in C:\WINDOWS\CRYSTAL\U2LESBSE.DLL. However, I am afraid that this might be a false positive; I don't want to remove it via SAS unless I am sure this is really the multidropper Trojan (or another Trojan), because this is a DLL file located in the Windows folder and I know that removing such a file might be dangerous.
Any help is appreciated.

I am running Windows 7 Ultimate 64-bit edition.

Thank you in advance,

Have a nice day,

Best Regards,

Leeeeeeelo.

Edited by Leeeeeeelo, 16 April 2011 - 07:07 AM.
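The nmap result in the first post rests on how nmap names ports, so here is an added example (not from this thread, and not nmap's own code) that makes the distinction concrete: a default nmap port scan labels an open port with the name from its static nmap-services table, so "1035/tcp multidropper" records only that the port number is listed under that name in the table, not that any trojan was detected. What settles the question is the process that owns the listening socket on the host, which is what the second post found for port 1035. The script parses nmap-services formatted lines and a `netstat -ano` excerpt, both constructed here, and joins them with a constructed PID-to-image map; the port 80 and 1027 entries and the process names httpd.exe and svchost.exe are assumptions for illustration.

```python
"""Cross-check nmap's port-to-name table guess against the process that owns the port.

Added example, not from the original thread. The nmap-services, netstat and
tasklist data below are constructed to mirror the formats of the real tools.
"""
import re

# Constructed excerpt in the format of nmap's nmap-services file: name port/proto frequency
NMAP_SERVICES = """\
# service-name  port/protocol  open-frequency
iis             1027/tcp       0.000400
multidropper    1035/tcp       0.000200
http            80/tcp         0.484143
"""

# Constructed excerpt in the format of `netstat -ano` on Windows (listeners only)
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1212
  TCP    127.0.0.1:1035         0.0.0.0:0              LISTENING       3568
"""

# Constructed PID -> image name map, as `tasklist` would report it (assumed values)
TASKLIST = {1840: "httpd.exe", 1212: "svchost.exe", 3568: "javaw.exe"}


def parse_nmap_services(text):
    """Return {(port, proto): service_name} from nmap-services formatted text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


def parse_netstat_listeners(text):
    """Return {(port, proto): pid} for LISTENING sockets in `netstat -ano` output."""
    listeners = {}
    pat = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            proto, port, pid = m.group(1).lower(), int(m.group(2)), int(m.group(3))
            listeners[(port, proto)] = pid
    return listeners


def attribute_ports(services_text, netstat_text, tasklist):
    """For each listening port, pair nmap's table guess with the real owning process."""
    guesses = parse_nmap_services(services_text)
    rows = []
    for (port, proto), pid in sorted(parse_netstat_listeners(netstat_text).items()):
        rows.append({
            "port": port,
            "proto": proto,
            "nmap_guess": guesses.get((port, proto), "unknown"),
            "pid": pid,
            "process": tasklist.get(pid, "unknown"),
        })
    return rows


if __name__ == "__main__":
    for r in attribute_ports(NMAP_SERVICES, NETSTAT_OUTPUT, TASKLIST):
        print(f"{r['port']}/{r['proto']}: nmap table says '{r['nmap_guess']}', "
              f"owned by PID {r['pid']} ({r['process']})")
```

On a real machine the netstat and tasklist text would come from running those commands on the host being checked; the table lookup alone, which is all a default nmap scan reports, never identifies the software behind a port.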



#2 Leeeeeeelo


Posted 26 April 2011 - 02:25 PM

Major Update:

  • The title must be modified, because this is no multidropper trojan.
  • Port 1035 TCP is being used by some javaw.exe for some application in the program files.
Anyone ?

#3 Leeeeeeelo

Leeeeeeelo

Posted 28 April 2011 - 12:56 AM

Major Update:

It turned out to be a false positive. The topic can be closed now. Hope this will help someone one day!
