
exploit.drop.3 plus other malware


1 reply to this topic

#1 dr_matrix

Posted 11 January 2012 - 10:12 PM

EDIT: Moved from XP to Am I Infected.
I picked up malware/virus from watching an online college basketball game.

A message started telling me that I had a virus and that I needed to download some phony virus scanner to stop it. I downloaded Malwarebytes and ran a scan. It removed a number of infected files. I then ran Microsoft Security Essentials and it found a few more files. I kept getting critical errors with DLLs, so I ran Uniblue RegistryBooster. I'm not sure what this did.

I thought things were better but I still have serious problems. My symptoms include:
* Wireless network card seems to drop the signal and then pick it back up again. However, I don't seem to lose connectivity.
* Fan on my computer will all of a sudden fire up on high but then will slow back down after a while.
* Computer lags during this time.
* When I start the computer, after the desktop appears it takes about 10 minutes before I can do anything.
* When I go to a website, sometimes another site is opened instead (here is an example URL - http://9newstoday.net/hoj/hoj/index.html).
* Malwarebytes keeps blocking connections, although it seems to have stopped.
* Occasionally Malwarebytes quarantines a file. It mentions "exploit.drop.3" as well as a number of others.
* I tried to run the DDS script by double-clicking and I get nothing. When I try to run it from the command line I see a brief black box, but then nothing. I have tried to restart, but it doesn't help.
* I run Gmer and it says that there is a problem. I uncheck "IAT/EAT" and "D:/" (system files are on C:), and "show all" is not checked.
* Gmer starts to run but then crashes after a few minutes. I have included the log created before it crashes.

Ughh!!! Please help!


I have included the Malwarebytes logs from the last few days at the bottom of the post.

I am running Windows XP with SP3.
I am using Firefox 9.0.1, although I might have been using a previous version when I was infected.



2012/01/10 14:21:07 -0600 DETECTION C:\WINDOWS\Temp\tue0.13854448580674306.exe Spyware.Agent QUARANTINE
2012/01/10 14:21:08 -0600 DETECTION C:\WINDOWS\Temp\oiu0.36497560343934954.exe Spyware.Agent QUARANTINE
2012/01/10 17:32:01 -0600 MESSAGE Executing scheduled update: Daily
2012/01/10 17:32:11 -0600 MESSAGE Scheduled update executed successfully: database updated from version v2012.01.08.04 to version v2012.01.10.06
2012/01/10 17:32:11 -0600 MESSAGE Starting database refresh
2012/01/10 17:32:11 -0600 MESSAGE Stopping IP protection
2012/01/10 17:32:11 -0600 MESSAGE IP Protection stopped
2012/01/10 17:32:14 -0600 MESSAGE Database refreshed successfully
2012/01/10 17:32:14 -0600 MESSAGE Starting IP protection
2012/01/10 17:32:16 -0600 MESSAGE IP Protection started successfully
2012/01/10 17:42:29 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:32 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:38 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:50 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:42:53 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:42:59 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:43:11 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:43:14 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:43:20 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:43:31 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:43:34 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:43:40 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:43:52 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:43:55 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:44:01 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:44:13 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 17:44:16 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 17:44:22 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 17:44:34 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:44:37 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:44:43 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:44:52 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:44:55 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:45:01 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:45:13 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:45:16 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:45:22 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:45:34 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:45:37 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:45:43 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 17:45:52 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:45:55 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 17:46:01 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:13:29 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:13:33 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:13:39 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:13:51 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:13:54 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:13:59 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:14:12 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:14:15 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:14:20 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:14:32 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:14:35 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:14:41 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:14:53 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:14:56 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:15:02 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:15:14 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 18:15:17 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 18:15:23 -0600 IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/01/10 18:15:35 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:15:38 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:15:44 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:15:53 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:15:56 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:16:02 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 18:16:14 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:16:17 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:16:23 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:16:44 -0600 IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:16:47 -0600 (null) IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:16:54 -0600 (null) IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/10 18:17:02 -0600 (null) IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:17:05 -0600 (null) IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 21:28:27 -0600 MESSAGE Starting protection
2012/01/10 21:28:46 -0600 MESSAGE Protection started successfully
2012/01/10 21:28:49 -0600 MESSAGE Starting IP protection
2012/01/10 21:36:50 -0600 MESSAGE IP Protection started successfully
2012/01/10 22:50:07 -0600 MESSAGE Starting protection
2012/01/10 22:50:25 -0600 MESSAGE Protection started successfully
2012/01/10 22:50:28 -0600 MESSAGE Starting IP protection
2012/01/10 22:58:30 -0600 MESSAGE IP Protection started successfully


2012/01/11 09:54:16 -0600 DETECTION C:\WINDOWS\Temp\tue0.6510460565748282.exe Rogue.FakeHDD QUARANTINE
2012/01/11 09:54:17 -0600 DETECTION C:\WINDOWS\Temp\oiu0.08497246974876727.exe Spyware.Agent QUARANTINE
2012/01/11 17:46:20 -0600 MESSAGE Starting protection
2012/01/11 17:46:36 -0600 MESSAGE Protection started successfully
2012/01/11 17:46:39 -0600 MESSAGE Starting IP protection
2012/01/11 17:50:43 -0600 MESSAGE IP Protection started successfully
2012/01/11 18:04:49 -0600 DETECTION C:\WINDOWS\Temp\p9pl9213865069381759345.tmp Exploit.Drop.3P QUARANTINE


First Gmer output:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-11 21:04:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9200420ASG rev.3.ADD
Running: gmer.exe; Driver: C:\DOCUME~1\TYLERL~1\LOCALS~1\Temp\agtyykog.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3160

---- EOF - GMER 1.0.15 ----



Gmer script before it crashes. I have run this three times now and it crashes in the same spot.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-11 20:54:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TYLERL~1\LOCALS~1\Temp\agtyykog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB902A360, 0x349367, 0xE8000020]
.text afd.sys B755F001 103 Bytes [B7, 6A, 00, FF, 73, 0C, FF, ...]
.text afd.sys B755F069 6 Bytes [EB, 45, C7, 45, E4, 0D]
.text afd.sys B755F070 20 Bytes [00, C0, EB, 21, 90, 90, 90, ...]
.text afd.sys B755F085 124 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
.text afd.sys B755F102 146 Bytes [01, 00, 00, 83, 65, FC, 00, ...]
.text ...
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[608] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 026C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[608] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0271000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[608] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 026B000C
.text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1168] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 1 Byte [C3]
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0215000A
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0216000A
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0214000C

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Edited by boopme, 11 January 2012 - 10:21 PM.
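A small triage script for the Malwarebytes protection log posted above (an added example, not from the original post or from Malwarebytes). It parses the DETECTION / IP-BLOCK / MESSAGE line format, groups outbound blocks per IP with the shortest repeat interval (tight, regular repeats to the same few addresses indicate a component that is still running and beaconing), and groups detections by folder (repeated hits only in `C:\WINDOWS\Temp` suggest a dropper that keeps re-creating payloads rather than the payloads themselves being the root). The sample lines are constructed from entries in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Malwarebytes protection-log format shown in the post above.
SAMPLE_LOG = """\
2012/01/10 14:21:07 -0600 DETECTION C:\\WINDOWS\\Temp\\tue0.13854448580674306.exe Spyware.Agent QUARANTINE
2012/01/10 17:42:29 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:32 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:38 -0600 IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/01/10 17:42:50 -0600 IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/01/10 18:16:47 -0600 (null) IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/01/11 18:04:49 -0600 DETECTION C:\\WINDOWS\\Temp\\p9pl9213865069381759345.tmp Exploit.Drop.3P QUARANTINE
"""

# Timestamp, UTC offset, optional "(null)" marker (seen in the post), event kind, remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [-+]\d{4} (?:\(null\) )?"
    r"(?P<kind>DETECTION|IP-BLOCK|MESSAGE) (?P<rest>.*)$"
)

def parse_log(text):
    """Yield (timestamp, kind, rest) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["kind"], m["rest"]

def summarize(text):
    """Return (per-IP block stats, detections grouped by lower-cased folder)."""
    blocks = defaultdict(list)
    detections = defaultdict(list)
    for ts, kind, rest in parse_log(text):
        if kind == "IP-BLOCK":
            blocks[rest.split()[0]].append(ts)
        elif kind == "DETECTION":
            path, threat, action = rest.rsplit(" ", 2)   # threat/action never contain spaces
            detections[path.rsplit("\\", 1)[0].lower()].append((threat, action))
    ip_report = {}
    for ip, times in blocks.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        ip_report[ip] = {"count": len(times), "min_gap_s": min(gaps) if gaps else None}
    return ip_report, dict(detections)

if __name__ == "__main__":
    ips, dets = summarize(SAMPLE_LOG)
    for ip, info in sorted(ips.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} blocked {info['count']}x, shortest repeat {info['min_gap_s']}s")
    for folder, items in dets.items():
        print(f"{folder}: {len(items)} detection(s), threats {sorted({t for t, _ in items})}")
```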


#2 Broni

Posted 11 January 2012 - 11:47 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
