Multiple Exploit.Drop.3p detection

Hello,

After conducting my weekly scan of Malwarebytes, a full scan found four detections of a malware (?). The following is the log from the full scan:

"Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.11.14

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Eric :: ERIC-PC [administrator]

1/11/2013 4:35:37 PM

mbam-log-2013-01-11 (16-35-37).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 338383

Time elapsed: 20 minute(s), 12 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\Users\Eric\AppData\Local\Temp\i4b1531516455917632659.tmp (Exploit.Drop.3P) -> Quarantined and deleted successfully.

C:\Users\Eric\AppData\Local\Temp\i4b6494933294504545606.tmp (Exploit.Drop.3P) -> Quarantined and deleted successfully.

C:\Users\Eric\AppData\Local\Temp\i4b6614693329097637048.tmp (Exploit.Drop.3P) -> Quarantined and deleted successfully.

C:\Users\Eric\AppData\Local\Temp\i4b6746732887919696758.tmp (Exploit.Drop.3P) -> Quarantined and deleted successfully.

(end)"

After receiving this report, I was given the prompt of moving the files into quarantine, and they were subsequently deleted. I followed up by going to the quarantine tab and clicking on 'Delete All.' It should also be noted that I previously scanned with Avira anti-virus with no detections.

This was then followed by completing two additional full scans throughout today. The respective reports indicated that there were no detections, but I would like some guidance in determining if I am safe or compromised, and/or if there are additional steps needed in order to remove this malicious software/malware.

I've looked into this prior to posting and very little information is available regarding this particular detection. The only conclusions I can come to regarding what I found are that it is either: a) a false positive or b) caused by visiting a specific website.

If possible, any help would be appreciated.

Thanks.

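As an added example (not part of the thread and not Malwarebytes code), a small parser for the Malwarebytes Anti-Malware 1.x log layout quoted above: it pulls out the header fields and each detection line, checks that the number of object lines under a section matches the count in the section header (a truncated paste shows up as a mismatch), and lists detections whose recorded action is anything other than "Quarantined and deleted successfully", since only that action means the object is actually gone. The sample log, paths and regular expressions are constructed from the format visible in the post.

```python
import re
from collections import namedtuple

# Constructed sample in the Malwarebytes Anti-Malware 1.x log layout; the
# paths and names are made up for this example, not taken from the thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.70.0.1100
Database version: v2013.01.11.14
Scan type: Full scan (C:\|D:\|)
Objects scanned: 338383

Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\user\AppData\Local\Temp\i4b0000000000000000001.tmp (Exploit.Drop.3P) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Local\Temp\example.tmp (Exploit.Drop.3P) -> No action taken.
(end)
"""

FIELD_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")      # e.g. "Files Detected: 4"
DETECTION_RE = re.compile(r"^(.*) \(([^()]+)\) -> (.+?)\.?$")    # object (Name) -> action.
REMOVED = {"Quarantined and deleted successfully"}  # the only action meaning "gone"

# section: "Files", "Registry Keys", ...; obj: path or registry object
Detection = namedtuple("Detection", "section obj name action")

def parse_mbam_log(text):
    """Return (header fields, detections, sections whose count != lines seen)."""
    fields, detections, mismatches = {}, [], {}
    section, expected, seen = None, 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        if m := FIELD_RE.match(line):
            fields[m.group(1)] = m.group(2)
        elif m := SECTION_RE.match(line):
            if section is not None and seen != expected:
                mismatches[section] = (expected, seen)
            section, expected, seen = m.group(1), int(m.group(2)), 0
        elif section and (m := DETECTION_RE.match(line)):
            detections.append(Detection(section, *m.groups()))
            seen += 1
    if section is not None and seen != expected:   # close the last section
        mismatches[section] = (expected, seen)
    return fields, detections, mismatches

def not_removed(detections):
    """Detections whose recorded action does not mean the object is gone."""
    return [d for d in detections if d.action not in REMOVED]
```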

Hello santori and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

At first look, your database version is very old.

Please follow the instructions here and post the log files from DDS:

http://forums.malwarebytes.org/index.php?showtopic=9573


Hello Maniac,

Thank you for your response.

In regards to the database version, I believe the scan was completed two days ago. My current version is: "v2013.01.13.06" - or are you referring to a different database? I should preface that I'm not that great at computers so I hope I can follow along.

I disconnected my ethernet access and left my Avira anti-virus on. When double-clicking on the dds.scr I clicked once on the desktop to remove the highlighting on the icon as the process was running. Please let me know if I need to re-do this process. However, if not, the logs that were found after the process was completed are included in the attachments below.

Please advise when you can,

Thanks.

dds.txt

attach.txt


Turn on your internet connection again.

Step 1

Please uninstall this application: Vuze

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log


Hello again,

Here is the Malwarebytes Anti-Malware log of a quick scan (please note that when the scan was complete, there was no prompt or checklist following the notification that there were no detections):

"Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.13.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Eric :: ERIC-PC [administrator]

1/13/2013 1:49:26 PM

mbam-log-2013-01-13 (13-49-26).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 228369

Time elapsed: 1 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)"

The DDS logs are attached below. Just to note, after the initial detection two days ago, there have been no prompts after scanning with Malwarebytes (full or quick scan alike) to 'Remove Selected,' or to restart.

Thanks for your time.

dds.txt

attach.txt


Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Just to confirm before I begin the process, Internet Explorer is giving me a prompt on the bottom of the second window when I click Start on the ESET website.

I tried clicking install and Windows gives me a UAC prompt before installing.

A screenshot of the prompt is attached below. Should I click install or right-click in the white space and install ActiveX that way?

post-124915-0-52797100-1358105392.png


For the computer scan settings, the 'Enable Anti-Stealth technology' box is checked, should I leave it as it is? Other than that, the 'Scan archives,' 'Scan for potentially unsafe applications,' and 'Use custom proxy settings' boxes are unchecked.

ESET also detected my Avira Anti-virus, may I leave it on or would it be best to stop the program before continuing?

I'll begin once confirmed.

Thanks.


No, you should use Normal mode.

To disable Avira: Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.

Right-click it -> untick the option AntiVir Guard enable.

You should now see a closed, white umbrella on a red background.


The scan has finished, first, here's the results from the window that conducted the scan:

No threats found.

Scanned Files: 120269

Infected Files: 0

Cleaned Files: 0

Total scan time: 00:20:32

Scan status: Finished

There's also the option to uninstall the application upon closing the window. Should I opt to or not?

Here is the log.txt - seems a bit on the small side though:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK


I haven't noticed any hiccups even before knowing that I had an infection. The only oddity (not sure if this is even related) was Windows 7 aero reverted back to basic for a couple minutes while CPU usage was hovering around 100% (about 15 hours ago).

Would you happen to know what the infection was in the first place? What does it do?


I haven't noticed any hiccups even before knowing that I had an infection. The only oddity (not sure if this is even related) was Windows 7 aero reverted back to basic for a couple minutes while CPU usage was hovering around 100% (about 15 hours ago).

No, I don't think it is malware related.

Would you happen to know what the infection was in the first place? What does it do?

I wouldn't tell you any specific details, because all I know is this from the log file, with which you started this thread.

Looks good. If you have any further problems, please let me know.

You could uninstall ESET Online Scanner and manually delete DDS.

I suggest you take a look at these malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html


Thanks for your help throughout this process,

Would you conclude that my computer is not infected at this point in time then? I ask because I've been avoiding logging into sensitive accounts as well as backing up my HDD. Based on the reports, do you think my external hard drive would get infected by this?

Lastly, will uninstalling ESET Online Scanner through the Control Panel fully uninstall the program? And by manually deleting DDS, you just mean dragging it into the Recycle Bin?

Again, thank you for your time!


Would you conclude that my computer is not infected at this point in time then? I ask because I've been avoiding logging into sensitive accounts as well as backing up my HDD. Based on the reports, do you think my external hard drive would get infected by this?

This is what these log files show, so... yes. If you want to be sure, change all of your passwords.

Lastly, will uninstalling ESET Online Scanner through the Control Panel fully uninstall the program? And by manually deleting DDS, you just mean dragging it into the Recycle Bin?

Yes, that's right.

Glad I could help! :)


Just had a quick follow-up question,

I've gone through the process of changing passwords for most of my accounts (primarily targeting accounts I've used since the infection). Would you suggest changing the passwords for accounts that I have not used for a while (i.e. month or so)?


When Malwarebytes quarantined the files, is it safe to delete them afterwards (by going into MWB > selecting quarantine tab > and clicking on 'Delete All')? Would this have any detrimental effect on isolating those infected files? I did this, so I'm wondering if there will be any repercussions.

And lastly, in the event of this occurring again, would you suggest that I quarantine > delete infected temp. files > prepare DDS files and scan with ESET Online Scanner before starting a new thread?

Thanks for your continued assistance, I appreciate it!


When Malwarebytes quarantined the files, is it safe to delete them afterwards (by going into MWB > selecting quarantine tab > and clicking on 'Delete All')? Would this have any detrimental effect on isolating those infected files? I did this, so I'm wondering if there will be any repercussions.

There is no problem at all. This is your decision and will not adversely affect your system.

And lastly, in the event of this occurring again, would you suggest that I quarantine > delete infected temp. files > prepare DDS files and scan with ESET Online Scanner before starting a new thread?

My suggestion is: If you have any kind of problem, start with this thread:

http://forums.malwarebytes.org/index.php?showtopic=9573

Explain your problem as best you can, give maximum information and the log files from the link. That's all you need to do.


Okay, sounds good.

The only other concern I have is regarding backing up my HDD. Since there does not seem to be an infection anymore (no detection from a full scan today) and files have been subsequently quarantined and deleted (from first detection), there should be no risk of transferring anything malicious/compromising to my external hard drive, correct? The last thing I'd like to deal with is transferring files back onto my desktop and dealing with an infection.
