Anna_noyed

MB captured an Exploit.Drop9 but then....

6 posts in this topic

I went to a site that I guess was poisoned, and MB popped up and stated it stopped loading the page and captured this Exploit.Drop9. Now, as I was telling MB to quarantine it, my Java popped up and left some commands on it...

If I'm allowed to post it I will... I just don't want to break rules and such, so tell me I can and I will...

Anyway, it looks like a lot of word strings ending with "Proxy = Direct".

Now, I don't surf on an admin account, so nothing can install, or shouldn't [I could be wrong]; correct me if I'm wrong. [My web-surfing account has the permissions of a child (limited) account. OS = XP]

Now, due to having had some mean, happy, scrappy redirect bug, which I fixed and cleaned [easy peasy - read my other thread], I did not have any plugins outside of Adobe stuff.

Any ideas on what it could be???

I removed Java from my browsers, and while there it looked like Microsoft Foundation wanted to be updated too in FF, which I have disabled.

Anyway, any ideas... FYI, it doesn't seem that my PC is having problems now and MBytes gave an all clear...

Should there be something to look out for??


If you're still getting redirects, then it's likely that it was able to bypass your limited account and gain admin access due to an exploit, either in your browser or in your Java plugin.

I'd highly recommend doing the following in order to get the system checked and cleaned, as it's likely, based on the symptoms you describe, that you may have a nasty rootkit on the system, which can often be difficult to safely remove without expert guidance and special tools:

Please read and follow the directions here, skipping any steps you are unable to complete. Then create a NEW topic here.

One of the expert helpers there will give you one on one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

If you prefer to be assisted via email you may contact Consumer Support and one of our support staff members will assist you directly.

Thanks :)



Thanks exile for the reply. I'll post the Java box that popped up.

What does this mean?

What is this telling me? ::::::::::::

security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.

security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws

security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws

security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy

security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy

security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp

security: property package.definition value null

security: property package.definition new value com.sun.javaws

security: property package.definition value com.sun.javaws

security: property package.definition new value com.sun.javaws,com.sun.deploy

security: property package.definition value com.sun.javaws,com.sun.deploy

security: property package.definition new value com.sun.javaws,com.sun.deploy,com.sun.jnlp

security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp

security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss

security: property package.definition value com.sun.javaws,com.sun.deploy,com.sun.jnlp

security: property package.definition new value com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss

basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@63a8af

network: Connecting hxxp://www.beipwas.c...rybMzoavb.class with proxy=DIRECT

network: Connecting hxxp://www.beipwas.com:80/ with proxy=DIRECT

Java Plug-in 10.2.0.13

Using JRE version 1.7.0_02-b13 Java HotSpot™ Client VM

User home directory = C:\Documents and Settings\SurfSafe

----------------------------------------------------

c: clear console window

f: finalize objects on finalization queue

g: garbage collect

h: display this help message

l: dump classloader list

m: print memory usage

o: trigger logging

q: hide console

r: reload policy configuration

s: dump system and deployment properties

t: dump thread list

v: dump thread stack

x: clear classloader cache

0-5: set trace level to <n>

----------------------------------------------------

network: Connecting hxxp://www.beipwas.c...rybMzoavb.class with proxy=DIRECT

network: Connecting hxxp://www.beipwas.com:80/ with proxy=DIRECT

basic: Applet loaded.

basic: Applet resized and added to parent container

basic: PERF: AppletExecutionRunnable - applet.init() BEGIN ; jvmLaunch dt 3049243 us, pluginInit dt 4860685 us, TotalTime: 7909928 us

network: Connecting hxxp://www.beipwas.c...twgpXrepz.class with proxy=DIRECT

network: Connecting hxxp://www.beipwas.com:80/ with proxy=DIRECT

network: Connecting hxxp://www.beipwas.com/053/217.php with proxy=DIRECT

network: Connecting hxxp://www.beipwas.com:80/ with proxy=DIRECT

basic: Applet initialized

basic: Starting applet

basic: completed perf rollup

basic: Applet made visible

basic: Applet started

basic: Told clients applet is started

::::::::::::::::::::::::::::::::::::::::::::::

Is that anything I should worry about? What is this telling me???

How is this connected to that Exploit.Drop9?????

Thanks in advance

Edited by MysteryFCM
Disabled exploit URLs
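As an added example, not code from the thread or from Malwarebytes: a small Python script that triages Java Plug-in console output in the format pasted above. It pulls out the "network: Connecting ... with proxy=..." lines, groups the requests by host, and flags the pattern the pasted trace shows: .class files fetched from a host the user never navigated to, then a server-side script requested from that same host while the applet is running. The sample lines are constructed in the same format with hypothetical hosts and paths (the class URLs in the thread are truncated, so they are not reproduced); www.visited-site.invalid stands in for whatever page the poster actually opened, and www.example.invalid for the host that served the applet.

```python
"""Triage a Java Plug-in console trace (added example, not the thread's code).

Pulls the "network: Connecting <url> with proxy=<mode>" lines out of the
trace, groups the requests by host and flags the drive-by pattern visible in
the pasted log: .class files fetched from a host the user did not navigate to,
then a server-side script requested from that same host while the applet runs.
"""
import re
from collections import OrderedDict
from urllib.parse import urlparse

CONNECT_RE = re.compile(r"^network: Connecting (\S+) with proxy=(\S+)$")
JRE_RE = re.compile(r"^Using JRE version (\S+)")
PLUGIN_RE = re.compile(r"^Java Plug-in (\S+)")
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi")

# Constructed sample in the same format as the console output pasted above.
# Hosts and paths are hypothetical: www.visited-site.invalid stands in for the
# page the poster opened, www.example.invalid for the host serving the applet.
SAMPLE_TRACE = """\
security: property package.access value sun.,com.sun.xml.internal.ws.
basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@63a8af
network: Connecting hxxp://www.visited-site.invalid/index.html with proxy=DIRECT
network: Connecting hxxp://www.example.invalid/a1b2c3.class with proxy=DIRECT
network: Connecting hxxp://www.example.invalid:80/ with proxy=DIRECT
Java Plug-in 10.2.0.13
Using JRE version 1.7.0_02-b13 Java HotSpot(TM) Client VM
basic: Applet loaded.
network: Connecting hxxp://www.example.invalid/d4e5f6.class with proxy=DIRECT
network: Connecting hxxp://www.example.invalid/load.php with proxy=DIRECT
basic: Applet initialized
basic: Applet started
"""


def refang(url):
    """The forum defangs URLs to hxxp://; undo that only so urlparse can split them."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def parse_trace(text):
    """Return JRE/plugin versions, the ordered connections and whether the applet ran."""
    report = {"jre_version": None, "plugin_version": None,
              "connections": [], "applet_started": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:
            url, proxy = m.groups()
            parts = urlparse(refang(url))
            report["connections"].append({
                "host": (parts.hostname or "").lower(),
                "path": parts.path or "/",
                "proxy": proxy,
                "url": url,  # kept defanged for the report
            })
            continue
        m = JRE_RE.match(line)
        if m:
            report["jre_version"] = m.group(1)
            continue
        m = PLUGIN_RE.match(line)
        if m:
            report["plugin_version"] = m.group(1)
            continue
        if line == "basic: Applet started":
            report["applet_started"] = True
    return report


def by_host(report):
    """Request paths per host, in the order the plug-in made them."""
    hosts = OrderedDict()
    for c in report["connections"]:
        hosts.setdefault(c["host"], []).append(c["path"])
    return hosts


def assess(report, expected_hosts=()):
    """Findings as plain strings; expected_hosts are the sites the user meant to open."""
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for host, paths in by_host(report).items():
        classes = [p for p in paths if p.lower().endswith(".class")]
        if not classes:
            continue
        if host not in expected:
            findings.append("%s: %d .class file(s) fetched from a host that is not "
                            "the page you navigated to" % (host, len(classes)))
        after_first_class = paths[paths.index(classes[0]) + 1:]
        scripts = [p for p in after_first_class if p.lower().endswith(SCRIPT_EXT)]
        if scripts:
            findings.append("%s: server-side script requested after the applet "
                            "class loaded: %s" % (host, ", ".join(scripts)))
    if report["applet_started"]:
        findings.append("the applet reached 'Applet started', so its code ran "
                        "in the browser (JRE %s, plug-in %s)"
                        % (report["jre_version"], report["plugin_version"]))
    return findings


if __name__ == "__main__":
    for line in assess(parse_trace(SAMPLE_TRACE),
                       expected_hosts=("www.visited-site.invalid",)):
        print(line)
```

Paste a real console dump into SAMPLE_TRACE (or read it from a file) and pass the site you actually opened as expected_hosts; anything that serves .class files and is not on that list is worth handing to the malware-removal forum along with the trace. The script only reports what the trace records; it cannot tell whether the applet's exploit succeeded, which is why the staff advice above to get the system checked still applies.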


I'm honestly not sure to tell you the truth. I'm not familiar with Java code myself.

I will ask one of our Research team members to take a look for you though.


OK, after taking a look, the researcher did indeed confirm that the above Java code is malicious.

Do you happen to know what site you were visiting when this happened?


Also, the researcher has suggested that even though it does appear that your system is clean, you should probably get checked anyway just to make certain you aren't infected.

To do so, please follow the instructions I posted here.
