Endpoint Protection


Trojan Muldrop3

Migration User, Jun 10, 2014 12:14 PM

Mick2009, Jun 11, 2014 11:27 AM

  • 1.  Trojan Muldrop3

    Posted Jun 10, 2014 11:07 AM

    Has anyone encountered this key logger trojan? I've tried many tools but cannot get rid of it.

    Thanks,

    Phil



  • 2.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 11:09 AM

    You can scan your system with the SymHelp tool; if SymHelp does not help, you can submit the file to the Symantec Security Response Team.

    Upload a suspected infected file (Retail)

    https://submit.symantec.com/websubmit/retail.cgi

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    http://www.symantec.com/business/support/index?page=content&id=TECH215519

    How to run Symantec Power Eraser with the SymHelp utility

    Article:TECH203683 | Created: 2013-03-08 | Updated: 2013-09-20 | Article URL http://www.symantec.com/docs/TECH203683


    How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)

    Article:TECH97449 | Created: 2009-01-16 | Updated: 2013-08-07 | Article URL http://www.symantec.com/docs/TECH97449

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec



  • 3.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 11:12 AM

    What tools have you tried?

    Did you submit to Symantec?

    http://www.symantec.com/security_response/submitsamples.jsp

    Upload to https://www.virustotal.com for analysis



  • 4.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 11:21 AM

    Brian,

    Tools I tried which did not even detect this trojan: Norton Security Scan, Avast, AVG, Malwarebytes and UnHackMe.



  • 5.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 11:23 AM

    Try combofix

    http://www.bleepingcomputer.com/download/combofix/



  • 6.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 11:41 AM

    Thanks Brian, I'll try that one. I also did submit this to Symantec.



  • 7.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 12:14 PM

    Brian - combofix did not remove Muldrop3



  • 8.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 12:18 PM

    So it sounds like whatever you're using is detecting it but cannot remove. What is the location of the infected file?

    Can you share any risk logs or screenshots so I can have a look?

    Have you tried removal in safemode?



  • 9.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 12:19 PM

    Hi James,

    Thanks for your response. I submitted the issue to Symantec and I tried Power Eraser which did not detect or remove Muldrop3.

    Phil



  • 10.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 12:30 PM

    Yes, I have tried multiple times in Safe Mode. The way I detect it is not via a tool; when using Firefox, Muldrop3 creates a series of folders and files under:

    C:\Users\<username>\AppData\Local\Mozilla\Firefox\Profiles\5fgg65mm.default-1400295701961

    Using IE it creates files under:

    C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IVL3QAI

    Running ComboFix created the attached log.

    Attachment: ComboFix log.txt (24 KB)
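A defender's triage of the observation above, as an added example that is not from the original thread or any Symantec tool: a small Python script (the names `inventory`, `new_since`, `summarize` and `demo` are my own) that baselines a cache directory, records which files appear after the browser is opened, and reports their count, total size, size distribution and SHA-256 hashes. The hashes are what a multi-engine scanner or a vendor submission form keys on, so they can be shared instead of uploading the files themselves. The `demo` function builds a constructed temporary tree rather than touching a real profile.

```python
# Added example (not from the thread): baseline a browser cache directory,
# record which files appear afterwards, and hash them for lookup/submission.
import hashlib
import os
import tempfile
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str     # path relative to the scanned root
    size: int     # size in bytes
    sha256: str   # hex digest; the identifier multi-engine scanners key on


def sha256_of(path):
    """Stream the file through SHA-256 so large cache entries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root):
    """Walk `root` and return {relative_path: FileRecord} for every regular file."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            records[rel] = FileRecord(rel, os.path.getsize(full), sha256_of(full))
    return records


def new_since(baseline, current):
    """Records absent from the baseline, or present with different content."""
    return [rec for rel, rec in current.items()
            if rel not in baseline or baseline[rel].sha256 != rec.sha256]


def summarize(records):
    """Count, total bytes, distinct hashes and a coarse size histogram."""
    buckets = Counter()
    for rec in records:
        if rec.size < 1024:
            buckets["<1 KiB"] += 1
        elif rec.size < 64 * 1024:
            buckets["1-64 KiB"] += 1
        else:
            buckets[">=64 KiB"] += 1
    return {
        "count": len(records),
        "bytes": sum(rec.size for rec in records),
        "distinct_hashes": len({rec.sha256 for rec in records}),
        "size_buckets": dict(buckets),
    }


def demo():
    """Constructed scenario: one pre-existing file, then three 544-byte files
    appear (the size reported later in the thread); returns summary and hashes."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "Cache")
        os.makedirs(cache)
        with open(os.path.join(cache, "old.dat"), "wb") as handle:
            handle.write(b"A" * 100)
        before = inventory(root)
        for i in range(3):
            with open(os.path.join(cache, f"new{i}.dat"), "wb") as handle:
                handle.write(b"B" * 544)
        after = inventory(root)
        fresh = new_since(before, after)
        return summarize(fresh), sorted({rec.sha256 for rec in fresh})


if __name__ == "__main__":
    summary, hashes = demo()
    print(summary)
    for digest in hashes:
        print(digest)
```

In practice you would call `inventory()` on the profile or `Content.IE5` folder once with the browser closed, open the browser, call it again, and pass both results to `new_since()`. A burst of hundreds of small files with many distinct hashes is exactly what a browser cache produces on a normal page load; a file that is worth submitting is one that is executable, persists across cache cleaning, or appears outside the cache tree, and `summarize()` separates those cases from ordinary cache churn.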


  • 11.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 12:56 PM

    James,

    I ran the Threat Analysis Scan and uploaded the output file per the instructions; it is located at:

    ftp://ftp.entsupport.symantec.com/pub/support/incoming/symhelp/PHIL-PC__2014_06_10__12_34_23_TSF.sdbz

    Attached is the zip file of 2 files to be investigated.



  • 12.  RE: Trojan Muldrop3

    Posted Jun 10, 2014 01:08 PM

    Sorry but I deleted the attached file as malware/potential malware shouldn't be uploaded here.

    However, both of the files are coming back as clean, see here:

    https://www.virustotal.com/en/file/ac1b39feb82b437bb66230cc2828bedaa3771f3a67505c1032363562d96b2f89/analysis/1402419978/

    https://www.virustotal.com/en/file/a82c7a62491bbe27582eec572beb26f18a5c2c539c61db2d271e638186a278fd/analysis/1402420027/



  • 13.  RE: Trojan Muldrop3

    Posted Jun 11, 2014 03:55 AM

    Hi caribbeandreamer,

    Feel free to PM me the tracking number for those submissions.

    https://www.virustotal.com/en/file/ac1b39feb82b437...

    https://www.virustotal.com/en/file/a82c7a62491bbe2...

    No vendor has detection for either of those and the files are tiny (544 bytes).

    The name you mention sounds like another vendor's designation: most companies have their own system for naming threats. Do you also have that other vendor's product installed on your computer? What version of SEP is installed?

    Many thanks!

    Mick



  • 14.  RE: Trojan Muldrop3

    Posted Jun 11, 2014 08:54 AM

    Hi Mick,

    The tracking # is 38401122. The name Muldrop3 is what I found on the web; here are a few examples:

    http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:MSIL/Pontoeb.J

    http://www.uninstalltips.net/remove-trojan-muldrop3-6866-how-to-remove-trojan-muldrop3-6866-effectively/

    I've gone through almost all of the supposed "fixes" but most either don't work or instruct the installation of bogus or questionable tools (e.g., Dr Web) to remove the infection.

    I tried most of the main AV/AMW tools (see thread above) including SymHelp, even in Safemode. I even uninstalled/reinstalled Firefox to no avail. Chrome & IE are also affected. I've also removed many questionable registry entries only to see them return. The source of this infection is VERY well hidden.

    On a daily basis, Muldrop3 is creating upwards of 1000+ files and up to 350Mb of space. I run Wise Disk Cleaner daily to remove them, but as soon as a browser is opened there are immediately several hundred files and up to 20 Mb.

    Any help appreciated,

    Phil



  • 15.  RE: Trojan Muldrop3

    Posted Jun 11, 2014 11:27 AM

    Thanks for the update Phil! :)



  • 16.  RE: Trojan Muldrop3

    Posted Jun 11, 2014 01:11 PM

    Mick,

    The Security Response team has closed the incident because the original file I sent them was not infected. However, I've asked them to please read the entire thread and reach out to you.

    I've been using Wise Disk Cleaner after I close each browser to scan and remove cached files in IE & Firefox. Just opening IE created almost 400 files totaling 25 Mb in the IE cache! I have them zipped; let me know if you want them uploaded somewhere.

    Thanks again,

    Phil



  • 17.  RE: Trojan Muldrop3

    Posted Jun 12, 2014 03:36 AM

    Hi Phil,

    I really recommend opening a case with Tech Support at this point. If there is malware on your machine, they can provide the professional tools and assistance necessary to track it down.

    Best of luck!

    Mick