Tuesday, March 17, 2009

Trojan.Refpron is Back!!! But not for long, I hope.

Last night before I went to bed, as an afterthought almost, I ran a Malwarebytes' Anti-Malware (MBAM) quick scan, and left it to run on its own.  It takes about 12-15 minutes to run, and I have my computer set up to go into stand-by, then shut down after 30 mins of inactivity.   It's really a careless & maybe sloppy thing to do.  

I also have Windows defender scheduled to run everyday, and Norton runs in the background off an on pretty much continuously.

So this morning when I powered the computer up, there was my MBAM report - and it had found Trojan.Refpron and Backdoor.Bot, and was waiting patiently for me to look at the report.  

Another WTF moment.

Here is an excerpt from the report:

Files Infected:
C:\WINDOWS\system32\msrstart.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully

The last time I had Trojan.Refpron on my computer, my computer about bought the farm.  I don't know Refpron's relation to all that, but I do know I dont want it anywhere near me.  

So this is what I did:

  • Gave MBAM the go ahead to quarantine and delete (or maybe it just did it.  It's several hours ago now, and you know how my attention span is)
  • Checked to make sure that the Win32 service was still checked in the Data Execution Prevention section in the control panel.

This is how I did that:

  • Went to control panel
  • Clicked on Performance & Maintenance
  • Clicked on Systems
  • Selected Advanced Tab
  • Selected Settings button in Performance Box
  • Selected Data Execution Prevention Tab
  • Made sure that button for "Turn on DEP for all services and processes except those I select" was still active
  • Made sure that the box next to Generic Host Process for Win32 Services was still selected.

The reason I did this was because last month, in conjunction with this malware, I had a terrible problem with data exception errors (syshost32.exe), and this seemed to solve that problem.  I wanted to make sure it hadn't changed.  One of these days I'll unclick that box and see if anything bad happens.   

I also looked to make sure soxpeca.exe was NOT running on my computer.  It is associated with Trojan.Refpron, and if it's running that means trouble.  I wish I had looked before the MBAM delete, but I didnt think to.   Anyway, it's not there.  At least I can't find it.

So, everything is working normally, I've seen no symptoms.  

I wish I knew where it was coming from.  And I wish I knew how it's getting past my firewall, and the virus scans of my normal virus protection software.



5 comments:

Patti Anne said...

Good thing you caught it so quickly! Don't know where they're coming from, but it's too bad Norton and Windows Defender don't catch them - thank goodness for Malwarebytes!

Martin In Bulgaria said...

Good that you wormed them out quickly!c

A Valdese Blogger said...

PA: Yep, I agree.

Martin: I was only able to do it quickly this time because of the massive "learning opportunity" I had with it last month. It did go smoothly this time.

Ms. O. D. said...

still got virus even after switching to firefox and opera? :(

A Valdese Blogger said...

Ms. OD: Yep. I use Opera for dropping & blogging & Fire fox for most other things now. It still popped up, but this time it was caught pretty quikly. Thanks for letting me know about Opera, btw.