Last night before I went to bed, as an afterthought almost, I ran a Malwarebytes Anti-Malware (MBAM) quick scan and left it to run on its own. It takes about 12-15 minutes to run, and I have my computer set up to go into standby, then shut down after 30 minutes of inactivity. It's really a careless and maybe sloppy thing to do.
I also have Windows Defender scheduled to run every day, and Norton runs in the background off and on pretty much continuously.
So this morning when I powered the computer up, there was my MBAM report - and it had found Trojan.Refpron and Backdoor.Bot, and was waiting patiently for me to look at the report.
Another WTF moment.
Here is an excerpt from the report:
Files Infected:
C:\WINDOWS\system32\msrstart.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
The last time I had Trojan.Refpron on my computer, my computer just about bought the farm. I don't know Refpron's relation to all that, but I do know I don't want it anywhere near me.
So this is what I did:
- Gave MBAM the go-ahead to quarantine and delete (or maybe it just did it. It was several hours ago now, and you know how my attention span is).
- Checked to make sure that the Win32 service was still checked in the Data Execution Prevention section of the Control Panel.
This is how I did that:
- Went to Control Panel
- Clicked on Performance and Maintenance
- Clicked on System
- Selected the Advanced tab
- Selected the Settings button in the Performance box
- Selected the Data Execution Prevention tab
- Made sure that the button for "Turn on DEP for all services and processes except those I select" was still active
- Made sure that the box next to Generic Host Process for Win32 Services was still selected
The reason I did this was that last month, in conjunction with this malware, I had a terrible problem with data exception errors (syshost32.exe), and this seemed to solve that problem. I wanted to make sure it hadn't changed. One of these days I'll untick that box and see if anything bad happens.
I also looked to make sure soxpeca.exe was NOT running on my computer. It is associated with Trojan.Refpron, and if it's running that means trouble. I wish I had looked before the MBAM delete, but I didn't think to. Anyway, it's not there. At least I can't find it.
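The same three checks (the DEP policy, which programs are ticked on the DEP tab, and whether the named files are on disk or running) can be done from a PowerShell prompt instead of clicking through Control Panel. This is an added example, not code from the original post: it assumes PowerShell 2.0 or later with administrator rights, reads the DEP policy from the Win32_OperatingSystem WMI class (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut, where OptOut is the "all programs except those I select" setting), reads the exception list from the AppCompatFlags\Layers registry key that the DEP tab writes a DisableNXShowUI entry to, and uses the three file names from the post.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ run as
# administrator. File names come from the MBAM report and the post above.

function Get-DepStatus {
    # Win32_OperatingSystem exposes the DEP policy as a small integer.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        Available = [bool]$os.DataExecutionPrevention_Available
        Policy    = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-DepExceptions {
    # The DEP tab records each ticked program as a value named after its
    # full path, with data containing DisableNXShowUI.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path -Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNX' } |
        ForEach-Object { $_.Name }
}

function Test-Suspect([string]$name) {
    # Is the file still in system32, is it running as a process,
    # and (for a .sys) is it registered as a driver?
    $path = Join-Path -Path $env:SystemRoot -ChildPath "system32\$name"
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    New-Object PSObject -Property @{
        Name    = $name
        OnDisk  = Test-Path -Path $path
        Running = [bool](Get-Process -Name $base -ErrorAction SilentlyContinue)
        Driver  = [bool](Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$base'")
    }
}

Get-DepStatus | Format-List
'DEP exceptions:'
Get-DepExceptions
'msrstart.exe', 'FInstall.sys', 'soxpeca.exe' | ForEach-Object { Test-Suspect $_ } |
    Format-Table Name, OnDisk, Running, Driver -AutoSize
```

A Policy of OptOut matches the radio button described above, and an svchost.exe path in the exception list is what the "Generic Host Process for Win32 Services" checkbox produces; that entry means every service hosted by that svchost instance runs without DEP, so it is worth knowing it is there. Running this before letting MBAM delete anything answers the "I wish I had looked first" question, and running it again afterwards confirms the files are gone and nothing by those names is still live.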
So, everything is working normally, I've seen no symptoms.
I wish I knew where it was coming from. And I wish I knew how it's getting past my firewall, and the virus scans of my normal virus protection software.
5 comments:
Good thing you caught it so quickly! Don't know where they're coming from, but it's too bad Norton and Windows Defender don't catch them - thank goodness for Malwarebytes!
Good that you wormed them out quickly!
PA: Yep, I agree.
Martin: I was only able to do it quickly this time because of the massive "learning opportunity" I had with it last month. It did go smoothly this time.
still got virus even after switching to firefox and opera? :(
Ms. OD: Yep. I use Opera for dropping and blogging and Firefox for most other things now. It still popped up, but this time it was caught pretty quickly. Thanks for letting me know about Opera, btw.