Last night before I went to bed, as an afterthought almost, I ran a Malwarebytes' Anti-Malware (MBAM) quick scan, and left it to run on its own. It takes about 12-15 minutes to run, and I have my computer set up to go into stand-by, then shut down after 30 mins of inactivity. It's really a careless & maybe sloppy thing to do.
I also have Windows Defender scheduled to run every day, and Norton runs in the background off and on pretty much continuously.
So this morning when I powered the computer up, there was my MBAM report - and it had found Trojan.Refpron and Backdoor.Bot, and was waiting patiently for me to look at the report.
Another WTF moment.
Here is an excerpt from the report:
C:\WINDOWS\system32\msrstart.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
The last time I had Trojan.Refpron on my computer, my computer about bought the farm. I don't know Refpron's relation to all that, but I do know I don't want it anywhere near me.
So this is what I did:
- Gave MBAM the go ahead to quarantine and delete (or maybe it just did it. It's several hours ago now, and you know how my attention span is)
- Checked to make sure that the Win32 service was still checked in the Data Execution Prevention section in the control panel.
This is how I did that:
- Went to control panel
- Clicked on Performance & Maintenance
- Clicked on Systems
- Selected Advanced Tab
- Selected Settings button in Performance Box
- Selected Data Execution Prevention Tab
- Made sure that button for "Turn on DEP for all services and processes except those I select" was still active
- Made sure that the box next to Generic Host Process for Win32 Services was still selected.
The reason I did this was because last month, in conjunction with this malware, I had a terrible problem with data exception errors (syshost32.exe), and this seemed to solve that problem. I wanted to make sure it hadn't changed. One of these days I'll unclick that box and see if anything bad happens.
I also looked to make sure soxpeca.exe was NOT running on my computer. It is associated with Trojan.Refpron, and if it's running that means trouble. I wish I had looked before the MBAM delete, but I didn't think to. Anyway, it's not there. At least I can't find it.
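The DEP check walked through above and the look for soxpeca.exe can be done from a script instead of the Control Panel. This is an added example, not something from the original post; it assumes a Windows version with PowerShell 3 or later (the post's XP-era machine would need Get-WmiObject instead of Get-CimInstance), and the process and file names it checks are only the ones the post itself mentions.

```powershell
# Added example: verify the DEP mode from the post, then confirm the
# processes and files it names are gone. Not the author's own script.

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
# OptOut is the "Turn on DEP for all services and processes except
# those I select" radio button from the Control Panel steps above.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"DEP available : $($os.DataExecutionPrevention_Available)"
"DEP policy    : $policy ($($policyNames[$policy]))"
if ($policy -ne 3) {
    Write-Warning 'DEP is not in OptOut mode (all processes except those I select).'
}

# Process names taken from the post (soxpeca.exe, msrstart.exe, syshost32.exe).
# Get-Process takes the name without the .exe extension.
$suspectProcesses = @('soxpeca', 'msrstart', 'syshost32')
foreach ($name in $suspectProcesses) {
    $running = Get-Process -Name $name -ErrorAction SilentlyContinue
    if ($running) {
        Write-Warning "$name.exe is running (PID $($running.Id -join ', '))"
    } else {
        "$name.exe : not running"
    }
}

# Files MBAM reported as quarantined; confirm they did not come back.
$suspectFiles = @(
    (Join-Path $env:SystemRoot 'system32\msrstart.exe'),
    (Join-Path $env:SystemRoot 'system32\FInstall.sys')
)
foreach ($path in $suspectFiles) {
    if (Test-Path -LiteralPath $path) {
        Write-Warning "$path is present again"
    } else {
        "$path : absent"
    }
}
```

Run it from an elevated PowerShell prompt; a process that is running again or a file that has reappeared after the quarantine is the sign that the infection is re-establishing itself.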
So, everything is working normally, I've seen no symptoms.
I wish I knew where it was coming from. And I wish I knew how it's getting past my firewall, and the virus scans of my normal virus protection software.