Tuesday, March 17, 2009

Trojan.Refpron is Back!!! But not for long, I hope.

Last night before I went to bed, as an afterthought almost, I ran a Malwarebytes' Anti-Malware (MBAM) quick scan, and left it to run on its own.  It takes about 12-15 minutes to run, and I have my computer set up to go into stand-by, then shut down after 30 mins of inactivity.   It's really a careless & maybe sloppy thing to do.  

I also have Windows Defender scheduled to run every day, and Norton runs in the background off and on pretty much continuously.

So this morning when I powered the computer up, there was my MBAM report - and it had found Trojan.Refpron and Backdoor.Bot, and was waiting patiently for me to look at the report.  

Another WTF moment.

Here is an excerpt from the report:

Files Infected:
C:\WINDOWS\system32\msrstart.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully

The last time I had Trojan.Refpron on my computer, my computer about bought the farm.  I don't know Refpron's relation to all that, but I do know I don't want it anywhere near me.  

So this is what I did:

  • Gave MBAM the go ahead to quarantine and delete (or maybe it just did it.  It's several hours ago now, and you know how my attention span is)
  • Checked to make sure that the Win32 service was still checked in the Data Execution Prevention section in the control panel.

This is how I did that:

  • Went to control panel
  • Clicked on Performance & Maintenance
  • Clicked on Systems
  • Selected Advanced Tab
  • Selected Settings button in Performance Box
  • Selected Data Execution Prevention Tab
  • Made sure that the button for "Turn on DEP for all services and processes except those I select" was still active
  • Made sure that the box next to Generic Host Process for Win32 Services was still selected.

The reason I did this was because last month, in conjunction with this malware, I had a terrible problem with data exception errors (syshost32.exe), and this seemed to solve that problem.  I wanted to make sure it hadn't changed.  One of these days I'll unclick that box and see if anything bad happens.   

I also looked to make sure soxpeca.exe was NOT running on my computer.  It is associated with Trojan.Refpron, and if it's running that means trouble.  I wish I had looked before the MBAM delete, but I didn't think to.   Anyway, it's not there.  At least I can't find it.
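The DEP check walked through above and the look for soxpeca.exe can both be done from a script instead of the Control Panel dialog. This is an added example, not anything from the original post: it reads the DEP policy through WMI, lists the programs excluded from DEP (where the "Generic Host Process for Win32 Services" entry would show up), looks for the two files MBAM reported, and checks whether soxpeca.exe is running. It assumes the exclusion list is stored under the AppCompatFlags\Layers registry key as values tagged "DisableNXShowUI"; run it in an elevated Windows PowerShell.

```powershell
# Added example, not code from the original post. Run as Administrator.
$os = Get-WmiObject -Class Win32_OperatingSystem

# DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (Windows programs and services only), 3 = OptOut (everything except the list).
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Host ("DEP hardware support available: {0}" -f $os.DataExecutionPrevention_Available)
Write-Host ("DEP policy: {0} ({1})" -f $policy, $policyNames[$policy])

# "Turn on DEP for all services and processes except those I select" is OptOut (3).
if ($policy -ne 3) {
    Write-Warning "DEP is not in OptOut mode; the setting described in the post has changed."
}

# Programs excluded from DEP through the Control Panel dialog.
# Assumption: stored as AppCompat layer values containing "DisableNXShowUI".
$layersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
if (Test-Path $layersKey) {
    $layers = Get-ItemProperty -Path $layersKey
    $layers.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNXShowUI' } |
        ForEach-Object { Write-Host ("DEP exclusion: {0}" -f $_.Name) }
} else {
    Write-Host "No DEP exclusion list found."
}

# The two files MBAM quarantined. If either is back, the cleanup did not stick.
$suspectFiles = @(
    "$env:SystemRoot\system32\msrstart.exe",
    "$env:SystemRoot\system32\FInstall.sys"
)
foreach ($f in $suspectFiles) {
    if (Test-Path $f) { Write-Warning "Still present: $f" } else { Write-Host "Not found: $f" }
}

# The post checks by hand that soxpeca.exe is not running; do the same check here.
$running = Get-Process -Name 'soxpeca' -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning ("soxpeca.exe is running (PID {0})" -f ($running.Id -join ', '))
} else {
    Write-Host "soxpeca.exe is not running."
}
```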

So, everything is working normally, I've seen no symptoms.  

I wish I knew where it was coming from.  And I wish I knew how it's getting past my firewall, and the virus scans of my normal virus protection software.


Anonymous said...

Good thing you caught it so quickly! Don't know where they're coming from, but it's too bad Norton and Windows Defender don't catch them - thank goodness for Malwarebytes!

Anonymous said...

Good that you wormed them out quickly!

A Valdese Blogger said...

PA: Yep, I agree.

Martin: I was only able to do it quickly this time because of the massive "learning opportunity" I had with it last month. It did go smoothly this time.

Ms. O. D. said...

still got virus even after switching to firefox and opera? :(

A Valdese Blogger said...

Ms. OD: Yep. I use Opera for dropping & blogging & Firefox for most other things now. It still popped up, but this time it was caught pretty quickly. Thanks for letting me know about Opera, btw.