Windows 7 Forums
Windows 7: Infected while helping :(


06 Mar 2011   #1

While searching for a solution to a problem posted here on sevenforums, I found an answer that was close to what I needed; it was on another tech forum. Only thing was, as soon as I closed the page down I was informed by MSE that I was infected.

After a full system scan, and some 750,000 files checked, it reported having removed 3 severe threats.

[Screenshot: MSE scan result (mse.png)]

I then thought I'd check Task Manager to see if anything untoward was running and, to my surprise, I was faced with several processes with an 'Installer' description. Needless to say, I immediately killed all suspect processes and deleted all temporary files from both

%systemroot%\Temp
%userprofile%\Appdata\Local\Temp

I then performed a reboot and all seemed well until the processes appeared once again, so I downloaded Malwarebytes and performed a Quick Scan and again I was faced with threats.

Below is a copy of the log...
Code:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5976
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8080.16413
06/03/2011 21:25:24
mbam-log-2011-03-06 (21-25-24).txt
Scan type: Quick scan
Objects scanned: 189694
Time elapsed: 2 minute(s), 54 second(s)
Memory Processes Infected: 12
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16
Memory Processes Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 4524 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 6004 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> 4028 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> 6092 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 2368 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 6068 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 5692 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 4444 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> 4796 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> 5336 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> 6048 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> 5964 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\calca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\fixmapia.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\ocsetupa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\printa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\psra.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Quite a loss really, as I'm a very careful browser.

I have one main question...

If MSE detected a threat file after closing the browser page, why did it not detect that the file was attempting to be downloaded to c:\windows\system32?

From that stems another one...

Why did it then allow other files to embed themselves into Task Manager, the Registry and my temp locations?

Is it not the job of antivirus and Internet security software to do exactly what their names imply? Especially as one of the severe threats was months old (see info below).


TrojanDownloader:Win32/Ponmocup.A
Encyclopedia entry
Updated: Nov 25, 2010 | Published: Jun 04, 2010

Aliases
  • Swisyn.s (McAfee)
  • Trojan.Win32.Swisyn.jyb (Kaspersky)
  • W32.Changeup!gen (Symantec)

Alert Level: Severe

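The log above is a good illustration of why killing processes and emptying %TEMP% did not stick: the droppers in the user's Temp folder were disposable, while the items that actually persisted were a Run key value named "conhost" pointing at a look-alike conhost.exe under the LocalSystem profile and three .job files in C:\Windows\Tasks. Note also the naming pattern: every Temp executable is a real Windows or OEM binary name (WinSAT, forfiles, odbcconf, klist, calc, psr...) with a single letter appended. The following is an added triage example, not code from the original post or from Malwarebytes; it parses lines in the log's own format, sorts each artifact by where it persisted, and flags executables that imitate system binary names. The sample log is constructed from a subset of the lines quoted above, and the list of legitimate executable names is my own (assembled from the log, not exhaustive).

```python
"""Triage a Malwarebytes 1.x detection log: where did the malware persist,
and which files are masquerading as Windows system binaries?"""
import ntpath
import re
from collections import defaultdict

# Constructed sample in the format of the log quoted in the post above
# (a subset of its lines); it stands in for reading the real mbam-log file.
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 4524 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 5692 -> Unloaded process successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.
Files Infected:
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: <path> (<family>) -> [<pid> | Value: <name> ->] <action>
ENTRY_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:|HKEY_[A-Z_]+)\\.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$"
)

# Stems of legitimate Windows/OEM executables that the names in the log imitate.
# Assumption: this set is ours, built from the log above; it is not exhaustive.
LEGIT_STEMS = {"winsat", "atibtmon", "klist", "forfiles", "odbcconf", "logagent",
               "calc", "fixmapi", "ocsetup", "print", "psr", "conhost", "dwm"}
# Directories where a file with one of those names is expected to live.
LEGIT_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared in."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[:-len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                            # summary counts, blanks, "(No malicious items detected)"
        parts = m.group("rest").split(" -> ")   # pid / "Value: x" come first, action is last
        entries.append({"section": section, "path": m.group("path"),
                        "family": m.group("family"), "action": parts[-1]})
    return entries


def classify_location(path):
    """Map an artifact path to the persistence role it plays."""
    p = path.lower()
    if p.startswith("hkey_") and "\\currentversion\\run\\" in p:
        return "autorun_registry"       # runs at every logon
    if "\\windows\\tasks\\" in p and p.endswith(".job"):
        return "scheduled_task"         # legacy Task Scheduler job: survives reboot, re-drops payloads
    if "\\config\\systemprofile\\" in p:
        return "systemprofile_appdata"  # LocalSystem's profile: written by code running as SYSTEM
    if "\\appdata\\local\\temp\\" in p:
        return "user_temp"              # disposable droppers; reappear while persistence survives
    return "other"


def masquerade_reason(path):
    """Why an .exe path imitates a system binary, or None if it does not."""
    p = path.lower()
    if p.startswith("hkey_") or not p.endswith(".exe"):
        return None
    stem = ntpath.basename(p)[:-4]      # ntpath handles backslash paths on any OS
    parent = ntpath.dirname(p)
    if stem in LEGIT_STEMS:
        if parent.endswith(LEGIT_DIRS):
            return None                 # the genuine binary in its expected directory
        return f"{stem}.exe outside its system directory"
    if len(stem) > 1 and stem[-1].isalpha() and stem[:-1] in LEGIT_STEMS:
        return f"{stem[:-1]}.exe with a one-letter suffix"
    return None


def triage(text):
    """Group artifacts by persistence role and list the name-masquerading executables."""
    by_location, masquerades = defaultdict(list), []
    for e in parse_mbam_log(text):
        by_location[classify_location(e["path"])].append(e["path"])
        why = masquerade_reason(e["path"])
        if why:
            masquerades.append((e["path"], why))
    return {"by_location": dict(by_location), "masquerades": masquerades}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for loc, paths in report["by_location"].items():
        print(f"{loc}: {len(paths)} item(s)")
        for path in paths:
            print("   ", path)
    print("masquerading executables:")
    for path, why in report["masquerades"]:
        print(f"    {path}  <- {why}")
```

Run against a real mbam-log file by replacing SAMPLE_LOG with its contents. Anything that lands in autorun_registry or scheduled_task is the reason a Temp clean-up does not hold: those items re-create the droppers on the next logon or trigger, so they, not the Temp files, are what to verify is gone before trusting a clean scan.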

06 Mar 2011   #2
Microsoft Community Contributor Award Recipient
Windows 7 Ult. x64 Windows 8.1 x64

Holy crap! Sorry about that... the replies will be interesting. Did you manage to clean your system?

Regards,
Golden
06 Mar 2011   #3
Microsoft Community Contributor Award Recipient
Windows 7 x64

This is why I browse with Firefox running the NoScript plugin. It's a bit problematic, but very secure if you actually know what you're doing with it.
Injections are just too easy to make...
06 Mar 2011   #4
Windows 7 Home Premium x64 SP1

Another MSE swing and miss. It's gotta be the most overrated AV on the planet. MBAM, HMP, SAS, NPE and Housecall are what I would start with, and hopefully all of those will work... Good luck, and time to rethink your antivirus!
06 Mar 2011   #5
Windows 7 Professional 64 Bit SP1

Yes it is, the Web of Trust add-on is also helpful.

Quote: Originally Posted by Maguscreed
This is why I browse with Firefox running the NoScript plugin. It's a bit problematic, but very secure if you actually know what you're doing with it.
Injections are just too easy to make...

Wow, that's one hell of an attack there, I hope you get it all cleared out.
06 Mar 2011   #6
Windows 7 Home Premium 64bit

I use WOT all the time when going to new places, along with the favorites MBAM, SAS and WinPatrol.
Yes, it is overkill, but you don't see me asking for BSOD help.
06 Mar 2011   #7
Windows 7 Professional 64 Bit SP1

Prevention (for the most part) is better than a cure. WOT really helps you avoid making a bad move.

Quote: Originally Posted by The Howling Wolves
I use WOT all the time when going to new places, along with the favorites MBAM, SAS and WinPatrol.
Yes, it is overkill, but you don't see me asking for BSOD help.
06 Mar 2011   #8
Win 7 64 premium

Greetings... 1st, there is no such thing as "safe surfing, just use your common sense" anymore. 2nd, A/Vs won't protect you like they used to anymore either. 3rd, please, for the love of Pete, download and use Sandboxie for all your surfing needs from now on. I have never ever heard of any malware being able to get past Sandboxie, so don't say you weren't warned. Oh yeah, it's good enough to use all by itself.
06 Mar 2011   #9
Main - Windows 7 Pro SP1 64-Bit; 2nd - Windows Server 2008 R2

I had a friend who died after getting infected while helping someone.

(His wife killed him.)
06 Mar 2011   #10
Windows 7 Ultimate (32 bit)

Prevention

Take the following steps to help prevent infection on your system:

  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to Web pages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.