Infected while helping :(
While searching for a solution to a problem posted here on sevenforums, I found an answer that was close to what I needed; it was on another tech forum. The only thing was, as soon as I closed the page down, I was informed by MSE that I was infected.
After a full system scan, and some 750,000 files checked, it reported to have removed 3 severe threats.
I then thought I'd check Task Manager to see if anything untoward was running, and to my surprise I was faced with several processes with an 'Installer' description. Needless to say, I immediately killed all suspect processes and deleted all temporary files from both
%systemroot%\Temp
%userprofile%\Appdata\Local\Temp
I then performed a reboot and all seemed well until the processes appeared once again, so I downloaded MalwareBytes and performed a Quick Scan and, again, I was faced with threats.
Below is a copy of the log...
Quite at a loss really, as I'm a very careful browser.

Code:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5976

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8080.16413

06/03/2011 21:25:24
mbam-log-2011-03-06 (21-25-24).txt

Scan type: Quick scan
Objects scanned: 189694
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 12
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 4524 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 6004 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> 4028 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> 6092 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 2368 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 6068 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 5692 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 4444 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> 4796 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> 5336 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> 6048 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> 5964 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\calca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\fixmapia.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\ocsetupa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\printa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\psra.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
I have one main question...
If MSE detected a threat file after closing the browser page, why did it not detect that the file was attempting to be downloaded to c:\windows\system32?
From that stems another one...
Why did it then allow other files to embed themselves into Task Manager, the Registry and my temp locations?
Is it not the job of AntiVirus & Internet Security to do exactly what their name intends? Especially as 1 of the severe threats was months old (see info below).
TrojanDownloader:Win32/Ponmocup.A
Encyclopedia entry
Updated: Nov 25, 2010 | Published: Jun 04, 2010
Alert Level: Severe
Aliases:
- Swisyn.s (McAfee)
- Trojan.Win32.Swisyn.jyb (Kaspersky)
- W32.Changeup!gen (Symantec)
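A small parser for the Malwarebytes log format quoted in the post, added here as an example and not part of the post or of Malwarebytes' own tooling. It cross-checks the header counts against the entries actually listed and picks out the autostart detections (the Run-key value and the scheduled-task .job files) that explain why the processes returned after a reboot. The sample lines are taken from the quoted log; the regexes and function names are assumptions of this example.

```python
import re
from collections import defaultdict
# Sample lines taken from the log quoted in the post above (trimmed to a few entries).
SAMPLE_LOG = r"""
Memory Processes Infected: 1
Registry Values Infected: 1
Files Infected: 3
Memory Processes Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 4524 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.
Files Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Autostart locations seen in the log: Run-key values and scheduled-task .job files.
PERSISTENCE_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\|\\Windows\\Tasks\\.*\.job$", re.I)

def parse_mbam_log(text):
    """Return (header counts per section, parsed entries per detailed section)."""
    summary, details, section = {}, defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            name, count = m.group("name", "count")
            if count is None:          # "X Infected:" opens a detailed section
                section = name
            else:                      # "X Infected: N" is a header count
                summary[name] = int(count)
            continue
        m = ENTRY_RE.match(line)
        if m and section:              # "(No malicious items detected)" never matches
            details[section].append(m.groupdict())
    return summary, dict(details)

def count_mismatches(summary, details):
    """Sections whose header count differs from the number of entries actually listed."""
    return {s: (n, len(details.get(s, []))) for s, n in summary.items()
            if n != len(details.get(s, []))}

def persistence_items(details):
    """Detections that are autostart points, i.e. why the processes came back after a reboot."""
    return [e["item"] for entries in details.values() for e in entries
            if PERSISTENCE_RE.search(e["item"])]
```

Pointing parse_mbam_log at the full log reproduces the 12/1/16 header counts and flags the Run value plus the three .job tasks as the persistence to check after cleanup.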