Infected while helping :(


  1. Posts : 6,305
    Windows 7 Ultimate x64
       #1

    Infected while helping :(


    While searching for a solution to a problem posted here on sevenforums, I found an answer that was close to what I needed; it was on another tech forum. The only thing was, as soon as I closed the page down I was informed by MSE that I was infected.

    After a full system scan, and some 750,000 files checked, it reported having removed 3 severe threats.

    [Attachment: mse.png (MSE detection screenshot)]

    I then thought I'd check Task Manager to see if anything untoward was running and, to my surprise, I was faced with several processes with an 'Installer' description. Needless to say I immediately killed all suspect processes and deleted all temporary files from both

    %systemroot%\Temp
    %userprofile%\Appdata\Local\Temp

    I then performed a reboot and all seemed well until the processes appeared once again, so I downloaded MalwareBytes and performed a Quick Scan and again I was faced with threats.

    Below is a copy of the log...
    Code:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5976
    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8080.16413
    06/03/2011 21:25:24
    mbam-log-2011-03-06 (21-25-24).txt
    Scan type: Quick scan
    Objects scanned: 189694
    Time elapsed: 2 minute(s), 54 second(s)
    Memory Processes Infected: 12
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 16
    Memory Processes Infected:
    c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 4524 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 6004 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> 4028 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> 6092 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 2368 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 6068 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 5692 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 4444 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> 4796 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> 5336 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> 6048 -> Unloaded process successfully.
    c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> 5964 -> Unloaded process successfully.
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\calca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\fixmapia.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\ocsetupa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\printa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Jeff\AppData\Local\Temp\psra.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    Quite a loss really, as I'm a very careful browser.

    I have one main question...

    If MSE detected a threat file after closing the browser page why did it not detect that the file was attempting to be downloaded to c:\windows\system32?

    From that stems another one...

    Why did it then allow other files to embed themselves into Task Manager, the Registry and my temp locations?

    Is it not the job of AntiVirus & Internet Security to do exactly what their name intends? Especially as 1 of the severe threats was months old (see info below).


    TrojanDownloader:Win32/Ponmocup.A

    Encyclopedia entry
    Updated: Nov 25, 2010 | Published: Jun 04, 2010

    Aliases
    • Swisyn.s (McAfee)
    • Trojan.Win32.Swisyn.jyb (Kaspersky)
    • W32.Changeup!gen (Symantec)

    Alert Level: Severe
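    The log above records four distinct kinds of artefact that the cleanup touched: executables running from the user's Local\Temp folder, an autorun value under HKLM\...\CurrentVersion\Run, files dropped under the SYSTEM profile's AppData, and .job files in C:\Windows\Tasks. When deciding whether a machine was really cleaned, the persistence entries (the Run value and the scheduled tasks) matter more than the temp files, because they are what brings the processes back after a reboot. The following Python script is an added example, not part of the post and not Malwarebytes' own tooling: it parses the 1.50-era MBAM log layout quoted above and groups the findings by mechanism. The sample log is a constructed excerpt reusing paths from the post; the bucket names and helper functions are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the Malwarebytes 1.50 log quoted in the post.
# Paths are taken from the post; the summary counts are trimmed to the entries kept here.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Scan type: Quick scan
Memory Processes Infected: 2
Registry Values Infected: 1
Files Infected: 4
Memory Processes Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 4524 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 2368 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.
Files Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# A detail section header is the bare "<name> Infected:" line; the summary lines near the
# top of the log carry a trailing count and therefore do not match this pattern.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
# Each detail entry is "<target> (<detection family>) -> <field> [-> <field> ...]".
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return {section: [entry, ...]} for every detail section that has findings.

    Each entry is a dict with target, family, pid (memory-process entries only) and action.
    """
    results = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        fields = [f.strip() for f in entry.group("rest").split("->")]
        pid = int(fields[0]) if section == "Memory Processes" and fields[0].isdigit() else None
        results[section].append({
            "target": entry.group("target"),
            "family": entry.group("family"),
            "pid": pid,
            "action": fields[-1],
        })
    return dict(results)


def classify_persistence(parsed):
    """Group findings by mechanism (bucket names are my own, not MBAM's).

    run_key: autorun values under CurrentVersion\\Run or \\RunOnce
    scheduled_task: legacy .job files in \\Windows\\Tasks
    system_profile: files written into the SYSTEM account's profile
    temp_executable: .exe files in a user's AppData\\Local\\Temp
    """
    buckets = {k: set() for k in
               ("run_key", "scheduled_task", "system_profile", "temp_executable", "other")}
    autorun_markers = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
    for section, entries in parsed.items():
        for e in entries:
            target = e["target"]
            low = target.lower()
            if section == "Registry Values" and any(m in low for m in autorun_markers):
                buckets["run_key"].add(target)
            elif low.endswith(".job") and "\\windows\\tasks\\" in low:
                buckets["scheduled_task"].add(target)
            elif "\\system32\\config\\systemprofile\\" in low:
                buckets["system_profile"].add(target)
            elif "\\appdata\\local\\temp\\" in low and low.endswith(".exe"):
                buckets["temp_executable"].add(target)
            else:
                buckets["other"].add(target)
    # Sets dedupe the same path reported once as a process and once as a file.
    return {k: sorted(v) for k, v in buckets.items()}


def detection_families(parsed):
    """Count distinct targets per detection family across all sections."""
    seen = defaultdict(set)
    for entries in parsed.values():
        for e in entries:
            seen[e["family"]].add(e["target"])
    return {family: len(targets) for family, targets in seen.items()}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for bucket, targets in classify_persistence(parsed).items():
        print(f"{bucket}: {len(targets)}")
        for t in targets:
            print("   ", t)
    print(detection_families(parsed))
```

    Run against the full log in the post, the run_key and scheduled_task buckets are the entries worth re-checking by hand after the reboot; if any of them reappear, the cleanup missed the component that recreates them.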


  2. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #2

    Holy Crap! Sorry about that... the replies will be interesting. Did you manage to clean your system?

    Regards,
    Golden


  3. Posts : 6,668
    Windows 7 x64
       #3

    This is why I browse with Firefox running the NoScript plugin. It's a bit problematic but very secure if you actually know what you're doing with it.
    Injections are just too easy to make...


  4. Posts : 431
    Windows 7 Home Premium x64 SP1
       #4

    Another MSE swing and miss. It's gotta be the most overrated AV on the planet. MBAM, HMP, SAS, NPE, Housecall are what I would start with, and hopefully all of those will work... Good luck, and time to rethink your antivirus!


  5. Posts : 826
    Windows 7 Professional 64 Bit SP1
       #5

    Maguscreed said:
    This is why I browse with Firefox running the NoScript plugin. It's a bit problematic but very secure if you actually know what you're doing with it.
    Injections are just too easy to make...

    Yes it is, the Web of Trust addon is also helpful.

    Wow, that's one hell of an attack there, I hope you get it all cleared out.


  6. Posts : 9,537
    Windows 7 Home Premium 64bit
       #6

    I use WOT all the time when going to new places, along with the favourites MBAM, SAS, and WinPatrol.
    Yes, it is overkill, but you don't see me asking for BSOD help.


  7. Posts : 826
    Windows 7 Professional 64 Bit SP1
       #7

    The Howling Wolves said:
    I use WOT all the time when going to new places, along with the favourites MBAM, SAS, and WinPatrol.
    Yes, it is overkill, but you don't see me asking for BSOD help.

    Prevention (for the most part) is better than a cure :) WOT really helps you avoid making a bad move.


  8. Posts : 117
    Win 7 64 premium
       #8

    Greetings... 1st, there is no such thing as "safe surfing, just use your common sense" anymore. 2nd, A/Vs won't protect you like they used to anymore either. 3rd, please, for the love of Pete, download and use Sandboxie for all your surfing needs from now on. I have never ever heard of any malware being able to get past Sandboxie, so don't say you weren't warned. Oh yeah, it's good enough to use all by itself.


  9. Posts : 3,187
    Main - Windows 7 Pro SP1 64-Bit; 2nd - Windows Server 2008 R2
       #9

    I had a friend who died after getting infected while helping someone.

    (His wife killed him.)


  10. Posts : 846
    Windows 10 Pro
       #10

    Prevention

    Take the following steps to help prevent infection on your system:

    • Enable a firewall on your computer.
    • Get the latest computer updates for all your installed software.
    • Use up-to-date antivirus software.
    • Use caution when opening attachments and accepting file transfers.
    • Use caution when clicking on links to Web pages.
    • Avoid downloading pirated software.
    • Protect yourself against social engineering attacks.
    • Use strong passwords.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd