MSE finds and removes Trojan three times


  1. bru
    Posts : 417
    Win 7 Home Premium x64
       #1

    MSE finds and removes Trojan three times


    While on a reputable site for my local newspaper MSE signaled it found TrojanDownloader:JS/Qakbot.H, classifying it as severe. I told it to remove it and it said it succeeded. Ran a Quick Scan right away which came up clean.

    12 hours later when I ran CCleaner to clean temp files MSE again found the same Trojan. I had it remove it and it again found it while CCleaner removed the temp files.

    So in my history there are three instances of this same Trojan all listed as being removed. Is it really gone?

    If MSE removed the Trojan the first time, why did it remain in a temp file? If I had never cleared the temp files using CCleaner, it seems to me the Trojan would have remained on my computer. What damage was done in the twelve hours between when MSE initially removed it and when it hopefully was removed for good from the temp files?

    Is this how MSE is supposed to work? Seems like a flaw if it leaves what it cleans in a temp file? Would a full scan have found the temp file infection?


  2. Posts : 968
    Windows 7 Ultimate x64
       #2

    I found this info on the trojan; I would be changing passwords and such:
    Backdoor.Qakbot.H - malware that steals everything | help.artaro.eu

    Removal:
    Remove Qakbot, W32.Qakbot removal tutorial

    I believe it may still be on your system, and I would download Malwarebytes and run a full sweep of the system after a full update, bru.


  3. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #3

    An MSE quick scan checks the places on your computer's hard disk, the processes in memory, and the registry files that malicious software is most likely to infect. A full scan checks all files on the hard disk and all currently running programs.

    Unless dealing with a rogue such as HDD Defragmenter, which makes it so that certain folders on your computer display no contents, it is generally recommended to run a temp file cleaner prior to scanning. My current preference is TFC by OldTimer.
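The detection name in the first post, TrojanDownloader:JS/Qakbot.H, follows Microsoft's naming convention: the "JS" platform tag means MSE flagged a JavaScript downloader, i.e. script pulled from the page, which is exactly the kind of thing that sits in browser cache and temp folders until something clears them. The script below is an added example, not code from the thread or from Microsoft: it lists recently written files of the types such a downloader leaves behind in those folders and hashes them, so the finding can be checked against a scanner's quarantine history rather than taken on faith. The folder list and the 48-hour window are assumptions for a Windows 7 user profile; adjust them for the browsers actually installed.

```powershell
# Added example (not from the thread): list recently written browser-cache and
# temp files of the kinds a JS downloader leaves behind, with SHA-256 hashes.
# The folder list is an assumption for a Windows 7 profile; add or remove
# entries to match the browsers actually installed.
function Get-RecentTempArtifacts {
    param(
        [int]$Hours = 48,
        [string[]]$Paths = @(
            $env:TEMP,
            (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'),
            (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Cache'),
            (Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox\Profiles')
        )
    )
    $since = (Get-Date).AddHours(-$Hours)
    $sha   = [System.Security.Cryptography.SHA256]::Create()

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # -Force is needed: IE's Content.IE5 cache folders are hidden/system.
        Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.LastWriteTime -gt $since -and
                $_.Extension -match '^\.(js|htm|html|exe|dll|scr|jar|pdf)$'
            } |
            ForEach-Object {
                $stream = $null
                try {
                    $stream = [System.IO.File]::OpenRead($_.FullName)
                    $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
                } catch {
                    # Locked by the browser, or already moved to quarantine
                    $hash = 'unreadable'
                } finally {
                    if ($stream) { $stream.Close() }
                }
                New-Object PSObject -Property @{
                    Written = $_.LastWriteTime
                    Size    = $_.Length
                    SHA256  = $hash
                    Path    = $_.FullName
                }
            }
    }
}

# Usage: review the list, then look up any hash you do not recognise.
Get-RecentTempArtifacts -Hours 48 | Sort-Object Written -Descending |
    Format-Table Written, Size, SHA256, Path -AutoSize
```

Run it from a normal PowerShell prompt as the user whose profile was browsing the site. A file that shows up here with a hash matching the scanner's quarantine entry confirms the detection was the cached script, not something that had already installed; a file that is still present and readable after the scanner claims removal is the case worth submitting to the vendor.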


  4. bru
    Posts : 417
    Win 7 Home Premium x64
    Thread Starter
       #4

    Yes, it certainly appears to be a nasty one. But I'm pretty confident MSE did its job properly. Full Scans using MSE, MBAM and SAS in regular and Safe mode all come up clean.

    I spoke with MS support and they said that MSE did its job by initially preventing the Trojan from downloading. They also said it was residing in a temp file waiting for a chance to infect my system, but CCleaner and/or MSE also removed it from there (I'm still a bit unsure of this part). Apparently it's a good thing I regularly clean temp files. I'm not sure everyone does.

    I have used TFC in the past on another computer. I probably should revisit it. The fact that it hasn't been updated in two years was one reason I was a bit hesitant to install it on my new system.

    What is disturbing is that this was a very reputable website. It probably gets thousands if not millions of visitors a day. Who knows how many of them are now infected.

    It's truly scary out there. Even safe surfing doesn't mean much anymore.

    Crossing fingers that this one is solved. And am happy MSE did its job.


  5. Posts : 431
    Windows 7 Home Premium x64 SP1
       #5

    For this reason, and this reason alone, virtualization should be your first line of defense, not MSE. Sandboxie is a great tool to prevent drive-by infections.


  6. Posts : 208
    Windows 7 Home Premium 32bit, Linux Mint Julia, in dual boot mode
       #6

    bru said:
    Yes, it certainly appears to be a nasty one. But I'm pretty confident MSE did its job properly. Full Scans using MSE, MBAM and SAS in regular and Safe mode all come up clean.

    I spoke with MS support and they said that MSE did its job by initially preventing the Trojan from downloading. They also said it was residing in a temp file waiting for a chance to infect my system, but CCleaner and/or MSE also removed it from there (I'm still a bit unsure of this part). Apparently it's a good thing I regularly clean temp files. I'm not sure everyone does.

    I have used TFC in the past on another computer. I probably should revisit it. The fact that it hasn't been updated in two years was one reason I was a bit hesitant to install it on my new system.

    What is disturbing is that this was a very reputable website. It probably gets thousands if not millions of visitors a day. Who knows how many of them are now infected.

    It's truly scary out there. Even safe surfing doesn't mean much anymore.

    Crossing fingers that this one is solved. And am happy MSE did its job.

    That's the whole problem, viz. that it happens with very reputable sites. You would think those people would have their security organized. Apparently not, so you have to do it. I want to repeat here again that, e.g., my internet provider lets me log into my account, where I can also change my password (!), on an unencrypted website, although there is also an https webpage at the same time. That really beats me (why not remove the unencrypted webpage?), and I complained, but I only received a silly answer that you have to check it all. So the whole problem is also caused by the people behind the websites.

    I personally use CCleaner a few times a day. You can always make a backup and use the restore function should something go wrong. Of course, any good cleaner would do, such as the one mentioned by Corrine.

    The use of Sandboxie as DBone suggests is probably the only safe solution, and although I am using Linux Mint when I am surfing, it's sometimes not convenient, especially since I use Windows Live Mail and want to click on a link that someone (always known to me, but who knows...) sends to me. So I have to get that Sandboxie. Thanks, DBone, for mentioning it over and over again, not just here.
    Last edited by FranzB; 15 Sep 2011 at 11:27. Reason: text correction


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd