Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pesky infection / re-infection - is it gone?


  • Please log in to reply
3 replies to this topic

#1 newoh

newoh

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:27 PM

Posted 06 February 2015 - 08:21 PM

New member here and it seems like I should first post in this forum and see where things go based on advice.

 

System related info:

Windows 7 home premium 64 sp1 (regularly updated)

Microsoft Security Essentials (regularly updated)

Ccleaner (updated somewhat regularly)

Malwarebytes anti-malware (installed recently and updated regularly)

 

Problem/symptoms:

Short version:  How do I investigate whether or not my system is still infected?

 

Long version (rough timeline)::

MS security essentials finds infection and it is quarantined and removed.

System seems fine

IE10 begins launching on its own and homepage it auto-launches to is Microsoft.com (not my normal homepage and not my normal browser)

 

Days/weeks later - MS security essentials finds infection and it is quarantined and removed.

System seems ok.

 

Steps taken:

After repeat infection notification, download Malwarebytes anti-malware and run.  Malwarebytes finds a few items.  Items are quarantined and removed. 

System seems ok.

 

Days/weeks later – both MS security essentials and and Malwarebytes find infections (again quarantined and removed).  Also, computer now starting to have blue screen of death shutdown/restarts (It might be coincidence, but it seems that BSD’s occur when both Malwarebytes is scanning and system is online.  System uptime much longer/indefinite when offline.)

 

As of today:

MS security essentials and Malwarebytes are showing no infections, but I’m skeptical that the infection(s) have been completely removed.  IE auto launch into Microsoft.com hasn’t occurred recently.  Although, BSD/restart still occurring (again may be coincidence, but seems to occur when online – and possibly when both online and when Malwarebytes scan is running).

 

Examples of items found by Malwarebytes:

In January 2015:

Trojan.Agent.ED, C:\Users\*\AppData\Roaming\Microsoft\Poshib\poshib.exe

 

In November 2014:

Backdoor.Bot.ED, C:\Users\*\AppData\Roaming\Microsoft\Poshib\poshib.exe

PUP.Optional.OpenCandy, C:\Users\*\Downloads\ShapeCollage-2.5.3-Setup.exe

PUP.Optional.Somoto, C:\Users\*\Downloads\Dummies_downloader_by_Fonts101.exe

Exploit.Drop.GS, C:\Users\*\AppData\Local\Temp\2F88.tmp

 

 

Thank you for your time.



BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:27 PM

Posted 06 February 2015 - 09:57 PM

Hello newoh
Just from what we have here I see .... Backdoor.Bot.ED, C:\Users\*\AppData\Roaming\Microsoft\Poshib\poshib.exe
 
 
We should consider this.
 
One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? When Should I Format, How Should I Reinstall We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 newoh

newoh
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:27 PM

Posted 06 February 2015 - 11:37 PM

Boopme -

Thank you for the prompt and informative response (and link).  The computer is disconnected, I'm working on passwords, etc -- and I assume that a reformat and reinstall is in my future. 

 

That said, I would like to try to clean this install  (assuming no guarantees of 100% clean) for a few reasons.  I'm assuming that - I will learn something about infection, protection, tools, etc. by going through the cleaning process & that I may be able to use that knowledge to examine my back-ups (and to prevent future problems).  Is that thinking sound in this instance?

 

Also, I do have a few questions:

1. How do I know my backups/external drives aren't infected?  How do I check?  (fyi - one backup drive has not been connected to the system since before the first notification of infection, other external drives and usb sticks have been connected.)

2. I will do another backup via usb tonight or tomorrow, but I'm assuming that I should not back up the system -- just back-up the data files that I value.  Correct?  (and that the past full system and data back-ups are possibly infected.)

3. Also, I'm assuming that I will be cleaning the infected system via usb because the system will be offline.  Is there a risk of distributing the infection via usb (or via LAN for that matter)?  (or is there a recommended way to handle this scenario -  cleaning an offline infected system?)

4. Through the cleaning process will I gain a sense of how the infection is likely to have occurred in the first place?

 

Thanks again for your time and insight.

Newoh



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:27 PM

Posted 09 February 2015 - 02:23 PM

You're welcome,

That USB will need to be reformatted.

For the PC.. I say lets get a deeper look and you can ask about the backups again in this new topic as they will be looking inside.

Please follow this Preparation Guide and post in a new topic.
You can include this link back here.

http://www.bleepingcomputer.com/forums/t/565968/pesky-infection-re-infection-is-it-gone/#entry3620292

Let me know if all went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users