Have I taken care of my trojan problem?

Today Microsoft Security Essentials began quarantining a trojan called “medfos.B” every five minutes or so. But MSE’s scan utility wasn’t finding anything. It was blocking the thing when it tried to go active, but couldn’t find the thing when it was not active.

I didn’t try to remove it this morning because I had to go to work. Later this evening, when I turned on the machine again, it was doing the same thing–and then, after a few minutes, somehow either medfos.B or something else did get past MSE, and I had one of those fake “antispyware 2012” programs begin to give me popups and block access to any website but its own. I went to a different user account in safe mode and ran malwarebytes’ scan, and this seemed to take care of the antispyware 2012 thing. (Note: When I went back to the original account, the antispyware2012 behavior was gone, but also, I was unable to run any .exe files. A downloaded registry patch fixed this.)

But, though malwarebytes seems to have gotten rid of antispyware2012, it apparently did not get rid of medfos.B. Microsoft Security Essentials continued to quarantine it every five minutes or so.

At this point I did some “sleuthing” (i.e. more google searching) and found this page: http://social.technet.microsoft.com/Forums/en-US/ieitprocurrentver/thread/21984fdc-daeb-44c4-b6ab-18c0643ead57

At that page, someone describes the same behavior I was having on this machine. In reply, someone said to them they also had the same behavior happening–and were able to resolve it by deleting a certain .dll file in their %appdata% folder, killing rundll and iexplorer in their task manager, then removing a registry entry from hkcu/software/microsoft/windows/current-version/run.

I looked in my folder c:/users/myname/appdata, and found nothing. Then went on to /appdata/roaming and did find two dlls listed there. Meanwhile, in the registry folder named above, I found two entries corresponding to exactly those two dlls. Moreover, neither .dll was found to be mentioned anywhere online by google, which seems suspicious–it seems as though they are randomly named, and I can’t think of any non-evil reason for an application to create a randomly named .dll file. So: I killed my iexplorer and rundll processes, tacked on a .bak to both the dlls, made a backup of the registry folder, and removed both the registry entries. I then restarted my computer.

So, since then, I have not had MSE pop up with a message about quarantining medfos.B. But I worry that I have not done everything I should do. Given the actions described above, do you think it’s probably all taken care of? Or is there some malicious something-or-other still sitting on my computer just waiting to create a couple more malicious dll files or something? I have no idea how it really works.

Neither MSE nor malwarebytes finds anything upon scanning. But MSE never did, and malwarebytes sometimes did not find anything on some of the occasions in which I ran it today, yet a little while later the problem would prove to persist. (BTW neither program finds anything wrong with either of the .dll files.)

I also worry because occasionally in between medfos.B messages, there would be messages for two or three other pieces of malware. Those messages seem to have stopped as well, but it feels like something on my computer is just trying to open me up to all kinds of attacks and I don’t know whether I should feel confident that I’ve stopped that underlying problem.

Running Windows 7, with MSE and Malwarebytes Pro both running in the background, with Windows firewall.

Thanks for any pointers…

ETA: The two dll files were named remsds and scepr, in case it matters…

Forgot to mention: One strange thing is that when I run msconfig and look under “startup” I don’t see anything suspicious. Everyone at the link given above seems to be saying there should be something there to remove, but I don’t see anything.
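A read-only PowerShell triage of the two places the post names (the per-user Run key and the root of %APPDATA%\Roaming), added here as an example and not code from the thread or from any of the tools mentioned. It flags Run entries that hand a DLL to rundll32 or point under %APPDATA%, and reports signature status and hash for each DLL so it can be checked against a second opinion; `Get-DllInfo` is a helper name chosen for this example.

```powershell
# Added example, not from the original thread. Read-only: nothing is deleted or changed.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # ...\AppData\Roaming

function Get-DllInfo([string]$Path) {
    # Signature status, size, creation time and SHA-256 for one DLL (or a note if it is gone)
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing on disk (entry left behind?)' }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    'sig={0} size={1} created={2:u} sha256={3}' -f $sig.Status, $item.Length, $item.CreationTime, $hash
}

Write-Host "== Autostart entries under $runKey =="
$entries = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($entries) {
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own PSPath/PSParentPath etc.
        $cmd = [string]$p.Value
        $dll = $null
        if     ($cmd -match '"([^"]+\.dll)"') { $dll = $Matches[1] }   # quoted path
        elseif ($cmd -match '(\S+\.dll)')     { $dll = $Matches[1] }   # bare path
        $flags = @()
        if ($cmd -match 'rundll') { $flags += 'DLL loaded via rundll32' }
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if ($dll.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'DLL under %APPDATA%' }
        }
        $mark = if ($flags) { 'SUSPECT' } else { 'ok     ' }
        Write-Host ('[{0}] {1} = {2}' -f $mark, $p.Name, $cmd)
        if ($flags) { Write-Host ('          ' + ($flags -join '; ')) }
        if ($dll)   { Write-Host ('          ' + (Get-DllInfo $dll)) }
    }
}

# Legitimate software keeps its files in subfolders; a DLL sitting directly in the Roaming root is unusual.
Write-Host "`n== Loose DLLs directly under $appData =="
Get-ChildItem -LiteralPath $appData -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ('SUSPECT {0}' -f $_.FullName); Write-Host ('          ' + (Get-DllInfo $_.FullName)) }
```

Because it reads the registry directly, it shows entries regardless of what msconfig's Startup tab lists; entries marked SUSPECT with an unsigned or missing DLL are the ones worth submitting to a scanner rather than deleting blind.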

The only things I can suggest are to make sure you’ve got ‘show hidden files’ switched on. I didn’t see it mentioned in your posts whether you’d done that or not. In case you haven’t, just follow these simple steps: Windows help & learning

Other than that, you could try running TDSSKiller as an additional check of your system.
http://support.kaspersky.com/2663

I think the best thing you can do is to reformat your computer before installing anti-virus.

Yeah, I would suggest formatting as mentioned by webdesign24. Not the best advice, and it sucks for most people, but what I really suggest to you is to make a drive image with a program like Paragon Backup & Recovery; they have a free version for Windows 7 and probably 8 now. Once you set up a partition for the backup image (which can be quite big) and make the image once you format and get your system perfect, then anytime you do need to format it takes a couple of minutes to wipe out any serious problems like this with only a few mouse clicks. I restore mine a couple of times a day sometimes because I’m super paranoid, and I suppose now spoiled and lazy to manually fix even the smallest problems, hehe. After you learn to do it you’ll wonder how you lived without it.