Now, I'm no slouch when it comes to computers, but I am paranoid, so I already had a whole slew of traffic monitoring tools on my computer. I recently ran a netstat -bfo in the command prompt which only showed that processes I knew about and allowed were accessing the internet. I have Proxifier, Privoxy, and PeerBlock, all of which let me monitor outgoing/incoming traffic, as well as Wireshark which can sniff packets. I'm just wondering if there is some way Orsam!rts could go undetected by every single one of these measures...
Also, after looking through some folders... in the "Users" folder (Windows 7), I found a bunch of folders of users that I did not create... Two I knew about beforehand... Administrator and Giacof were there, but also appeared: Default... SysAdmin... UpdatusUser... and UpdatusUser.giacoft420 (my computer name). I'm not sure if these were created by the trojan, or if they are legitimate, but they all have creation dates way before last night (also not sure if Orsam can spoof creation date). The problem which makes them skeptical, is that each one of them has a file in their "Downloads" folder called tvtvrnr431_001en.exe. All iterations of the tvtvrnr431_001en.exe have the same creation date, but it is again far prior to last night.
At any rate... thanks in advance for any help you might be able to give me, I apologize for the winded first post, but I figured it'd be better to get the circumstances across early than have to explain them over time... I have included the requested logs, even though they do have a rather large amount of personal information in them...
Edited by Maurice Naggar, 12 August 2012 - 07:04 AM.
