Help - Stupidly opened and ran a malware attachment

AirCooledHeaven
Posts: 884 Forumite

in Techie Stuff
:doh:
Received an email today supposedly from [EMAIL="donotreply@dart-charge.co.uk"]donotreply@dart-charge.co.uk[/EMAIL] containing an attachment 'payment receipt.xml' I do have a Dart Charge account and it's setup to automatically debit my credit card, so absent mindedly I opened it. And then I opened the attachment. And then when internet explorer told me it was blocking an activ-x control I told it to run it. Yes, utterly stupid I know. Shortly afterwards my network icon in the system tray popped up to tell me there was no network connectivity, and then disappeared again. I'm not connected to any other PCs, only my BT Hub.
I have Avast and Malwarebytes installed, both with real time protection, neither raised an eyebrow.
How can I find out what payload I've downloaded? And get rid of it.
Thanks in advance
Comments
You're assuming the two things are linked, presumably your internet connectivity is working?
http://whois.domaintools.com/dart-charge.co.uk
https://www.saneftolling.co.uk/contact
http://blog.dynamoo.com/2015/07/malware-spam-payment-receipt.html
http://techdows.com/2015/01/sysinternals-autoruns-v13-0-integrates-virustotal.htm
take the spaces out
https://www.virustotal.com/en/file/9e4ef2f6b2d1c3d4cc4e25e77c423de406e03db888ecc2a6195125ad06009245/analysis/1437572697/
Don't you dare criticise what you cannot understand

Select boot time scan on Avast by opening from the icon and shut down and re-start, it can take several hours, but you either want rid of it or not.
I do Contracts, all day every day.
I agree with above. Avast can pick up nasties in DOS better than if scanned via Windows, I know I've done it.
"Learn from the mistakes of others. You can never live long enough to make them all yourself."
― Groucho Marx
Well I performed a full system scan with Malwarebytes and a boot time scan with Avast and nothing found. A scan with Windows Defender Offline found TrojanDownloader:O97M/Adnel.F
Not sure if this was already lurking on my system or if it was the payload from paymentreceipt.xml
Anyway, I'm hoping the system's clean now. Thanks for your input.
It found a DIR entry not a file, hence why Avast did not pick it up.
Now it's password change time on anything stored in XML encrypted passwords saved on the machine.
Banking, PayPal, e-mail, active logins
Work on the assumption that they have already extracted the passwords and active login files.
Change them.
I do Contracts, all day every day.
Marktheshark wrote: »Now it's password change time on anything stored in XML encrypted passwords saved on the machine.
Banking, PayPal, e-mail, active logins
Work on the assumption that they have already extracted the passwords and active login files.
Change them.
Oh dear... Will this be limited to my saved login details in Firefox? I don't use IE, or Outlook.
AirCooledHeaven wrote: »TrojanDownloader:O97M/Adnel.F
That's the XML being detected, not the payload it creates, which at the time you posted wasn't detected by many AVs. Avast, if up to date, should pick up any payload as Win32:Malware-gen. Run a VirusTotal/Autoruns/Process Explorer check to scan what's running against many antivirus products.
https://live.sysinternals.com/procexp.exe
Don't you dare criticise what you cannot understand
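An added PowerShell triage helper for the Autoruns/Process Explorer/VirusTotal check the reply above suggests; it is not code from the thread or from any of its posters. It hashes the binaries behind the Run/RunOnce registry keys and the running processes and prints their SHA-256 values and Authenticode status, so each hash can be searched on VirusTotal; it assumes those two sources only, which is narrower than the Autoruns tool, and it changes nothing on the machine.

```powershell
# Run/RunOnce keys are the most common persistence points a downloader uses.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run-key command line such as
#   "C:\Program Files\App\app.exe" /silent   or   C:\Users\x\AppData\Roaming\a.exe
function Get-ImagePath([string]$cmd) {
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$candidates = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $candidates += [pscustomobject]@{ Source = "Run:$($p.Name)"; Path = (Get-ImagePath $p.Value) }
    }
}
foreach ($proc in Get-Process) {
    $imgPath = $null
    try { $imgPath = $proc.Path } catch { }     # protected/system processes may refuse
    if ($imgPath) { $candidates += [pscustomobject]@{ Source = "Proc:$($proc.Name)"; Path = $imgPath } }
}

# Hash each image file once and record whether it carries a valid Authenticode signature.
$results = foreach ($c in $candidates) {
    $path = [Environment]::ExpandEnvironmentVariables($c.Path)
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
    [pscustomobject]@{ Source = $c.Source; Path = $path; SHA256 = $hash; Signature = $sig }
}

# Unsigned binaries come first; anything unsigned under the user profile is the first
# hash to look up on VirusTotal.
$results | Sort-Object SHA256 -Unique |
    Sort-Object @{ Expression = { $_.Signature -ne 'Valid' }; Descending = $true }, Path |
    Format-Table -AutoSize Source, Signature, SHA256, Path
```

Run it from an elevated PowerShell so the HKLM keys and more process paths are readable; the SHA256 column is what VirusTotal's search accepts, so no file has to be uploaded.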
Anything that saves a password to your computer.
It may have been a session or "man in the window" attack if it has left a directory entry.
In those few seconds they can grab the passwords and active login files.
Change them all ASAP.
I do Contracts, all day every day.
This discussion has been closed.