Tuesday, December 28, 2010

Infiltration Alert Virus attacked my notebook

My notebook is running Windows 7 Home Premium 64bit.

It was infected by a series Trojan viruses that displayed 4 symptoms:

  1. Outlook 2003 stopped showing non-embedded images
    (This was because the trojan had turned on Internet Explorer’s Proxy settings and was directing all Internet traffic to itself. I use FireFox so I didn’t notice)
  2. Some hours later, I started to get popup windows that warned of an infiltration alert while running a fake anti-virus scanner.
    1. I found each of these using task manager, killed the process and deleted the offending EXE which was usually within my User Application Data folders
    2. Variations of this virus kept reappearing
    3. each variation offered to fix my problem by installing an anti-virus package
  3. The virus then started up IE and directed me to porn sites or displayed pages that told me my computer was infected and directed me to sites that would fix my problem
  4. The viruses became more aggressive and started deleting processes
    1. sometimes the virus warned that the EXE had become infected and again offered to install the solution
    2. I could not start task manager or my anti-virus software.

Eventually I rebooted in safe mode (see here to see how) and tried various free anti-virus scanners:

  1. "AVG Anti-Virus Free” found nothing (and was the solution being used when the PC became infected)
  2. McAfee VirusScan” and “Microsoft Security Essentials” each found and deleted some viruses
  3. http://www.malwarebytes.org/ found and deleted the offending trojans

Here is an incomplete list of anti-virus solutions that does not include malwarebytes.

This tutorial gives some background.

I am currently running belt and braces:

Here is the Malwarebytes log file:

Malwarebytes' Anti-Malware



Database version: 5402


Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385


27/12/2010 9:43:28 PM

mbam-log-2010-12-27 (21-43-28).txt


Scan type: Quick scan

Objects scanned: 156278

Time elapsed: 2 minute(s), 31 second(s)


Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3


Memory Processes Infected:

(No malicious items detected)


Memory Modules Infected:

(No malicious items detected)


Registry Keys Infected:

(No malicious items detected)


Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mbbloqvs (Trojan.FakeAlert) -> Value: mbbloqvs -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Value: Shell -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMap.NET (Trojan.Agent) -> Value: SysMap.NET -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\abhqgrhe (Trojan.FakeAlert.Gen) -> Value: abhqgrhe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lcdgdvcm (Trojan.FakeAlert.Gen) -> Value: lcdgdvcm -> Quarantined and deleted successfully.


Registry Data Items Infected:

(No malicious items detected)


Folders Infected:

(No malicious items detected)


Files Infected:

c:\Users\John\AppData\Local\Temp\pqnwiwvmd\sydyluulajb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\John\AppData\Local\Temp\0.9150089036818203.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\John\AppData\Local\Wdcfg3xx\sysmap.net.dll (Trojan.Agent) -> Quarantined and deleted successfully.