Tuesday, December 28, 2010

Infiltration Alert Virus attacked my notebook

My notebook is running Windows 7 Home Premium 64bit.

It was infected by a series of Trojan viruses that displayed 4 symptoms:

  1. Outlook 2003 stopped showing non-embedded images
    (This was because the trojan had turned on Internet Explorer’s proxy settings and was directing all Internet traffic to itself. I use Firefox so I didn’t notice.)
  2. Some hours later, I started to get popup windows that warned of an infiltration alert while running a fake anti-virus scanner.
    1. I found each of these using Task Manager, killed the process and deleted the offending EXE, which was usually within my user Application Data folders
    2. Variations of this virus kept reappearing
    3. Each variation offered to fix my problem by installing an anti-virus package
  3. The virus then started up IE and directed me to porn sites, or displayed pages that told me my computer was infected and directed me to sites that would fix my problem
  4. The viruses became more aggressive and started deleting processes
    1. Sometimes the virus warned that the EXE had become infected and again offered to install the solution
    2. I could not start Task Manager or my anti-virus software.

Eventually I rebooted in safe mode (see here to see how) and tried various free anti-virus scanners:

  1. “AVG Anti-Virus Free” found nothing (and was the solution being used when the PC became infected)
  2. “McAfee VirusScan” and “Microsoft Security Essentials” each found and deleted some viruses
  3. http://www.malwarebytes.org/ found and deleted the offending trojans

Here is an incomplete list of anti-virus solutions that does not include malwarebytes.

This tutorial gives some background.

I am currently running belt and braces:

Here is the Malwarebytes log file:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5402

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

27/12/2010 9:43:28 PM
mbam-log-2010-12-27 (21-43-28).txt

Scan type: Quick scan
Objects scanned: 156278
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mbbloqvs (Trojan.FakeAlert) -> Value: mbbloqvs -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMap.NET (Trojan.Agent) -> Value: SysMap.NET -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\abhqgrhe (Trojan.FakeAlert.Gen) -> Value: abhqgrhe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lcdgdvcm (Trojan.FakeAlert.Gen) -> Value: lcdgdvcm -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\John\AppData\Local\Temp\pqnwiwvmd\sydyluulajb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\0.9150089036818203.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Wdcfg3xx\sysmap.net.dll (Trojan.Agent) -> Quarantined and deleted successfully.
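The log above shows the two places this fake-AV family hid its autostart entries (per-user Run values and a per-user Winlogon Shell override, pointing at executables under AppData\Local\Temp), and symptom 1 describes the Internet Explorer proxy being switched on. The following PowerShell script is an added example, not something from the original post or from Malwarebytes: it is a read-only audit of exactly those three locations on a Windows 7 era machine, run as the affected user. The suspicious-folder list and the "local listener" proxy heuristic are assumptions chosen to match the entries in this log, not a general rule.

```powershell
# Added example (not from the original post): read-only audit of the
# persistence locations and the IE proxy setting that the infection above used.
# Assumption: run in Windows PowerShell as the user whose profile was infected.

$UserRun    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$Winlogon   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$IESettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Folders where legitimate autostart executables almost never live (assumed list,
# chosen to match the Temp and AppData paths in the Malwarebytes log above).
$SuspiciousRoots = @("$env:LOCALAPPDATA\Temp", $env:TEMP, $env:LOCALAPPDATA, $env:APPDATA)

function Get-CommandPath {
    # Extract the executable from a Run value such as  "C:\path\x.exe" -arg  or  C:\path\x.exe
    param([string]$Command)
    if (-not $Command) { return '' }
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-SuspiciousPath {
    param([string]$Path)
    foreach ($root in $SuspiciousRoots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

Write-Host '== HKCU Run entries =='
if (Test-Path $UserRun) {
    $props = Get-ItemProperty -Path $UserRun
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/... properties
        $exe  = Get-CommandPath $p.Value
        $flag = if (Test-SuspiciousPath $exe) { 'SUSPICIOUS' } else { 'ok' }
        # Unsigned or missing binaries in a Run key deserve a second look; signed ones less so.
        $sig  = if ($exe -and (Test-Path $exe)) { (Get-AuthenticodeSignature $exe).Status } else { 'missing' }
        '{0,-11} {1,-12} {2} = {3}' -f $flag, $sig, $p.Name, $p.Value
    }
}

Write-Host '== Winlogon Shell (per-user override) =='
# A stock Windows install defines Shell only machine-wide (under HKLM, as explorer.exe);
# a per-user Shell value, like the one quarantined above, is a classic hijack point.
$shell = (Get-ItemProperty -Path $Winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) { 'no per-user Shell value (expected)' }
else { "SUSPICIOUS per-user Shell override: $shell" }

Write-Host '== Internet Explorer proxy =='
$ie = Get-ItemProperty -Path $IESettings -ErrorAction SilentlyContinue
if ($ie -and $ie.ProxyEnable -eq 1) {
    "proxy ENABLED -> $($ie.ProxyServer)"
    # Symptom 1 above: the trojan pointed the proxy at itself, i.e. a listener on this machine.
    if ($ie.ProxyServer -match '127\.0\.0\.1|localhost') {
        'SUSPICIOUS: all HTTP traffic is being routed through a local listener'
    }
} else { 'proxy disabled (expected)' }
```

The script changes nothing; it only lists what is there so the reader can compare against the quarantined entries in the log. The same three checks on the HKLM hives would catch machine-wide variants of the same persistence, which this example does not cover.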