3 Replies Latest reply on Mar 7, 2011 1:57 AM by muaddib67

    A missed trojan.

      Hi all,

       

Today I had a program pop up claiming my antivirus wasn't working. I knew instantly that I had a virus/trojan/spyware on my machine. It's Vista, patched up to date, with McAfee Security Center through my ISP. I did a full scan, but it found nothing. I tried to make sure my DAT file was up to date, but it couldn't connect. I opened a browser window and couldn't connect to the internet (though my other 2 systems were working fine). I checked the settings, and sure enough, it was set to use a proxy. I unchecked that and tried again to update, but it still wouldn't update. Long story short, I ended up downloading Malwarebytes Anti-Malware, and it took care of the problem. My question is, since this seems to be an older trojan (unless it's a brand new version of it), why didn't McAfee catch it? I have it set for all the recommended settings, and I have 2 hardware firewalls (one on the cable/phone modem, one on my router) as well as the software firewall in the security suite.

      I'll copy/paste the output instead of attaching the file.

      Memory Processes Infected: 0

      Memory Modules Infected: 0

      Registry Keys Infected: 1

      Registry Values Infected: 2

      Registry Data Items Infected: 0

      Folders Infected: 0

      Files Infected: 1

       

      Memory Processes Infected:

      (No malicious items detected)

       

      Memory Modules Infected:

      (No malicious items detected)

       

      Registry Keys Infected:

      HKEY_CURRENT_USER\SOFTWARE\mdnkso81qq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

       

      Registry Values Infected:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fljxlqam (Trojan.FakeAlert.Gen) -> Value: fljxlqam -> Quarantined and deleted successfully.

       

      Registry Data Items Infected:

      (No malicious items detected)

       

      Folders Infected:

      (No malicious items detected)

       

      Files Infected:

      c:\Users\xxxxx\AppData\Local\Temp\hdlhcduvq\dxyeymhhmof.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

       

Is this a known hole, or a new variant that the DAT file just didn't recognize? I don't use P2P and I stay away from pages SiteAdvisor doesn't like, so I have no idea how it got in. I checked my other 2 systems, and neither one of them (XP 32-bit and Win 7 x64) was infected, just this Vista x32 machine.
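The Malwarebytes log above shows the two things this FakeAlert variant changed: the per-user WinINET proxy (PUM.Bad.Proxy on the ProxyServer value) and an autostart under HKCU\...\Run pointing at an executable in AppData\Local\Temp. As an added example (not code from the thread, from McAfee or from Malwarebytes), the PowerShell script below checks exactly those places on a Vista-era machine. The registry paths are the standard Windows ones; the "anything launched from AppData\Local\Temp is suspicious" rule is an assumption drawn from this one log, and the value name fljxlqam in the commented-out remediation is taken from the log, not assumed to exist on any other machine.

```powershell
# Added example: triage the proxy hijack and Run-key persistence seen in the MBAM log.
# Assumes it runs inside the affected user's session (HKCU is that user's hive) on
# Windows PowerShell 2.0 or later. Only standard registry paths are used.

# 1. WinINET proxy settings (what Internet Explorer and most HTTP clients honour).
#    A ProxyServer value you did not set, with ProxyEnable=1, is the hijack the log reports.
$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $proxyKey
"ProxyEnable   : $($p.ProxyEnable)"
"ProxyServer   : $($p.ProxyServer)"
"ProxyOverride : $($p.ProxyOverride)"
"AutoConfigURL : $($p.AutoConfigURL)"   # PAC-file hijacks use this instead of ProxyServer

# 2. The machine-wide WinHTTP proxy is a separate setting that services and updaters
#    may use even after the IE checkbox is cleared; show it too.
netsh winhttp show proxy

# 3. Autostart entries. Flag any image path under AppData\Local\Temp, which is where the
#    quarantined dxyeymhhmof.exe lived. (Heuristic assumed from this log, not a rule.)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those provider properties.
        if ($prop.Name -like 'PS*') { continue }
        $flag = ''
        if ("$($prop.Value)" -match '\\AppData\\Local\\Temp\\') { $flag = 'SUSPICIOUS' }
        "{0,-10} {1}\{2} = {3}" -f $flag, $k, $prop.Name, $prop.Value
    }
}

# 4. Remediation, once an entry is confirmed bad. Left commented out on purpose;
#    the value name below is the one from the log above.
# Set-ItemProperty    -Path $proxyKey -Name ProxyEnable -Value 0
# Remove-ItemProperty -Path $proxyKey -Name ProxyServer -ErrorAction SilentlyContinue
# netsh winhttp reset proxy
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'fljxlqam'
```

Run it from a normal PowerShell prompt to see the report; the HKLM keys are readable without elevation, but removing anything under HKLM or resetting the WinHTTP proxy needs an elevated prompt. The WinHTTP check is included because clearing the IE proxy checkbox only touches the HKCU WinINET values, which is one reason an updater can keep failing after the browser is back online.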

        • 1. Re: A missed trojan.
          Dinz

          muaddib67 wrote:

           

          browser window, and couldn't connect to the internet (though my other 2 systems were working fine). I checked the settings, and sure enough, it was set to use a proxy. I unchecked that, and tried again to update, but it still wouldn't update. Long story short, I ended up downloading Malwarebytes anti-malware, and it took care of the problem. My question is, since this seems to be an older trojan (unless it's a brand new version of it), why didn't McAfee catch it. I have it set for all the recommended settings, and I have 2 hardware firewalls (one on cable/phone modem, one on my router) as well as the software firewall in the security suite.

           

           

I believe the system is behind a proxy all the time; thus, when connecting to the Internet through a proxy, McAfee products may not be able to simulate this process, causing updates to fail and signature files to be out of date. So I think that when this infection got onto your computer, the DAT wasn't up to date. Moreover, we do not recommend using multiple antivirus software/firewalls, as it's not a security benefit; rather, a conflict happens between them during the update process.

           

Infections can sometimes occur silently, by visiting a website containing malicious code. Other times, a user can allow an infection by installing a program or plug-in that hides malware within its code. These programs are often disguised as free search utilities or screensavers, or are even labeled as 'critical software updates'. Even a protected PC can be made vulnerable under these circumstances. Hope the PC is clean right now; make sure to always keep the software updated and you should be all right.

           

           

          Regards,

          • 2. Re: A missed trojan.
            k3tg

            Just wanted to let you know that McAfee has published a document to assist with virus or malware issues should you ever need it in the future.

             

            Required Reading - Home User Assistance Malware Troubleshooting

            • 3. A missed trojan.

No proxy, just a router with a hardware firewall; the cable/phone modem also has a hardware firewall, I believe (it may not; there's no way of accessing it like the router).