PC infected with Win32.LocalInfect.2, need advice...

  • 17 April 2016
  • 9 replies
  • 8836 views

Userlevel 2
Hi,
 
OK, here is the situation.
 
This morning I was streaming the Formula 1 auto race and half way through Webroot came up with a notification that it had detected and quarantined the file "mw4b3qqj.exe.part".  I let Webroot do its thing but then after the race I scanned my system and Webroot came up with THREE files that were infected and it indicated that they were infected with the "Win32.LocalInfect.2" Trojan.
 
I actually scanned my system only a few days ago and my system was clean.
 
I have since studied this and found this trojan to be quite nasty.  I have a few questions about this.
 
First, it was unclear to me if all three files were infected with this trojan.  Webroot listed 3 files and indicated a "Win32.LocalInfect.2" but it was unclear to me if ALL three files were infected with the same trojan.  Can someone please clarify this for me?
 
The confusing part to this is that two of the three files Webroot indicated were infected were the same exe in two different directories.  But let me explain.  Years ago I wrote a very simple file manipulation program in VB Basic.  This program is very simple and only does things like bulk renames of files, copies files, moves files, etc., and that's it.  I guarantee there is no code in this exe that changes registry entries, installs things, accesses the internet, or ANYTHING like that.  Additionally, I have occasionally used this program for years and have used Webroot for years and Webroot has never had an issue with this program.  Also, this program was kept in two different directories that are completely unrelated to any directories that windows might normally access during its operation.
 
So I'm confused.  If this simple program was infected with the "Win32.LocalInfect.2" trojan, WHY did this trojan target this simple exe?  In what possible way was this simple exe infected by this trojan?
 
OR, am I getting things mixed up and maybe the only program infected with the trojan was "mw4b3qqj.exe.part".  But if so, then why did Webroot suddenly have issues with this simple file manipulation program and claim that it was a threat?
 
OK, so those are some questions I have about Webroot and the trojan. 
 
As far as the trojan itself, I went online and looked at what things this trojan can do and found certain things to look for.  I clean up my HDD after every session and so I keep no history, cookies, or anything like that.  I checked msconfig and found no startup programs that shouldn't be there.  I checked these registry entries that this website said to check but found no entries that matched:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSP\000 "ConfigFlags" = "0"
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook
HKEY_LOCAL_MACHINE\software\classes\urlsearchhook.toolbarurlsearchhook
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = ""%LocalAppData%.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,%AppData%\skype.dat"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Win32.LocalInfect.2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSp "Start" = "2"
 
I checked my entire HDD for anything like "Win32.LocalInfect.2" but found nothing.  I have not noticed any unusual behavior from my PC since I got this warning from Webroot.  I've looked at all processes and didn't find anything obviously suspicious but of course there are lots of processes that are under "system" and the like so I don't know about these.
 
Are there other things that I can do or check for to make sure that this trojan is not on my system?
 
I definitely want to MAKE SURE that my system is clean from this trojan so please I need some expert advice on this.
 
 
Thank you for your time and help,
Peter
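One way to do the registry check described in the post with a script instead of by hand. This is an added example, not code from the thread or from Webroot; it assumes Windows PowerShell 5.1 on Windows 7 or later, run as the logged-in user, and the key list and the %AppData%/%LocalAppData%/%Temp% heuristic are assumptions drawn from the persistence locations quoted above.

```powershell
# Added triage helper (not from the thread or Webroot): list the autostart
# locations quoted in the post and flag values that point into user-writable
# folders, which is where the quoted skype.dat / %LocalAppData% entries live.
$locations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command'
)

# Both the expanded folder paths and the unexpanded %...% forms count as suspect.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$suspectPattern = ($suspectRoots + @('%AppData%', '%LocalAppData%', '%Temp%')) -join '|'

function Test-SuspectValue {
    param([string]$Data)
    return ($Data -match $suspectPattern)
}

foreach ($key in $locations) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $flag = if (Test-SuspectValue ([string]$prop.Value)) { 'CHECK' } else { 'ok' }
        '{0,-5} {1}\{2} = {3}' -f $flag, $key, $prop.Name, $prop.Value
    }
}

# Winlogon Shell should be exactly "explorer.exe"; anything after a comma is an
# extra program started at logon (the "explorer.exe,%AppData%\skype.dat" pattern).
$hklmWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcuWinlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $hklmWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { "CHECK HKLM Winlogon Shell = $shell" }
# A per-user Shell value normally does not exist at all, so any value is worth a look.
$userShell = (Get-ItemProperty -Path $hkcuWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { "CHECK HKCU Winlogon Shell = $userShell" }
```

On 64-bit Windows the HKLM Run key also has a Wow6432Node copy that this list does not include; a CHECK line is a prompt to look, not a verdict, since legitimate updaters also start from %LocalAppData%.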
 
----
 
 
 
 

9 replies

Userlevel 7
Badge +56
Hi Peter,
 
Must have been under a different username but I'm glad to help!
 
Thanks,
 
Daniel ;)
 

Userlevel 2
Hi Daniel,
 
Yes, it was maybe 6-8 months ago and I was having massive problems with an Acer computer doing weird things.  I couldn't figure out whether it was the computer, a virus, or Webroot.  I had talked to tech support 3 times and they all had installed the latest version of Webroot but the problems persisted.  So I figured that it must be a hardware problem.  Turned out it was Webroot itself and you told me that the version I was running had problems so I uninstalled it and installed the newest version and all problems were gone!  It was a great relief as I was about to give up.
 
Anyway, back then I may have been under a different name... can't remember actually.  Anyway, that's when I discovered the Webroot forum and I mainly interacted with you.  So that is why I came here first when I had this issue.  Honestly I've never encountered a malware as vicious as this one (this "Win32.LocalInfect.2" trojan).  Got me a little freaked out.
 
My system does appear to be behaving though so I think things are good.  Webroot did a good job at isolating it and stopping it from getting to my system.  It was a website that was supposed to stream F1 for free but with commercials.  I will tell you, I'm never going to that website again!  If you guys are curious to know which website I can probably find the URL for you.  Perhaps the website should be blacklisted although I can't prove that is where the trojan came from. 
 
Anyway, good luck to you and if you need any beta testers let me know, I may be interested in something like that.  I understand programs pretty well but I do have a bit to learn about malware.  Never really looked into them on a technical level... like byte by byte kind of level.  Been a bit afraid to as it seems you just need a throw away computer so that if one gets your system, it won't matter.  A bit like studying a lion from within its own cage.
 
Thanks again for your help!
 
Best Regards,
Peter
 
---
Userlevel 7
Badge +56
@ wrote:
Hi Triple Helix,
 
I remember you.  You helped me with another issue I had with another computer quite a while ago.  How are you?
 
If anything new pops up I'll start another ticket as you suggest but I would call this problem resolved.
 
I've always had great response from this forum and tech support so I thank you all for that.
 
Thanks for your response,
 
Best Regards,
Peter
 
I'm doing Awesome and I hope you are as well? Where was it when I helped you at Wilders?
 
Yes if any other issues like this it's best to contact support as most times files just need to be whitelisted in the Webroot Cloud Database!
 
Best Regards,
 
Daniel 😉
Userlevel 2
Hi Triple Helix,
 
I remember you.  You helped me with another issue I had with another computer quite a while ago.  How are you?
 
Anyway, I just talked to Tech Support and they said simply that Webroot had a false positive with the program.  Why it has not had this issue before I don't know.  But whatever.
 
I have scanned and rescanned and I think my system is clean.  They are looking into the file that appeared to bring in the trojan and they are going to add it to their definitions.
 
I did check the location that the file was in and it is a directory that is cleaned so it cannot have been there long.
 
My function volume key seems to work but I'll have to check on that.  It seems that when some windows are up it does not work but in other cases it does.  Maybe I just hadn't noticed that before.
 
I'm going to just sit back and see how my system performs.  I do think Webroot caught the trojan before it did anything bad and I do believe that I am free of it... so I'll try to relax a bit about this.
 
If anything new pops up I'll start another ticket as you suggest but I would call this problem resolved.
 
I've always had great response from this forum and tech support so I thank you all for that.
 
Thanks for your response,
 
Best Regards,
Peter
 
----
 
Userlevel 7
Badge +56
Please Submit a Support Ticket and work with them as they can help you with this.
 
Thanks,
 
Daniel 😉
Userlevel 2
Hi,
 
OK, well I have had issues with my system now.   I have not talked to the tech support people yet.
 
Whenever I try to run the original file manipulation program, I'm going to call it AR5.exe for short, Webroot flags it as a "Win32.LocalInfect.2" trojan and quarantines it.  I have found a way around this by re-compiling under a different name so I'm guessing that Webroot doesn't actually look for the file name itself but must look at a specific location within the compiled program and identifies it that way.  I say this because I found an original version that Webroot hadn't flagged yet and renamed it and then tried to run that but Webroot flagged that also.  So simply renaming it didn't help.  Also, I am certain that this copy was not infected.
 
Additionally, whenever I tried to run AR5.exe Webroot flagged it and quarantined it but ALSO my wireless driver crashed immediately.  The computer didn't freeze immediately but when I tried to shutdown or reboot, then it froze on me.  I had to remove power completely by "unplugging" it.  It's a laptop so I basically disconnected the battery.
 
More odd things:
 
1)  I lost some Windows Explorer right click context menu items.  I was able to get them back but why did I lose them in the first place?
2)  Windows has failed to automatically keep my network login information and so I would have to manually enter in the password every time.  I fixed this by manually adding the network info but I have never had this problem before.  Windows 7 has always done this automatically.
3)  My speaker volume function keys don't work anymore.  I am almost certain this is not a hardware failure.
 
So, I think my system was infected with the Win32.LocalInfect.2 trojan.  I believe it came in through streaming the race and it came in from the file "mw4b3qqj.exe.part" and that file was located in path "c:\users\hp\appdata\local\temp".  Webroot did catch it when it tried to do something but how long it was actually on my system I don't know.
 
I do clean my system after EVERY session but I will have to go back and see if this specific location is cleaned.
 
The fact that my system was/is infected with this trojan is not really bothering me.  I mean, it is but OK I can understand it.  Again, what I don't understand is WHY Webroot also identified AR5.exe as being a Win32.LocalInfect.2 trojan.  What connection between this trojan and AR5.exe is there?  That is what is really bugging me.  This I just don't understand.
 
I am very close to just wiping my entire HDD and rebuilding my system to factory default.  Not something I want to do but I don't want some trojan lurking around my system either.  I have read that this particular trojan is a very nasty one and very hard to get rid of once infected.  It apparently allows hackers to gain access to your system, information you might send over the internet, and can mess with and/or damage your system as well.  It can do all this without windows or virus protection programs even knowing it... or so I have read.
 
For now I have restored my system settings to about 10 days ago using System Restore.  But even after doing this Windows failed to automatically save my network settings, which is unusual.  So have I really gotten rid of the effects of this trojan?  I'm not sure.
 
I will wait until I talk to the tech support people before I go to the extreme of rebuilding though.
 
One more thing, I have lots of programs that I have written and use here and there so I don't think this is a VB Basic thing.  There seems to be some mysterious specific connection between this trojan and AR5.exe.
 
Anyway, that is what I have learned and discovered so far.  When this comes to some kind of resolution I'll let you know.
 
 
Thanks for your help and interest,
Peter
 
---
 
Userlevel 7
Hi Peter
 
You could well be right...especially if as you say you have been using WSA and the small program with no issue previously...that is probably why it is best that the Professionals investigate to find out what the cause is...but having said that it does look like WSA has done its job...:D...unless of course what it has come up with is in fact a False Positive...but the Support Team should be able to rule that in or out as part of their investigations.
 
Either way please do come back to us here with details of what if anything they find/determine...this is of interest/useful to us in terms of assisting other members in the future.
 
Many thanks in anticipation.
 
Regards, Baldrick
Userlevel 2
Hi Baldrick,
 
Thank you for your response!
 
Yes, I think you are right in that Webroot did its job and the system is clean.  But I still want to understand why the simple file manipulation program was detected as a threat by Webroot.  This does not make any sense to me.  Especially since I have been using both the program and Webroot for years with no issues.  It is almost as if something targeted THAT specific program and infected it or changed it in some way that made Webroot see it as a threat.  I just don't understand that.
 
To answer your question, yes, all three files were quarantined but I permanently removed the exe that I wrote (which I guess I should not have done so you guys could have analyzed it) but left the file that I believe brought in the trojan.  That file again is "mw4b3qqj.exe.part" and remains in quarantine.
 
I can and will re-compile the exe that I wrote as it is now gone and you guys are welcome to take a look at it.  In fact, if you want I could send you guys the code itself.  But again, it is nothing special... just a small, simple VB Basic program.  There is no reason at all that I can think of that could cause Webroot to detect it as a threat UNLESS the program itself had been changed by someone or by a virus and that is what concerns me.
 
If you or anyone has any further ideas on this let me know but I will also go ahead and start a support ticket as you suggest.
 
 
Thank you again for your help!
 
Best Regards,
Peter
 
---
 
 
Userlevel 7
Hi peter55
 
Welcome to the Community Forums.
 
Thanks for the excellent information provided. It is possible that WSA has indeed intercepted a nasty so first question is; have you checked for anything that might have been quarantined by WSA (to do that click on the gear/cog to the right of the 'Pc Security' tab in the main app panel, and then click on the 'Quarantine' tab from the next panel displayed)...is there anything recorded there? If so what?
 
If they are the 3 files you mention then I would say that WSA has done its job and that you should get professional assistance by Opening a Support Ticket ; the service is free of charge to WSA users with an active subscription.
 
Just include a link to this thread, so you do not have to repeat all of the information that you have provided already...and then wait to see what the Support Team come back with as advice as to how to proceed.
 
The fact that rerunning scans and them coming up clean suggests that all is well and that you are not infected...but best to check if you have any doubt, and the Support team can do that for you.
 
Hope that helps?
 
Regards, Baldrick
 
 
 
