Trojan Horse: SHeur.ALBZ (How Do I Remove It)


11 replies to this topic

#1 solorize


Posted 24 January 2008 - 08:53 AM

Hi,

The other night my AVG antivirus detected the Trojan horse: SHeur.ALBZ
which killed my internet access and disabled my firewall.

I then realised that TCP/IP had somehow been affected and would not work,
which was stopping internet access and causing my PC to take ages
to start up when Windows was loading.

So I looked on the net and found the following on a Dutch forum. After I had
translated it into English and glanced over the whole thread, at the end
there was the advice below:

Link to Thread

So I did the above and that cured my problem...

Until I rebooted the machine, and then it looked as if the Trojan had affected the system
again and I had to repeat the above process.

Which leads me to believe that I still have something somewhere on my
machine that is affecting it.

I have done a full scan with AVG, the A-squared anti-spyware program and Lavasoft's Ad-Aware
and none of them have found anything.


Could someone advise what I should do now?


Thanks in advance

Mark

Edited by quietman7, 24 January 2008 - 09:33 AM.

..:[ MD Photography ]:..
http://www.mdunn.co.nr


#2 quietman7


Posted 24 January 2008 - 09:37 AM

...AVG antivirus detected the Trojan horse: SHeur.ALBZ

Did AVG provide a specific file name associated with this malware threat and, if so, where was it located (full file path) on your system? If your scan saved a log file, it should show exactly what and where the malware was found, so post that instead.

You should not be following specific instructions provided to someone else especially if they were given in the HijackThis forum. Those instructions were given under the guidance of a trained staff expert to help fix that particular member's problems, NOT YOURS. Before taking any action, the helper must investigate the nature of the malware issues and then formulate a fix for the victim. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware. Using someone else's fix instructions could lead to disastrous problems with your operating system. It's best that you tell us what specific issues YOU are having rather than point to someone else.

I removed the specific instructions you reposted that were given by Marckie to the OP being helped in that thread.

Have you tried running your scans in "Safe Mode"?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 solorize


Posted 24 January 2008 - 01:26 PM

Sorry I was clutching at straws trying to get my pc back up and
running and all I could find was that thread on the internet for that Trojan.


I have the info below on what AVG found; the info is from the Virus Vault:

Trojan horse SHeur.ALBZ
C:\DOCUME~1\solorize\LOCALS~1\Temp\jre-6u3-windows-i586-p-iftw_2cd32978a.exe
22/01/2008
18:14:46
jre-6u3-windows-i586-p-iftw_2cd32978a.exe
52.41 KB


I will try running the scans in Safemode now and see if that finds anything.

At the moment my pc "seems" to be behaving ok, but I am not 100% sure
the problem has gone.

If you could tell me what I should do now that would be much
appreciated.

Regards

Mark

Edited by solorize, 24 January 2008 - 01:28 PM.


#4 quietman7


Posted 24 January 2008 - 03:20 PM

When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "False Positive". If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.

"Understanding AVG7 Free Virus Vault"
"AVG FAQ #647: I have some files in the AVG Virus Vault. What next?"

If AVG is not finding anything more, you should get another opinion by performing an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

#5 solorize


Posted 24 January 2008 - 04:44 PM

Hi, I ran AVG from Safe Mode and it did not find anything.

So I rebooted my PC and now I cannot access the internet and
my firewall has been disabled again =(

I have just run a program called GMER and it came up with a message saying that a
modification has happened caused by a Rootkit.

See the log below (at the bottom, under Services, there is a file called aopyfiaa.dat
which is shown as hidden and flagged as a rootkit). Do you think that this could be
causing the problem, and if so, do you know what I need to do to clean it?


GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-01-24 21:37:11
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BA359 7 Bytes JMP BAB292C6 aopyfiaa.dat
? aopyfiaa.dat The system cannot find the file specified. !
.text win32k.sys!EngAcquireSemaphore + 262F BF808B27 5 Bytes JMP 87CEE4D0
.text win32k.sys!EngFreeUserMem + 54CB BF80EFA7 5 Bytes JMP 87CEE430
.text win32k.sys!EngUnmapFontFileFD + F30E BF8496C1 5 Bytes JMP 87CEE610
.text win32k.sys!EngGradientFill + 189B BF89E361 5 Bytes JMP 87CEE750
.text win32k.sys!EngGradientFill + 3075 BF89FB3B 5 Bytes JMP 87CEE570
.text win32k.sys!EngAlphaBlend + 4C8A BF8C3327 5 Bytes JMP 87CEE6B0
.text win32k.sys!PATHOBJ_bCloseFigure + 19D0 BF8EDAD6 5 Bytes JMP 87CEE7F0

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[3692] SHELL32.dll!SHGetPathFromIDList + 2A9D 7CA3768E 1 Byte [ DB ]
.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A166F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1634 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A157C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16AA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)

Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)

Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- Services - GMER 1.0.14 ----

Service system32\drivers\aopyfiaa.dat (*** hidden *** ) [BOOT] eaarslae <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
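As an added example (not code from this thread and not GMER's own code), the Python script below parses the kind of GMER 1.0.14 log posted above and pulls out the two findings that decide the triage: kernel-mode inline hooks (a JMP written over the first bytes of a kernel export, as on the ntkrnlpa.exe!ObReferenceObjectByHandle line) and services GMER could see on disk or in the boot list but not through the normal service APIs. The embedded SAMPLE_LOG is a constructed, trimmed copy of the report in this post. The classification rules (a hook whose target GMER could not attribute to any loaded image, a hook into a file that cannot be opened on disk, a hidden service) are my own triage heuristics, not GMER's verdict logic.

```python
"""Triage a GMER rootkit-scan log: kernel inline hooks and hidden services.

Added example; not part of the BleepingComputer thread and not GMER's own code.
SAMPLE_LOG is a constructed, trimmed copy of the log posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BA359 7 Bytes JMP BAB292C6 aopyfiaa.dat
? aopyfiaa.dat The system cannot find the file specified. !
.text win32k.sys!EngAcquireSemaphore + 262F BF808B27 5 Bytes JMP 87CEE4D0
.text win32k.sys!EngFreeUserMem + 54CB BF80EFA7 5 Bytes JMP 87CEE430

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4060] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service system32\drivers\aopyfiaa.dat (*** hidden *** ) [BOOT] eaarslae <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
"""

SECTION = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# "PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BA359 7 Bytes JMP BAB292C6 aopyfiaa.dat"
KERNEL_HOOK = re.compile(
    r"^\S+\s+(?P<module>[^!\s]+)!(?P<function>\S+)\s+\+\s+[0-9A-F]+"
    r"\s+(?P<address>[0-9A-F]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<owner>\S.*?))?\s*$",
    re.IGNORECASE,
)
# "? aopyfiaa.dat The system cannot find the file specified. !"
MISSING_FILE = re.compile(r"^\?\s+(?P<file>\S+)\s+(?P<reason>.+?)\s*!$")
# "Service system32\drivers\aopyfiaa.dat (*** hidden *** ) [BOOT] eaarslae <-- ROOTKIT !!!"
SERVICE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[A-Z]+)\]\s+(?P<name>\S+)"
)


@dataclass
class Hook:
    module: str          # patched image, e.g. ntkrnlpa.exe
    function: str        # patched export
    address: int         # address of the overwritten bytes
    size: int            # length of the overwritten prologue (5 = rel32 JMP, 7 = absolute JMP)
    target: int          # where the JMP lands
    owner: str | None    # image GMER resolved the target to, or None if unattributed


@dataclass
class Service:
    path: str
    name: str
    start: str           # BOOT, SYSTEM, AUTO, ...
    hidden: bool         # not visible through the service control manager / registry APIs


@dataclass
class Triage:
    hooks: list[Hook] = field(default_factory=list)
    missing_files: dict[str, str] = field(default_factory=dict)  # file -> error GMER reported
    services: list[Service] = field(default_factory=list)


def parse_gmer(log: str) -> Triage:
    """Walk the log section by section and collect hooks, unreadable files and services."""
    t = Triage()
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        if section.startswith("Kernel code"):
            if (m := KERNEL_HOOK.match(line)):
                t.hooks.append(Hook(
                    module=m["module"], function=m["function"],
                    address=int(m["address"], 16), size=int(m["size"]),
                    target=int(m["target"], 16), owner=m["owner"],
                ))
            elif (m := MISSING_FILE.match(line)):
                t.missing_files[m["file"]] = m["reason"]
        elif section.startswith("Services"):
            if (m := SERVICE.match(line)):
                t.services.append(Service(
                    path=m["path"], name=m["name"], start=m["start"],
                    hidden="hidden" in m["flags"].lower(),
                ))
    return t


def hidden_drivers(t: Triage) -> set[str]:
    """Images that own a kernel hook but cannot be opened on disk: a file-hiding rootkit's signature."""
    return {h.owner for h in t.hooks if h.owner and h.owner in t.missing_files}


def findings(t: Triage) -> list[str]:
    """Human-readable triage lines, hidden services first."""
    out: list[str] = []
    for s in t.services:
        if s.hidden:
            out.append(f"hidden service {s.name!r} backed by {s.path} (start type {s.start})")
    for h in t.hooks:
        where = f"{h.module}!{h.function} @ {h.address:08X}"
        if h.owner in t.missing_files:
            out.append(f"{where}: {h.size}-byte JMP into {h.owner}, which cannot be opened on disk")
        elif h.owner is None:
            out.append(f"{where}: {h.size}-byte JMP to {h.target:08X}, target not inside any loaded image")
    return out


if __name__ == "__main__":
    for line in findings(parse_gmer(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the script reports the hidden boot-start service eaarslae, the ObReferenceObjectByHandle patch that jumps into aopyfiaa.dat (a file GMER could not open, so the same driver that hooks the kernel is hiding itself on disk), and the two win32k.sys patches whose targets GMER could not attribute to any loaded image. Unattributed targets are not proof of malice on their own (some security products patch win32k too), but together with a hidden service they are exactly what the "ROOTKIT !!!" line is warning about.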

#6 quietman7


Posted 24 January 2008 - 06:37 PM

Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

#7 solorize


Posted 25 January 2008 - 03:31 AM

Thanks again for your advice.

If I tried to remove the Trojan with your guidance and it was successful,
in your opinion would you think I should be OK? And is there a way to
monitor if the Trojan has come back again?

If not, I will go for the reformat and reinstall of the OS.

#8 quietman7


Posted 25 January 2008 - 08:31 AM

Your decision as to what action to take should be made by asking yourself the questions presented in the "When should I re-format?" link and whether it is worth the effort as described in the "Reformatting the computer or troubleshooting; which is best?" link. Reformatting and doing a clean install of the OS is the safest action but I cannot make that decision for you.

#9 solorize


Posted 25 January 2008 - 04:25 PM

Hi,

I have bitten the bullet and gone for a reformat and reinstall as, after
thinking about what you said, it makes more sense to start again with a
totally clean OS.

I am currently formatting my other machine as I type this from another
one of my PCs.

Just hope I have all my driver CDs ;-)

I managed to copy all the files that I did not want to lose onto an
external HD, so I can copy them back once I have reinstalled the OS.

One last question: do you think that the virus could infect or get onto my external HD
while I copied all the files I wanted to keep? Obviously none of the files are Windows files, just
photos, music, docs etc.

I just want to make sure that I don't stand a chance of reinfecting the clean OS when I copy
these files back onto the PC.

#10 quietman7


Posted 25 January 2008 - 05:05 PM

That's the decision I would have made if this were my system.
You should not back up any .exe files because they may be infected. Your photos, music and docs should be OK, but to be safe, scan them with your anti-virus before you copy them back to your PC.

Also see "How to keep your Windows XP activation after clean install".

Edited by quietman7, 25 January 2008 - 05:08 PM.

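The advice above is to leave .exe files out of the backup. A filter on the file extension alone is easy to defeat, since a Windows executable renamed to .mp3 or .jpg keeps its MZ DOS header and PE signature, so the stricter check is on file content. The script below is an added example, not code from the thread: it walks a backup tree, classifies every file by header, and reports anything that is an executable regardless of its name. The extension list, the sample backup tree built by build_sample_backup() and the synthetic header returned by minimal_pe() are all constructed for the demonstration and come from nobody's real disk.

```python
"""Find executables in a backup set by content, not by file extension.

Added example; not code from the thread. A renamed executable keeps its
'MZ' DOS header and 'PE' signature, so every file's header is checked and
anything that is an executable is reported whatever it is called. The
sample backup tree is constructed by build_sample_backup().
"""
from __future__ import annotations

import io
import os
import struct
import tempfile

# Extensions Windows will run directly; flagged even when the header check fails.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".sys", ".ocx", ".bat", ".cmd", ".vbs"}


def _classify_stream(f) -> str | None:
    """Return 'pe' for a Windows PE image, 'mz' for a bare DOS MZ executable, else None."""
    head = f.read(0x40)                                  # IMAGE_DOS_HEADER is 64 bytes
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]  # file offset of the PE signature
    f.seek(e_lfanew)
    return "pe" if f.read(4) == b"PE\0\0" else "mz"


def classify_bytes(data: bytes) -> str | None:
    return _classify_stream(io.BytesIO(data))


def classify_file(path: str) -> str | None:
    try:
        with open(path, "rb") as f:
            return _classify_stream(f)
    except OSError:
        return None


def scan_backup(root: str) -> list[tuple[str, str]]:
    """(relative path, reason) for every file that must not be copied back without a scan."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            kind = classify_file(full)
            if kind and ext not in EXEC_EXT:
                flagged.append((rel, f"{kind} executable disguised as {ext or 'no extension'}"))
            elif kind or ext in EXEC_EXT:
                flagged.append((rel, f"executable ({kind or ext})"))
    return sorted(flagged)


def minimal_pe() -> bytes:
    """Smallest byte string the header check accepts as a PE: MZ stub, e_lfanew, PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)   # PE signature immediately after the DOS header
    return bytes(stub) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 18  # IMAGE_FILE_HEADER, Machine=i386


def build_sample_backup(root: str) -> None:
    """Constructed sample: benign media and documents, one obvious .exe, one PE renamed to .mp3."""
    files = {
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "docs/notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
        "music/track02.mp3": b"ID3" + b"\x00" * 64,
        "downloads/setup.exe": minimal_pe(),
        "music/track01.mp3": minimal_pe(),     # executable hiding behind an audio extension
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temporary directory, scan it, and return the flagged files."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_backup(root)
        return scan_backup(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point scan_backup() at the mounted external drive before copying anything back; the photos, music and documents pass through, the .exe is caught by name, and the PE renamed to .mp3 is caught by its header. Files it flags are the ones worth deleting or at least scanning with an up-to-date anti-virus on the clean install before they are opened.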

#11 solorize


Posted 26 January 2008 - 04:43 AM

After spending all evening up to 2:00am reinstalling and
loading all my drivers etc.. back onto my pc I am almost
at the stage to start installing all my software back on to
my machine.

Before I start doing that can I ask one last question ;-)

Out of all the anti-spyware programs out there, which ones
would you recommend me installing to try and keep this new
installation clean? There are so many out there now I
don't know which ones are good and which ones to avoid.

If you could offer me any advice I would be very grateful.

Regards

Mark

#12 quietman7


Posted 26 January 2008 - 10:33 AM

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1".
"Hardening Windows Security - Part 2".
"IE Recommended Minimal Security Settings".



