
Sheur.albz Infection.

3 replies to this topic

#1 simoninstow

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:48 AM

Posted 14 March 2008 - 01:05 PM

Been having problems with my PC and I think SHeur.albz could be the culprit. I found it in my AVG virus vault and after a bit of googling it seems a likely contender.

I am running Windows XP Version 2002 Service pack 2. AVG is my anti virus software.

Basically the problem is this.

1. I can't get Internet Explorer to get online.
2. The Windows Firewall has been Disabled and won't enable.
3. System restore also not working and won't create new restore points.

The details in the Virus Vault say:

Object name dmC3.exe
Object path C:\DOCUME~1\Owner\LOCALS~1\Temp\
Discovery Trojanhorse SHeur.ALBZ
Date of detection 22/01/2008 11:26:52
Source computer Desktop
Finder Simon Clarke
File size 52.41KB
Healable No
Source Backup copy
Status Infected.


I've been working in Oz for a month and this all kicked off before I left.

Also in the Virus Vault: JS/Psyme (object name 24.117.96[1].htm), which says it's healable but I don't know how, and Generic2.NEY, which has been there over a year (object name kdkgn.exe).

Before coming here I downloaded XoftSpySE. Was this a bad move?

If anyone can help that would be great.

Please remember that my techie skills are limited so simple instructions would be really good. Please excuse my ignorance!

Hope to hear soon. Many thanks for reading this. I'm getting desperate.
Cheers


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 14 March 2008 - 01:44 PM

XoftSpySE seems like a legitimate tool. You might want to look at the Wikipedia article. Note that Wiki could have been edited by anyone.

The modifications are likely to be caused by a rootkit. Let's first scan for rootkits of any kind. This scan will not change anything on your computer.
  • Please download Rootkit Revealer
    and unzip it onto your desktop.
  • Open the .exe file and run a scan.
  • Once the scan is finished, go to File>Save and save somewhere.
  • Upload the scan file in your next response.

Edited by PropagandaPanda, 14 March 2008 - 01:45 PM.


#3 simoninstow

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:48 AM

Posted 17 March 2008 - 05:13 AM

OK. Here's what it found:

HKLM\SECURITY\Policy\Secrets\SAC* 16/12/2006 17:07 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 16/12/2006 17:07 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 19/12/2006 09:28 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 17/03/2008 08:59 80 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\Temp\$26830686.t$m 17/03/2008 09:26 1.01 KB Visible in directory index, but not Windows API or MFT.


I ran it again and got this:

HKLM\SECURITY\Policy\Secrets\SAC* 16/12/2006 17:07 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 16/12/2006 17:07 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Carbonite\CarboniteService\Stats.ConnectFails 17/03/2008 09:30 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Carbonite\CarboniteService\Stats.ConnectFailGetHostByName 17/03/2008 09:30 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 19/12/2006 09:28 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 17/03/2008 09:29 80 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\setupapi.log 17/03/2008 09:41 2.31 KB Hidden from Windows API.
C:\WINDOWS\system32\CatRoot2\tmp.edb 17/03/2008 09:41 1.01 MB Hidden from Windows API.
C:\WINDOWS\Temp\$17AD15E8.t$m 17/03/2008 09:44 6.68 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\$20D90F37.t$m 17/03/2008 09:44 211 bytes Hidden from Windows API.
C:\WINDOWS\Temp\$33887502.t$m 17/03/2008 09:45 1.14 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Temp\$601B790D.t$m 17/03/2008 09:33 1.03 KB Visible in Windows API, but not in MFT or directory index.


I hope this all makes sense to you.

Look forward to hearing from you.

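The two RootkitRevealer runs above are easier to read when they are parsed and compared: a discrepancy that shows up in both runs deserves more attention than one that only appears in a single pass. The script below is an added example written for this thread, not a Sysinternals tool or anything the poster ran. It parses the report lines into records, labels each by discrepancy type, and applies a small allow-list of well-known noise sources (LSA secrets keys whose names contain embedded nulls, the constantly rewritten RNG seed, and scratch files in the Temp folder that come and go during the scan); that allow-list is my assumption based on how RootkitRevealer is commonly interpreted, not something this page states. The sample input is copied from the two runs quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two RootkitRevealer reports posted in the thread (copied verbatim).
RUN1 = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 16/12/2006 17:07 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 16/12/2006 17:07 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 19/12/2006 09:28 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 17/03/2008 08:59 80 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\Temp\$26830686.t$m 17/03/2008 09:26 1.01 KB Visible in directory index, but not Windows API or MFT.
"""

RUN2 = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 16/12/2006 17:07 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 16/12/2006 17:07 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Carbonite\CarboniteService\Stats.ConnectFails 17/03/2008 09:30 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Carbonite\CarboniteService\Stats.ConnectFailGetHostByName 17/03/2008 09:30 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 19/12/2006 09:28 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 17/03/2008 09:29 80 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\setupapi.log 17/03/2008 09:41 2.31 KB Hidden from Windows API.
C:\WINDOWS\system32\CatRoot2\tmp.edb 17/03/2008 09:41 1.01 MB Hidden from Windows API.
C:\WINDOWS\Temp\$17AD15E8.t$m 17/03/2008 09:44 6.68 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\$20D90F37.t$m 17/03/2008 09:44 211 bytes Hidden from Windows API.
C:\WINDOWS\Temp\$33887502.t$m 17/03/2008 09:45 1.14 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Temp\$601B790D.t$m 17/03/2008 09:33 1.03 KB Visible in Windows API, but not in MFT or directory index.
"""

# One report line: <path> <dd/mm/yyyy hh:mm> <size> <description>. The path may contain
# spaces, so it is matched non-greedily up to the unambiguous timestamp.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)

EMBEDDED_NULL = "embedded-null key name"
# (substring of the description, category label)
CATEGORIES = (
    ("embedded nulls", EMBEDDED_NULL),
    ("Data mismatch", "api/hive data mismatch"),
    ("Hidden from Windows API", "hidden from api"),
    ("Visible in directory index, but not Windows API or MFT", "index-only (transient or deleted)"),
    ("Visible in Windows API, but not in MFT or directory index", "api-only (transient)"),
)


@dataclass
class Discrepancy:
    path: str
    stamp: str
    size: str
    category: str
    noise_reason: Optional[str]  # None when nothing on the allow-list explains it


def explain(path: str, category: str) -> Optional[str]:
    """Allow-list of common benign discrepancies (assumption, not from the thread)."""
    low = path.lower()
    if low.startswith("hklm\\security\\policy\\secrets\\") and category == EMBEDDED_NULL:
        return "LSA secrets keys are stored with embedded nulls by design"
    if low.endswith("\\cryptography\\rng\\seed"):
        return "RNG seed is rewritten constantly, so API and hive views differ"
    if re.search(r"\\temp\\\$[0-9a-f]{8}\.t\$m$", low):
        return "scratch file created and deleted while the scan was running"
    return None


def parse(report: str) -> List[Discrepancy]:
    """Turn a RootkitRevealer text report into structured records."""
    records = []
    for line in report.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised RootkitRevealer line: {line!r}")
        category = next((label for needle, label in CATEGORIES if needle in m["desc"]), "other")
        records.append(Discrepancy(m["path"], m["stamp"], m["size"], category,
                                   explain(m["path"], category)))
    return records


def triage(first: str, second: str) -> Dict[str, List[Discrepancy]]:
    """Compare two runs: persistent items that the allow-list cannot explain go to 'review'."""
    a, b = parse(first), parse(second)
    in_both = {d.path for d in a} & {d.path for d in b}
    persistent = [d for d in b if d.path in in_both]
    transient = [d for d in a + b if d.path not in in_both]
    review = [d for d in persistent if d.noise_reason is None]
    return {"persistent": persistent, "transient": transient, "review": review}


if __name__ == "__main__":
    result = triage(RUN1, RUN2)
    for bucket in ("persistent", "transient", "review"):
        print(f"== {bucket} ({len(result[bucket])})")
        for d in result[bucket]:
            print(f"  {d.path}  [{d.category}]  {d.noise_reason or 'unexplained'}")
```

Run against the two reports, the script leaves a single entry in the review bucket, the webcal URL Protocol mismatch, which is the only discrepancy that persists across both runs and is not covered by the allow-list. That is exactly the kind of item a helper would ask about next; the transient Temp and Carbonite entries change from pass to pass and are what a scan racing against a running system normally produces.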
#4 simoninstow

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:48 AM

Posted 18 March 2008 - 04:58 AM

Doh!

Just remembered something that may be relevant to my problem.
When starting up (very slow) I get the error message xkid7vre.exe come up and am asked to debug, which doesn't appear to do anything.

Anyone got any thoughts?
