Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SHeur2.BQDA virus and 15 other infections found!


  • This topic is locked This topic is locked
9 replies to this topic

#1 cavepunk

cavepunk

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 06 November 2009 - 11:29 PM

Hi there!

I've used this site - with great success! - before and was wondering if you guys could help me again?

I'm running WinXP Service Pack 3 and last night AVG popped up with a warning that it had found a file infected with SHeur2.BQDA. I had AVG remove the infection but it seems to reinstall every time I reboot. (There are three instances of the infection listed in AVG's virus vault:

Virus found Win32/Heur C:\WINDOWS\Temp\wpv841257463018.exe
Virus found Win32/Heur C:\WINDOWS\Temp\wpv261257463018.exe
Virus found Win32/Heur C:\WINDOWS\Temp\wpv581257463018.exe)


In addition, a quick scan with Malwarebytes reveals 15 other infections, as shown in the log below:

Malwarebytes' Anti-Malware 1.41
Database version: 3102
Windows 5.1.2600 Service Pack 3

11/7/2009 3:22:05 AM
mbam-log-2009-11-07 (03-22-05).txt

Scan type: Quick Scan
Objects scanned: 107405
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\JOHNSM~1\APPLIC~1\MACROM~1\Common\3907803c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\JOHNSM~1\APPLIC~1\MACROM~1\Common\3907803c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\JOHNSM~1\APPLIC~1\MACROM~1\Common\3907803c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\JOHNSM~1\APPLIC~1\MACROM~1\Common\3907803c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\JOHNSM~1\APPLIC~1\MACROM~1\Common\3907803c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\JOHNSM~1\APPLIC~1\MACROM~1\Common\3907803c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\JOHNSM~1\APPLIC~1\MACROM~1\Common\3907803c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\JOHNSM~1\APPLIC~1\MACROM~1\Common\3907803c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\John Smith\Application Data\Macromedia\Common\3907803c1.dll (Hijack.Sound) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Smith\Application Data\Macromedia\Common\3907803c19.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

However, again, when I reboot my system and re-scan with Malwarebytes - even after I've turned off System Restore - the deleted infections are found to be still there. I've also run a Spybot scan, but that came up clean.

I've read on Google that the SHeur trojan can be very difficult to remove so I'd be hugely grateful if you could advise me on how to proceed from here.

Thanks in advance for your help!

john

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:42 PM

Posted 06 November 2009 - 11:41 PM

Hello John and welcome. Let' s run these now and see how we are. am signing off now but will be back in the morning here(east coast).

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Please ask any needed questions,post 2 logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 cavepunk

cavepunk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 07 November 2009 - 01:48 PM

Hi there boopme!

Thanks for your fast response!

I already have the ATF cleaner and Superantispyware Professional on my desktop; however, as of four days ago, I've been unable to update Superantispyware (I'm also unable to update Malwarebytes - even when I turned off AVG's firewall, which I thought might've been blocking my connection somehow). When I try to update SAS (or Malwarebytes) the programme just hangs and I have to exit it using Taskmanager. I did perform a quick SAS scan though which came up with the following warning:

Trojan.Unclassified-Packed/Suspicious
C:\WINDOWS\SYSTEM32\AVERM.DLL


However, after letting SAS apparently quarantine the infection, it reappears on rebooting!

After half hour Googling I did find a way to manually update SAS. Do you recommend I try this or not? I'll wait for your reply before attempting anything else as I don't want to mess up my system any more than it already is...

Thanks again for your help - and I eagerly await your reply!

Cheers!
john

#4 cavepunk

cavepunk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 08 November 2009 - 02:31 PM

Ooops! This problem seems to be snowballing! Now I'm getting new threat warnings from AVG as soon as my PC boots up:


Trojan horse agent_r.PA
which is located in C:\Documents and Settings\_My Name_\Application Data\Macromedia\Common\3907803c1.dll

AVG seems to remove the infected file but then there are four instances that says:

Some files cannot be healed
Specified file wasn't found


Then I get another alert from AVG saying it's found:

Trojan horse PSW.Agent.ADKI


Then Spybot-SD's Resident Shield gave me this alert:

c.exe - Morpheus toolbar

which I - hopefully! - blocked from starting, although I have a suspicion it's still lurking on my system.

A quick Googling shows that c.exe is a pretty pernicious infection so I'd be really grateful if you could advise me how to go about cleaning up my system!

Thanks (again) in advance!

john

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:42 PM

Posted 08 November 2009 - 03:46 PM

Hi,sorry we lost internet here,'
Ok run this then update and run MBAM and SAS do not reboot til after the second completes.
If the machine does reboot you will need to run RKill again.


Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.

Edited by boopme, 08 November 2009 - 03:47 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 cavepunk

cavepunk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 08 November 2009 - 10:56 PM

Hi again!

Thanks for your help - but I've downloaded all four Rkill files and none of them work. The DOS box comes up, but then 10 seconds or so later everything on my screen vanishes - taskbar, icons, etc. - until all I'm left with is my desktop wallpaper and cursor. After that I'm forced to reboot to get my PC working again...

I'm guessing this isn't good...?

CORRECTION:

Scratch that!

On rebooting I am now able to update both Malwarebytes and Superantispyware. Should I continue and run MBAM and SAS as you suggest?

Thanks again!
john

Edited by cavepunk, 08 November 2009 - 11:00 PM.


#7 cavepunk

cavepunk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 08 November 2009 - 11:48 PM

So I've run both programs and they came up clean. However, I'm still not sure *just* how clean that is...

Earlier today I got another AVG warning highlighting C:\WINDOWS\system32\lowsec, along with lowsec\local.ds and lowsec\user.ds...

Is there any way to double-check that my system is really free of these infections?

Thanks again!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:42 PM

Posted 09 November 2009 - 11:44 AM

Hi, Yes post and HJT log and they will verify you system.
You will need to run HJT/DDS.
Please follow this guide. Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 cavepunk

cavepunk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 11 November 2009 - 06:52 PM

Okay - I've just done as you suggested!

Thanks a lot for your help, mate!

john

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:42 PM

Posted 11 November 2009 - 10:02 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/270832/trojan-and-virus-infection-exploit-javascript/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users