
I believe I am infected with Trojans, please Help!


6 replies to this topic

#1 Fish-on

Posted 29 September 2010 - 09:42 AM

PC started running strange a week ago. Running Windows XP. I have AVG 9.0 free version which updates and runs daily. Resident Shield detected multiple viruses so I ran the update and full scan manually. Full scan revealed Trojan SHeur3.AQRA and Virus Win32/Zbot.A. AVG sent infections to vault except for the Trojan and possibly another virus (can't recall). Resident Shield now continually finds multiple infections but is unable to remove them. I realized I had a major problem when my Outlook Express would no longer open; "MSOE.DLL could be found" is the error that appears. Upon start-up there is a .DLL error but I can't recall it, sorry. I have also noticed that now Internet Explorer is being redirected to unknown sites when navigating. Windows Update center is unable to be located now as well. Yesterday I downloaded PC Tools Spyware Doctor to try another antivirus. Installed and ran full scan; immediately a Spyware Doctor pop-up notified that it had blocked an attack from Trojan - Bamital and Malware - Ramnit. Scan revealed that I was infected with Trojans Bamital, Downloader.Renos and Backdoor Agent. Oh no! As I don't have e-mail at home working I have signed up at my office, so I am not sure how I will be notified that help is on the way? I should be available through my sign-up mail account from 8am to 4pm Mountain Standard Time. Please help.


#2 boopme


Posted 29 September 2010 - 10:52 AM

Hello and welcome... These were not good finds.
RAMNIT = VIRUT
Trojan SHeur3.AQRA (AVG)
TR/Spy.Gen (Avira)
Win32.Rmnet (Dr.Web)
Trojan-Spy (Ikarus)
Mal/SillyFDC-A (Sophos)
W32.Ramnit!html (Symantec)

I'm afraid I have very bad news.

Your system is infected with a Win32/Ramnit.A!dll, a file infector with IRCBot functionality which infects .exe, .dll and .HTML files and opens a back door that compromises your computer.

Ramnit.A!dll is a component injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Win32/Ramnit.A infected executable file. Ramnit.A also infects .exe, and .HTML/HTM files, downloads more malicious files to your system, and opens a back door that compromises your computer. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A

In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Ramnit.A remains on a computer, the more files will become infected and corrupt so the degree of infection can vary.

Ramnit.A is commonly spread via a flash drive (usb, pen, thumb, jump) infection which is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



#3 Fish-on


Posted 29 September 2010 - 12:02 PM

Thanks for your reply. Yes, I am aware that reformat may be the only option, but as a last resort I hope. Is there anything I can try?

#4 boopme


Posted 29 September 2010 - 12:59 PM

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are some tools and various rescue disks available from major anti-virus vendors. You can try them, or booting from every rescue disk you can find, but they will likely leave your computer in an unbootable state as a result of futile attempts to repair critical system files and drivers. Even vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD utilities that are used to boot from for repair of unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

#5 Fish-on


Posted 29 September 2010 - 02:42 PM

OK, thank you for the information. I knew I was in trouble but not to this extent. I have just been reading a few blogs, Miekiemoes for one. I see my best and safest option is to reformat. I thought I was fairly protected, but we have kids that seem to go anywhere on the net without worry. I guess this is proof of how important safeguarding really is. Thanks again.

#6 Fish-on


Posted 29 September 2010 - 03:03 PM

Hi again, just another thought. I have an external hard drive plugged in via USB which was used to store pictures and backups and files. Would the external hard drive also be infected? I disconnected it just yesterday; I don't think I had any file transfers occur since the infection was picked up a week ago.

#7 boopme


Posted 29 September 2010 - 08:45 PM

Not likely, as pictures are not the type of file it infects.

Here's some info our quietman7 has on this.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.


If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Windows XP Home and Professional forum.
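Added example, not part of the thread and not a BleepingComputer or quietman7 tool: a small triage script that applies the two backup rules from the post above to a folder you intend to restore from. It skips the executable, web-page and archive types the post names, flags the hidden double-extension trick ("photo.jpg.exe" that Explorer shows as "photo.jpg"), and goes one step further than the post by reading each file's first bytes so a "document" that actually begins with a Windows PE header ("MZ") is flagged as well. The extension lists beyond those named in the thread, the sample files and the file names are assumptions made for illustration; run it against a real backup folder with `triage("E:\\backup")` and restore only what it reports as "copy", after an anti-virus scan as the post advises.

```python
"""Triage a backup folder before copying files back after a reformat.

Added example for this thread, not BleepingComputer's own tooling.
It encodes the two backup rules from the post above and adds a check
on each file's leading bytes. Extension lists beyond those named in
the thread are assumptions for illustration.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Rule 2 of the post: never restore executables, web pages or archives.
# .exe/.scr/.htm/.html/.xml/.zip/.rar are from the post; .dll is added
# because post #2 says Ramnit infects DLLs; the rest are assumed extras.
SKIP_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",
            ".dll", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}
# Rule 1: the kinds of data files worth keeping (assumed list).
DATA_EXT = {".doc", ".docx", ".xls", ".txt", ".pdf", ".mp3",
            ".jpg", ".jpeg", ".png", ".gif"}
# autorun.inf drives USB auto-execution; the post says not to back it up.
SKIP_NAMES = {"autorun.inf", "desktop.ini"}
PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable starts with


def classify(name: str, head: bytes) -> tuple[str, str]:
    """Decide what to do with one file from its name and its first bytes.

    Returns (verdict, reason) with verdict one of:
      "copy"    - ordinary data file, safe to scan and restore
      "skip"    - executable/web/archive type the post says to leave behind
      "suspect" - looks like a data file but is not; do not restore it
    """
    lower = name.lower()
    if lower in SKIP_NAMES:
        return "skip", "autorun/config file excluded by policy"

    # Collect every extension in the name so "photo.jpg.exe" yields
    # [".jpg", ".exe"]; Explorer hides the last one and shows "photo.jpg".
    exts = ["." + p for p in lower.split(".")[1:] if p]
    last = exts[-1] if exts else ""

    if last in SKIP_EXT:
        if len(exts) > 1 and exts[-2] in DATA_EXT:
            return "suspect", f"double extension {exts[-2]}{last} hides an executable"
        return "skip", f"{last} files are not restored"

    # Content check: a "document" or "picture" that starts with a PE header
    # is an executable in disguise no matter what it is called.
    if head.startswith(PE_MAGIC):
        return "suspect", f"{last or 'extensionless'} file begins with a PE header"

    return "copy", "data file; scan with an up-to-date AV before restoring"


def triage(root: str | os.PathLike[str]) -> dict[str, str]:
    """Walk a backup tree and map each relative path to its verdict."""
    root = Path(root)
    verdicts: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with open(path, "rb") as fh:
            head = fh.read(2)
        verdicts[path.relative_to(root).as_posix()] = classify(path.name, head)[0]
    return verdicts


def demo() -> dict[str, str]:
    """Build a constructed sample backup folder in a temp dir and triage it."""
    samples = {
        "report.doc": b"\xd0\xcf\x11\xe0 constructed document",
        "song.mp3": b"ID3 constructed tag",
        "photo.jpg.exe": b"MZ\x90\x00 constructed pe",     # hidden double extension
        "invoice.pdf": b"MZ\x90\x00 renamed executable",   # content does not match name
        "page.html": b"<html><script>...</script></html>",
        "autorun.inf": b"[autorun]\r\nopen=setup.exe",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return triage(tmp)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:8} {rel}")
```

Reading only the first two bytes keeps the walk cheap on a large photo archive; the point is not to replace an anti-virus scan but to make sure nothing executable, renamed or not, rides back onto the freshly installed system in the first place.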
