
sHeur3.AQRA Trojan Horse help please?


5 replies to this topic

#1 TheCorner

TheCorner

  • Members
  • 3 posts

Posted 01 October 2010 - 05:32 AM

Hello everyone,

I have the sHeur3.AQRA Trojan Horse and it's nearly killed my desktop.

I run AVG and do a system check on a weekly basis.

I got back from honeymoon on Thursday and started my PC up and it seemed a little slow, then all of a sudden I kept getting loads of AVG reports about infections. I ran a scan and it showed up 905 infections, I healed/deleted these then ran another scan and more showed up.

I also ran a Malware program but that showed nothing.

This won't go away and I haven't a clue what to do.

Can anyone help please?

Thanks
TC


#2 Johnny Boy

Johnny Boy

  • Members
  • 182 posts
  • Gender:Male
  • Location:Long Island

Posted 01 October 2010 - 06:48 AM

Restart your computer and as it is booting up tap F8, that will bring up the option to enter into safe mode, you want to click on safe mode with networking. When you reach the desktop, go to Internet Explorer and google Malwarebytes Anti-Malware. Download and update that program and then run a full scan and post back the results.
Staples Easytech Associate
Staples Certified Onsite PC Technician
Computer Science Major, Stonybrook University

Society leans heavily on computers. If you have the power to take out computers, you have the power to take out society.

#3 TheCorner

TheCorner
  • Topic Starter

  • Members
  • 3 posts

Posted 01 October 2010 - 09:17 AM

Okay Johnny Boy, done that and here are the results:

Thanks
TC

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4727

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

01/10/2010 15:16:05
mbam-log-2010-10-01 (15-16-05).txt

Scan type: Full scan (A:\|C:\|D:\|)
Objects scanned: 217038
Time elapsed: 52 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 16
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{53e0b6e8-a51d-448b-b692-40b67b285543} (Adware.180Solutions) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53e0b6e8-a51d-448b-b692-40b67b285543} (Adware.180Solutions) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcapvj0el9t (Rogue.AntiVirusXP) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khazut (Trojan.Hiloti.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Ransom) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0de8fda0-8815-82f2-5d1a-0165ab267026} (Trojan.ZbotR.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcapvj0el9t (Rogue.AntiVirusXP) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rlist (Malware.Trace) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\myid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\12822034 (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\Autorun (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\rhcapvj0el9t\Quarantine\Packages (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\FunWebProducts (Adware.MyWebSearch) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\FunWebProducts\Data (Adware.MyWebSearch) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\FunWebProducts\Data\Campbell (Adware.MyWebSearch) -> No action taken.
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> No action taken.
C:\WINDOWS\avftfp.dll (Trojan.Hiloti.Gen) -> No action taken.
C:\Documents and Settings\Campbell\Local Settings\Temp\tmpa3a2d765\KillEXE.exe (Trojan.Ransom) -> No action taken.
C:\Program Files\MSN Messenger\msimg32.dll (Adware.MyWebSearch) -> No action taken.
C:\Program Files\system\ssa3o.exe (Trojan.Hiloti.Gen) -> No action taken.
C:\System Volume Information\_restore{544AF2B8-D795-44E3-8BA1-EF3949045677}\RP1364\A0094465.dll (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{544AF2B8-D795-44E3-8BA1-EF3949045677}\RP1364\A0095414.dll (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{544AF2B8-D795-44E3-8BA1-EF3949045677}\RP1364\A0096122.dll (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{544AF2B8-D795-44E3-8BA1-EF3949045677}\RP1364\A0096990.dll (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{544AF2B8-D795-44E3-8BA1-EF3949045677}\RP1365\A0100032.dll (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{544AF2B8-D795-44E3-8BA1-EF3949045677}\RP1365\A0100637.exe (Trojan.Hiloti.Gen) -> No action taken.
C:\WINDOWS\Temp\EC.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\ED.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Application Data\12822034\12822034 (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\12822034\pc12822034ins (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\FunWebProducts\Data\Campbell\avatar.dat (Adware.MyWebSearch) -> No action taken.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Campbell\Local Settings\Temp\0.3532345900534075.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Campbell\Local Settings\Temp\d.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\Qoecy\ahle.exe (Trojan.ZbotR.Gen) -> No action taken.
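Added example (editor's addition, not part of TheCorner's post and not Malwarebytes' own tooling): a small Python parser for the log format posted above. It reads the section headers and "item (family) -> action" lines, counts detections per family, lists the entries that run at start-up (Run keys and Winlogon), and pulls apart the Hijack.UserInit line to show which extra executables were chained onto Userinit. The sample input is a constructed excerpt of the log in this thread; the expected Userinit value (`c:\windows\system32\userinit.exe`) is an assumption about a stock Windows XP install, not something Malwarebytes reports.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes log posted above (a constructed subset of its lines).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khazut (Trojan.Hiloti.Gen) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0de8fda0-8815-82f2-5d1a-0165ab267026} (Trojan.ZbotR.Gen) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\Documents and Settings\Campbell\Application Data\Qoecy\ahle.exe (Trojan.ZbotR.Gen) -> No action taken.
"""

# One detection line: "<item> (<family>) -> <rest>", where <rest> may carry
# "Bad: (...) Good: (...) -> <action>" for registry data items.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9._]+)\) -> (?P<rest>.+)$")

# Assumption: on a stock Windows XP install Userinit should contain only this path.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_mbam_log(text):
    """Return a list of detections: {section, item, family, action, rest}."""
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue                       # blank or "(No malicious items detected)"
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]            # e.g. "Files Infected"
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        detections.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "action": rest.rsplit(" -> ", 1)[-1],
            "rest": rest,
        })
    return detections


def count_by_family(detections):
    """Counter of detection families, e.g. how many ZBot-related hits there were."""
    return Counter(d["family"] for d in detections)


def userinit_extras(detections):
    """Paths chained onto Winlogon\\Userinit beyond the expected userinit.exe."""
    extras = []
    for d in detections:
        if d["family"] != "Hijack.UserInit":
            continue
        m = re.search(r"Bad: \((.*?)\) Good:", d["rest"])
        if not m:
            continue
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry and entry.lower() != EXPECTED_USERINIT:
                extras.append(entry)
    return extras


def persistence_hits(detections):
    """Detections under Run keys or Winlogon, i.e. things that start again with Windows."""
    return [d["item"] for d in detections
            if "\\CurrentVersion\\Run\\" in d["item"] or "\\Winlogon\\" in d["item"]]


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(count_by_family(dets))
    print("Userinit extras:", userinit_extras(dets))
    print("Persistence:", persistence_hits(dets))
```

The Userinit entries are the part of this log worth reading first: anything chained onto that value runs at every logon before the desktop appears, which is why a scan that reports "No action taken" on it leaves the machine exactly as infected as before.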

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 October 2010 - 11:44 AM

Hello TheCorner. You do not need to perform any more scans.
RAMNIT = VIRUT
Trojan SHeur3.AQRA (AVG)

I'm afraid I have very bad news.

Your system is infected with a Win32/Ramnit.A!dll, a file infector with IRCBot functionality which infects .exe, .dll and .HTML files and opens a back door that compromises your computer.

Ramnit.A!dll is a component injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Win32/Ramnit.A infected executable file. Ramnit.A also infects .exe, and .HTML/HTM files, downloads more malicious files to your system, and opens a back door that compromises your computer. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A

In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Ramnit.A remains on a computer, the more files will become infected and corrupt so the degree of infection can vary.

Ramnit.A is commonly spread via a flash drive (usb, pen, thumb, jump) infection which is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



Also, about the ZBOT and Backdoor malware found:
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Edited by boopme, 01 October 2010 - 11:46 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 TheCorner

TheCorner
  • Topic Starter

  • Members
  • 3 posts

Posted 01 October 2010 - 01:38 PM

Hi,

That's not good news is it?

I can reformat etc but one question I have is that will my photographs be affected by this?.....I have some that are not yet backed up on disc. Will these be infected if I download them and re-install afterwards?

Thanks
TC

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 October 2010 - 02:00 PM

Yeah I don't like to make those posts myself.
Your photos should be fine.. I will post our quietman7's answer to reformatting as he covered it so well.

Caution: If you are considering backing up data and reformatting, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review: These links include step-by-step instructions with screenshots: Vista users can refer to these instructions: Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
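Added example (editor's addition, not part of boopme's or quietman7's posts): a Python backup filter that applies the rules above before any file leaves an infected machine. It refuses the extensions the post lists, catches double extensions such as `holiday.jpg.exe`, sends files with no visible extension for manual review, and looks inside .zip archives for infectable members (.exe, .dll, .scr, .htm, .html, the types Ramnit is described as infecting) rather than trusting the archive name. The sample file names and in-memory zip contents are constructed for the demonstration; the three verdicts ("copy", "review", "skip") and the helper names are this example's own.

```python
import io
import os
import zipfile

# Extensions the thread says never to back up.
NEVER_BACKUP = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml"}
# Archive types the thread warns about: look inside before deciding.
ARCHIVES = {".zip", ".rar", ".cab"}
# File types the thread describes Ramnit infecting; used when inspecting archive members.
INFECTABLE = {".exe", ".dll", ".scr", ".htm", ".html"}


def extensions(name):
    """Every dotted suffix of the base name, lower-cased: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    base = os.path.basename(name).strip()
    return ["." + p.lower() for p in base.split(".")[1:]]


def archive_infectable_members(data):
    """Members of an in-memory .zip whose final extension is infectable ([] if none)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m for m in zf.namelist()
                if extensions(m) and extensions(m)[-1] in INFECTABLE]


def classify(name, archive_bytes=None):
    """Return ('copy' | 'review' | 'skip', reason) for one candidate file."""
    exts = extensions(name)
    if not exts:
        return "review", "no extension visible; Windows may be hiding it, check the full name"
    final = exts[-1]
    if final in NEVER_BACKUP:
        if len(exts) > 1:
            return "skip", f"executable/script disguised with a double extension {''.join(exts)}"
        return "skip", f"{final} is on the never-back-up list"
    if final in ARCHIVES:
        if final == ".zip" and archive_bytes is not None:
            bad = archive_infectable_members(archive_bytes)
            if bad:
                return "skip", "archive contains infectable files: " + ", ".join(bad)
            return "review", "archive holds only data files; scan it before restoring"
        return "review", f"{final} archive cannot be inspected here; scan it before restoring"
    if any(e in NEVER_BACKUP for e in exts[:-1]):
        return "review", f"inner extension looks executable ({''.join(exts)}); check the real type"
    return "copy", f"{final} data file; still scan it with anti-virus before copying back"


def build_zip(members):
    """Construct an in-memory zip from {name: bytes} (constructed sample data, not real files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, blob in members.items():
            zf.writestr(member_name, blob)
    return buf.getvalue()


def plan_backup(candidates):
    """candidates: list of (name, zip bytes or None). Returns {verdict: [names]}."""
    plan = {"copy": [], "review": [], "skip": []}
    for name, blob in candidates:
        verdict, _reason = classify(name, blob)
        plan[verdict].append(name)
    return plan


if __name__ == "__main__":
    clean_zip = build_zip({"trip/day1.jpg": b"\xff\xd8", "trip/notes.txt": b"hello"})
    dirty_zip = build_zip({"photos/view.jpg": b"\xff\xd8", "photos/viewer.exe": b"MZ"})
    sample = [("wedding_001.jpg", None), ("holiday.jpg.exe", None), ("thesis.docx", None),
              ("scan.jpg.scr", None), ("README", None), ("clean.zip", clean_zip),
              ("dirty.zip", dirty_zip), ("old.rar", None)]
    for name, blob in sample:
        print(f"{name:16} -> {classify(name, blob)}")
    print(plan_backup(sample))
```

Running the filter on the infected machine only decides what is copied; as the post says, the copied data still gets scanned on the clean system before it is restored.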



