
Badly infected with Sheur3.AQRA. Please HELP!



#1 Green Goddess
Posted 01 October 2010 - 02:15 PM

Hi

Today when I was browsing, AVG Free detected a couple of threats (Sheur3.AQRA and also ZBot.A). I asked AVG to move the infections to the vault thinking that it would cure the problem. However, now AVG is detecting threats constantly (we are talking about a list of over 2500 threats, mostly SHeur3, ZBot.A and Generic Viruses). My computer was completely clean before today.

I ran a program called Trojan Remover in Safe Mode which found a suspicious file and registry entry and removed it. However, each time I rebooted it kept coming back. I then ran Malwarebytes which found 3 infections (Trojan.Dropper, ZBot and another which I have now forgotten). It removed them and now Malwarebytes and Trojan Remover show a clean bill of health for my PC.

Unfortunately AVG is still throwing up thousands of infections and many of the programs on my computer have now been corrupted and no longer work. I am reluctant to leave it running in normal mode so it is now sitting in safe mode. I have no idea what to do now, other than to reformat it.

Is there any way to get rid of this thing without wiping my entire HDD?

Win XP is fully up to date and so are all my anti-virus and spyware programs.

Many thanks.

Edited by hamluis, 03 October 2010 - 10:26 AM.
Moved from XP to Am I Infected ~ Hamluis.


#2 boopme
Posted 01 October 2010 - 02:21 PM

Hello and welcome. Wish I had something good to say here, but the ZBot backdoor trojan has allowed hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


The malware Trojan SHeur3.AQRA (AVG) is another name for a Ramnit or Virut infection.


RAMNIT = VIRUT
Trojan SHeur3.AQRA (AVG)
TR/Spy.Gen (Avira)
Win32.Rmnet (Dr.Web)
Trojan-Spy (Ikarus)
Mal/SillyFDC-A (Sophos)
W32.Ramnit!html (Symantec)

I'm afraid I have very bad news.

Your system is infected with a Win32/Ramnit.A!dll, a file infector with IRCBot functionality which infects .exe, .dll and .HTML files and opens a back door that compromises your computer.

Ramnit.A!dll is a component injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Win32/Ramnit.A infected executable file. Ramnit.A also infects .exe, and .HTML/HTM files, downloads more malicious files to your system, and opens a back door that compromises your computer. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A

In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Ramnit.A remains on a computer, the more files will become infected and corrupt so the degree of infection can vary.

Ramnit.A is commonly spread via a flash drive (usb, pen, thumb, jump) infection which is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Green Goddess
Posted 01 October 2010 - 02:34 PM

Hi,

Thanks for your extremely helpful advice. This is the worst infection I have ever experienced.

At the time of infection I had two additional external 1TB drives running and connected to the PC. Is it likely those will be infected? The last thing I want is to have to wipe those as they contain ALL my most critical information. The PC kept running (and was connected to the internet) for around 40 minutes after the initial infection. The external HDDs were manually turned off after 5 minutes of discovering the infection.

Also, is it possible to save some of the important data (emails etc) from my PC's main internal HDD before I wipe it clean?

Edited by Green Goddess, 01 October 2010 - 02:36 PM.


#4 boopme
Posted 01 October 2010 - 03:21 PM

I would scan those drives. Also, did you use any flash drives from this infected PC? The other drives may be OK. Here's info on reformatting and files you can save. Most music, photo and text files are OK.

Caution: If you are considering backing up data and reformatting, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it, but there is no guarantee, so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files and photos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review: These links include step-by-step instructions with screenshots. Vista users can refer to these instructions. Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
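Applying boopme's backup rules above as an added example (this is not code from the thread or from any BleepingComputer tool): a Python script that walks a suspect drive and sorts files by the extension rules in the post, flagging the double-extension disguise he warns about, without opening or running anything. The `.inf` and `.dll` entries in the risky list and the allow-list of "data" extensions are my assumptions.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions boopme says not to back up. ".inf" (autorun.inf) and ".dll"
# (Ramnit infects .dll too, per post #2) are my additions to his list.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml",
    ".zip", ".rar", ".cab", ".inf", ".dll",
}
# "Most music and photo and text are OK": an assumed allow-list of data types.
DATA_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".wav", ".txt", ".doc",
    ".xls", ".pdf", ".wab",
}


def classify(name):
    """Sort one file name into 'data', 'risky', 'disguised' or 'unknown'.

    Only the name is inspected; the file is never opened or executed.
    'disguised' is the trick boopme warns about: 'holiday.jpg.exe' shows as
    'holiday.jpg' when Windows hides the real (last) extension.
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return "unknown"
    last = suffixes[-1]
    if last in RISKY_EXTENSIONS:
        if any(s in DATA_EXTENSIONS for s in suffixes[:-1]):
            return "disguised"
        return "risky"
    if last in DATA_EXTENSIONS:
        return "data"
    return "unknown"


def plan_backup(root):
    """Walk a suspect drive and group every file by category, by name only."""
    root = Path(root)
    plan = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = Path(dirpath, fname).relative_to(root).as_posix()
            plan[classify(fname)].append(rel)
    return {category: sorted(paths) for category, paths in plan.items()}


def demo():
    """Build a constructed sample tree (placeholder files, not real data)."""
    sample = [
        "Photos/holiday.jpg", "Photos/holiday.jpg.exe", "Docs/notes.txt",
        "Docs/report.doc", "Music/song.mp3", "Saved/index.html",
        "autorun.inf", "Docs/old.bak",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("placeholder")
        return plan_backup(tmp)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Only the "data" list is a candidate for copying to CD/DVD; "disguised" and "unknown" entries are worth a second look by name before anything else is decided.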

#5 Green Goddess
Posted 01 October 2010 - 04:43 PM

Hi,

Thanks again for all your help. I really appreciate it. I would like to scan my two external HDDs. How do I do that without risking infecting them? Do I wipe my main computer clean first, reinstall XP and then scan my external drives, or do I scan them before I wipe the main computer? Or would I need to connect them to an uninfected computer to scan them?

#6 boopme
Posted 01 October 2010 - 07:19 PM

Well, that would be the absolute safest way, after you reformat. Otherwise you could update your AV, then disconnect from the internet. Reboot to Safe Mode, connect the external and select that drive to scan.
Either way I would also scan with a second tool for thoroughness. SAS is good in Safe Mode. Install, update and scan.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#7 Green Goddess
Posted 01 October 2010 - 09:34 PM

Hi boopme,

Thanks again! You're a hero!

I had a new internal HDD that was about to go in so I installed it and started from scratch. I got Win XP installed and managed to import all my emails off a USB flash drive without re-infecting. I have also been able to restore 95% of my important data using one of my daily backup files. So far so good.

My old infected internal HDD is now sitting on my desk. I could really do with a few files off it before I wipe it clean. Would it be safe to install it back into my computer as a second drive and drag across those few files in safe mode? Or would I risk re-infecting the computer? I don't want any executable files, just my Windows Address Book and a few saved internet favourites.

#8 boopme
Posted 02 October 2010 - 10:05 AM

Great!! Yes, you can connect it as a slave safely and get those files. Easy to do.
How to Slave a Hard Drive

#9 Gabrial
Posted 02 October 2010 - 12:57 PM

When accessing the data on this drive, I recommend right clicking on My Computer and clicking Explore.

If you double click the drive and there is a \autorun.inf file on the drive pointing to an executable, it could execute the program from that drive that this file points to and reinfect your computer.

Virut is a horrid infection and I wouldn't wish it on anyone.

Edited by Gabrial, 02 October 2010 - 12:58 PM.
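To make Gabrial's autorun.inf point concrete, an added example that is not part of the thread: a small Python parser that reads the autorun.inf at the root of a slaved or external drive and reports which commands a double-click in Explorer would launch, without running any of them. The sample autorun.inf, including the RECYCLER path in it, is constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Keys in [autorun] that make Explorer launch or open something on double-click.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Parse autorun.inf text into {section: {key: value}} with lower-case names.

    Hand-written rather than configparser so odd casing such as [AutoRun]
    and keys like shell\\open\\command are handled uniformly.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return (key, command) pairs an autorun.inf would run; runs none of them."""
    auto = parse_autorun(text).get("autorun", {})
    return [
        (key, value) for key, value in auto.items()
        if key in LAUNCH_KEYS
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def check_drive_root(root):
    """Find autorun.inf (any letter case) at a drive root and report its targets."""
    root = Path(root)
    if not root.is_dir():
        return []
    for entry in os.listdir(root):
        if entry.lower() == "autorun.inf":
            return launch_targets(Path(root, entry).read_text(errors="replace"))
    return []


# Constructed sample, not a file recovered from the poster's drive.
SAMPLE_AUTORUN = """
[AutoRun]
; runs a hidden dropper when the drive icon is double-clicked
open=RECYCLER\\dropper.exe
shell\\open\\command=RECYCLER\\dropper.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Backup Drive
"""


def demo():
    """Write the sample as AUTORUN.INF in a temp 'drive' and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "AUTORUN.INF").write_text(SAMPLE_AUTORUN)
        return check_drive_root(tmp)


if __name__ == "__main__":
    for key, command in demo():
        print(f"{key} -> {command}")
```

A drive whose root carries only icon= and label= lines is the benign case; any open=, shellexecute= or shell\...\command= line is what Gabrial's Explore-instead-of-double-click advice protects against.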


#10 Green Goddess
Posted 02 October 2010 - 12:59 PM

Thanks again boopme (and also Gabrial)!

I have now managed to transfer all my files across safely. My computer is now working perfectly and I have lost no data. I could not have done it without you. Thank you so much!!!

#11 boopme
Posted 02 October 2010 - 04:19 PM

Glad to hear it, you are welcome from all of us at BC.

Tips to protect yourself against malware and reduce the potential for re-infection: Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read: {Thanks to our quietman7}

#12 Green Goddess
Posted 03 October 2010 - 10:20 AM

Hi boopme,

Oh dear... something's still not right here. I was away from my computer for a couple of hours today and when I came back the AVG program was warning me that it had found two threats. One of them was ZBot.A, I can't remember what the other one was but it wasn't SHeur3. The threats were both located in a directory called "Restore" on my C drive. I immediately turned off System Restore on all drives and ran full scans with Malwarebytes, AVG and Trojan Remover. All came up completely clean. Do you think my computer is safe? Or do I need to do anything else just to be 100% sure that there's nothing left lurking around? Sorry to be a nuisance.

#13 boopme
Posted 03 October 2010 - 01:31 PM

Hello, sorry to hear this. The best thing we should do at this point then is get a deep look here and find all traces so we know for sure. It will take a few days for a reply but all logs are answered, just very busy.

Please go here....
Preparation Guide, do steps 6 - 9.
Explain the situation, create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.

Let me know if that went well.

#14 Green Goddess
Posted 03 October 2010 - 03:24 PM

Hi boopme,

Thanks again for your help. I have gone through all the instructions. GMER gave me a blue screen of death and an automatic reboot on the 1st attempt. The 2nd attempt locked up but it managed the full scan on the 3rd attempt. I have managed to post all the logs and details in the appropriate forum section as you advised.

Just one quick question... is the new Windows 7 as susceptible to these sort of threats? I was just wondering if it was worth the upgrade whilst my computer is in pieces. I have no real desire to upgrade but if it would reduce the likelihood of these sort of serious problems then I would definitely consider it.

#15 boopme
Posted 03 October 2010 - 03:32 PM

Hello, something to consider before the plunge. The 64-bit version of 7 is a lot safer, but not a guarantee. Also you will need to see if your XP machine is capable of running it. Then you need to check if the applications you now have will run in the 64-bit environment. Questions about these need to be taken up in the Win7 forum as they know that side of 7 better than I.
