Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

A Little Help Please


  • Please log in to reply
12 replies to this topic

#1 safc32

safc32

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 06 October 2010 - 12:59 PM

Hi, I first encountered this problem yesterday, I keep getting pop up threat warnings, such as those described in this thread here

AVG quarantines the risks right away, however 2 things confuse me:-

1) the files that are being described as risks are files associated with certified programmes such as nero, microsoft office and windows mail

2) after quarantine still more threat alerts continue to occur

Due to the continuation of threats I ran a full scan with malware bytes which didn't find any threats and so I thought I was in the clear.

However this afternoon I was hit by another threat, which again AVG quarantined, although the fact that the threat hadn't been picked up in previous scans by both AVG and malware bytes convinced me to run the eset on-line scan, which picked up a further 4 malicious threats.

Here is the list in my AVG virus vault:-

Posted Image

And here are the results of the eset on-line scan:-


C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\71575eb5-265712fc a variant of Java/Mugademel.A trojan deleted - quarantined
C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\71575eb5-75a60c0b a variant of Java/Mugademel.A trojan deleted - quarantined
C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\5945d2f6-67d3ba56 Java/TrojanDownloader.Agent.NBU trojan deleted - quarantined
C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\5945d2f6-72c3c540 Java/TrojanDownloader.Agent.NBU trojan deleted - quarantined


I was wondering if anyone had any information as to what this virus is, where I could have picked it up or whether or not I have managed to get rid of it?


Thanks in advance.

BC AdBot (Login to Remove)

 


#2 safc32

safc32
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 06 October 2010 - 05:07 PM

Having read through this forum further, particularly the information found here I have another question I'd like to ask...

When it states that the virus Win32/Zbot.A infects the .exe, does it have to have been executed during the infection for this to happen?

#3 safc32

safc32
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 06 October 2010 - 07:18 PM

Please guys, I could really do with some advice on this, I've read that it's suggested to reformat, however my PC doesn't seem to be as badly infected as those in the threads where this was suggested. Anyone?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:34 PM

Posted 06 October 2010 - 10:13 PM

Hello, sorry it took a while to get to you..and maybe you'll wish I hadn't. In your screen shot your AVG found a Ramnit/Virut infection.
RAMNIT = VIRUT
Trojan SHeur3.AQRA (AVG)
TR/Spy.Gen (Avira)
Win32.Rmnet (Dr.Web)
Trojan-Spy (Ikarus)
Mal/SillyFDC-A (Sophos)
W32.Ramnit!html (Symantec)

I'm afraid I have very bad news.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 safc32

safc32
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 October 2010 - 09:03 AM

Hello, sorry it took a while to get to you..and maybe you'll wish I hadn't. In your screen shot your AVG found a Ramnit/Virut infection.


So my worst fears are confirmed then, oh well, rather flatten it now than have to replace it some other time, thanks very much for your response. :thumbsup:

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:34 PM

Posted 07 October 2010 - 09:53 AM

Yes it it best,especially if you do any financials as these infections will look to steal such info.
Here's some info on reformattinf from our quietman7.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.


If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Windows XP Home and Professional forum.

Edited by boopme, 07 October 2010 - 09:55 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 safc32

safc32
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 October 2010 - 10:04 AM

Thanks again, I'm running Windows 7 and have the recovery partition built in, however I also have the recovery disks should I need to go down that route so I should be ok, thanks very much for both your time and advice. :thumbsup:

#8 safc32

safc32
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 October 2010 - 10:13 AM

Sorry, just 1 more quick question, is it safe to back up .msi installation files? I downloaded a trial version of eset smart security which I haven't yet executed, could I back that up safely?

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:34 PM

Posted 07 October 2010 - 10:21 AM

I think it's better to make that one of the first things you do after.. as they will most likely be exe or html files.

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

You're welcome froma all of us. :thumbsup:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 safc32

safc32
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 October 2010 - 10:29 AM

You're welcome froma all of us. :flowers:

:thumbsup:

#11 safc32

safc32
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 October 2010 - 05:57 PM

I managed to successfully reformat windows, just ran a full scan and everything's clear, thanks once again for your help and advice. :thumbsup:

EDIT:- Actually there was one thing, dont know if I'm just being paranoid, however once I'd validated my install I immediately went to the AVG website through internet explorer to download AVG, however ie crashed constantly every time I made it to the site. After the crash I tried browsing other sites and it was fine, then back to AVG and it crashed again. I repeated this step a couple of times. In the end I downloaded google chrome, which made it onto the AVG site without any problems & I successfully downloaded and installed AVG. Is there any reason why ie repeatedly crashed attempting to reach the AVG website, or am I just being paranoid? (I hope it's the latter)

Edited by safc32, 07 October 2010 - 06:03 PM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:34 PM

Posted 07 October 2010 - 07:34 PM

Not a 100 percent sure. Probably just the registry settling in. Are you at IE 8?
You could ask in the Win 7 forum, Someone there may have some better info than I on it.



Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 safc32

safc32
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 08 October 2010 - 07:52 AM

Not a 100 percent sure. Probably just the registry settling in. Are you at IE 8?
You could ask in the Win 7 forum, Someone there may have some better info than I on it.


Ok, thanks. Yes I'm at IE8 and I have posted a topic in the Win 7 forum here :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users