

STOPzilla finding Win.32 rogue and trojans, recently had 3AE.exe, all which related to Cycbot.G


5 replies to this topic

#1 Mediterrasian

Posted 26 February 2012 - 04:49 PM

Hi there.
Recently, I had an infection on my computer which has been removed (I have written a description of it at the end). However, I am still wary that I have something on my computer. I know this doesn't sound important but I have personal files on here and I also have 19 exams coming up and I really don't want this to be an extra worry. Anyway, I recently just had a STOPzilla scan (I had the trial version, and it has run out but it still scans) and it found 4 things. It found: Rogue.Win32.Antivirus 7 in the Temp folder, Trojan.Win32.Vundo.gen!a in AppData/Roaming/Remote, Trojan.Win32.Mal.gen!a46 in AppData/Roaming and some folder with loads of letters and numbers, and also something called Hidden Files & Folders in my Videos folder which I originally, before the infection, had hidden.
Also, the infection I had hid all my files. I have put them on show, but they are still on hidden, even though the infection has been removed. Should they have gone back to normal, or do I need to un-hide them?
I have done research on this Rogue Win32 Antivirus and it says I should be getting popups trying to trick me into putting my details in but I am not getting these popups. I'm assuming and hoping that this has been quarantined but the fact that STOPzilla found it after the infection I had still worries me, particularly as my trial days have run out.
I've tried MalwareBytes, and that has found nothing. I then tried SUPERAntiSpyware and tried a Custom Scan. I tried to type in the folder that this Rogue.Win32.Antivirus 7 is in, but it said the folder could not be used.

Do you think I should be concerned about this, and do you think I should try and delete the folders the Rogue and Trojans are in? I know this maybe doesn't sound important, but I really just want to be able to rest easy.
If this helps, this is a description of the infection I had:
I was on a Tumblr blog and something about Java kept coming up and closing my Internet. After I re-loaded the blog, it worked fine. Then one day, I tried going on it again, and this popup kept coming up, asking for my permission to install Adobe Flash Player. I kept denying but it kept popping up over and over till I closed my Internet where it stopped.
I was suspicious something had got onto my computer so I went on Task Manager, checked my processes and noticed two weird ones called 3AE.exe and 4380B.exe. I tried looking them up, but couldn't find much aside from a few websites stating that 3AE.exe was highly critical. There were no instructions, however, on how to remove them. I tried setting the priority to them as 'Low', but they just returned to 'Normal' without my doing so. Eventually, I found what folder they were in and stupidly, I got McAfee to shred it. Then my background disappeared, along with the majority of my shortcuts, and my computer kept restarting. A ton of pop ups kept coming up also, saying something about a failure of my hard drive. I'm not quite sure what it said because I was freaking out, and eventually had to call a friend over to remove it because I was in such a panic trying to do it myself. Ever since he sorted it, I have not seen 3AE.exe or 4380B.exe.

If this also helps, I've read somewhere that 3AE.exe has been related to Cycbot.G, which has also been related to the Win.32 Trojans STOPzilla is finding.
Thank you for any advice you can give me.
Oh and I am using Windows Vista Home Edition.

Edited by Mediterrasian, 26 February 2012 - 04:53 PM.



#2 boopme
  • Global Moderator

Posted 26 February 2012 - 06:14 PM

Hello. 3AE.exe appears to be backdoor malware; see VirusTotal.
As such, I need to tell you this first.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Mediterrasian

  • Topic Starter

Posted 27 February 2012 - 06:11 PM

Hello, thank you so much for the advice.
I didn't really get the chance to use the computer that got infected with banking or financial matters as it was new, so that's pretty lucky I guess.
Ah, I see. Yes, I did suspect something like that would happen as even though 3AE.exe has been removed, or so I think it has, the infected computer has still been acting strangely, so I think I'm going to go with your advice and do a re-install. After all, better to be safe than sorry, right?
Thank you again for the clear up of 3AE.exe and the advice, it is much appreciated.

#4 boopme
  • Global Moderator

Posted 27 February 2012 - 11:53 PM

You're welcome. Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.


Only back up your important documents, personal data files, and photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
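As an added example (not code from the poster or the moderator), a small Python script that applies the backup rules in the reply above to a constructed file listing: it skips the extensions the reply lists and separately flags a data-looking name that ends in a risky extension (photo.jpg.exe), the kind of disguised extension the reply warns about. The DATA_EXTENSIONS list and the sample paths are assumptions made for the demonstration.

```python
from pathlib import PureWindowsPath

# Extensions the reply above says not to back up (taken from that list).
RISKY_EXTENSIONS = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp",
                    ".xml", ".zip", ".rar", ".cab"}
# Ordinary data types a user would expect to back up (assumed list).
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx", ".pdf",
                   ".txt", ".mp3", ".mp4", ".avi"}


def classify(path):
    """Return (decision, reason) for one file path.

    decision is 'skip' or 'keep'. A risky final extension is skipped; when the
    extension before it looks like a data type (photo.jpg.exe) the reason says
    so, because Windows hides that final extension when 'Hide extensions for
    known file types' is on and the file then looks like an ordinary photo.
    """
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if not suffixes:
        return ("keep", "no extension")
    final = suffixes[-1]
    if final in RISKY_EXTENSIONS:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTENSIONS:
            return ("skip", "disguised double extension %s%s" % (suffixes[-2], final))
        return ("skip", "risky extension " + final)
    return ("keep", "data file " + final)


def plan_backup(paths):
    """Split candidate paths into (keep, skip) lists of (path, reason) pairs."""
    keep, skip = [], []
    for p in paths:
        decision, reason = classify(p)
        (keep if decision == "keep" else skip).append((p, reason))
    return keep, skip


# Constructed sample listing for the demonstration, not from any real machine.
SAMPLE_FILES = [
    r"C:\Users\Me\Documents\essay.docx",
    r"C:\Users\Me\Pictures\holiday.jpg",
    r"C:\Users\Me\Pictures\holiday.jpg.exe",
    r"C:\Users\Me\Downloads\setup.exe",
    r"C:\Users\Me\Downloads\archive.zip",
    r"C:\Users\Me\Videos\clip.mp4",
]

if __name__ == "__main__":
    for label, entries in zip(("COPY", "LEAVE"), plan_backup(SAMPLE_FILES)):
        for path, reason in entries:
            print(label, path, "(" + reason + ")")
```

Files it marks COPY should still be scanned with an up-to-date anti-virus before being copied back after the reinstall, as the reply says.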

#5 Mediterrasian

  • Topic Starter

Posted 01 March 2012 - 03:26 PM

Sorry for the late reply but thank you for providing advice, it is much appreciated, particularly as I have never done a re-install before. I'm going to do it now and feel really secure doing it thanks to you.
Thank you for your help!

#6 boopme
  • Global Moderator

Posted 02 March 2012 - 10:44 AM

You're welcome. If you have any further questions on it, ask in the corresponding Operating System forum and they will gladly assist.



