[Not curable - Ramnit] Help with 1000+ instances of SHeur3.AQRA and Win32/Zbot.A

By Rmonkey
Oct 1, 2010
Topic Status:
Not open for further replies.
  1. Hi guys,

    Bit of a problem with my PC; after turning it on this afternoon AVG free picked up some instances of SHeur3. After disconnecting from my router, I did a full scan which picked up 1283 instances of SHeur3.AQRA and Win32/Zbot.A less some tracking cookies. I changed all my passwords from another PC and found some threads round the Internet on removal. I didn't want to charge in headlong as many steps of the solutions seem to be customised to the PC in question.

    So now I'm at your mercy, please help!

    Thanks in advance.
  2. Broni

    Broni Malware Annihilator Posts: 45,208   +243

  3. Rmonkey

    Rmonkey Newcomer, in training Topic Starter

    Hi, sorry for the delay.. GMER took a good half day to run. I have two hard drives; a system drive E: a storage-ish drive D: and I wasn't able to get GMER to work if D:\ was selected in the scan even in safe mode. I'm hoping that the system drive scan log will be sufficient. Additionally, I was not able to update MBAM prior to scan, although it was updated fairly recently to my knowledge.

    Let me know if anything further is needed, thanks for your assistance.

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    You're infected with Paladin Antivirus (at least).

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. Rmonkey

    Rmonkey Newcomer, in training Topic Starter

    Combofix has been run, a couple of issues which I will explain below:

    When I clicked 'Yes' to installing Recovery Console, this failed. I allowed Combofix to continue anyway.

    Toward the end of displaying a long list of filenames, a pop-up advising that an application could not start because of a problem with msls5l.dll was shown 40+ times and had to be dismissed by clicking OK.

    Also, the Paladin infection was from some time ago and I believed it to be completely removed by a series of instructions I followed from bleepingcomputer (I think).

    Combofix log attached.

    Thanks for your help so far.

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    Unfortunately, I don't have good news.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
  7. Rmonkey

    Rmonkey Newcomer, in training Topic Starter

    That's disappointing, but is pretty much as bad as I expected.

    What would be the safest way to transfer files that I need to keep? You mentioned it can spread by flash disk so I assume external hard drives would be infected if connected?

    Thanks for taking the time to look at my problem.
  8. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    You can do it, but you have follow some strict rules.
    Hook up your external drive and transfer what you need.

    Now, the important part!

    On any computer, you want to connect that drive afterward, do this...

    Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    Windows Vista and Windows 7 users
    Flash Disinfector is not compatible with the above Windows version.
    Please, use Panda USB Vaccine

    Now, you should be safe to hook up USB drive.

    Next important step.
    BEFORE moving any file from external drive to freshly installed Windows, scan a whole USB drive with at least couple of tools:
    - your AV program
    - Malwarebytes
    - online scan like Eset: http://www.eset.com/onlinescan
  9. Rmonkey

    Rmonkey Newcomer, in training Topic Starter

    Okay cool, that sounds painless enough.

    Thanks for all your assistance and advice Broni, it's appreciated :)
  10. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    You're very welcome :)
    I'm sorry to be bad news bearer.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.