
Author Topic: Trojan SHeur2.GAS csrssc.exe  (Read 6204 times)


mam4q

    Trojan SHeur2.GAS csrssc.exe
    « on: December 21, 2008, 11:47:23 AM »
    Hi -

    It looks like my XP Pro. Laptop has picked up this nasty Trojan - SHeur2.GAS - csrssc.exe

    I have followed the recommended process but unfortunately could not carry out steps 3 and 4 as the applications could not be installed.

    Here are my notes and HJT log file -
    Suggestions and recommendations would be greatly appreciated: (Many Thanks)

    Initial Symptoms:
    Outlook Express 6 - closing when mails deleted
    IE - Not opening
    FF - Search results, when clicked, go to various sites for PC protection, travel discounts etc.
    Visual Studio Debugger reports Unhandled Win32 exception occurred in GoogleUpdate.exe
    AVG not updating. Unable to connect to AVG.com from Firefox

    AVG 8 scan showed Trojan Horse SHeur2.GAS in csrssc.exe + registry key
    6 objects removed -
    Still unable to update via AVG.com
    Firefox 3.1 crashes

    Step 1
    Add / Rem programs - not certain of these

    Advertisement Service
    System Requirements Lab

    Step 2
    CCleaner OK

    Step 3
    Super Anti Spyware -
    Unable to install
    Unhandled WIN32 exception

    Step 4
    MBAM - Installer would not execute

    Step 5
    Log Files:
    JavaRa 1.12 Removal Log.

    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Sun Dec 21 18:22:01 2008

    ------------------------------------

    Finished reporting.

    Step 6
    Hijack This
    Log file attached

    [attachment deleted by admin]

    CBMatt

    • Mod & Malware Specialist
    Re: Trojan SHeur2.GAS csrssc.exe
    « Reply #1 on: December 21, 2008, 09:11:52 PM »
    Before tackling this infection, try reading this and posting back with the MBAM and SAS logs...
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    Then download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    Quote
    An undefined problem has an infinite number of solutions.
    —Robert A. Humphrey

    mam4q


      Re: Trojan SHeur2.GAS csrssc.exe
      « Reply #2 on: December 22, 2008, 12:59:00 PM »
      Hi Chris -

      Thanks for taking the time to reply -

      Unfortunately Combofix will not execute on the infected computer.
      Neither will MBAM nor SAS.

      Looking at my system processes I see GADCOM.exe. Yesterday I was seeing CSRSSC.exe.

      It's looking like my system has been modified to prevent installation / execution.
      I'm at a loss as to what to do next so your suggestions and guidance would be greatly appreciated.

      evilfantasy

      • Malware Removal Specialist
      • Moderator
      Re: Trojan SHeur2.GAS csrssc.exe
      « Reply #3 on: December 22, 2008, 01:41:15 PM »
      You should be able to run the steps after completing the below procedure.

      Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
      • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
      • Then search for TDSSserv.sys
      • Let me know if you find this or not.
      • If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
      • Also if this is found and you disable it.
      • Now reboot and see if you can run the other scans that would not run.

      mam4q


        Re: Trojan SHeur2.GAS csrssc.exe
        « Reply #4 on: December 23, 2008, 12:42:44 AM »
        Thanks for your reply -

        TDSServ.sys found and disabled - this allowed repair progs to execute.
        Combofix run
        Super Anti Spyware run
        MBAM run
        HJT run

        Log files for each attached -

        I'm enormously grateful for your assistance -
        Many thanks

        [attachment deleted by admin]

        CBMatt

        Re: Trojan SHeur2.GAS csrssc.exe
        « Reply #5 on: December 23, 2008, 04:43:26 AM »
        Please print these instructions as they will be needed later when Internet access is not available.
         
        Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

        When using this tool, you must use the Administrator's account or an account with Administrative rights.

        • Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
        • DO NOT use it just yet.
        Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

        Open the SDFix folder and double-click RunThis.bat to start the script.
        • Type Y to begin the cleanup process.
        • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
        • Press any Key and it will restart the PC.
        • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished.  Press any key to end the script and load your desktop icons.
        • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
        • Copy and paste the contents of the results file Report.txt in your next reply.

        This log will help me find any additional files that may need to be removed.

        mam4q


          Re: Trojan SHeur2.GAS csrssc.exe
          « Reply #6 on: December 23, 2008, 02:12:35 PM »
          Hi -
          SDFix Report Log file attached -

          Many Thanks

          [attachment deleted by admin]

          CBMatt

          Re: Trojan SHeur2.GAS csrssc.exe
          « Reply #7 on: December 23, 2008, 04:09:23 PM »
          Looking much better.  Just to make sure all of the bad files are gone, please do the following...

          Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

          Delete these files/folders, as follows:

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code:
          KillAll::

          File::
          c:\windows\system32\TDSSlxcp.dll

          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not click ComboFix's window while it is running. That may cause your system to freeze

          mam4q


            Re: Trojan SHeur2.GAS csrssc.exe
            « Reply #8 on: December 24, 2008, 08:21:52 AM »
            Completed as requested -
            ComboFix Log file attached -

            Many Thanks

            [attachment deleted by admin]

            CBMatt

            Re: Trojan SHeur2.GAS csrssc.exe
            « Reply #9 on: December 26, 2008, 12:37:05 AM »
            Looking much better.  How are things running now?

            mam4q


              Re: Trojan SHeur2.GAS csrssc.exe
              « Reply #10 on: December 30, 2008, 06:58:22 AM »
              Really sorry for not responding sooner - Xmas.

              All has been looking good -
              Any recommendations to help me stay clean?

              Many Thanks

              CBMatt

              Re: Trojan SHeur2.GAS csrssc.exe
              « Reply #11 on: December 31, 2008, 01:39:36 AM »
              No worries, I know how the holidays are.

              First, you need a decent firewall.  You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo.  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

              Download OTCleanIt.exe and save it to your Desktop.
              • Double-click OTCleanIt.exe.
              • Click the CleanUp! button.
              • Select Yes when the "Begin cleanup Process?" prompt appears.
              • If you are prompted to Reboot during the cleanup, select Yes.
              • The tool will delete itself once it finishes, if not delete it yourself.

              Then you should clear out your restore points.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

              1.  Go to Start > Programs > Accessories > System Tools > System Restore
              2.  Click on System Restore Settings.
              3.  Check Turn off System Restore and click OK.
              4.  Restart your computer.
              5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
              6.  Create a new restore point and close the program.

              System Restore will now be active again.  If you would like to learn more about System Restore, go here.



              As for avoiding infection...you just have to use caution.  If you download anything, scan it with AVG first.  If you receive an e-mail attachment from someone you don't know, don't open it.  Even if you do know the person, be careful; they could be infected without knowing it.  And don't go to suspicious web sites. 
              Quote
              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              mam4q


                Re: Trojan SHeur2.GAS csrssc.exe
                « Reply #12 on: December 31, 2008, 01:55:37 AM »
                Many thanks for your outstanding support, help and advice.

                Greatly appreciated -
                 ;D