Sheur2.gas/Vundo - Followed directions, anything left to fix?

[uriel96]

Hi there,

AVG 7.5 detected the Sheur2.gas trojan on my machine, and the usually reported problems immediately started -- AV couldn't update, browser hijacks, etc. So, I booted back up in safe mode + networking, disabled the TDSSserv.sys driver as directed in another troubleshooting thread, and downloaded the following:

- CCleaner
- MBAM
- SUPER AntiSpyware
- HijackThis
- ComboFix

and followed the excellent guideline instructions posted here on ComputerHope, in order. So far, I've only run CCleaner, MBAM, Super AntiSpyware and HijackThis (along with Spybot S&D), and stopped before going on to ComboFix to post my progress so far.

The logs I've posted are in chronological order, as follows:

1. SUPER AntiSpyware, where it detected the Sheur2/Vondo mess
2. MBAM Results immediately following the SAS disinfection, where it found more of the same.
3. MBAM results AFTER the MBAM disinfection
4. HijackThis results that reflect current system state

It looks like I've gotten the rootkit/trojan out of the OS for the moment, and I know I need to replace AVG 7.5 (leaning to AVast at the moment, AVG 8 is a system pig), but I'd appreciate a review of my current logs, to see if I've missed anything, or need to proceed to ComboFix.

Also, there are still 2 hidden drivers that are installed, that I've disabled, and would like to remove -- they are known malware, and I'd imagine I shouldn't just leave them disabled in the Device Manager. They are named:

- TDSSserv
- ipnatt

How should I proceed?

Thanks in advance!


[attachment deleted by admin]

[uriel96]

Hm,

Looks like I spoke too soon on everything being fixed. Like in this case, images no longer properly load in Internet Exploder.

Looking forward to advice, and Merry Xmas everyone.

[CBMatt]

Sorry for the long wait.  We are VERY backed-up right now!  If you still require assistance, please do the following...

Please print these instructions as they will be needed later when Internet access is not available.
 
Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
• DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double-click RunThis.bat to start the script.

• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
• Press any Key and it will restart the PC.
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished.  Press any key to end the script and load your desktop icons.
• Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Copy and paste the contents of the results file Report.txt in your next reply, along with a new HijackThis log.