Computer Hope

Software => Computer viruses and spyware => Topic started by: fridaysdream on December 23, 2008, 09:24:45 AM

Title: Infected with SHeur2.gas and associates - followed lots of advice, am I cured?
Post by: fridaysdream on December 23, 2008, 09:24:45 AM
Hi,

Firstly, as this is the first time I have found your site, I just wanted to say I am really impressed. Thanks for having such an awesome and helpful forum!

So since yesterday my laptop has been infected with a Trojan. Being a novice to these things I firstly ran AVG (8.0) and believed it had been successfully removed. However, this morning the random internet windows were appearing again and, following an AVG scan, I realised I was still infected.

Obviously AVG is not removing this thoroughly, so I did a Google search for Trojan Horse SHeur2.gas (the name of the threat appearing in AVG) and found this post: http://www.computerhope.com/forum/index.php?topic=72713.0. As the symptoms and description seemed the same, I followed the following steps:
1. Disabled TDSSserv.sys (which was there)
2. Ran AVG update
3. Ran HijackThis (could NOT find any of the listed entries from that post) - I didn't save the log from this run, but have in the later one.
4. Downloaded ComboFix and ran that (log attached)

So before posting here I have also followed the instructions on: http://www.computerhope.com/forum/index.php/topic,46313.0.html

Disabled AVG Shield

Step 1: Add or Remove Programs
There's nothing I can see that looks obviously wrong.
Items I don't associate with anything: 'SearchAssist', 'Digital line support', 'High Definition Audio Driver Package - KB835221', 'MSXML 4.0 SP2 (KB936181)', 'MSXML 6.0 Parser (KB933579)'.

Step 2: House Cleaning
Complete

Step 3: SUPERAntiSpyware
This has found threats which I assume will be in the log which I attach.

Step 4: Malwarebytes' Anti-Malware (MBAM)
Run, one threat was found which was removed, log is attached.

Step 5: Update Your Java (JRE)
I didn't have the newer version of Java; this is now installed. I have run JavaRa and CCleaner.
 
Step 6: HijackThis
Run and log attached.

I have now turned back on AVG shield, until such time as I am advised to disable it again.

Other details

Obviously, when I started, I clearly had a virus: there were random internet windows appearing, AVG refused to update, and Windows Firewall was turned off (though I discovered this later). Images were also not appearing in IE (though I think this kicked in a little later, as I didn't notice it originally).

Disabling TDSSserv.sys cured the AVG update and I was able to turn Windows Firewall back on (although I hadn't noticed it was off until this point).

I have also reset my Web Settings & Default Security Settings in IE, in order to restore the images (as suggested in the first post I mentioned).

Things I have noticed since doing all the above:
I don't seem to be getting the random windows anymore; however, I wasn't getting them last night, after AVG, until this morning.
The only noticeable thing is that there now seem to be two Internet Explorer icons in my start bar (maybe related to running ComboFix? They seemed to appear after this).

Logs attached are:
SuperAntiSpyware
Malwarebytes' Anti-Malware
HijackThis
Also attached is the ComboFix log, which was run before following the instructions on 'Read this before requesting malware removal help', as documented above.

My question is, am I cured? Is there anything else I should be doing?
I am going to re-run AVG now and see if anything is picked up.

Thanks for any help you can offer me, and again my commendations on your site!

Laura

[attachment deleted by admin]
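The question of whether the TDSSserv.sys driver named in the post has really gone can be answered from the service registry rather than by waiting for pop-ups to return. The following PowerShell script is an added example, not part of the thread or of any of the tools mentioned in it; it checks the Windows service database for an entry named TDSSserv (the only name taken from the post), reports its configured start type and driver path, and tests whether the driver file is still on disk. It assumes PowerShell 3 or later for Get-CimInstance and that it is run from an elevated prompt.

```powershell
# Added example (not from the thread): report whether a 'TDSSserv' driver
# service entry is still registered and whether its driver file still exists.
# Service name taken from the post; the rest is the standard Windows layout
# of HKLM\SYSTEM\CurrentControlSet\Services.
$serviceName = 'TDSSserv'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

if (Test-Path $key) {
    $svc = Get-ItemProperty -Path $key
    Write-Output "Service entry '$serviceName' is still present."
    Write-Output ("  ImagePath : {0}" -f $svc.ImagePath)
    Write-Output ("  Start     : {0}  (0=Boot 1=System 2=Auto 3=Manual 4=Disabled)" -f $svc.Start)

    # Driver ImagePath values are often written as '\??\C:\...', '\SystemRoot\...'
    # or relative to the Windows directory ('system32\drivers\x.sys'); normalise.
    $path = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    if ($path -and (Test-Path $path)) {
        $file = Get-Item $path
        Write-Output ("  Driver file present: {0} ({1} bytes, modified {2})" -f $file.FullName, $file.Length, $file.LastWriteTime)
    } else {
        Write-Output "  Driver file not found on disk (registry entry may be orphaned)."
    }
} else {
    Write-Output "No service entry named '$serviceName' under CurrentControlSet\Services."
}

# Also list any kernel driver whose name or path contains 'TDSS', in case the
# entry was re-registered under a slightly different name.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like '*TDSS*' -or $_.PathName -like '*TDSS*' } |
    Select-Object Name, State, StartMode, PathName
```

A present service entry with Start set to 0 (Boot) or 1 (System) means the driver will load again before any user-mode scanner starts; a file that is missing while the entry remains is harmless but worth cleaning so the boot log stops reporting a failed driver load.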
Title: Re: Infected with SHeur2.gas and associates - followed lots of advice, am I cured?
Post by: CBMatt on January 04, 2009, 03:28:08 PM
Sorry for the long wait. We are VERY backed up right now! If you still require assistance, please post a new ComboFix log and we'll see what we can do. Your infection is mostly gone, but there may still be traces.
Title: Re: Infected with SHeur2.gas and associates - followed lots of advice, am I cured?
Post by: fridaysdream on January 05, 2009, 07:42:49 AM
Hi,

Thanks for responding!
It would be good to check the infection has all gone, the log report is attached.

Laura

[attachment deleted by admin]
Title: Re: Infected with SHeur2.gas and associates - followed lots of advice, am I cured?
Post by: CBMatt on January 05, 2009, 05:11:22 PM
Well, I don't really see much of anything now, but just to be sure, you may want to also run the following scan...

Please print these instructions as they will be needed later when Internet access is not available.
 
Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/179891642/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights.
Reboot your computer in Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
 
Open the SDFix folder and double click RunThis.bat to start the script.