Computer Hope

Software => Computer viruses and spyware => Topic started by: mam4q on December 21, 2008, 11:47:23 AM

Title: Trojan SHeur2.GAS csrssc.exe
Post by: mam4q on December 21, 2008, 11:47:23 AM
Hi -

It looks like my XP Pro. Laptop has picked up this nasty Trojan - SHeur2.GAS - csrssc.exe

I have followed the recommended process but unfortunately could not carry out steps 3 and 4 as the applications could not be installed.

Here are my notes and HJT log file -
Suggestions and recommendations would be greatly appreciated: (Many Thanks)

Initial Symptoms:
Outlook Express 6 - closing when mails deleted
IE - Not opening
FF - Search results, when clicked, go to various sites for PC protection, travel discounts etc.
Visual Studio Debugger reports Unhandled Win32 exception occurred in GoogleUpdate.exe
AVG not updating. Unable to connect to AVG.com from Firefox

AVG 8 scan showed Trojan Horse SHeur2.GAS in csrssc.exe + registry key
6 objects removed -
Still unable to update via AVG.com
Firefox 3.1 crashes

Step 1
Add / Rem programs - not certain of these

Advertisement Service
System Requirements Lab

Step 2
CCleaner OK

Step 3
Super Anti Spyware -
Unable to install
Unhandled WIN32 exception

Step 4
MBAM - Installer would not execute

Step 5
Log Files:
JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Dec 21 18:22:01 2008

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\JavaPlugin.160_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}

Found and removed: Software\Classes\JavaPlugin.160_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03

Found and removed: Software\JavaSoft\Java2D\1.6.0_03

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\

------------------------------------

Finished reporting.

Step 6
Hijack This
Log file attached









[attachment deleted by admin]
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: CBMatt on December 21, 2008, 09:11:52 PM
Before tackling this infection, try reading this and posting back with the MBAM and SAS logs...
http://www.computerhope.com/forum/index.php/topic,46313.0.html

Then download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: mam4q on December 22, 2008, 12:59:00 PM
Hi Chris -

Thanks for taking the time to reply -

Unfortunately Combofix will not execute on the infected computer.
Neither will MBAM nor SAS.

Looking at my system processes I see GADCOM.exe. Yesterday I was seeing CSRSSC.exe.

It's looking like my system has been modified to prevent installation / execution.
I'm at a loss as to what to do next so your suggestions and guidance would be greatly appreciated.
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: evilfantasy on December 22, 2008, 01:41:15 PM
You should be able to run the steps after completing the below procedure.

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: mam4q on December 23, 2008, 12:42:44 AM
Thanks for your reply -

TDSServ.sys found and disabled - this allowed repair progs to execute.
Combofix run
Super Anti Spyware run
MBAM run
HJT run

Log files for each attached -

I'm enormously grateful for your assistance -
Many thanks

[attachment deleted by admin]
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: CBMatt on December 23, 2008, 04:43:26 AM
Please print these instructions as they will be needed later when Internet access is not available.
 
Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

Reboot your computer in Safe Mode (http://www.computerhope.com/issues/chsafe.htm) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double-click RunThis.bat to start the script.

This log will help me find any additional files that may need to be removed.
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: mam4q on December 23, 2008, 02:12:35 PM
Hi -
SDFix Report Log file attached -

Many Thanks

[attachment deleted by admin]
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: CBMatt on December 23, 2008, 04:09:23 PM
Looking much better.  Just to make sure all of the bad files are gone, please do the following...

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]
KillAll::

File::
c:\windows\system32\TDSSlxcp.dll

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not click ComboFix's window while it is running. That may cause your system to freeze
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: mam4q on December 24, 2008, 08:21:52 AM
Completed as requested -
ComboFix Log file attached -

Many Thanks

[attachment deleted by admin]
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: CBMatt on December 26, 2008, 12:37:05 AM
Looking much better.  How are things running now?
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: mam4q on December 30, 2008, 06:58:22 AM
Really sorry for not responding sooner - Xmas.

All has been looking good -
Any recommendations to help me stay clean?

Many Thanks
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: CBMatt on December 31, 2008, 01:39:36 AM
No worries, I know how the holidays are.

First, you need a decent firewall.  You're vulnerable without a firewall, so you should look into getting either ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za), Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm), or Comodo (http://www.personalfirewall.comodo.com).  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

Download OTCleanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to your Desktop.
.

Then you should clear out your restore points.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

1.  Go to Start > Programs > Accessories > System Tools > System Restore
2.  Click on System Restore Settings.
3.  Check Turn off System Restore and click OK.
4.  Restart your computer.
5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6.  Create a new restore point and close the program.

System Restore will now be active again.  If you would like to learn more about System Restore, go here (http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx).



As for avoiding infection...you just have to use caution.  If you download anything, scan it with AVG first.  If you receive an e-mail attachment from someone you don't know, don't open it.  Even if you do know the person, be careful; they could be infected without knowing it.  And don't go to suspicious web sites. 
Quote
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
Title: Re: Trojan SHeur2.GAS csrssc.exe
Post by: mam4q on December 31, 2008, 01:55:37 AM
Many thanks for your outstanding support, help and advice.

Greatly appreciated -
 ;D