Trojan: SHeur2.gnw


Solved Trojan: SHeur2.gnw

Post by ronsonol on Thu Jan 15, 2009 11:23 pm

Hi all, just got this site recommended so hopefully somebody will know how to help me with my trojan problem.

Some time ago my IE7 came to life with some beautiful banners at the bottom of the page, in Russian. (I use Firefox, but my girlfriend uses IE, so I blame her).
I also found some strange processes in the task manager (that I stopped).

Did an AVG8 scan and found the bloody thing SHeur2.gnw in windows/system32/userinit.exe. AVG could not do anything about it.
Downloaded Malwarebytes Anti-Malware and ran a scan. Found the same problem. However Malwarebytes claimed to remove it. Later scans have found nothing. AVG disagrees and claims it is still there. (The trojan seems to have disabled automatic updates of AVG, btw.)

Yes, I also turned off system restore and did scans in safe mode.
I also use CCleaner and ATF-cleaner and SpybotSD extensively.

Now, I've been through the sticky posts before posting here, so hopefully I've done good; everything should be up to date, including Acrobat Reader, Java etc.
Btw: I'm running Win XP Prof. (v.2002) SP3.

Hopefully I've gone by the book and done things right so far and supplied the information required.
I know my problems are petty in the larger picture, but any help would be greatly appreciated, thanks in advance. Thank You!
Under is my hjt log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:21:54, on 16.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Geir\Desktop\Hijack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: brelibP - {7B78D0DE-65FD-4B55-8502-8A1E747C28D5} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: XBTP00092 - {9AC83520-B347-4190-870A-DBB2AD2E22FE} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: GuleSider Toolbar - {F275EF20-1E52-47B8-98D3-0537A2EB8223} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&ksporter til Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - [You must be registered and logged in to see this link.] Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7560 bytes

ronsonol
Novice

Posts : 32
Joined : 2009-01-13
Gender : Male
OS : Win XP SP3
Points : 28847
# Likes : 0

Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Thu Jan 15, 2009 11:36 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: brelibP - {7B78D0DE-65FD-4B55-8502-8A1E747C28D5} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: XBTP00092 - {9AC83520-B347-4190-870A-DBB2AD2E22FE} - (no file)
    O3 - Toolbar: GuleSider Toolbar - {F275EF20-1E52-47B8-98D3-0537A2EB8223} - (no file)
    O4 - Global Startup: AutorunsDisabled

  • Press "Fix Checked"
  • Close Hijack This.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Fri Jan 16, 2009 7:24 am

Hey amigo, thanks.
HJT - Check
DDS - Coming right up:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Geir at 8:22:08,46 on 16.01.2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.625 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Geir\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
TB: GuleSider Toolbar: {f275ef20-1e52-47b8-98d3-0537a2eb8223} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nForce Tray Options] sstray.exe /r
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - [You must be registered and logged in to see this link.] files\iespell\wikipedia.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geir\applic~1\mozilla\firefox\profiles\le4vspii.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

============= SERVICES / DRIVERS ===============

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-1-22 102528]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-19 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-19 26824]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-19 76040]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-1-28 4096]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-9-8 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-9-8 8320]
S3 win32x;win32x;\??\c:\windows\system32\drivers\win32x.sys --> c:\windows\system32\drivers\win32x.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-06 11:16 3,532 a------- C:\drmHeader.bin
2008-12-20 01:52 74,240 a------- c:\windows\system32\userinit.exe
2008-12-11 11:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-04 01:00 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 13:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-04-09 22:26 87,608 a------- c:\docume~1\geir\applic~1\inst.exe
2008-04-09 22:26 47,360 a------- c:\docume~1\geir\applic~1\pcouffin.sys

============= FINISH: 8:22:35,04 ===============


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Fri Jan 16, 2009 5:01 pm

Hello.
Userinit has indeed been patched, but it's only patched one of them; the backup file in a hidden folder on your machine should be okay to replace the patched one.
First, we need to fix a registry item.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

But, I also see there is no files created within a month, which probably means the tdss rootkit is on board.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to disable:
win32x

Drivers to delete:
win32x

Files to delete:
c:\windows\system32\drivers\win32x.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


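The points Belahzur reads out of the DDS report above (an extra DLL in SecurityProviders, a driver whose file the scanner could not read, an empty "Created Last 30" section, and a recently modified userinit.exe) can be checked mechanically. The following Python is an added example, not part of the thread and not a DDS feature: it parses a constructed excerpt modelled on the report in the thread and emits one finding per signal. The stock SecurityProviders list is the value the fix.reg above writes back; the watch list of logon-chain binaries and the sample lines are constructed for this example.

```python
import re

# XP's stock SecurityProviders list, i.e. the value the fix.reg in the thread restores.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Logon-chain binaries whose modification deserves a look; a constructed watch list for this example.
WATCHLIST = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# Constructed excerpt modelled on the DDS report in the thread (not the original log).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-19 97928]
S3 win32x;win32x;\??\c:\windows\system32\drivers\win32x.sys --> c:\windows\system32\drivers\win32x.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-20 01:52 74,240 a------- c:\windows\system32\userinit.exe
2008-12-11 11:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-23 13:36 286,720 a------- c:\windows\system32\gdi32.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+\S+\s+(.+)$")


def parse_sections(text):
    """Split a DDS report into {SECTION NAME: [non-blank lines]}."""
    sections = {"PREAMBLE": []}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).upper()
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, detail) findings; each mirrors a point the helper raised in the thread."""
    findings = []
    sections = parse_sections(text)

    for line in sections.get("PSEUDO HJT REPORT", []):
        if line.startswith("SecurityProviders:"):
            listed = [d.strip().lower() for d in line.split(":", 1)[1].split(",") if d.strip()]
            extra = [d for d in listed if d not in DEFAULT_SECURITY_PROVIDERS]
            if extra:  # a DLL added here is loaded by lsass at boot
                findings.append(("security-provider-added", ", ".join(extra)))
        elif line.lower().endswith(("no file", "(no file)")):
            findings.append(("orphaned-registration", line))

    for line in sections.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if m and m.group(2).endswith("[?]"):  # DDS could not read the driver file it points at
            findings.append(("driver-file-unverifiable", m.group(1)))

    if not sections.get("CREATED LAST 30"):  # an empty section on a machine in daily use is itself a signal
        findings.append(("no-recent-files", "scanner saw no files created in the last 30 days"))

    for line in sections.get("FIND3M", []):
        m = FIND3M_RE.match(line)
        if m and m.group(3).rsplit("\\", 1)[-1].lower() in WATCHLIST:
            findings.append(("logon-binary-modified", f"{m.group(3)} ({m.group(1)}, {m.group(2)} bytes)"))

    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"{kind:26} {detail}")
```

Orphaned "No File" entries are cleanup candidates rather than proof of infection (HijackThis removed the same kind of entries earlier in the thread); the other four findings are the ones that justify the rootkit suspicion and the userinit replacement that follow.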

Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Mon Jan 19, 2009 2:47 pm

Hi again Belahzur, I've just come back from a weekend in the mountains, ready to finish this thing.
Just one thing I'd like to know before we proceed; are any of the things we do of any risk to my system? Should I back up my files and prepare for a meltdown?
Thanks in advance


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Mon Jan 19, 2009 3:20 pm

Nothing should go wrong, the patched file needs replacing, but we can replace it with a backup copy that's in a hidden folder.
But yes, backup anything you need just in case.

Please do what is instructed in my last post.



Solved moving on

Post by ronsonol on Mon Jan 19, 2009 11:34 pm

Ok Mr B, I've done what the doctor ordered, though I was very nervous while doing so; it seemed pretty serious. You certainly wield a lot of power over people's well-being! (must feel great!)

Fix reg - check
Avenger - check
Below is report from Avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "win32x" disabled successfully.
Driver "win32x" deleted successfully.

Error: file "c:\windows\system32\drivers\win32x.sys" not found!
Deletion of file "c:\windows\system32\drivers\win32x.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Mon Jan 19, 2009 11:37 pm

Okay, let's see if we can fix userinit.exe


  • Now open a new notepad file.
  • Input this into the notepad file:

    REM Lists every userinit.exe below %windir%\system32 (subfolders included) with its size and timestamp
    For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\system32\userinit.exe') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
    start notepad report.txt & exit

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.


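The look.bat above lists every userinit.exe under system32 with its size and timestamp so that a backup copy can be compared with the live one. The Python below is an added example, not the thread's script: it does the same search but compares copies by SHA-256, since size and timestamp are easy to leave unchanged while a hash is not, and it reports whether a trusted replacement exists at all (the "no-backup" case is what the thread ran into). It builds constructed stand-in trees in a temporary directory so it runs anywhere; the dllcache and ServicePackFiles locations are assumptions about XP's layout, and the file contents are text blobs, not real binaries.

```python
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Where the live copy lives, relative to the Windows directory.
LIVE_RELPATH = Path("system32", "userinit.exe")


def sha256_of(path):
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(windir, name="userinit.exe"):
    """Every file called `name` below windir, like `dir /s /b`, plus size, mtime and hash."""
    copies = []
    for dirpath, _subdirs, files in os.walk(windir):
        for filename in files:
            if filename.lower() == name.lower():
                path = Path(dirpath, filename)
                st = path.stat()
                copies.append({
                    "path": str(path),
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                    "sha256": sha256_of(path),
                })
    return sorted(copies, key=lambda c: c["path"])


def assess(windir, name="userinit.exe"):
    """Compare the live copy with every other copy found; the status says whether a trusted replacement exists."""
    live_path = os.path.normcase(str(Path(windir, LIVE_RELPATH)))
    copies = find_copies(windir, name)
    live = next((c for c in copies if os.path.normcase(c["path"]) == live_path), None)
    backups = [c for c in copies if os.path.normcase(c["path"]) != live_path]
    if live is None:
        status = "live-missing"
    elif not backups:
        status = "no-backup"            # the thread's situation: one copy, nothing local to restore from
    elif any(b["sha256"] == live["sha256"] for b in backups):
        status = "matches-backup"       # live copy is byte-identical to at least one backup
    else:
        status = "differs-from-backup"  # the live file has changed; restore from the backup and re-check
    return {"status": status, "live": live, "backups": backups}


def build_sample_windir(base, scenario):
    """Constructed stand-in trees (text blobs, not real binaries) for the three cases assess() distinguishes."""
    clean = b"stand-in for a clean userinit.exe\n" * 64
    patched = b"stand-in for a patched userinit.exe\n" * 64
    dllcache = Path("system32", "dllcache", "userinit.exe")     # XP's hidden backup folder (assumed layout)
    spfiles = Path("ServicePackFiles", "i386", "userinit.exe")  # service-pack copy (assumed layout)
    layouts = {
        "lone": {LIVE_RELPATH: patched},
        "patched": {LIVE_RELPATH: patched, dllcache: clean, spfiles: clean},
        "clean": {LIVE_RELPATH: clean, dllcache: clean},
    }
    for rel, data in layouts[scenario].items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def demo():
    """Run all three scenarios in throwaway directories and return their statuses."""
    results = {}
    for scenario in ("lone", "patched", "clean"):
        with tempfile.TemporaryDirectory() as tmp:
            results[scenario] = assess(build_sample_windir(tmp, scenario))["status"]
    return results


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:8} {status}")
```

On a real machine you would call `assess(r"C:\WINDOWS")` instead of `demo()`; a "matches-backup" result only means the copies agree with each other, so the hash should still be compared against a known-good value from install media or a clean machine before the file is trusted.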

Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Mon Jan 19, 2009 11:39 pm

Done:

"C:\WINDOWS\system32\userinit.exe" 74240 20.12.2008 01:52


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Mon Jan 19, 2009 11:41 pm

Darn it, no backup file.
Do you have your XP disc?



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Mon Jan 19, 2009 11:42 pm

I have an XP disc, but if I remember correctly it's not the one I installed from..


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Mon Jan 19, 2009 11:45 pm

So it's a recovery disc?
It might work.

Put it in and let me know what letter it uses as a drive.



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Mon Jan 19, 2009 11:47 pm

I have two win xp disks here, but I think this OS installed is from a disk at my former employer..


Last edited by ronsonol on Mon Jan 19, 2009 11:50 pm; edited 1 time in total


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Mon Jan 19, 2009 11:48 pm

Okay, if it's a recovery disk, it might work.
Put it in and let me know what letter it uses as a drive.



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Mon Jan 19, 2009 11:49 pm

That would be H

Btw: my AVG just told me Avenger is a threat. I'm guessing that is bogus?


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Mon Jan 19, 2009 11:53 pm

Thanks.
Open the CD as a folder, is there an i386 folder on the CD?



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Mon Jan 19, 2009 11:55 pm

Aye


Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Mon Jan 19, 2009 11:58 pm

That is "yes" in auld English, or so I've been taught..


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:00 am

Hello.
Haha, yeah. I'm from good ole England, the land of sheep and dirt.
Just seen your edit, yes it's bogus. AVG have detected a second tool now, I got it too.
Trojan.Downloader.Banload

A little while ago, it detected OTMoveIt as a generic backdoor. AVG is going down the drain.

Now let's fix this problem.

Press Start > Run
Type in cmd and press enter.
Once the command opens, type this in:

expand H:\i386\userinit.ex_ c:\windows\system32\userinit.exe

Press enter.

Now delete the avenger.exe from your Desktop, along with DDS.
Delete this folder:
C:\avenger

What problems remain?


Last edited by Belahzur on Tue Jan 20, 2009 12:19 am; edited 1 time in total



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:05 am

Done.
cmd says: "no destination secified for H:\i386\userinit.ex_ c:\windows\system32\userinit.exe

is that good or bad?

and the infection is still there according to avg


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:11 am

Did you put a space between _ and C?



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:12 am

Nope. I'll try again. (Btw, that space is almost impossible to see for the naked eye.)


Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:13 am

copied


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:13 am

Okay, everything should be fine now. The malware is gone and userinit is replaced.

Any problems remaining?



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:14 am

Now; this file is used to log on to Windows, am I right? We don't really know if this was a success until I reboot and see if I can still log onto the system?

1,5 min 'til scan is complete


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:16 am

Yes, hopefully it won't lock you out. Indifferent or Blank



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:17 am

0/0 - you did it man! Hooray!

Here's hoping my computer will start..


Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:17 am

That bleak smiley of yours didn't fill me with confidence?!


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:18 am

I'm confident, just hoping. LOL Banner



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:19 am

Wtf?!
Yeah yeah, might as well try it at once.
If I'm not posting back within 5 minutes I've jumped from the balcony..

Any pointers to what I do if it crashes?


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:22 am

Put this image onto a CD by writing it to a blank disc.
[You must be registered and logged in to see this link.]

If you're locked out, we can use that to recover it.



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:24 am

Memory stick sufficient? I need to make an image CD?


Last edited by ronsonol on Tue Jan 20, 2009 12:27 am; edited 1 time in total


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:25 am

CD image, not memory stick.



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:28 am

Done.
But how do I use it?


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:30 am

We can boot from it.

Try rebooting now that we have something to recover from.



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:33 am

Heureka!
Bless your cotton socks, I'm back!


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:35 am

Thank god for that. Hooray!

You may be able to help me now, and save a few hundred machines.
Is your OS normal XP SP3 or SP3 Media Centre?



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:36 am

Normal.


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:38 am

Okay.
Please upload this file:
C:\windows\system32\userinit.exe
To here for me.
[You must be registered and logged in to see this link.]

If you can't access that, upload it to rapidshare or some other upload site.



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:39 am

Will try.
A few things:
I will do a thorough scan tomorrow, after work, checking everything.
I will not declare victory until then. Need to get up in 5 hours.

I notice I can't turn on automatic updates on AVG, looks suspicious. Gut feeling?


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:41 am

Truth be told - I would prefer you uninstall AVG, as you see the false positive of picking up the Avenger.

I would prefer you use avast! or avira, but we'll talk about that later if you need sleep, now go sleep. LMBO or ROFL



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:46 am

God knows I need my beauty sleep.. :crazy:

Trying to upload at the mo, sent my Firefox crashing.. (using IE now)
I'll try again tomorrow, ok?


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 12:48 am

Okay. Smile



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 12:48 am

OK, thanks mate.
See ya tomorrow.


Solved I think we are ok

Post by ronsonol on Tue Jan 20, 2009 6:21 pm

Hi again B.
Been doing checks and scans today and it looks as though I'm in the clear.

AVG is still not able to sustain automatic updates though, a bit worried by that. I've downloaded Avast! though, will install it later, if that is what you recommend.

I've also downloaded SpywareBlaster and SUPERAntiSpyware to give them a test. I understand the first one is good to prevent attacks?!

The file you wanted is uploaded at [You must be registered and logged in to see this link.] (the one you suggested just kept crashing on me).
Please scan it to make sure it's safe, because Malwarebytes claimed the file was infected. Not the original file, but I copied it to my desktop to .rar it and Malwarebytes meant the copy was corrupt.

I've been doing a few reboots as well, that works just fine.

I thought maybe I could ask you to look at my HJT log again, so you can see if you find any threats?

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:26, on 20.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Geir\Desktop\Hijack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - [You must be registered and logged in to see this link.] Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7546 bytes

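The HJT log above is what the helper reads entry by entry before declaring the log clean. As an added example (not code from the forum, the poster, or HijackThis itself), here is a small Python parser for the `Oxx - ...` entry format with a few defender-side triage rules: autostart entries with no absolute path (resolved via the PATH search order at logon), core system binary names such as userinit.exe or svchost.exe living outside \WINDOWS\system32 (the thread's trojan sat in the real userinit.exe; a copy under another path is the variant this rule catches), autostarts from user-writable folders, and a populated AppInit_DLLs value. The sample log fragment is constructed in HJT v2.0.2 layout from entries like the ones posted above; the `[updater]` line is an invented illustration, not something from the poster's machine. The rule names, severities and path markers are my own assumptions, not anything HijackThis defines.

```python
"""HijackThis (HJT) log triage helper.

Added example, not part of the forum thread or of HijackThis itself. It parses
the "Oxx - ..." entry lines of an HJT v2 log, pulls the on-disk path out of each
entry and applies a few defender-side triage rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log fragment in HJT v2.0.2 layout. The entries are modelled on
# the log posted in the thread; the "[updater]" O4 line is an invented example of the
# kind of entry a reviewer stops at, not something from the poster's machine.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:26, on 20.01.2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Application Data\svchost.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 1234 bytes
"""

# An HJT entry line: section code (R0, O2, O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# Quoted paths may contain spaces; bare paths are cut at the first PE/script extension.
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH_RE = re.compile(
    r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl|scr|bat|cmd|vbs)\b", re.IGNORECASE)

# Core Windows binary names that malware likes to borrow (assumed list).
SYSTEM_BINARY_NAMES = {"userinit.exe", "winlogon.exe", "svchost.exe", "lsass.exe",
                       "services.exe", "explorer.exe", "csrss.exe", "smss.exe"}
# Folder fragments a limited user can write to (assumed list, lower-case).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\",
                         "\\temp\\", "\\application data\\")


@dataclass
class Entry:
    section: str          # e.g. "O4"
    body: str             # everything after "O4 - "
    path: Optional[str]   # on-disk path extracted from the body, if any


def extract_path(body: str) -> Optional[str]:
    """Prefer a quoted path; otherwise take the first drive-letter path."""
    m = QUOTED_PATH_RE.search(body)
    if m:
        return m.group(1)
    m = BARE_PATH_RE.search(body)
    return m.group(0) if m else None


def parse_hjt(text: str) -> List[Entry]:
    """Return the Oxx/Rx entries of an HJT log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], extract_path(m["body"])))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (severity, section, reason) for each entry a reviewer should look at."""
    findings = []
    for e in entries:
        # AppInit_DLLs loads into every user-mode process: always worth a look,
        # even when (as in the thread) the DLL belongs to the antivirus.
        if e.section == "O20" and e.body.split(":", 1)[-1].strip():
            findings.append(("review", e.section, "AppInit_DLLs is populated: " + e.body))
            continue
        if e.path is None:
            if e.section in ("O4", "O23"):
                findings.append(("review", e.section,
                                 "no absolute path; resolved via PATH search order: " + e.body))
            continue
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in low:
            findings.append(("high", e.section,
                             f"{name} outside \\WINDOWS\\system32: {e.path}"))
        elif e.section in ("O2", "O4", "O23") and any(mk in low for mk in USER_WRITABLE_MARKERS):
            findings.append(("high", e.section,
                             "autostart from a user-writable location: " + e.path))
    return findings


if __name__ == "__main__":
    for severity, section, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity}] {section}: {reason}")
```

Run against the sample it reports the bare `SOUNDMAN.EXE` autostart and the AppInit_DLLs value for review, and the user-profile `svchost.exe` as high; the genuine AVG, Spybot and driver entries pass silently. A "high" hit is a prompt to hash and inspect the file, not a verdict: the same rule would have stayed quiet on the thread's infected `userinit.exe`, which is why the helper also asked for the file itself.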

Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 7:01 pm

Thanks for the file.
Log looks good, all that is left is the AV issue; feel free to take your time, but please remember to do this, as AVG may be corrupt and you aren't safe.
Do not surf the net between uninstalling AVG and installing the new AV, as you will not be protected.



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 7:43 pm

I won't. I think I'll try it at once, as my skiing plans just went down the drain.
I wish I was in your land of sheep and dirt right now, over here it's a land of snow and slush. Received 3 feet in one night, the whole country came to a standstill. And now it's raining on top of it. I bet that is a problem you're not used to...

I used to live in Leeds btw. (and London) I remember when Leeds had half an inch of snow the whole place collapsed on itself. And I, in my Renault 5, was the king of the road, the only person with the guts to go out and face the white menace of the heavens..

Anyways; feel free to hit the "solved" button if you'd like, I imagine you take pride in it. Thank You!
I can't thank you enough for taking the time and effort, it is greatly appreciated.

I understand geekpolice would like feedback/review as a token of appreciation?


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 8:03 pm

Can we switch places? pretty please? I love the snow. LMBO or ROFL
I WANT it to snow heavy here, I hate getting up early for college. LOL Banner

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (to turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox, they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin



Solved Re: Trojan: SHeur2.gnw

Post by ronsonol on Tue Jan 20, 2009 8:15 pm

I'll switch places only if you live close to Anfield (or at least a bloody good pub). Love the snow myself, but not the slush..

Btw; college is for partying, not studying. Your country is not of sheep and dirt (that would be New Zealand) but rather beer and skimpily clad chicks..

I turned off System Restore before I even came here for help, time to turn it on again now, thanks for reminding me.

Read through the articles already, good reading. Now to make my girlfriend read them... (and to convert her to Firefox)

Feedback submitted. Pretty much told you off Goofy
Cheers mate!


Solved Re: Trojan: SHeur2.gnw

Post by Belahzur on Tue Jan 20, 2009 8:17 pm

LOL Banner You're welcome.
Solved.

