BleepingComputer.com: How Do I Remove Trojan Horse Sheur2

all of a sudden I got this sheild in the small icons menu that never been there before, trying to scare me into buying some bogus antivirus software by continually opening pop up windows. I restarted the computer in safe mode and ran malwarebytes and AVG. Malwarebytes showed 12 infections!! and AVG also showed SEVERAL infections. All were removed except for a couple that had to be removed by restarting the computer. Fortunately, it did get rid of the blue sheild icon and the pop ups but I ran AVG again & it showed Trojan Horse Sheur2, which I have read is not easy to get rid of as it has a host of other viruses with it. I can't get rid of this thing for nothin! The main problem I continue to have is everytime I google something and click on a link, I get redirected to these trash websites over and over again. Periodically I can get to the website I intended to go to but this is still a problem - also, my computer will shut off from time to time without warning!

Can anyone please give some step-by-step advice on how to get rid of this thing?

Best Regards.

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.

• Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  
  
• Click on the log name to highlight it.
  
• Go to the bottom and click on Open.
  
• The log should automatically open in notepad as a text file.
  
• Go to Edit and choose Select all.
  
• Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  
• Come back to this thread, click Add Reply, then right-click and choose Paste.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
  
• Click the Empty Selected button.
  
• If you use Firefox browser click Firefox at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
  
• If you use Opera browser click Opera at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
  
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Dr.Web CureIt as follows:

• Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  
• Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  
• The Express scan will automatically begin.
  (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  
• If prompted to dowload the Full version Free Trial, just ignore and click the X to close the window.
  
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)

• After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  
• In the top menu, click Settings > Change settings, and unheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  
• Please be patient as this scan could take a long time to complete.
  
• Click Select All, then choose Cure > Move incurable.
  
• In the top menu, click file and choose save report list.
  
• Save the DrWeb.csv report to your desktop.
  
• Exit Dr.Web Cureit when done.
  
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Thanks for the help. The Mbam log is as follows...

Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 3

6/17/2009 1:44:17 AM
mbam-log-2009-06-17 (01-44-17).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 164910
Time elapsed: 43 minute(s), 14 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4f494ad1-e3aa-47bb-b4ea-a05be501807e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4f494ad1-e3aa-47bb-b4ea-a05be501807e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4f494ad1-e3aa-47bb-b4ea-a05be501807e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\pp10.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.


After running Dr. Web cure it in safe mode, this is the log...

skynetrrslrxyt.sys;c:\windows\system32\drivers;Trojan.Packed.2479;Incurable.Moved.;
SKYNETxuwmnaeg.dll;C:\WINDOWS\system32;Trojan.DownLoad.38278;Deleted.;
SKYNETrrslrxyt.sys;C:\WINDOWS\system32\drivers;Trojan.Packed.2479;Incurable.Moved.;
proquota.exe;C:\WINDOWS\system32\wbem;Trojan.PWS.Multi.35;Deleted.;
SKYNETapxtdcdxer.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETbxxgqhpoub.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETchdlnxqcfe.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETehumoxxxif.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETekncgrohti.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETeqmfexfaap.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETibwjxyisxh.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETifiqufphrs.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETitoxdhqiwp.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETjpuxhvdial.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETkwinchysio.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETlukepwtvle.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETmendiukadl.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETminbclipmk.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETmydeyegqix.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETnwwkljbpgk.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETorhimxpuwn.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETptnrqufpoo.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETpyjpvehjjh.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETqnkqbppubm.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETqtwotsffkv.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETrdpnkhvpuy.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETriyqxtigsl.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETswrjwqqaxe.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETtfwehpsxcp.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETwkwsmnwyrc.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETwpjopbqdrk.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETwwtqjxcevg.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETxbdmeyuxnn.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETxgqxxtxtnw.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETxtyerxnlns.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETxxcmybtulv.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETyayramemmw.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETymjxdmtuly.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETymqbtcxynh.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
SKYNETyxtusgxpid.tmp;C:\WINDOWS\temp;Trojan.DownLoad.38278;Deleted.;
A0024133.exe\core.cab\GTDOWNAO_106.ocx;D:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP157\A0024133.exe;Adware.Gdown;;
A0024133.exe;D:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP157;Archive contains infected objects;Moved.;


Looks bad, I know. Thanks for the help, though. Also, I noticed something about volumn info; my speakers haven't been working correctly lately. Is this something that could be contributing to the problem? Thanks so much!

Yes, you are dealing with multiple nasty infections.

Please print out and follow the generic instructions for using "SmitfraudFix".
-- If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!
-- If using Windows Vista be sure to Run As Administrator

• Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
  
• The tool will go through a series of cleanup processes and automatically start the Disk Cleanup program to remove Temporary files. Wait for it to complete and Disk Cleanup to finish.
  
• When done, a text file named rapport.txt will appear on screen with results from the cleaning process.
  
• The file is automatically saved to the root of the system drive (typically C:\rapport.txt).
  
• Please copy/paste the contents of that report into your next reply.

-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (typically at C:\), and run it from there.

Your Malwarebytes Anti-Malware log indicates you are using an older version of MBAM (v1.36) with an outdated database. Please download and install the most current version (1.38) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Update the database through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install.

• alternate mbam-rules.exe download link 1
  
• alternate mbam-rules.exe download link 2

Your database shows 2164. Last I checked it was 2307.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.

• XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  
• Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component and another was a backdoor Trojan. Backdoor Trojans, rootkits, Botnets and IRCBots are very dangerous because they compromise system integrity] by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:

• Danger: Remote Access Trojans
  
• What danger is presented by rootkits?
  
• Rootkits and how to combat them
  
• r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  
• What Should I Do If I've Become A Victim Of Identity Theft?
  
• Identity Theft Victims Guide - What to do

Although the infection was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Even tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• When should I re-format? How should I reinstall?
  
• Help: I Got Hacked. Now What Do I Do?
  
• Where to draw the line? When to recommend a format and reinstall?

Ok, I updated and scanned with Mbam first and it found 21 infections. Then I rebooted the computer, downloaded Smitfraud and then rebooted in safe mode, followed the steps for use and then restarted the computer. After which, I ran mbam again and it found zero infections. Here is the log from the last mbam scan...

Malwarebytes' Anti-Malware 1.38
Database version: 2308
Windows 5.1.2600 Service Pack 3

6/19/2009 2:07:55 PM
mbam-log-2009-06-19 (14-07-55).txt

Scan type: Quick Scan
Objects scanned: 94551
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Do I also need to post the rapport from Smitfraud?
I can't believe this computer was infected like that. I think from now on I'm going to use foxfire instead of IE.
I breifly read some of the topics for reinstalling the system. Would you say that this computer should never again be used for any kind of activity where one must log into a website, such as email, ebay, and banking, even if the system gets reinstalled? Should I just get a new computer to do my banking and so forth on?
It seems like this one may as well be trash...

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links previously provided. As I already said, in some instance the malware may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action but I cannot make that decision for you.

How is your computer running now? Are there any more reports/signs of infection?

Haven't had any problem with being redirected or the blue screen shut off - at least not yet, anyway. I just finished running an AVG which found 2 infections:

"C:\Documents and Settings\Owner\DoctorWeb\Quarantine\SKYNETrrslrxy0.sys";"Trojan horse Rootkit-Agent.DZ";"Moved to Virus Vault"
"C:\Documents and Settings\Owner\DoctorWeb\Quarantine\skynetrrslrxyt.sys";"Trojan horse Rootkit-Agent.DZ";"Moved to Virus Vault"


Malwarebytes stills say zero infections and windows defender also shows nothing.

Please download F-Secure Easy Clean and save the file to your desktop.
Be sure to read the Frequently Asked Questions before performing a scan.

• Double-click on fseasyclean.exe to launch the program.
  
• Read the license agreement and click Accept.
  
• Click Start to begin the scan and cleaning.
  
• Please be patient as the scan may take a while to complete.
  
• If a rootkit is detected, Easy Clean will require you to restart the computer in order to complete the removal process.
  
• Once the computer restarts, Easy Clean will launch automatically and continue with disinfection.
  
• When finished it will show the results of what was found and removed.
  
• Exit Easy Clean when done.

The fseasyclean didn't find anything at all but later when I ran an mbam scan it found one thing. I guess the best thing for me to do is just keep cleaning it and save some $ for a new computer.
Also, I've been getting more and more items containing macros from AVG and I have no idea what to do about that...
Thanks for the help.

Hi Blue Moon,

For that infection, you need to go to the forum with the tougher tools. Before you post there, please go through the following instructions:


Preparation Guide

Zllio

Hi Zllio,

Thanks for the tip. Fortunately, I've already gone to the HJT forum and got plenty of help from Propagandapanda. It looks like everything is fine again but I was still advised that even though everything may look good, there is always a possibility that a backdoor could still be exposed. So even though my computer is back to "normal" I still won't use it to do banking, paypal, etc. because the system was compromised. The help I've gotten here is exceptional and great. Thanks so much, everyone, for the help. Very educational.

Thanks for posting back Blue Moom,

Perhaps at some point you may want to back up your data and reformat, but while the computer is working, you have a chance to relax and consider all of that in peace.

Good luck.
Zllio

Your DDS/Hijackthis log is posted here and you are getting help from Propagandapanda.

Now that your log is posted, and you are getting assistance, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

The HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.

Thanks for your cooperation.