AVG reports SHeur.cmmr trojan, removal process finds nothing

Explain. Does it hang when you go to open it? Do you receive any errors?

What do you mean by "firefox inbox"??

This could be because what AVG is reporting is a false positive. You need to give me the exact file path of where avg is finding the "threats" please.

You downloaded both SAS and MBAM but you didn't scan with them. You need to follow instructions from the R&R correctly and in the right order.

1. Please now run both SUPERantispyware and Malware Bytes > update > scan > fix all it finds and attach me the logs from each.


2. Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
c:\windows\~GLH0000.TMP
c:\windows\~GLC0000.TMP

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

3. Please go to Jotti's malware scan

(If more than one file needs scanned they must be done separately and logs posted for each one)

• Copy the file path in the below Code box:
  
  Code:

  c:\windows\system32\Drivers\TED200M5.sys

• At the upload site, click once inside the window next to Browse.
• Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
• Next click Submit file
• Your file will possibly be entered into a queue which normally takes less than a minute to clear.
• This will perform a scan across multiple different virus scanning engines.
• Important: Wait for all of the scanning engines to complete.
• Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Then do the same for the below file and also let me know the results:

Code:

c:\windows\system32\drivers\TED200S5.sys

4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix. also let me know the results on those two files from jotti. and the logs from both SAS and MBAM.

5. Please don't forget to tell me the exact file path of where AVG is finding suspicious files.

Thanks
Kes13!

 

Ahh, I suspected this would be the case.

Do you mean attempting to remove them by using avg results in it telling you the file is too large to remove? You could try yourself Manually by using Windows EXplorer to find and delete the below:

Just follow the file paths and delete them one by one, see if they go quietly, if not, let me know and we will deal with it another way.

Yes please. IT's important you also attach the other logs I require. Do this as soon as you are ready. I will be here waiting.

 

Okay then, if avg cannot delete them, and you cannot see the emails we need to delete using windows explorer, then simply navigate to the inbox yourself and delete them. If they do not show up there we have to ask ourselves if what avg is reporting is correct. I am not seeing any malware in your logs.

 

I still suspect that what avg is finding is a false positive somehow. And it could be that any other issues you are having you should post in the software forum about, however let's do the below just to be sure:

Please disable your antivirus program while running this scan to avoid running into issues with your existing program conflicting with the online scan.

You can use either Internet Explorer or Mozilla FireFox for this scan.

• Please go here then click on:
  
• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Make sure that the option Remove found threats is checked, and the option Scan archives is also checked.
• Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Now click on:
• The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
• When the download is finished, the Online Scan will begin automatically.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When the scan completes, click List of found threats
• Next click Export to text file and save the file to your desktop using a name such as ESETScan.txt. Attach this report to your next reply.
• Click the <<Back button then click
• Attach the ESETScan.txt to your next reply.

 

Hmmm may not have the same threat name as what avg gave however it is indeed pointing to infected files in your inbox:

This is just part of MGTools and nothing to worry about.

Bad file found in sys restore which our final steps will flush out anyway once you have toggled system restore.

I will get back to you with a reply as soon as possible. It's late for me now and I shall be going to sleep soon.

Thanks for your patience.
Kes13!

 

You are welcome. To deal with the infected emails you will have to clean up your email account yourself, by accessing the accounts and removing all the junk. In Outlook you may even need to compress the databases to remove anything trapped in entries of the dB that have already been deleted.

Apart from these issues though I am not seeing any other malware in your logs.
So manually tidy up your email accounts and then you can follow my final steps below:

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!