AVG reports SHeur.cmmr trojan, removal process finds nothing

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RubyDist, Dec 13, 2009.

  1. RubyDist

    RubyDist Private E-2

    My notebook w/ XP Pro seems to have a problem - there are occasions where IE doesn't want to open properly. So, I manually ran a complete scan w/ AVG free using the latest detection files. It reports multiple instances of "SHeur.cmmr" trojan in the Firefox inbox. Manually searching through the inbox, I did not locate any such instances.

    I followed the current "Malware Removal Guide" and none of the malware killers located anything they found objectionable.

    I just ran another full scan w/ AVG overnight, and it still complains about the SHeur.cmmr trojan multiple times.

    Logs are attached. Where do I go next?
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Explain. Does it hang when you go to open it? Do you receive any errors?

    What do you mean by "firefox inbox"??

    This could be because what AVG is reporting is a false positive. You need to give me the exact file path of where avg is finding the "threats" please.

    You downloaded both SAS and MBAM but you didn't scan with them. You need to follow instructions from the R&R correctly and in the right order.

    1. Please now run both SUPERantispyware and Malware Bytes > update > scan > fix all it finds and attach me the logs from each.


    2. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    File::
    c:\windows\~GLH0000.TMP
    c:\windows\~GLC0000.TMP
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3. Please go to Jotti's malware scan

    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\system32\Drivers\TED200M5.sys
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Then do the same for the below file and also let me know the results:

    Code:
    c:\windows\system32\drivers\TED200S5.sys
    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix. Also let me know the results on those two files from Jotti, and attach the logs from both SAS and MBAM.

    5. Please don't forget to tell me the exact file path of where AVG is finding suspicious files.

    Thanks
    Kes13!
     
  3. RubyDist

    RubyDist Private E-2

    I did run SAS and Malware Bytes; I just forgot to attach the logs. They didn't find anything.

    IE will open a window with a white background, and report that it is opening the homepage like normal. It may take a couple minutes to actually display the homepage, or it may never display it even after more than an hour. Firefox opens and runs normally.

    Sorry, I meant "Thunderbird inbox" - the locations reported are:
    "C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\5vo9l44n.default\Mail\Local Folders\Inbox"
    "C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\5vo9l44n.default\Mail\Local Folders\Inbox:\UPS_letter.zip"
    "C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\5vo9l44n.default\Mail\Local Folders\Inbox:\UPS_letter.zip:\UPS_letter.doc.exe"

    Each of the files is reported twice, for a total of 5 threats found. Attempting to remove the files manually results in AVG reporting that the file is too large to remove.

    I will do the additional steps you specified above here shortly and report what is found.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ahh, I suspected this would be the case.
    Do you mean attempting to remove them by using AVG results in it telling you the file is too large to remove? You could try yourself manually by using Windows Explorer to find and delete the below:

    Just follow the file paths and delete them one by one, see if they go quietly, if not, let me know and we will deal with it another way.
    Yes please. It's important you also attach the other logs I require. Do this as soon as you are ready. I will be here waiting. :)
     
  5. RubyDist

    RubyDist Private E-2

    Additional logs attached as requested.

    The file C:\....\TED200M5.sys does not appear to exist.

    If I look for the 'threats' using Windows Explorer, the only one that appears is the entire inbox, which I am obviously reluctant to delete......

    Here is the Jotti link: (it reports no problems, except NORMAN timed out)
    http://virusscan.jotti.org/en/scanresult/5f7b61a7f19aace5f1584e447e9da65675944582

    Thanks for your help!
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay then, if avg cannot delete them, and you cannot see the emails we need to delete using windows explorer, then simply navigate to the inbox yourself and delete them. If they do not show up there we have to ask ourselves if what avg is reporting is correct. I am not seeing any malware in your logs.
     
  7. RubyDist

    RubyDist Private E-2

    They do not appear in the inbox in Thunderbird. I have searched multiple times and they just do not appear. I guess I will chalk it up to an erroneous 'threat' report.

    I still have the occasional issue w/ IE not opening.... (although it opened fine this morning - I'm wondering if one of the other programs I use has a memory leak that affects IE more than Firefox)

    Thanks for your help!!!
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I still suspect that what avg is finding is a false positive somehow. And it could be that any other issues you are having you should post in the software forum about, however let's do the below just to be sure:

    Please disable your antivirus program while running this scan to avoid running into issues with your existing program conflicting with the online scan.

    You can use either Internet Explorer or Mozilla FireFox for this scan.


    • Please go here then click on: [IMG]
    • Select the option YES, I accept the Terms of Use then click on: [IMG]
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is checked, and the option Scan archives is also checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on: [IMG]
    • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
    • When the download is finished, the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When the scan completes, click List of found threats
    • Next click Export to text file and save the file to your desktop using a name such as ESETScan.txt. Attach this report to your next reply.
    • Click the <<Back button then click [IMG]
    • Attach the ESETScan.txt to your next reply.
     
    Last edited: Dec 15, 2009
  9. RubyDist

    RubyDist Private E-2

    I tried to run it last night in IE and it hung, so I ran it today in Firefox. The log is attached. It also claims there is un-cleanable stuff, but its different from what AVG complains about....
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmmm, it may not have the same threat name as what AVG gave, however it is indeed pointing to infected files in your inbox:


    This is just part of MGTools and nothing to worry about.

    Bad file found in sys restore which our final steps will flush out anyway once you have toggled system restore.

    I will get back to you with a reply as soon as possible. It's late for me now and I shall be going to sleep soon.

    Thanks for your patience.
    Kes13!
     
  11. RubyDist

    RubyDist Private E-2

    Thanks for your help.

    I should also mention that somewhere along the way through this cleanup process, something restored all of the emails that I have deleted from my inbox (for the past couple of years apparently) back into my inbox, so there are now thousands of emails showing up in my inbox..... :(
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are welcome. To deal with the infected emails you will have to clean up your email account yourself, by accessing the accounts and removing all the junk. In Outlook you may even need to compress the databases to remove anything trapped in entries of the DB that have already been deleted.

    Apart from these issues though I am not seeing any other malware in your logs.
    So manually tidy up your email accounts and then you can follow my final steps below:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
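Two points in this thread deserve a worked illustration: post 3, where AVG reports nested paths of the form `Inbox:\UPS_letter.zip:\UPS_letter.doc.exe` inside the Thunderbird mbox file, and post 12, where the helper notes that deleted mail can stay trapped in the mailbox database until it is compacted. The script below is an added example written for this page; it is not code from the thread, from MajorGeeks or from any of the tools named here. It builds a small constructed mbox (two made-up messages, no real mail or malware) and then walks it the way a scanner would: every attachment is checked for an executable or double extension, ZIP attachments are opened one level deep, and each hit is reported together with the message's X-Mozilla-Status flags. Thunderbird sets bit 0x0008 (expunged) on a message the user has deleted but that has not yet been purged by compaction, which is exactly the situation where an AV product keeps flagging an Inbox file while nothing suspicious is visible in the mail client. The sample file name, senders and the placeholder ZIP contents are all constructed for the demonstration.

```python
import io
import mailbox
import os
import tempfile
import zipfile
from email.message import EmailMessage

# Attachment extensions that warrant attention, optionally hidden behind a
# "document" extension (the UPS_letter.doc.exe pattern reported in the thread).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg"}

# Thunderbird X-Mozilla-Status bit meaning "deleted, not yet compacted away".
X_MOZILLA_EXPUNGED = 0x0008


def suspicious_name(name):
    """Return a reason string if an attachment name looks like a lure, else None."""
    root, ext = os.path.splitext(name.lower())
    if ext not in EXECUTABLE_EXTS:
        return None
    _, inner = os.path.splitext(root)
    if inner in DECOY_EXTS:
        return "double extension %s%s" % (inner, ext)
    return "executable attachment %s" % ext


def scan_attachment(filename, payload):
    """Check one decoded attachment; descend one level into ZIP archives."""
    findings = []
    reason = suspicious_name(filename)
    if reason:
        findings.append((filename, reason))
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for inner in zf.namelist():
                    r = suspicious_name(inner)
                    if r:
                        # Same "outer:inner" notation AVG used in the thread.
                        findings.append(("%s:%s" % (filename, inner), r))
        except zipfile.BadZipFile:
            findings.append((filename, "corrupt zip"))
    return findings


def scan_mbox(path):
    """Walk an mbox file; return one dict per message that carries a suspicious attachment."""
    results = []
    box = mailbox.mbox(path)
    try:
        for key, msg in box.iteritems():
            findings = []
            for part in msg.walk():
                fname = part.get_filename()
                if not fname or part.is_multipart():
                    continue
                findings.extend(scan_attachment(fname, part.get_payload(decode=True) or b""))
            if findings:
                status = int(msg.get("X-Mozilla-Status", "0000"), 16)
                results.append({
                    "key": key,
                    "subject": msg.get("Subject", ""),
                    # True means the user already deleted it in Thunderbird but the
                    # bytes are still in the Inbox file until the folder is compacted.
                    "expunged": bool(status & X_MOZILLA_EXPUNGED),
                    "findings": findings,
                })
    finally:
        box.close()
    return results


def build_sample_mbox(path):
    """Write a constructed two-message mbox to `path` (sample data, not real mail)."""
    box = mailbox.mbox(path)
    benign = EmailMessage()
    benign["From"] = "friend@example.invalid"
    benign["Subject"] = "Holiday photos"
    benign["X-Mozilla-Status"] = "0001"  # read
    benign.set_content("See attached.")
    benign.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg", filename="beach.jpg")
    box.add(benign)

    # Constructed lure: a ZIP wrapping a double-extension name. The "binary" is a
    # harmless placeholder string; the message is marked read + expunged (0x0009).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_letter.doc.exe", b"placeholder bytes, not an executable")
    lure = EmailMessage()
    lure["From"] = "notice@example.invalid"
    lure["Subject"] = "UPS delivery notice"
    lure["X-Mozilla-Status"] = "0009"
    lure.set_content("Your parcel could not be delivered.")
    lure.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="UPS_letter.zip")
    box.add(lure)
    box.flush()
    box.close()
    return path


def demo():
    """Build the sample Inbox in a temp directory and scan it."""
    path = os.path.join(tempfile.mkdtemp(), "Inbox")
    return scan_mbox(build_sample_mbox(path))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run against a real profile, `scan_mbox` would take the `Mail\Local Folders\Inbox` path from post 3 (close Thunderbird first, since the file is locked while the client runs). A hit with `expunged: True` is the case from post 7: the message no longer shows in the client, so the fix is to compact the folder (or purge it with the client closed) rather than to delete the whole Inbox file, and the scanner's "too large to remove" complaint is simply that it cannot cut one message out of a multi-megabyte mbox.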
