Infected with Trojan Horse SHeur2.AEFY

Hello:

First time using this forum so hopefully I have done everything correctly.

I am running Windows XP Home Edition w/ SP3. I use AVG Free Edition Version 8.

Recently AVG was reporting that the machine had become infected with numerous trojan horses and/or malware.

I have therefore followed all of the instructions in the "Read & Run Me First", and have run my machine completely through the Windows XP Cleaning Procedure as described in this forum.

Apparently now the only item that remains on my machine is the Trojan Horse SHeur2.AEFY (as reported by AVG). The machine seems to be operating normally, however I continually get periodic messages from AVG reporting that the Trojan Horse SHeur2.AEFY exists in the following path/file:

C:\Program Files\pplive\pplives.exe

I have attached the relevant log files generated during the cleaning procedure as directed. I would greatly appreciate any help that can be provided to rid my machine of this malware. Thank you in advance.

 

Hi Kes13:

Thanks for the reply. I should first give you some updated information since my original post.

After my original post, I went ahead and flushed my system restore points, as I had not yet done this. Additionally, I went ahead and deleted the C:\Program Files\pplive\pplives.exe, as well as the folder itself. I then went completely through the system registry and deleted all entries related to PPlive. (To answer one of your questions, neither myself nor my other family members who use this machine recall installing the PPlive software on May 5, therefore it must have been inadvertantly installed.) The folder/file (or any registry entries) have not reappeared in my system.

Since performing these actions, AVG has not detected the Trojan Horse SHeur2.AEFY and/or the PPlive file(s). However, AVG is still reporting that it is finding some residual malware. Below I have pasted the info reported by AVG from yesterday's (May 16, 2009) system scan:

***begin paste from AVG***
File:
"C:\Qoobox\Quarantine\C\WINDOWS\Temp\739371346.dll.vir"
Infection:
"Trojan horse PSW.Agent.AAGS"
Result:
"Moved to Virus Vault"


File:
"C:\WINDOWS\system32\avp.dll"
Infection:
"Trojan horse Downloader.Agent2.CWH"
Result:
"Moved to Virus Vault"
***end paste from AVG***

With respect to your question about the c:\windows\system32\localtest.exe file, I am not positive that I know how to correctly check if there is a file signature. What I did was right-click on the filename, select "Properties", then clicked on the "Summary" tab. All of the fields in the Summary tab are empty.

Thanks very much for your help so far.

 

Hi Kes13!:

Thanks for the reply. Sorry about the restore system points....I will not take any further actions other than the instructions you give me.

I have renamed the file c:\windows\system32\localtest.exe
to
c:\windows\system32\localtest.exe.old

FYI, today's AVG system scan was clean with no infections or warnings. I will provide an update on the health of my system in a couple of days.

Thanks again for your assistance,
sjbryce

 

Posting an update. I have had clean daily scans by AVG with no threats or infections over the past 3 days. So all seems much better at this point (knock on wood??!!)

Thanks,
sjbryce

 

Hi Kes13!

Thanks very much for your assistance. I will follow your instructions on the final steps.

This is an excellent forum, and once again your help is greatly appreciated.

Best Regards,
sjbryce