Need help removing Trojan FraudAV.SJhorwPa

Hello,
I have been following the Majorgeeks protection guidelines for years and everything works well. But now this thing got through: "FraudAV.SJhorwPa".

This trojan is only detected by Spybot and even tends to disappear from the source file where it is indicated to be, but where Spybot still tells me it resides.

Please help me declare war onto this enemy.

Thank you.

 

So, should I install and run RogueKiller, etc.? (I have Windows Vista.)
Or am I reading too far?

 

Well, here are the logs anways.

 

Take 2.

 

Here it is.

 

Will this help?

http://forums.spybot.info/showthread.php?t=64169

 

They were in the "Logs" zip file.
Here.

 

Here is what came out of it.

 

First it told me that the file had already been analyzed on the 21st (Monday). I can't say how, so I clicked "reanalyze".

I'll list the results in a second post.

Heads-up: I realized there were some mistakes on my part in the sequences. After running Spybot, which would detect the trojan, I didn't always re-deactivate Antivir after reboots of the system, for example. This had the effect that Antivir would jump onto the Trojan and quarantine it by moving FraudAV.SJhorwPa elsewhere, I don't know where to. Since I know where the Trojan is supposed to be, I kept an eye on it directly, but because of the constant re-quarantining, FraudAV.SJhorwPa isn't always where it's supposed to be, making it harder for us to eliminate it, and for your suggested software to detect it. Right now, FraudAV.SJhorwPa is moved soemwhere and I can't find it, but Spybot still detects it (but won't tell me where it is either).

 

https://www.virustotal.com/file/1ae97262a5b5e5441cfd323d417bbf1ffc098b3f89511dede3acae0a9674dc09/analysis/1359145414/

SHA256: 1ae97262a5b5e5441cfd323d417bbf1ffc098b3f89511dede3acae0a9674dc09
SHA1: 619e67d565bb4e5ce9557aff4e0a3bdf8d11b74d
MD5: d5816bddd4382975c1693cce68547fcc
File size: 18.8 KB ( 19286 bytes )
File name: cleanup.exe
File type: Win32 EXE
Tags: peexe mz
Detection ratio: 14 / 44
Analysis date: 2013-01-25 20:23:34 UTC ( 12 minutes ago )
0
0
Less details

Analysis
Comments
Votes
Additional information

Antivirus Result Update
Agnitum RiskTool.Avenger!4K/L0L7NudI 20130125
AntiVir - 20130125
Antiy-AVL - 20130125
Avast - 20130125
AVG - 20130125
BitDefender - 20130125
ByteHero - 20130123
CAT-QuickHeal Trojan.Agent.WD.cw6 20130125
ClamAV - 20130125
Commtouch W32/Zapchast.M 20130125
Comodo - 20130125
DrWeb - 20130125
Emsisoft - 20130124
eSafe Win32.Banker 20130120
ESET-NOD32 - 20130125
F-Prot W32/Zapchast.M 20130125
F-Secure - 20130125
Fortinet - 20130125
GData - 20130125
Ikarus - 20130125
Jiangmin Trojan/Zapchast.gd 20121221
K7AntiVirus Riskware 20130125
Kaspersky - 20130125
Kingsoft Win32.Troj.Zapchast.uy.(kcloud) 20130121
Malwarebytes - 20130125
McAfee-GW-Edition ZapChast.gen 20130125
Microsoft - 20130125
MicroWorld-eScan Win32.SuspectCrc (ES) 20130125
NANO-Antivirus - 20130125
Norman Zapchast.CTP 20130125
nProtect Trojan/W32.Zapchast.19286 20130125
Panda - 20130125
PCTools - 20130125
Rising - 20130125
Sophos - 20130125
SUPERAntiSpyware - 20130125
Symantec - 20130125
TheHacker Trojan/Zapchast.uy 20130124
TotalDefense Win32/Crykee.A 20130124
TrendMicro - 20130125
TrendMicro-HouseCall - 20130125
VBA32 - 20130125
VIPRE - 20130125
ViRobot - 20130125

 

So what now?
Awaiting orders.

 

Oh, btw, more detail:
When I tell Spybot to "fix it", Spybot gives me an error saying it "can't open the file", then I guess making it show that something is wrong, Antivir swoops in and quarantines the file altogether. BUT, Antivir is not able to detroy the Trojan. He is just cockblocking, right now.

 

Otherwise, I guess I can't say I noticed any issues.
According to Spybot's forum (see link from a few days ago), the Trojan is supposed to make my computer download things in the background, which is bad. But, indeed, I can't say I noticed anything.

So... stalemate for now, I'll wait for a patch from Spybot, I guess.

Thank you for the help, TimW.

 

Oh. Here you go.

 

I deleted the items in Antivir's quanrantine.
But, I cannot find Spybot's "Start Center" and I do not have the SBTray icon (I try to have as few tray icons as possible.) Because of that, I canot find the quarantine area in Spybot. I went to their tutorials and forum; no clue.

What next? I'll run Spybot again in the mean time.

 

Still there.

 

Huh. Apparently, clicking the "Update" button doesn't actually update the software that much. I have version 1.6.2.46, according to the "About". I will do as you said and come back later with the result.

 

Good news!
It was as simple as that. I did two scans with the new Spybot 2 (now I understand what that "quarantine" and "Start center" things were) and on the first time, it detected the "cleanup.exe". I "fixed" it. 2nd scan, it wasn't there anymore.

Huzzah!

I think we're done!

Thanks a whole lot! Nice work, guys!

 

Thank you.