Trojan Horse Sheur2.gnw

Trojan Horse Sheur2.gnw is a generic detection for a harmful file that is normally used by malware authors to spread a separate virus infection. The threat was also designed to gather email addresses from the infected system. In addition, Trojan Horse Sheur2.gnw interferes with your connection to security-related web sites, making sure that no updates will be downloaded onto the infected computer.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista/7

Characteristics
When Trojan Horse Sheur2.gnw is executed, it connects to a specified command and control (C&C) server. Once the connection is established, the Trojan downloads a malicious file. This file is hard to identify because of the random file name it uses. Trojan Horse Sheur2.gnw then infects certain system files so that its code is run each time you start Windows.

There is also an observation that Trojan Horse Sheur2.gnw is used to alter the settings of the victim's Internet browser. The effects of these changes can be browser redirection, search result hijacking, and an unknown home page setting. Search result hijacking, however, is the one most victims notice. Reports show that after using Google to search the web, the user is redirected to an unknown web site after clicking on any of the results. This leads to an income-generating action: the landing page delivers advertisements that earn a profit for the referrer when clicked or viewed.

Distribution
Trojan Horse Sheur2.gnw normally spreads through spam email messages. It is attached to an email with a deceptive message prompting the recipient to open the file. When executed, Trojan Horse Sheur2.gnw checks the computer for an installed antivirus program and disables it.

Signs and Symptoms of Trojan Horse Sheur2.gnw Infection:

Trojan Horse Sheur2.gnw will disable your antivirus program
Once a Trojan infects a computer, it tends to lower security settings and disable the firewall and antivirus program. Trojan Horse Sheur2.gnw carries out this task to ensure that antivirus software will not respond to the attack.

Blocks Internet access to security web sites
Trojan Horse Sheur2.gnw attacks the core of the security system. Aside from disabling antivirus software, this Trojan also blocks your access to security web sites to prevent the download of any removal tools.

Presence of Trojan Horse Sheur2.gnw reduces PC performance
Trojans are known to reside in memory, so they consume resources and can cause the computer to slow down. In some cases the infected computer crashes due to insufficient resources.

Other Functions of Trojan Horse Sheur2.gnw:

  • Trojan Horse Sheur2.gnw can communicate with a remote server to download more threats
  • It can infect executable files on local and network drives
  • This hazardous Trojan can connect to a remote server to update its configuration
  • Some variants of Trojan Horse Sheur2.gnw can destroy system files, making the computer unstable
  • This Trojan can open a backdoor that allows an attacker to control the infected PC
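As an added defender-side example (not code from the original page), the following Python triage script checks two of the symptoms described above against values read from a suspect machine: a Winlogon "Userinit" entry that loads something besides the stock Windows loader, and hosts-file lines that pin security vendor sites. Both mechanisms are assumptions, since the page only says the Trojan hooks Windows startup and blocks security web sites without naming how; all inputs are constructed samples.

```python
# Added triage example (not from the original page); inputs are constructed
# samples standing in for values read from a suspect machine.

# Assumption: the Trojan hooks startup via the Winlogon "Userinit" value
# (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon); the page only
# says it modifies system files so that it runs at every boot.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
SUSPECT_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                    r"C:\Documents and Settings\user\Local Settings\Temp\loader.exe,")
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumption: security sites are blocked by pinning them in the hosts file;
# the page does not name the mechanism. Constructed sample, not a real file.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       free.avg.com
127.0.0.1       www.malwarebytes.org
0.0.0.0         update.symantec.com
"""
SECURITY_VENDOR_NAMES = ("avg", "malwarebytes", "symantec", "kaspersky",
                         "mcafee", "trendmicro", "windowsupdate")


def check_userinit(value):
    """Return every Userinit entry other than the stock Windows loader.
    A clean value has exactly one entry; anything extra runs at every logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def check_hosts(text):
    """Return (address, hostname) pairs for hosts entries naming a security vendor.
    Legitimate hosts files almost never mention vendor sites, so any such entry
    deserves a look regardless of the address it points to."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if any(v in name.lower() for v in SECURITY_VENDOR_NAMES):
                findings.append((addr, name))
    return findings
```

On a live system the two inputs would come from the registry and from %SystemRoot%\system32\drivers\etc\hosts; a non-empty result from either check is a reason to continue with the removal steps below.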

How to Remove Trojan Horse Sheur2.gnw

Step 1 - Run a thorough scan using your antivirus program

1. Temporarily disable System Restore (Windows Me/XP).
2. Open your antivirus application and update the virus definitions. This ensures that your antivirus program can detect even newer variants of Trojan Horse Sheur2.gnw.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will boot Windows loading only the necessary drivers and system files.


4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If that is not possible, place them in quarantine. Once the scan is complete, proceed with the next step.

Step 2 - Double-check with Online Virus Scanner

Another way to remove Trojan Horse Sheur2.gnw without installing an additional antivirus application is to perform a thorough scan with a free online virus scanner, which can be found on the websites of legitimate antivirus and security providers.

5. Go to the Online Virus Scanner list and run a virus scan. This may require plug-ins, add-ons or an ActiveX object; install them if you want to proceed with the scan.


6. After completing the necessary downloads, your system is ready for online virus scanning.
7. Select an option that scans the computer thoroughly, so that it finds and removes any infections not detected by the previous scan.
8. Remove or delete all detected items.
9. When scanning is finished, restart the computer in normal mode.

Step 3 - Automatic Removal of Trojan Horse Sheur2.gnw files and registry entries

In order to completely remove the threat, it is best to download and run Malwarebytes Anti-Malware. Sometimes Trojans block the download and installation of MBAM. If this happens, download it on a clean computer and rename the executable file before running it on the infected machine.

27 Comments

  1. Ken

    How do I remove the SHeur2.gnw trojan and get my desktop back? I have used AVG it sees the trojan but won’t remove it to the vault. The trojan is in my userinit.exe file.

    Thanks.

  2. ChrisReid

    If Windows is blocking the file from running at boot and the computer seems to be stalling/not starting up, you can ‘manually’ get your desktop back. When you’re looking at the blank screen, hit control+alt+delete and click New Task on the Applications task manager pane. Then type C:\Windows\explorer.exe and hit enter. Your computer will be usable again, but be cautious as you are running a virus-infected system obviously. I have the same issue and am hoping someone develops a fix soon.

  3. Ilaya

    Seems like a new virus. I also got it just recently… what a christmas gift. :(

  4. electronic

    Do this. Open the CD with XP Service Pack 2 and copy the file userinit.ex_ to c:\.
    then write
    expand c:\userinit.ex_ c:\userinit.exe and press enter.
    The size of the new file must be 25-30kb.
    then copy the file and open c:\windows\system32
    delete the old file userinit.exe (size =70-80kb) and copy the new one here.
    Then restart the computer.
    The computer is now open but the virus (I don’t know the name) is inside your computer but is sleeping. If I learn the name and removal tool I will post it here.
    Good Christmas.
    George

  5. wooler

    Has anyone found a fix for this virus yet?????

  6. Henry

    Same problem, mine also seemed to come with generic8.hpc as well. AVG found it and said it was fixed, but the problems aren’t resolved even though it can’t find it a second time. It won’t let AVG update, or go to its website… I also notice that I can’t log onto other antivirus websites. The people that create these should be shot in public – starting at the feet and working upwards from there – perhaps just one shot per hour or so – with a clock in front of them – that is a few seconds slow – following each shot by a splash of some sort of hot pepper sauce – then…drawn from a hat… a suggested punishment from one who has had a computer infected by the virus.

    My daughter was seriously sick last night and I was trying to get online to find information, and I find some new virus that someone created to get in my way and possibly threaten her life? Creative new death sentences should be mandatory in the future as these people add nothing to the world at all, and are worth less than anything I can think of. As for cruel and unusual, the punishment wouldn’t be cruel because anything you could think of to do to these people is less painful than they deserve, and if you quickly and frequently use creative punishment, then it wouldn’t be unusual, would it?

  7. Steve

    Have the same thing. Knew I had a virus as Comcast sent me an email telling me they shut down my SMTP(25) port as it appeared I was infected and sending spam. Used TCPVIEW and lo and behold there were about a dozen open connections to various mail servers. AVG scan didn’t find anything, a couple other online services found nothing. This morning I saw Resident Shield picked up svchst.exe accessing a file A0162702.exe in my system restore dir. I have found info on removing variants, but not sure if they are going to work for this one. I agree with previous poster about torturing these kiddies….I wouldn’t use a gun though….I think skinning alive and leaving them in a pile of fire ants would be much more appropriate!

  8. elie akl

    I have AVG anti-virus and I got a ‘trojan horse backdoor’ virus.
    How can I remove this threat?

  9. weirdmay

    I have AVG anti-virus too, I was trying to uninstall it cause it really doesn’t remove any virus at all. The problem now is that it doesn’t work —- can’t uninstall it even though I tried the add/remove from the control panel. I HOPE that there will be a website that TRULY downloads free antivirus software that really works!!!

  10. Claudia

    Death penalty to fkn’ virus creators , I AGREE, i’ve got the
    Sheur2 Q8Q or something like that and it’s driving me nuts I can’t find any site telling how to remove it , please anybody coming to a solution email me thanks in advance

  11. reddvinylene

    Please add your complaints to AVG website and perhaps someone will fix it for us sooner!

  12. ConcernedGamer

    I discovered the Trojan Horse SHeur2.YLQ problem on my computer today during its normal scan. After looking around this seems to be a new strand as I can find nothing when searching for the YLQ variation, and I am not sure if previous fixes for other strains will work.

    This being a backdoor trojan I am concerned if I got this from one of the many gaming sites I visit or what. I most certainly don’t want to lose any of my account information therefore I am playing on another PC now. Can anyone offer any enlightenment so I can get back to using my gaming PC?

  13. Al

    I am now the proud owner of Sheur2.YDO all over my computer!
    I am trying to find a removal for it. Am running XP w/SP2
    Can N E 1 Help!
    Thanks

  14. Mr, G

    I just got this Sheur2.ZCU this morning as well as some other trojans and this is disabling my firewall as well as the antivirus…and later on the wireless internet connection was gone too.

    I am unable to remove this trojan horse virus…
    As soon as I try to remove the virus, I get a completely blue screen with some text in the left corner of my screen and then it turns completely black and right after that, my computer restarts itself; this happened twice.
    I am running windows xp home edition.

    I really can use some help please.

    Thanks in advance.

  15. Mr. lOVE

    Oh my god!!!!
    Who can for me one software anti kill it?????

  16. jeff

    TURN OFF SYSTEM RESTORE! Download Malwarebytes (get the free version) (also update anti-virus if you can), boot your computer in safe mode (with XP Home, if you never booted in safe mode, pick the administrator account after booting into safe mode, and just press enter for the password), and run the program (Malwarebytes), then boot regular and run again (both scans should be the full scan, not the quick one). If you get no hits, update antivirus and use it to scan. Next download and run Spybot S & D – it is good at finding the name of the .dll file that may be creating the problem. If it finds the rogue dll, try to delete it in regular and/or safe mode. If unsuccessful, google “take ownership of a file” and follow instructions. Once you get that last .dll you should be ok.

  17. ben

    Simple guys. If you have an internet connection, disable it so the trojan horse cannot receive a command from the attacker. Then go to your system restore and restore your system to an earlier date. Did it to mine, worked just fine.

  18. Frustrated

    Found the SHeur strain in my comp too. It is so annoying to be without my start menu and toolbar. Restore did nothing for me. What else is there left for me to do?

  19. ayn

    computer here at work has Sheur.alzn

    we are on a network too. found other info on getting rid of the virus (permanently) which mirrors jeff’s info above. the computer has not had a disk clean up in a while so it’s taking a while, yet i hope for the best!

  20. seeker

    This is why you shouldn’t surf the net as administrator. Make a separate log in to surf with so any future virus can’t change parameters. My AVG says I have it but it has not been able to do any damage.

  21. jagdish

    i have a trojan horse SHeur2.BCBT on my pc….need help to remove it…anyone kind enough?

  22. Mark

    I’m currently working on removing the SHeur2.
    Took the hard drive out and scanned it on another computer.
    Finding many infected files.
    Since I’m not using that hard drive’s OS, I should be able to clean it up.
    I’ll post my results when I’m finished.

  23. Anti Spam

    Another SHeur2 file is sent through MSN! The file is called Picture2525.exe and is found on IP 74.86.216.78. I already contacted the hoster to remove that file and disconnect the user from the internet. The infection found with AVG is: Trojan horse SHeur2.CIDT

    It was caught and locked by AVG the minute the file was written on my “safedisk”. Best thing you always must do is only download and save it. DO NOT DOWNLOAD AND EXECUTE! When you save the file first, you can scan it with a scanner. If it is infected, it will be locked and can’t infect your computer.

  24. AHOY

    SHeur2 CKNB and SHeur2 CKLX I just tried to open the site with those sweet pics on the FB’s friends for sale…stupid I know… Do you know how to remove that?

  25. Tech guru

    I have found an easy way to remove this, well, I think it is this (I really don’t know if they are linked, but I think they are). If you go to the task manager (XP: CTRL+ALT+Delete, Vista: CTRL+SHIFT+Esc, 7: unknown, try ctrl alt delete)

    anyway
    in the task manager, go to processes, and look for a process called “YLq”. If it’s there, right-click it and click on “open file location”.
    If the file location is locat/temp then just ctrl A and press delete.

    If it’s not temp, highlight the file and any other things that start with YL (or thereabouts) and press delete. If it says try again, go back to the task manager and press stop process. You’re welcome, I just made your computer a little safer.

  26. steve

    Having same problem, been trying to kill it for three days now. Mine’s SHeur.CLUO.

  27. Joe

    Removed hard drive from laptop and running both AVG and Malwarebytes from a healthy machine. This seems to be taking care of it but only time will tell
