Infostealer.gampass infection

By Poi45iop
Jan 27, 2009
Topic Status:
Not open for further replies.
  1. A while ago, my Norton software came up with an Infostealer.gampass infection as a result of its scans. I have attempted all of the feasible solutions that I have found on the internet, and none seem to work. Sadly, this is a matter seriously affected by time, as my siblings and I need reliable access for studying purposes. There are files named desktop.ini that have been made in assorted places on my hard drive, and the option of visibility for hidden files has been enabled, if this helps identify my problem. I will post logs etc. shortly. Thank you in advance.

    Edit: I am running Vista as an OS, and do not wish to uninstall Norton. I have also disabled, then re-enabled, system restore, not knowing it would delete previous restore points.
  2. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Logs

    Norton came up with nothing the third time.
  3. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Poi45iop

    Run HJT, select and remove the below:
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)

    UPDATE but do not run SAS and MBAM.

    Download SDFix to the Desktop; among other things it includes Catchme, to look for RootKits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At this point, before continuing below, run both SAS and MBAM Quick scans; save the logs to the desktop for posting when back in normal mode.

    Now continue with SDFix

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Mike
  4. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    I could not run the program; a command prompt appeared briefly, then exited. Same thing when run as an admin.
  5. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK, confirm to me that all the other programs run OK and you can open a command prompt?

    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double-click combofix.exe and follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
  6. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Is this to do in safe mode, or normal?
  7. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Run SDFix only in Safe Mode.

    Combofix in either

    Post the combofix log and a fresh HJT log!

    Mike
  8. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    I ran Combofix in normal mode. As a side effect, I was not able to access the internet, though I was connected, until I restarted my computer.
  9. mflynn

    mflynn Newcomer, in training Posts: 2,793

    I do wonder WHY!:)

    Run Combofix again so that I can confirm that those items really did go!

    Boot to Safe Mode only and attempt SDFix again, as ComboFix may have broken it loose.

    Mike
  10. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Combofix in safe mode, or normal? (will rebooting affect it?)

    Ahh, I forgot to add: I only have live protection from Windows Defender off. Is there a Norton program that also interferes with scans?
  11. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Combofix in Normal!

    SDfix only in Safe Mode!

    Mike
  12. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Sorry, I tend to be overcautious.

    SDFix still did not work; a command prompt opens in safe mode, but I did not input anything.

    Also, the files named desktop were created Jan 25th, 2:15pm. Things seem to have been suspiciously edited around that time.

    2009-01-25 14:13 . 2007-04-19 12:51 353,280 --a------ c:\windows\System32\idecoi.dll
    2009-01-25 14:13 . 2007-04-19 13:12 102,696 --a------ c:\windows\System32\drivers\nvstor32.sys

    This is also noted as familiar from my search for a fix for this virus:
    2009-01-02 15:53 . 2009-01-02 15:53 717,296 --a------ c:\windows\System32\drivers\sptd.sys
    c:\users\Poi45iop\AppData\Local\Temp\catchme.dll
  13. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    My IE phishing filter changes from Norton continuously.

    Edit: also found, 2008-08-11 19:52 174 --sha-w c:\program files\desktop.ini
     
  14. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK one more try on the SDFix!

    Delete the download SDFix install from the desktop!

    Browse to c:\SDFix and delete the entire folder.

    Now redownload SDFix and rename it to InstallSDFix. To run it, RT click and choose Run as Administrator.

    Boot to Safe Mode, browse to the SDFix folder and rename RunThis.bat to RunSDFix.bat, then run it by RT click and Run as Administrator.

    If that doesn't work, we will go another route.

    The files you mention are either required or harmless; we will get back to them.

    Mike
  15. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    RT?

    I knew that they may have been normal, but they were both edited within minutes of the appearance of the desktop.ini files.

    My internet stopped without warning again :(

    And it only now occurs to me to post the contents of a desktop.ini file: (exclude quotes)
    "

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
    "
    (one on my desktop)
    "
    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21781
    "
    (one in program files)
    There are more, but those are the easiest to find

    Edit: in downloads folder:
    "
    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21798
    IconResource=%SystemRoot%\system32\imageres.dll,-184
    "
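The three desktop.ini bodies quoted above all have the shape Windows itself writes for its localized folder names: a [.ShellClassInfo] section whose LocalizedResourceName and IconResource values point into DLLs under %SystemRoot%. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It parses desktop.ini text and reports only what departs from that shape: a resource reference outside the Windows directory, a CLSID redirection, an unknown key or an extra section. The first three samples are copied from the post; the fourth, whose icon reference points into a user Temp folder, is constructed for illustration, and the allow-list of cosmetic keys is this example's own choice rather than an exhaustive list.

```python
import configparser
import re

# desktop.ini bodies quoted in the post above (Desktop, Program Files,
# Downloads), plus one CONSTRUCTED sample that is not from the page: its icon
# reference points into a user Temp directory instead of the Windows directory.
SAMPLES = {
    "Desktop": (
        "[.ShellClassInfo]\n"
        "LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21799\n"
    ),
    "Program Files": (
        "[.ShellClassInfo]\n"
        "LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21781\n"
    ),
    "Downloads": (
        "[.ShellClassInfo]\n"
        "LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21798\n"
        "IconResource=%SystemRoot%\\system32\\imageres.dll,-184\n"
    ),
    "constructed-suspicious": (
        "[.ShellClassInfo]\n"
        "LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21799\n"
        "IconResource=C:\\Users\\example\\AppData\\Local\\Temp\\icons.dll,-1\n"
    ),
}

# Keys in [.ShellClassInfo] that only change how a folder is displayed.
# This allow-list is the example's own choice, not an exhaustive list.
COSMETIC_KEYS = {"localizedresourcename", "iconresource", "iconfile",
                 "iconindex", "infotip", "confirmfileop", "nosharing"}
# Keys that hand the folder over to a COM object (namespace extension).
REDIRECT_KEYS = {"clsid", "clsid2"}
# Keys whose value names a file; every such reference on the page lives
# under the Windows directory, so anything else is reported.
PATH_KEYS = {"localizedresourcename", "iconresource", "iconfile"}
WINDOWS_DIR = re.compile(r"^(%systemroot%|%windir%|[a-z]:\\windows)\\", re.IGNORECASE)


def resource_path(value):
    """Strip the '@' indirection prefix and the ',-id' suffix, leaving the file path."""
    value = value.strip().lstrip("@")
    return value.rsplit(",", 1)[0].strip().strip('"')


def review_desktop_ini(text):
    """Return a list of findings for one desktop.ini body; an empty list means
    the file has the same shape as the system-written ones on the page."""
    parser = configparser.ConfigParser(interpolation=None)  # keep '%SystemRoot%' literal
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable desktop.ini: {exc}"]
    findings = []
    if ".ShellClassInfo" not in parser:
        findings.append("no [.ShellClassInfo] section")
    for section in parser.sections():
        if section != ".ShellClassInfo":
            findings.append(f"extra section [{section}] present (not reviewed here)")
            continue
        for key, value in parser.items(section):  # keys arrive lower-cased
            if key in REDIRECT_KEYS:
                findings.append(f"{key}: folder redirected to COM object {value}")
            elif key not in COSMETIC_KEYS:
                findings.append(f"{key}: not in the cosmetic allow-list")
            if key in PATH_KEYS and not WINDOWS_DIR.match(resource_path(value)):
                findings.append(
                    f"{key}: references {resource_path(value)} outside the Windows directory")
    return findings


def review_all(samples=SAMPLES):
    """Run the review over every sample and return {name: findings}."""
    return {name: review_desktop_ini(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(f"{name}: {'looks standard' if not findings else '; '.join(findings)}")
```

Pointing the review at real files is a matter of reading each desktop.ini (they are usually hidden and system-attributed, and may be UTF-16 encoded) and feeding the text to review_desktop_ini; a file that returns no findings is consistent with the ones Windows writes, while any finding is a reason to look at that folder more closely rather than a verdict on its own.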
  16. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK, then boot to Safe Mode with Networking.

    Left-drag the mouse and Copy, for pasting, all text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.
    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del tdss*.* /f /q /s
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    Update, then run SAS, then click Preferences, then Repairs.
    Then, counting down from the top as 1, do the following entries to repair.

    Do Numbers 6, 11, 12, 13,18, 19 and 24!

    Reboot to normal and report the status of all, including the files on the desktop.

    Mike
  17. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OHHH I think I know where the files on the desktop are from.

    It may be that a zip or something extracted to the desktop or a program installed directly on the desktop instead of a folder.

    Create a TMP folder on the desktop and drag and move (not copy) all these into it. Do not delete any of them yet.

    Once they are all in TMP then reboot to see if something complains.

    Mike
  18. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Gahh,

    I could not run SDFix.
    I deleted one of the desktop.ini files in safemode.
    Once out of safemode, all of my firewalls were off.
    I tried to turn them on but Norton doesn't seem to.
    The internet disconnected again.
    I ate dinner.
    Internet failed again.
    3rd time it worked
    desktop.ini file appeared for a sec. Then disappeared.
    Old anti-spyware program "PC Tools Spyware Doctor" ran a scan, found stuff, including files in the ComboFix folder. False positive?

    Should I try the cmd method or TMP first?
  19. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    There seem to be many of the desktop files, to the point where it may not be entirely associated with the virus.
  20. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Jeeze

    Leave that; do the other part of that post. The copy/paste operation and the SAS repair numbers.

    Mike
  21. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    KK, apparently SDFix is only compatible with XP; I have Vista >.> which it has said in many of the logs.
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Yes, I knew it did not run on most, but it runs on my Vista Ultimate and on a couple of my clients' machines.

    Just do the copy/paste and SAS repairs by the numbers.

    And to get me a deeper view of your system download http://oldtimer.geekstogo.com/OTViewIt.exe

    Run it, select Scan All Users, and leave Use Whitelist checked.

    Do not click cleanup!

    Click Run Scan and give it time; it will open 1 of 2 logs. Paste the one that opens, then the one that will be minimized.

    Mike
  23. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    The program stops responding when it reaches CertPropSvc

    Edit: works now but CertPropSvc is listed as a possibly infected file in other threads.
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Are you speaking of OTViewit?

    OK, well, now that may mean it will not run with Vista or your combination of firewall, virus and malware protections. I could not confirm whether it would or would not.

    What are the results of the copy/paste and SAS fixes by the numbers?

    Mike
  25. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    It is working now. SAS didn't do anything at all, and copy/paste seemed to fail:

    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Users\Poi45iop>@echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    exefile="%1" %*
    ftype batfile="%1" %*
    batfile="%1" %*
    ftype cmdfile="%1" %*
    cmdfile="%1" %*
    ftype comfile="%1" %*
    comfile="%1" %*
    ftype scrfile="%1" /S
    scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    inffile=C:\Windows\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    vbsfile=C:\Windows\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    jsfile=C:\Windows\System32\WScript.exe "%1" %*

    assoc .exe=exefile
    .exe=exefile
    assoc .bat=batfile
    .bat=batfile
    assoc .cmd=cmdfile
    .cmd=cmdfile
    assoc .com=comfile
    .com=comfile
    assoc .scr=scrfile
    .scr=scrfile
    assoc .reg=regfile
    .reg=regfile
    assoc .pif=piffile
    .pif=piffile
    assoc .lnk=lnkfile
    .lnk=lnkfile
    assoc .inf=inffile
    .inf=inffile
    assoc .vbs=VBSFile
    .vbs=VBSFile
    assoc .js=JSFile
    .js=JSFile

    sc stop TDSSserv.sys
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.

    sc delete TDSSserv.sys
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.

    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
    data"
    ERROR: The parameter is incorrect.
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ERROR: The parameter is incorrect.
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
    data" /f
    The operation completed successfully.
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    The operation completed successfully.
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
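The session output above is what cmd prints when the script from post 16 is pasted into an interactive prompt: each command is echoed, then its result. ftype and assoc echo back the mapping they just wrote, the [SC] ... 1060 lines say the TDSSserv.sys service is not installed, the reg unload commands report an error because there was nothing loaded under those names, and both reg delete commands completed; these are the outcomes the script's own comment ("if it exists") and the poster's "ignore errors" anticipate. The script below is an added example, not code from this thread or from any tool in it: it pairs each echoed command with its output, rejoins commands the console wrapped at 80 columns, and assigns a status so the whole run can be reported as a tally rather than read line by line. The transcript excerpt is copied from the post; the status labels are this example's own.

```python
import re
from collections import Counter

# Excerpt of the command-prompt session quoted in the post above (copied from
# the page). The console wrapped the long 'reg' commands at 80 columns, which
# is why "tdss" and "data" sit on separate lines.
TRANSCRIPT = """\
C:\\Users\\Poi45iop>@echo off
cd\\
:: Fix associations
ftype exefile="%1" %*
exefile="%1" %*
assoc .exe=exefile
.exe=exefile
sc stop TDSSserv.sys
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

sc delete TDSSserv.sys
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

:: Above sc commands first stops then deletes service if it exists
reg unload "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\tdss
data"
ERROR: The parameter is incorrect.
reg unload "HKEY_LOCAL_MACHINE\\SOFTWARE\\tdss"
ERROR: The parameter is incorrect.
reg delete "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\tdss
data" /f
The operation completed successfully.
reg delete "HKEY_LOCAL_MACHINE\\SOFTWARE\\tdss" /f
The operation completed successfully.
Attrib -h -s -r tdss*.* /s
"""

# A line is a typed command if (after an optional "C:\...>" prompt) it starts
# with one of the verbs the pasted script uses; everything else is output.
PROMPT = re.compile(r"^[A-Za-z]:\\[^>]*>")
COMMAND = re.compile(
    r"^(?:[A-Za-z]:\\[^>]*>)?(?:::|(?:@?echo|cd|ftype|assoc|sc|reg|attrib|del|rd|exit)\b)",
    re.IGNORECASE,
)


def split_commands(transcript):
    """Return [(command, [output lines])] in the order the commands ran.
    A command line holding an odd number of double quotes was wrapped by the
    console, so the following line is glued back onto it before moving on."""
    entries = []
    lines = transcript.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if COMMAND.match(line):
            cmd = PROMPT.sub("", line)
            while cmd.count('"') % 2 == 1 and i + 1 < len(lines):
                i += 1
                cmd += lines[i]
            entries.append((cmd, []))
        elif entries and line.strip():
            entries[-1][1].append(line.strip())
        i += 1
    return entries


def classify(cmd, output):
    """Map one command's output to a status label (labels are this example's own)."""
    verb = cmd.split()[0].lower()
    text = " ".join(output)
    if verb.startswith("::"):
        return "comment"
    if not output:
        return "silent"          # cd, attrib, del and rd print nothing on success
    if "FAILED 1060" in text or "does not exist" in text:
        return "not present"     # service was never installed: nothing to remove
    if "completed successfully" in text:
        return "removed"
    if text.startswith("ERROR:"):
        return "error"           # e.g. reg unload with no hive loaded at that key
    if verb in ("ftype", "assoc") and "=" in text:
        return "set"             # ftype/assoc echo the mapping they just wrote
    return "unreviewed"


def summarize(transcript):
    """Return [(command, status)] for the whole session."""
    return [(cmd, classify(cmd, out)) for cmd, out in split_commands(transcript)]


def tally(transcript):
    """Count how many commands landed in each status."""
    return Counter(status for _, status in summarize(transcript))


if __name__ == "__main__":
    for cmd, status in summarize(TRANSCRIPT):
        print(f"{status:12} {cmd}")
    print(dict(tally(TRANSCRIPT)))
```

Any command that lands in "unreviewed" or "error" is the one worth quoting back in a reply; the "not present" and "removed" buckets are the normal outcome of a cleanup script that was written to cover several infections at once, most of which a given machine will not have.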