Infostealer.gampass infection

By Poi45iop
Jan 27, 2009
Topic Status:
Not open for further replies.
  1. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Sorry, should have attached that.
    Here are the OTViewIt logs
    First one exceeds limit, will post normally
  2. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Or not, my browser crashed trying to do it. Is 11MB large for a file like that?
    Shortening length to 30 days
  3. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    here they are
  4. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK, I will eval that log and get back in the morning; it has been a long day since I began at 6:30 AM. It is now 8:40 PM.

    I am going to dinner then to bed.

    Good night

    Mike
  5. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    I am online.
  6. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Hello? Are you there?
  7. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Had to run some errands then had dinner!

    OK, the first thing, let's deal with these files on Desktop.

    Did you create the folder to put them in?

    If so, move (cut) and paste them into the folder; get them all off the Desktop.

    Reboot, see if they come back or if Windows misses something, and if it does let me know what.

    Let me know!

    BTW I ran SDFix on a client's Vista computer today because I needed to and it ran. But just to see, it would not run on 2 other Vistas.

    Mike
  8. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    I believe those may be irrelevant, as I discovered that this virus also enables visibility of "superhidden files", which I believe those to be.
  9. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    (I had already tested that, nothing "complained")
  10. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Nothing obvious in all that, but:

    Does the below exist as a file or folder in the Windows folder?
    C:\Windows\½À°Ä ÒÆ*°

    If so get me some info on Size properties etc, then double click it and see if it responds or opens if a folder. Last see if you can cut it and paste it into the folder we made on the desktop.
    ----------------------------------------------------------------------------------------------------------------------
    Let's do some general maintenance/cleanup

    Download AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
    Run it, let it scan, then when it says Ready at the bottom left corner, click File at top and then Find.

    Type "file not found" in the find box and hit Enter, then delete all lines that have "file not found".

    There is a bunch of old stuff that M$ thought you might or would need that no longer exists, or is for computers that are assumed to have SCSI or AMD processors but do not!

    Then look carefully through all the other entries and delete anything that you may have had but uninstalled and thought was gone. If you are sure delete these also.

    Then get RunScanner http://www.runscanner.net/download.aspx
    Click Scan computer
    Double click all File not found Red lines to select, then click Item fixer and remove them. Then click Extra stuff and again select all Red lines.

    Then click back to Malware hunting and click the Item fixer again and remove these. Same as already said on AutoRuns: stuff that was assumed to be needed but you do not have.

    None of these items can run as the file is missing, so most of the improvement you may see comes as a quicker startup, as Windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

    Reboot and recheck with both AutoRuns and RunScanner.

    You can delete the Desktop SDFix install program, then browse and delete the C:\SDFix folder.

    Give me a status report of issues left after this (the files on the Desktop tucked away and giving no problem even after rebooting). After a few days delete the entire folder.

    So what are the remaining issues?

    Mike
  11. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    That folder is legit, but it is written in characters that your computer probably doesn't support.

    Both of the links got me a page saying "bad request"
  12. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK as long as you know!

    Do the other cleanups and get me the status report.

    Mike
  13. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    The issues are as follows:

    The edited registry keys allowing me to see hidden/superhidden files remain edited, which is a sign the virus is still there.
    My computer is slow (a bit less than the average computer), though a month ago it had 5 stars for speed in the Norton (cleanup?) program.
    I am unsure as to whether we have actually done anything that has gotten rid of the virus.
    My clock settings are using "army time", e.g. 19:14.
  14. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    "Both of the links got me a page saying "bad request""
  15. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK I fixed the links!

    Mike
  16. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Trojan.ByteVerify was detected
  17. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Detected by what Norton?

    And what did it do: fix, delete, quarantine or what?

    Mike

    EDIT:

    Update then run SAS
    Click Preferences-Repairs
    Then, counting down from the top, do the following entries:
    Numbers 6, 8, 11, 12, 13, 18, 19, 23 and 24!

    Superhidden files

    Click Start-Run.

    Type regedit in the box and click OK.
    When regedit opens, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
    Right-click on ShowSuperHidden and select Modify.

    1 to show, 0 to hide

    Change the value to 0 and click OK to save your changes.

    Reboot, test, and report results

    Mike
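The ShowSuperHidden step above can be scripted so the value is recorded, reset, and re-checked after the reboot the post asks for. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later, and the function names are its own.

```powershell
# Added example (not from the thread): audit the Explorer hidden-file settings that the
# thread treats as an infection indicator, and optionally put ShowSuperHidden back to 0.
# Assumes Windows PowerShell 5.1 or later; the function names are this example's own.
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerHiddenFileSetting {
    # Returns the two Explorer visibility flags for the current user ($null if a value is absent).
    # ShowSuperHidden: 1 = protected operating system files shown, 0 = hidden (default).
    # Hidden:          1 = hidden files shown, 2 = not shown (default).
    $props = Get-ItemProperty -Path $AdvancedKey -ErrorAction Stop
    [pscustomobject]@{
        ShowSuperHidden = if ($null -ne $props.ShowSuperHidden) { [int]$props.ShowSuperHidden } else { $null }
        Hidden          = if ($null -ne $props.Hidden)          { [int]$props.Hidden }          else { $null }
        Checked         = Get-Date
    }
}

function Test-ShowSuperHiddenDrift {
    # True when ShowSuperHidden is set to 1, i.e. something (a user, or as in this
    # thread, malware) has turned on display of protected OS files.
    (Get-ExplorerHiddenFileSetting).ShowSuperHidden -eq 1
}

function Reset-ShowSuperHidden {
    # Sets ShowSuperHidden back to 0; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($AdvancedKey, 'Set ShowSuperHidden to 0')) {
        Set-ItemProperty -Path $AdvancedKey -Name ShowSuperHidden -Value 0 -Type DWord
    }
}

# Usage: record the value, reset it, reboot, then run Test-ShowSuperHiddenDrift again.
# If it returns True again without anyone changing it, whatever set it is still active.
$before = Get-ExplorerHiddenFileSetting
"Before: ShowSuperHidden=$($before.ShowSuperHidden) Hidden=$($before.Hidden)"
if (Test-ShowSuperHiddenDrift) { Reset-ShowSuperHidden -WhatIf }   # drop -WhatIf to apply
```

The key is per-user (HKCU), so run the check in the account that showed the symptom.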
  18. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Norton, it autodeleted. Sorry, I have to go for the rest of the day. Do you think that progress has been made?
  19. mflynn

    mflynn Newcomer, in training Posts: 2,793

    I am not sure, but do you have time to do the edit in my last post?

    Mike
  20. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Test report results? I'll do it now (only have to go before 8:20)
  21. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Without restarting, it is now hiding the superhidden files.
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK, good. Reboot, retest, and do the Autoruns and RunScanner tomorrow, and have a good night.

    Mike

    EDIT:
    Not to be sorry. We can not stop Virus/Malware from trying to get on the system, so be glad Norton did its job and detected and handled it. :)
  23. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Sorry, I haven't been on because of the time pertinent thing I mentioned in my opening post. I may be on tomorrow if I have time. I have not given up or solved it.
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK I'll try to be here!

    Mike
  25. Poi45iop

    Poi45iop Newcomer, in training Topic Starter Posts: 36

    Hopefully this is a good thing, and not a new virus. mbam detected 6 objects, which seemed to have been removed properly. Immediately afterward, my computer logged off and shut down, before I could save the log file. Luckily I took a screenshot of the results. The results surprise me, as the programs seem extremely safe. Its website is rated green in WOT and McAfee SiteAdvisor, without any comments warning of Trojans etc.

    mbam detect is an uncompleted scan run on the 2nd, and redkawadetect a completed one on the 3rd.

    I have yet to run a second mbam scan, have downloaded http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx to run, will download others like Ad-Aware, will manage my files to see if anything is odd, will screenshot Norton's initial detection details, and will run Autoruns and RunScanner.

    Is there anything I have forgotten?