Infostealer.gampass infection

Discussion in 'Virus and Malware Removal' started by Poi45iop, Jan 27, 2009.

  1. Poi45iop Newcomer, in training Posts: 36

    KK, apparently SDFix is only compatible with XP. I have Vista >.> which it has said in many of the logs.
  2. mflynn Newcomer, in training Posts: 2,793

    Yes, I knew it did not run on most, but it runs on my Vista Ultimate and on a couple of my other clients' machines.

    Just do the copy/paste and SAS repairs by the numbers.

    And to get me a deeper view of your system, download http://oldtimer.geekstogo.com/OTViewIt.exe

    Run it, select Scan All Users, leave Use Whitelist checked.

    Do not click Cleanup!

    Click Run Scan and give it time; it will open 1 of 2 logs. Paste the one that opens, then the one that will be minimized.

    Mike
  3. Poi45iop Newcomer, in training Posts: 36

    The program stops responding when it reaches CertPropSvc.

    Edit: works now, but CertPropSvc is listed as a possibly infected file in other threads.
  4. mflynn Newcomer, in training Posts: 2,793

    Are you speaking of OTViewIt?

    OK, well, now that may mean it will not run with Vista or your combination of firewall, virus and malware protections. I could not confirm that it would or would not.

    What are the results of the copy/paste and SAS fixes by the numbers?

    Mike
  5. Poi45iop Newcomer, in training Posts: 36

    It is working now. SAS didn't do anything at all, and copy/paste seemed to fail:

    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Users\Poi45iop>@echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    exefile="%1" %*
    ftype batfile="%1" %*
    batfile="%1" %*
    ftype cmdfile="%1" %*
    cmdfile="%1" %*
    ftype comfile="%1" %*
    comfile="%1" %*
    ftype scrfile="%1" /S
    scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    inffile=C:\Windows\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    vbsfile=C:\Windows\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    jsfile=C:\Windows\System32\WScript.exe "%1" %*

    assoc .exe=exefile
    .exe=exefile
    assoc .bat=batfile
    .bat=batfile
    assoc .cmd=cmdfile
    .cmd=cmdfile
    assoc .com=comfile
    .com=comfile
    assoc .scr=scrfile
    .scr=scrfile
    assoc .reg=regfile
    .reg=regfile
    assoc .pif=piffile
    .pif=piffile
    assoc .lnk=lnkfile
    .lnk=lnkfile
    assoc .inf=inffile
    .inf=inffile
    assoc .vbs=VBSFile
    .vbs=VBSFile
    assoc .js=JSFile
    .js=JSFile

    sc stop TDSSserv.sys
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.

    sc delete TDSSserv.sys
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.

    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss data"
    ERROR: The parameter is incorrect.
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ERROR: The parameter is incorrect.
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss data" /f
    The operation completed successfully.
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    The operation completed successfully.
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
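    As an added example, not part of this thread and not mflynn's fix, the script below reads a pasted cmd.exe session like the one above, pairs each typed command with the console output that followed it, and reports whether the step did what the fix intended: an ftype or assoc line counts as restored only when the console echoed back exactly the value that was set; the sc errors are classified as "service not installed" because error 1060 means the TDSS service was not present to stop or delete; and the reg unload errors are reported as expected, since reg unload only detaches a hive attached with reg load and it is the following reg delete that removed the keys. The SESSION text is a constructed excerpt of the log above (with wrapped lines kept, and one invented ".reg=batfile" echo to exercise the mismatch check), and the expansion of %SystemRoot% to C:\Windows is assumed.

```python
"""Audit a pasted cmd.exe cleanup session step by step (added example)."""
import re
from typing import List, Tuple

# A typed command starts with one of these verbs; every other line is output.
COMMAND_RE = re.compile(r"^(?:(?:ftype|assoc|sc|reg|attrib)\s|cd\b|::|@echo\b)",
                        re.IGNORECASE)
# The first pasted line still carries the prompt, e.g. C:\Users\Poi45iop>
PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^>]*>")

# Constructed excerpt modelled on the thread's paste (not the full log);
# the ".reg=batfile" echo is invented so the mismatch path is exercised.
SESSION = r"""C:\Users\Poi45iop>@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
exefile="%1" %*
ftype regfile="regedit.exe" "%1"
regfile="regedit.exe" "%1"
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
inffile=C:\Windows\System32\NOTEPAD.EXE "%1"
assoc .exe=exefile
.exe=exefile
assoc .reg=regfile
.reg=batfile
sc stop TDSSserv.sys
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

sc delete TDSSserv.sys
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
data"
ERROR: The parameter is incorrect.
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
data" /f
The operation completed successfully.
Attrib -h -s -r tdss*.* /s
"""


def _clean(raw: str) -> str:
    return PROMPT_RE.sub("", raw).strip()


def parse_session(text: str) -> List[Tuple[str, List[str]]]:
    """Return (command, output_lines) pairs in the order they were typed."""
    lines = text.splitlines()
    steps: List[Tuple[str, List[str]]] = []
    i = 0
    while i < len(lines):
        line = _clean(lines[i])
        i += 1
        if not COMMAND_RE.match(line):
            continue  # stray text before the first command is ignored
        # An 80-column console wraps a long quoted path onto the next line;
        # rejoin the command while its quotes are unbalanced.
        while line.count('"') % 2 == 1 and i < len(lines):
            line += " " + lines[i].strip()
            i += 1
        output: List[str] = []
        while i < len(lines) and not COMMAND_RE.match(_clean(lines[i])):
            if lines[i].strip():
                output.append(lines[i].strip())
            i += 1
        steps.append((line, output))
    return steps


def _norm(value: str) -> str:
    # cmd echoes %SystemRoot% already expanded; C:\Windows is assumed here.
    return value.lower().replace("%systemroot%", r"c:\windows")


def classify(command: str, output: List[str]) -> str:
    """Map one command and its console output to a short verdict."""
    verb = command.split()[0].lower()
    joined = " ".join(output).lower()
    if verb in ("ftype", "assoc"):
        expected = command.split(None, 1)[1]
        if not output:
            return "no echo: value not confirmed"
        if _norm(output[0]) == _norm(expected):
            return "restored"
        return f"mismatch: console shows {output[0]!r}"
    if verb == "sc":
        if "failed 1060" in joined:
            return "service not installed (nothing to stop or delete)"
        if "success" in joined or "state" in joined:
            return "done"
        return f"review output: {joined}"
    if verb == "reg":
        action = command.split()[1].lower()
        if "completed successfully" in joined:
            return "key removed" if action == "delete" else "done"
        if action == "unload" and "parameter is incorrect" in joined:
            return ("expected error: reg unload only detaches a hive attached "
                    "with reg load, so it fails on an ordinary subkey; "
                    "the reg delete step is what removes the key")
        if "unable to find the specified registry key" in joined:
            return "key absent"
        return f"review output: {joined}"
    if verb == "attrib":
        return "done" if not output else f"review output: {joined}"
    return "skipped (comment or housekeeping)"


def audit(text: str) -> List[Tuple[str, str]]:
    return [(cmd, classify(cmd, out)) for cmd, out in parse_session(text)]


if __name__ == "__main__":
    for cmd, status in audit(SESSION):
        print(f"{status:60} <- {cmd}")
```

    Run it against a paste of the whole session to get one verdict per line that was typed; the rejoining of wrapped quoted arguments is what lets the two reg lines be matched to their own error or success message rather than to the continuation of the key name.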
  6. Poi45iop Newcomer, in training Posts: 36

    Sorry, should have attached that.
    Here are the OTViewIt logs.
    The first one exceeds the limit; will post it normally.
  7. Poi45iop Newcomer, in training Posts: 36

    Or not, my browser crashed trying to do it. Is 11MB large for a file like that?
    Shortening the length to 30 days.
  8. Poi45iop Newcomer, in training Posts: 36

    Here they are.
  9. mflynn Newcomer, in training Posts: 2,793

    OK, I will eval that log and get back in the morning; it has been a long day since I began at 6:30 AM. It is now 8:40 PM.

    I am going to dinner then to bed.

    Good night

    Mike
  10. Poi45iop Newcomer, in training Posts: 36

    I am online.
  11. Poi45iop Newcomer, in training Posts: 36

    Hello? Are you there?
  12. mflynn Newcomer, in training Posts: 2,793

    Had to run some errands then had dinner!

    OK, the first thing: let's deal with these files on the Desktop.

    Did you create the folder to put them in?

    If so, move (cut) and paste them into the folder; get them all off the Desktop.

    Reboot, see if they come back or if Windows misses something, and if it does let me know what.

    Let me know!

    BTW, I ran SDFix on a client's Vista computer today because I needed to, and it ran. But just to see, it would not run on 2 other Vistas.

    Mike
  13. Poi45iop Newcomer, in training Posts: 36

    I believe those may be irrelevant, as I discovered that this virus also enables visibility of "super hidden files", which I believe those to be.
  14. Poi45iop Newcomer, in training Posts: 36

    (I had already tested that; nothing "complained".)
  15. mflynn Newcomer, in training Posts: 2,793

    Nothing obvious in all that, but:

    Does the below exist as a file or folder in the Windows folder?
    C:\Windows\½À°Ä ÒÆ*°

    If so, get me some info on size, properties etc., then double click it and see if it responds or, if a folder, opens. Last, see if you can cut it and paste it into the folder we made on the Desktop.
    ----------------------------------------------------------------------------------------------------------------------
    Let's do some general maintenance/cleanup.

    Download AutoRuns: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
    Run it and let it scan; then, when it says Ready at the bottom left corner, click File at the top and then Find.

    Type "file not found" in the find box, hit Enter, and delete all lines that have "file not found".

    There is a bunch of old stuff that M$ thought you might or would need that no longer exists, or that is for computers assumed to have SCSI or AMD processors but do not!

    Then look carefully through all the other entries and delete anything that you may have had but uninstalled and thought was gone. If you are sure, delete these also.

    Then get RunScanner: http://www.runscanner.net/download.aspx
    Click Scan computer.
    Double click all "File not found" red lines to select them, then click Item fixer and remove them. Then click Extra stuff and again select all red lines.

    Then click back to Malware hunting, click the Item fixer again and remove these. Same as already said on AutoRuns: stuff that was assumed to be needed but you do not have.

    None of these items can run, as the file is missing, so most of the improvement you may see comes as a quicker startup, as Windows no longer searches for or tries to load some of these. But some have noticed a faster shutdown also.

    Reboot and recheck with both AutoRuns and RunScanner.

    You can delete the Desktop SDFix install program, then browse to and delete the C:\SDFix folder.

    Give me a status report of issues left after this (the files from the Desktop tucked away and giving no problem even after rebooting). After a few days, delete the entire folder.

    So what are the remaining issues?

    Mike
  16. Poi45iop Newcomer, in training Posts: 36

    That folder is legit, but it is written in characters that your computer probably doesn't support.

    Both of the links got me a page saying "bad request"
  17. mflynn Newcomer, in training Posts: 2,793

    OK as long as you know!

    Do the other cleanups and get me the status report.

    Mike
  18. Poi45iop Newcomer, in training Posts: 36

    The issues are as follows:

    The edited registry keys allowing me to see hidden/superhidden files remain edited, which is a sign the virus is still there.
    My computer is slow (a bit slower than the average computer), though a month ago it had 5 stars for speed in the Norton (cleanup?) program.
    I am unsure as to whether we have actually done anything that has gotten rid of the virus.
    My clock settings are using "army time", e.g. 19:14.
  19. Poi45iop Newcomer, in training Posts: 36

    "Both of the links got me a page saying "bad request""
  20. mflynn Newcomer, in training Posts: 2,793

    OK I fixed the links!

    Mike