TechSpot

Infostealer.gampass problem

By oppoch
Jun 29, 2008
  1. Hi, the other day when I started my laptop, Symantec Antivirus detected over 1000 infostealer.gampass threats under C:\WINDOWS\system32\, most of which are repeated. Here are some representative ones:
    cedafb.dll
    cliconfgzx.dll
    hhrdxd.dll
    kbdswjr.dll
    mfdesy.dll
    midimapwl.dll
    mndsgsrv.dll
    msobjstl.dll
    oswxdttb.dll
    ozfyebyt.dll
    rfdswc.dll
    tdggrz.dll

    Symantec could only delete a few of them and most of them were left unchanged.
    The system then froze and I had to force it to shut down. After turning it on again, a few more threats were detected and there were several pop-up messages: "The application or DLL C:\Windows\System32\abcdefg.DLL is not a valid Windows Image. Please check this against your installation diskette" (I don't remember the exact DLL file name), which popped up again whenever I closed it.
    Later I used AVG antivirus to scan it and it quarantined some trojan horses: PSW.Generic6.pll, downloader.Generic.ufo, PSW.onlinegames.auxa, etc. Since then there are no more pop-up threats and error messages and no obvious symptoms except that the system is slower. But I am still very concerned since the trojan can steal passwords.

    I am a computer novice and it took me quite a while to complete the preliminary removal procedures. When I ran ComboFix, I did not see any prompts; it just did its thing and the computer automatically rebooted. I am not sure it was done the right way. Anyway, here are the logs. Also, Panda Antirootkit scan and VundoFix did not detect anything.
    Thanks for your help in advance.

    PS: my Windows is Chinese, so there are some Chinese characters in the logs, but I guess that's not a problem, right?
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Still quite a bit on there. Let's try this, then we can clean up more after; I just want to see how much MBAM can clean on its own.

    Also, you only want 1 antivirus on your machine at a time. Please uninstall one or the other, AVG or Norton.


    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
     
  3. oppoch

    oppoch TS Rookie Topic Starter

    When I try to run Malwarebytes, it runs for a minute, then an error message pops up: run-time error '6' overflow, and the program closes itself. I tried several times and that remained the same. How should I proceed? And should I run it in normal mode or safe mode? Just now I ran it in normal mode. Is it possible that the error has something to do with my Chinese system?
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You may want to print this out, or save it in a notepad file on your desktop to have while in safe mode

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    ----------------------------------------------------------

    Download ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    -----------------------------------------------------------

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    -------------------------------------------------------------

    Run ATF Cleaner
    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    ---------------------------------------------------------------------------------

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here


    Attach Report.txt with a fresh hijackthis log
     
  5. oppoch

    oppoch TS Rookie Topic Starter

    No trojans were found in the SDFix report and the HijackThis report is similar to the previous one. I wonder if I did anything wrong. Then I realized I may not have disabled all real-time protection. I did not run any protection program (I did not see any in the tray) except Symantec (disabled); I thought none was resident. But then I opened the task manager and the Spybot TeaTimer is still there in the processes. I tried to disable it by unchecking the resident TeaTimer box, but there were no further prompts and nothing came up, and it is still in the task manager processes. Is that a big deal? Do I have to run everything again? I feel a little frustrated now.

    Update: I shut down my laptop in the morning, and now when I turn it back on TeaTimer is disabled and no longer shows up in the task manager. I then ran SDFix and HijackThis again and the reports seem no different from before TeaTimer was disabled.
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  7. oppoch

    oppoch TS Rookie Topic Starter

    Here are the new logs.
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Still some on there - we got rid of most of the files however, not all the registry entries were removed. Make sure there is not something protecting them.

    Also I still see some AVG stuff and some Norton stuff on there. Did you uninstall one yet?

    ---------------------------------------------------------------------------------------------

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
      O2 - BHO: (no name) - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} - C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys (file missing)
      O20 - AppInit_DLLs: yzztkmsn.dll,skqncbib.dll,womsoy.dll
      O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
      O21 - SSODL: midimapgj - {4F4F0064-71E0-4f0d-0003-708476C7815F} - C:\WINDOWS\system32\midimapgj.dll (file missing)
      O21 - SSODL: cliconfgzx.dll - {00050005-0005-0005-0005-00050005BB15} - C:\WINDOWS\system32\cliconfgzx.dll (file missing)
      O21 - SSODL: midimapwl - {4F4F0064-71E0-4f0d-0004-708476C7815F} - C:\WINDOWS\system32\midimapwl.dll (file missing)
      O21 - SSODL: kbdswjr.dll - {00120012-0012-0012-0012-00120012BB15} - C:\WINDOWS\system32\kbdswjr.dll (file missing)
      O21 - SSODL: msobjstl.dll - {00170017-0017-0017-0017-00170017BB15} - C:\WINDOWS\system32\msobjstl.dll (file missing)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    ------------------------------------------------------------------------------------

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\Windows\System32\womsoy.dll
      C:\Windows\System32\skqncbib.dll
      C:\Windows\System32\yzztkmsn.dll


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt.

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


    Come back and post a new hijackthis
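    A triage parser for HijackThis-style O2/O20/O21 entries like the ones listed above, added here as an example (it is not code from the thread or from HijackThis). The sample lines are constructed from the entries quoted in this post plus one made-up, non-missing BHO; the point it shows is the post-cleanup state the thread is dealing with, where the DLLs are gone but their load points (BHO, SSODL, Winlogon Notify, AppInit_DLLs) are still registered.

```python
"""Triage of HijackThis-style log lines (added example; not code from the thread).

After the malicious DLLs were deleted, the registry entries that loaded them
remain and HijackThis marks them "(file missing)". This parser extracts the
mechanism, CLSID and path from each line and flags those orphaned entries.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the entries quoted in the thread; the last line
# is a made-up, non-missing BHO so the output shows what is NOT flagged.
SAMPLE_LOG = """\
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O2 - BHO: (no name) - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} - C:\\Program Files\\Internet Explorer\\PLUGINS\\UnixSys08.Sys (file missing)
O20 - AppInit_DLLs: yzztkmsn.dll,skqncbib.dll,womsoy.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O21 - SSODL: kbdswjr.dll - {00120012-0012-0012-0012-00120012BB15} - C:\\WINDOWS\\system32\\kbdswjr.dll (file missing)
O2 - BHO: Example Helper (constructed) - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str            # HijackThis section: O2, O20, O21, ...
    mechanism: str          # BHO, AppInit_DLLs, Winlogon Notify, SSODL, ...
    name: str               # display/value name as HijackThis printed it
    clsid: Optional[str]    # COM class id, when the mechanism uses one
    path: Optional[str]     # file the entry points at
    file_missing: bool      # HijackThis could not find the file on disk


def parse_line(line: str) -> List[Entry]:
    """Parse one log line. AppInit_DLLs yields one Entry per listed DLL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []                       # not an O-section line (header, blank, ...)
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    if kind == "AppInit_DLLs":
        # Comma-separated list; every DLL in it is loaded into each process that
        # loads user32.dll, which is why this location is worth flagging at all.
        return [Entry(section, kind, d.strip(), None, d.strip(), False)
                for d in rest.split(",") if d.strip()]
    # Generic "name - {CLSID} - path" layout. Caveat: a path containing " - "
    # would be split too, since HijackThis does not quote its fields.
    parts = [p.strip() for p in rest.split(" - ")]
    clsid = next((p for p in parts if CLSID_RE.match(p)), None)
    path = parts[-1] if len(parts) > 1 and parts[-1] != clsid else None
    return [Entry(section, kind, parts[0], clsid, path, missing)]


def parse_log(text: str) -> List[Entry]:
    return [e for line in text.splitlines() for e in parse_line(line)]


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose file is gone but whose load point is still registered."""
    return [e for e in entries if e.file_missing]


def appinit_dlls(entries: List[Entry]) -> List[str]:
    """DLL names queued via AppInit_DLLs; a non-empty list deserves a look."""
    return [e.name for e in entries if e.mechanism == "AppInit_DLLs"]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in orphaned(found):
        print(f"{e.section:<4} {e.mechanism:<15} {e.clsid or '-':<40} {e.path}")
    print("AppInit_DLLs:", ", ".join(appinit_dlls(found)))
```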
     
  9. oppoch

    oppoch TS Rookie Topic Starter

    For some reason, when I copy it and choose Paste from Clipboard, nothing happens; no path shows up in the drop box. If I just right-click and paste, only the first one is in there. Is it possible to delete one at a time, clicking Cancel when prompted to reboot and only clicking OK after the third one?

    Also, I have uninstalled avg anti-virus and there is just an empty folder in program files folder. It seems like avg anti-spyware 7.5 is automatically uninstalled as well, with only a few files left in the folder, but I don't need to uninstall the anti-spyware, right?
     
  10. oppoch

    oppoch TS Rookie Topic Starter

    I just did what I said in the message above when I attempted to delete the 3 files in Killbox; after the reboot I ran HijackThis. I am not sure whether they have been deleted or not.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Good work. Now let's have another go at some of those registry entries

    Disable Norton AntiVirus Service by:

    1. Click Start > Settings > Control Panel.

    2. Double-click Administrative Tools.

    3. Double-click the Services icon.

    4. Search the list of services to find Symantec SPBBC SVC.

    5. Double-click this service to open.

    6. Set the Startup type to Disable.

    7. Click OK to close the service Properties dialog box.

    8. Close the remaining dialogs.

    9. Reboot computer.



    Disable the Norton AntiVirus Auto-Protect feature by:

    1. Right-mouse click the Norton AntiVirus icon in the system tray.

    2. Select Auto-Protect option.

    3. Set the Select the duration option to Until system restart.

    4. Click OK



    Disable Norton AntiVirus Script Blocking feature by:

    1. Right-mouse click the Norton AntiVirus icon in the system tray.

    2. Select Norton AntiVirus Options.

    3. Under System, click Script Blocking.

    4. Make sure Enable Script Blocking option is de-selected.

    5. Click OK.


    ------------------------------------------------------------------

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
     
  12. oppoch

    oppoch TS Rookie Topic Starter

    I could not find exactly "Symantec SPBBC SVC". I got my Symantec antivirus from the university website. The program version is 9.0.1.1000. There is a service named Symantec AntiVirus with the description "provides real-time virus scanning, reporting and management functionality". Is that the one you want me to disable? There are also other services: Definition Watcher, Event Manager, Settings Manager for Symantec AntiVirus.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Symantec antivirus is the one.
     
  14. oppoch

    oppoch TS Rookie Topic Starter

    I think my Symantec antivirus is a simplified version and there is no Script Blocking feature in it. But I am pretty sure Auto-Protect has been disabled. As for ComboFix, it froze, and so did the system, the first time I ran it. I re-ran it and the report came up without a reboot. I am just a little curious because every time I ran ComboFix I saw a message in Chinese meaning something like "the system cannot find the specified file" for quite a while and nothing else in the box, then suddenly it rebooted or finished with a report.
    Anyway, here are the newest logs.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Just a few left - if this doesn't get them off we will try a different program

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:
    File::
    
    Registry::
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{eaa21495-29ae-4e50-8ad9-a4f877c1ab85}"=-
    "{189F087F-4378-405F-85FA-37D955AD7A8C}"=-
    "{81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B}"=-
    "{7914E0AA-ECCB-4311-B584-C49538227824}"=-
    
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post Combofix.txt
     
  16. oppoch

    oppoch TS Rookie Topic Starter

    When I tried to run ComboFix, an error message popped up: current date is 2008-07-01 This copy of ComboFix has expired. Please download an updated copy. Then ComboFix was deleted automatically. What should I do now?
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

  18. oppoch

    oppoch TS Rookie Topic Starter

    Unfortunately, ComboFix did not work for me once again.
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    ------------------------------------------------------------------------

    Avenger by Swandog

    • Download Avenger by Swandog and unzip it to your Desktop.

      Note: This program must be run from an account with Administrator privileges.

    • Open the Avenger folder and double click Avenger.exe to launch the programme.
    • Copy the text in the code box below and Paste it into the Input script here: box.
    Code:
    Files to delete:
    
    Registry values to delete:
    hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks | {eaa21495-29ae-4e50-8ad9-a4f877c1ab85}
    hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks | {189F087F-4378-405F-85FA-37D955AD7A8C}
    hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks | {81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B}
    hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks | {7914E0AA-ECCB-4311-B584-C49538227824}
    
    • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    • Ensure the following:
      • Scan for Rootkits is checked.
      • Automatically disable any rootkits found is Unchecked.
    • Press the Execute key.
    • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
    • Attach the log back here please. (it can also be found at C:\avenger.txt)
     
  20. oppoch

    oppoch TS Rookie Topic Starter

    Here is the avenger log. Btw, shall I enable Symantec antivirus back on now or not? I haven't when I ran avenger.
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Now you should enable any protection you have.

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------

    OTCleanit! by Oldtimer
    • Download OTCleanIt
    • Click the CleanUp! button.
      • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

    ---------------------------------------------------------------------------

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This is done in Vista through Control Panel -> Windows Updates.
    7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety:

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
     
  22. oppoch

    oppoch TS Rookie Topic Starter

    Thank you so much, Blind Dragon, for spending the time and effort to help me with my problem. I will follow your instruction and hopefully there will be no further issues. This one really gave me enough trouble. So once again thanks a lot for helping to get rid of my headache!
     
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Good luck!
     