Infostealer.gampass infection

Status
Not open for further replies.

Poi45iop

Posts: 36   +0
A while ago, my Norton software came up with an Infostealer.gampass infection as a result of its scans. I have attempted all of the feasible solutions that I have found on the internet, and none seem to work. Sadly, this is a matter seriously affected by time, as my siblings and I need reliable access for studying purposes. There are files named desktop.ini that have been made in assorted places on my hard drive, and the option of visibility for hidden files has been enabled, if this helps identify my problem. I will post logs etc. shortly. Thank you in advance.

Edit: I am running Vista as an OS, and do not wish to uninstall Norton. I have also disabled, then re-enabled, System Restore, not knowing it would delete previous restore points.
 
Hi Poi45iop

Run HJT, select and remove the below:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)

Update, but do not run, SAS and MBAM.

Download SDFix to the Desktop. Among other things it includes Catchme, to look for rootkits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At this point, before continuing below, run both SAS and MBAM Quick scans and save the logs to the desktop for posting when back in normal mode.

Now continue with SDFix

At the Desktop: My Computer, C: drive. Double-click to open.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click RunThis.bat. Type Y to begin.

SDFix does its job.

When prompted, hit the Enter key to restart the computer.

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike
 
I could not run the program, a command prompt appeared briefly, then exited. Same thing when run as an admin.
 
OK, confirm to me all the other programs run OK and you can open a command prompt?

Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
Run SDFix only in Safe Mode.

Combofix in either

Post the combofix log and a fresh HJT log!

Mike
 
I ran ComboFix in normal mode. As a side effect, I was not able to access the internet, though I was connected, until I restarted my computer.
 
As a side effect, I was not able to access the internet, though I was connected, until I restarted my computer.

I do wonder WHY!:)

Run Combofix again so that I can confirm that those items really did go!

Boot to Safe Mode only and attempt SDFix again, as ComboFix may have broken it loose.

Mike
 
ComboFix in Safe Mode, or normal? (will rebooting affect)

Ahh, I forgot to add, I only have live protection from Windows Defender off; is there a Norton program that also interferes with scans?
 
Sorry, I tend to be overcautious.

SDFix still did not work; the command prompt opens in Safe Mode, but I did not input anything.

Also, the files named desktop were created Jan 25th at 2:15 pm. Things seem to have been suspiciously edited around that time.

2009-01-25 14:13 . 2007-04-19 12:51 353,280 --a------ c:\windows\System32\idecoi.dll
2009-01-25 14:13 . 2007-04-19 13:12 102,696 --a------ c:\windows\System32\drivers\nvstor32.sys

This is also noted as familiar from my search for a fix for this virus:
2009-01-02 15:53 . 2009-01-02 15:53 717,296 --a------ c:\windows\System32\drivers\sptd.sys
c:\users\Poi45iop\AppData\Local\Temp\catchme.dll
 
My IE phishing filter changes from Norton continuously.

Edit: also found, 2008-08-11 19:52 174 --sha-w c:\program files\desktop.ini
 
OK, one more try on the SDFix!

Delete the downloaded SDFix install from the desktop!

Browse to c:\SDFix and delete the entire folder.

Now redownload SDFix and rename it to InstallSDFix. To run it, RT click and choose Run as Administrator.

Boot to Safe Mode, browse to the SDFix folder and rename RunThis.bat to RunSDFix.bat, then run it by RT click and Run as Administrator.

If that doesn't work we will go another route.

The files you mention are either required or harmless; we will get back to them.

Mike
 
RT?

I knew that they may have been normal, but they were both edited within minutes of the appearance of the desktop.ini files.

My internet stopped without warning again :(

And it only now occurs to me to post the contents of a desktop.ini file (exclude quotes):
"

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
"
(one on my desktop)
"
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21781
"
(one in program files)
There are more, but those are the easiest to find.

Edit: in downloads folder:
"
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21798
IconResource=%SystemRoot%\system32\imageres.dll,-184
"
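The three desktop.ini files quoted above all have the same shape: one [.ShellClassInfo] section whose entries point at string or icon resources inside %SystemRoot%\system32. The added Python below (not part of the thread, and not a verdict on any file) is a triage helper that parses a desktop.ini and reports only what departs from that stock shape: an unexpected section, a key outside a small assumed set of standard keys, or a resource path outside system32. The sample inputs are the two files from the post plus one constructed counter-example.

```python
import configparser
import re

# Keys a Windows-generated desktop.ini normally carries under [.ShellClassInfo].
# Assumption (heuristic, not a malware signature): anything outside this set, or a
# resource path that does not live under %SystemRoot%\system32, deserves a closer look.
KNOWN_KEYS = {"localizedresourcename", "iconresource", "iconfile", "iconindex",
              "infotip", "clsid", "clsid2"}
KNOWN_SECTIONS = {".shellclassinfo", "localizedfilenames"}
# e.g. @%SystemRoot%\system32\shell32.dll,-21799 or %SystemRoot%\system32\imageres.dll,-184
SYSTEM_RESOURCE = re.compile(r"^@?%systemroot%\\system32\\[a-z0-9_]+\.dll,-?\d+$", re.I)

def triage_desktop_ini(text):
    """Return review notes for one desktop.ini; an empty list means it has the
    shape of a stock Windows folder-customisation file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # keys are lower-cased by configparser's default optionxform
    notes = []
    for section in cp.sections():
        if section.lower() not in KNOWN_SECTIONS:
            notes.append(f"unexpected section [{section}]")
        elif section.lower() == ".shellclassinfo":
            for key, value in cp.items(section):
                if key not in KNOWN_KEYS:
                    notes.append(f"unexpected key {key}={value}")
                elif key in ("localizedresourcename", "iconresource", "iconfile") \
                        and not SYSTEM_RESOURCE.match(value.strip()):
                    notes.append(f"{key} points outside system32: {value}")
    return notes

# The Desktop and Downloads files quoted in the post, plus a constructed file that
# has a non-standard key and an icon path outside the Windows directory.
SAMPLES = {
    "desktop": "[.ShellClassInfo]\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21799\n",
    "downloads": ("[.ShellClassInfo]\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21798\n"
                  "IconResource=%SystemRoot%\\system32\\imageres.dll,-184\n"),
    "constructed": "[.ShellClassInfo]\nIconResource=C:\\Users\\Public\\folder.exe,0\nExtraKey=constructed\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage_desktop_ini(text) or "looks like a stock desktop.ini")
```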
 
OK, then boot to Safe Mode with Networking.

Left-drag the mouse and Copy, for pasting, all text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste into the black screen of an open command prompt. All may not apply, so ignore errors.
Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del  tdss*.* /f /q /s
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
:: /v names the value to remove from the Run key (without /v reg reports invalid syntax)
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

Update, then run SAS, then click Preferences, then Repairs.
Then, counting down from the top as 1, do the following entries to repair.

Do numbers 6, 11, 12, 13, 18, 19 and 24!

Reboot to normal and report the status of all, including files on the desktop.

Mike
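The ftype/assoc lines in the script above restore the command strings Windows uses to launch .exe, .bat, .scr and similar files, because malware that rewrites those strings gets to run every time any program is started. Before resetting them blindly, a practitioner usually wants to see which ones actually differ. The added Python below (not from the thread or from any tool it mentions) compares the text printed by `ftype` and `assoc` against the known-good values in the script, ignoring quoting and case differences and treating an expanded C:\Windows as %SystemRoot% (an assumption about how the values may be displayed). The sample output is constructed.

```python
# Known-good values copied from the ftype/assoc lines of the cleanup script above.
EXPECTED_FTYPE = {"exefile": '"%1" %*', "batfile": '"%1" %*', "cmdfile": '"%1" %*',
                  "comfile": '"%1" %*', "scrfile": '"%1" /S', "piffile": '"%1" %*',
                  "regfile": 'regedit.exe "%1"',
                  "inffile": r'%SystemRoot%\System32\NOTEPAD.EXE "%1"',
                  "vbsfile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
                  "jsfile": r'%SystemRoot%\System32\WScript.exe "%1" %*'}
EXPECTED_ASSOC = {".exe": "exefile", ".bat": "batfile", ".cmd": "cmdfile", ".com": "comfile",
                  ".scr": "scrfile", ".reg": "regfile", ".pif": "piffile", ".lnk": "lnkfile",
                  ".inf": "inffile", ".vbs": "VBSFile", ".js": "JSFile"}

def _norm(value):
    # Quotes are optional in cmd command strings and the Windows directory may be shown
    # expanded, so compare case-insensitively with quotes removed and C:\Windows folded
    # back to %SystemRoot% (assumption: the system drive is C:).
    value = value.strip().lower().replace('"', "").replace("c:\\windows\\", "%systemroot%\\")
    return " ".join(value.split())

def _parse(output):
    # ftype / assoc print one name=value per line; anything else is ignored.
    return {name.strip().lower(): value for name, sep, value in
            (line.partition("=") for line in output.splitlines()) if sep}

def check_associations(ftype_output, assoc_output):
    """Return (kind, name, current, expected) for each entry that is missing or
    differs from the known-good value; an empty list means nothing was changed."""
    findings = []
    for kind, expected, current in (("ftype", EXPECTED_FTYPE, _parse(ftype_output)),
                                    ("assoc", EXPECTED_ASSOC, _parse(assoc_output))):
        for name, good in expected.items():
            seen = current.get(name.lower())
            if seen is None or _norm(seen) != _norm(good):
                findings.append((kind, name, seen, good))
    return findings

# Constructed sample output: exefile has an extra program prepended to the command,
# .pif has no mapping at all, and inffile differs only in quoting (reported as fine).
SAMPLE_FTYPE = r'''exefile="C:\Users\Public\loader.exe" "%1" %*
batfile="%1" %*
cmdfile="%1" %*
comfile="%1" %*
scrfile="%1" /S
regfile="regedit.exe" "%1"
piffile="%1" %*
inffile=C:\Windows\System32\NOTEPAD.EXE %1
vbsfile="%SystemRoot%\System32\WScript.exe" "%1" %*
jsfile="%SystemRoot%\System32\WScript.exe" "%1" %*'''
SAMPLE_ASSOC = (".exe=exefile\n.bat=batfile\n.cmd=cmdfile\n.com=comfile\n.scr=scrfile\n"
                ".reg=regfile\n.lnk=lnkfile\n.inf=inffile\n.vbs=VBSFile\n.js=JSFile")
```

On a real machine, feed `check_associations` the text of `ftype > ftype.txt` and `assoc > assoc.txt` captured from the affected system.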
 
OHHH, I think I know where the files on the desktop are from.

It may be that a zip or something extracted to the desktop or a program installed directly on the desktop instead of a folder.

Create a TMP folder on the desktop and drag and move (not copy) all of these into it. Do not delete any of them yet.

Once they are all in TMP, then reboot to see if something complains.

Mike
 
Gahh,

I could not run SDFix.
I deleted one of the desktop.ini files in Safe Mode.
Once out of Safe Mode, all of my firewalls were off.
I tried to turn them on but Norton doesn't seem to.
The internet disconnected again.
I ate dinner.
Internet failed again.
3rd time it worked.
A desktop.ini file appeared for a sec, then disappeared.
My old anti-spyware program "PC Tools Spyware Doctor" ran a scan and found stuff, including files in the ComboFix folder. False positive?

Should I try the cmd method or TMP first?
 
There seem to be many of the desktop files, to the point where it may not be entirely associated with the virus.
 
Jeeze

Leave that; do the other part of that post: the copy/paste operation and the SAS repair numbers.

Mike
 
Yes, I knew it did not run on most, but it runs on my Vista Ultimate and a couple of my other clients'.

Just do the copy/paste and SAS repairs by the numbers.

And to get me a deeper view of your system, download http://oldtimer.geekstogo.com/OTViewIt.exe

Run it, select Scan All Users and leave Use Whitelist checked.

Do not click cleanup!

Click Run Scan and give it time; it will open 1 of 2 logs. Paste the one that opens, then the one that will be minimized.

Mike
 
The program stops responding when it reaches CertPropSvc.

Edit: it works now, but CertPropSvc is listed as a possibly infected file in other threads.
 
Are you speaking of OTViewIt?

OK, well now that may mean it will not run with Vista or your combination of firewall, virus and malware protections. I could not confirm that it would or would not.

What are the results of the copy/paste and SAS fixes by the numbers?

Mike
 
It is working now. SAS didn't do anything at all, and the copy/paste seemed to fail:

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Poi45iop>@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
exefile="%1" %*
ftype batfile="%1" %*
batfile="%1" %*
ftype cmdfile="%1" %*
cmdfile="%1" %*
ftype comfile="%1" %*
comfile="%1" %*
ftype scrfile="%1" /S
scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
regfile="regedit.exe" "%1"
ftype piffile="%1" %*
piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
inffile=C:\Windows\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
vbsfile=C:\Windows\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
jsfile=C:\Windows\System32\WScript.exe "%1" %*

assoc .exe=exefile
.exe=exefile
assoc .bat=batfile
.bat=batfile
assoc .cmd=cmdfile
.cmd=cmdfile
assoc .com=comfile
.com=comfile
assoc .scr=scrfile
.scr=scrfile
assoc .reg=regfile
.reg=regfile
assoc .pif=piffile
.pif=piffile
assoc .lnk=lnkfile
.lnk=lnkfile
assoc .inf=inffile
.inf=inffile
assoc .vbs=VBSFile
.vbs=VBSFile
assoc .js=JSFile
.js=JSFile

sc stop TDSSserv.sys
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

sc delete TDSSserv.sys
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
data"
ERROR: The parameter is incorrect.
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
ERROR: The parameter is incorrect.
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
data" /f
The operation completed successfully.
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
The operation completed successfully.
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
 