#1
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
How do I get rid of Infostealer.Gampass & Downloader??
I really could use some help here. My Norton weekly system scan on Friday found Infostealer.Gampass in an exe that I had run in the past week or so. I am surprised that Norton didn't tell me when I ran it. Anyway, I looked it up on Symantec which pointed me to the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run which indeed had 2 rundll32.exe entries of randomly named dll's which I am assuming are related to the Infostealer.Gampass. I have tried ending the 2 rundll32 processes and then deleting the 2 registry entries and the dll's and 2 other ini files in system32 named yaJluBeg.ini and yaJluBeg.ini2. But they just keep coming back -- 2 new registry entries with the same names with randomly generated dll names. With the 2 rundll32 processes gone, the 2 ini files come back immediately after deleting. SP2 and I use Firefox, IE and Maxthon. Firefox and IE are having problems and are not accessing certain sites (not even timing out). I think I caused this by getting in a hurry when I was running the exe and allowed SpySweeper to install the virus software. SP2 (WinNT 5.01.2600)http://go.microsoft.com/fwlink/?LinkId=69157 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=69157 UPS Status.lnk = ?http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU http://symantec.atgnow.com/sdccommon...ad/tgctlsi.cab http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe http://www.therealyellowpageslive.net/live/ezinit.cab http://www.symantec.com/techsupp/asa/SymAData.cab http://fpdownload2.macromedia.com/ge...sh/swflash.cab https://www-secure.symantec.com/tech...ActiveData.cab http://driveragent.com/files/driveragent.cab UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
Last edited by dmcmillen; 12th May 2008 at 14:41 .
Didn't find the information you thought to find?Similar Threads
#2
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
Here's my Deckard dss.exe results
Deckard's System Scanner v20071014.68SP2 (WinNT 5.01.2600)dss .exehttp://go.microsoft.com/fwlink/?LinkId=69157 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=69157 UPS Status.lnk = ?http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU http://symantec.atgnow.com/sdccommon...ad/tgctlsi.cab http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe http://www.therealyellowpageslive.net/live/ezinit.cab http://www.symantec.com/techsupp/asa/SymAData.cab http://fpdownload2.macromedia.com/ge...sh/swflash.cab https://www-secure.symantec.com/tech...ActiveData.cab http://driveragent.com/files/driveragent.cab UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
#3
Staff
Profile: Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience:
Hi David, and welcome to WindowsBBS here , saving the file to your desktop.this link for your applicable programs.Close all open programs and windows Double click combofix.exe and follow the prompts.
It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
#4
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
Notes & ComboFix Log
Hi noahdfear,cpu , I had to manually kill the Norton apps and ComboFix continued and gave log file.- BM9f4f2aa4/svtvfans is back in registry ..CurrentVersion\Run again (did not load because did not find file in system32 dir which I had moved) WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! TCP "= 1947:TCP :HASP SRM http://www.gmer.net
#5
Staff
Profile: Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience:
Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;CFScript.txt All Files (*.*)
Code:
File::
C:\WINDOWS\system32\cmynqbtm.dll
C:\WINDOWS\system32\qshnymyp.exe
C:\WINDOWS\system32\htdfprdn.dll
C:\WINDOWS\system32\svtvfans.dll
C:\WINDOWS\system32\dwpsbxji.dll
C:\WINDOWS\system32\vuhfuuli.exe
C:\WINDOWS\system32\rgupnoxn.dll
C:\WINDOWS\system32\qvjmeqon.dll
C:\WINDOWS\system32\tlkbnpas.dll
C:\WINDOWS\system32\sudoedhg.exe
C:\WINDOWS\system32\qfvlrvls.dll
C:\WINDOWS\system32\kbnmvlto.exe
C:\WINDOWS\system32\arijbajm.dll
C:\WINDOWS\BM9f4f2aa4.xml
Rootkit::
C:\WINDOWS\system32\ndrpfdth.ini
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
"MSConfig"=-
"9c7c1938"=-
"BM9f4f2aa4"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f4f2aa4]
Driver::
TAPBIND Close all other windows and programs . Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
#6
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
Question??
Dave,The following are also gone: C:\WINDOWS\BM9f4f2aa4.txt
#7
Staff
Profile: Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience:
Since you've already dealt with the rest, use the following as described above to create a CFScript.txt and run it.
Code:
File::
C:\WINDOWS\BM9f4f2aa4.xml
Rootkit::
C:\WINDOWS\system32\ndrpfdth.ini
Driver::
TAPBIND Post the new log along with a fresh HijackThis log.
#8
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
ComboFix Log (HiJackThis in next reply)
Dave,WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2006-06-06 10:21:45 221295]TCP "= 1947:TCP :HASP SRM http://www.gmer.net See next reply for HiJackThis log
#9
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
HiJackThis Log
Here's the HiJackThis log. I was unable to post in previous reply because of post length.SP2 (WinNT 5.01.2600)http://go.microsoft.com/fwlink/?LinkId=69157 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=69157 UPS Status.lnk = ?http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU http://symantec.atgnow.com/sdccommon...ad/tgctlsi.cab http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe http://www.therealyellowpageslive.net/live/ezinit.cab http://www.symantec.com/techsupp/asa/SymAData.cab http://fpdownload2.macromedia.com/ge...sh/swflash.cab https://www-secure.symantec.com/tech...ActiveData.cab http://driveragent.com/files/driveragent.cab UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
#10
Staff
Profile: Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience:
Looks good David. The LSA key and it's subkeys, values and data are responsible for, among other things, validating user logon. The GBG subkey is a default key. Best to leave that area of the registry alone. custom excludes file to help diffuse some of the bugs, and still recommend using it with version 1.55, although a number of the issues are reported as being addressed. I have used 1.55 a few times on various machines without incident, and without the custom excludes file.ATF Cleaner by Atribune and save it to your Desktop.Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of: Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
Recycle bin
The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
Reboot Kaspersky WebScanner Scan Now and Accept the agreement. You will be promted to install an ActiveX component from Kaspersky, Click Yes .The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Archives
Click OK
Now under select a target to scan:
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.Now click on the Save as Text button:
Save the file to your desktop.
#11
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
1st part of Kapersky Log (HiJackThis to follow in next reply)
Dave -- Sorry to split this up but size restriction is 35k chars. Most of what Kapersky caught was already quarantined. What was interesting was that while Kapersky was running, Norton deleted 7 of the files I had already quarantined in David's Potential Bad Stuff before or while Kapersky was processing. MS Home Solutions/Justin/14 Aug 2004 06:32 from Justin Allen:Event Incentives!!!.html Suspicious: Trojan-Spy.HTML.Fraud.gen skippedSee next reply for rest of log (due to size restriction)
#12
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
2nd part of Kapersky log
Here's the 2nd part of Kapersky log
#13
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2SP2 (WinNT 5.01.2600)http://go.microsoft.com/fwlink/?LinkId=69157 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=69157 UPS Status.lnk = ?http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU http://symantec.atgnow.com/sdccommon...ad/tgctlsi.cab http://www.kaspersky.com/kos/eng/par...an_unicode.cab http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe http://www.therealyellowpageslive.net/live/ezinit.cab http://www.symantec.com/techsupp/asa/SymAData.cab http://fpdownload2.macromedia.com/ge...sh/swflash.cab https://www-secure.symantec.com/tech...ActiveData.cab http://driveragent.com/files/driveragent.cab UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
#14
Staff
Profile: Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience:
Delete the following, as well as all other files I previously mentioned which you had moved to your Potential Bad Stuff folder.ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.
#15
Member
Profile: Join Date: May 2008
Posts: 10
Computer Experience:
Looks like we're clean!
Hi Dave,cpu and disk activity by ssu.exe (Spysweeper), lucoms~1.exe (Symantec LiveUpdate), LUCallBackProxy.exe (usually more than 1 process -- Symantec Update), and MS processes csrss.exe (client/server) and services.exe. Mostly it's the Symantec and Spysweeper stuff. That's one reason I'm interested in the Kaspersky anti-virus, although I also run Norton's Save and Restore so I would still be stuck with their auto update process.
All times are GMT +1. The time now is 05:41 .
