InfoStealer.Gampass???

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

 

You need to attach it in a second message as stated in the READ & RUN ME instructions which said

I don't know if you noticed or not but you have many many more problems than InfoStealer.Gampass. Your antivirus was missing a lot of problems.

 

Uninstall the below old versions of Sun Java:
Java(TM) 6 Update 2
Java(TM) 6 Update 3

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [system34] C:\WINDOWS\SoftwareProtection\Windows External Security Update.exe
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

Also I strongly recommend that you also fix the LimeWire startups. Only run this when you want to use it. Do not always have it running!
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

We have a little more cleaning to do.



Now we need to use ComboFix again.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now double click the same fixME.reg patch you saved to your Desktop last time and allow it to be added to your registry.

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.


NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Actually it would be better to click OK but we don't need the procdll.txt file now anyway, so don't worry about it.

You have a few more files to remove. Rather than making up a longer fix with ComboFix, let's see if you can just simply delete the below files:

C:\WINDOWS\system32\comremo.dll
C:\WINDOWS\system32\ezcron.dll
C:\WINDOWS\system32\myasemt.dll

Let me know if you can get them deleted. Reboot afterwards and make sure that they have not come back. Let me know the results and also tell me how things are working.

 

While I'm not sure the infection is the cause of your freezing, we still are not done with removal. Some items have still come back and I'm going to give you a new fix. This fix will include things that may arlready be removed. But I want to keep them in the fix just in case they have returned since you posted your last logs.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay this particular trojan can be annoying to remove because it creates many, many files and registry keys and the files constantly change names. We need to find all of the files and registry keys. I'm going to give a bigger fix further down that includes all the ones I know of at this time. They may not all be on your PC, but it does not hurt to check anyway.

First I want to try and fix the error you were getting while running GetLogs.bat. It is looking like we may need the procdll.txt file after all.

Please install the .NET Framework software from Microsoft by clicking the Download button in the below link and then running the dotnetfx.exe file once it is downloaded.

http://www.microsoft.com/Downloads/details.aspx?FamilyId=262D25E3-F589-4842-8157-034D1E7CF3A3&displaylang=en


Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O20 - AppInit_DLLs: ezcron.dll myasemt.dll fackwir.dll caotxb.dll comremo.dll googleons.dll welycz.dll jsnoer.dll ceshleo.dll joliom.dll
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.




Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP
C:\Documents and Settings\Burak\Local Settings\Temp


Now copy the bold text below to notepad. Save it as fixIT.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now run ATF Cleaner again like you did back in message # 8!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).







Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Sorry about that. I meant to edit that out of the Avenger part and add a separate patch for that. I'm going to edit the previous Avenger fix and add the registry patch to it, so start again with the Avenger piece and contine.

 

Was it the same exact error message or a different error message?

How did you attach them in the past? Just do it the same way. Also make sure that you are attaching new logs and not the same old logs. Look for error messages in the Manage Attachments window to see what they say if getting any errors. These messages are not real obvious.

 

What browser are you using? Try another browser like if IE is not working. Or if already using FireFox, try IE..

We don't post email address in the public forum because spambots will pick them up and we don't want any more spam. Also we don't work via emails since it requires more work for us connecting to something else to download the emails and then they actually have to get added to the forum by us so that the thread is more complete and more helpful to anyone ever having a similar problem. However I will send you a PM with an email address you can use so we can get this finished up.

 

You're welcome. I attached your logs to your last message. Let's continue with your cleanup.

Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button.
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

Now re-run Spybot and run the Immunize feature to reimmunize.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (file missing)
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (file missing)

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixOLG.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run ATF Cleaner

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Run the fix in message # 15 down to and including the ATF Cleaner step.

Then run the fix from message # 7 but start at the step with HijackThis and continue thru to the end of that fix and attach the new logs from Avenger and MGlogs.zip. Note that the HijackThis line for AppInit_DLLs may not look the same as given in message # 7 but fix what you do see. NOTE: I have modified the Avenger fix again to include new items that I know about for this infection. So make sure you use the new info in the Avenger fix and not the same fix you did last time.

Does your Symantec software have its own firewall built-in?

Are there other user accounts on this PC that are getting used?