Need help removing Infostealer.Gampass

Discussion in 'Malware Help (A Specialist Will Reply)' started by IceLeopard, Nov 10, 2008.

  1. IceLeopard

    IceLeopard Private E-2

    Hello, I just joined and I am hoping you can help me remove this annoying Virus.

    About 2 weeks ago, my Symantec Endpoint told me I had both Infostealer.Wowcraft and Infostealer.Gampass on my computer. Then it told me it deleted both of them. Then about a week later, it told me my computer was infected again with Infostealer.Gampass. It deleted it, then two seconds later it found it again. Again it deleted it, and kept finding and deleting every few seconds. Very annoying.

    I followed the steps on their Website to no avail and even called them but their initial suggestion didn't work, so I am coming to you.

    I spent the last few hours doing all the things mentioned in your Cleaning Procedure etc and downloading and scanning and running the tools.

    1) SAS found 3 things it deleted
    2) Spybot found nothing
    3) MBAM found nothing
    4) Not sure what combo fix found, but it made a log
    5) MGTools made a log

    After a reboot, Symantec is still complaining about the Virus, unfortunately. I will attach all the logs. Please help me :)
     


  2. IceLeopard

    IceLeopard Private E-2

    Here is the last attachment.... the MG Tools generated ZIP file.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This computer is part of a network with multiple users?
    You should log into each account and run both SAS and MBAM. Attach any log that shows malware letting me know which account it is.

    What is the exact path that is being reported?

    In the meantime:

    Please use add/remove programs to uninstall your old Java.

    Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now download and install:
    Java Runtime

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
    Last edited: Nov 11, 2008
  4. IceLeopard

    IceLeopard Private E-2

    Thanks for the reply :)

    Yes, this computer is part of a network so I have a domain login and local logins. I had about 4 different local accounts. I don't need them anymore, so I deleted them all from "User Accounts" maintenance, except for the Admin account. I also deleted the corresponding folders under "c:\documents and settings". This should speed up my scans and hopefully make it easier for you to find the problem. So I scanned my local admin account and my network account.

    HEALTHLINE\rsolem:
    SAS results: Scanning is complete. No harmful software was detected!
    MBAM results: No malicious items were detected.

    Local machine\Administrator:
    SAS results: 7 items found (log attached)
    MBAM results: No malicious items were detected.

    Symantec finds the Virus in several different locations with various filenames. Here are the paths:
    c:\windows\system32\

    c:\documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J7W24IRU

    c:\documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine

    I removed Java yesterday with Add/Remove programs. I am surprised to see it is still there. When I try to "remove" it now it says "You already have this version of the JRE installed. Please uninstall the product through your add/remove programs utility before reinstalling." Very weird because that is exactly what I AM doing: removing it via add/remove programs. So some part of Java is still lingering it seems.

    I disabled Symantec End Protection by right clicking the shield in the Tray and selecting "disable". However RTVSCAN.EXE was still running when I looked at the active processes. I shut that one down by going into the "Services" under control panel and shutdown all services that started with "Symantec". However, every now and again the auto-protect window pops up saying it found the security risk. So I don't know how to truly disable Symantec.

    I downloaded and ran AVENGER. It seemed to work great. It deleted the files. I was also happy to see windows complaining on startup that C:\WINDOWS\system32\SystemHper.dll was missing, since so far I have not seen the Virus run into any problems.

    I downloaded and installed Java Runtime with no problem.

    I ran GetLogs.Bat and regenerated the ZIP file for you. It is attached as well.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can certainly remove c:\documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J7W24IRU

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    The quarantine files for Symantec can be deleted, but you need to give me the exact path and name for what is reported as I am not seeing anything in your logs at the moment. :)
     
  6. IceLeopard

    IceLeopard Private E-2

    Thanks, this is going great! I deleted all the files in the Quarantine and I ran ATF-Cleaner. With my computer on for several hours, Symantec never complained! This is great. I even ran a full scan, 0 risks found. I rebooted and tried another full scan, again 0 risks found. This is wonderful =)

    There is only one little issue left, and that is when I reboot my computer, I get this error message:

    Error loading C:\WINDOWS\system32\SystemHper.dll
    The specified module could not be found

    So it looks like AVENGER got rid of that virus file, but something is still trying to load it. Do you want me to repost a log?

    Thanks again, even if I never get that error fixed, it is no big deal.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you removed all browser add-ons and toolbars?

    I believe it may be related to one of those. Let me know.
     
  8. IceLeopard

    IceLeopard Private E-2

    I don't have any extra toolbars, but I have an Adobe Reader plugin, and a plugin for accessing Microsoft Project, so I didn't think they were related.

    I actually ran HijackThis and saw the entry for SystemHper.dll:

    O4 - HKLM\..\Run: [SystemHelp] RUNDLL32.EXE C:\WINDOWS\system32\SystemHper.dll, Install

    I "fixed" it, and now my computer reboots without any errors :)

    I also remembered that my old Java didn't Uninstall properly, so I went into the registry and deleted the keys I could find dealing with Java J2SE. Then I searched my hard-drive for J2SE related files and deleted them as well. I am happy to say, J2SE no longer appears under Add/Remove programs.

    So I think I am all set!! You have been a TREMENDOUS help. Just to give you an idea of your awesomeness, here is a list of failed attempts to remove the Virus:

    1) Symantec Endpoint could not get rid of it.
    2) I spent several hours googling, and downloading tools but it didn't get rid of it.
    3) I followed Symantec's website suggestion on how to remove this exact Virus, it didn't work.
    4) I had two different IT guys spend hours trying to get rid of it, didn't work.
    5) I called Symantec and tried their suggestion -- again, this new suggestion didn't work.
    6) Finally I came to you, and you got it right away -- amazing :)

    I just want to say thanks TimW :-D
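An added example, not from the thread and not part of HijackThis: a small Python parser for O4 lines of the form quoted above. It pulls out the module a RUNDLL32 entry really loads (the DLL, not rundll32 itself) and flags Run entries whose target no longer exists on disk, which is the orphaned autostart that produced the "Error loading" message after Avenger removed the file. The sample log lines and the set of files "present on disk" are constructed for the example.

```python
import re

# Constructed HijackThis O4 lines: the first is the entry from the thread,
# the other two are made up as benign contrast.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SystemHelp] RUNDLL32.EXE C:\WINDOWS\system32\SystemHper.dll, Install",
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

# Constructed stand-in for the file system; on a live box replace membership
# tests with os.path.exists(). Paths are compared case-insensitively, as on NTFS.
PRESENT_FILES = {
    r"c:\program files\common files\symantec shared\ccapp.exe",
    r"c:\windows\system32\ctfmon.exe",
}

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_o4(line):
    """Return hive, key, name, module path and whether rundll32 is the loader."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    cmd = entry["cmd"]
    if cmd.lower().startswith("rundll32"):
        # rundll32 <dll>,<export>: the DLL is the real payload
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
        entry["module"] = rest.split(",")[0].strip().strip('"')
        entry["via_rundll32"] = True
    else:
        exe = re.match(r'^"?(.+?\.exe)', cmd, re.IGNORECASE)
        entry["module"] = exe.group(1) if exe else cmd.strip()
        entry["via_rundll32"] = False
    return entry


def orphaned_autoruns(lines, present_files):
    """List (hive, name, module) for Run entries whose target file is missing."""
    orphans = []
    for line in lines:
        entry = parse_o4(line)
        if entry and entry["module"].lower() not in present_files:
            orphans.append((entry["hive"], entry["name"], entry["module"]))
    return orphans


if __name__ == "__main__":
    for hive, name, module in orphaned_autoruns(SAMPLE_O4_LINES, PRESENT_FILES):
        print(f"orphaned Run entry [{name}] under {hive} -> missing {module}")
```

An orphaned entry like this is harmless on its own but is the trace that confirms the removed file was set to load at logon; clearing the Run value is what silences the startup error.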
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome...let me give you the final clean up steps:

     
  10. IceLeopard

    IceLeopard Private E-2

    I have uninstalled the tools and everything looks good.

    I actually decided to keep ATF-Cleaner; that's a pretty neat tool to cleanup temp files from all over the place.

    Take Care and thanks again!
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are very welcome...safe surfing. :)
     