Ran Vista Procedure and still have infostealer

Discussion in 'Malware Help (A Specialist Will Reply)' started by Shakeebones, Jun 10, 2010.

  1. Shakeebones

    Shakeebones Private E-2

    I came across this virus about 2 weeks ago and ran Norton after having one of my gamer accounts hacked. I ran a comprehensive check on Norton; it found an infostealer.gamapp along with a downloader, and after the scan I thought it was resolved. Once the first scan was complete I instantly did another and it found the same files and virus.

    I then came to this forum and followed the Vista malware cleaning process. The instructions were very helpful and easy to follow. I was hoping the tutorial would rid me of this virus, but it appears to still be active. I'll post my logs from the scans.

    Thanks for the help in advance, and I hope I can get this resolved with your help and knowledge.
     

    Attached Files:

    Last edited: Jun 10, 2010
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to tell me exactly what keeps reappearing. The full path to the file. Also, please put ComboFix directly on your desktop, not here:
    "Running from: c:\users\Tristan\Downloads\ComboFix.exe"
     
  3. Shakeebones

    Shakeebones Private E-2

    Hello Tim,
    I don't know an easy way to list the items Norton keeps finding; it doesn't allow me to copy/paste out of the "more info" link, so I'll type them out manually. I'm listing the ones that are found as viruses. There are many cookies that are listed, but I'd assume there is a way to just get rid of those once the main viruses are gone.

    Trojan Horses

    Registry Entry: HKEY_USERS\S-1-5-21-1783909342-1521306808-2032239999-1000\Software\Microsoft\Windows\CurrentVersion\Run->SfKg6wIPu
    File: c:\users\tristan\appdata\roaming\microsoft\windows\kqotirk.exe

    File: c:\users\tristan\appdata\local\temp\winbrec.exe

    Infostealer.gampass

    Registry Entry: HKEY_USERS\S-1-5-21-1783909342-1521306808-2032239999-1000\Software\Microsoft\Windows\CurrentVersion\Run->WinButler
    File: c:\users\tristan\appdata\roaming\winbutler\winbutler.exe

    File: c:\users\tristan\documents\limewire\saved\radiohead - slow down.mp3

    Downloader.MisleadApp

    File: c:\users\tristan\appdata\roaming\winbutler\winbuninstaller.exe

    Then listed as a security risk appears AntispywareProXP. This wasn't there on some of my first scans with Norton when I first obtained the virus. I believe this is the Super AntiSpyware program I downloaded for the Vista procedure.

    Also, I moved ComboFix to the desktop. I must have run it out of the shortcut thinking it was the main .exe file. Do you need me to do a new log with this on my desktop?

    Thanks again for your time.
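The entries Norton reported above are Run-key autostart values under the user's SID that point at executables in AppData\Roaming and Temp. The PowerShell script below is an added example, not from this thread and not part of Norton, MBAM, SAS or ComboFix; it inventories Run/RunOnce autostart values for the machine, the current user and every loaded profile hive, reduces each command to its executable path, checks whether that file still exists, and flags commands that start from AppData, Temp, Downloads or ProgramData. The path patterns and the function names Test-SuspiciousRunEntry and Get-ExecutablePath are my own choices, and the script assumes PowerShell 3.0 or later. It is read-only and removes nothing.

```powershell
# Added example, not from this thread or any tool it mentions.
# Lists Run/RunOnce autostart values and flags commands that start an
# executable from a user-writable location (AppData\Roaming, Temp,
# Downloads, ProgramData), as the entries Norton reported did.
# Read-only: nothing is removed. Assumes PowerShell 3.0 or later; run
# from an elevated prompt to see every loaded hive.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Norton reported the entries under HKEY_USERS\<SID>\..., so also walk every
# loaded profile hive (covers profiles other than the one running the script).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    if ($sid -match '^S-1-5-21-' -and $sid -notmatch '_Classes$') {
        $runKeys += "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    }
}

# Locations an installed, legitimate program rarely autostarts from.
# Hypothetical heuristic chosen for this example; tune it for your machine.
$suspiciousPaths = @(
    '\\AppData\\Roaming\\',
    '\\AppData\\Local\\Temp\\',
    '\\Users\\[^\\]+\\Downloads\\',
    '\\ProgramData\\'
)

function Test-SuspiciousRunEntry {
    param([string]$Command)
    foreach ($pattern in $suspiciousPaths) {
        # -match is case-insensitive, so lowercase paths like Norton's still hit
        if ($Command -match $pattern) { return $true }
    }
    return $false
}

# Reduce a Run value such as '"C:\path\app.exe" /arg' or 'C:\path\app.exe /arg'
# to the executable path so we can check whether the file still exists.
function Get-ExecutablePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties Get-ItemProperty adds
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $command = [string]$p.Value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath -Command $command))
        # Bare names such as rundll32.exe (no directory) report False here
        $exists = $false
        if ($exe) { $exists = Test-Path -LiteralPath $exe -PathType Leaf }
        [pscustomobject]@{
            Key        = $key
            ValueName  = $p.Name
            Command    = $command
            FileExists = $exists
            Suspicious = Test-SuspiciousRunEntry -Command $command
        }
    }
}

# Flagged entries first. A Suspicious=True entry whose file no longer exists
# is typically a leftover from a removal; compare it with the scanner's
# quarantine list before clearing it.
$results | Sort-Object -Property Suspicious, FileExists -Descending | Format-Table -AutoSize
```

The output is a table you can paste into a reply: the Key column shows which hive the value sits in, Command is the raw value exactly as Norton would report it, and FileExists tells you whether the scanner already removed the file and only the Run value is left behind. An entry that is Suspicious and whose file is gone is the pattern seen in this thread, where MBAM and SAS had already quarantined the executables.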
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MBAM and SAS appear to have removed them. Go ahead and re-run both and attach the new logs.
     
  5. Shakeebones

    Shakeebones Private E-2

    Ran SAS and MBAM again and am posting the logs. Looks very minimal on infected files.

    I notice when I open the Malwarebytes quarantine I see the files that I listed in the previous post in the quarantine. Would this cause the files to still show up in my Norton scan?

    If so, then if I delete the quarantined files they should be gone for good and Norton won't pick up on them?
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    All that was picked up was tracking cookies, which are not a real problem.
    Yes, and they should be listed as being in the MBAM quarantine folders.
    Yes, that should be the case.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:

     
  7. Shakeebones

    Shakeebones Private E-2

    Thanks much for your help. I seem to have resolved the issue with your knowledge and the help from the guide.

    Much appreciated
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
