Virus Found! Infostealer.Gampass

Discussion in 'Malware Help (A Specialist Will Reply)' started by fishging, Jun 22, 2008.

  1. fishging

    fishging Private E-2

    Symantec is popping this warning every time I open Mozilla. It started about 2-3 days ago

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Infostealer.Gampass
    File: C:\WINDOWS\SYSTEM32\dbi102.dll
    Location: C:\WINDOWS\SYSTEM32
    Computer: MAIN
    User: Corey
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Sat Jun 21 22:11:53 2008

    I have tried to delete the file, but it says it's in use. I have run READ & RUN ME FIRST. Below are the logs.
     

    Attached Files:

  2. fishging

    fishging Private E-2

    Here is the fourth file. The zip
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi fishging,
    Welcome to Major Geeks!


    In the below instructions, I'm having you remove the MySyncCell toolbar. It's an open-to-debate item.


    1) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 Runtime Environment, SE v1.4.2_06
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    R3 - URLSearchHook: mySyncCell Toolbar - {d46d0a6c-fab1-45a4-997e-030450e41de5} - C:\Program Files\mySyncCell\tbmySy.dll
    O2 - BHO: mySyncCell Toolbar - {d46d0a6c-fab1-45a4-997e-030450e41de5} - C:\Program Files\mySyncCell\tbmySy.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O20 - AppInit_DLLs: dbi102.dll

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O3 - Toolbar: mySyncCell Toolbar - {d46d0a6c-fab1-45a4-997e-030450e41de5} - C:\Program Files\mySyncCell\tbmySy.dll

    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.

    6) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::
    dbi102
    
    FILE::
    
    C:\WINDOWS\SYSTEM32\dbi102.dll
    
    REGISTRY::
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d46d0a6c-fab1-45a4-997e-030450e41de5}]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    7) Now run CCleaner at the default setting with the Windows tab as the top one.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
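An added illustration of the triage logic behind step 5 above, written for this page and not part of abri's instructions, of HijackThis, or of ComboFix: a small Python parser that reads HijackThis-style lines and labels them the way a helper would when deciding what to fix. The sample log is constructed here from the entries quoted in the thread (it is not the poster's attached log), and the severity labels and rules are this example's own assumptions. The O20 rule captures the security-relevant point of the thread: a DLL listed in AppInit_DLLs is loaded into every process that links user32.dll, which is why Symantec could neither clean nor quarantine dbi102.dll and why deleting it reports "in use".

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the entries quoted in the thread above;
# this is not the original attached HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: mySyncCell Toolbar - {d46d0a6c-fab1-45a4-997e-030450e41de5} - C:\Program Files\mySyncCell\tbmySy.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - AppInit_DLLs: dbi102.dll
"""


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O20"
    detail: str    # the rest of the line after "<code> - "
    severity: str  # "high", "review", "orphaned" or "info" (labels assumed here)
    reason: str


LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def classify(code: str, detail: str) -> Finding:
    """Assign a defender's triage label to one HijackThis entry."""
    # O20 AppInit_DLLs: every DLL named here is mapped into each process that
    # loads user32.dll, so the file is always "in use" and the entry is a
    # classic persistence/injection point. A clean system normally has an
    # empty value, which is exactly what the CFScript in step 6 writes back.
    if code == "O20" and detail.startswith("AppInit_DLLs:"):
        value = detail.split(":", 1)[1].strip()
        if value:
            return Finding(code, detail, "high",
                           f"AppInit_DLLs injects {value} into every GUI process")
        return Finding(code, detail, "info", "AppInit_DLLs is empty")
    # Entries whose target no longer exists are leftovers; removing them is safe.
    if "(no file)" in detail or "(file missing)" in detail:
        return Finding(code, detail, "orphaned", "target file is missing")
    # BHOs, toolbars and URL search hooks are identified by CLSID and run inside
    # the browser; whether to keep one depends on whether you installed the vendor's
    # product on purpose (the "open-to-debate" case in the thread).
    if code in ("O2", "O3", "R3") and CLSID_RE.search(detail):
        return Finding(code, detail, "review",
                       "browser extension or hook, confirm the vendor is wanted")
    return Finding(code, detail, "info", "no rule matched")


def triage(log_text: str) -> list:
    """Parse HijackThis-style lines and return one Finding per recognised entry."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and non-entry text are skipped
        findings.append(classify(*m.groups()))
    return findings


def by_severity(findings) -> dict:
    """Count findings per severity label, e.g. {'high': 1, 'orphaned': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.code}: {f.reason}")
    print(by_severity(triage(SAMPLE_LOG)))
```

Run as-is it reports the O20 entry as the single high-severity item, the two "(no file)"/"(file missing)" entries as orphaned leftovers, and the mySyncCell BHO as one to review; the same rules can be pointed at a full log by replacing SAMPLE_LOG with the file's contents.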
     
