08-11-2010 07:02 AM
I can't get rid of Infostealer. The window pops up that says that two files were contaminated with a trojan/virus. The first is rundll.exe and Norton's can get rid of it, but the second file, services.exe, can't be removed. I have disabled the restore, picked up the latest defs, gone into safe mode and performed a full scan. After many hours, the scan says there are no infections found. I reboot to get out of the safe mode, and within a minute or two, I get the same popup that says that Infostealer is back. When I pull up the entire history, the infostealer is flagged much earlier, not when it popped up after restart.
So, has the virus/trojan been removed? The full scan gave no infections. If it is removed, how do I get the popup to not keep showing up saying I've got a virus that wasn't removed every time I reboot so I don't get an ulcer?
Thanks in advance for your advice.
08-11-2010 11:12 AM
Can you give us a screen print of unresolved threats in your history? If there is an entry there, click on it to highlight it and then click on more details.
Also the same for resolved threats or quarantine if something has been quarantined.
You can paste the screen print to Paint, save it to desktop and insert it by using the little green tree browser in the reply editor. It would be advisable to see what it is reporting before offering a suggestion.
08-12-2010 09:39 AM
Hi Delphinium --
I tried to send a pdf attachment, and this forum won't allow it. Only .txt .log etc. Didn't spot the green tree you referenced, either.
Can I send you a private email outside the forum, with the screen images? The .pdf file is about 700-800Kb. I put the pdf file on a thumb drive and am using another, clean computer to go online.
Thanks for your interest and help,
08-12-2010 09:58 AM
You will need to paste the screen print into Paint and save to your desktop as a JPEG or PNG file. PDF doesn't work.
If you find the smilie in the reply editor menu bar, look two spaces to the right and you will find a green icon. Use that to locate the JPEG and attach.
Hope that helps.
08-12-2010 11:27 AM
Hi delphinium --
The images overwrote the text; thus this two part email.
I am guessing that winm.dll is the culprit. It infects/creates rundll.exe (not rundll32.exe, an operating system program) which in turn infects services.exe. The latter shows up in the Task Manager, and can't be shut down or trashed -- it's protected. Clever, these @#$%^&*. For the first time, just yesterday, I got the "bloodhound" entry. Note that that is in the restore directory. Not sure who drops that.
Anyway, I hope this is able to give you some insight. I wish I could boot the system outside of the HD boot sector, and then kill these files, and replace the system.exe file with a clean one. Have you ever tried it, and how would you do that?
Thanks again for listening to my problems,
08-12-2010 11:29 AM
That worked very nicely, that time. Infostealer has in the past been the Norton identification of a rootkit infection.
Since Norton has been prevented from removing or deleting the files due to risk to your machine, I recommend you visit one of these free malware removal forums to have it remediated.
Bleeping Computer is one of the best but they are also backed up at the moment with similar infections. There may be a lengthy wait. The others are also capable of fixing the problem.
08-13-2010 04:38 PM
Hi delphinium --
Just wanted to say thanks for your help. I got it removed, finally, but with a lot of aggravation. I used an outside tool with restore off and in safe mode. It still left the process, services.exe, still running with a virus in it. I then downloaded Norton Power Eraser and it was able to kill services.exe. Unfortunately, services.exe is an essential M/S process, and after the removal, the computer wouldn't boot. Had to get out the mini-version of the OS that came with the computer (Win XP Pro) and reloaded/repaired the OS. In the process, it caused some other software not to run, so I had to reload a couple of major programs. But they are up and running now. Oh yes, when I got it to reboot, Norton quarantined another system file, cmd. But a scan after all this, showed that it is clean again (I think.)
I do have a question of you, since you monitor this board a lot. Since the current Norton's didn't kill this virus, and didn't offer additional software to kill it nicely, does Norton even know it exists? Is some other poor soul, who went to some site or logged into a stranger wifi site, going to get zapped? How can I get Norton/Symantec's attention as to this virus/trojan? By the way, the other software was Malwarebytes' Anti-Malware. It named the virus/trojan as Trojan.Banker, while Norton called it Infostealer, which appears to be a generic name. Anyway. Wasn't all that happy about Norton's aid for removal -- really appreciated you and the forum, though -- but at least it flagged the bad guy. But $100 for a removal fee for me, a retired guy, is really steep.
Again, thanks for all your help.
08-14-2010 11:32 AM
The thing is that Norton is not allowed to remove rootkits for exactly what happened to your machine. In many cases the rootkit is affecting the files that were found rather than one of the files affecting the other. It would be the over-written system file that was directing the behaviour of the others in order to gain access to the net among other things.
Most antivirus engines can't fix rootkits or repair them. They do delete them which can, depending on the file involved, make the system unbootable. In your case, you had the tools and the know-how to fix the damage, but your description of what happened is more than most users can fix.
If you had gone to the suggested forums, they would have run scans to identify the infected file, swapped it out with an uninfected version, and then cleaned up the leftovers with a couple of other scanners. Really quite painless, and especially for those who do not have system discs, backups, or images.
It is much less messy than the method you used, which is why we don't recommend it. We have seen too many people with a doorstop instead of a computer.
Malwarebytes is very handy to have on board, but will not identify the TDL3/TDL4 rootkits at all because it also can't fix them. It is very common to see a machine with a rootkit come back with a clean MBAM scan.
I'm glad that you came out on top. Just be careful to run scans for a while and keep an eye on your Intrusion prevention for blocks.
08-14-2010 01:10 PM
Hi delphinium --
Thanks for taking the time to explain what happened. For sure, I plan to keep a copy of your msg about the go-to forums in case I or a friend have a similar problem in the future. I guess I was lucky that I didn't really screw up my computer.
Again, thanks for your comments, efforts, and patience.