Infostealer.gampass Problem


7 replies to this topic

#1 cocoharley


Posted 21 December 2007 - 11:27 AM

I have a HUGE problem. My computer has been infected with Infostealer.gampass about two weeks ago and the situation has gotten worse as I tried different ways (different malware removal programs and different suggestions found at different forums) to get rid of it. I've always been very very careful when it comes to my computer and have multiple anti-spyware programs running on my computer at all times. The only other person allowed to touch my computer is my husband and he has his own computer, so he doesn't use mine that often. I think my computer got infected after I visited this Chinese website: hxxp://www.yymp3.com By the way, the operating system is Windows XP Home Edition.

Anyhow, right after I downloaded an audio clip from that website, I received multiple alerts from Symantec Antivirus regarding a virus/trojan named Infostealer.Gampass and that a few files had been infected. A few of the files were able to be quarantined but the others were left alone. I tried to delete those manually but those files could no longer be found. I didn't think it was a big deal as that sometimes happens with temporary files. I ran another scan and everything seemed fine. Or so I thought. I also clicked on the link for the virus/trojan and on Symantec's website, it stated that the risk level for the virus/trojan was very low (a 1).

The next time I started my computer, I ran into multiple problems:
1) Windows Security Center wouldn't detect the antivirus program anymore and kept saying it was out of date even though it was not.
2) I kept getting error messages that said, "C:\WINDOWS\system32\xia6.exe is not a valid win32 application." (and also xia 2, xia4, and xia 6) When I closed them, I was asked if I wanted to report the problem to Microsoft (like if my IE or Microsoft Office documents had crashed).
3) Symantec antivirus popped up at least 7 times and listed those SAME viruses/trojans that were supposedly undetected the last time after clean up, but when I tried to delete them, at least half of them could not be located. Some of them problematic files include:
- sms1s[1].exe
- sms3s[1].exe
- sms4s[1].exe
- sms5s[1].exe
- host1.exe
- host2.exe
- host4.exe
- host5.exe
4) It showed that new programs were installed and when I clicked on the "Start" button, over half of my existing programs were highlighted and shown as newly installed.
5) When I tried to go to any website that required sign-ins (such as Yahoo Mail and Hotmail), I'd get the security certificate message.

At that point, I started looking up more information regarding this Infostealer.Gampass trojan. It appeared that it was a pretty new trojan and not many websites and forums had a lot of information about it. Furthermore, other people whose computer had been infected by this trojan were displaying different symptoms than what I've experienced, so there was no quick and easy solution - everybody said to try something different.

A few of the things that I've tried to do and failed (probably because of the infection) were to create a registry back-up and to go to Task Manager. The commands don't work anymore.

I've tried scanning and removing the trojan with the following programs:
- Symantec Antivirus
- Lavasoft Ad-Aware
- AVG Anti-Virus
- Spybot Search and Destroy
- SUPERAntiSpyware
- CounterSpy
- Avast! Antivirus

All these programs detected and removed what they found, but upon start-up, all the problems that existed were still there, sometimes a few more files were found by Symantec, sometimes a few less. I've tried scanning in safe mode as well and a few of the programs even did pre-boot scans.

I tried to install Multi-AV as well but that program wouldn't run on my computer.

I've also tried installing the trial versions of McAfee and Sophos products, but installation kept failing for both. I've contacted technical support for both. That was a week ago. McAfee has not even given me any response. Sophos responded and said installation failed probably because of an existing virus and gave me some other options.

Sophos told me to go into safe mode command prompt and provided step-by-step instructions to scan and remove viruses. At the end, it said, "Failed to open log file 'c\remove.log'." I scrolled up and copied some items that didn't look quite right to me:

"Could not open C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat"

"Could not open C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG"

"Could not open C:\WINDOWS\system32\config\SYSTEM.LOG"

"Could not open C:\WINDOWS\system32\drivers\sptd.sts"

">>> Virus 'Mal/Behav-043' found in file C:\Program Files\Internet Explorer\NS\Sy-win7z.Jmp Disinfection failed"

">>> Virus 'Mal/Behav-043' found in file C:\WINDOWS\system32\xia11.exe
Disinfection failed"

And then I couldn't get out of cmd.exe and had to use ctrl-alt-del to shut down my computer.

The next time I started my computer, it loaded in safe mode command prompt again! Nothing I've done so far would bring it out of that mode and load Windows again. I've tried "exit" and "win" but what that does is just closing cmd.exe and then all I see is a black background with "Safe Mode" on the four corners.

I've tried pushing F8 at the next startup, but it would not list the normal options at all. The only option that was listed was "Windows XP Home Edition" and nothing else! So now I can't do anything at all.

Please help! :thumbsup:

Mod Edit: Disabled active link to malware site.

Edited by quietman7, 21 December 2007 - 02:39 PM.



#2 quietman7


Posted 21 December 2007 - 02:41 PM

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 cocoharley


Posted 01 January 2008 - 06:52 PM

Thanks for your response. My biggest problem at the moment is that I cannot even get out of safe mode command prompt. Please refer to the last part of my initial post for the different ways I've tried unsuccessfully to boot my computer in the normal way to run on Windows XP.

I have already changed all my passwords using a different computer the day after my computer was infected and have not used my computer to log in to anything since then.

As mentioned in the last part of my initial post, my last trojan cleaning attempt landed me in safe mode command prompt, which I could not get out of... :thumbsup:

#4 quietman7


Posted 02 January 2008 - 07:38 AM

You have posted about the same issue at several security forums. In two of those forums you have not responded back to the latest offer of assistance. As already has been stated elsewhere, you are wasting the time of volunteers by trying to get so many helpers involved in your problem. In addition, this causes confusion and makes it difficult to provide the assistance you require.

If you want further assistance here, then advise the other security forums so they can close out the applicable threads. You were advised to do the same at one other forum but have yet to respond back with your intentions. If you do not reply back, then we will close this thread.

#5 cocoharley


Posted 02 January 2008 - 10:29 PM

Well... I first posted on December 21 at 3 different forums and after that, I was not able to access a computer until yesterday. One forum still had not responded. Another suggested I seek help from other forums that have more expertise on this issue, so that was why I was posting at different forums. And at this forum, I wasn't even sure I'd still get a response after so long.

As much as I'd like to have access to and sit in front of a borrowed computer 24/7 (with my own computer completely screwed up now), I am sorry I am not able to do so, so I am terribly sorry I have not responded to the posts made today until this moment. I have already responded to the posts you mentioned if you'd like to go and double check. Anyhow, I did not know this would cause such a problem with everyone. It's not like I want five different people to tell me to do five different things all at once. If I'd wanted to waste people's time I'd have used a different login ID at different forums.

I'm sensing I won't be getting help or understanding here, so I'll try my luck elsewhere. Thank you for your time.

#6 quietman7


Posted 02 January 2008 - 11:40 PM

It's not that no one wants to assist you, it's a matter of sticking to one place and working there to resolve your problem. When you post at several different forum sites, you will get varying instructions from each which can cause confusion. Further, each helper that is assisting you may not know that you are following instructions elsewhere, adding to more confusion.

Now you're telling everyone that you are going to go elsewhere because you're sensing no one wants to help you when that is not the case. There are only a limited number of helpers at each forum and we are all volunteers helping folks with malware infections as time permits.

From what you describe it sounds like you were instructed to use MSConfig to access (force) safe mode while there was malware on your system. Some types of malware can delete or alter the safeboot key in the registry resulting in the inability to reboot fully into safe mode or back to normal mode.

...If a situation like this has happened to you it is possible to fix this problem by renaming your boot.ini file. The first step would be to use a boot disk to start your computer. If your computer does not have a floppy disk, then you can typically boot off the Windows CD that came with your computer in order to access the Windows Recovery Console...Once booted to a command prompt, you would simply rename your C:\Boot.ini file to another name like C:\Boot.ini.bak. The command to rename the file at the command prompt is:

ren C:\Boot.ini Boot.ini.bak

Once the file is renamed, you can then remove the boot disk and reboot your computer to get back to normal mode. When booting up after the rename, do not be surprised if you see an error stating that you do not have a valid Boot.ini file. When you get back to normal Windows mode, you can then rename C:\Boot.ini.bak to C:\Boot.ini file and run Msconfig again to remove the /safeboot flag.

Problems that can occur by forcing Safe Mode (scroll down)

If you don't have an emergency boot floppy, you may be able to use one created on another PC running Windows XP but there's no guarantee that it will boot your machine.

If this method does not give you access to your machine, then a repair or clean install is the next step but you will need your XP CD.

"Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option"
"How to perform a Repair Install".

If you don't have your XP CD you can download a Recovery Console ISO file and burn it as an image to a disk to get a bootable CD which will startup the Recovery Console for troubleshooting and fixing purposes. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. Also read Creating A Windows XP Recovery Console CD Image.

Note: You may have a recovery disk instead. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific recovery disk or recovery partition for performing a clean factory restore. Essentially, they will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft.
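The post above describes the mechanism behind the "stuck in safe mode" symptom: MSConfig's SAFEBOOT option writes a /safeboot switch onto the operating-system entry in C:\Boot.ini, and NTLDR honours that switch on every boot until it is removed, which is why renaming the file away (so NTLDR falls back to a default boot) gets you out. The script below is an added example, not part of the thread and not a BleepingComputer tool; it parses a boot.ini in the standard NTLDR format, reports which entries carry a /safeboot switch, and returns a copy with the switch stripped while leaving every other switch (/noexecute, /fastdetect, etc.) alone. The sample boot.ini is constructed for illustration; the `/safeboot:minimal(alternateshell)` value is the one MSConfig writes for "Safe Mode with Command Prompt" on Windows XP. It is meant for inspecting a boot.ini copied off the affected disk from another machine, since the Recovery Console itself cannot run Python.

```python
"""Inspect a Windows XP boot.ini for a forced safe-mode switch and strip it.

Added example, not code from the forum thread. Assumes the standard NTLDR
boot.ini layout: a [boot loader] section followed by an [operating systems]
section whose entries look like
    <ARC path>="<description>" <switches...>
"""
import re

# Constructed sample: a single XP Home entry forced into
# "Safe Mode with Command Prompt" via MSConfig's SAFEBOOT option.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /safeboot:minimal(alternateshell)
"""

# One OS entry: ARC path, quoted description, then whitespace-separated switches.
ENTRY_RE = re.compile(r'^(?P<arc>[^=]+)="(?P<desc>[^"]*)"(?P<switches>.*)$')
# The /safeboot switch with its optional ":mode" argument and leading whitespace.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\S+)?", re.IGNORECASE)


def parse_entries(text):
    """Return [(arc_path, description, [switches])] for the [operating systems] section."""
    entries = []
    in_os = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_os = line.lower() == "[operating systems]"
            continue
        if not in_os or not line or line.startswith(";"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("arc"), m.group("desc"), m.group("switches").split()))
    return entries


def forced_safe_mode(text):
    """Map description -> the /safeboot switch as written, for entries that carry one."""
    found = {}
    for _arc, desc, switches in parse_entries(text):
        for sw in switches:
            if sw.lower().startswith("/safeboot"):
                found[desc] = sw
    return found


def strip_safeboot(text):
    """Return boot.ini text with /safeboot removed from OS entries; nothing else changes."""
    out = []
    in_os = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_os = line.lower() == "[operating systems]"
            out.append(raw)
        elif in_os and ENTRY_RE.match(line):
            out.append(SAFEBOOT_RE.sub("", raw))
        else:
            out.append(raw)  # [boot loader] lines and comments pass through untouched
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    forced = forced_safe_mode(SAMPLE_BOOT_INI)
    for desc, sw in forced.items():
        print(f"forced safe mode on entry {desc!r}: {sw}")
    if forced:
        print("--- cleaned boot.ini ---")
        print(strip_safeboot(SAMPLE_BOOT_INI), end="")
```

On the XP machine itself the same cleanup is done by hand: from the Recovery Console, `attrib -h -r -s c:\boot.ini` clears the hidden/read-only/system attributes so the file can be renamed or replaced, and `type c:\boot.ini` shows whether an entry carries /safeboot before you decide between renaming the file (the approach in the post above) and editing the switch out. Either way, check the result with a second look at the file before rebooting.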

#7 cocoharley


Posted 03 January 2008 - 05:51 PM

Thanks for your response. No, seriously, I am getting help from one forum currently. And it seems like they're taking me in the same direction you'd be taking me. I only have access to one other computer (my husband's laptop) but it's running on Vista. I have my authentic XP CD which I bought two years ago when I rebuilt my computer, so it's not an OEM system.

I do understand what you're saying about sticking to one forum. I definitely do not want contradicting instructions to complicate the matter any further. I wasn't trying to be rude or to cause any trouble, and I'm sorry if I came across that way. It's just that this matter has been bugging me for almost a month now and my computer is my LIFE - I have almost 150GB of information on it and I sometimes spend more time on my computer than I do with my husband, so I feel like I've lost a limb or something, and I was very very anxious to get the matter resolved as soon as possible!

Anyhow, I typed in "explorer.exe" as instructed by the other forum, and now the start button has popped up! :thumbsup: So I'm awaiting further instructions from them. Hopefully they'll be able to help me. If not, I'll come back here or go to another forum. One at a time, I promise.

Thanks again for your help.

#8 quietman7


Posted 03 January 2008 - 06:09 PM

You're welcome and good luck.



