Infostealer.gampass Infection


15 replies to this topic

#1 2energize

2energize

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:10 AM

Posted 21 May 2008 - 12:07 AM

Hey there,

I have Windows XP that is infected with Infostealer.gampass.

I have Nortons paid edition, AVG Free Edition and Lavasoft Ad-aware free version.

My system has been acting up for quite some time and became worse about 2 days ago. Some of the odd things it's doing are... cascading internet web pages, portions of toolbars disappearing, system start up extremely slow, can't close programs, task manager can't close programs, says I don't have firewall protection on when it is on, have to shut down at the tower instead of the start menu, and constant 'clicking' while on the internet (it sounds like it's trying to change web pages or maybe redirecting).

I've run the detection software on a daily basis and it kept coming up empty-handed until yesterday. Nortons found the infostealer.gampass virus. Norton wasn't able to clean or quarantine the infection.

I looked up the virus on the internet and found it is bad news. I ran Norton again to see if I could find any more info and Nortons couldn't find it. It hasn't been able to find it since. None of the software has detected it since.

I downloaded HJT and followed the recommendations. I removed the programs listed on the Rogue list and restarted all the programs on start up. I ran a HJT report and would like to post it here in hopes someone can help me clear up my system.

One other thing. I'm no expert on computers or HJT or I wouldn't be here, but I noticed on the HJT report it shows netzero as some type of search and start page. I don't have netzero. MSN is my start page.

Thanks for the help!



#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:10 AM

Posted 21 May 2008 - 06:02 AM

Let's see if we can get a second opinion on that infection? Run this scan and fix with MBAM please

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Please hold off on the HJT for now till we get some details

Edited by DaChew, 21 May 2008 - 06:03 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 2energize

Posted 21 May 2008 - 09:38 AM

Thanks for your prompt response.

I downloaded the anti-malware and followed the instructions. The detector found MyWebSearch and removed it. I don't see where it found the infostealer.gampass.

Here is a copy of the malware log:

Malwarebytes' Anti-Malware 1.12
Database version: 774

Scan type: Quick Scan
Objects scanned: 38153
Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 2energize

Posted 21 May 2008 - 09:53 AM

Just wanted to add a couple of things.

According to my research; Infostealer.gampass is a virus that steals your passwords. It's a pretty new virus and there isn't a lot of information out there on how to get rid of it.

Symantec lists it as a low level threat. However, everybody else lists it as a critical threat. The virus was made to steal your password from your online games, but it's also capable of stealing your password for your bank accounts, credit cards, emails, etc.

They know it is coming from a site called Gamespot (not to be confused with Gamestop). According to virus fighters, you don't have to do anything but go to that site to get it (their forum seems to be the main infector).

I don't do online games, so I didn't get it that way. The only thing I did was go to Gamespot's website to look up some prices on electronics. I don't know if there are any other sites as dangerous. The article only listed Gamespot as the source.

So beware. Apparently just typing the name in and looking through the site is enough to give you the virus.

#5 DaChew

Posted 21 May 2008 - 10:08 AM

http://www.siteadvisor.com/sites/gamespot....FF&aff_id=0

do you have a log from norton's that will give us a clue?

Please Run the PCPitstop Full Tests, here:
http://www.pcpitstop.com/pcpitstop/default.asp
Register and create a password
Accept the ActiveX component to allow your machine to run the Full Tests
Registering and accepting the ActiveX are both SAFE and FREE.
Full Tests is the first item in the left hand column of that page.

The Full Tests take less than 5 minutes for most machines.
Once you have your Results, please post the TechExpress Link back here into this thread for review.
TechExpress is the last item on the list in the yellow box in upper right area of any Results page.
Post the entire URL link information back here into this Forum thread.

Caution: During the testing of Video Adapter, a variety of patterns, shapes, colors and text are “flashed” onto the users monitor screen. In the many thousands of daily uses of the PCPitstop Full Tests over several years, two individuals who suffer epilepsy experienced discomfort and temporary dizziness when viewing the flashing patterns.
If you know that you are susceptible to photo driven seizure, look away from your screen during the Video Adapter testing sequence.

this site is one I got from an old jedi msmvp for trying to sort the malware vs windows problems
Chewy

No. Try not. Do... or do not. There is no try.

#6 2energize

Posted 21 May 2008 - 01:58 PM

Here's the link to Tech Express

http://www.pcpitstop.com/techexpress/default.asp

I'm not sure how to copy and paste from Nortons. I tried to highlight and right click, but it doesn't give me a copy/paste option. So I'll type the info in for you.


Nortons shows the infostealer.gampass virus and it's

File name = xclean_micro[1].exe
Action taken = Left Alone
File type = File
Status = Infected
Scan type = Realtime
Location = Documents\Settings\Greg\local...

I found a tracking cookie in the temp folder for Gamespot. I blocked the site through Internet Explorer for now. I can unblock it if you need me to. I haven't deleted any of the files or cleared the temp folder. I'll wait to hear from you.

There is another virus that had been quarantined 2(x). It is A0057867.EXE. Both of these files are in quarantine. They were located in C:\System Volume Information\_rest...

Thanks

#7 DaChew

Posted 21 May 2008 - 02:19 PM

http://www.siteadvisor.com/sites/xblock.co...FF&aff_id=0

you need to clean up past infections out of system restore

and you aren't running 2 active AV programs at the same time are you?

Edited by DaChew, 21 May 2008 - 02:28 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#8 2energize

Posted 21 May 2008 - 03:16 PM

I downloaded McAfee Site Advisor a little earlier and ran it.

As for 2 AV's. I originally only had Nortons. I added AVG a couple of days ago. Is that a bad thing?

And... How do I clean up past infections in system restore?

#9 DaChew

Posted 21 May 2008 - 03:30 PM

http://www.bleepingcomputer.com/forums/ind...st&p=822482
Chewy

No. Try not. Do... or do not. There is no try.

#10 2energize

Posted 21 May 2008 - 10:28 PM

Ok, I did the cleanmgr thing and set a new restore point. I then updated Nortons and ran a new scan... things have changed. I don't know if the changes are good, bad, or indifferent.. but here they are...


Nortons Virus Vault
Infostealer.gampass virus (No Change)
File name = xclean_micro[1].exe
Action taken = Left Alone
File type = File
Status = Infected
Scan type = Realtime
Location = Documents\Settings\Greg\local...

A0057867.EXE (Both Files)
File Name = Downloader
Action Taken = Quarantined (Has Changed to Left Alone)
File Type = File
Status = Infected
Scan Type = Realtime
Location = C:\System Volume Information\_rest...

I did some research and found out how to view Nortons scan history in notepad. I looked at the files and I don't see where it shows the date of the scan... I know it's coded in there somewhere... I just don't know where or how. It's interesting...there's a lot of files that Norton couldn't open to scan... some are regular programs and some are files in the temp folders.

So where to next?

#11 DaChew

Posted 22 May 2008 - 04:54 AM

I am still working in the dark here, the tech express link didn't work, if you go back there your test should be saved

http://virusscan.jotti.org/

Location = Documents\Settings\Greg\local... xclean_micro[1].exe

what does Jotti say about this file?


we seem to be spinning our wheels here

Edited by DaChew, 22 May 2008 - 04:58 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#12 2energize

Posted 22 May 2008 - 02:20 PM

Sorry about the bad link... try this one

http://www.pcpitstop.com/pcpitstop/Summary...?conid=20345402

I tried to find the file to upload to Jotti and I can't locate it. Nortons says it's still in Document/Settings/Greg/Local...
But when I go there I can't find a file that seems related to it. I don't get it!
This is :thumbsup:

#13 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:03:10 PM

Posted 22 May 2008 - 02:45 PM

I downloaded McAfee Site Advisor a little earlier and ran it.

As for 2 AV's. I originally only had Nortons. I added AVG a couple of days ago. Is that a bad thing?

And... How do I clean up past infections in system restore?

(sorry to butt in Da Chew) yes it is; you should have only ONE installed antivirus program on any computer

if you have not already done so you need to REMOVE AVG antivirus program, fully update the Norton, reboot and run a full scan with norton to see what has been 'overlooked' while you have had the TWO antivirus programs on there :thumbsup:

#14 DaChew

Posted 22 May 2008 - 03:02 PM

go to the tech express email a friend page

there will be a link created

http://www.pcpitstop.com/techexpress.asp?id=EGSMXXXTNDGSVNB9

you can PM me the link if you want to analyze
Chewy

No. Try not. Do... or do not. There is no try.

#15 2energize

Posted 23 May 2008 - 08:19 AM

Thanks ruby1 for the info. I'll remove AVG when I leave this forum and follow through with Nortons.

DaChewy I'll go in and see what I can do at Tech Express.

Thanks



