Infostealer.gampass can't get rid of it :(

Status
Not open for further replies.

whyme

Hello there, I am in a bind due to the fact that I am about to deploy to Iraq and I have gotten the infostealer.gampass bug and am unable to get rid of it. I have tried the steps listed in a Symantec guide but that seems to only get rid of the bug for a single day, then it comes back... PLEASE help me as soon as you can so I can get rid of this before I deploy.. Thanks
 
Welcome to Tech Spot.

Download HijackThis.
Double-click on the installer you just downloaded.
Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.
Upon install, HijackThis should open for you.

Close HijackThis and rename it.
Go to C:\Program Files\Trend Micro\HijackThis.exe
Right click on HijackThis.exe and select Rename
Type in crusty.exe and press enter.

Next click on the "Do a system scan and save a log file" button.
HijackThis will scan and then a log will open in notepad.
In the top left of the notepad window click "File" > "Save As" name it hijackthis and then save it to the Desktop.
Please save the log as a text (.txt) file or .log
In your post, add the log as an Attachment.
* Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
How to add logs as an attachment.

Then start your new posting at TechSpot by clicking on New Thread
(or use Post Reply in an existing thread).

Scroll down until you see a button Manage Attachments. Click on that and a popup-window opens.
Click on the Browse button, find the HijackThis.log file, or whatever file you're trying to attach on your PC, and double-click on it.

Now click on the Upload button in the popup. When done, click on the Close this window button.
Finish your message-text, then click on Submit Message. Please Note: you can attach more than one file to a post by repeating the above steps.
 
OK, first, pick ONE antivirus and uninstall the other two. Multiple AVs can cause conflicts and are not necessary.

=====

Open HijackThis and select "Do a system scan only"

Place a check mark next to:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Now click "Fix checked"

Let me look around and see what I can find on the Infostealer.
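As an added example that is not part of the thread, the PowerShell script below does the same check HijackThis performs for its O2 entries: it lists the registered Browser Helper Objects, resolves each CLSID to its DLL, and flags entries whose file is missing (what HijackThis prints as "(no file)"). It only reads the registry and changes nothing; the registry paths are the standard BHO and CLSID locations.

```powershell
# Added example (not from the thread): report Browser Helper Objects the way
# HijackThis does for O2 lines, flagging orphaned entries whose DLL is gone.
# Read-only: nothing is modified or removed.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-BhoEntries {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName          # e.g. {7E853D72-626A-48EC-A868-BA8D5E23E045}
            $name  = '(no name)'
            $dll   = $null
            foreach ($root in $clsidRoots) {
                $clsidKey = Join-Path $root $clsid
                if (-not (Test-Path $clsidKey)) { continue }
                $n = (Get-ItemProperty $clsidKey).'(default)'
                if ($n) { $name = $n }
                # InprocServer32's default value is the DLL Explorer/IE would load
                $inproc = Join-Path $clsidKey 'InprocServer32'
                if (Test-Path $inproc) { $dll = (Get-ItemProperty $inproc).'(default)' }
                break
            }
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll).Trim('"') } else { $null }
            [pscustomobject]@{
                CLSID   = $clsid
                Name    = $name
                Dll     = if ($dll) { $dll } else { '(no file)' }
                Present = [bool]($path -and (Test-Path -LiteralPath $path))
            }
        }
    }
}

# HijackThis-style output: "O2 - BHO: name - {CLSID} - path"
Get-BhoEntries | ForEach-Object {
    $flag = if ($_.Present) { '' } else { '   <-- orphaned entry, no DLL on disk' }
    "O2 - BHO: $($_.Name) - $($_.CLSID) - $($_.Dll)$flag"
}
```

An orphaned entry like the one fixed above is harmless by itself, since there is no file to load, but it is a leftover worth removing once the scan confirms nothing else references it.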
 
Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouse-click combofix's window while it's running. That may cause your computer to stall.
 
Every day I receive a message from Symantec saying that a threat was found called infostealer.gampass and it "cleans" it, but it reproduces itself many times each second for quite a while. I followed the information on Symantec's site http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99&tabid=3 and it got rid of the problem, but then the next day the same exact thing happens again. It has been happening for 5 days now and I can't seem to "keep it gone".
 
Let's run CounterSpy. This is a trial version but has full scanning and removal functions during the evaluation. You can uninstall it after the scan is done. It is an exceptional tool. There are a lot of instructions but it only takes a second to set up and start scanning.

Let me know if it finds anything.


Please download, install, update and run CounterSpy

CounterSpy is a 15 day full featured evaluation

Download CounterSpy V2

1. Double click the installer on the desktop
2. After Counterspy is installed and you have restarted your computer (if prompted), double-click the icon on
your desktop to begin the install.
3. The Getting Started setup wizard opens. The wizard will guide you through the initial steps needed to configure CounterSpy.
** When the Activate Now prompt appears just click Next

To scan your computer
1. Click System Scan on the main page. The System Scan page opens.
2. Set the scan options on the left side of the page. We recommend selecting Full System scan.
3. Click Scan Now. CounterSpy starts scanning your computer. After the scan is complete, the
CounterSpy System Scan Results summary window opens.
4. Review the summarized information, then click View Results. You return to the System Scan
results page.

To take action against a security risk
1. Select a security risk.
2. Make a selection from the Recommended Action drop down menu next to it and select Remove
** Select Remove in all menus
3. Check the Create restore point option. This will create the Windows backup (useful in case something goes wrong). Then press Take Action
4. Now CounterSpy will ask you to confirm your actions. Press Yes within the window that appears. This will start the removal process.
5. The program may need to reboot your computer. Clicking Yes if prompted is highly recommended.

To manage the quarantined spyware
* CounterSpy maintains a backup of quarantined items.
* To access the Quarantine click on the View menu, select Spyware Scan and then choose the Manage Spyware Quarantine option.
* To remove a certain item from the quarantine, place a checkmark next to it and click Permanently remove all checked items. (use this option)
* To restore an item click on the Un-quarantine all checked items link. (un-quarantine is only to be used if the computer is not running correctly due to items being removed by counterspy)

* Clicking on the Check all items link will put a checkmark next to each item. Clicking on Un-check all items will deselect all quarantined threats.

* CounterSpy will ask you to confirm your action. If you want to restore or delete an item, you must reply positively by pressing the Yes button.

* Exit CounterSpy
 
Can you see if there are any legible names of the items that were found.

* CounterSpy maintains a backup of quarantined items.
* To access the Quarantine click on the View menu, select Spyware Scan and then choose the Manage Spyware Quarantine option.
 
I tried to do that, but there isn't an option "Spyware Scan" when I go to view there is System Scan then manage quarantine, but when clicked it says it is empty. I look at the results of the last scan and these were the two files, minus the cookies.


Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers. Registry entries detected
HKEY_USERS\S-1-5-21-329068152-412668190-1801674531-1003\SOFTWARE\WGET and Trojan.HideWindow Trojan
 
Well hopefully that was the offending file.

You can keep Counterspy and scan again tomorrow or whenever. It won't work after the 15 days are up.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Let me know if it pops up again and we will look further.
 
Sorry to be such a pain, but how exactly do I hide file extensions/system hidden files and such?
 
Ok thank you sooooo much. Just two last questions if I may. Why is it that Symantec would find the program once a day, but never when I actually ran a scan through it (also AVG and Avast wouldn't find anything either)? What should I do if it happens again tomorrow?
 
Why is it that Symantec would find the program once a day, but never when I actually ran a scan through it
Good question. The scans we ran should have picked it up somewhere but they didn't. When I was looking around on the web, Symantec seemed to be the only program that has a problem with it. So.........?

AVG and Avast wouldn't find anything either
Honestly I trust AVG and Avast more than I do Symantec. It could be a false positive, even though we did clean up some bad entries. Antivirus doesn't know the difference between good and bad, so therefore if something happens that it sees as suspicious then it will report it. That's where false positives come from.

What should I do if it happens again tomorrow?
Get rid of Symantec, lol. It really isn't the best. AVG or Avast are all I will use.
 
Should I purchase the Counterspy? I just did some research and it seems to be a really good program.
 
It is up to you, it really is an exceptional antispyware program and offers realtime protection. If I were to purchase antispyware then that would certainly be the one. The price isn't bad either.
 
Ok I think I am going to buy it. I assume by your previous post that I should only run that on my computer then. Also if I have any problems tomorrow then I will post again with info. Most important though, THANK YOU SOOOOO MUCH for helping me so fast and making it easy for me to fix my problem... YOU ROCK
 