Infostealer.Gampass infection

By Vonlake
Oct 11, 2009
  1. Hello,

    I encountered this vicious problem today when Norton Antivirus kept popping up the window about this virus "Infostealer.Gampass". Norton claimed to have quarantined it successfully, but after it kept coming back I decided to follow the 8-step instructions thread.
    And yes, Anti-Malware and Superantispyware did find infected files on my computer.

    I attach the log files to this post.
    I appreciate your help to make sure that my computer is clean from malware and viruses :).


  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,233   +234

    I see you are running Internet Explorer 6. This tells me that you are missing some important Windows Updates, both critical and hardware updates like IE8. Run Windows Update manually, choose "custom", and keep running Windows Update until all updates are applied. After you complete this, your computer will be much more secure.
  3. Vonlake

    Vonlake TS Rookie Topic Starter

    As far as I know I have downloaded the newest updates to my Windows and I haven't used IE for years. I'm using Mozilla. But thanks for noticing me, I'll check if I've missed some updates.
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,233   +234

    Yes, even though you don't use IE, it is part of Windows security, so it is important that you keep it updated...
  5. Vonlake

    Vonlake TS Rookie Topic Starter

    Seems like I had an old version of IE. I updated it to the newest IE version (the rest of Windows had the newest updates).
  6. Vonlake

    Vonlake TS Rookie Topic Starter

    I'm getting some annoying ad popups on my computer and screen saying: "Your computer has malware/spyware infection! Press OK to scan your computer".

    I'm starting to get a bit worried, could someone check my logs to see what's wrong?
  7. WinXPert

    WinXPert TS Guru Posts: 445

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Vonlake, give me a little time- I am reviewing the logs now.

    I will EDIT this post with instructions and you won't get another notice of reply- please check back in a little while.

    While updating is good, it's not going to remove any malware on the system- that's kind of like closing the gate after the horse is out!

    Edit 1: in the meantime, don't use System Restore. There is malware in the restore points. I will have you remove them at the end of cleaning.
  9. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,233   +234

    "While updating is good, it's not going to remove any malware on the system- that's kind of like closing the gate after the horse is out!"... This is true Bobbye. Many Windows PC users have no clue what Windows Updates are for, in the first place. Applying proper Windows Updates can solve hardware issues, make Windows run smoother and increase Windows security... No matter how much we try to help posters/members here at techspot, some are never going to get it.

    I know Vonlake's Hijackthis log is full of "nasties"... Looks like he partakes in on-line gaming and may have IP redirector troubles too
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please disable real Time Protection temporarily:

    Spybot Search & Destroy TeaTimer
    There are two ways to disable TeaTimer: try this one first:
    • Right click the TeaTimer icon in the system Tray
    • Then click Exit Spybot-S&D Resident
    • Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.

    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)


    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R3 - Default URLSearchHook is missing

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
    Please attach the Combofix report in the next reply.
    Update and run a full system scan with Norton AV. Save the log and attach it in the next reply.
    Rescan with HijackThis and PASTE the log (Ctrl V) into the next reply.

    I want to see how much Combofix captures before adding additional programs.

    NOTE: If you do have a password stealer (PWS) you should change all of your passwords and monitor any online financial transactions.
  11. Vonlake

    Vonlake TS Rookie Topic Starter

    Ok here is the hijackthis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:30:35, on 16.10.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SoftAuto.exe] "C:\Program Files\Creative\Software Update 3\SoftAuto.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Shorten URL -
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Lisää tämä blogiin - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Lisää tämä blogiin tuotteessa Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: RaptisoftGameLoader -
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) -
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
    O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    End of file - 9622 bytes

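The HijackThis log above is plain text with one entry per line, so the entries a helper usually asks about (the missing R3 URLSearchHook, the O2 BHO with "(no file)", the O8/O16 items with no URL, the O23 services with "Unknown owner") can be picked out automatically. The following parser is an added example, not code from the thread or from HijackThis; the sample log it scans is a constructed subset of the entries posted above, and the triage rules are assumptions about what a reviewer would want to double-check, not a verdict that an entry is malicious.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis 2.0.2 line format used in this thread:
# "<section code> - <description>". Only a handful of the posted entries.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\NavNT\rtvscan.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O8 - Extra context menu item: Shorten URL -
O16 - DPF: RaptisoftGameLoader -
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

End of file - 9622 bytes
"""

# Section codes are a letter (R, F, N, O) followed by a number, e.g. "O23".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.*)$")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def triage(line):
    """Parse one log line; return an Entry (with review flags) or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, header, "End of file" etc.
    code, body = m.group("code"), m.group("body").strip()
    e = Entry(code, body)
    if code == "R3" and "missing" in body:
        e.flags.append("URLSearchHook missing; HJT 'Fix checked' restores the default")
    if code == "O2" and "(no file)" in body:
        e.flags.append("BHO still registered but its DLL is gone; orphan of a removal")
    if code in ("O8", "O16") and body.endswith("-"):
        e.flags.append("no URL or path recorded; origin cannot be verified")
    if code == "O23" and "Unknown owner" in body:
        e.flags.append("service has no vendor string; check the file's signature")
    return e


def flagged_entries(text):
    """Return only the entries that carry at least one review flag, in log order."""
    return [e for e in map(triage, text.splitlines()) if e and e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.code:<4} {e.body}")
        for f in e.flags:
            print("      ->", f)
```

The rules deliberately flag entries for a human to look at rather than classify them; PnkBstrA, for instance, is flagged only because the vendor field is empty.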
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good job- thank you. Is there some reason you did not disable TeaTimer in Spybot?

    Norton scan also shows aborted after about one hour- reason? I'd like to bring your attention to the following:
    P2P Warning:
    I notice that you have BitTorrent, uTorrent and Limewire which are all P2P programs. P2P (person to person) programs are also called 'file sharing' programs. In earlier computer days, these programs did not have much threat. But as they progressed, so did the dangers of using them.

    I suggest that you uninstall them for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    You also have globally open ports for BitComet. This presents a danger to your system and I recommend that you use your firewall to disable them.

    If you choose not to remove them, please do not use any of the programs while we are cleaning. If you do, we will withdraw support.

    You have some very old programs. You should check these and either remove them or be sure they all have the most current updates. They are all from 2001:
    Since the Norton scan wasn't complete, I'd like you to run the following online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    As long as the Backdoor.Losfondup is just in the System Restore, you're okay if you don't use that feature. I will have you set a new clean restore point and drop all of the old restore points when the system is clean.

    Since these problems began several days ago, have you noticed any changes in your system? If yes- are they good or bad and what are they?

    Attach the Kaspersky scan log. Depending on that, I will decide what is the best next step.
  13. Vonlake

    Vonlake TS Rookie Topic Starter

    Hello, took some time to reply.

    I thought I disabled TeaTimer? Also I uninstalled uTorrent and Limewire when I was following the 8-step instructions.

    Bitcomet? I didn't know that I have that one on my computer, I thought I had removed it ages ago.

    About the Norton scan, it was complete, I'm sure. It didn't find any threats on my computer. I'm doing the ESET antivirus scan at the moment, I will attach the log file to my post after it's ready.

    About the changes on my computer, nothing really has happened except Norton does not pop these warning windows anymore, so everything seems to be like normal.

    What is this Kaspersky?

    Edit1: I checked my computer and didn't have Bitcomet installed, and I have no idea how to block those globally open ports.
    Edit2: I've attached the ESET logfile now.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry about that! Kaspersky is another online scan- I inadvertently typed that name in instead of Eset Nod32.

    Okay, Nod found a Trojan Downloader. The Norton scan log that you left said the scan was aborted. Please run a full system scan with Norton, save and attach the new log.

    Also, rescan with HJT and paste new log in next reply.
  15. Vonlake

    Vonlake TS Rookie Topic Starter

    Sorry, took some time to answer

    Ok, I've attached norton scan log and hijackthis log to my post.

    Norton did not find any viruses, and about the trojan that ESET antivirus found, I got a bit worried about it and located the infected file and deleted it manually. Was this not a good thing to do?
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, looks good. Just need you to verify this file due to the different language:
    O9 - Extra button: Lisää tämä blogiin - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    There are two entries like this. Program is okay, just need you to tell me the blog name is okay.

    Has the original problem been resolved? Are you having any continuing problem related to malware? If not, we can start cleaning up:
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    If you need any additional help, please let me know.

    Edit: Forgot to tell you to Empty the Recycle Bin

    Also, check this Domain: O8 - Extra context menu item: Shorten URL -

    I was cleaning up my cookies and saw several for this linking "shopco". If it's not one you've set, have HJT remove it.
  17. Vonlake

    Vonlake TS Rookie Topic Starter

    "O9 - Extra button: Lisää tämä blogiin" means: "Extra button: Add this to blog" in Finnish so I believe it's safe.

    The original problem has gone away I think. Antivirus hasn't found anything and Norton does not spam that pop-up window about that virus.
    I haven't noticed that any of my passwords, which I use on various web sites and online games, have changed or been compromised. Also nothing weird has happened on my computer.

    But anyway I'm very glad that you helped me with this. So thank you very much :)
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for the update. You're very welcome. Let us know if we can help in the future.