TechSpot

Infostealer.gampass {VERY NERVOUS} please help

By smitnlit
Mar 31, 2007
  1. This morning I logged on my system and got a High Risk alert from Norton that WON'T even come off my desktop that there is Infostealer.gampass in my
    C:\windows\system32\mpps.dll file
    I followed the tech guidelines and nothing came up in spybot and nothing came up in Antirootkit. I've attached my Hijackthis Log. I have no idea how this got on my system other than an email attachment and suddenly my private email was made public somewhere.
    If anyone could help, I would GREATLY GREATLY appreciate it.
    I'm running Windows XP.
    Maryann
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of smitnlit only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Also, let me know the results of the AVG Antirootkit scan;
    Hi Howard!

The Antirootkit scan came back with nothing and The AVG scan I stopped because the estimated time was 9 hours and I want to try to get this fixed today if possible. What is the combo kit? I don't see that listed in the instructions?
    Did you look at the Hijack logo
    Maryann

    sorry --- "Did you look at the Hijack log?"

    Can you tell I'm panicking?
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, I did look at your HJT log and your system is infected with several nasties, including the Trojan.Downloader-Gen/Win.Process.

    You need to follow the instructions I gave you and post the requested logfiles.

    Regards Howard :)

     
  5. MetalX

    MetalX TechSpot Chancellor Posts: 1,388

    Wait all 9 hours if you need to. Then howard will be able to help you better... and howard is the master of malware removal ;)
     
  6. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Ok Howard. It may be a while before I'm back if that AVG scan takes 9 hours.
    Thanks.
    Maryann
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`m sorry it`s going to take a while, but we really need to make sure we don`t miss anything.

    Regards Howard :)

     
  8. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Howard,
I started the AVG scan yesterday at 2:00 pm. It's now 8:15 am and still seems to be going. I don't want to touch it because it says that it will interrupt it if you touch the keyboard but this is quite a while. Do you think it's idling? It did pick up Win32 Adware Gen in the Startup menu. I'm not sure what that is. Maybe that's what caused the Norton message when I start the computer. Anyways, how long does this scan typically run? It doesn't seem to be doing anything new. It's at the same place it was when I went to sleep yesterday. Nothing new picked up.
    What are your suggestions?
    Maryann
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Something`s not right. Stop it and follow the rest of the instructions. Post a fresh HJT log as well as a Combofix log.

    Regards Howard :)

     
  10. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Ok - Here are the logs
    The message from AVG was
c:\Documents and settings\maryann\start menu\programs\startup\powereg\schedule.exe\ is infected by Win32: adware-gen[adw]
    (not sure if I did powerreg correct or if it is power reg)
    Maryann
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint
    Viewpoint Manager

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ViewMgr.exe
    PowerReg Scheduler.exe
    mppds.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O1 - Hosts: 218.64.72.238 www.jjjjyyyy.com

    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe

    O4 - Startup: PowerReg Scheduler.exe

    O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab

    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

C:\Program Files\Viewpoint <-- Delete the entire folder.
C:\WINDOWS\mppds.exe
PowerReg Scheduler.exe <-- Search your system for this file and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log(if you can).

    Regards Howard :)

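The cleanup instructions above boil down to three kinds of HJT entry: O1 hosts-file redirects, O4 autostart entries pointing at binaries in odd places, and O16 ActiveX downloads. The script below, an added example that is not part of the original thread or of HijackThis itself, applies those same checks to an HJT log so the entries worth fixing stand out before anything is touched. The sample log is constructed from the lines quoted in the thread plus a few benign lines assumed for contrast; the trusted-domain list for ActiveX downloads and the path heuristics are assumptions of this example, not HJT's own rules.

```python
"""Triage a HijackThis (HJT) log: flag O1/O4/O16 entries worth fixing first.

Added example. The heuristics (Windows-root binaries, bare executables in a
Startup folder, non-loopback hosts entries, ActiveX from unknown domains)
are assumptions of this example, not rules HijackThis itself applies.
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: the entries quoted in the thread, plus one benign
# hosts entry, one benign Run entry, one .lnk Startup item and one assumed
# Windows Update ActiveX line (placeholder CLSID) so the filter has things
# to leave alone.
SAMPLE_LOG = """\
O1 - Hosts: 218.64.72.238 www.jjjjyyyy.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\\..\\Run: [mppds] C:\\WINDOWS\\mppds.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Adobe Reader Speed Launch.lnk
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/wuweb_site.cab
"""


@dataclass
class Finding:
    section: str   # O1, O4 or O16
    detail: str    # the log line as written
    severity: str  # "high": fix it; "review": fix unless you installed it on purpose
    reason: str


HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
AUTORUN_RE = re.compile(r"^O4 - (.+?): (?:\[(.*?)\] )?(.+)$")
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
# First token ending in an executable extension; strips quotes and arguments.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|pif|bat|cmd))"?(?=\s|$)', re.I)

# Assumption: ActiveX downloads from these domains are left alone.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def _executable(command: str) -> str:
    m = EXE_RE.match(command)
    return m.group(1) if m else command.strip('"')


def _check_hosts(line: str, m: "re.Match") -> Optional[Finding]:
    ip, host = m.groups()
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return Finding("O1", line, "high", "hosts entry with an unparseable address")
    if addr.is_loopback or addr.is_unspecified:
        return None  # blackholing a host locally is the usual benign use
    return Finding("O1", line, "high", f"hosts file sends {host} to {ip}, bypassing DNS")


def _check_autorun(line: str, m: "re.Match") -> Optional[Finding]:
    key, _name, command = m.groups()
    exe = _executable(command)
    if key in ("Startup", "Global Startup"):
        if exe.lower().endswith(".lnk"):
            return None  # installers drop shortcuts, not binaries, here
        return Finding("O4", line, "review",
                       "executable placed directly in a Startup folder")
    directory = ntpath.normcase(ntpath.dirname(exe))
    if directory in (r"c:\windows", r"c:\winnt"):
        return Finding("O4", line, "high",
                       "autostart binary dropped in the root of the Windows directory")
    if "\\temp" in directory or directory.startswith(r"c:\documents and settings"):
        return Finding("O4", line, "high",
                       "autostart binary running from a user profile or temp directory")
    return None


def _check_dpf(line: str, m: "re.Match") -> Optional[Finding]:
    _clsid, name, url = m.groups()
    host = (urlparse(url).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES):
        return None
    return Finding("O16", line, "review",
                   f"ActiveX control '{name}' fetched from {host}; remove unless installed deliberately")


CHECKS = ((HOSTS_RE, _check_hosts), (AUTORUN_RE, _check_autorun), (DPF_RE, _check_dpf))


def triage(log_text: str) -> List[Finding]:
    """Return the flagged entries of an HJT log, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                finding = check(line, m)
                if finding:
                    findings.append(finding)
                break
    return findings


def high_risk(log_text: str) -> List[Finding]:
    return [f for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}\n         {f.reason}")
```

On the sample the script flags exactly the five entries Howard had fixed (the hosts redirect, the mppds Run key, the PowerReg Startup executable and the two third-party ActiveX downloads) and leaves the loopback hosts entry, the AVG Run key, the .lnk shortcut and the Microsoft download alone. Treat the "review" items as prompts to check what installed them, not as automatic deletions.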
     
  12. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Howard,
    In case I haven't said it, THANK YOU VERY MUCH!! I really appreciate all your help. :giddy:
    Here is the new log for HJT. I couldn't find
O1 - Hosts: 218
O4 - HKLM\... Run [mppds]
    but was able to delete the other three
    Also, I could not find mppds.exe
    I did find Power Register on an EXTERNAL hard drive I have connected, and I deleted it.

    I think this came in in the past week. I had a private email that suddenly became public this past week and I got email from EVERYWHERE. I'm going to have to make some changes to my email accounts. Unfortunately, I get attachments all day long that I have to open. Do you have any recommendations?

    Here is my HJT log.
    Maryann

By the way. AVG is finding the adware WITHIN Hijack This??? Anyways, when it detected it, I deleted it. Not sure if that was the correct thing to do. It says Current Scanner Status: Infected
    Once it found the adware INSIDE Hijack this.

Howard I finally got a scan of my whole system for you with the antivirus program. I don't know where to find the .log file to post though. It did find 24 adware things and deleted all of them.
    Maryann
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`m sorry for the delay in getting back to you.

    Please can you post a fresh HJT log and an AVG antispyware log.

    Regards Howard :)

     
  14. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Hi Howard,
I did get the AVG to work-BOY that's good software. I am going to have to pay to keep it. It blows Norton away.
    I THINK this is what you are looking for (WARNING.log)
    It said it was able to DELETE all the infected files 24 to be exact.
    Maryann
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

What programme did you use to get the log file you posted, because that`s not an AVG Antispyware log. See the instructions HERE.

    Regards Howard :)

     
  16. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Sorry, I'm all confused. That was the AVAST program results. I'm running the other one now.
    Maryann
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    lol, I see now.

    Don`t forget to attach a fresh HJT log after you`ve finished the AVG Antispyware scan.

    Regards Howard :)

     
  18. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

Wow, I think I need to switch over to all these recommended programs for good.
    Here are the reports you asked for. It did pick up stuff. Two HIGH alert things.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All items in your AVG Antispyware log say "No Action Taken". That`s because you didn`t tell AVG Antispyware to quarantine the results. See HERE for instructions.

    Your HJT log is clean.

    However, it appears you`re still running some bits of Symantec/Norton. See this post HERE for instuctions on how to remove Symantec/Norton.

    Post a fresh HJT log as well as another AVG Antispyware log, once done.

    Regards Howard :)

     
  20. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Ahhh...ok. So you think I should get rid of ALL of Norton? It does other things too though other than the virus protection. Here are my logs.
    I'm sooo impressed with the virus program though that was recommended here.
    Maryann
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete the following bold File.

    J:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp

    Then, delete all files in AVG Antispyware quarantine.

Yes, I think you should get rid of Norton. It`s a real resource hog and isn`t that good at killing viruses either. Post a fresh HJT log once you`ve got rid of Norton.

    Regards Howard :)

     
  22. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Then, delete all files in AVG Antispyware quarantine.
    I thought I did that already. All actions have already been applied.
    If not, How do I delete them. I'm getting more confused.
    Maryann
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run AVG Antispyware and click on the infections button. Click the select all button, followed by the finally remove button.

    Regards Howard :)

     
  24. smitnlit

    smitnlit TS Rookie Topic Starter Posts: 25

    Hey Howard! RU around today?
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes mate, I`m still around.

    What seems to be the problem?

    Regards Howard :)

     