Pls Help : Repeated infostealer.gampass alerts by NIS 2005

[Nishoe]

Hi there,
I started receiving a Norton Alert with the following content:
Virus Alert
High Risk
Norton Antivirus has detected and removed a virus from your computer.
Object Name: C:\Document~1\....\Locals~\temp\ms.exe
Virus Name Infostealer.Gampass
Action Taken: The file was automatically deleted.

Though NIS deletes the virus it keeps dropping in over and over again. I have noticed that the alert shows up only when I am the online mode of IE. Is it incidental? I don't know.
I have IE version 6.0.2900.2180.xpsp_sp2_rtm.040803-2158

I also the online system check from symantec which did not detect any inappropriate object. I have also run Ashampoo Antispyware and cleared everything.

Yet the alert's there everytime I use IE, popping up every 30 seconds or so. I can use Firefox and Opera without any problems.

 

[howard_hopkinso]

Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of Nishoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sghiznaneck]

You may have paid for Norton, and your subscription may still be valid, BUT my suggestion is to drop it. I was an avid Norton subscriber for many years, but over the past 5 months, I dropped it and downloaded Avast anti virus software and Comodo firewall. I tried AVG, but it conflicted with my system and appeared to lock up on startup.

 

[Nishoe]

Hey howard and sghizneneck,
Thanks for your replies...
Howard, I will do the things you want me to. I just did a HJT log and am attaching it.
I really don't want to uninstall NIS unless you strongly advise me to coz I have had it's protection for ages without much hassles... only until now hehehe
Thanks a lot.

 

[howard_hopkinso]

Your system has a very nice collection of malware, which needs to be got rid of.

Follow the instructions I gave you and post the requested log files, once done.

Regards Howard

This thread is for the use of Nishoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Nishoe]

Hehehe.... Thanks for letting me know and in a humorous way...
I'll give you the logs in a day or so since the list of the things I have to do is immense. And besides, I have a slow dial-up internet.
Thanks again.... will get back.

Hey Howard,
Hasn't Ad-aware personal edition been discontinued momentarily?
Is there anything I should do instead of using ad-aware?
Thanks for your help, Howard.

Another problem howard.
The spybot download does not complete. I tried with firefox and bitcomet... both say download complete and stop after a while without actually having completed the download. The filesize is also much smaller than it should be.
I tried 4 mirrors without any avail.
What do I do?
Thanks.

Dear Howard,
I am just before the "boot to safe mode" stage and here are the 2 logs.
Thanks again and again....

 

[howard_hopkinso]

Ad-Aware se personal is still very much available.

Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'ldmedia3.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Audio Adapter (VGADown)

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

avp.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKCU\..\Policies\Explorer\Run: [333] C:\Syswm1h\svchost.exe

O4 - HKCU\..\Policies\Explorer\Run: [tx] C:\SysTx1\svchost.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O10 - Unknown file in Winsock LSP: c:\windows\system32\ldmedia3.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\ldmedia3.dll

O23 - Service: Audio Adapter (VGADown) - Unknown owner - C:\WINDOWS\avp.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\avp.exe
c:\windows\system32\ldmedia3.dll
C:\SysTx1<Delete the entire folder.
C:\Syswm1h<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Try downloading and running Ad_Aware se and SS&D again.

Post a fresh HJT log.

Regards Howard

This thread is for the use of Nishoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Nishoe]

Hi,
I have done everything you mentioned. And the problem was resolved before I followed your last post. The previous instructions activated the windows firewall and left norton firewall disabled. I think this was the solution.
However, I continued with the instructions in the last step too. Most of the files and keys you asked to delete or fix weren't there already.
Thanks a lot Howard....
I appreciate everything you have done to help me.
Cheers!

 

[howard_hopkinso]

No problem mate.

I`d still like to see a fresh HJT log, just to make sure it`s clean.

Regards Howard

This thread is for the use of Nishoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Nishoe]

Thanks Howard

Hi again,
Here is the hijackthis log.
I was wondering if I should still uninstall norton and use AVG and zone alarm instead. I didn't try turning norton firewall back on and disabling windows firewall. I must say I am curious, though. What do you think... is it worth it to quench my curiosity? hehehe
Thanks again for all your help Howard.
Cheers! :haha:
Nishoe

 

[howard_hopkinso]

Your HJT log is clean.

I recommend you get rid of Symantec/Norton and use a different firewall/antivirus programme.

See this post HERE for Symantec/Norton removal.

Here`s a list of programme I recommend, some of which you already have.

AVG free or Avast antivirus programmes.

Zonealarm or Kerio free firewall programmes.

Spybot Search & Destroy.

Ad-Aware se personal.

Spyware Blaster.

AVG Antispyware.

Ccleaner.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of Nishoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Nishoe]

Hello Howard,
Hope you are doing good. After a bit of thinking I have decided to leave Norton behind and explore one of your recommendations. But I am unsure which to choose from the pair of antiviruses and firewalls you've mentioned.
What do I install from AVG free and Avast, and ZoneAlarm and Kerios?
And is Kerios available now?
Cheers!

 

[howard_hopkinso]

Personally, I use AVG free and Zonealarm and have had no problems whatsoever.

However, Avast and kerio are both very good programmes. It really is down to personal preference.

Whatever you choose, it`s going to be better than that resource hogging Symantec/Norton crap.

Regards Howard

This thread is for the use of Nishoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.