TechSpot

Pls Help : Repeated infostealer.gampass alerts by NIS 2005

By Nishoe
Mar 24, 2007
  1. Hi there,
    I started receiving a Norton Alert with the following content:
    Virus Alert
    High Risk
    Norton Antivirus has detected and removed a virus from your computer.
    Object Name: C:\Document~1\....\Locals~\temp\ms.exe
    Virus Name Infostealer.Gampass
    Action Taken: The file was automatically deleted.

    Though NIS deletes the virus it keeps dropping in over and over again. I have noticed that the alert shows up only when I am in the online mode of IE. Is it incidental? I don't know.
    I have IE version 6.0.2900.2180.xpsp_sp2_rtm.040803-2158

    I also ran the online system check from Symantec which did not detect any inappropriate object. I have also run Ashampoo Antispyware and cleared everything.

    Yet the alert's there every time I use IE, popping up every 30 seconds or so. I can use Firefox and Opera without any problems.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of Nishoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. sghiznaneck

    sghiznaneck TS Maniac Posts: 403

    You may have paid for Norton, and your subscription may still be valid, BUT my suggestion is to drop it. I was an avid Norton subscriber for many years, but over the past 5 months, I dropped it and downloaded Avast anti virus software and Comodo firewall. I tried AVG, but it conflicted with my system and appeared to lock up on startup.
     
  4. Nishoe

    Nishoe TS Rookie Topic Starter

    Hey howard and sghiznaneck,
    Thanks for your replies...
    Howard, I will do the things you want me to. I just did a HJT log and am attaching it.
    I really don't want to uninstall NIS unless you strongly advise me to coz I have had its protection for ages without much hassles... only until now hehehe
    Thanks a lot.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system has a very nice collection of malware, which needs to be got rid of.

    Follow the instructions I gave you and post the requested log files, once done.

    Regards Howard :)

     
  6. Nishoe

    Nishoe TS Rookie Topic Starter

    Hehehe.... Thanks for letting me know and in a humorous way...
    I'll give you the logs in a day or so since the list of the things I have to do is immense. And besides, I have a slow dial-up internet.
    Thanks again.... will get back.

    Hey Howard,
    Hasn't Ad-aware personal edition been discontinued momentarily?
    Is there anything I should do instead of using ad-aware?
    Thanks for your help, Howard.

    Another problem howard.
    The spybot download does not complete. I tried with firefox and bitcomet... both say download complete and stop after a while without actually having completed the download. The filesize is also much smaller than it should be.
    I tried 4 mirrors without any avail.
    What do I do?
    Thanks.

    Dear Howard,
    I am just before the "boot to safe mode" stage and here are the 2 logs.
    Thanks again and again.... :)
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ad-Aware se personal is still very much available.

    Download LSPFix from http://cexx.org/lspfix.htm
    1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
    2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
    3. Check the "I know what I am doing" checkbox.
    4. Select (highlight) all instances of 'ldmedia3.dll' in the left column under "Keep".
    5. Click the arrow >> so it goes over to the right column under "Remove".
    6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
    7. Restart your computer

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Audio Adapter (VGADown)

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    avp.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKCU\..\Policies\Explorer\Run: [333] C:\Syswm1h\svchost.exe

    O4 - HKCU\..\Policies\Explorer\Run: [tx] C:\SysTx1\svchost.exe

    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

    O10 - Unknown file in Winsock LSP: c:\windows\system32\ldmedia3.dll

    O10 - Unknown file in Winsock LSP: c:\windows\system32\ldmedia3.dll

    O23 - Service: Audio Adapter (VGADown) - Unknown owner - C:\WINDOWS\avp.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\avp.exe
    c:\windows\system32\ldmedia3.dll
    C:\SysTx1 (delete the entire folder)
    C:\Syswm1h (delete the entire folder)

    Reboot into normal mode and rehide your protected OS files.

    Try downloading and running Ad-Aware se and SS&D again.

    Post a fresh HJT log.

    Regards Howard :)

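An added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over HijackThis log lines that flags the same kinds of entries selected for fixing in the post above. The rule set, the `triage` function and the two `ExampleApp` lines are assumptions constructed for illustration; the other sample lines are the ones quoted in the post.

```python
import re

# Lines quoted in the post above, plus two benign entries constructed for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Policies\Explorer\Run: [333] C:\Syswm1h\svchost.exe
O4 - HKCU\..\Policies\Explorer\Run: [tx] C:\SysTx1\svchost.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldmedia3.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldmedia3.dll
O23 - Service: Audio Adapter (VGADown) - Unknown owner - C:\WINDOWS\avp.exe
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\ExampleApp\svc.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
SYSTEM_NAMES = {"svchost.exe"}  # assumption: names expected only under system32

def triage(log_text):
    """Return de-duplicated (section, reason, detail) findings for an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else ""
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if section == "O2" and body.endswith("(no file)"):
            reasons.append("BHO registered but its file is missing")
        if section == "O4" and "\\Policies\\Explorer\\Run" in body:
            reasons.append("autostart via Policies\\Explorer\\Run")
        if name in SYSTEM_NAMES and "\\system32\\" not in path.lower():
            reasons.append("system binary name outside system32")
        if section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            reasons.append("unrecognised Winsock LSP provider")
        if section == "O23" and " - Unknown owner - " in body:
            reasons.append("service with unknown owner")
        for reason in reasons:
            item = (section, reason, path or body)
            if item not in findings:
                findings.append(item)
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:40} {detail}")
```

A flagged line is a prompt for manual review, not a verdict; the duplicated O10 entry is reported once.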
     
  8. Nishoe

    Nishoe TS Rookie Topic Starter

    Hi,
    I have done everything you mentioned. And the problem was resolved before I followed your last post. The previous instructions activated the windows firewall and left norton firewall disabled. I think this was the solution.
    However, I continued with the instructions in the last step too. Most of the files and keys you asked to delete or fix weren't there already.
    Thanks a lot Howard....
    I appreciate everything you have done to help me.
    Cheers!
    :)
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem mate.

    I`d still like to see a fresh HJT log, just to make sure it`s clean.

    Regards Howard :)

     
  10. Nishoe

    Nishoe TS Rookie Topic Starter

    Thanks Howard

    Hi again,
    Here is the hijackthis log.
    I was wondering if I should still uninstall norton and use AVG and zone alarm instead. I didn't try turning norton firewall back on and disabling windows firewall. I must say I am curious, though. What do you think... is it worth it to quench my curiosity? hehehe
    Thanks again for all your help Howard.
    Cheers! :haha:
    Nishoe
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    I recommend you get rid of Symantec/Norton and use a different firewall/antivirus programme.

    See this post HERE for Symantec/Norton removal.

    Here's a list of programmes I recommend, some of which you already have.

    AVG free or Avast antivirus programmes.

    Zonealarm or Kerio free firewall programmes.

    Spybot Search & Destroy.

    Ad-Aware se personal.

    Spyware Blaster.

    AVG Antispyware.

    Ccleaner.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  12. Nishoe

    Nishoe TS Rookie Topic Starter

    Hello Howard,
    Hope you are doing good. After a bit of thinking I have decided to leave Norton behind and explore one of your recommendations. But I am unsure which to choose from the pair of antiviruses and firewalls you've mentioned.
    What do I install from AVG free and Avast, and ZoneAlarm and Kerio?
    And is Kerio available now?
    Cheers! :)
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Personally, I use AVG free and Zonealarm and have had no problems whatsoever.

    However, Avast and kerio are both very good programmes. It really is down to personal preference.

    Whatever you choose, it`s going to be better than that resource hogging Symantec/Norton crap.

    Regards Howard :)

     