Trojans and Infostealer.Gampass

Status
Not open for further replies.

brendonj

Hello all. Not too long ago, Norton discovered Infostealer.Gampass on my computer. I was able to quarantine and remove the file, but shortly thereafter, I scanned to find a Trojan Horse in an "Unsupported file" that I never remember downloading. The file is
serial.generator.5.1.updated.exe and is located in C:\recycler\s-1-5-21-148247... the numbers go on and on. I emptied my recycle bin, however it was still there. I am downloading AVG since I am told it surpasses Norton, and I will have a Hijack This log up soon.
In addition to that, I have been having problems with winlogon.exe. I checked my access logs in Norton and lo and behold, it had been accessed by
(www . qzone8 . cn (80)) as Norton put it. I will sometimes get an error message when logging in to my profile in XP that winlogon.exe has experienced an error and must close, and my computer will reboot. This isn't always the case, however, since I am using the computer right now. I assume the registry is messed up. I used google to look at this url (without going on the page of course) and in the summary of the website that is given it said Infostealer.Gampass!
I read the forum post on whether to clean or format, and decided that cleaning would be the better option (if possible).

Please Help!!!
Brendon Johnson
 
Hi brendonj,

Welcome to Techspot!

My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

1)MBAM log
2)SAS log
3)Hijackthis log (last step)

This thread is for the use of brendonj only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Edit: posted at same time - but those errors will go away while we clean, it's just from these
O20 - Winlogon Notify: Fly - C:\WINDOWS\SYSTEM32\smart.dll
O20 - Winlogon Notify: Love - C:\WINDOWS\SYSTEM32\LoveFly.dll
 
I am running MBAM right now. So far, it has only found one infected file. I am downloading SAS and the registry fix that kimsland suggested. I will attach my logs ASAP.

Edit: The tool is saying: Default Gina in use. DLL in use: MSGINA.DLL (standard).
I presume this is good news? The repair option is not available.
 
It will be soon :grinthumb


Edit: Comparison of Norton to SAS: # of tracking cookies found:
Norton: 21
SAS: 90... no wait... 143... keeps going up... 323... 345... 433... 501... 559... 663... 666 (creepy)
 
Not for me. It came with my internet, and that was the only reason I was using it. It's actually a pain to remove! I have to download tools to remove it.
 
Very thorough indeed!
Edit: MBAM scans veeeerrrryyyy veeeerrrrrrrryyyyy slowly. It's been an hour and a half and it's only 128000 files along. Might be a while on those logs.
 
Huh! I forgot to say run CCleaner first, that way it doesn't scan stuff you don't want anyway. Anyway run that still.

Also this:

Clear system restore points

  • Clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.

After that, let me know how the computer is running
Actually restart first
 
Here is the new HJT log. I haven't run CCleaner yet. What should I do about the keylogger? I removed 2 trojans when I scanned using MBAM. Would either of those have been the keylogger?
Edit: I ran CCleaner. It removed 23.7 Mb of stuff! If I need to post a new HJT log because of this, let me know!
 
OTMoveit2 by OldTimer
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\LoveFly.dll
    C:\WINDOWS\system32\smart.dll
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Fly
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Love
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

---------------------------------------------------------------------------

Update your Java Runtime Environment

  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 7), follow the on-screen instructions (uncheck the Yahoo toolbar option)
  • After it installs the newest version, go back to Control Panel -> Add/Remove Programs (Programs and Features in Vista)
  • Uninstall any older versions of Java

--------------------------------------------------------------------------------

After, run me a fresh hijackthis and attach it along with the OTMoveit2! log
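The two O20 lines quoted earlier (Winlogon Notify subkeys "Fly" and "Love" pointing at smart.dll and LoveFly.dll) and the OTMoveIt2 move list above are the same finding seen twice: a DLL registered under Winlogon\Notify is loaded into winlogon.exe at logon, which is why the winlogon.exe crashes stopped once they were removed. The script below is an added example, not code from this thread, HijackThis or OTMoveIt2: it parses HijackThis-style O20 lines from a constructed sample log, flags any Notify subkey whose name is not in an allowlist of stock Windows XP entries (that allowlist is an assumption for illustration; check it against the build you are looking at), and prints the matching DLL path plus registry key in the one-item-per-line form the OTMoveIt2 instructions use.

```python
"""Flag suspicious Winlogon Notify (HijackThis O20) entries and build an
OTMoveIt2-style move list for them. Added example; sample data is constructed."""
import re

# Winlogon Notify subkeys that ship with a stock Windows XP install.
# Assumption for this example: adjust to the exact build being audited.
KNOWN_GOOD_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt"
              r"\currentversion\winlogon\notify")

# HijackThis v2 writes: "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")


def parse_o20(lines):
    """Return a list of (subkey name, dll path) for every O20 Notify line."""
    entries = []
    for line in lines:
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m.group("name").strip(), m.group("dll").strip()))
    return entries


def suspicious_o20(lines, known_good=KNOWN_GOOD_NOTIFY):
    """Entries whose subkey name is not one of the stock Notify handlers."""
    return [(n, d) for n, d in parse_o20(lines) if n not in known_good]


def otmoveit_list(entries):
    """DLL path followed by its registry key, one per line, per flagged entry."""
    out = []
    for name, dll in entries:
        out.append(dll)
        out.append(f"{NOTIFY_KEY}\\{name}")
    return out


# Constructed sample log: the two entries from the thread plus two stock
# XP entries and one unrelated line that the O20 parser must ignore.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2 (constructed sample)
O20 - Winlogon Notify: Fly - C:\\WINDOWS\\SYSTEM32\\smart.dll
O20 - Winlogon Notify: Love - C:\\WINDOWS\\SYSTEM32\\LoveFly.dll
O20 - Winlogon Notify: Schedule - C:\\WINDOWS\\system32\\wlnotify.dll
O20 - Winlogon Notify: wlballoon - C:\\WINDOWS\\system32\\wlnotify.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
""".splitlines()


if __name__ == "__main__":
    flagged = suspicious_o20(SAMPLE_LOG)
    for name, dll in flagged:
        print(f"suspicious Winlogon Notify entry: {name} -> {dll}")
    print("\nOTMoveIt2 move list:")
    print("\n".join(otmoveit_list(flagged)))
```

Matching on the subkey name rather than the DLL path keeps the check simple, but a real audit should also confirm that the DllName of each allowlisted subkey still points into %SystemRoot%\system32 and is signed, since a stock name can be reused to hide a replaced DLL.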
 
Here you go! Thank you so much for spending all of this time!
Edit: I would also like to add that the winlogon error is gone!
 
Thank goodness! I don't think I have the heart to tell my friends, but all of their online game accounts were being stolen and hacked, including mine, which I was able to regain partial control over. They all used my computer. I am uninstalling Norton now and getting AVG internet security. Computer is running slightly slower than usual, but I account that to the uninstalling of Norton. Thanks so much!
Edit: I cannot afford AVG Internet Security, so I was wondering if Zone Alarm is a good firewall program to use. As far as virus protection, I was going to use either Avast! or AVG until I have enough money to get AVG's full version.
 
No I have not, and I downloaded Avast and Zone Alarm. I was doing a boot scan with Avast when it found that damned trojan in lovefly.dll.tmp ...can I delete it? It said it was unable to repair. I also found the trojan in a couple temporary files which is weird seeing as I used CCleaner to empty all of that. I think someone still has access to my computer. When I finish the scan, I guess Zone Alarm will tell me.
Edit: The scan is on hold until I tell it what to do about the lovefly.dll.tmp file
 
I found the comparatives and it appears that Avira did extremely well. I may switch to that after I get the Trojan problem resolved.
 