Please advise, I think I have infostealer.Gampass hidden in system

By flavor ยท 13 replies
Jun 26, 2008
  1. hi, norton scan showed up infostealer.gampass last week. it deleted 1 but said 1 could not be removed and was in C:/RECYCLER. googled it, which led me to here, went through the spyware,malware removal instructions(steps 1-15 hope i did it right), most of the scans came back clean, couple of .zlob trojans found in adaware, but on the whole nothing much else apart from a few tracking cookies. i have the logs as required. would like someone to check them out to see if i am still infected as it can hide very well apparently so am still worried. thanx in advance.:suspiciou
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
      O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
      O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe
      O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  3. flavor

    flavor TS Rookie Topic Starter

    thanks for replying!

    firstly thank you Blind Dragon for taking the time to take a look at this, greatly appreciated. i have done as you requested and had hijackthis fix the above mentioned entries and done the online scan( i hope, as i'm not really clued up with all things PC) please find log attached. Also i can't open internet explorer, a brief white window 3/4 size of screen flashes onscreen then disappears, (whats that all about?) so had to do scan through firefox and also norton was on. hope this has not affected scan. i'm sorry if i've not followed your instructions accurately. once again thanx and regards, flavor.
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I think your IE issue has to do with Norton - do you know why there was a startup entry telling IE to load when you boot your computer and take you to the norton removal tool webpage?

    Basically the online scan is a 2nd opinion as I did not see much in your logs

    I forgot to mention earlier to empty your recycle bin, but looks like that was done already.

    Kaspersky only shows a false positive on one of the tools we used, so it doesn't see anything left either.

    Once we get your IE worked out I will post instructions for cleaning up and securing your system
  5. flavor

    flavor TS Rookie Topic Starter

    a bit of virus removal background info, useful? i'm not sure

    thanx Blind Dragon. so fingers crossed the virus has gone. i've just found the virus name and location as found by norton scan, i'd jotted down but misplaced, here it is even if it is a bit late-[nod32_patch.exe]inside of[c:\recycler\s-1-5-21-116428450-3983321212-2161338791-1006\dcll.rar]. does that mean norton found it but couldn't delete it because it had already been deleted but was in the place where deleted stuff goes after being emptied from the recycle bin. sorry for not being technical.also if you can put my mind at rest in regards to a site which had manual instructions for removal of infostealer.Gampass. it included rogue registry lines to delete which i did and seemed to work but also some 4 registry lines that showed correct values to compare mine to. 3/4 were as shown but last line had different value. i didn't change my value as i wasn't sure, but this put a doubt in my mind and so with further enquiries have ended up in your expert hands. i have attached page, the line in question is -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0". in my registry the checked value is "1", what should the correct value be please?
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That's just a setting for windows explorer - the registry value will change with your settings

    So if you open windows explorer (double click my computer) or (hold the windows key and press E)

    Go to tools -> Folder Options -> view tab

    depending what you select under show hidden files will change the registry entry between 0 and 1.

  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.


    OTCleanit! by Oldtimer
    • Download OTCleanIt
    • Click the CleanUp! button.
      • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.This is done in Vista through control panel -> windows updates.

    7. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
  8. flavor

    flavor TS Rookie Topic Starter

    once again thanx for taking the time and trouble to help me. i will follow your latest instructions as soon as. so is that goodbye infostealer:haha: and goodbye Blind Dragon:( ? hope not (on the 2nd one only). you are a saviour to all us technological troglodytes. keep up the good work Blind Dragon!:wave:
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hopefully will see you around. Maybe in other sections of the forums

    If you have any more issues with this let me know.


  10. flavor

    flavor TS Rookie Topic Starter

    hi, Blind Dragon, on the virus side of things everything seems fine, multiple scans with various programs show all clear, but internet explorer not loading, not a major problem, as i use firefox unless i a prog/site specifically requires iexplorer, would removing it totally be fine? i could always re-install later couldn't i ? the other thing is i noticed earlier during removal steps somewhere along the line my music folder had emptied, wasn't too bothered as i had backed it up recently and emptied most of it for disk-space saving reasons. but now the dust has settled, went into my pictures folder and same thing has happened, all pics have vanished, luckily a search found quite a few hidden away, but some are still missing, i suppose i should be glad i got most pics(mainly of my kids) back, are all these just unavoidable side effects of purging a system of nasties, or was it something i did wrong? i suppose i should be glad i still have a pc and also should get into the habit of regularly backing up valuable stuff. if you can give me a reason why you think this disappearing act has occurred it would help me in my crash course of understanding all things pc. i know you are very busy helping others, so if and when you get a chance, Blind Dragon, Once again Thank YOU for everything.:grinthumb
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Well, maybe you can help me a little bit now. Where did you find the pictures hidden?

    - the reason I ask is because I don't think it was anything you did - I have suspicion that it was the infection as you are the 2nd person in last 2 days to tell me of this happening with a similar infection. If I can understand exactly what is happening a little better we may be able to correct it and prevent it.
  12. flavor

    flavor TS Rookie Topic Starter

    hi, a few were in my documents\psp8files but most of them were in:- C:\Documents and Settings\myname\Local Settings\Application Data\Ahead\.thumbnails\normal, found through search including hidden folders, but my relief was short lived as i realised these are only thumbnails which when enlarged distort. i suppose i could try to convert thumbnails into normal pics, but that's another problem for another day. browsing techspot, i've come across various similar situations and picture recovery tools mentioned like ZAR and other ways to even recover deleted pics from memory cards( this was where nearly all my pics originated, but according to various posts this depends more on luck) you've already saved me once, what d'ya reckon about getting these pics back, please dont hesitate to ask for more info, thanx and regards Blind Dragon.:confused:
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I will keep trying to figure something out. But we may be out of luck

    I would suggest you invest in an external drive specifically for storing documents/pictures - things that can't be replaced.

    You can get 500 GB for around $100 - that should store 100,000 photos or so
  14. flavor

    flavor TS Rookie Topic Starter

    no worries Blind Dragon, thanx for all the help you've provided so far, look forward to talking to soon somewhere within techspot, regards flavor.:wave:
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...