Please advise, I think I have infostealer.Gampass hidden in system

Status
Not open for further replies.

flavor

hi, Norton scan showed up Infostealer.Gampass last week. It deleted 1 but said 1 could not be removed and was in C:/RECYCLER. Googled it, which led me to here; went through the spyware/malware removal instructions (steps 1-15, hope I did it right). Most of the scans came back clean, a couple of Zlob trojans found in Ad-Aware, but on the whole nothing much else apart from a few tracking cookies. I have the logs as required. Would like someone to check them out to see if I am still infected, as it can hide very well apparently, so am still worried. Thanks in advance.
 
Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...0000049.000000b9&c=00000082.00000049.000000d4
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

-----------------------------------------------------------------------------------

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply
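As an added example (not from this thread and not part of HijackThis itself), a small Python triage of a HijackThis log that flags the same kinds of entries picked out above: O2/O3/O9 entries whose target file is missing, and O4 autostart entries that launch a browser to a URL or carry no name. The log excerpt is constructed; the second CLSID, the helper path and the URL are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed HijackThis-style log excerpt modelled on the entries quoted in
# this thread. The second CLSID, the helper path and the URL are made up.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://placeholder.example/removal-tool
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

ORPHAN_SECTIONS = {"O2", "O3", "O9"}   # registered components that should have a file on disk
STARTUP_SECTIONS = {"O4"}              # Run/RunOnce autostart entries
BROWSERS = ("iexplore.exe", "firefox.exe", "opera.exe")


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def triage_hjt_log(text):
    """Return the log entries a helper would normally ask to have fixed."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        if section in ORPHAN_SECTIONS and body.endswith("(no file)"):
            findings.append(Finding(section, "orphaned entry: registered component has no file on disk", line))
        elif section in STARTUP_SECTIONS:
            # body looks like 'HKCU\..\RunOnce: [name] command'; keep the command part
            cmd = body.split(": ", 1)[-1]
            lower = cmd.lower()
            if any(b in lower for b in BROWSERS) and "http" in lower:
                findings.append(Finding(section, "autostart launches a browser to a URL", line))
            elif cmd.startswith("[]"):
                findings.append(Finding(section, "autostart entry with no name", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```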
 
thanks for replying!

Firstly, thank you Blind Dragon for taking the time to take a look at this, greatly appreciated. I have done as you requested and had HijackThis fix the above mentioned entries and done the online scan (I hope, as I'm not really clued up with all things PC). Please find log attached. Also I can't open Internet Explorer: a brief white window 3/4 the size of the screen flashes onscreen then disappears (what's that all about?), so had to do the scan through Firefox, and also Norton was on. Hope this has not affected the scan. I'm sorry if I've not followed your instructions accurately. Once again thanks and regards, flavor.
 
I think your IE issue has to do with Norton - do you know why there was a startup entry telling IE to load when you boot your computer and take you to the Norton removal tool webpage?

Basically the online scan is a 2nd opinion as I did not see much in your logs

I forgot to mention earlier to empty your recycle bin, but looks like that was done already.

Kaspersky only shows a false positive on one of the tools we used, so it doesn't see anything left either.

Once we get your IE worked out I will post instructions for cleaning up and securing your system
 
A bit of virus removal background info, useful? I'm not sure

Thanks Blind Dragon. So fingers crossed the virus has gone. I've just found the virus name and location as found by the Norton scan, which I'd jotted down but misplaced; here it is even if it is a bit late: [nod32_patch.exe] inside of [c:\recycler\s-1-5-21-116428450-3983321212-2161338791-1006\dcll.rar]. Does that mean Norton found it but couldn't delete it because it had already been deleted but was in the place where deleted stuff goes after being emptied from the recycle bin? Sorry for not being technical. Also, if you can put my mind at rest in regards to a site which had manual instructions for removal of Infostealer.Gampass. It included rogue registry lines to delete, which I did and seemed to work, but also some 4 registry lines that showed correct values to compare mine to. 3/4 were as shown but the last line had a different value. I didn't change my value as I wasn't sure, but this put a doubt in my mind and so with further enquiries have ended up in your expert hands. I have attached the page; the line in question is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0". In my registry the CheckedValue is "1". What should the correct value be please?
 
That's just a setting for windows explorer - the registry value will change with your settings

So if you open windows explorer (double click my computer) or (hold the windows key and press E)

Go to tools -> Folder Options -> view tab

Depending on what you select under Show hidden files, the registry entry will change between 0 and 1.

[image: showhiddenfileskh0.jpg]
 
Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

OTCleanit! by Oldtimer
  • Download OTCleanIt
  • Click the CleanUp! button.
    • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

---------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This is done in Vista through Control Panel -> Windows Updates.


  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
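As an added example (not from this thread or from any of the tools it names), a small Python audit of the Internet Explorer Internet-zone settings that step 2 above asks you to change, run over a `reg export` of the zone key. It assumes, from Microsoft's documentation of the security-zone registry layout, that the Internet zone is `Zones\3` under `HKCU\...\Internet Settings`, that the value names 1001, 1004, 1201, 1800, 1804 and 1607 correspond to the six settings listed in step 2, and that 0/1/3 mean Enable/Prompt/Disable; the .reg excerpt is constructed.

```python
import re

# Constructed excerpt of a `reg export` of the Internet zone key (zone 3);
# not taken from any real machine.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000001
"""

# Zone action states: higher is stricter.
ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value names under Zones\3 are the URLACTION ids (assumed from Microsoft's
# documentation of the zone registry layout); target states come from step 2.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {value_name: int} for the DWORD values in a .reg export excerpt."""
    values = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_internet_zone(values):
    """List settings that are absent or weaker than the recommended state.
    Returns (value_name, description, current, recommended) tuples."""
    findings = []
    for name, (desc, want) in RECOMMENDED.items():
        have = values.get(name)
        if have is None or have < want:
            cur = "not set" if have is None else STATE.get(have, str(have))
            findings.append((name, desc, cur, STATE[want]))
    return findings


if __name__ == "__main__":
    for name, desc, cur, want in audit_internet_zone(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{name} {desc}: is {cur}, should be {want}")
```

A setting already stricter than recommended (Disable where Prompt is asked for) is not reported, since the thread's goal is a minimum, not an exact match.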
 
Once again thanks for taking the time and trouble to help me. I will follow your latest instructions as soon as I can. So is that goodbye Infostealer and goodbye Blind Dragon? Hope not (on the 2nd one only). You are a saviour to all us technological troglodytes. Keep up the good work Blind Dragon!
 
Hopefully will see you around. Maybe in other sections of the forums

If you have any more issues with this let me know.

Regards,

BD
 
Hi Blind Dragon, on the virus side of things everything seems fine, multiple scans with various programs show all clear, but Internet Explorer is not loading. Not a major problem, as I use Firefox unless a prog/site specifically requires iexplorer. Would removing it totally be fine? I could always re-install later, couldn't I? The other thing is I noticed earlier during the removal steps, somewhere along the line, my music folder had emptied. Wasn't too bothered as I had backed it up recently and emptied most of it for disk-space saving reasons. But now the dust has settled, went into my pictures folder and the same thing has happened, all pics have vanished. Luckily a search found quite a few hidden away, but some are still missing. I suppose I should be glad I got most pics (mainly of my kids) back. Are all these just unavoidable side effects of purging a system of nasties, or was it something I did wrong? I suppose I should be glad I still have a PC and also should get into the habit of regularly backing up valuable stuff. If you can give me a reason why you think this disappearing act has occurred it would help me in my crash course of understanding all things PC. I know you are very busy helping others, so if and when you get a chance, Blind Dragon. Once again, thank YOU for everything.
 
Well, maybe you can help me a little bit now. Where did you find the pictures hidden?

- the reason I ask is because I don't think it was anything you did - I have a suspicion that it was the infection, as you are the 2nd person in the last 2 days to tell me of this happening with a similar infection. If I can understand exactly what is happening a little better we may be able to correct it and prevent it.
 
Hi, a few were in My Documents\psp8files but most of them were in: C:\Documents and Settings\myname\Local Settings\Application Data\Ahead\.thumbnails\normal, found through search including hidden folders, but my relief was short lived as I realised these are only thumbnails, which distort when enlarged. I suppose I could try to convert thumbnails into normal pics, but that's another problem for another day. Browsing TechSpot, I've come across various similar situations and picture recovery tools mentioned like ZAR and other ways to even recover deleted pics from memory cards (this was where nearly all my pics originated, but according to various posts this depends more on luck). You've already saved me once; what d'ya reckon about getting these pics back? Please don't hesitate to ask for more info. Thanks and regards Blind Dragon.
 
No worries Blind Dragon, thanks for all the help you've provided so far. Look forward to talking to you soon somewhere within TechSpot. Regards, flavor.
 