Trojans and Infostealer.Gampass

By brendonj · 29 replies
Aug 4, 2008
  1. Hello all. Not too long ago, Norton discovered Infostealer.Gampass on my computer. I was able to quarantine and remove the file, but shortly thereafter, I scanned to find a Trojan Horse in an "Unsupported file" that I never remember downloading. The file is
    serial.generator.5.1.updated.exe and is located in C:\recycler\s-1-5-21-148247... the numbers go on and on. I emptied my recycle bin; however, it was still there. I am downloading AVG since I am told it surpasses Norton, and I will have a HijackThis log up soon.
    In addition to that, I have been having problems with winlogon.exe. I checked my access logs in Norton and lo and behold, it had been accessed by
    (www . qzone8 . cn (80)) as Norton put it. I will sometimes get an error message when logging in to my profile in XP that winlogon.exe has experienced an error and must close, and my computer will reboot. This isn't always the case, however, since I am using the computer right now. I assume the registry is messed up. I used google to look at this url (without going on the page of course) and in the summary of the website that is given it said Infostealer.Gampass!
    I read the forum post on whether to clean or format, and decided that cleaning would be the better option (if possible).

    Please Help!!!
    Brendon Johnson
  2. brendonj

    brendonj TS Rookie Topic Starter

    Here is my log, hope it clears something up!
  3. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Check the Shell value for Winlogon in your registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    should show:

    Shell REG_SZ explorer.exe

    Or download this tool:
    This utility checks for the correct GINA value in the Registry and will allow you to restore it, if it's incorrect.

    Also have a look at:

    New Preliminary Removal Instructions
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi brendonj,

    Welcome to Techspot!

    My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)MBAM log
    2)SAS log
    3)Hijackthis log (last step)

    This thread is for the use of brendonj only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

    Edit: posted at the same time - but those errors will go away while we clean; it's just from these:
    O20 - Winlogon Notify: Fly - C:\WINDOWS\SYSTEM32\smart.dll
    O20 - Winlogon Notify: Love - C:\WINDOWS\SYSTEM32\LoveFly.dll
  5. brendonj

    brendonj TS Rookie Topic Starter

    I am running MBAM right now. So far, it has only found one infected file. I am downloading SAS and the registry fix that kimsland suggested. I will attach my logs ASAP.

    Edit: The tool is saying: Default Gina in use. DLL in use: MSGINA.DLL (standard).
    I presume this is good news? The repair option is not available.
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I hope Norton is all gone too ;)
  7. brendonj

    brendonj TS Rookie Topic Starter

    It will be soon :grinthumb

    Edit: Comparison of Norton to SAS: # of tracking cookies found:
    Norton: 21
    SAS: 90... no wait... 143... keeps going up... 323... 345... 433... 501... 559... 663... 666 (creepy)
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    And Norton is pay for :confused:

    I'd pay to remove it :)
  9. brendonj

    brendonj TS Rookie Topic Starter

    Not for me. It came with my internet, and that was the only reason I was using it. It's actually a pain to remove! I have to download tools to remove it.
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

  11. brendonj

    brendonj TS Rookie Topic Starter

    Very thorough indeed!
    Edit: MBAM scans veeeerrrryyyy veeeerrrrrrrryyyyy slowly. It's been an hour and a half and it's only 128,000 files along. Might be a while on those logs.
  12. brendonj

    brendonj TS Rookie Topic Starter

    Logs, get your logs here!
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Huh! I forgot to say run CCleaner first; that way it doesn't scan stuff you don't want anyway. Anyway, run that still.

    Also this:

    Clear system restore points

    • Clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

    After that, let me know how the computer is running
    Actually restart first
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    By the way you are infected with a keylogger - used for stealing passwords
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    It may be a good idea to do another HJT Log
    Hopefully BD has time to check it if you do :)
  16. brendonj

    brendonj TS Rookie Topic Starter

    Here is the new HJT log. I haven't run CCleaner yet. What should I do about the keylogger? I removed 2 trojans when I scanned using MBAM. Would either of those have been the keylogger?
    Edit: I ran CCleaner. It removed 23.7 MB of stuff! If I need to post a new HJT log because of this, let me know!
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OTMoveit2 by OldTimer
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Fly
      HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Love
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Update your Java Runtime Environment

    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 7) Follow the on screen instructions (uncheck the yahoo toolbar option)
    • After it installs the newest version Go back to Control Panel -> Add/remove programs (programs and features in vista)
    • Uninstall any older versions of Java


    After, run me a fresh hijackthis and attach it along with the OTMoveit2! log
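
    The two checks that kimsland and Blind Dragon asked for above (the Winlogon Shell value, and the Winlogon Notify subkeys that the O20 lines point at) can be done from an elevated PowerShell prompt instead of regedit or OTMoveIt2. The block below is an added example and is not part of the thread, of OTMoveIt2 or of the GINA tool; the subkey names Fly and Love come from the HijackThis log earlier in the thread, while the expected Shell/Userinit values, the function names and the PowerShell 3-or-later syntax are this example's own assumptions. On a 32-bit XP box the Notify key also holds legitimate entries (crypt32chain, cscdll, Schedule and similar), so the point is to inspect the list, not to empty it.

```powershell
# Added example: audit the Winlogon values this thread checks (Shell, Userinit,
# Notify subkeys) and remove named Notify subkeys. Run elevated on the affected
# machine. Expected values and function names are assumptions of this example.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# What a clean system carries in these values. Userinit keeps its trailing comma.
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Test-WinlogonValues {
    # Returns $true only if every checked value matches; mismatches are warned.
    $props = Get-ItemProperty -Path $Winlogon
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        if ($actual -ne $Expected[$name]) {      # -ne is case-insensitive
            Write-Warning "Winlogon\$name is '$actual' (expected '$($Expected[$name])')"
            $ok = $false
        }
    }
    return $ok
}

function Get-WinlogonNotify {
    # One object per Notify subkey: the DLL it loads into winlogon.exe, whether
    # the file exists, and its Authenticode status. Legitimate Windows DLLs are
    # usually catalog-signed and can show NotSigned on older PowerShell, so the
    # signature column is a hint; an unsigned DLL with an odd name (smart.dll,
    # LoveFly.dll) that lives in System32 is what to look at.
    $notify = Join-Path $Winlogon 'Notify'
    if (-not (Test-Path $notify)) { return }     # key is absent on Vista and later
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll  = (Get-ItemProperty -Path $_.PSPath).DLLName
        $path = $null
        if ($dll) {
            # DLLName is often bare (no directory); Winlogon resolves it from System32.
            $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\system32" $dll }
        }
        $exists = [bool]($path -and (Test-Path $path))
        [pscustomobject]@{
            Name      = $_.PSChildName
            DLLName   = $dll
            Exists    = $exists
            Signature = if ($exists) { (Get-AuthenticodeSignature $path).Status } else { 'n/a' }
        }
    }
}

function Remove-WinlogonNotify {
    # Deletes the named Notify subkeys. This only stops the DLL from being loaded
    # at the next logon; the DLL file itself, which winlogon.exe may still hold
    # open, is deleted separately after a reboot.
    param([Parameter(Mandatory = $true)][string[]]$Names)
    foreach ($n in $Names) {
        $key = Join-Path $Winlogon "Notify\$n"
        if (Test-Path $key) {
            Remove-Item -Path $key -Recurse -Force
            Write-Output "Removed $key"
        } else {
            Write-Output "Not present: $key"
        }
    }
}

Test-WinlogonValues
Get-WinlogonNotify | Format-Table -AutoSize
# Remove-WinlogonNotify -Names 'Fly', 'Love'   # run once you have confirmed these are the bad entries
```

    Removing the Notify subkeys is the same change OTMoveIt2 makes with the two registry paths pasted above; it clears the load point, and the winlogon.exe crash at logon stops once the DLLs are no longer loaded into it. The DLL files under System32 still have to be deleted afterwards, which is why a later boot-time scan can still find them.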
  18. brendonj

    brendonj TS Rookie Topic Starter

    Here you go! Thank you so much for spending all of this time!
    Edit: I would also like to add that the winlogon error is gone!
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Damn files are gone at last :)

    How's the computer running?

    Also the AVG?
  20. brendonj

    brendonj TS Rookie Topic Starter

    Thank goodness! I don't think I have the heart to tell my friends, but all of their online game accounts were being stolen and hacked, including mine, which I was able to regain partial control over. They all used my computer. I am uninstalling Norton now and getting AVG internet security. Computer is running slightly slower than usual, but I account that to the uninstalling of Norton. Thanks so much!
    Edit: I cannot afford AVG Internet Security, so I was wondering if Zone Alarm is a good firewall program to use. As far as virus protection, I was going to use either Avast! or AVG until I have enough money to get AVG's full version.
  21. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    AVG internet security ? Oh !

    I thought you just meant AVG Free

    I don't like Internet Securities much anymore

    The firewall can be ZoneAlarm Free

    Actually I'm aware that BlindDragon likes Avira free Antivirus

    Have you actually purchased AVG IS ?
  22. brendonj

    brendonj TS Rookie Topic Starter

    No, I have not, and I downloaded Avast and Zone Alarm. I was doing a boot scan with Avast when it found that damned trojan in lovefly.dll.tmp ...can I delete it? It said it was unable to repair. I also found the trojan in a couple of temporary files, which is weird seeing as I used CCleaner to empty all of that. I think someone still has access to my computer. When I finish the scan, I guess Zone Alarm will tell me.
    Edit: The scan is on hold until I tell it what to do about the lovefly.dll.tmp file
  23. brendonj

    brendonj TS Rookie Topic Starter

    I found the comparatives and it appears that Avira did extremely well. I may switch to that after I get the Trojan problem resolved.
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Yes, delete all instances of it.
  25. brendonj

    brendonj TS Rookie Topic Starter

    I missed it the first time, so I'm scanning it again. Will you take a look at new logs afterwards?