Infostealer.Gampass problem!

Discussion in 'Malware Help (A Specialist Will Reply)' started by cocoharley, Dec 21, 2007.

  1. cocoharley

    cocoharley Private E-2

    I have a HUGE problem. My computer was infected with Infostealer.gampass about two weeks ago and the situation has gotten worse as I tried different ways (different malware removal programs and different suggestions found at different forums) to get rid of it. I've always been very very careful when it comes to my computer and have multiple anti-spyware programs running on my computer at all times. The only other person allowed to touch my computer is my husband and he has his own computer, so he doesn't use mine that often. I think my computer got infected after I visited this Chinese website: <snip> By the way, the operating system is Windows XP Home Edition.

    Anyhow, right after I downloaded an audio clip from that website, I received multiple alerts from Symantec Antivirus regarding a virus/trojan named Infostealer.Gampass and that a few files had been infected. A few of the files were able to be quarantined but the others were left alone. I tried to delete those manually but those files could no longer be found. I didn't think it was a big deal as that sometimes happens with temporary files. I ran another scan and everything seemed fine. Or so I thought. I also clicked on the link for the virus/trojan and on Symantec's website, it stated that the risk level for the virus/trojan was very low (a 1).

    The next time I started my computer, I ran into multiple problems:
    1) Windows Security Center wouldn't detect the antivirus program anymore and kept saying it was out of date even though it was not.
    2) I kept getting error messages that said, "C:\WINDOWS\system32\xia6.exe is not a valid win32 application." (and also xia 2, xia4, and xia 6) When I closed them, I was asked if I wanted to report the problem to Microsoft (like if my IE or Microsoft Office documents had crashed).
    3) Symantec antivirus popped up at least 7 times and listed those SAME viruses/trojans that were supposedly undetected the last time after clean up, but when I tried to delete them, at least half of them could not be located. Some of the problematic files include:
    - sms1s[1].exe
    - sms3s[1].exe
    - sms4s[1].exe
    - sms5s[1].exe
    - host1.exe
    - host2.exe
    - host4.exe
    - host5.exe
    4) It showed that new programs were installed and when I clicked on the "Start" button, over half of my existing programs were highlighted and shown as newly installed.
    5) When I tried to go to any website that required sign-ins (such as Yahoo Mail and Hotmail), I'd get the security certificate message.

    At that point, I started looking up more information regarding this Infostealer.Gampass trojan. It appeared that it was a pretty new trojan and not many websites and forums had a lot of information about it. Furthermore, other people whose computer had been infected by this trojan were displaying different symptoms than what I've experienced, so there was no quick and easy solution - everybody said to try something different.

    A few of the things that I've tried to do and failed (probably because of the infection) were to create a registry back-up and to go to task manager. The commands don't work anymore.

    I've tried scanning and removing the trojan with the following programs:
    - Symantec Antivirus
    - Lavasoft Ad-Aware
    - AVG Anti-Virus
    - Spybot Search and Destroy
    - SUPERAntiSpyware
    - CounterSpy
    - Avast! Antivirus

    All these programs detected and removed what they found, but upon start-up, all the problems that existed were still there, sometimes a few more files were found by Symantec, sometimes a few less. I've tried scanning in safe mode as well and a few of the programs even did pre-boot scans.

    I tried to install Multi-AV as well but that program wouldn't run on my computer.

    I've also tried installing the trial versions of McAfee and Sophos products, but installation kept failing for both. I've contacted technical support for both. That was a week ago. McAfee has not even given me any response. Sophos responded and said installation failed probably because of an existing virus and gave me some other options.

    Sophos told me to go into safe mode command prompt and provided step-by-step instructions to scan and remove viruses. At the end, it said, "Failed to open log file 'c\remove.log'." I scrolled up and copied some items that didn't look quite right to me:

    "Could not open C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat"

    "Could not open C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG"

    "Could not open C:\WINDOWS\system32\config\SYSTEM.LOG"

    "Could not open C:\WINDOWS\system32\drivers\sptd.sts"

    ">>> Virus 'Mal/Behav-043' found in file C:\Program Files\Internet Explorer\NS\Sy-win7z.Jmp Disinfection failed"

    ">>> Virus 'Mal/Behav-043' found in file C:\WINDOWS\system32\xia11.exe
    Disinfection failed"

    And then I couldn't get out of cmd.exe and had to use ctrl-alt-del to shut down my computer.

    The next time I started my computer, it loaded in safe mode command prompt again! Nothing I've done so far would bring it out of that mode and load Windows again. I've tried "exit" and "win" but all that does is close cmd.exe, and then all I see is a black background with "Safe Mode" on the four corners.

    I've tried pushing F8 at the next startup, but it would not list the normal options at all. The only option that was listed was "Windows XP Home Edition" and nothing else! So now I can't do anything at all.

    Please help! :cry
     
    Last edited by a moderator: Jan 3, 2008
  2. abri

    abri MajorGeek

    Hi cocoharley!
    Welcome to Major Geeks!

    Sometimes things are too much and sometimes not enough. Please make sure you have ONLY ONE resident antivirus program running. Uninstall all the rest. Since Symantec is the most difficult to uninstall, I would leave it on for the time being.

    After you do that, please go to the READ & RUN ME FIRST and follow those instructions you have not yet done. If you've already run Spybot, you don't have to run it again. If you have a log from Counterspy, please attach it with your next post.

    Make sure you have updated versions of everything. When you ran Counterspy, did you have it FIX everything it found? If you did, you can skip the AVG-Antispyware 7.5.

    When you finish, please attach the requested logs, which will be the Counterspy log, Combofix and MGlogs.zip.

    Thanks.
    abri
     
  3. cocoharley

    cocoharley Private E-2

    Hi abri,

    Sorry for not responding sooner. It was difficult to get online without my own computer and especially during the holiday season.

    Anyhow, my biggest problem at the moment is that I cannot even get out of safe mode command prompt. Please refer to the last part of my previous post for the various methods that I've tried to get out of safe mode but without success... :(
     
  4. abri

    abri MajorGeek

    Hi cocoharley!

    I want to make sure I understand your logon situation. As you describe it, you can get into Safe Mode, but the cmd prompt window will not close and you cannot get to the Start button of Safe Mode? Can you boot up to Safe Mode and click on Ctrl Alt Del to get the Control Panel to come up?

    abri
     
  5. cocoharley

    cocoharley Private E-2

    I am STUCK in safe mode. I could close the command prompt window, but after that, all I could see is a black background with "Safe Mode" on all four corners.

    When I restart the computer using Ctrl-Alt-Del, it just starts up again in command prompt safe mode. It doesn't matter that I press F8 - the only option I get is which boot device to choose, so regardless of what I try to do, I always end up in safe mode.

    Anyhow, I posted at another forum also (after I posted here the second time as I wasn't sure you'd still respond to me as it's been a while since I'd first posted), as I was anxious to get this problem resolved, and they were starting to help me figure out the problem. They found out today that I'd also posted here and said they couldn't help me if I was getting help somewhere else... I don't know what to do anymore. :cry I don't want to get anyone mad. I still really need help. So I think I'll see what they can come up with. Would it be possible to come back and post here if they decide they can't help me?
     
  6. cocoharley

    cocoharley Private E-2

    I am not in the regular safe mode where I see the desktop and the start button. I am in the safe mode command prompt (DOS).
     
  7. abri

    abri MajorGeek

    which operating system are you using?
     
  8. cocoharley

    cocoharley Private E-2

    Windows XP Home Edition. I think there may be something wrong with the OS already. Even before I got stuck in safe mode, I was unable to utilize ctrl-alt-del from regular mode and was unable to backup my registry. And I've tried to do a system restore from safe mode based on the suggestion from a different forum, but it appeared that all my restore points have been wiped out.
     
  9. cocoharley

    cocoharley Private E-2

    Not trying to double post here, but I couldn't figure out how to edit my last post. Anyhow, I've updated my situation at other forums telling them that I'm getting help here now, as most of them were pretty ticked off that I'd posted at more than one forum. So, I'm only asking for help from this forum now. Hope to hear back from you soon. Thanks!
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some types of malware can delete or alter the safeboot key in the registry resulting in the inability to reboot into safe mode or back to normal mode. If you use the /Safeboot option on the Boot.ini Tab to force safe mode when the F8 key does not work, it could have disastrous results. The Safeboot option modifies the Boot.ini file and you may be locked in a continuous reboot loop afterwards where you cannot get back to MSConfig and undo your selection.

    That said ....at the command prompt, try typing in "explorer.exe" without the quotes ...what happens?
     
  11. cocoharley

    cocoharley Private E-2

    Thank goodness! You're one of the only two experts I've "talked" to that know exactly where I'm stuck at! :)

    Anyhow, I typed in "explorer.exe" and a Desktop message popped up:

    "Windows is running in safe mode.

    This special diagnostic mode of Windows enables you to fix a problem which may be caused by your network or hardware settings. Make sure these settings are correct in Control Panel, and then try starting Windows again. While in safe mode, some of your devices may not be available.

    To proceed to work in safe mode, click Yes. If you prefer to use System Restore to restore your computer to a previous state, click No.
    "

    Now... I've already mentioned that I've already tried system restore but that didn't work. When I tried "%systemroot%\system32\restore\rstrui.exe" in command prompt, I received the following error message from System Restore:

    "System Restore has been turned off and cannot be turned on in Safe Mode. To turn on System Restore, restart in Normal mode and then run System Restore again."

    So I'm not sure if I should click Yes or No.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Click yes to proceed to work in safe mode ...what happens?
    And do you have your xp cd?
     
  13. cocoharley

    cocoharley Private E-2

    I clicked Yes and the start button popped up! :) Now what should I do?

    Yes, I have my XP CD. I bought it about two years ago when I rebuilt my computer.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to check the boot.ini in the msconfig.

    Go to start / run / type "msconfig" without quotes and then click the boot.ini tab...is safe mode box checked? If so, uncheck it! ....tell me what you find.
     
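    The two TimW posts above describe the same mechanism from both ends: a /safeboot switch on a boot.ini entry (written by msconfig's Boot.ini tab, or by anything else able to edit the file) forces every boot into safe mode, and unchecking the box removes it. The Python script below is an added example; it is not part of this thread and not one of the MajorGeeks tools. It parses a constructed boot.ini, reports which entries carry the switch and which safe-mode flavour they force (/safeboot:minimal(alternateshell) is the "Safe Mode with Command Prompt" variant the thread is stuck in), and shows the text with the switch stripped. The sample boot.ini, the function names and the second boot entry are all assumptions made for the example.

```python
import re

# Constructed sample boot.ini in Windows XP format. It is NOT taken from the
# thread: the first entry has been given the /safeboot:minimal(alternateshell)
# switch that msconfig's Boot.ini tab writes for "Safe Mode with Command Prompt".
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /safeboot:minimal(alternateshell)
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Second install (constructed)" /fastdetect /noexecute=optin
"""

# A /safeboot switch as it appears as a single token on an [operating systems] line.
SAFEBOOT_TOKEN_RE = re.compile(r"/safeboot(?::(\S+))?", re.IGNORECASE)
# The same switch with its leading whitespace, for stripping it from a line.
SAFEBOOT_STRIP_RE = re.compile(r"\s*/safeboot(?::\S+)?", re.IGNORECASE)


def parse_boot_ini(text):
    """Return (default_arc_path, entries). Each entry is a dict holding the ARC
    path, the quoted description and the list of boot switches on that line."""
    section = None
    default = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Split on the first "=" only: switches such as /noexecute=optin
        # also contain "=" but always come after the ARC path.
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if section == "boot loader":
            if key.strip().lower() == "default":
                default = value.strip()
        elif section == "operating systems":
            m = re.match(r'\s*"([^"]*)"\s*(.*)$', value)
            if m:
                description, switches = m.group(1), m.group(2).split()
            else:
                description, switches = value.strip(), []
            entries.append({"arc": key.strip(), "description": description,
                            "switches": switches})
    return default, entries


def forced_safe_mode(text):
    """List every boot entry carrying a /safeboot switch, with the safe-mode
    flavour and whether it is the default entry (the one that boots without F8)."""
    default, entries = parse_boot_ini(text)
    findings = []
    for entry in entries:
        for token in entry["switches"]:
            m = SAFEBOOT_TOKEN_RE.fullmatch(token)
            if m:
                findings.append({
                    "description": entry["description"],
                    "mode": (m.group(1) or "minimal").lower(),
                    "is_default": entry["arc"] == default,
                })
    return findings


def remove_safeboot(text):
    """Return the boot.ini text with every /safeboot switch removed, which is
    what unchecking the /SAFEBOOT box on msconfig's Boot.ini tab does."""
    return "\n".join(SAFEBOOT_STRIP_RE.sub("", line)
                     for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    for f in forced_safe_mode(SAMPLE_BOOT_INI):
        tag = "DEFAULT entry" if f["is_default"] else "non-default entry"
        print(f"{tag}: \"{f['description']}\" forces /safeboot:{f['mode']}")
    print(remove_safeboot(SAMPLE_BOOT_INI))
```

    On a real XP machine boot.ini lives in the root of the system drive as a hidden, read-only file; the script only inspects text you hand it, so it can be run from another machine or a rescue environment against a copy of the file without touching the boot configuration itself.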
  15. cocoharley

    cocoharley Private E-2

    I did as you instructed. It restarted and loaded in the normal mode. :)

    Now, what do I do about the pesky trojan?
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  17. cocoharley

    cocoharley Private E-2

    I am not sure where else I should post this question so I'll just post it here. I've followed the Malware Removal Guide and am getting everything ready so I could post the required logs. My only problem is that no matter what I do, I could not get AVG Anti-Spyware to generate any logs! When I click on the Reports tab, it just says "No reports available" and the "Save report as" button is not clickable. I selected "Automatically generate report after every scan" and unselected "Only if threats were found" prior to scanning as instructed.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Don't worry about that ....attach the MGLogs.zip and the ComboFix log. :)
     
  19. cocoharley

    cocoharley Private E-2

    Alright... hope I'm doing this right. I'm attaching the ComboFix.txt file and MGlogs.zip file.

    By the way, not sure if this is relevant or not, but ever since we've fixed the problem of being stuck in safe mode command prompt, my computer is no longer displaying most of the symptoms described in my first post (problems 1-5). However, prior to scanning with the four recommended tools, Symantec Antivirus notified me of the discovery of different types of malware (none of which were the original one) and Super AntiSpyware kept blocking one that kept trying to change my homepage, but after the four scanning and removal processes, I'm no longer getting any notifications.
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Things aren't as bad as we imagined ....

    You need to uninstall Limewire ( it is known to be packed with malware) ...also you have Counterspy running at startup ...is this a paid-for version?

    Use windows explorer to find and delete this:
    C:\Program Files\Internet Explorer\IEXPLORE32.ime

    Then remove all of your IE plugins.

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  21. cocoharley

    cocoharley Private E-2

    How do I remove IE plugins?

    Counterspy is the trial version, which I used to scan and remove malware prior to posting at this forum.

    Btw, the following just popped up from Symantec Antivirus as I was reading your post:

    Downloader (host5.exe -temporary files, host3.exe - temporary files, IEXPLORE32.Sys - program files)
    W32.Fubalca (host1.exe - temporary files, host3.exe - temporary files)

    All multiple counts.

    EDIT: This is so annoying. Right after I've posted, I received 12 notifications from Symantec Antivirus about the W32.Fubalca!html risk (different random file names) in my temporary internet files folder. It's just like getting multiple pop-ups!
     
  22. cocoharley

    cocoharley Private E-2

    Are plugins the same as add-ons? I saw one that I assumed would be problematic - IEXPLORE32.sys, but it's not one that I can delete. Of the long list of items, some cannot be deleted, only disabled.

    EDIT: Alright... I've disabled most of the add-ons one by one and removed a few. Most of them are not removable. Anyhow, attached is the new log. I keep getting pop-ups from Symantec regarding new types of malware, it seems. When should I enable my antivirus and antispyware programs again?
     

    Attached Files:

  23. cocoharley

    cocoharley Private E-2

    Sorry, I forgot to do anything with the registry file before running the MGTools, so I've done that and am attaching another log, in case it makes a difference.
     

    Attached Files:

  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should re-enable your security as soon as you finish the fix I give you ...before getting back on the web.

    Use windows explorer to find and delete this folder:
    C:\WINDOWS\system32\AdCache

    Now lets reset your IE defaults:
    (Now disable the security programs for this):
    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now tell me how things are running.
     
  25. cocoharley

    cocoharley Private E-2

    Okay. I've done everything you've told me to do. I'm not quite sure what to look for now. Things just never quite feel the same again! I don't feel safe anymore...

    Anyhow, what do I do about the plug-ins I've disabled? Is it safe to enable them again?

    Thanks! :)
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What plugins did you disable?

    C:\Program Files\Internet Explorer\PLUGINS\WinSy_8z.Sys --> No and you need to make sure this file is deleted.

    In the meantime:
    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  27. cocoharley

    cocoharley Private E-2

    I disabled all the plug-ins.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you having any other problems? Tell me how things are running. :)
     
  29. cocoharley

    cocoharley Private E-2

    Everything seems to be working fine now. I just re-enabled all my plug-ins but I deleted some that I can't remember. I suppose if I need them again I'll be asked to download them? Anyhow, thank you so much for your help! I really appreciate it! :) Now my life goes back to normal.

    I have one last question though. For some reason, after the whole malware ordeal, my music folders now look the way they do in the attachment (I took a screen capture of one folder as an example). I've always chosen to make hidden files visible so that I could find them if I needed to, and I remember only seeing them in the programs folder. I don't remember ever seeing any hidden files except for Thumbs.db in any of my regular document folders. Is this something that is a result of the malware infection and cleaning process (some settings being changed) or do you think it is something independent of the malware infection and cleaning process (something to do with Windows Media Player)? I don't remember changing any settings in WMP within the last couple of months. And I don't prefer to make my hidden files invisible.
     

    Attached Files:

  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Frankly, I'm not sure ...are you referring to the icons? You can always change them. If not, then please post that question in the software section as more are available to assist you with that...I recall a few threads regarding that issue, but cannot recall which ones.

    And you're most welcome. :)
     
  31. cocoharley

    cocoharley Private E-2

    Yeah... those pesky album art files. It's strange how they appeared out of nowhere. I'll look around in the software section.

    Thanks again! :)
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome ...safe surfing. :)
     
  33. cocoharley

    cocoharley Private E-2

    It's me again. I don't know if I should be very concerned or not... Anyhow, everything has been great since the cleaning. I scan my computer regularly with various anti-malware and antivirus programs that were recommended by this forum and nothing alarming had turned up. But today, I ran Symantec Antivirus at startup, and it found 219 infected files!!! The risks identified were: Infostealer.Gampass and W32.Fubalca!html. I don't see any other symptoms that I had seen previously and it looks like all the infected files had been successfully cleaned, deleted, or quarantined. Am I in trouble again? I've been REALLY careful since the last time!
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's good that your anti-virus program is doing its job ...the question would be where is this coming from? E-mail attachments? Links sent thru messenger/chat programs? Unsafe internet sites? Do you have McAfee site advisor installed?
     
  35. cocoharley

    cocoharley Private E-2

    Hmm... good question. Like I've said, I've been REALLY careful especially since the last time. Even in the past, I've always been more careful (and knowledgeable) than anybody else that I know. So I don't know why... I don't remember opening any e-mail attachments lately and am pretty sure I have not clicked on any links sent through messenger/chat programs for the longest time. I typically delete e-mails with attachments since they're mostly forwards from people. I don't visit game sites or porn sites, or any sites that typically have a lot of pop-ups. I am at work from 8 to 5 and that's when I go online the most and open the most number of attachments, of course, all on my computer at work. I don't use my computer at home as much as I did when I was in grad school.

    Anyhow, I don't have McAfee Site Advisor installed. Is it free? I have installed so many programs already on my computer that I'm starting to look like I'm paranoid. I have probably over 80% of the programs recommended by this site installed on my computer! Maybe I should switch to a different antivirus program? But I suppose I should first figure out how to prevent infection in the first place...
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No anti-virus is 100% ....it takes time for the updates to catch up to the new viruses ...and I would suggest Site Advisor ...and your email scanner is active?
     
  37. cocoharley

    cocoharley Private E-2

    E-mail scanner? I don't think I have one. I've installed the Site Advisor. Not liking the toolbar though - it takes up a whole row and I can't move it up or down...
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you downloading e-mail to outlook? Or are you just viewing from an online e-mail site (yahoo/msn/etc.)?

    McAfee Site Advisor is a small tray item at the bottom of your/my browser ....what browser are you using again?
     
  39. cocoharley

    cocoharley Private E-2

    I use mostly web-based e-mail like Yahoo, Hotmail, and Gmail. I use Novell GroupWise for work. I am using Internet Explorer 7. The McAfee SiteAdvisor that I had installed looked like the one in the attachment.
     

    Attached Files:

  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should be able to move it up to the address bar ....but again, this would best be addressed in the software section.
     
  41. cocoharley

    cocoharley Private E-2

    I tried that, but it wouldn't work. I tried adding the menu bar and was able to move the SiteAdvisor toolbar left and right after that, but not up or down. Thanks though.
     