Infostealer gampass, Windows won't open anymore

Discussion in 'Malware Help (A Specialist Will Reply)' started by s9813350, Oct 22, 2008.

  1. s9813350

    s9813350 Private E-2

    I have huge problem.

Earlier today I started to download an mp3 file which unfortunately included a virus, the Infostealer gampass virus.

As I have several antivirus programs active on my computer, both Norton and Avira informed me that I was infected with an Infostealer gampass virus. Norton started auto-deleting the files, located in the windows/temp directory, and Avira asked me what action I wanted to take. I ordered Avira to delete the files as they were infected.

After the first wave of virus messages were dealt with I turned off System Restore and started a full system scan using Norton. When Norton was finished it reported zero infected files, perhaps because Norton had deleted the files before I started the scan. However, after the scan was finished I got a couple more virus infection messages, the same as before but different files of course, and now it had spread to the Docs & Settings directory as well. I then did a scan using Searchbot (or something similar) Search and Destroy; it found a few minor problems such as adware, which I suspect were present before Infostealer infected my PC. These were of course removed.

I then started Hijackthis and looked at the results from the scan. Nothing seemed suspicious, but I am no expert. I then used a cleaner program to delete all the temp files. I did another system scan, which found nothing. I then opened the Norton quarantine and ordered it to delete the ca. 20 files, among them Infostealer and Downloader, which I gathered from the forums were related.

I then rebooted my system. However, as Windows XP Home Ed. started and opened Windows, I just got a glimpse of my desktop background before it jumped back to the Windows login screen. Since I am the only one who uses this computer there is only one user account, which is not password protected, so I never have to log in. Thus I was a bit surprised. Back in the login screen I saw my username and clicked it so that Windows could open properly. Under the username it said "Starting login, getting settings…" etc. Then for a millisecond I saw my desktop background again before it jumped out and back to the user login page for Windows. Under my username it said: "Logging off, saving settings…" etc. I was a bit perplexed, so I rebooted my PC again, this time in Safe Mode, but the same thing happened. This time, however, there were two users, mine and Admin. I tried both users but got the same results as before. I rebooted again and told the machine to use "restore last successful settings", or something like it. This didn't help either. So now I don't know what to do.

    Can anyone help? It would be much appreciated.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Welcome to MajorGeeks.com!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:
1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. s9813350

    s9813350 Private E-2

    Hi bjgarrick.

    Thank you for helping me.

I’ve read the links in your post; unfortunately the steps and advice they give are a bit premature as I can’t even access Windows. As explained in my last paragraph, as I log in I can only see my desktop background without any icons for a second before Windows logs me out again. This happens whether I use Normal or Safe Mode start-up procedures. I suspect the virus has altered my boot.ini or something similar to prevent me from opening Windows, but that’s just me guessing, and I am not an IT expert.
     
  4. s9813350

    s9813350 Private E-2

    Sorry for the double post.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we can begin any scans/removal we need to get Windows running. Do you have your Windows XP disc? If so, we may need to perform a Repair install to replace/repair any corrupt or missing files.

This particular infection only drops a few files and makes a few minor registry changes, nothing that should cause the issue you're talking about.
     
  6. s9813350

    s9813350 Private E-2

    OK, I probably did something wrong whilst I was trying to remove the virus myself.

    Yes, I do have a Windows XP disc. It’s made specifically for a second computer I have, but that probably doesn’t matter.

    How do I proceed?
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before you start this repair, please read these steps very carefully so you will not miss anything. After you have completed reading it, print it so you will have it as a reference.
    1. Boot the computer using the XP CD. You may need to change the boot order in the system BIOS so the CD boots before the hard drive. Check your system documentation for steps to access the BIOS and change the boot order.
    2. When you see the "Welcome To Setup" screen, you will see the options below
      • This portion of the Setup program prepares Microsoft Windows XP to run on your computer
      • To setup Windows XP now, press ENTER.
      • To repair a Windows XP installation using Recovery Console, press R.
      • To quit Setup without installing Windows XP, press F3.
3. Press Enter to start the Windows Setup. Do not choose "To repair a Windows XP installation using the Recovery Console, press R" (you Do Not want to load Recovery Console). I repeat, do not choose "To repair a Windows XP installation using the Recovery Console, press R".
    4. Accept the License Agreement and Windows will search for existing Windows installations.
    5. Select the XP installation you want to repair from the list and press R to start the repair.
    6. Setup will copy the necessary files to the hard drive and reboot. Do not press any key to boot from CD when the message appears. Setup will continue as if it were doing a clean install, but your applications and settings will remain intact.
7. After setup has completed the repair, your computer will reboot and then start the setup wizard. Just go thru this normally. If you get the Add User Account screen, click IGNORE or your accounts will be removed. After you have completed this repair and set up Windows you may need to reinstall Service Pack 2 and any other updates for WinXP.

    Once this has been completed, let me know if Windows is running properly and stable enough to finish the cleaning.

    If Windows loads properly then run ComboFix again and attach that new log along with new logs from MGTools.exe.
     
  8. s9813350

    s9813350 Private E-2

Unfortunately this didn’t work out the way it was supposed to.

Steps 1 through 5 went without any problems. I thought step 6 went well too, but apparently not, and step 7 never happened.

    During the last stages of the setup, about 15 min left of installation and installing network components, I got an error message. I thought it was insignificant as the PC wasn’t connected to the internet. The message was:
    “C:\Windows\System32\inetcomm.dll could not be loaded as it wasn’t installed or was damaged.”
    I clicked OK, and the installation continued without any problems.

With 1 minute left of the “Finishing Installation”, it rebooted. I don’t think it said “Installation Complete” at that moment, so I wondered if it was a glitch or if indeed it was finished. As the computer started up again I got as far as the black Windows screen starting up Windows XP. Then, I presume, I got what is called the BSOD. On the blue screen it said the computer had aborted the start-up and terminated any operations due to a critical error and to prevent any damage to my computer. It suggested that I run CHKDSK /F to check for any damage to my HD. The error code at the bottom was:

    STOP 0x0000007B (0xF789E63C, 0xC0000034, 0x00000000, 0x00000000)
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you see on the BSOD anything about "INACCESSIBLE_BOOT_DEVICE"??

    Let's try the below...
    1. Insert the Windows XP CD-ROM into your CD-ROM or DVD-ROM drive, and then restart your computer.

    2. When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.

    3. When you receive the "Welcome to Setup" message, press R to start the Recovery Console.

    4. If you have a dual-boot or multiple-boot computer, select the installation that you have to use from the Recovery Console.

    5. When you are prompted, type the administrator password, and then press ENTER.
      • Note: If you do not have one, just press ENTER.

    6. At the command prompt, type chkdsk /f and then press ENTER.

    7. Once it has completed, type exit, and then press ENTER to quit Recovery Console.
    Once you have exited the console and rebooted let me know how everything is and if you're able to get into normal mode.
     
  10. s9813350

    s9813350 Private E-2

    I didn’t see “inaccessible_boot_device”, or anything similar in the BSOD.

Anyways, I followed the seven steps you wrote down, but the end result was the same. I got the exact same BSOD as before.

I first ran just “chkdsk”, and it told me the volume worked fine, and told me to add /f if I wanted to do a proper check. I did. After I ran chkdsk /f the first time, the PC reported that the volume had an error. I watched the chkdsk as it ran; when it was at 75% I looked away for a moment, and suddenly the chkdsk was finished. Unsure if it had aborted because of the error or actually completed the chkdsk, I ran another chkdsk and followed closely. This time, after it had finished, it reported that the volume was fine and without errors. Thus I exited, and it rebooted. The first time I rebooted I chose Normal Mode, and got the BSOD. Rebooting into Safe Mode yielded the same result.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Provide me with the EXACT error message, possibly even an image so I can see everything it contains.

    You can also try running my previous post again but this time try the command chkdsk /r
     
  12. s9813350

    s9813350 Private E-2

I ran chkdsk /r as requested. When it got to 75% it jumped back to 50% and very slowly worked up to 75% again, indicating that the HD might be damaged. However, the report did not mention any problems. I rebooted; alas, it didn’t help, I got the exact same BSOD as before.


    The BSOD message:

    The Computer has encountered a problem, and Windows has shut down to prevent damage.

    Restart the computer if this is the first time this has happened.

    If not:
    Run a virus scan. Remove any recently installed HD, or HD drivers. Make sure the HD is configured correctly, and has shut down properly. Run chkdsk /f to search for any errors on the HD, and reboot.

    Technical info:

*** STOP (then the code mentioned earlier)
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go into the BIOS and make sure the HDD is visible here. If it is visible, then it sounds like the drivers are not loading for the mobo to see the HDD properly. If your drive controller is not natively supported you will need to boot from the Windows disc and press F6 to specify a controller driver and then go thru the repair again.

Since this doesn't appear to be malware related, at this point I recommend the Software or Hardware forum to get Windows running. Once you get Windows running we can proceed in the scanning/removal of any baddies.

Keep me updated! :)
     
  14. s9813350

    s9813350 Private E-2

    Yes, you’re probably right; it doesn’t appear to be malware related. Hopefully they can help me in the Hardware or Software fora.

    Thank you for your help so far, I’ll be back if I manage to get Windows running again without formatting my HD.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    Keep me informed and come back here to get your system cleaned up once you get it running properly.
     