| Tags: hacktool, infostealergampass |
|
#1
Infostealer.gampass and Hacktool

Please help! I have been infected by 2 viruses, both came in most likely through visiting a download site. My Norton AV picked up Infostealer right after I downloaded WINRAR. Hacktool might have come from a friendly FTP site. I scanned and found 5 files infected. Two Hacktool-infected files were repaired but one was not, and Infostealer was not repairable at all. Three files are:
Windows\\system32\\dlyy.dll
Windows\\rundl132.exe
Temp\ti7u2zkm.dll

This is a new barrage of viral attack on my computer, since I have been very careful on my email side. No trojan horse was able to get in for a long time. This one is a real surprise and I can not depend on my AV software, although it reports to me what I've got. I need stepwise instructions to get rid of the virus.
|
#2
Re: Infostealer.gampass and Hacktool

Renz wrote:

> Please help! I have been infected by 2 viruses, both came in most likely
> through visiting a download site. My Norton AV picked up Infostealer right
> after I downloaded WINRAR. Hacktool might have come from a friendly FTP
> site. I scanned and found 5 files infected. Two Hacktool-infected files were
> repaired but one was not, and Infostealer was not repairable at all. Three
> files are:
> Windows\\system32\\dlyy.dll
> Windows\\rundl132.exe
> Temp\ti7u2zkm.dll
>
> This is a new barrage of viral attack on my computer, since I have been very
> careful on my email side. No trojan horse was able to get in for a long time.
> This one is a real surprise and I can not depend on my AV software, although
> it reports to me what I've got. I need stepwise instructions to get rid of
> the virus.

Those files are malware and that's why they can't be repaired. Go through these general malware removal steps systematically -

http://www.elephantboycomputers.com/...moving_Malware

Include scanning with either Sysclean or Multi_AV, plus AVG Anti-Spyware (formerly Ewido - http://www.ewido.net/en/) and follow instructions to do all scans in Safe Mode.

When all else fails, run HijackThis and post your log in one of the specialty forums listed at the link above (not here, please).

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a professional computer repair shop (not your local version of BigStoreUSA).

The only alternative to going through the malware removal tediously and systematically, probably with online help from an HJT forum, and taking the machine to a real professional is to back up your data and do a clean install of Windows. It's your call. Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. Have all your data backed up before you take the machine into a shop.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
|
#3
Re: Infostealer.gampass and Hacktool

From: "Renz" <Renz@discussions.microsoft.com>

| Please help! I have been infected by 2 viruses, both came in most likely
| through visiting a download site. My Norton AV picked up Infostealer right
| after I downloaded WINRAR. Hacktool might have come from a friendly FTP
| site. I scanned and found 5 files infected. Two Hacktool-infected files were
| repaired but one was not, and Infostealer was not repairable at all. Three
| files are:
| Windows\\system32\\dlyy.dll
| Windows\\rundl132.exe
| Temp\ti7u2zkm.dll
|
| This is a new barrage of viral attack on my computer, since I have been very
| careful on my email side. No trojan horse was able to get in for a long time.
| This one is a real surprise and I can not depend on my AV software, although
| it reports to me what I've got. I need stepwise instructions to get rid of
| the virus.

I truly believe these are Trojans and not viruses.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
#4
Re: Infostealer.gampass and Hacktool

"David H. Lipman" wrote:

> From: "Renz" <Renz@discussions.microsoft.com>
>
> | Please help! I have been infected by 2 viruses, both came in most likely
> | through visiting a download site. My Norton AV picked up Infostealer right
> | after I downloaded WINRAR. Hacktool might have come from a friendly FTP
> | site. I scanned and found 5 files infected. Two Hacktool-infected files were
> | repaired but one was not, and Infostealer was not repairable at all. Three
> | files are:
> | Windows\\system32\\dlyy.dll
> | Windows\\rundl132.exe
> | Temp\ti7u2zkm.dll
> |
> | This is a new barrage of viral attack on my computer, since I have been very
> | careful on my email side. No trojan horse was able to get in for a long time.
> | This one is a real surprise and I can not depend on my AV software, although
> | it reports to me what I've got. I need stepwise instructions to get rid of
> | the virus.
>
> I truly believe these are Trojans and not viruses.
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

Hi,

Thank you for the answers from you guys, but you seem to offer standardized solutions that tend to favor certain websites. I read similar answer for other threads. It did get very complex trying to follow your instructions.

Luckily, the Norton AV has redeemed itself after I checked the definition of Infostealer.gampass and followed the removal instructions given by them. They did not define the difference between a virus and a Malware (does not concern me at all). The procedure just lists 7 steps:

1. Disable system restore until infection is eliminated.
2. Update the virus definition (infostealer.gampass discovered on 11/16/2006)
3. Run a full system scan on Safe Mode and delete all files detected. (3 files listed and unable to repair). Those 3 files did not disappear right after delete key was clicked. I was sort of disappointed. Reboot the system in regular mode, but the virus alert still showed up. I thought, by golly, I really have to go through the instruction given by Malke next morning. In the next morning, I was really delighted to find the virus has been wiped out.
4. Delete any value added to the registry. (Unsure how important it is, I need to perform regedit and navigate to the subkey)
5. Edit the Win.ini file.
6. Edit the System.ini file (Need to edit C:\windows\system.ini, I don't know why though).
7. To clear the temporary internet file folders, if required.

I enter these steps in case someone else gets hit by infostealer.gampass and Hacktool.root.

Renz
|
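Steps 5 and 6 in the list above concern Win.ini and System.ini because both files carry legacy autostart lines: `load=` and `run=` under `[windows]` in Win.ini, and `shell=` under `[boot]` in System.ini. The following is an added example, not part of the original thread and not Norton's procedure; it assumes those three entries are the ones to review, and the sample file contents are constructed.

```python
import re

# Legacy autostart entries: (file, section, key) -> value on a clean system.
# Assumption of this example: the thread does not say which lines to edit.
AUTOSTART = {
    ("win.ini", "windows", "load"): "",
    ("win.ini", "windows", "run"): "",
    ("system.ini", "boot", "shell"): "explorer.exe",
}

# Constructed sample contents, not taken from an infected machine.
SAMPLE_WIN_INI = r"""; for 16-bit app support
[windows]
load=
run=C:\WINDOWS\rundl132.exe
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe
[drivers]
wave=mmdrv.dll
"""

def parse_ini(text):
    """Return {(section, key): value} with lower-cased section and key names."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            entries[(section, key.strip().lower())] = value.strip()
    return entries

def suspicious_autostarts(filename, text):
    """List (section, key, value) autostart entries that differ from the clean value."""
    entries = parse_ini(text)
    findings = []
    for (fname, section, key), clean in AUTOSTART.items():
        if fname != filename.lower():
            continue
        value = entries.get((section, key), clean)  # a missing entry counts as clean
        if value.lower() != clean:
            findings.append((section, key, value))
    return findings

if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        print(name, suspicious_autostarts(name, text))
```

Any entry it reports is a line to inspect by hand before editing; a program appended after `Explorer.exe` on the `shell=` line is reported as well.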
#5
Re: Infostealer.gampass and Hacktool

From: "Renz" <Renz@discussions.microsoft.com>

|
| Thank you for the answers from you guys, but you seem to offer standardized
| solutions that tend to favor certain websites. I read similar answer for
| other threads. It did get very complex trying to follow your instructions.
|
| Luckily, the Norton AV has redeemed itself after I checked the definition of
| Infostealer.gampass and followed the removal instructions given by them.
| They did not define the difference between a virus and a Malware (does not
| concern me at all). The procedure just lists 7 steps:
| 1. Disable system restore until infection is eliminated.
| 2. Update the virus definition (infostealer.gampass discovered on 11/16/2006)
| 3. Run a full system scan on Safe Mode and delete all files detected. (3
| files listed and unable to repair). Those 3 files did not disappear right
| after delete key was clicked. I was sort of disappointed. Reboot the system
| in regular mode, but the virus alert still showed up. I thought, by golly, I
| really have to go through the instruction given by Malke next morning. In the
| next morning, I was really delighted to find the virus has been wiped out.
| 4. Delete any value added to the registry. (Unsure how important it is, I
| need to perform regedit and navigate to the subkey)
| 5. Edit the Win.ini file.
| 6. Edit the System.ini file (Need to edit C:\windows\system.ini, I don't
| know why though).
| 7. To clear the temporary internet file folders, if required.
|
| I enter these steps in case someone else gets hit by infostealer.gampass
| and Hacktool.root.
|
| Renz
|

These are Trojans not viruses.

Since you didn't take me seriously and didn't scan with additional scanners, you may STILL be infected. The reason I package four anti virus scanners from 4 different vendors is because one may catch what another may miss. Because you indicated you ONLY used Norton, you may still be infected with something Norton has missed.

I *strongly* urge you to scan using the Multi AV Scanning Tool.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm