Kudos 0

Infostealer.Gampass(was I really infected?)

Hi, 

Windows 10 64bit  Home

A Norton 360 scan gave the following information: 

Filename: 00018650.tmp
Threat name: Infostealer.Gampass
This tmp file was in this folder: c:\programdata\norton\

On computers as of 
Not Available

Last Used 
11/24/2015 at 7:21:47 PM

Startup Item 
No

Launched 
No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

Source: External Media

File Actions

File: C:\WINDOWS\SysWOW64\lpk32.dll->C:\WINDOWS\SysWOW64\ lpk.dll Remove Failed
File: C:\WINDOWS\SysWOW64\ws3help.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\ws2helpXP.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\wimedump.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\dllcache\wshtcpip.dll->C:\WINDOWS\SysWOW64\ wshtcpip.dll Remove Failed
Infected file: c:\programdata\norton\00018650.tmp Removed     (The file is in quarantine)
____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

This is a new computer and I don't have any external media connected(I assume this means CD/DVD or Flash Drive)

I am not sure what the "Remove Failed" part means. Does it mean that it was blocked from making a change? Meaning the first part is what it was trying to change to and the second part is what is actually on my computer. I looked in the SysWOW64 folder and I just found the lpk.dll and ws2help.dll. I didn't find lpk32.dll, ws3help.dll, ws3helpXP.dll or wimedump.dll. I could not find the dllcache folder at all. It may be there but I did not see it.

Earlier in the day (11-24-15) I was on IMDB.COM and REDDIT.COM (I was on reddit.com looking for info on another security issue: a Locate icon on my taskbar).

I also noticed in my firewall logs that SIHClient.exe was granted custom access to the internet. I did not allow this. Could this file have caused this problem? Any help would be appreciated. Thanks

Tags: Infection

Reply
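Added example (not part of the original post, and not Norton's own code or format specification): a small Python script that turns the "File Actions" lines quoted above into structured records and then checks which of the named paths are actually present on disk, computing a SHA-256 for any that are, since the report itself lists the thumbprints as "Not available". The arrow lines are treated as "detected file -> related system file" purely for bookkeeping; this page does not document what Norton means by the arrow, so the script makes no claim beyond presence and hash. The `exists` callback is an assumption added so the logic can be exercised off the affected machine; the sample text is a constructed copy of the report lines, including the stray space after `SysWOW64\` that the forum rendering introduced.

```python
import hashlib
import os
import re
from typing import Callable, Dict, List, Optional

# Constructed copy of the "File Actions" lines from the Norton report quoted
# in the post. The space after "SysWOW64\" is a forum rendering artifact.
NORTON_FILE_ACTIONS = r"""
File: C:\WINDOWS\SysWOW64\lpk32.dll->C:\WINDOWS\SysWOW64\ lpk.dll Remove Failed
File: C:\WINDOWS\SysWOW64\ws3help.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\ws2helpXP.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\wimedump.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\dllcache\wshtcpip.dll->C:\WINDOWS\SysWOW64\ wshtcpip.dll Remove Failed
Infected file: c:\programdata\norton\00018650.tmp Removed     (The file is in quarantine)
"""

# "File: <body> <status>" or "Infected file: <body> <status> ...". Status is
# matched as "Remove Failed" before "Removed" so the prefix is not taken early.
LINE_RE = re.compile(
    r"^(?P<kind>File|Infected file):\s*(?P<body>.*?)\s+(?P<status>Remove Failed|Removed)\b.*$"
)


def _clean_path(p: str) -> str:
    """Strip surrounding whitespace and collapse 'SysWOW64\\ lpk.dll' -> 'SysWOW64\\lpk.dll'."""
    return re.sub(r"\\\s+", r"\\", p.strip())


def parse_file_actions(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse each report line into kind / source / target / status.

    For arrow lines the left side is the file Norton flagged and the right
    side is the system file it was paired with; single-path lines get target=None.
    """
    entries: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        body = m.group("body")
        if "->" in body:
            src, dst = body.split("->", 1)
            source, target = _clean_path(src), _clean_path(dst)
        else:
            source, target = _clean_path(body), None
        entries.append(
            {"kind": m.group("kind"), "source": source, "target": target, "status": m.group("status")}
        )
    return entries


def check_referenced_files(
    entries: List[Dict[str, Optional[str]]],
    exists: Callable[[str], bool] = os.path.exists,  # injectable for off-box testing (assumption)
) -> Dict[str, bool]:
    """Map every path named in the report to whether it is present right now."""
    presence: Dict[str, bool] = {}
    for e in entries:
        for path in (e["source"], e["target"]):
            if path and path not in presence:
                presence[path] = bool(exists(path))
    return presence


def summarize(entries: List[Dict[str, Optional[str]]], presence: Dict[str, bool]) -> Dict[str, List[str]]:
    """Split the 'Remove Failed' sources into those still on disk and those absent.

    A flagged file that is still present is the thing to hash and hand to a
    removal helper; an absent one cannot be examined further from this report.
    """
    failed = [e for e in entries if e["status"] == "Remove Failed"]
    still_present = sorted({e["source"] for e in failed if presence.get(e["source"])})
    absent = sorted({e["source"] for e in failed if not presence.get(e["source"])})
    return {"still_present": still_present, "absent": absent}


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not load whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    parsed = parse_file_actions(NORTON_FILE_ACTIONS)
    on_disk = check_referenced_files(parsed)  # real os.path.exists on this machine
    result = summarize(parsed, on_disk)
    for p in result["still_present"]:
        print(f"still present: {p}  sha256={sha256_of(p)}")
    for p in result["absent"]:
        print(f"absent:        {p}")
```

Run on the affected machine it prints, for each flagged file, whether it is present and its SHA-256, which is exactly what the report leaves as "Not available" and what a removal helper would ask for first; the legitimate `lpk.dll` and `ws2help.dll` targets are checked for presence too, so a missing system DLL would also stand out.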

Kudos 0

Re: Infostealer.Gampass(was I really infected?)

Hi. SIH is for Silent Install Helper for Windows Updates.

It might be worth going to one of the free malware removal forums we recommend, so an expert volunteer can check your system.

http://www.bleepingcomputer.com/forums/
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://www.whatthetech.com/

Pick one, and stay with that helper until your system is declared clean. Do NOT try any self fixes.

Windows 10 Home X 64
Kudos 0

Re: Infostealer.Gampass(was I really infected?)

Hi,

Thanks for the response. I was hoping to get specific information from Norton users as I am using a Norton product and this is a Norton forum. The people on those forums you mentioned I am sure will do a great job helping if there is a problem, but I am not sure I have one. That is why I put "was I really infected" in the description.

Norton removed the file to quarantine and said no further action was needed. Norton considers the issue resolved. I was questioning the actions that Norton reported the file (Filename: 00018650.tmp) had taken. See below:

File Actions

File: C:\WINDOWS\SysWOW64\lpk32.dll->C:\WINDOWS\SysWOW64\ lpk.dll Remove Failed
File: C:\WINDOWS\SysWOW64\ws3help.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\ws2helpXP.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\wimedump.dll->C:\WINDOWS\SysWOW64\ ws2help.dll Remove Failed
File: C:\WINDOWS\SysWOW64\dllcache\wshtcpip.dll->C:\WINDOWS\SysWOW64\ wshtcpip.dll Remove Failed
Infected file: c:\programdata\norton\00018650.tmp Removed     (The file is in quarantine)

The last line shows that Norton removed the file. It was placed in quarantine. The lines above that show specific files that were changed, or that there was an attempt to change. I am not sure. The "Remove Failed" remarks confuse me as to what happened. Did this file, 00018650.tmp, actually do anything? Given the information presented I was hoping someone would be able to say "Yes, changes were made, you have a problem" or "No, changes were not made". Then I could try to resolve it from there if I do have a problem. I also have a question about the 00018650.tmp being in the c:\programdata\norton folder. Is that common? Could it be a false positive from a bad LiveUpdate file? These are all specific questions that I feel need to be answered here on the Norton forum before I do anything else.

Here is a little more information that I didn't include in my first post. I am using Norton Security Suite (Comcast version). I have the premium (paid) version of Malwarebytes along with the free version of their Anti-Exploit program.

As I mentioned in my first post, I was online in the morning of November 24th until about 7:30 am (no alerts from Norton). After I came home from work I turned the computer on again at about 7:15 pm. I did not go online. When I came back to the computer at about 8:00 pm I saw the alert from Norton about the 00018650.tmp file and Threat name: Infostealer.Gampass. It said the file was: (see below)

Last Used 
11/24/2015 at 7:21:47 PM

Startup Item 
No

Launched 
No

The 00018650.tmp file was in the c:\programdata\norton folder.

There is also no option to delete the file from quarantine. Is this normal? This is why I feel I need information specific to how Norton works.

Thanks

Edit: I forgot to mention I have done full system scans with Norton and Malwarebytes and no problems were reported.

Kudos 0

Re: Infostealer.Gampass(was I really infected?)

Hi. That's why I suggested a visit to a malware forum as we are users like you and not trained in malwarfe removal.

Having said that @yank is our Comcast expert and may have some other advice for you, pertaining to that product's use.

Or you can check the Comcast info here: https://support.norton.com/sp/en/us/norton-security-suite/current/info?i...

Windows 10 Home X 64
Kudos 0

Re: Infostealer.Gampass(was I really infected?)

Typo! Of course, that should be malware removal!

Btw, this is an old threat that's been around for years.

https://www.symantec.com/security_response/writeup.jsp?docid=2006-111201...

Windows 10 Home X 64
Kudos 1

Re: Infostealer.Gampass(was I really infected?)

I agree with F4E: if in doubt, ask and permit the malware removal experts to make sure your system is clean. As it appears to be a Trojan, attempted self-remediation is not advised, as even if it appears to be removed, you are not sure whether it was removed or just went dormant, ready to return whenever it desires.

The malware removal sites F4E suggested have individuals who have gone through extensive training and continue to stay on top of the latest threats and their remediation methods.

We Gurus are Norton customers, the same as you are, and volunteer our time to assist other users. We are not qualified in malware removal, but are capable of supplying the guidance necessary for users to get their systems checked/cleaned if the user suspects a malware/virus infection.

BTW, had this post been made on the Comcast forum, the suggestions to visit a malware removal site would have been the same.

My suggestion: visit one of the sites F4E suggested and do not attempt any further self-remediation.

This thread is closed from further comment. Please visit the forum to start a new thread.