TechSpot

Laptop keeps getting infected, even after format and re-install

By marioxb
Nov 3, 2009
  1. I'm actually using a library laptop while my laptop (Acer Aspire One) is currently being formatted and having Windows XP Pro with Service Pack 3 installed via an external DVD-ROM drive for about the 10th time now. Every time I re-format and re-install, the viruses/spyware or whatever keep coming back! I've used Spybot, Ad-Aware, the full version of Spyware Doctor with anti-virus and the free version of Malwarebytes Anti-Malware. They just keep coming back! I don't know what to do! For the first time I even followed all of the steps here:

    http://www.techspot.com/vb/topic31474.html

    after a fresh install. When I created a limited account, I could not do anything. It would take FOREVER for the desktop to load in the limited account, and when it finally did, I couldn't do anything. The desktop had no icons and I couldn't run anything. I pressed Ctrl, Alt, Delete and the task manager showed LOTS of svchost.exe and iexplore.exe processes running. So many that it was impossible to end them all.

    So I switched back to the admin account and went online, only to look up why I couldn't access the limited account. I never found any useful help. Before long, my pc was infected again. Like before, one of the first things I noticed was some stupid fake program/virus called Security Tool. Then I couldn't open Firefox anymore. I tried logging into safe mode. I got a BSOD saying there were viruses and the computer rebooted. I tried again and again, same result. So I went back into the admin account to try and install some anti virus/spyware programs. Now I couldn't even install or run ANY programs! This is why I'm here now.

    The problem laptop next to me has finally finished formatting and installing and I'm looking at the desktop with only the Recycle Bin icon and a bubble (from Microsoft) noting that Antivirus software might not be installed. Nothing has been installed yet. I'm now going to install Hijack This and post a log here before I do anything else. I'm afraid to go online with it, even just to install Spybot S&D (it always wants to look for stuff online during the install), before you guys advise me.
     
  2. rf6647

    rf6647 TS Maniac Posts: 829

    I find it curious that the HJT log is not reporting any services.
    Additionally, please comment on the following running process appearing in HJT
    Code:
    C:\Documents and Settings\_DONT_USE_\Application Data\U3\0876020A80101216\LaunchPad.exe
    I am guessing that you have a flash drive plugged in or the slip streamed load created user = '_DONT_USE_'.
    I experienced an application named similar to 'U3' that was bound to a "free" flash drive.

    I would consider a fresh install from the sp2 slip stream version.
     
  3. marioxb

    marioxb TS Rookie Topic Starter

    Yeah, there's a SanDisk 4GB USB flash drive plugged in. That's where I installed HijackThis from. I named the admin account (not the one from safe mode) DONT_USE so that once I create limited accounts, my wife and I won't accidentally use the admin account.

    SP2 huh? Why? Are there problems with SP3? I don't have a sp2 slip stream version CD.
     
  4. rf6647

    rf6647 TS Maniac Posts: 829

    I have been away from this forum for a long time - reconnecting with the tools is a slow process.

    HJT uses a 'white list' approach to reporting findings in the log. Hence, the HJT log does not report '023' services associated with Windows basic operation. Therefore, your SP3 load is not suspect of causing infections.

    This is the 10th rebuild you say. Look at the protections you've chosen and your method to build a secure, malware-free system. I feel comfortable protecting my computer with ZoneAlarm (firewall) and Avira (antimalware, real time). While you rebuild, home networks should be considered as a possible source of re-infections. Computers in the home network are not trusted during the rebuild - use ZoneAlarm to block communications. Some of the folk lore considers the possibility of hacked routers circumventing firewall protection.

    Understand that P2P file sharing applications poke holes in the firewall. Their use makes protecting the computer almost impossible. U3 is a legit vendor for applications associated with a branded flash drive. However, I question their methods with respect to the firewall.

    Good luck with the rebuild. Use this forum to share handy hints leading to success or missed opportunities leading to re-infection.
     
  5. aqua

    aqua TS Rookie Posts: 57

    If I were you, forget about reformatting. You need to wipe the hard drive out: look for DBAN,
    read about it, boot from CD, and do a fresh reinstall.
    Wait, but first download a copy of the free Avast or Avira. Reinstall the OS, install the antivirus, then go online for updates.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    mario, if you still need help, please follow the steps in the Virus and Malware Removal HERE.

    When you have finished, PASTE in a FULL log from HijackThis.

    Attach the logs from Malwarebytes and Superantispyware.

    NOTE: you are referring to both a laptop and a desktop. IF you have problems with both, they each need to be on a separate thread.
     
  7. marioxb

    marioxb TS Rookie Topic Starter

    No sorry it's just the one laptop. When I said "desktop" in my initial post, I was referring to the virtual "desktop", as in Documents and Settings/mario/desktop.

    Anyway, I'm currently performing the 8 steps and I think I actually found the problem! I had some files on my SD cards/USB sticks that Avira tells me were infected with W32/Parite and W32/Virut.gen.

    Some of these files were actually from the Acer website, so I assumed there was no possible way they could be harmful. They were driver files that somehow got infected along the way. I would install them every time after the fresh install and I think that's part of what kept giving the swine flu to the laptop.

    After the 8 steps, I will post logs and keep you all informed as to my status. Thanks a lot guys!
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Mario, please do the following to check for Virut:

    Virut is a polymorphic file infector that infects .EXE and .SCR files. It opens a backdoor by connecting to a predefined IRC server and waits for commands from the remote attacker.

    And I can't say anything better or different than what you can read here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


    Change all of your passwords and monitor any online transactions. Most of us recommend a reformat/reinstall when a Virut infection is confirmed. There's no point in wasting time trying to remove it and further infecting the system.

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these:

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Please attach the results of that scan in your next reply.
     
  9. marioxb

    marioxb TS Rookie Topic Starter

    Here's all three. Yay! Nothing found!

    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/07 09:19:59 (CST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://virscan.org/report/1d7a5c3bebcf4a8617c1d59db1330b04.html


    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/07 09:29:44 (CST)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 1033728 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    Online report : http://virscan.org/report/3bace88c5d2edd58f75b1e0ccb9d1a50.html


    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/07 09:32:47 (CST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://virscan.org/report/2046af85b65a77a18c8a7e285acef88c.html

     
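The thread turns on two points: driver installers carried over on SD cards/USB sticks had been modified by a file infector (post #7), and the helper checked the key system executables by hashing them and submitting them to VirSCAN (posts #8 and #9). The script below is an added example, not code from any poster or from VirSCAN: it baselines a folder of installers with MD5/SHA1 (the same digests the VirSCAN reports print) before a rebuild, then reports files whose contents changed, appeared or disappeared, and flags which of those carry a PE header. Folder names and file contents in the demo are constructed.

```python
"""Hash-manifest check for files carried across a rebuild (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digests(path):
    """Return MD5, SHA1 and size of one file, reading it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "size": os.path.getsize(path)}


def build_manifest(root):
    """Digest every file under root, keyed by its forward-slash relative path."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): file_digests(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    """Write the manifest as JSON; keep this file somewhere the media cannot alter it."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_manifest(root, manifest):
    """Compare the tree under root with a saved manifest."""
    current = build_manifest(root)
    changed = [k for k in manifest
               if k in current and current[k]["sha1"] != manifest[k]["sha1"]]
    new = [k for k in current if k not in manifest]
    missing = [k for k in manifest if k not in current]
    # A changed or unexpected file that starts with the 'MZ' DOS stub is an
    # executable, which is what file infectors such as Parite and Virut modify.
    suspects = [k for k in changed + new
                if (Path(root) / k).open("rb").read(2) == b"MZ"]
    return {"changed": changed, "new": new, "missing": missing,
            "executable_suspects": suspects}


def demo():
    """Constructed scenario: baseline a driver folder, then alter one installer."""
    with tempfile.TemporaryDirectory() as tmp:
        drv = Path(tmp) / "drivers"
        drv.mkdir()
        (drv / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"driver installer body")
        (drv / "readme.txt").write_bytes(b"Acer driver package")
        save_manifest(build_manifest(drv), Path(tmp) / "manifest.json")
        # Simulate an infector appending code to the executable and dropping a .scr.
        with open(drv / "setup.exe", "ab") as fh:
            fh.write(b"\x90" * 16)
        (drv / "extra.scr").write_bytes(b"MZ" + b"unexpected new file")
        manifest = load_manifest(Path(tmp) / "manifest.json")
        return manifest, verify_manifest(drv, manifest)


if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

Re-running the check before reinstalling anything from the stick turns "these drivers came from the vendor site, so they must be clean" into a verifiable statement, as long as the manifest itself is stored off the media being checked.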
  10. marioxb

    marioxb TS Rookie Topic Starter

    Oops, double post. Sorry...
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hum, that doesn't make sense. Please go to the link I left in Post #2 for the malware removal steps. Run Malwarebytes and Superantispyware, then follow with a new scan in HijackThis. Include logs as follows.

    Handling logs and Reports:

    The only log that needs to be pasted in the reply is the HijackThis log.

    All other logs and reports can be attached unless your helper asks otherwise.

    I don't have enough information to do anything with. The first HJT log is no good. If you have to, download the programs to a flash drive, then install and run them on the problem computer. I'd rather run them in Normal Mode if possible.

    NOTE: If Avira has quarantined any entries, please delete them, then empty the Recycle Bin.
     
  12. marioxb

    marioxb TS Rookie Topic Starter

    OK, I emptied the recycle bin and deleted all of the quarantined items. I then did the entire 8 step process. Avira, Mbam and SAS found nothing. I think I'm all good now! Here's the hjt log:
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Mario, I would like to see the logs from Malwarebytes and Superantispyware.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Attach reports and logs.

    Since it appears that the system gets reinfected after reinstalls, it's likely that some file or folder that you are putting back on the system has malware.
     
  14. marioxb

    marioxb TS Rookie Topic Starter

    I know. To quote myself from earlier,

    Avira had deleted these infected driver files and I haven't had a problem since. I re-downloaded the problem drivers and now they don't contain viruses. I'm downloading combofix now..

    Here's the online scan result:

    Attached are the other 3 log files.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry, I missed the driver comment first time around.

    Please do the following:
    TFC (Temp File Cleaner)
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Empty the Recycle Bin

    Then rescan with HijackThis. If it's okay, I'll have you remove the cleaning tools and set new restore point.
     
  16. marioxb

    marioxb TS Rookie Topic Starter

    OK, used TFC and emptied the recycle bin. Here's the new log:
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Reopen HijackThis to 'do system scan only.' Check the following if present:

    C:\DOCUME~1\_DONT_~1\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')


    Close all Windows except HJT and click on "Fix Checked."

    Remove all of the tools we used and the files and folders they created

    Uninstall ComboFix.exe and all backups of the files it deleted
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


    Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    If I can be of further help, please let me know.
     
  18. marioxb

    marioxb TS Rookie Topic Starter

    Thanks a lot! Only the last two items were still present in HijackThis.
     
  19. kritius

    kritius TS Guru Posts: 2,084

    These will never show when doing a system scan in HijackThis; they are only present in the report as they are running processes.
     