Virus returning after fresh install of XP

Status
Not open for further replies.

c8ddymon

Hi everyone, I am new to TechSpot, but I have been having a huge virus problem lately so I did some research and found you guys. The problem I am having right now is with the infostealer.gampass virus. Last week, somehow my dad got the virus on his computer, and Norton Anti-Virus said it could not delete the file. I then proceeded to format the computer; after formatting, I installed SP1, SP2, and used AutoPatcher for all of my other updates. When I was finished, I installed Norton again and after it installed, while I was receiving new updates, it started scanning and it found the infostealer.gampass virus as well as the win32.popwin virus. There is a secondary hard drive connected to the computer so I thought maybe the virus made its way to the second hard drive and came out again when I installed the new copy of Windows. I disconnected the hard drive and formatted the computer again. I installed Norton, ran a scan and everything was fine. I then installed SP1, SP2 and AutoPatcher. Upon completion, I ran LiveUpdate for Norton, and again it came up with the viruses. I really do not know what it is. I do not know if the copy of AutoPatcher I have has been tampered with, or if it's Norton. I read online somewhere that there are viruses that can co-exist in other areas of the computer, such as the CMOS battery or the Master Boot Record. Is this true? If so, how can I resolve my problem? This has been a terrible headache thus far and it is still continuing. Some processes that were running that I did not think belonged were:
MsIMMs32.exe
pohqlw.exe
kvsc3.exe
pykftz.exe
mppds.exe

Also, I ran Norton in safe mode and it came up with these viruses. There are 23, and Norton says it has removed them this time, but I do not want to do anything else before I consult with you guys:
00011937.exe
00011946.exe
00011974.exe
00011987.exe
00011992.exe
00011999.exe
00012346.exe
00012353.exe
00012383.dll
00012386.exe
00012389.exe
00012577.exe
00012583.exe
400DD9D4.ddl
auto.exe
K11934313494.exe
K11934340674.exe
LYLOADER.exe
LYMANGR.DLL
mh6018[1].exe
tl0619[1].exe
tl0619[2].exe
I am using Windows XP 2002.
Please help in any way that you can! This virus is driving me crazy. Thank you all in advance for taking your time in reading this.
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of c8ddymon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Solution

solution #1:

use XP Service Pack 2 (instead of patching) or Media Center (or better) after formatting the hard drive

solution #2 (not the best solution)

after formatting the hard drive install old XP WITHOUT being on the internet; before you even think about going online, install from file or disk Service Pack 2 OR virus protection and a firewall

do not even plug in the NIC cable!

note: you go online for a millisecond with old XP without protection, you have your virus back

solution #3:
I don't think there is one
-------------------

why:
XP and XP SP1 have a vulnerability that this and a few other viruses use to replicate themselves. If someone's computer is infected the virus will scan random IPs and when it finds a corresponding XP it will integrate itself immediately; usually this takes anything from 1 second to 30 minutes from the time you go online... consider how many millions of PCs are infected and they all scan who knows how many IPs / second

my advice: throw out that old XP or SP1, it's not worth the trouble; if you will be using SP2 or later there is not even much of a need for a firewall or virus protection.. the security seems to have improved quite a bit
 
Hey everyone! I just want to apologize first that I have not followed up with this post for a long while because I have been extremely busy with school. I have completed all the steps required of me to begin the process of fixing this mess.

siiix, thanks for your comment. Do you know where I can get SP2? as a download file so that I can install right away? I don't have SP2 in my version of XP so that is one of the main reasons why I chose to use the patcher: AutoPatcher_WinXP_May07_x86_ENU_Core(2).

Ok so when I started the computer again, Norton again found the viruses and stated that it had removed everything. Then I proceeded with following the cleaning steps, and after the step with searching with SmitFraudFix, I restarted the computer and Norton again picked up a downloader and the troubling infostealer.gamepass virus again. These were the files it detected and removed:
CB05E4E6.dll
downloader
ckmihb.dll
infostealer.gamepass

When I ran ComboFix, it found a few .exe files so hopefully that helps solve it. When I ran the Panda rootkit scan, it came up with 0 infections.
I have attached the log files of ComboFix, AVG Anti-Spyware, and HijackThis. Please let me know whether or not my computer is finally safe for use! Thanks in advance to anyone who will be helping me with this!

Symptoms:
1) virus comes back after installing AutoPatcher and Norton Anti-Virus, even after formatting my hard drive
2) after the virus makes itself known to Norton, a problem with opening my hard drive occurs. When I click My Computer > C:, it doesn't open up my C drive; instead it asks me what I want to use to open it. This problem has now been fixed since completing all the steps =)

Is there any way to tell how the virus came to be? This is my parents' computer, and they said that they have not done anything. Adobe Reader was just updated before the virus came here, but I do not think it's from that. I do not know if this is a possibility or not, but I was afraid that the virus was somehow in my parents' internet line so that any computer connected to their Cat5 cable will be infected. Is this at all possible? I have set up a backup computer for them and so far nothing is wrong, so I just want to make sure. But I will be sure to run AVG on all my systems!

Thanks

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

One little correction. This is how much school has made me forget everything =(. I do have a copy of XP SP2; I think I tried to ask if there is any way that I can get the other update files for XP SP2. Thanks!
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Go to Start > Run, type "services.msc" and press Enter. Search for the following services and right click to disable them. Then right click > Properties to set the startup type to "Disabled".

    142DAD8C
    6014C6BE


  2. Run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O23 - Service: 142DAD8C - Unknown owner - C:\WINDOWS\system32\8BF4F306.EXE (file missing)
    O23 - Service: 6014C6BE - Unknown owner - C:\WINDOWS\system32\39B4DBA.EXE (file missing)

  3. Whilst still in HijackThis, go to "Main Menu" and click on "Open the Misc Tools section". Click on the "Misc Tools" button and then "Delete an NT service..." Type the following into the prompt box and press OK after each entry.
    142DAD8C
    6014C6BE
    Close HJT.
Thereafter, please post a fresh HJT log from normal mode as an attachment into this thread.


Regards,
momok =)

This thread is for the use of c8ddymon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
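One way to surface leftover service entries like the two O23 "(file missing)" lines above without HijackThis, as an added example that is not code from the thread or from any of the tools it mentions (it assumes Windows PowerShell 2.0 or later and the standard Win32_Service WMI class):

```powershell
# Added example, not code from the thread or from HijackThis.
# Lists services whose registered executable no longer exists on disk,
# the condition HijackThis prints as "O23 - Service: ... (file missing)".
# Uses Get-WmiObject rather than Get-CimInstance so it runs on PowerShell 2.0.
function Get-OrphanedService {
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $cmd = $svc.PathName
        if (-not $cmd) { continue }
        $exe = $null
        if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
            # Quoted path: everything up to the closing quote is the executable.
            $exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
        } else {
            # Unquoted path: grow the prefix word by word until it names a real file,
            # so "C:\Program Files\x\y.exe -arg" is not cut off at the first space.
            $words = $cmd -split ' '
            for ($i = 1; $i -le $words.Count; $i++) {
                $cand = [Environment]::ExpandEnvironmentVariables(($words[0..($i - 1)] -join ' '))
                if (Test-Path -LiteralPath $cand -PathType Leaf) { $exe = $cand; break }
            }
            if (-not $exe) { $exe = $words[0] }   # nothing matched; report the first token
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            New-Object PSObject -Property @{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                State     = $svc.State
                Path      = $exe
            }
        }
    }
}

# Entries with random-looking names (compare 142DAD8C / 6014C6BE above) that you
# never installed are the ones to review and disable.
Get-OrphanedService | Format-Table Name, StartMode, State, Path -AutoSize
```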
 
Thanks momok! I am busy right now, but I will do this as soon as possible and post up a fresh log from HJT! Out of curiosity, what do those changes mean/do? And will a clean report from HJT represent a completely clean system? I am just really worried because the virus was an information-stealing trojan. And is it possible for my parents' internet line to be stuck with the virus? Or did it just come back because it found a way to store itself in some part of the hard drive that does not become affected by formatting? In other words, how did it keep coming back? Thank you so much for the help thus far! Thanks everyone!

c8ddymon
 
Hi,

The changes simply remove bad entries left over from the infection. The other logs (ComboFix and AVG) show a relatively cleaned system, which you should be grateful for. Oftentimes the preliminary removal instructions don't almost clean out the infection totally.

The infection in question (from your AVG log) shows it resided in your system restore values. But that has been fixed. I'm not sure where else it resided as I do not know or am able to view the file paths that your Norton/Antivirus cleaning fixed. Also, although Norton claims to be able to remove it, I highly doubt its capability in cleaning the infection. The fact that it returns simply means the cleaning was not thorough, which allowed the virus to regenerate files on your system. (Norton is also widely known otherwise as "crap" here)

Although your parents have claimed they have done nothing, it is still very likely that it is through their actions online that brought about the infection.

I also notice no firewall on that system. I strongly urge you to get one ASAP.
 
Thread closed due to lack of response. Should the original starter require it to be reopened, please PM a mod.
(Edit: thread reopened on request)
 
Hey momok,
Hopefully this will get through, so I am going to post the new HijackThis log. Also, in regards to having no firewall, isn't Norton Internet Worm Protection considered a firewall? It told me to turn off the Windows firewall because it will conflict with it.

thanks again for the help!

C8ddymon

P.S. If the virus is stored in System Restore, will it still come back after a fresh install?
 
Hi,

Your HijackThis log is clean. With regards to Norton, I have my own reservations, but you are free to decide on its use. Do note however, that there are plenty of excellent firewall choices that suit various user needs which are free on the web, such as Comodo, Kerio and ZoneAlarm.

If there are nasties lurking in system restore, any time you restore to that infected point it is likely you will get infected again. Thus, you should do the following.


  1. Please download and run CCleaner via step 9 of the instructions HERE.

  2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

  3. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  4. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  5. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)

This thread is for the use of c8ddymon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks momok!

Thanks for all the help you have provided me with for this situation. I truly, truly appreciate it! I will definitely stick with the ZoneAlarm firewall. Do you think or know by any chance whether or not the AutoPatcher contains a virus? Like, did it show up anywhere that another virus came to be after I installed the AutoPatcher? Well, thanks again for everything momok!

C8ddymon
 
Next time your Dad goes and gets a penicillin-resistant virus, ZERO FILL the drive, don't just format.


:)
 
I'm not sure about the AutoPatcher. But chances are, if you downloaded it from a legitimate site, it should be safe.
 
Hey everyone!
Thanks, I will remember to zero fill. I was thinking about it this time, but didn't get around to it. I have Maxtor's CD that zero fills, but it doesn't always work. Any other programs that can zero fill?

c8ddymon
 