Infected w/ trojan. How "full" should a full scan be?

By edsilver
Apr 9, 2009
Topic Status:
Not open for further replies.
  1. Hello! I have four computers. At least one of them was found to be infected with a trojan yesterday. Below is some basic info. I'm trying to decide what to do next, and was wondering if you could kindly give me some advice and guidance.

    - Computer #1. Has two internal drives. Drive A has three partitions. 1st: the system; 2nd: documents + a folder with programs that do not need installation to run; 3rd: music and video. Drive B has millions of html, text, and image files for a research project.
    - Computer #2. One single partition drive with system and documents.
    - Computers #3 and #4. Both have two internal drives: System drive + a drive with millions of html, text, and image files for a research project.
    - All the computers are on the same LAN. I frequently use Windows Remote Desktop to access one computer from another.
    - I use mapped network drives, flash USB drives, and external hard drives to move files among the four computers. They also share the same set of external backup drives.

    I noticed an unexpected IE popup on Computer #1 yesterday. So I did complete scans of Drive A in Safe Mode w/o Internet. Ad-Aware SE found Win32.TrojanPWS.Agent and Win32.Adware.Cydoor in a system restore point, and removed them. Windows Defender found nothing. Spy-bot S&D found some minor things. SAV found Backdoor.Trojan in VRDPlus.dll (belongs to Video Redo Plus) and removed it. After restart, SAV found Downloader.Trojan in ..\WINDOWS\System32\dsound3dd.dll but said access denied. Restarted to Safe Mode again, scanned dsound3dd.dll with SAV but found nothing wrong. Deleted it anyway.

    At the same time, I did Ad-Aware, Windows Defender, Spy-bot S&D, and SAV scans of the whole drive on Computer #2 and of the system drives on Computers #3 & #4. The only problem found was Win32.Backdoor.Hupigon on #2.

    Now I'm going to go through the 8-step procedure on #1, but have some questions before doing that: It says we need to do a "full scan" of the system, which in those programs means a complete scan of all the drives in the computer. But I was wondering:
    1. Do I have to scan non-system internal hard drives on the same computer? For example, Drive B on computer #1? May I just disconnect it during the scan? (Given the large number of files on that Drive B, it may take a very long time to scan.)
    2. Are complete scans on the other three computers necessary, given that they are connected and used in a way described above (Remote Desktop, drive mapping, sharing external drives, etc.)?
    3. How about the external drives? Do I have to scan all of them too?

    Also, if the problem on computer #1 is serious, I'm ready to do a reinstall. But the same questions remain for the "clean" install:
    4. When formatting the hard drive, should I just format the system partition, or the whole drive that has the system partition, or all the internal drives on the same computer?
    5. If I have to format the entire system drive (which has separate partitions containing documents and such), I need to copy out the documents, media files, and possibly software installation packages to external drives and then move them back after the new installation of Windows. Will that be a problem, i.e., will the malware stuff hide in those files and come back to reinfect the new system?

    I'm sorry for the long post. I know the above may just be really stupid questions, but I was confused and hope you experts could kindly offer some advice. Thank you!

    Edit: I've replaced SAV with Symantec Endpoint. May I use that in place of the recommended anti-virus software, or better not? Thanks!
  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    All the programs you have mentioned are lame compared to the dynamic duo of MBAM and SAS.

    Starting with the worst case, get us MBAM and SAS Quick Scans and an HJT scan. Will the worst case connect to Windows Update, or is it redirected?

    Depending on what the worst case finds we may can the advice on the others, but what's the deal? Leave the others scanning after hours or during lunch. Believe me, it is a lot easier to clean an infection than an infestation!

    Mike
  3. edsilver

    edsilver Newcomer, in training Topic Starter

    Thanks for your reply, Mike! I'll do the quick scans and post the logs. Windows Update seems to be working fine.

    I did MBAM and SAS Quick Scans and HJT scans on three of the computers. The logs are attached. (Since there are 12 log files, I packed them in a zip file and hope this is ok.) Thank you for your help!
    Note1: I noticed HJT logs are a little different when scanned in Safe Mode from when in normal mode, so I'm including both for each computer.
    Note2: When doing HJT scan on computer #2 in Safe Mode, there was an error as seen in the jpg attachment. The scan was done w/o network connection, so I didn't submit the error report to Trend Micro.
    Note3: I'm running a full Avira scan on computer #4. Currently at around 10% completion after 9.5 hours. But since it's not linear, not sure how long it will take to go through the 8 steps. Will post the results once done.

    Attached Files:

  4. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Good morning Ed

    I assume computer #1 is the worst case.

    I believe you have already cleaned the worst issues (Backdoor.Trojan in VRDPlus.dll) and (Win32.Backdoor.Hupigon).

    You seem experienced so I am going to give condensed instructions. If you need more info then get back to me.

    All the below apply to all computers.

    Run HJT Scan only and select and Fix all lines listed below:
    Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end. Plus the below:
    any of these that have nothing after the dash at the end of the line, example below
    O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} -

    Run Quick scans with MBAM and SAS again until they come up clean. Post the logs with additional found items; not necessary to post clean logs.

    Avira is my choice and most on this board, even though free. But multiple virus scanners, especially if one of them is a Norton/Symantec product, are not recommended. They may clash and cause errors and slowdown. You end up with less protection.

    If you remove Norton you will need to run 3 Removal/Cleanup tools after normal uninstall, so let me know.

    As I mentioned earlier, MBAM and SAS are far ahead of Adaware and Spybot, BUT the Immunize function of SpyBot is worth having; but update it and run the Immunize.

    I am going to post my Thread closing now since it contains additional Disk/Temp/Registry cleanups and additional suggestions for protections.

    In this case it does not mean we are finished. So..


    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

    If prompted to Reboot click, Yes.
    OTCleanIt will delete itself when finished. If not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps; then on the left click Registry, then Scan for issues; also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
    -------------------------------------------------------------------------------------
    The issues can be and are likely found in System Restore, so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point, but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------
    ERUNT
    Add a redundant Reg backup: get and install ERUNT, let it add itself to startup, and do a backup on install; check all boxes.

    ERUNT http://www.larshederer.homepage.t-online.de/erunt/
    Yes! Even if you use system restore and other backups Registry and Images.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner, ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt, to help you determine to approve or not, you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

    Download, install, run and allow it to disable DNS Client, select all Host files, and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
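The HJT "Fix" rules above (an entry ending in "(file missing)" or "(no file)", or an entry with nothing after the trailing dash) are easy to misapply on a log with hundreds of lines. The script below is an added example, not code from the thread or from HijackThis, that picks out exactly those lines from a log so they can be double-checked before ticking them. The log it runs on is constructed; its paths and CLSIDs are made up (only the O16 CLSID comes from the post), and it deliberately includes a line with "(file missing)" in the middle and "(no name)" entries, neither of which should be selected.

```python
import re

# Rules from the post for lines HijackThis should "Fix": the line ends with
# "(file missing)" or "(no file)", or nothing follows the final dash.
_DEAD_ENTRY = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
_EMPTY_TARGET = re.compile(r"\s-\s*$")
# Only HJT entry lines (R0-R3, F0-F3, N1-N4, O1-O24) are candidates; the
# header and the "Running processes" section are skipped.
_HJT_ENTRY = re.compile(r"^[RFNO]\d+\s-\s")


def is_fix_candidate(line: str) -> bool:
    """True when an HJT log line matches one of the fix rules above."""
    line = line.rstrip()
    if not _HJT_ENTRY.match(line):
        return False
    return bool(_DEAD_ENTRY.search(line) or _EMPTY_TARGET.search(line))


def select_fix_lines(log_text: str) -> list:
    """Return the entry lines of a HijackThis log that meet the fix rules."""
    return [ln.rstrip() for ln in log_text.splitlines() if is_fix_candidate(ln)]


# Constructed sample log (not one of the logs attached to the thread); paths
# and CLSIDs are made up except the O16 one quoted in the post. The second O4
# line carries "(file missing)" in the middle and must not be selected, and
# "(no name)" on the O2 lines is not "(no file)".
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\ExampleHelper.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [(file missing) updater] C:\Program Files\Example\upd.exe
O9 - Extra button: Example - {33333333-3333-3333-3333-333333333333} - C:\Program Files\Example\example.exe (file missing)
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} -
O20 - Winlogon Notify: example - (no file)
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\system32\examplesvc.exe (file missing)
"""

if __name__ == "__main__":
    for hit in select_fix_lines(SAMPLE_LOG):
        print(hit)
```

Run it against a saved hijackthis.log by reading the file into `select_fix_lines`; the five lines it prints for the sample are the ones the rules say to Fix, and everything it leaves out (the live ctfmon entry, the O4 line with the text mid-line) is exactly what should stay untouched.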
  5. edsilver

    edsilver Newcomer, in training Topic Starter

    HJT logs and questions

    Thank you very much, Mike!

    I've run HJT on computers #1, #2, & #3 and fixed things as you advised.

    [Question1] I've done the 8-step procedure with Full scans on computer #2, which had the Win32.Backdoor.Hupigon infection. MBAM and SAS both said it's clean. Avira also said it's clean, with two warnings that C:\pagefile.sys and C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll could not be opened. I'm attaching the final HJT log. Could you help check the HJT log to see if this computer #2 is now good to go?

    [Question2] I've done MBAM and SAS Quick scans to computers #1 and #3. Neither MBAM nor SAS found anything on either computer. I'm attaching the final HJT logs. Could you help check if these two computers look ok?

    Yes, computer #1 was the worst case, where Backdoor.Trojan was found in VRDPlus.dll. [Question3] I used to use Video Redo Plus to edit video files. How likely is it that the edited video files are affected/infected? (I noticed SAS defaults to not scanning files larger than 4MB, so I guess there shouldn't be problems, but I think it's better to ask for expert opinion.) Or, more generally, do trojans hide in files other than .dll and .exe (e.g., audio/video files, html files, text files, and image files)? This may decide whether I need to do Full scans on computers #1 and #3 and on all my external drives; all these have a very large number of html, text, and multimedia files.

    Thank you for the explanation about the antivirus and antispyware programs! I'll replace the Adaware and Spybot duo with MBAM and SAS in routine scanning but keep Spybot's Immunize function active. I have one question regarding real-time protection against spyware though. I noticed MBAM and SAS don't have real-time protection feature in their free versions. So: [Question4] Is the real-time protection in Windows Defender or Spybot's TeaTimer good? If yes, which of these two is better (I guess I'd better use only one)? If no, could you recommend some free software that does a good job on this? Or do I just have to pay for such protection?

    I want to completely remove the Symantec anti-virus program. I've done the normal uninstall via Add/Remove Programs. [Question5] Could you point me to the 3 Removal/Cleanup tools?

    [Question6] May I ask: when doing scans, which environment is the best -- normal mode, Safe Mode, or Windows Live CD/USB?

    [Question7] Could you recommend changes to the default settings in MBAM and SAS for stricter detection? Or generally the default settings are sufficient?

    Thanks a lot! I really appreciate your help!
  6. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Q1 This is normal for the PageFile, but not for C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll; but that does not mean it is infected. In this case, to be sure, it is a time to scan in Safe Mode!

    So Q6: when it will not run in Normal, or in a case like this, run in Safe Mode, but normal mode otherwise.

    Q4 Teatimer and Windows Defender are OK but I recommend Comodo BOClean http://www.comodo.com/boclean/boclean.html Much smarter and less intrusive.

    Q5 Remove Norton
    Norton is hard to remove fully and properly and can cause non apparent issues and performance issues until properly cleaned.

    Norton removal tool (use this to cleanup after a normal uninstall or if it will not uninstall)
    http://majorgeeks.com/Norton_Removal...NRT_d4749.html

    Then SymRegFix ftp://ftp.symantec.com/public/english_us_canada/tutorials/SymRegFix.exe

    To download using Internet Explorer. Click the following link to download the file:

    SYMMSICLEANUP.reg ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SYMMSICLEANUP.reg
    Save the file to the Windows desktop.

    To download using Firefox. Right-click the following link and then click Save Link As to download the file:

    SYMMSICLEANUP.reg ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SYMMSICLEANUP.reg

    then
    Use same instructions for IE or FF to get the below.

    IE: MSIFIX.bat ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/MSIFIX.bat

    FF: MSIFIX.bat ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/MSIFIX.bat

    Run all above in order presented.

    Q7 Before you scan with either MalwareBytes or SuperAntiSpyWare, do the Extra Configs below; these have become most important lately.

    SuperAntispyware extra config

    After installed double-click the icon on your desktop to run it.

    Update the program definitions.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure all boxes are checked except #3 Ignore System Restore.

    MalwareBytes extra config

    After update but before running
    Click settings and confirm all are Checked.

    Mike
  7. edsilver

    edsilver Newcomer, in training Topic Starter

    Thank you for the detailed instructions and advice! I'm following these to do a couple more rounds of scans. So far so good.

    As for the C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll lock, I did do that scan in Safe Mode. But to be sure, I re-did the full scan in Safe Mode again, and Avira reported the same thing. Right after the scan, I tried to delete the entire $NtUninstallQ828026$ folder, and strangely, Windows didn't say a word, and the entire folder was deleted with no problem. Then I restarted to Safe Mode and did another full scan. This time Avira didn't show the warning message, so I guess it should be ok then.

    While being hit by trojans is an unfortunate event, it's fortunate to have experts like you kindly extending the much-needed helping hands. Thanks very much for your help!
  8. mflynn

    mflynn Newcomer, in training Posts: 2,793

    You are so welcome.

    I will consider this my closing for now.

    You may think you are finally free of Norton after all the above!
    To get more Norton/Symantec, do a Windows search using Advanced settings to search system, hidden and subfolders.
    Paste
    norton*.*;syman*.*;liveup*.*
    into the search bar; delete all found.
    Then download and install RegSeeker http://www.hoverdesk.net/freeware.htm
    Click its Find in Registry and one at a time search for
    norton
    symantec
    liveupdate

    Delete all found but make sure the liveupdate refers to Norton!

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    Removing unneeded services can increase performance but can also be a security improvement as it may remove a Malware entry point!

    Of the below, if you are using a Domain Controller on your LAN you will need to keep Netlogon. It should be obvious that Remote Registry is a possible security threat.

    Considering that..

    Clean and tweak services

    In services, stop and disable all of the below just to get them out of the way for now for troubleshooting purposes.

    Nothing is un-installed or deleted only disabled from running!

    They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

    Disabled uses no memory (RAM) and no CPU cycles.
    Manual uses the RAM but a small amount of CPU.
    Auto and not started they use even more RAM and CPU.
    Auto and started even more RAM and CPU ..

    Now in this case we are disabling for troubleshooting purposes. But when we finish, if you leave them all off until it is noticed that you need one (not likely for 99%), then it can be enabled.

    Leaving these all off then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note: if you are going to pick and choose, then be aware that the small amount of RAM and CPU cycles of each one individually is not significant, but as a group it is! So if you need most of them (or just think you do because you don't), then just as well enable them all!

    Distributed Link Tracking Client
    Distributed Transaction Coordinator
    DNS Client
    Fast User switching
    Health Key and Certificate Management Service
    Indexing service
    Messenger
    Net logon
    Net.TCP Port Sharing
    NetMeeting Remote Desktop Sharing
    IPsec services
    QoS RSVP
    Remote Registry
    Uninterruptible Power Supply
    Universal Plug and Play
    Web Client
    Windows Media Player Network Sharing

    IF you are using a wired network card and "NOT" using wireless on this computer then you can
    also disable

    Wireless Zero configuration

    Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

    In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

    This is not to be confused with Wired AutoConfig; do not disable that!

    This will do it for you (ignore errors as it may try to turn off something already off or non-existent)

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    rem Each pair below sets a service to Disabled and then stops it. Services
    rem that are not installed on this machine (server-only ones such as Dfs,
    rem kdc, IsmServ, LicenseService, TrkSvr) give an error that can be ignored.
    sc config Alerter start= disabled
    sc stop Alerter

    rem Application Experience Lookup Service
    sc config AeLookupSvc start= disabled
    sc stop AeLookupSvc

    sc config ClipBook start= disabled
    sc stop ClipBook

    sc config Dfs start= disabled
    sc stop Dfs

    rem Fast User Switching (the service name is spelled "Compatibility")
    sc config FastUserSwitchingCompatibility start= disabled
    sc stop FastUserSwitchingCompatibility

    rem Distributed Link Tracking Client / Server
    sc config TrkWks start= disabled
    sc stop TrkWks

    sc config TrkSvr start= disabled
    sc stop TrkSvr

    rem DNS Client
    sc config DNSCache start= disabled
    sc stop DNSCache

    rem Error Reporting Service
    sc config ERSvc start= disabled
    sc stop ERSvc

    rem Human Interface Device Access
    sc config HidServ start= disabled
    sc stop HidServ

    rem IPsec Services
    sc config PolicyAgent start= disabled
    sc stop PolicyAgent

    rem Indexing Service
    sc config CiSvc start= disabled
    sc stop CiSvc

    rem Intersite Messaging (service name is IsmServ)
    sc config IsmServ start= disabled
    sc stop IsmServ

    sc config kdc start= disabled
    sc stop kdc

    sc config LicenseService start= disabled
    sc stop LicenseService

    sc config Messenger start= disabled
    sc stop Messenger

    rem Keep Netlogon if this machine belongs to a domain
    sc config Netlogon start= disabled
    sc stop Netlogon

    sc config NetTcpPortSharing start= disabled
    sc stop NetTcpPortSharing

    rem NetMeeting Remote Desktop Sharing
    sc config mnmsrvc start= disabled
    sc stop mnmsrvc

    rem Network DDE and Network DDE DSDM
    sc config NetDDE start= disabled
    sc stop NetDDE

    sc config NetDDEdsdm start= disabled
    sc stop NetDDEdsdm

    rem NT LM Security Support Provider
    sc config NtLmSsp start= disabled
    sc stop NtLmSsp

    rem Performance Logs and Alerts
    sc config SysmonLog start= disabled
    sc stop SysmonLog

    rem QoS RSVP
    sc config RSVP start= disabled
    sc stop RSVP

    rem Universal Plug and Play (SSDP Discovery and UPnP Device Host)
    sc config SSDPSRV start= disabled
    sc stop SSDPSRV

    sc config upnphost start= disabled
    sc stop upnphost

    rem Windows Media Player Network Sharing
    sc config WMPNetworkSvc start= disabled
    sc stop WMPNetworkSvc

    rem WMI Performance Adapter
    sc config WmiApSrv start= disabled
    sc stop WmiApSrv

    rem Portable Media Serial Number Service
    sc config WmdmPmSN start= disabled
    sc stop WmdmPmSN

    sc config RemoteRegistry start= disabled
    sc stop RemoteRegistry

    rem Routing and Remote Access
    sc config RemoteAccess start= disabled
    sc stop RemoteAccess

    rem Smart Card
    sc config SCardSvr start= disabled
    sc stop SCardSvr

    rem Telnet
    sc config TlnSvr start= disabled
    sc stop TlnSvr

    rem Uninterruptible Power Supply
    sc config UPS start= disabled
    sc stop UPS

    sc config WebClient start= disabled
    sc stop WebClient

    rem Make sure the core services the cleanup tools rely on are set to start
    rem automatically ("sc config" takes "auto", not "Automatic").
    sc config RpcSs start= auto
    sc start RpcSs

    rem Remote Procedure Call Locator (service name is RpcLocator)
    sc config RpcLocator start= auto
    sc start RpcLocator

    rem Windows Installer
    sc config MSIServer start= auto
    sc start MSIServer
    exit
    exit
    Extra security programs to consider.
    XPY http://xpy.whyeye.org/2008/12/04/xpy-0109-and-vispa-029/
    SecureIt http://www.sniff-em.com/secureit.shtml
    HardenIt http://www.sniff-em.com/hardenit.shtml
    and
    XP-AntiSpy http://www.xp-antispy.org/index.php/lang-en

    Good luck,
    Mike
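The post says the disabled services "can be put back anytime later", but the batch script does not record what each one was set to before it ran, so putting one back means guessing whether it was Automatic or Manual. The script below is an added example, not the post's own code: it runs `sc qc` for every service in the post's list, parses the START_TYPE each one currently has, and writes a `restore_services.bat` that would set them all back, marking the ones that are not installed on this machine. Run it before pasting the disable script. The two `sc qc` outputs embedded in it are constructed samples used to exercise the parser offline; `restore_services.bat` is a filename chosen here.

```python
import re
import subprocess
from typing import Dict, Optional

# Service names exactly as the post's batch script disables them (the three it
# re-enables at the end, RpcSs, RpcLocator and MSIServer, are left alone).
SERVICES = [
    "Alerter", "AeLookupSvc", "ClipBook", "Dfs", "FastUserSwitchingCompatibility",
    "TrkWks", "TrkSvr", "DNSCache", "ERSvc", "HidServ", "PolicyAgent", "CiSvc",
    "IsmServ", "kdc", "LicenseService", "Messenger", "Netlogon", "NetTcpPortSharing",
    "mnmsrvc", "NetDDE", "NetDDEdsdm", "NtLmSsp", "SysmonLog", "RSVP", "SSDPSRV",
    "upnphost", "WMPNetworkSvc", "WmiApSrv", "WmdmPmSN", "RemoteRegistry",
    "RemoteAccess", "SCardSvr", "TlnSvr", "UPS", "WebClient",
]

# START_TYPE codes printed by "sc qc", mapped to the keyword "sc config start=" accepts.
START_TYPE_KEYWORDS = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

_START_TYPE = re.compile(r"^\s*START_TYPE\s*:\s*(\d+)", re.MULTILINE)


def parse_start_type(sc_qc_output: str) -> Optional[str]:
    """Extract the start keyword from 'sc qc' output; None when the service is absent."""
    match = _START_TYPE.search(sc_qc_output)
    if match is None:
        return None
    return START_TYPE_KEYWORDS.get(match.group(1))


def query_start_type(service: str) -> Optional[str]:
    """Run 'sc qc <service>' on this machine (Windows only) and parse its output."""
    proc = subprocess.run(["sc", "qc", service], capture_output=True, text=True)
    return parse_start_type(proc.stdout)


def build_restore_script(start_types: Dict[str, Optional[str]]) -> str:
    """Batch file that puts every service back to the start type recorded before the tweak."""
    lines = ["@echo off", "rem Generated before the services were disabled; run to undo the tweak."]
    for name, keyword in start_types.items():
        if keyword is None:
            lines.append(f"rem {name}: not installed on this machine, nothing to restore")
        else:
            lines.append(f"sc config {name} start= {keyword}")
    return "\r\n".join(lines) + "\r\n"


# Constructed 'sc qc' outputs (not captured from the thread's machines) used
# to exercise the parser without running sc.
SAMPLE_QC_PRESENT = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
        DISPLAY_NAME       : Remote Registry
"""
SAMPLE_QC_MISSING = ("[SC] OpenService FAILED 1060:\n\n"
                     "The specified service does not exist as an installed service.\n")

if __name__ == "__main__":
    recorded = {name: query_start_type(name) for name in SERVICES}
    with open("restore_services.bat", "w", newline="") as fh:
        fh.write(build_restore_script(recorded))
    missing = [n for n, k in recorded.items() if k is None]
    print(f"recorded {len(recorded) - len(missing)} services; not installed: {missing}")
```

The generated batch file only resets start types; a service that was running before and is wanted again still needs a `sc start` or a reboot, and a start type of "disabled" in the restore file simply means it was already off before the tweak.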