Infected w/ trojan. How "full" should a full scan be?

Hello! I have four computers. At least one of them was found to be infected with a trojan yesterday. Below is some basic info. I'm trying to decide what to do next, and was wondering if you could kindly give me some advice and guidance.

- Computer #1. Has two internal drives. Drive A has three partitions. 1st: the system; 2nd: documents + a folder with programs that do not need installation to run; 3rd: music and video. Drive B has millions of html, text, and image files for a research project.
- Computer #2. One single partition drive with system and documents.
- Computers #3 and #4. Both have two internal drives: System drive + a drive with millions of html, text, and image files for a research project.
- All the computers are on the same LAN. I frequently use Windows Remote Desktop to access one computer from another.
- I use mapped network drives, flash USB drives, and external hard drives to move files among the four computers. They also share the same set of external backup drives.

I noticed an unexpected IE popup on Computer #1 yesterday. So I did complete scans of Drive A in Safe Mode w/o Internet. Ad-Aware SE found Win32.TrojanPWS.Agent and Win32.Adware.Cydoor in a system restore point, and removed them. Windows Defender found nothing. Spy-bot S&D found some minor things. SAV found Backdoor.Trojan in VRDPlus.dll (belongs to Video Redo Plus) and removed it. After restart, SAV found Downloader.Trojan in ..\WINDOWS\System32\dsound3dd.dll but said access denied. Restarted to Safe Mode again, scanned dsound3dd.dll with SAV but found nothing wrong. Deleted it anyway.

At the same time, I did Ad-Aware, Windows Defender, Spy-bot S&D, and SAV scans of the whole drive on Computer #2 and the system drives on Computers #3 & #4. The only problem found was Win32.Backdoor.Hupigon on #2.

Now I'm going to go through the 8-step procedure on #1, but have some questions before doing that: It says we need to do a "full scan" of the system, which in those programs means a complete scan of all the drives in the computer. But I was wondering:
1. Do I have to scan non-system internal hard drives on the same computer? For example, Drive B on computer #1? May I just disconnect it during the scan? (Given the large number of files on that Drive B, it may take a very long time to scan.)
2. Are complete scans on the other three computers necessary, given that they are connected and used in a way described above (Remote Desktop, drive mapping, sharing external drives, etc.)?
3. How about the external drives? Do I have to scan all of them too?

Also, if the problem on computer #1 is serious, I'm ready to do a reinstall. But the same questions remain for the "clean" install:
4. When formatting the hard drive, should I just format the system partition, or the whole drive that has the system partition, or all the internal drives on the same computer?
5. If I have to format the entire system drive (which has separate partitions containing documents and such), I need to copy out the documents, media files, and possibly software installation packages to external drives and then move them back after the new installation of Windows. Will that be a problem, i.e., will the malware stuff hide in those files and come back to reinfect the new system?

I'm sorry for the long post. I know the above may just be really stupid questions, but I was confused and hope you experts could kindly offer some advice. Thank you!

Edit: I've replaced SAV with Symantec Endpoint. May I use that in place of the recommended anti-virus software, or better not? Thanks!
 
All the programs you have mentioned are lame compared to the dynamic duo of MBAM and SAS.

Starting with the worst case, get us MBAM and SAS Quick Scans and an HJT scan. Will the worst case connect to Windows Update, or is it redirected?

Depending on what the worst case finds, we may can the advice on the others, but what's the deal? Leave the others scanning after hours or during lunch. Believe me, it is a lot easier to clean an infection than an infestation!

Mike
 
Thanks for your reply, Mike! I'll do the quick scans and post the logs. Windows Update seems to be working fine.

I did MBAM and SAS Quick Scans and HJT scans on three of the computers. The logs are attached. (Since there're 12 log files, I packed them in a zip file and hope this is ok.) Thank you for your help!
Note 1: I noticed HJT logs are a little different when scanned in Safe Mode from when in normal mode, so I'm including both for each computer.
Note 2: When doing the HJT scan on computer #2 in Safe Mode, there was an error as seen in the jpg attachment. The scan was done w/o network connection, so I didn't submit the error report to Trend Micro.
Note 3: I'm running a full Avira scan on computer #4. Currently at around 10% completion after 9.5 hours. But since it's not linear, I'm not sure how long it will take to go through the 8 steps. Will post the results once done.
 

Attachments: error.jpg (68.6 KB)
Good morning, Ed

I assume computer #1 is worst case.

I believe you have already cleaned the worst issues (Backdoor.Trojan in VRDPlus.dll) and (Win32.Backdoor.Hupigon).

You seem experienced so I am going to give condensed instructions. If you need more info then get back to me.

All the below apply to all computers.

Run HJT Scan only and select and Fix all lines listed below:
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end. Plus the below:
Any of these that have nothing after the dash at the end of the line, example below:
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} -

Run Quick scans with MBAM and SAS again until they come up clean. Post the logs with additional found items; it is not necessary to post clean logs.

Avira is my choice and most on this board, even though free. But multiple Virus scanners, especially if one of them is a Norton/Symantec product, is not recommended. They may clash and cause errors and slowdown. You end up with less protection.

If you remove Norton you will need to run 3 Removal/Cleanup tools after normal uninstall, so let me know.

As I mentioned earlier, MBAM and SAS are far ahead of Adaware and Spybot, BUT the Immunize function of SpyBot is worth having, so update and run the Immunize.

I am going to post my Thread Closing now since it contains additional Disk/Temp/Registry cleanups and additional suggestions for protection.

In this case it does not mean we are finished. So..


Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

If prompted to Reboot click, Yes.
OTCleanIt will delete itself when finished. If not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at the bottom, no Yahoo toolbar)
Run twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
-------------------------------------------------------------------------------------
The issues can be, and are likely to be, found in System Restore, so do the below:

Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure", and then OK to run.

As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears something else that can contain infested files and take up a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Reg backup: get and install ERUNT, let it add itself to startup, and do a backup on install; check all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions, ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you about the prompt, to help you determine whether to approve or not, you can Google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

Download, install, run and allow it to disable DNS Client, select all Hosts files, and then Update and install all hosts files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
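A small triage helper for the HJT rule above (select entries that end in "(file missing)" or "(no file)", or whose trailing dash has nothing after it, and leave everything else alone). This is an added example, not part of the thread or of HijackThis itself; the log excerpt is constructed, the all-zero GUIDs are placeholders rather than real CLSIDs, and only the O16 line quoted in the thread is taken from the page.

```python
import re

# Constructed HijackThis-style log excerpt for illustration. All GUIDs except
# the O16 line quoted in the thread are placeholders, not real CLSIDs.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Program Files\Example (no file)\updater.exe
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000003} - C:\Program Files\Example\button.exe (file missing)
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} -
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Example Control) - http://example.invalid/control.cab
O23 - Service: Example Guard (ExampleSvc) - Example GmbH - C:\Program Files\Example\guard.exe
"""

# The two rules from the thread: the marker must be the LAST thing on the line
# (a "(no file)" in the middle of a path does not count), and an entry whose
# trailing dash has nothing after it is an orphaned reference.
TRAILING_MARKER_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
EMPTY_AFTER_DASH_RE = re.compile(r"\s-\s*$")
ENTRY_RE = re.compile(r"^O\d+\s-\s")  # only numbered HJT entries are fixable


def classify(line: str):
    """Return why a line should be selected for Fix, or None to leave it alone."""
    line = line.rstrip()
    if not ENTRY_RE.match(line):
        return None  # header, running-process list, blank line
    if TRAILING_MARKER_RE.search(line):
        return "missing file"
    if EMPTY_AFTER_DASH_RE.search(line):
        return "nothing after dash"
    return None


def select_fix_lines(log_text: str):
    """Return (line, reason) for every entry the thread's rules say to Fix."""
    selected = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            selected.append((line.rstrip(), reason))
    return selected


if __name__ == "__main__":
    for line, reason in select_fix_lines(SAMPLE_HJT_LOG):
        print(f"[{reason}] {line}")
```

On the sample log it selects exactly three entries (the dead BHO, the missing Extra button target, and the dangling O16) and skips the O4 line that merely contains "(no file)" inside a path.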
 
HJT logs and questions

Thank you very much, Mike!

I've run HJT on computers #1, #2, & #3 and fixed things as you advised.

[Question1] I've done the 8-step procedure with Full scans on computer #2, which had the Win32.Backdoor.Hupigon infection. MBAM and SAS both said it's clean. Avira also said it's clean, with two warnings that C:\pagefile.sys and C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll could not be opened. I'm attaching the final HJT log. Could you help check the HJT log to see if this computer #2 is now good to go?

[Question2] I've done MBAM and SAS Quick scans to computers #1 and #3. Neither MBAM nor SAS found anything on either computer. I'm attaching the final HJT logs. Could you help check if these two computers look ok?

Yes, computer #1 was the worst case, where Backdoor.Trojan was found in VRDPlus.dll. [Question3] I used to use Video Redo Plus to edit video files. How likely is it that the edited video files are affected/infected? (I noticed SAS defaults to not scanning files larger than 4MB, so I guess there shouldn't be problems, but I think it's better to ask for expert opinion.) Or, more generally, do trojans hide in files other than .dll and .exe (e.g., audio/video files, html files, text files, and image files)? This may decide whether I need to do Full scans on computers #1 and #3 and on all my external drives; all these have a very large number of html, text, and multimedia files.

Thank you for the explanation about the antivirus and antispyware programs! I'll replace the Adaware and Spybot duo with MBAM and SAS in routine scanning but keep Spybot's Immunize function active. I have one question regarding real-time protection against spyware though. I noticed MBAM and SAS don't have a real-time protection feature in their free versions. So: [Question4] Is the real-time protection in Windows Defender or Spybot's TeaTimer good? If yes, which of these two is better (I guess I'd better use only one)? If no, could you recommend some free software that does a good job on this? Or do I just have to pay for such protection?

I want to completely remove the Symantec anti-virus program. I've done the normal uninstall via Add/Remove Programs. [Question5] Could you point me to the 3 Removal/Cleanup tools?

[Question6] May I ask: when doing scans, which environment is the best -- normal mode, Safe Mode, or Windows Live CD/USB?

[Question7] Could you recommend changes to the default settings in MBAM and SAS for stricter detection? Or generally the default settings are sufficient?

Thanks a lot! I really appreciate your help!
 
Q1 This is normal for the PageFile, but not for C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll; but that does not mean it is infected. In this case, to be sure, it is time to scan in Safe Mode!

So Q6: when it will not run in Normal mode, or in a case like this, run in Safe Mode, but Normal mode otherwise.

Q4 TeaTimer and Windows Defender are OK, but I recommend Comodo BOClean http://www.comodo.com/boclean/boclean.html Much smarter and less intrusive.

Q5 Remove Norton
Norton is hard to remove fully and properly and can cause non apparent issues and performance issues until properly cleaned.

Norton removal tool (use this to cleanup after a normal uninstall or if it will not uninstall)
http://majorgeeks.com/Norton_Removal...NRT_d4749.html

Then SymRegFix ftp://ftp.symantec.com/public/english_us_canada/tutorials/SymRegFix.exe

To download using Internet Explorer. Click the following link to download the file:

SYMMSICLEANUP.reg ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SYMMSICLEANUP.reg
Save the file to the Windows desktop.

To download using Firefox. Right-click the following link and then click Save Link As to download the file:

SYMMSICLEANUP.reg ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SYMMSICLEANUP.reg

Then use the same instructions for IE or FF to get the below.

IE: MSIFIX.bat ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/MSIFIX.bat

FF: MSIFIX.bat ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/MSIFIX.bat

Run all above in order presented.

Q7 Before you scan with either MalwareBytes or SuperAntiSpyWare, do the Extra Configs below; these have become most important lately.

SuperAntispyware extra config

After installed double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options, make sure all boxes except #3 (Ignore System Restore...) are checked.

MalwareBytes extra config

After update but before running
Click settings and confirm all are Checked.

Mike
 
Thank you for the detailed instructions and advice! I'm following these to do a couple more rounds of scans. So far so good.

As for the C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll lock, I did do that scan in Safe Mode. But to be sure, I re-did the full scan in Safe Mode again, and Avira reported the same thing. Right after the scan, I tried to delete the entire $NtUninstallQ828026$ folder, and strangely, Windows didn't say a word, and the entire folder was deleted with no problem. Then I restarted to Safe Mode and did another full scan. This time Avira didn't show the warning message, so I guess it should be ok then.

While being hit by trojans is an unfortunate event, it's fortunate to have experts like you kindly extending the much-needed helping hands. Thanks very much for your help!
 
You are so welcome.

I will consider this my closing for now.

You may think you are finally free of Norton after all the above!
To get more Norton/Symantec, do a Windows search using Advanced settings to search system, hidden and subfolders.
Paste
norton*.*;syman*.*;liveup*.*
into the search bar delete all found.
Then download and install RegSeeker http://www.hoverdesk.net/freeware.htm
Click its Find in Registry and, one at a time, search for:
norton
symantec
liveupdate

Delete all found but make sure the liveupdate refers to Norton!

----------------------------------------------------------------------------------------------------------------------------------------------------

Removing unneeded services can increase performance but can also be a security improvement as it may remove a Malware entry point!

Of the below, if you are using a Domain Controller on your LAN you will need to keep Netlogon. It should be obvious that Remote Registry is a possible security threat.

Considering that..

Clean and tweak services

In Services, stop and disable all of the below just to get them out of the way for now, for troubleshooting purposes.

Nothing is un-installed or deleted only disabled from running!

They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

Disabled uses no memory (RAM) and no CPU cycles.
Manual uses the RAM but a small amount of CPU.
Auto and not started: they use even more RAM and CPU.
Auto and started: even more RAM and CPU.

Now in this case we are disabling for troubleshooting purposes. But when we finish, if you leave them all off until it is noticed that you need one (not likely for 99%), then it can be enabled.

Leaving these all off then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note: if you are going to pick and choose, then be aware that the small amount of RAM and CPU cycles of each one individually is not significant, but as a group it is! So if you need most of them (or just think you do because you don't), then you may just as well enable them all!

Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Fast User Switching
Health Key and Certificate Management Service
Indexing Service
Messenger
Net Logon
Net.TCP Port Sharing
NetMeeting Remote Desktop Sharing
IPsec Services
QoS RSVP
Remote Registry
Uninterruptible Power Supply
Universal Plug and Play
Web Client
Windows Media Player Network Sharing

IF you are using a wired network card and "NOT" using wireless on this computer, then you can also disable:

Wireless Zero configuration

Wireless Zero Configuration is only used on computers with a wireless NIC, like a Laptop. Do not disable Wireless Zero Configuration on a Laptop. It has nothing to do with other wireless hardware like wireless routers etc.

In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

This is not to be confused with Wired Auto Config; do not disable that!

This will do it for you (ignore errors, as it may try to turn off something already off or non-existent).

Left-drag the mouse and Copy, for pasting, all text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
Then paste into the black screen of an open command prompt. All may not apply, so ignore errors.

Code:
@echo off
sc config Alerter start= disabled
sc stop Alerter

sc config AeLookupSvc start= disabled
sc stop AeLookupSvc

sc config ClipBook start= disabled
sc stop ClipBook

sc config Dfs start= disabled
sc stop Dfs

sc config FastUserSwitchingCompatibility start= disabled
sc stop FastUserSwitchingCompatibility

sc config TrkWks start= disabled
sc stop TrkWks

sc config TrkSvr start= disabled
sc stop TrkSvr

sc config DNSCache start= disabled
sc stop DNSCache

sc config ERSvc start= disabled
sc stop ERSvc

sc config HidServ start= disabled
sc stop HidServ

sc config PolicyAgent start= disabled
sc stop PolicyAgent

sc config CiSvc start= disabled
sc stop CiSvc

sc config IsmServ start= disabled
sc stop IsmServ

sc config kdc start= disabled
sc stop kdc

sc config LicenseService start= disabled
sc stop LicenseService

sc config Messenger start= disabled
sc stop Messenger

sc config Netlogon start= disabled
sc stop Netlogon

sc config NetTcpPortSharing start= disabled
sc stop NetTcpPortSharing

sc config mnmsrvc start= disabled
sc stop mnmsrvc

sc config NetDDE start= disabled
sc stop NetDDE

sc config NetDDEdsdm start= disabled
sc stop NetDDEdsdm

sc config NtLmSsp start= disabled
sc stop NtLmSsp

sc config SysmonLog start= disabled
sc stop SysmonLog

sc config RSVP start= disabled
sc stop RSVP

sc config SSDPSRV start= disabled
sc stop SSDPSRV

sc config upnphost start= disabled
sc stop upnphost

sc config WMPNetworkSvc start= disabled
sc stop WMPNetworkSvc

sc config WmiApSrv start= disabled
sc stop WmiApSrv

sc config WmdmPmSN start= disabled
sc stop WmdmPmSN

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

sc config RemoteAccess start= disabled
sc stop RemoteAccess

sc config SCardSvr start= disabled
sc stop SCardSvr

sc config TlnSvr start= disabled
sc stop TlnSvr

sc config UPS start= disabled
sc stop UPS

sc config WebClient start= disabled
sc stop WebClient

sc config DNSCache start= disabled
sc stop DNSCache

rem Keep RPC, RPC Locator and Windows Installer on automatic start (sc wants "auto", not "Automatic")
sc config RpcSs start= auto
sc start RpcSs

sc config RpcLocator start= auto
sc start RpcLocator

sc config MSIServer start= auto
sc start MSIServer
exit
exit

Extra security programs to consider.
XPY http://xpy.whyeye.org/2008/12/04/xpy-0109-and-vispa-029/
SecureIt http://www.sniff-em.com/secureit.shtml
HardenIt http://www.sniff-em.com/hardenit.shtml
and
XP-AntiSpy http://www.xp-antispy.org/index.php/lang-en

Good luck,
Mike
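The post says the disabled services "can be put back anytime later", which is only easy if their original start types were written down first. The helper below is an added example, not Mike's script: it pulls the service names out of a disable batch like the one above, reads each one's current START_TYPE from `sc qc` output, and emits a matching revert batch. The batch excerpt and `sc qc` output embedded here are constructed samples; `snapshot_services`, `revert_script` and the other names are this example's own.

```python
import re
import subprocess
import sys

# `sc qc` prints START_TYPE as "<code>   <NAME>"; `sc config <svc> start=`
# wants one of these keywords, so the snapshot is stored in replayable form.
START_TYPE_KEYWORD = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

DISABLE_RE = re.compile(r"^\s*sc\s+config\s+(\S+)\s+start=\s*disabled\s*$", re.I | re.M)
START_TYPE_RE = re.compile(r"^\s*START_TYPE\s*:\s*(\d+)\s+\S+(\s+\(DELAYED\))?", re.M)


def services_in_batch(batch_text: str):
    """Names of every service a batch script sets to start= disabled, in order."""
    return DISABLE_RE.findall(batch_text)


def parse_sc_qc(output: str) -> str:
    """Map one service's `sc qc` output to the start keyword that restores it."""
    m = START_TYPE_RE.search(output)
    if not m:  # "OpenService FAILED 1060": service not installed, nothing to restore
        raise ValueError("no START_TYPE line in sc qc output")
    keyword = START_TYPE_KEYWORD[int(m.group(1))]
    return "delayed-auto" if keyword == "auto" and m.group(2) else keyword


def snapshot_services(names, query=None):
    """Return [(name, keyword)] for the services that exist; skip the rest.

    `query(name)` returns `sc qc` text; the default runs sc.exe (Windows only).
    """
    if query is None:
        def query(name):
            return subprocess.run(["sc", "qc", name], capture_output=True, text=True).stdout
    snapshot = []
    for name in names:
        try:
            snapshot.append((name, parse_sc_qc(query(name))))
        except ValueError:
            pass
    return snapshot


def revert_script(snapshot) -> str:
    """Batch text that sets every recorded service back to its original start type."""
    lines = ["@echo off"] + [f"sc config {n} start= {kw}" for n, kw in snapshot]
    return "\n".join(lines) + "\n"


# Constructed sample data standing in for the real disable script and sc.exe output.
SAMPLE_BATCH = """@echo off
sc config RemoteRegistry start= disabled
sc stop RemoteRegistry
sc config NoSuchSvc start= disabled
sc config RpcSs start= auto
"""
SAMPLE_SC_QC = {
    "RemoteRegistry": "SERVICE_NAME: RemoteRegistry\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
                      "        START_TYPE         : 2   AUTO_START\n",
    "NoSuchSvc": "[SC] OpenService FAILED 1060:\n\nThe specified service does not exist as an installed service.\n",
}

if __name__ == "__main__":
    # Usage on Windows, before running the disable script:
    #   python snapshot_services.py disable.bat > revert.bat
    batch = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BATCH
    query = None if len(sys.argv) > 1 else (lambda n: SAMPLE_SC_QC.get(n, ""))
    sys.stdout.write(revert_script(snapshot_services(services_in_batch(batch), query)))
```

Run with no argument it works entirely from the embedded samples and prints a one-line revert batch for RemoteRegistry; services that do not exist on the box are simply left out.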
 