Backdoor.Hupigon trojan

Status
Not open for further replies.
Well, I found out what the a-squared was referring to when I had a closer look and realised that even though I'd removed my USB flash drive, the icon in the task bar was still there saying I could safely remove hardware! derr!

Before I started on the clean up I also uninstalled google toolbar because I had installed Firefox so don't need IE.

I've run CCleaner again, then followed the procedure for Rootkit Revealer and finally ran HijackThis.

I've attached the files and look forward to confirmation of a clean bill of health... fingers crossed! :rolleyes:
 
Nothing in Rootkit (except Acer update - ok)

HJT: No sign of malware infection, except this ongoing issue:
O23 - Service: a-squared Free Service (a2free) - Unknown owner - F:\A2USB\a2service.exe (file missing)

Is a-squared installed?
 
O23 entries must be fixed by going through Run > services.msc and then manually disabling the start up. Alternatively, use the HijackThis 'delete NT service' option.
 
momok, we can use a .bat file to delete the services. Teresa.J, use this, then post a fresh HijackThis log.

We need to get rid of one of the services running on your machine. To do this, copy (Ctrl+C) and paste (Ctrl+V) the text in the code box below to Notepad.

Code:
@echo off
rem Stop each rogue service, then remove its entry from the service control manager
sc stop HAWBMVSH
sc delete HAWBMVSH
sc stop TLMELV
sc delete TLMELV
rem Delete this script (%~f0 is its own full path) and close the window
del "%~f0" & exit

Save it to your desktop as File name: service.cmd
Save as type: All Files

Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.
Now post a fresh HJT log.

You should run SDFix to check if there are any more trojans. Download it from the link below, then reboot into Safe Mode, go to C:\SDFix\ and run RunThis.bat.
When it reboots, let it go to Normal Mode, not Safe Mode. Attach the log once it is done.

http://www.bleepingcomputer.com/files/sdfix.php
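The same cleanup as the service.cmd above, written in PowerShell as an added example (not code xxdanielxx or anyone else in the thread posted). It uses the same sc.exe calls as the batch file but checks each step: it confirms the service is registered, stops it and waits for the service control manager to report Stopped, deletes it, and then checks whether the entry is really gone, because `sc delete` only marks a service for deletion while something still holds a handle to it. The two service names are the ones from the HijackThis log; the function name, the 15-second wait and the message wording are my own, and the script assumes an elevated PowerShell prompt (PowerShell is not on a stock XP install, so it would have to be added on the machine in the thread).

```powershell
# Added example, not code from the thread. Stops and deletes the two services
# named in the HijackThis log with the same sc.exe calls the batch file uses,
# but checks each step. Assumes an elevated PowerShell prompt.
$Names = @('HAWBMVSH', 'TLMELV')

function Remove-SuspectService {
    param([Parameter(Mandatory = $true)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "[$Name] is not registered with the service control manager"
        return $false
    }

    # Inside PowerShell "sc" is an alias for Set-Content, so the .exe must be spelled out.
    if ($svc.Status -ne 'Stopped') {
        & sc.exe stop $Name | Out-Null
        try {
            # Give the SCM a moment to report Stopped; 15 s is an arbitrary choice.
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(15))
        } catch {
            Write-Warning "[$Name] did not stop in time; the delete below takes effect at the next reboot"
        }
    } else {
        Write-Host "[$Name] is already stopped"
    }

    & sc.exe delete $Name | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # 1072 = service already marked for deletion, 1060 = service does not exist
        Write-Warning "[$Name] sc delete failed with exit code $LASTEXITCODE"
        return $false
    }

    # sc delete only marks the entry; it disappears once no process holds a handle
    # to the service, which can mean after a reboot.
    if (Get-Service -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "[$Name] marked for deletion; reboot and run this again to confirm it is gone"
    } else {
        Write-Host "[$Name] deleted"
    }
    return $true
}

foreach ($n in $Names) { $null = Remove-SuspectService -Name $n }
```

If a name is reported as "marked for deletion" rather than "deleted", the usual reason is that services.msc or another management tool still has the service open; close it, reboot, and run the script again before deciding the removal failed.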
 
I had to go into services.msc to disable a-squared. I couldn't find it in Add/Remove and a search of all files and folders including hidden did not come up with anything. It must have been run from my friend's daughter's flash drive. The icon is still appearing in the task bar after every reboot saying it's safe to remove hardware!

I've attached the SDfix report and a new HJT report.

I also went back into services.msc and HAWBMVSH, TLMELV and a-squared are still there but all are showing 'disabled' under the 'Startup type' column.
 
Revo Uninstaller is a very thorough program but it will not let me delete those 3 dodgy services nor does it find a-squared as a program to uninstall and a search didn't find HAWBMVSH or TLMELV.

(Even running the code that xxdanielxx suggested didn't delete those files)

I also couldn't find instances of those three in "Junk files Manager" or "Autorun Manager" either.

If they're disabled in services doesn't that mean that they won't run and therefore system is safe?
 
Services

Actually, disabled in services is good because they won't run.
But this is not ideal, because if you ever re-install, or even use an updated program that checks for these services, the new install program may fault.

I use a program called MyUninstaller, which may help find and resolve the issue

In some cases it's a matter of checking online for uninstaller tools like Norton has for instance, for their product. Or sometimes even re-installing the program and then un-installing it fully again.

Services are located in registry (start->run->regedit) here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service name

Even a small utility like ServiWin may help locate not required services

MS has an excellent one called PsService, but I can't get it to download (I think antivirus software was reporting false positives on it)

There's also some good reading here on Services

You can also use a little tool called AddRemoveCleaner for any leftovers in Add/Remove Programs too

Edit:

I found a really good one here called Service Controller XP.
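An added example (not kimsland's code) that reads the registry path given above with PowerShell instead of regedit. It walks every key under HKLM\SYSTEM\CurrentControlSet\Services, decodes the Start value into the Startup type that services.msc shows, and flags any entry whose ImagePath names a file that is no longer on disk, which is exactly the "(file missing)" condition HijackThis reported for a2service.exe once the flash drive was unplugged. The path-normalisation rules, the column names and the commented-out Remove-Item line are my own assumptions; the script needs PowerShell 3 or later for the [pscustomobject] syntax and an elevated prompt if you uncomment the removal.

```powershell
# Added example, not code from the thread. Audits the registry location
# kimsland gives for services and flags entries whose binary is missing.
# Assumes PowerShell 3+ and, for Remove-Item, an elevated prompt.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# REG_DWORD "Start" values, as shown in the services.msc Startup type column.
$StartType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ImagePathFile {
    # ImagePath can be quoted, carry arguments, use %SystemRoot% or the
    # NT-style \SystemRoot\ and \??\ prefixes, or be relative to the Windows
    # directory (drivers usually are). Reduce it to one absolute file path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    $p = $p -replace '^\\\?\?\\', ''                     # \??\C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # \SystemRoot\system32\...
    if ($p.StartsWith('"')) {
        $file = ($p -split '"')[1]                       # "C:\Program Files\x.exe" -arg
    } elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') {
        $file = $Matches[1]                              # C:\...\svchost.exe -k netsvcs
    } else {
        $file = ($p -split '\s+')[0]
    }
    if (-not [IO.Path]::IsPathRooted($file)) {
        $file = Join-Path $env:SystemRoot $file          # system32\drivers\foo.sys
    }
    return $file
}

function Get-ServiceAudit {
    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $v -or $null -eq $v.Start) { continue }   # not a service or driver entry
        $file = Get-ImagePathFile $v.ImagePath
        [pscustomobject]@{
            Name      = $key.PSChildName
            Start     = $StartType[[int]$v.Start]
            ImagePath = $v.ImagePath
            File      = $file
            # True when ImagePath names a file that is not on disk: the HJT "(file missing)" case
            Missing   = [bool]($file -and -not (Test-Path -LiteralPath $file))
        }
    }
}

# Everything registered with a binary that no longer exists (e.g. F:\A2USB\a2service.exe
# once the flash drive is unplugged), plus anything left in the Disabled state.
Get-ServiceAudit | Where-Object { $_.Missing -or $_.Start -eq 'Disabled' } |
    Format-Table Name, Start, Missing, ImagePath -AutoSize

# Removing a leftover key outright, which is what deleting the key in regedit
# does. Uncomment only for a service you have confirmed is bogus.
# Remove-Item -Path (Join-Path $ServicesKey 'HAWBMVSH') -Recurse
```

A service whose file is missing cannot start, so it is not an active threat, but it is still an entry the next installer or scanner will stumble over, which is the point kimsland makes above; the audit output is the list to work through before deleting anything.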
 
Thanks kimsland, I've deleted the registry folders of those 3 services, rebooted and they've now disappeared from the services.msc

I've also had a good read of the security articles and have disabled the Remote Access Services. I'll also have a look at their router login page to make sure it's not still set at admin username and password.

Good work guys. Thanks heaps for all your help. I'll return the pc now and will keep in touch with my friend to check on how things are going.

Cheers
Teresa :wave:
 
Remote Access Auto Connection Manager
Creates a connection to a network when a program requests a remote address. This service may be required for your internet connection. If things cease to function after disabling this service, put it to automatic. Note: you may require this service for some direct cable or DSL providers and connections, depending on how they implement their logon process. If your Dial-up, cable or DSL internet access no longer functions properly with this service disabled, place this service into automatic. If you use a hardware gateway or router, this service is not required.

Remote Access Connection Manager
This service is required if you use Internet Connection Sharing. If things cease to function after disabling this service, put it to automatic. Note: you may require this service for some direct cable or DSL providers and connections, depending on how they implement their logon process. If your Dial-up, cable or DSL internet access no longer functions properly with this service disabled, place this service into automatic. If you use a hardware gateway or router, this service is not required.

Remote Desktop Help Session Manager
Manages and controls Remote Assistance.
If you do not want or need to use this feature, disable it. In an idle state, this service sucks up 3.4 MB to 4 MB of RAM.

Remote Registry
This feature is not available on Windows XP Home. This is one of those not needed services. One of the first I disable. If you are paranoid about security, disable this service. Even if you are not or do not care, disable it anyway.

Remote Procedure Call (RPC)
This service is rather vital. Practically everything depends on this service to be running. This is also the only service that you cannot disable via the Services MMC. Previously, if you disabled this service in Windows 2000, your computer would become unbootable. What I am trying to tell you is leave this service on automatic and absolutely DO NOT disable it in msconfig. If, for whatever reason, the service became disabled and you can no longer boot your system, please read the information available on BlackViper.com for a way to fix it.
 