Old 01-17-2009, 09:37 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Help please, I posted on here before but I think it was too vague.
I have my sister's HP 530 laptop running Windows XP Pro SP3.

The decal says Vista but it was bought second hand with XP running, no backup CD and only 512 memory so it can't run Vista.

It boots up OK but none of the documents can be opened; the message returns 'the file is not available'.

I would not mind a reformat, but when I inserted my XP CD it loaded Windows Setup then went to a blue screen advising to check for viruses and hardware problems. I also discovered that Windows Setup did not discover the 'C' drive but loaded to the recovery 'D' drive, which seems to be intact. There is also an 'E' partition called 'os_tools'.

I cannot uninstall any programs as there is no Control Panel.

I used my flash drive to load DDS and GMER to the desktop and the malware in my heading was immediately transferred to it in a folder called pictures. This folder is present on all partitions and cannot be removed. The Norton on the laptop is outdated and seems to be damaged. AVG may also have been loaded.

DDS says the command prompt has been disabled by administrator when I log on in safe mode the flash drive is not detected and all the programs freeze when I try to update Norton

GMER runs but comes back clean and the log file is empty; not sure I did it right.

Is there any other info I could have furnished? I would be happy to oblige.
Thanks in advance.
Kasedie is offline  

Old 01-22-2009, 06:32 PM   #2 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

bump please
Kasedie is offline  
Old 01-22-2009, 10:43 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Hello Kasedie and welcome,

Quote:
I also discovered that Windows Setup did not discover the 'C' drive but loaded to the recovery 'D' drive, which seems to be intact.
Truly, this is your quickest and best solution. Loading the Recovery Partition will bring the computer back to the state it was in when first purchased by original owner - 'out of the box' so to speak.

Of course, you would then need to immediately go to Windows Update and download and install all Critical Updates.

If the Recovery Partition does not load, we can try to work around the issues you're having.


Quote:
I used my flash drive to load DDS and GMER to the desktop and the malware in my heading was immediately transferred to it in a folder called pictures. This folder is present on all partitions and cannot be removed. The Norton on the laptop is outdated and seems to be damaged. AVG may also have been loaded.
What have you done about your infected flash drive? Best to just reformat it since you will transfer the infection to any computer you plug this into. If there is info on it that you do not want to lose, then let me know and we'll try to disinfect it--but--we would want to do that via this infected computer (since it's already infected) so we don't infect yet another computer. If that is the route you want to take, then do not invoke the Recovery Partition yet.

Please let me know what you want to do here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 01-24-2009, 09:34 PM   #4 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Thanks very much for the reply Ried

Quote:
Truly, this is your quickest and best solution. Loading the Recovery Partition will bring the computer back to the state it was in when first purchased by original owner - 'out of the box' so to speak
I would like to load the recovery partition but the decal says Windows Vista and there is only 512 memory installed; I was told Vista needs at least 1G.

I have a legal copy of Windows Home XP I would like to install but I encountered problems trying a clean boot.

The flash drive was cleaned by BitDefender free edition v10 that is on the desktop I'm using now; that is how I found the name of the infections.
Kasedie is offline  
Old 01-24-2009, 11:14 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

First, let's ensure your usb stick is malware free for the safety of any system you plug it into.

Download Flash_Disinfector.exe and save it to your desktop.


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of the tool.


Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

----------------------------

Keep the flash drive inserted and run another online scan.

It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


===============================

I find it odd that Vista is installed on a system with only 512. But you also said it loads as Windows XP....Strange situation.

Quote:
DDS says the command prompt has been disabled by administrator when I log on in safe mode the flash drive is not detected and all the programs freeze when I try to update Norton
Have you tried running dds.com from Safe Mode?
Ried is offline
Old 01-25-2009, 12:48 PM   #6 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Thanks Ried.
I am presently working in safe mode but DDS still does not run.

Quote:
I find it odd that Vista is installed on a system with only 512. But you also said it loads as Windows XP....Strange situation.
I think Vista was erased and XP installed, so Vista may only be on the recovery partition D. The E partition (os_tools) is 1.5G in total and has 3 folders: boot, sources, and SMRTNTKY, in addition to the 'pictures' folder which I think is the virus. There is also a file 'HP_WINRE'.

Anyway, enough of my amateur chatter, here is the Kaspersky scan result:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 25, 2009 06:52:44
Records in database: 1692802
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 68706
Threat name: 6
Infected objects: 31
Suspicious objects: 0
Duration of the scan: 01:21:20


File name / Threat name / Threats count
C:\Documents and Settings\Admin\Application Data\csrss.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\Admin\Local Settings\carbon.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\Admin\Local Settings\Temp\3tlrd15.sys Infected: Worm.Win32.AutoRun.des 1
C:\Documents and Settings\Admin\Local Settings\Temp\cmctva4c.dll Infected: Worm.Win32.AutoRun.des 1
C:\Documents and Settings\Admin\Local Settings\Temp\fg44wimd.sys Infected: Worm.Win32.AutoRun.des 1
C:\Documents and Settings\Admin\Local Settings\Temp\li3t.sys Infected: Worm.Win32.AutoRun.des 1
C:\Documents and Settings\Admin\Local Settings\Temp\megq.dll Infected: Trojan-GameThief.Win32.OnLineGames.yuj 1
C:\Documents and Settings\Admin\Local Settings\Temp\xkmel.sys Infected: Worm.Win32.AutoRun.des 1
C:\Documents and Settings\Admin\Local Settings\Temp\xm2uyw.sys Infected: Worm.Win32.AutoRun.des 1
C:\Documents and Settings\Admin\My Documents\Songs from mp3\PICTURES.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Microsoft Startup Controller.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\Admin\Start Menu.rar Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\Administrator.PAL.000\Application Data\csrss.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\Administrator.PAL.000\Local Settings\carbon.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\Administrator.PAL.000\Start Menu\Programs\Startup\Microsoft Startup Controller.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ADC0000\4FDCB938.VBN Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CDC0000\4FFC4E10.VBN Infected: Email-Worm.Win32.Brontok.q 1
C:\MSInfnd.exe Infected: Backdoor.Win32.Hupigon.bdei 1
C:\PICTURES.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSInfnd.exe Infected: Backdoor.Win32.Hupigon.bdei 1
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\reg32.exe Infected: IRC-Worm.Win32.Small.dh 1
C:\WINDOWS\db4d\lsass.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\WINDOWS\db4d\services.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\WINDOWS\system32\_MSInfnd.exe Infected: Backdoor.Win32.Hupigon.bdei 1
D:\MSInfnd.exe Infected: Backdoor.Win32.Hupigon.bdei 1
D:\PICTURES.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
D:\RECYCLER\S-1-5-21-117609710-1659004503-682003330-1003\Dd1.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
D:\RECYCLER\S-1-5-21-117609710-1659004503-682003330-1003\Dd2.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
D:\RECYCLER\S-1-5-21-117609710-1659004503-682003330-1003\Dd3.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
E:\MSInfnd.exe Infected: Backdoor.Win32.Hupigon.bdei 1
E:\PICTURES.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1

The selected area was scanned.
Kasedie is offline  
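
An added example, not part of the original thread or any poster's code: a short triage script for detection lines in the report format posted above. It groups hits by threat name, flags the same file name dropped in the root of several drives (the removable-media spread discussed earlier in the thread), flags files that borrow Windows system process names outside `system32`, and sets aside hits that sit in an antivirus quarantine folder. The function and variable names are hypothetical; the input is a short excerpt of the posted report.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Excerpt of the detection lines from the report posted above.
# Line format: "<path> Infected: <threat name> <count>"
REPORT = r"""
C:\Documents and Settings\Admin\Application Data\csrss.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ADC0000\4FDCB938.VBN Infected: Email-Worm.Win32.Brontok.q 1
C:\MSInfnd.exe Infected: Backdoor.Win32.Hupigon.bdei 1
C:\PICTURES.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
C:\WINDOWS\db4d\lsass.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
D:\MSInfnd.exe Infected: Backdoor.Win32.Hupigon.bdei 1
D:\PICTURES.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
E:\MSInfnd.exe Infected: Backdoor.Win32.Hupigon.bdei 1
E:\PICTURES.exe Infected: Trojan-Spy.Win32.Ardamax.fq 1
"""

LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$"
)

# Genuine copies of these processes live under %SystemRoot%\system32.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe"}


def parse(report):
    """Return (path, threat, count) tuples for every detection line."""
    entries = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append(
                (PureWindowsPath(m["path"]), m["threat"], int(m["count"]))
            )
    return entries


def triage(report):
    by_threat = defaultdict(int)
    root_copies = defaultdict(set)   # file name -> drives with a root copy
    impostors, quarantined = [], []
    for path, threat, count in parse(report):
        by_threat[threat] += count
        parts = [p.lower() for p in path.parts]
        if "quarantine" in parts:
            # Already contained by the installed antivirus; not a live file.
            quarantined.append(str(path))
            continue
        if len(path.parts) == 2:     # drive root + file name only
            root_copies[path.name.lower()].add(path.drive.upper())
        if path.name.lower() in SYSTEM_NAMES and "system32" not in parts:
            impostors.append(str(path))
    return {
        "total": sum(by_threat.values()),
        "by_threat": dict(by_threat),
        # Same name in the root of more than one drive: copies itself around.
        "root_spread": {n: sorted(d) for n, d in root_copies.items()
                        if len(d) > 1},
        "impostors": impostors,
        "quarantined": quarantined,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(key, "=>", value)
```

Run over the full detection list, `total` and the number of keys in `by_threat` can be checked against the report's own "Infected objects" and "Threat name" counters.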
Old 01-25-2009, 12:56 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Alright, let's attack this.

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named, next to ComboFix.exe.






---------------------------------------------------------------------
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.
Ried is offline
Old 01-25-2009, 02:22 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Thanks for the prompt reply Ried

I have done as instructed above but I got a date error message then ComboFix shut down

I have tried to set the date but that function is restricted as well

I checked the BIOS but there is no option there to set the date
Kasedie is offline  
Old 01-25-2009, 02:25 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

What date is the machine set to?

Try running it from Safe Mode. If you still get that message about the date, ok the prompt, then wait a couple seconds and see if ComboFix will continue running anyway.
Ried is offline
Old 01-25-2009, 02:35 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

I am working in safe mode at the moment

The date says Thursday December 25 2008

The blue screen just closes out; it does not run
Kasedie is offline  
Old 01-25-2009, 02:40 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

grrr. No, it won't run with the machine set to that date.

Are you sure there is no option to set the date in the bios? What bios is this?
Ried is offline
Old 01-25-2009, 03:57 PM   #12 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

The BIOS version says 1.36; it's an HP 530.
I am also seeing something called Disk Sanitizer; would this allow me to clean the hard drive and start fresh?
Kasedie is offline  
Old 01-25-2009, 04:25 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

That's not the name of the BIOS on that system. It would be something like Phoenix, AMD, AMI, Award. Reboot the machine and tap F1 to enter the BIOS.

Let's back-track a bit. Earlier you said you tried to use your Windows XP disc and had trouble. Were you trying to do a Repair Install?


Yes, HP's Disk Sanitizer will wipe your hard drive clean.
Ried is offline
Old 01-25-2009, 04:42 PM   #14 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

I was trying to do a clean boot with an XP Home disk

F10 does ROM-based setup; F1 doesn't work

When I tried the clean boot it did not show the partitions like I'm used to; it just automatically loaded to the D drive then went to a stop error screen

I am wondering if Sanitizer would find the C partition
Kasedie is offline  
Old 01-25-2009, 05:25 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Disk Sanitizer is going to wipe out the entire hard drive--partitions included.

Try F2 to enter BIOS

If all else fails, you can reformat the hard drive yourself. You'll find a good guide here
Ried is offline
Old 01-30-2009, 07:51 PM   #16 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 12
OS: xp professional


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Hey, thanks for all the help. Been a bit busy this week; will format the disk after I can get Setup to recognise it, but that's another forum.
Kasedie is offline  
Old 01-30-2009, 10:02 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Help! cant remove Trojan VB NQM Backdoor HugiponZPC

Thanks for touching base with me.

Yes, that issue most certainly is better handled by the folks in Windows XP support.

After you've installed Windows, be sure to visit Microsoft to download and install all Critical Updates.

If your sister is in need of an Antivirus, there are several very good free ones out there. AviraPersonalEdition, Avast, AVG.

To help protect her computer in the future, I recommend that she get the following free programs:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Download the latest version of Spybot - Search & Destroy 1.5

Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.
  • Now click Mode menu and choose 'Advanced Mode'.
  • Click on Immunize to your left.
  • Next, click the Immunize button on top to Immunize your computer - you need to do this each time there is an update.
  • Click 'Check for Problems' and fix all the entries, which are indicated in RED.
Ried is offline

All times are GMT -7.