Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Baz8755 on March 29, 2010, 01:51:55 PM

Title: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 29, 2010, 01:51:55 PM
I regularly scan my PC once a fortnight and last scanned it a day or 2 ago.

However a scheduled scan started today and it is claiming that all my monthly Ghost images dating back to the beginning of the year are infected with "Win32:Hupigon-ONX [Trj]". Could this possibly be a false positive, as I cannot understand how they could all have suddenly become infected with no other warnings from Avast?

Cheers

Baz
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 29, 2010, 02:22:04 PM
Hello,
you can send us (virus@avast.com) the file and put "False positive" in the subject.

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 29, 2010, 02:54:21 PM
The file is 2GB in size, so not really easy to email.

I am getting really confused now as my scan log clearly shows that I did a full system scan at 11:48 on 28/03/2010 and it was all clear.

I then took my monthly Ghost image of my C: drive straight after and placed it on the D: drive. The D: drive already contained a couple of previous ghost images which would have been scanned as clean.

This morning using VPS file 100329-1, 29/03/2010 the scans are reporting all the ghost images as infected with "Win32:Hupigon-ONX [Trj]" virus.

The Virus database history shows that this definition was included in VPS 100311-1, 11/3/2010.

However here's the twist, I just fired up a virtual PC that has not updated since VPS 100313-2, 13/3/2010 and scanned one of the infected files and it also finds the virus.

So either this virus has somehow managed to creep past Avast in the past 24 hours and infect several Norton Ghost .GHS files, or something weird is going on with the detection of this virus.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Zyndstoff (aka Steven Gail) on March 29, 2010, 03:17:09 PM
Why don't you make another ghost file - a smaller one, that can be sent via mail.
Check whether that "custom" file shows the same behaviour, which IMHO it should.
You can then send that file to Alwil; they will work it out and remove the FP - and I think it is an FP.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 29, 2010, 03:28:21 PM
I am just going to copy the infected(?) file onto a virtual machine and run an online scan to make sure it is a FP.

Not sure that I can create a custom file as I use Ghost 2003 and back up the entire disk; this backup creates several 2GB .GHS files and only one or two of the set of 13 show as infected.

Eg.
Set 1
"D:\Ghost Images\Most Recent\18122009\18122001.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus
"D:\Ghost Images\Most Recent\18122009\18122003.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus
"D:\Ghost Images\Most Recent\18122009\18122005.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus
"D:\Ghost Images\Most Recent\18122009\18122008.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus
"D:\Ghost Images\Most Recent\18122009\18122010.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus

Set 2
"D:\Ghost Images\Most Recent\28032010\28032008.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus

Set 3
"D:\Ghost Images\Most Recent\11032010\11032008.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus


So the chances of producing a small image and it being flagged as a virus are quite low :(
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 29, 2010, 04:06:14 PM
I have just scanned one of the files with 2 online scanners (HouseCall and ESET) and both have come up clean.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 29, 2010, 04:29:08 PM
Hello,
all files detected as "Win32:Hupigon-ONX [Trj]" that come to us as false positives are .pdf, .jpg, .css, .mp3, etc., which have some code with signs of a digital signature pasted into them, which is weird.

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 29, 2010, 05:13:50 PM
Malwarebytes also shows clean.

Also, I have just performed a scan on my wife's PC and it too shows the same issues with .GHS files.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Zyndstoff (aka Steven Gail) on March 29, 2010, 05:53:57 PM
What about an FTP upload? Start in the evening, before bedtime... when you get up in the morning, it's done.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 29, 2010, 10:05:57 PM
FTP should be OK if Milos wants to give me an address
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Zyndstoff (aka Steven Gail) on March 29, 2010, 10:20:00 PM
ftp://ftp.avast.com/incoming
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 30, 2010, 12:06:53 AM
Sending 220210.gho now, estimated 9Hrs 23 Mins.

This is part of a ghost image from my sandbox PC, which is a minimal build. It was built from clean and then ghosted; every time the machine is used the ghost is written back to ensure a clean starting point. This machine has been kept isolated from the rest of my machines, but the latest scan of its ghost images shows the same infection.

99.9% certain it is an FP
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 30, 2010, 09:48:53 AM
Uploaded, please let me know if OK
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Zyndstoff (aka Steven Gail) on March 30, 2010, 09:52:51 AM
We'll have to wait for a Mod to check the upload.  8)
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 30, 2010, 11:00:49 AM
Quote
Uploaded, please let me know if OK
Hello,
the file has size: 2 147 481 103 bytes.

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 30, 2010, 11:29:23 AM
Quote
The file is 2GB in size, so not really easy to email.

I am getting really confused now as my scan log clearly shows that I did a full system scan at 11:48 on 28/03/2010 and it was all clear.

I then took my monthly Ghost image of my C: drive straight after and placed it on the D: drive. The D: drive already contained a couple of previous ghost images which would have been scanned as clean.

This morning using VPS file 100329-1, 29/03/2010 the scans are reporting all the ghost images as infected with "Win32:Hupigon-ONX [Trj]" virus.

The Virus database history shows that this definition was included in VPS 100311-1, 11/3/2010.

However here's the twist, I just fired up a virtual PC that has not updated since VPS 100313-2, 13/3/2010 and scanned one of the infected files and it also finds the virus.

So either this virus has somehow managed to creep past Avast in the past 24 hours and infect several Norton Ghost .GHS files, or something weird is going on with the detection of this virus.


Hello,
thank you for sending file.
The malware could have been there before VPS 100311-1, 11/3/2010, but the file was not accessed, so it wasn't scanned.
If the malware was removed by avast!, there still physically exist clusters with data containing the malware signature, and these are backed up by Ghost. So if avast! doesn't report any malware on the drive, you can overwrite the whole unused space on the drive with some data to overwrite the malware signatures, and then the new images created by Ghost should also be clean.

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Zyndstoff (aka Steven Gail) on March 30, 2010, 11:42:26 AM
Milos, does it help to determine the cause?
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 30, 2010, 11:52:36 AM
Quote
Milos, does it help to determine the cause?
What do you mean by the word "it"?

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Zyndstoff (aka Steven Gail) on March 30, 2010, 11:59:33 AM
It = the uploaded file.
Does it help you to determine if it is a FP or an infection?
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 30, 2010, 12:16:02 PM
I still doubt it's an infection as I have now seen this warning on ghost files on 3 independent machines.

Machine 1 : My main machine
This was the one that first alerted me to the issue and it is regularly full scanned once a month prior to ghosting.
This machine found infections in 6 ghost image files dating back to december last year.
This machine did find a virus in the internet cache about a month ago.
Until a month or 2 ago it had been running CA Antivirus.
Now uses Zonealarm and Avast.

Machine 2: Wifes PC
Again regularly scanned, light user. Only ghosted a month or 2 ago.
This machine has never reported any infections.
Until a month or 2 ago it had been running CA Antivirus.
Now uses Zonealarm and Avast.

Machine 3: Sandpit PC
Minimal build, literally clean install up to XP Pro SP3.
Used as test bed and always restored back to clean fully patched ghost image (the image supplied).
This machine is the least likely to ever show any history of infection as it is always restored from image after use.
This machine has never reported any infections.
Until a month or 2 ago it had been running AVG Antivirus.
Now uses Zonealarm and Avast.


As the ghosts are taken from machines that are all scanning clean, how can there be any viruses in the ghost images?
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 30, 2010, 12:40:20 PM
Quote
It = the uploaded file.
Does it help you to determine if it is a FP or an infection?
Hello,
this looks like the damaged files that have already arrived, but in this case 17x in one file.

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Zyndstoff (aka Steven Gail) on March 30, 2010, 12:47:39 PM
I do not understand that post...
What is 17 times in that file?
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 30, 2010, 12:48:12 PM

Quote
As the ghosts are taken from machines that are all scanning clean, how can there be any viruses in the ghost images?


Hello,
Even if the malware was removed, there still physically exist clusters on the partition not linked to any existing file, but to deleted files, with data containing the malware signature, and these are backed up by Ghost.

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 30, 2010, 12:49:50 PM
Quote
I do not understand that post...
What is 17 times in that file?

17 same malware signatures.

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 30, 2010, 01:26:24 PM
But as I have already said, to remove the infection something must first have found it. This virus has never been found on any machine ever, so how can it have been removed?

Also, I have just done another full scan of my machine and it shows clean, including the so-called infected .GHS files. However an on-demand scan of the file still flags it as infected.

So I am still confused
1) Have any of the machines ever been infected? If so, how come nothing was ever reported?
2) Are any of the machines still infected?
3) How come the full system scan says clean but the on-demand file scan says not?
4) If, as you say, there are still clusters with a signature in them, how can I remove these clusters?
5) Could these 17 signatures be the ones held within avast by any chance (i.e. it's finding its own definitions)?
6) What does Win32:Hupigon-ONX actually do?

Also, I have just been reading about Norton Ghost 2003 (which is what I used) and as far as I can tell it does not copy unused clusters. Something I suspect to be true, as watching what it copies and the resultant image size would seem to suggest. Add to that the fact that the image files are compressed, so any virus signatures will probably be scrambled.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on March 30, 2010, 03:58:31 PM
Hello,
1) maybe avast! didn't have the detection when the infection came
2) I don't know -- run the scan -- all extensions, packers, ...
3) It depends what is scanned in "full system scan" -- extensions, packers, ...
4) I mentioned that:
Quote
... you can overwrite the whole unused space on the drive with some data to overwrite the malware signatures ...
5) Only if it is some memory dump, but I think that the signatures are encrypted in memory too. When I saw the malware signatures in submitted files it was not avast!'s own definitions.
6) I don't know, maybe the author of the detection does.

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Steved45 on March 30, 2010, 10:26:59 PM
I just got four of these on my MacBook Pro in my Windows XP Virtual Machine - I deleted them because they would not go into the virus safe.  However when I did it also took out the entire Windows XP install on my VM.  What is the story with these?  You can't move them as AVAST just crashes when you try to and delete even says it didn't delete them yet on the panel it shows them deleted.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on March 31, 2010, 12:02:10 AM
I have just deep scanned 2 of my 3 machines (Thorough, packers, all files etc...) and they have shown completely clean with the exception of the Ghost files.

As I have already stated, absolutely none of my machines have EVER reported this infection. The theory that it must have been cleaned prior to the ghost file creation and must exist in a cluster somewhere does not make sense, as nothing has ever cleaned this virus off the machines and it only appears to exist in the ghost images taken, one of which was taken a day or two ago.

If someone wants to tell me how I can blank out unused clusters then I will, and then take another ghost. I am willing to bet that the ghost image will still scan as infected, for 2 reasons.

1) The machines have NEVER been found to be infected, so therefore could not have been cleaned leaving behind unused clusters with the signature.
2) Ghost 2003, from what I have read, does NOT copy unused clusters to a backup image file.

I would therefore strongly suggest that the signature that Avast is using for this virus is producing false positives.

Do I sound a little aggravated? Too right, as I have wasted 2 valuable days of my vacation trying to get to the bottom of an infection I firmly believe does not and has not ever existed on my network.

Baz
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on April 01, 2010, 06:10:28 PM
All appears very quiet, no responses to my request.........
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Zyndstoff (aka Steven Gail) on April 01, 2010, 06:56:58 PM
Baz8755: I just tried to draw the attention of the mods to this thread again. However - it's Easter. So hang in there a little.
Your effort is much appreciated, thx a lot!
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on April 01, 2010, 10:05:08 PM
Quote
Baz8755: I just tried to draw the attention of the mods to this thread again. However - it's Easter. So hang in there a little.
Your effort is much appreciated, thx a lot!

Thanks,

One further thing to add: I have just uninstalled Avast from my test PC and installed Avira and AVG and ran full scans with each; they too did not find any infection on the machine or in the ghost images. I am now in the process of restoring the so-called infected ghost image as it is an image with Avast installed.

Until this issue is resolved I have added my ghost image directory to my scan exclusion list.

Baz
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on April 02, 2010, 07:22:54 PM
Actually I went back to the OP because I wondered about the infection and where it was on the threat scale

so Google --> Win32:Hupigon-ONX [Trj] - screenshot shows the page scrolled down to the following entry -

About | Adware Spyware Remover
win32 hupigon aqy Your security and peace of mind is worth spending a little time to prevent ...... Most trj downloader.nqb adware encodes last downl ...
adwarespyware-remover.com/about/ - Cached

hxxp://adwarespyware-remover.com/about/

Avast alerts with a block on this site - detector won't read it - Unmask Parasites passed it so far

I haven't got time to go there, but the block on the site is in iexplore - won't show the page (screenshot)
I installed Foxit as well but not a good experience, since the Ask toolbar came up as well
The Ask toolbar also blocked the above site  :o  but I've uninstalled Foxit for the time being

avast calls the site malware. I haven't followed up on Unmask Parasites yet.

http://www.unmaskparasites.com/security-report/

oops, key slipped - there are the screenshots now

you will see the address in the Object line of the block image - I don't know that address at all
- is that in this case an iexplore third party alerting avast to the site (guess)

-edited
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Steved45 on April 03, 2010, 02:31:05 PM
For what it's worth, I deleted the files as I said and it took out the entire virtual machine folder contents. I have since reinstalled the folder contents from scratch, i.e. WinXP and FP2003, and ran the avast scan again on that folder and nada - so this leads me to believe that a) either the infection is in SP3, which I haven't reinstalled yet (unlikely), or b) this really was a virus and it hit me using Safari on the Mac and found my VM Windows files, as I rarely use the Windows browser for anything and the install was pretty much brand new.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on April 03, 2010, 05:08:50 PM
If you had anything to do with this, Win32:Hupigon-ONX [Trj] isn't very nice


Adware Spyware Remover may be blocked as PUP type. There are other blocks for this and similar type websites.

Or malware - link to site is not reading as stable
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on April 04, 2010, 02:31:54 PM
Mkis,

Although I did not believe that Ghost 2003 backed up all the clusters you suggested, I still decided to do a little experiment.

On my test machine I completely filled up the C: drive with temporary files and then deleted them all, defragmented and did a full ScanDisk.

I then took a ghost image of the drive and scanned it. It came up clean this time and I was beginning to think you may have been right.


However I did exactly the same thing on my main machine and unfortunately it is still showing that the ghost image has the virus, even though thorough scans and rootkit scans all still show the C: drive as completely clean. Also, as I have already mentioned, Ghost 2003 appears to use compression, as it backs up a disk that is 34GB used to files totalling 22GB, so any virus data may well be corrupted.

Given that all the A/V products I have now tried scan the ghost image as clean, I am still confused as to why Avast is finding a problem.

Also, just of interest, do we know when the virus was actually created (not when it was included in the signature database), as I have a ghost image created December 2009 that Avast believes to contain the signature.

Baz.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Benny G on April 05, 2010, 06:43:47 AM

       :o

          I have the exact same situatuion as Baz8755. Only difference is, I am using Norton Ghost 10 for my backups. Starting after my April 1st update ( April Fools Day ) to the iAVS, now all (3) my NG 10  backups flag with this trojan. So maybe some helpful info I have. With Avast I deleted the 3 NG backups. Then I uninstalled NG 10, did an aggressive registery cleaning, then, with my firewall I blocked all access to the internet, then I reinstalled NG 10. Then I ran NG 10. It popped a window up saying "Internal program error" (probably because of no internet access).  But I continued on and saved my first back up, no problem. Then I shut  NG 10 down and ran it again , this time there was no pop up window with internal program error. I saved my other 2 backups with no problems. I closed NG 10. I allowed internet access. The avast iAVS may have updated, I can't remember, well yes it would have updated since April 1st. I scanned these 3 new back ups and there was NO trojan detected (nothing). So it must have either been the new iAVS update or it is because I installed NG 10 with out giving it internet access during install and while running. The reason I tryed this is because I thought maybe NG is getting infected from it's host server.
I hope this may help in some way.
                                                               Happy Easter to all     Benny G
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on April 05, 2010, 07:49:15 AM
avast is still alerting on this site -  hxxp://adwarespyware-remover.com/about/


@ Baz - I have no idea about your Norton Ghost, nor have I offered any suggestions, let alone about clusters

However - have you ever had Win32:Hupigon-ONX [Trj] on your computer or moved it to the virus chest?
You may still have a record of this on your computer, despite the file having been deleted.



Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on April 05, 2010, 10:12:47 AM
Mkis,

As far as I am aware I have never had this virus; on the very rare occasion I get a virus I restore from a previous ghost image to ensure the machine is as clean as possible. As the site you are referring to could easily be mistyped for Ad-Aware (a Lavasoft product), it may be possible that I could have gone there once by mistake, but I certainly have not had any virus warnings of infections.

My virus chest (according to Avast) is empty, but could you tell me where it is stored and I will check the folders.

As I said in my previous post, it would be interesting to know when this virus first appeared on the net, to see if the ghost image dated December 2009 could ever have had a copy contained within it.

Baz.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on April 07, 2010, 09:33:09 PM
There is another example Baz. This person has also never had the virus on their computer.
So looking less like (in fact not to be) a record that has persisted from a previous time, and more like a false positive.

http://forum.avast.com/index.php?topic=58206.msg490507#msg490507
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Stephcdg on April 08, 2010, 04:37:38 PM
Hi everybody,

For me this devilish (or nonexistent) trojan is also appearing in a scan of images made by DriveImage XML.
I tried doing that booting with Bart PE; it also finds it.
I must add that it now finds a CRC check error; I guess that wouldn't be the case with raw imaging.
It seems that a file of AVAST, in windows/temp/_avast5_/, is "corrupt", so says a boot-time chkdsk; unfortunately the problem is recreated after chkdsk corrects the problem. I haven't done another chkdsk, but DriveImage XML still finds a redundancy check error.

To go back to that story, after having Avira telling me I had a hidden object it could not deal with, I reinstalled XP, and amazingly after booting with the MS XP Pro install boot, my two hard drives got the MBR wiped out. On the new install drive XP did the job of suppressing it, and I guess some malware took care of the other. Interesting to perform these recoveries, but I'd sure be happy to get back my computer.

on this page  http://www.protectorplus.com/download/downloadnow.htm
you can download this:   cleanhupigon.exe

But might as well chase a dream .....

In any case it feels nice to not be alone with this problem
Steph
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on April 08, 2010, 09:20:21 PM
Hi Steph

I'm posting a reference to a worm that seems to have been active since Jan 2010, despite the fact that the likelihood of you having got it on your system is low. The only relevance here is that you got your MBR wiped out after re-install.

Zimuse worm
http://www.eset.eu/encyclopaedia/win32-zimuse-a-trojan-startpage-g-generic-1729691-threat-sysvenfakp-based-maximus

Removal tool - if you can, I think load it onto a floppy disk and use it that way
http://www.eset.eu/download/ezimuse-remover

If Zimuse is involved, I cannot see why a scan should return a Hupigon detection unless there is some similarity in signatures, and the fact that Zimuse itself is very difficult to detect. Also, from what I gather Zimuse has the capability to delete its entry details while also writing to other detectable drives. This may include virtual images of drives.

While may not be relevant, would not be able to excuse myself if in fact turned out to be relevant.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Stephcdg on April 09, 2010, 07:34:28 AM
Hi Mkis, and others,
First I'd like to say I found a way to get rid of that false positive Hupigon trj found in images of archives...
Actually pretty easy, and logical: simply defrag the disk; since the sectors will be rewritten (or change), the "ghost" signature should eventually vanish!!
I guess copying files filled with "non blank" data, in multiples of 512-byte files (cluster size), filling your drive, defragging, then wiping, can do the trick; also with some defrag software you can reorder the files, by name, date etc....
Another try could be zipping and unzipping.
To be didactic, bear in mind that when you create a file the system will only write the "used data"; the OS will attribute a multiple of a cluster size (512 bytes in NTFS). So if your file is a small 50-byte text file, you actually have 512-50=462 bytes left; that's where those signatures probably lie.

What baffles me in this story is that a tool to make a drive image should actually be reading less of the hard drive to make an image, and place it contiguously in an archive. Seems logical, no?
Well, anyhow, this is the proof it does not. Thing is, after you delete the archive you could get back that signature; I guess it's better to shred it with some software.

Second, concerning the Zimuse worm
I checked
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dump" = "%programfiles%\Dump\Dump.exe"
and
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "MSTART"
----
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
I have none of those, thanks for the info though.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on April 11, 2010, 09:34:24 AM
I have now successfully got all my ghost images to scan clean.

To solve the problem I uninstalled Ad-Aware (Lavasoft). I then completely filled the disk with data, ran ScanDisk and defragged, deleted the extra data and ran ScanDisk and defragged again. I then took ghost images.

This has worked on all 3 machines that showed infections of ghost images.

As I have said before, none of the machines have ever reported the infection and have always scanned clean, and the oldest image that had the infection dated back to December 2009.

So I am still not sure what Avast was finding or where it came from.

Baz
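The mechanism Milos describes above (clusters freed by a deleted file keep their bytes and end up in a sector-level image), Stephcdg's point about slack at the tail of a cluster, and Baz's fill-the-disk-then-delete procedure can all be shown in one small model. The block below is an added example, not code from the thread or from Avast or Symantec: it simulates a tiny volume with fixed-size clusters and an allocation table, plants a constructed byte pattern (standing in for an AV signature; it is not a real Hupigon pattern), and reports how many hits a file-level scan and a raw cluster-level image see at each stage. The cluster size, the volume size, the pattern and the assumption that a rewrite lands on zero-filled clusters are all choices of the model, not properties of Ghost, NTFS or Avast.

```python
"""Toy cluster-level volume: why a deleted file can still be 'detected' in a
disk image, and what free-space overwriting does and does not clear.
Added example; the constants below are modelling assumptions, not real values."""
from __future__ import annotations

CLUSTER = 512        # toy cluster size in bytes (assumption, not an NTFS default)
N_CLUSTERS = 16      # toy volume size: 8 KiB
# Constructed stand-in for a scanner's byte signature. Not a real malware pattern.
SIGNATURE = b"\x00HUPIGON-TOY-SIG\x00"


def find_signature(blob: bytes, sig: bytes = SIGNATURE) -> list[int]:
    """Offsets of every occurrence of sig in blob, i.e. a naive pattern scan."""
    hits, pos = [], blob.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(sig, pos + 1)
    return hits


class ToyVolume:
    """Flat byte array split into clusters plus a name -> (clusters, size) table.
    Like a real filesystem, deleting a file only frees its clusters; it does
    not zero them, and writing a short file leaves the rest of its last
    cluster (the slack) untouched."""

    def __init__(self) -> None:
        self.data = bytearray(CLUSTER * N_CLUSTERS)
        self.files: dict[str, tuple[list[int], int]] = {}

    def free_clusters(self) -> list[int]:
        used = {c for clusters, _ in self.files.values() for c in clusters}
        return [c for c in range(N_CLUSTERS) if c not in used]

    def write_file(self, name: str, content: bytes) -> None:
        needed = max(1, (len(content) + CLUSTER - 1) // CLUSTER)
        free = self.free_clusters()
        if len(free) < needed:
            raise OSError("toy volume full")
        clusters = free[:needed]
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk  # slack left as-is
        self.files[name] = (clusters, len(content))

    def read_file(self, name: str) -> bytes:
        clusters, size = self.files[name]
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:size]

    def delete_file(self, name: str) -> None:
        del self.files[name]          # clusters return to the free pool; bytes remain

    def file_level_image(self) -> bytes:
        """What a scan of live files (or a file-level backup) sees."""
        return b"".join(self.read_file(n) for n in sorted(self.files))

    def sector_image(self) -> bytes:
        """What a cluster/sector-level imager captures: every cluster, used or not."""
        return bytes(self.data)

    def wipe_free_space(self) -> None:
        """Fill the volume with a zeroed throwaway file, then delete it
        (the fill-then-delete procedure). Only free clusters are touched."""
        n = len(self.free_clusters())
        self.write_file("__filler__", bytes(n * CLUSTER))
        self.delete_file("__filler__")

    def rewrite_file(self, name: str) -> None:
        """Copy a live file onto freshly zero-filled clusters. Assumption of the
        model: the destination clusters are zeroed first, so no slack survives."""
        content = self.read_file(name)
        self.delete_file(name)
        needed = max(1, (len(content) + CLUSTER - 1) // CLUSTER)
        for c in self.free_clusters()[:needed]:
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.write_file(name, content)


def run_scenario() -> dict[str, int]:
    """Number of signature hits per scan type at each stage of the story."""
    vol, hits = ToyVolume(), {}
    # Stage 1: a file carrying the pattern exists (e.g. a cached download).
    # 1017 bytes -> two clusters; the pattern sits at byte 300 of cluster 0.
    vol.write_file("cache.bin", b"A" * 300 + SIGNATURE + b"B" * 700)
    hits["live_before_delete"] = len(find_signature(vol.file_level_image()))
    hits["image_before_delete"] = len(find_signature(vol.sector_image()))
    # Stage 2: the file is removed. Live files are clean, the raw image is not.
    vol.delete_file("cache.bin")
    hits["live_after_delete"] = len(find_signature(vol.file_level_image()))
    hits["image_after_delete"] = len(find_signature(vol.sector_image()))
    # Stage 3: a 6-byte file reuses cluster 0; the pattern survives in its slack.
    vol.write_file("readme.txt", b"hello\n")
    hits["image_with_slack"] = len(find_signature(vol.sector_image()))
    # Stage 4: overwrite free space. Clears cluster 1, but not slack in cluster 0.
    vol.wipe_free_space()
    hits["image_after_free_space_wipe"] = len(find_signature(vol.sector_image()))
    # Stage 5: rewrite the live file onto zeroed clusters; the slack goes too.
    vol.rewrite_file("readme.txt")
    hits["image_after_rewrite"] = len(find_signature(vol.sector_image()))
    return hits


if __name__ == "__main__":
    for stage, n in run_scenario().items():
        print(f"{stage:30s} {n} hit(s)")
```

The model deliberately leaves out compression, so it says nothing about whether a scanner would see the pattern inside a compressed .GHS; it only shows the two points the thread argues over: a file-level scan and a cluster-level image of the same volume can disagree after a deletion, and fill-then-delete clears free clusters while leaving anything that sits in the slack of a still-allocated cluster in place until that file is rewritten.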
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on April 11, 2010, 10:32:18 AM
perhaps some conflict with Lavasoft Ad-Aware - would not be unusual
plus your ghost imaging is Norton spec (may have some conflict, so erratic readings)

- either way, you could have two or more dogs fighting over the same bone
- avast needs to make some call - so calls a definition appropriate to imaging, which is hupigon

I say perhaps because I dont really know
- but worse case scenario is an infection - care is needed in case of situation where there is an actual infection
-in the above case, probably best some call was made, because seems almost certain case of snafu (systems normal all f*dged up)

and now you know systems normal 
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: KA9194 on April 17, 2010, 09:16:44 PM
I posted in this thread:
 http://forum.avast.com/index.php?topic=58206.0
about how I am having a similar problem. I tried Baz's procedure - fill the disk, chkdsk, defrag, delete the extra files, chkdsk, defrag, rerun Windows Backup. I'm still getting the Hupigon-ONX detection in the backup .vhd file. I'm getting frustrated... this has taken me days to accomplish and I was really hoping it would work for me. It's no good having a disk image if I can't trust it.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: RepublicanWolf on May 10, 2010, 07:21:12 PM
I still have this false positive. It keeps deleting my backups! When will they fix this??!
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: WangMandingo on May 12, 2010, 01:49:00 AM
We have seen what this bug tends to lay its signature in:
(.tib) Acronis image
(.gho) Norton Ghost image
(.xml, .dat) DriveImage XML
(.vdi) Virtual Disk Images
Which leads me to think that there is a common file between them that has been compromised.

For us at the shop, this bug is most definitely NOT a false positive. We have recently caught this little guy in the PAGEFILE.SYS and/or the HIBERFIL.SYS on the root of the system drive. The signature indeed disappears from backup images when you run a defrag on the infected area. It also disappears when you simply copy the file to a portable medium.

The signature isn't attaching itself to the file directly. It is storing the signature in the tail end of used sectors or in sectors marked as blank. Since these sectors are either marked completely blank or are in an area where no data is expected by the system, they do not get scanned and cannot be normally seen. This is why when you defrag or move the file the signature doesn't follow it.

W32.Hupigon-ONX [trj] is a symptom, not the disease. We have yet to absolutely verify the source of the problem; however, there is some speculation that Hupigon and its variants have a development kit from which these threats are developed.

My question to the Avast team is:

The Avast! BART CD identifies this bug in the pagefile.sys, hiberfil.sys, and the backup images. Why does Avast! Professional Edition not do the same thing (boot-time scan or otherwise)? It might not be able to make changes to the sys files but it darn sure should be able to see the signature moving.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: WangMandingo on May 12, 2010, 01:58:56 AM
BTW....very important....We are currently using version 4.8 of Avast Pro Edition.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Milos on May 12, 2010, 09:50:34 AM
Quote
My question to the Avast team is:

The Avast! BART CD identifies this bug in the pagefile.sys, hiberfil.sys, and the backup images. Why does Avast! Professional Edition not do the same thing (boot-time scan or otherwise)? It might not be able to make changes to the sys files but it darn sure should be able to see the signature moving.

Hello,
I think that pagefile.sys and hiberfil.sys are in the exclusions (but not in the BART CD).

Milos
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: WangMandingo on May 12, 2010, 09:53:39 PM
They are indeed exclusions. However, they are not optional exclusions. Is there no way to force Avast! Pro 4.8 to check these files while in the operating environment, or at least in a BTS? I took a look at Avast! 5 and apparently it does have exclusion options that will allow one to scan them. Unfortunately 5 is, or at least was, relatively unstable.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: doktornotor on May 12, 2010, 09:57:06 PM
Once again, why'd you EVER scan such a thing? Takes ages, absolutely unproductive. If you think that your pagefile is infected (don't see how exactly), then just disable it temporarily. Ditto for the hibernation file.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: WangMandingo on May 12, 2010, 11:26:49 PM
The reason I would most definitely want to scan it is because the infection signature could inadvertently dump off into the page file, or malicious instructions could be set into the hibernate file. Either way, if one or both of them flag then it is cause for further inspection. The only way you can get them to flag is by doing a scan using Avast!'s BART CD. However, if these files flag positive it would only indicate that they are the symptoms of a larger problem. The executable that set the signatures in these files is still missing. It could possibly be masquerading as a Windows system file (i.e. calc.exe, find.exe, shutdown.exe), although I highly doubt it at this point. My guess is some driver or library may be carrying the infector.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: doktornotor on May 12, 2010, 11:35:04 PM
Well, folks... go, reformat, restore a clean image.

10 Immutable Laws of Security (http://technet.microsoft.com/en-us/library/cc722487.aspx)
Help: I Got Hacked. Now What Do I Do? (http://technet.microsoft.com/de-de/library/cc512587(en-us).aspx)

P.S. Scanning the pagefile is absolutely pointless. As said, you disable it and it's gone. You disable hibernation, the file's gone. Heck, you can delete it from Linux.

Title: Re: Win32:Hupigon-ONX [Trj]
Post by: WangMandingo on May 13, 2010, 12:15:43 AM
Of course after setting the page file to delete on shut down and disabling hibernate, one would then most likely turn the page file back on. After all, it takes about 5 to 10 just to shut down with the deletion of the page file. Sooner or later the page file gets infected again, which means you still have a bug. I believe these signatures are caused by something else that has yet to be detected.

There are many different infections that exist in memory that get dumped off and reread from the pagefile. While it probably isn't good for persistence beyond reboot (infecting hibernate may circumvent this...idk), it will allow persistence while sitting in an environment.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: doktornotor on May 13, 2010, 12:28:14 AM
Quote
Of course after setting the page file to delete on shut down and disabling hibernate, one would then most likely turn the page file back on. After all, it takes about 5 to 10 just to shut down with the deletion of the page file. Sooner or later the page file gets infected again, which means you still have a bug. I believe these signatures are caused by something else that has yet to be detected.

Getting the pagefile mysteriously "infected" over and over again doesn't sound like a false positive. As said, your course of action here is to wipe the drive (including MBR) and restore a known clean image (no, none of those you have detected by Avast) or - failing that - just reinstall from scratch. If you still get the issue after that, now that's something worth investigation. But to keep backing up a potentially infected system and keep complaining about the images being detected as infected really doesn't make much sense. You need a trustworthy machine to work with, not one that "mysteriously" gets infected all the time, meaning you can have whatever rootkit running there completely undetected.
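As an added example, not taken from doktornotor's or WangMandingo's posts: the steps the two of them refer to (turning hibernation off so hiberfil.sys disappears, removing the page file, and the "delete page file on shut down" setting) as they would be typed into an elevated Windows PowerShell prompt. It assumes only the standard powercfg tool, the Win32_ComputerSystem and Win32_PageFileSetting WMI classes and the documented ClearPageFileAtShutdown registry value; nothing else is Avast-specific.

```powershell
# Added example (not from the thread). Run from an elevated Windows PowerShell
# prompt (2.0 or later). Assumes the standard powercfg tool, the
# Win32_ComputerSystem / Win32_PageFileSetting WMI classes and the documented
# ClearPageFileAtShutdown registry value.

# 1. Hibernation off: Windows deletes %SystemDrive%\hiberfil.sys immediately.
powercfg /hibernate off

# 2. Stop Windows from managing the page file automatically, then drop every
#    configured page file. pagefile.sys is actually removed at the next boot,
#    so a scan done before rebooting still sees the old file.
$cs = Get-WmiObject -Class Win32_ComputerSystem -EnableAllPrivileges
if ($cs.AutomaticManagedPagefile) {
    $cs.AutomaticManagedPagefile = $false
    [void]$cs.Put()
}
Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object { $_.Delete() }

# 3. Alternative to removing it: have the kernel zero pagefile.sys during
#    shutdown (the "delete on shut down" setting mentioned above). Zeroing a
#    multi-GB file is what makes shutdown noticeably slower.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -Value 1 -Type DWord

# 4. After the reboot, confirm what is left on the system drive. Both files
#    are hidden+system, so -Force is needed to list them at all.
$volatile = @('pagefile.sys', 'hiberfil.sys')
Get-ChildItem -Path "$env:SystemDrive\" -Force |
    Where-Object { -not $_.PSIsContainer -and ($volatile -contains $_.Name) } |
    Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB) } }
```

To reverse it, run `powercfg /hibernate on` and set `AutomaticManagedPagefile` back to `$true` (or re-create a `Win32_PageFileSetting`). One caveat for anyone who, like WangMandingo, is treating a detection in these files as an incident rather than a nuisance: hiberfil.sys is a compressed dump of physical memory and pagefile.sys may hold pages of whatever was running, so copy them off (from a boot CD or a Linux mount) before deleting them if you still want to find out what put the flagged bytes there.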
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: WangMandingo on May 13, 2010, 06:32:11 AM
I'm not sure if you are making that statement for my benefit or if you are referencing the others on this thread. Nevertheless, allow me to explain a little more about my particular situation and why I am asking about Avast! Pro 4.8 and the scanning of pagefile.sys and hiberfil.sys.

I currently work as a computer repair technician in a shop with other technicians. We troubleshoot and repair hardware and software problems on a daily basis with a decent volume of machines. Recently we started to experiment with using bootable cd-rom environments to effect malicious software scans on our customers' machines. This led us to Avast! and their Bart CD. Using this tool we have begun to see an overwhelming increase in pagefile.sys and hiberfil.sys files flagging positive for a number of different infections. The one that concerns me is this Win32:Hupigon-ONX [Trj] signature that we began picking up attached to various drive images as mentioned above. This signature is also showing up in the pagefile.sys and hiberfil.sys of the same machines on which we are finding flagged backup images. In our experience it usually shows up with something else flagging in the opposite file although not all the time. One signature I remember seeing in hiberfil.sys when Win32:Hupigon-ONX [Trj] was in the pagefile.sys was Win32/Trojandownloader.bredolab.AA.

All that being said, I'm not wondering 'why is it that backup images get reinfected every time we back up infected drives?'. I'm wondering why it is that the Windows-installed Avast! Pro 4.8 software doesn't scan or flag these files for the signatures with either a direct scan or a boot time scan --AND-- can it be forced by some means to scan them with a boot time scan?

Or are we just going to have to dis on our old friend v4.8 and move everyone up to 5?

Again, the aforementioned stability issue with v5 still haunts me.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on May 13, 2010, 11:30:11 AM
When you are in business WangMandingo, why is it so important for you to make so much extra work for yourself and your colleagues? You don't have to do all this extra work, and as far as I can see you are doing your clients a disservice by loading your business up with this kind of indulgence. Almost as if you're taking on these issues like you are doing a thesis in the subject matter. And avast 4.8, for goodness sake!

And now bredolab!

Pardon me for saying, but you appear to have a consuming wish to be haunted.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on May 13, 2010, 02:28:38 PM
You boys are getting me worried now :'(

Having performed the fill/defrag procedure I mentioned earlier none of my subsequent ghost images have been flagged as infected.

But now you are saying there may still be some undetected infection lurking :o

Should I be worried, what can I do?

Baz
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on May 13, 2010, 08:42:09 PM
What do you think Baz? Perhaps some kind of summation is in order.

I would say definitely an environment issue related to imaging instruction set(s), but seemingly not universal, as occurrences across the board (all systems) are intermittent. And given also that when there is an occurrence, instances can be constant and coherent.

Hard to see that this issue involves a bona fide infection. My opinion.
I would stick to a call that I made earlier in the thread, (and without venturing further).

'avast needs to make some call - so calls a definition appropriate to imaging, which is hupigon'
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: RepublicanWolf on May 14, 2010, 01:18:14 AM
I will guarantee there is no bona fide infection on my WHS server or in the backup image of the Windows 7 64 bit machine. Both machines were built from scratch and installed with fresh new copies of Windows. I performed a backup on the first day of installation - 2 weeks ago. Then I scanned the WHS server with Avast WHS edition and it "found" a trojan and deleted most of my other backup images too. If I just back up my other Windows XP PCs there is no trojan found. Only when I back up the W7 Pro 64 bit - a fresh brand new copy.

This false positive has been around WAAAAAY too long. It should have been fixed a long time ago and it better be fixed soon or i'm taking Avast off.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: WangMandingo on May 14, 2010, 04:11:53 AM
And it's absolutely fine for you guys to believe whatever it is that helps you sleep at night. As far as my case, it is indeed an infection. All I need to know is whether or not Avast! 4.8 can be forced to scan the pagefile.sys and hiberfil.sys in a boot time scan. Or does this functionality not exist in 4.8 and we should move our people to 5.0. We can't allow this thing to spread any further. If we don't make an effort to stop it, computer illiterate individuals will never have the understanding to even begin to defend themselves.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: JackOuzzi on May 16, 2010, 08:50:31 AM
Avast have lost their way .... I have been a user for years and years, I have this infuriating Win32:Hupigon-ONX problem with WHS 4.8 (which in my opinion will NEVER be updated) Avast 5 is slow and cumbersome ... Support make no sense in any replies (if you get a reply) they send .... I will wait to expire and move elsewhere. SADLY  ::)
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: WangMandingo on May 22, 2010, 12:34:48 AM
OK. I may have found a way to get Avast 4.8 to scan the pagefile.sys. Instead of opening avast's main interface you have to open the On-Access scanner dialog. Select more details, then select Standard Shield from the list on the left. Once selected click the Customize button in the right hand portion of the dialog. When the settings window pops up select the Advanced tab. In the bottom portion of the Advanced tab should be a list of excluded files. Remove the PageFile reference from the list. I still don't know if this will catch anything but it is a way of removing the exception.
Title: What are the chances?
Post by: keglined on May 28, 2010, 03:19:48 AM
Found this forum via Google, and have been using avast for a couple years.

I just deleted my second backup in two months' time, due to this SAME EXACT ISSUE.  All of these questions/concerns could have come from me.

For instance, neither Malwarebytes nor Microsoft Security Essentials indicates this multi-Gigabyte backup file is/has a Trojan.  Only when I run a full scan does avast tell me there's a problem, and only with my backups.

Once done here I shall promptly create another backup - god forbid my hard drive crash and I'm left with nothing due to an avast glitch.

No further convincing required here.  I'm done with avast.

..!..
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: RepublicanWolf on June 02, 2010, 07:03:38 AM
Originally Avast was automatically deleting my backups - how horrible if something had happened to my original PC's and I had no backups. Anyways, I've changed the setting to only report, and every single week Avast lets me know there is Hupigon trojan in my data files, but at least it doesn't delete it anymore.

My subscription ends in July so I'll keep it until then. It's not doing any harm anymore - just reminding me what a crappy product Avast is  :-\
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on June 02, 2010, 01:02:51 PM
It is a bug for sure. Where backups are being run, differential I assume, or other, it doesn't matter, the bug seems evident with various backup products. I don't actually do that (backup schedule), but others on the forum do. I think wait to see whether it is possible for avast to correct it with their update, or if the error needs to be sorted out elsewhere, or there is incompatibility, inoperability, and so on...

My opinion is avast is reading (maybe raw data) a discrepancy/inconsistency and calling it Hupigon because it has to do with backup.
It is a near miss. Probably shows a bug. The OP Baz had a battle with it. And not insurmountable.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: willowmaster on July 21, 2010, 10:17:42 AM
I'm having this problem too with all my VMwares and Virtual PCs. I can't say for sure I don't have this Win32:Hupigon-ONX virus. But maybe it has to do with 32-bit and 64-bit systems. Who has this problem and runs a 64-bit operating system?
I'm running Windows 7 64 bit on a 64 bit machine.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: bobs2 on July 25, 2010, 10:47:51 PM
Hello,

I've read this and other threads about this trojan. Please, give me some explanations since I am not proficient with virtual machines and similar.

Today's scan of my computer (using Avast 4.8 ) showed that 3 out of 10 VMware VMDK files of one virtual machine are infected with Win32:Hupigon-ONX [Trj].
Both, VM and desktop run under XP.

I skipped deleting them because I have important data inside the VM. Did I understand well, this means that my VM machine, not desktop computer, is infected? If so, is it safe to work on the desktop computer without running the VM?

What should I do? Is it safe to run VM and copy files I need to my desktop computer? Files are not executable.
Would running of VM transfer trojan to desktop computer?
I don't know much about the way VMs work.
When I run it internet connection is usually on, because of communication with desktop computer. On my virtual machine I don't browse the internet and it's bit strange to get infected.

I need urgent help! It would take a lot of time to remove this VM and install a new one. Unfortunately, I didn't back it up the first time I made it. Other thing is that I can't restore the current state without some data I have on the VM at the moment.


Thanks for replies in advance!

Title: Re: Win32:Hupigon-ONX [Trj]
Post by: mkis on July 26, 2010, 02:07:51 AM
@bobs2

seems almost certain that you are another with a false positive (FP) reading.

avast calls Hupigon in an attempt to categorize the reading of a query concerning a backup image (in your case, a VM image)
but I don't know what the actual query is or whether the issue relates to a single, definable error situation
most times it seems that there is the call that avast makes (hupigon), and no further details.

So it is good practice to ensure that you do actually have an FP. And that you do not have a real detection of hupigon.
with the real hupigon, the infection is in some way sent to a host (in your case, to the VM).
this from f-secure -
Quote
Propagation
Hupigon doesn't have any automatic mechanisms to spread itself. It must be sent by its author via e-mail, through a website, or even via Instant Messengers (IM) such as Yahoo, MSN, ICQ, and Skype.

http://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: willowmaster on August 04, 2010, 10:16:27 AM
After defragging my hard drive I don't have any infections anymore.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Himself on August 18, 2010, 08:32:50 PM
 ???

Hello All,
I also found this thread via Google, and have a problem with detection of this 'problem'. Unfortunately I am no closer to understanding this topic than when I began reading about it last week. Is there a recommended 'official' way of responding to the Avast prompt for action? I tried moving it to the chest, but got an error that says my disc is full. This problem came up after a series of events that began before July 4th. I will post everything that I have found and done since that date, as it may provide some insights for more knowledgeable users than I, and then maybe we can figure it out - that is, if this is not yet well understood. I know that I certainly do not understand what is happening, and I desperately need my main system back!

stand by for details;

and thank you in advance for any help you may be able to provide.

Jim
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: DavidR on August 18, 2010, 09:29:08 PM
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

What avast version are you using 4.8 or 5.0 ?

The disk is full message is a bit of a red herring, it is that the size of the chest (which is limited) is either not big enough (unlikely) or more likely the file detected exceeds the maximum size of file to send. Both of these values can be modified in the avast settings, Chest. Though first answer the question as I suspect this is a large file like hiberfil.sys which is mentioned in this topic.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Jabbo on August 23, 2010, 01:55:18 PM
I have a dual boot setup with XP 32 on C & Win 7 64 on H
I have the latest Avast Free on both (5.0.594)
Win 7 was a clean build (TechNet download), fully MS patched, with Avast & Comodo Firewall applied ASAP in build process.
If XP loaded & doing a full scan, Avast reports that H:\hiberfil.sys has Threat:Win32:Hupigon-ONX [Trj]
hiberfil.sys is 2.99GB so e-mailing to Avast not practical.
This is not reported if Win 7 loaded & using Avast nor if using SuperAntiSpyware or MalwareBytes from XP

From reading the feedback here, Googling & my own analysis, I am 99% sure that this is a False Positive from Avast.

The commonality seems that scanning a 64 bit partition/VM/backup from another partition/CD Boot throws up the error. Likely due to it not being recognised/excluded when scanning other than the active partition.

I recommend Avast replicate this setup to test & sort this FP.

Apart from this, I am very happy with Avast & have no problems recommending it to others.
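An added example, not part of Jabbo's post or anything Avast ships: a small PowerShell function for the situation described in this post and in the earlier ones about 2 GB ghost images that are too big to e-mail. Run against a volume mounted from another OS (the Windows 7 partition seen from XP, a mounted image, a backup drive), it lists exactly the files a Windows-hosted scanner excludes by default on its own live volume (pagefile.sys, hiberfil.sys) together with large backup/VM image files, and streams each one through SHA-256 so that the hash, size and timestamp can be reported to the vendor instead of the file. The root path, the image extensions and the size threshold are assumptions for the example.

```powershell
# Added example (not from the thread, not Avast's code). Windows PowerShell 2.0+.
# Uses .NET's SHA256 directly so it does not depend on Get-FileHash (PS 4.0+).
# $Root, $ImageExtensions and $MinImageMB are assumed values for illustration.
function Get-OfflineVolumeReport {
    param(
        [Parameter(Mandatory = $true)][string]$Root,             # e.g. 'H:\'
        [string[]]$ImageExtensions = @('.gho', '.ghs', '.vmdk', '.vhd', '.v2i'),
        [int]$MinImageMB = 100
    )
    # Files Windows keeps open on the live system; a scanner running on that
    # system skips them, a scanner looking at the volume from elsewhere does not.
    $volatile = @('pagefile.sys', 'hiberfil.sys')
    $sha = [System.Security.Cryptography.SHA256]::Create()

    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $isVolatile = $volatile -contains $_.Name
            $isImage = ($ImageExtensions -contains $_.Extension) -and
                       ($_.Length -ge ($MinImageMB * 1MB))
            if (-not ($isVolatile -or $isImage)) { return }   # skip this file

            # Hash from a stream: a 3 GB hiberfil.sys must not be read into memory.
            $fs = $_.OpenRead()
            try {
                $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
            } finally {
                $fs.Close()
            }

            New-Object PSObject -Property @{
                Kind      = $(if ($isVolatile) { 'volatile-system-file' } else { 'backup-image' })
                Path      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 1)
                LastWrite = $_.LastWriteTime
                SHA256    = $hash
            }
        }
}

# Usage: the Windows 7 volume seen from the XP install, as in the post above.
Get-OfflineVolumeReport -Root 'H:\' |
    Format-Table Kind, SizeMB, LastWrite, Path, SHA256 -AutoSize
```

Two things the report gives you that the scanner's one-line verdict does not: the LastWrite time of hiberfil.sys tells you whether the flagged content is from the last hibernation of the other OS or something older, and the SHA-256 of a ghost image lets you confirm after a re-scan (or after the fill/defrag procedure Baz used) that you are comparing verdicts on identical bytes rather than on a freshly written image.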
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Baz8755 on October 30, 2010, 10:42:05 AM
Did another scan today Win32:Hupigon-ONX is showing up again in my recent Norton Ghost image file.

Surely it's time to sort this out?
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: SafeSurf on October 30, 2010, 11:13:46 AM
Quote
I have now successfully got all my ghost images to scan clean.

To solve the problem I uninstalled adaware (lavasoft). I then completely filled the disk with data, scandisked and defragged, deleted the extra data and scandisked and defragged again. I then took ghost images.

This has worked on all 3 machines that showed infections of ghost images.

As I have said before, none of the machines have ever reported the infection and have always scanned clean and the oldest image that had with the infection dated back to December 2009.

So I am still not sure what Avast was finding or where it came from.
This is an old thread.  Please open up a new thread under the Virus and Worms section of this forum and you can cut and paste this url thread http://forum.avast.com/index.php?action=post;quote=491870;topic=57768.30;num_replies=73;sesc=eda6a3e30b62e578ca52f09a026b0cf5 (http://forum.avast.com/index.php?action=post;quote=491870;topic=57768.30;num_replies=73;sesc=eda6a3e30b62e578ca52f09a026b0cf5) into your new post as a reference.  Thank you.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: REDACTED on August 12, 2015, 03:06:26 PM
Hello,

I see there's been some talking about this Win32:Hupigon-ONX [Trj] subject so I rather put my question here, than make a new topic.

I recently faced this very same infection alert with doing full virus scan via Avast. It reports the file being highly infected with this very specific kind of Trojan. But is this a real threat or a false alarm since the file is being in Avast's folders. File location is C:/ProgramData/AVAST Software/Avast/ng/NGBase/Snapshots and full filename is snapshot_{1d35d8b8-b359-11e3-b1fd-806e6f6e6963}.dat - this dat file is 1,7 GB.

I have tried to do what avast suggests after scanning, so repair automatically and/or deleting the file but nothing happens. Is it safe and should I manually remove this file, if it isn't a false report from avast? Malwave scan doesn't give any alarms about infected files.
Title: Re: Win32:Hupigon-ONX [Trj]
Post by: Pondus on August 12, 2015, 05:25:08 PM
@k3mpo   you are posting in a 5 year old topic

Report virus and False positive problems in Viruses and Worms forum section