Author Topic: Win32:Hupigon-ONX [Trj]  (Read 63881 times)

0 Members and 1 Guest are viewing this topic.

Offline Baz8755

  • Full Member
  • ***
  • Posts: 122
Re: Win32:Hupigon-ONX [Trj]
« Reply #30 on: April 01, 2010, 10:05:08 PM »
Baz8755: I just tried to draw the attention of the mods to this thread again. However - it's Easter. So hang in there a little.
Your effort is much appreciated, thx a lot!

Thanks,

One further thing to add, I have just uninstalled Avast from my test PC and installed Avira and AVG and ran full scans with each, they too did not find any infection on the machine or in the ghost images. I am now in the process of restoring the so called infected ghost image as it is an image with avast installed.

Until this issue is resolved I have added my ghost image directory to my scan exclusion list

Baz
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: Win32:Hupigon-ONX [Trj]
« Reply #31 on: April 02, 2010, 07:22:54 PM »
Actual I went back to the OP because I wondered about the infection and on what was on threat scale

so google --> Win32:Hupigon-ONX [Trj] - screenshot shows the page scrolled down to the following entry -

About | Adware Spyware Remover
win32 hupigon aqy Your security and peace of mind is worth spending a little time to prevent ...... Most trj downloader.nqb adware encodes last downl ...
adwarespyware-remover.com/about/ - Cached


hxxp://adwarespyware-remover.com/about/

Avast alerts! with a block on this site - detektor wont read it - Unmasked Parasites passed it so far

I haven't got time to go there but the block on the site is in iexplore - wont show the page (screenshot)
I installed Foxit as well but not a good experience since Ask toolbar came up as well
Ask toolbar also blocked the above site  :o  but I've uninstalled Foxit for the time being

avast calls the site at malware. I haven't followed up on Unmasked Parasites yet.

http://www.unmaskparasites.com/security-report/

oops key slipped - there's the screenshots now

you will see the address in the Object line of the block image - I dont know that address at all
- is that in this case an iexplore third party alerting avast to the site (guess)

-edited
« Last Edit: April 02, 2010, 08:25:07 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline Steved45

  • Newbie
  • *
  • Posts: 2
Re: Win32:Hupigon-ONX [Trj]
« Reply #32 on: April 03, 2010, 02:31:05 PM »
For what its worth,  I deleted the files as I said and it took out the entire virtual machine folder contents.  I have since reinstalled the folder contents from scratch ie WinXP and FP2003 and ran the avast scan again on that folder and nada - so this leads me to believe that a) either the infection is in SP3 which I havent' reinstalled yet (unlikely) or b) this really was a virus and it hit me using Safari on the mac and found my VM windows files as I rarely use the windows browser for anything and the install was pretty much brand new.   

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: Win32:Hupigon-ONX [Trj]
« Reply #33 on: April 03, 2010, 05:08:50 PM »
If you had anything to do with this   Win32:Hupigon-ONX [Trj]  isn't very nice


Ardware Spyware Remover may be blocked as PUP type. There are other blocks for this and similar type websites.

Or malware - link to site is not reading as stable
« Last Edit: April 04, 2010, 03:00:27 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline Baz8755

  • Full Member
  • ***
  • Posts: 122
Re: Win32:Hupigon-ONX [Trj]
« Reply #34 on: April 04, 2010, 02:31:54 PM »
Mkis,

Although I did not believe that Ghost 2003 backed up all the clusters you suggested I still decided to do a little experiment.

On my test machine I completely filled up the C: drive with temporary files and then deleted them all, defragmented and did a full scan disk.

I then took a ghost image of the drive and scanned it. It come up clean this time and I was beginning to think you may have been right.


However I did exactly the same thing on my main machine and unfortunately it is still showing that the ghost image has the virus even though, thorough scans and rootkit scans all still show the C: drive as completely clean. Also as I have already mentioned ghost 2003 appears to use compression as it backs up a disk that is 34GB used to files totalling 22GB so any virus data may well be corrupted.

Given that all the A/V products I have now tried scan the ghost image as clean I am still confused as to why Avast is finding a problem.

Also just of interest do we know when the virus was actually created (not included in signature database) as I have a ghost image created December 2009 that Avast believes to contain the signature

Baz.
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Benny G

  • Newbie
  • *
  • Posts: 2
Re: Win32:Hupigon-ONX [Trj]
« Reply #35 on: April 05, 2010, 06:43:47 AM »

       :o

          I have the exact same situatuion as Baz8755. Only difference is, I am using Norton Ghost 10 for my backups. Starting after my April 1st update ( April Fools Day ) to the iAVS, now all (3) my NG 10  backups flag with this trojan. So maybe some helpful info I have. With Avast I deleted the 3 NG backups. Then I uninstalled NG 10, did an aggressive registery cleaning, then, with my firewall I blocked all access to the internet, then I reinstalled NG 10. Then I ran NG 10. It popped a window up saying "Internal program error" (probably because of no internet access).  But I continued on and saved my first back up, no problem. Then I shut  NG 10 down and ran it again , this time there was no pop up window with internal program error. I saved my other 2 backups with no problems. I closed NG 10. I allowed internet access. The avast iAVS may have updated, I can't remember, well yes it would have updated since April 1st. I scanned these 3 new back ups and there was NO trojan detected (nothing). So it must have either been the new iAVS update or it is because I installed NG 10 with out giving it internet access during install and while running. The reason I tryed this is because I thought maybe NG is getting infected from it's host server.
I hope this may help in some way.
                                                               Happy Easter to all     Benny G

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: Win32:Hupigon-ONX [Trj]
« Reply #36 on: April 05, 2010, 07:49:15 AM »
avast is still alerting on this site -  hxxp://adwarespyware-remover.com/about/


@ Baz - I have no idea about yr Norton Ghost, nor have I offered any suggestions, let alone about clusters

However - have you ever had  Win32:Hupigon-ONX [Trj]  on yr computer or moved to the virus chest?
you may still have a record of this on yr computer, despite that the file may be deleted.



Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline Baz8755

  • Full Member
  • ***
  • Posts: 122
Re: Win32:Hupigon-ONX [Trj]
« Reply #37 on: April 05, 2010, 10:12:47 AM »
Mkis,

As far as I am aware I have never had this virus, on the very rare occassion I get a virus I restore from a previous ghost image to ensure the machine is as clean as possible, as the site you are refering to could easily be mistyped for adaware (a Lavasoft product) then it may be possible that I could have gone there once by mistake but I certainly have not had any virus warnings of infections.

My virus chest (according to Avast) is empty but could you tell me where it is stored and I will check the folders.

As I said in my previous post, it would be interesting when this virus first appeared on the net to see if the ghost image dated December 2009 could ever of had a copy contained within it.

Baz.
« Last Edit: April 05, 2010, 01:48:56 PM by Baz8755 »
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: Win32:Hupigon-ONX [Trj]
« Reply #38 on: April 07, 2010, 09:33:09 PM »
There is another example Baz. This person has also never had the virus on their computer.
So looking less like (in fact not to be) a record that has persisted from a previous time, and more like a false positive.

http://forum.avast.com/index.php?topic=58206.msg490507#msg490507
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline Stephcdg

  • Newbie
  • *
  • Posts: 2
Re: Win32:Hupigon-ONX [Trj]
« Reply #39 on: April 08, 2010, 04:37:38 PM »
Hi everybody,

For me this devilish (or unexisting trojan) is also appearing in a scan of images, made by drive image xml,
I tried doing that booting with Bart PE. it also finds it.
 I must add that it now finds a CRC check, I guess that wouldnt be the case
 with raw imaging.
It seems that a file of AVAST, in windows/temp/_avast5_/ is "corrupt" so says a boot on chkdsk, unfortunatly the problem is recreated after
chkdsk corrects the problem. I havent done another chkdsk, but driveimage xml, still find a redundecy check error.

To go back with that story, after having Avira telling me I had a hidden object he could not deal with, I reinstalled XP, and amazingly after
booting with the MS boot install xp pro, My two hard drives, got the MBR wiped out, in the new istall drive, XP did the job of suppressing, and I guess some malware took care of the other. Interesting to prform these recoverys, but I'd sure be happy to get back my computer.

on this page  http://www.protectorplus.com/download/downloadnow.htm
you can download this:   cleanhupigon.exe

But might as well chase a dream .....

In all case feels nice to not be alone with this problem
Steph

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: Win32:Hupigon-ONX [Trj]
« Reply #40 on: April 08, 2010, 09:20:21 PM »
Hi Steph

I'm posting a reference to a worm that seems has been active since Jan 2010, and despite that the likelihood of you having got it on yr system is low. The only relevance here is that you got yr MBR wiped out after re-install.

Zimuse worm
http://www.eset.eu/encyclopaedia/win32-zimuse-a-trojan-startpage-g-generic-1729691-threat-sysvenfakp-based-maximus

Removal tool - if you can, I think load to floppy disk and use that way
http://www.eset.eu/download/ezimuse-remover

If zimuse involved, I cannot see why scan should return Hupigon detection unless there is some similarity in signatures, and fact that zimuse itself is very difficult to detect. Also from what I gather zimuse has capability to delete its entry detail while also writing to other detectable drives. This may include virtual images of drives.

While may not be relevant, would not be able to excuse myself if in fact turned out to be relevant.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline Stephcdg

  • Newbie
  • *
  • Posts: 2
Re: Win32:Hupigon-ONX [Trj]
« Reply #41 on: April 09, 2010, 07:34:28 AM »
Hi Mkis, and others,
First I'd like to say I found a way to get rid of that false positive Hupigon trj, found in images of archives...
Actually pretty easy, and logical, simply defrag the disk, since the sectors will be rewritten (or change), the "ghost" signature should eventually vanish!!
I guess copying files filled with "non blank", multiples of 512 Byte files (clustersize), filling yr drive,defrag, then wiping, can do the trick, also with some defrag soft U can reorder the files, by name, date etc....
Another try could be zipping, and unzipping.
To be didactic, bear in mind that when you create a file the system will only write the "used data" ,the OS will attribute a multiple of a cluster size, (512-bytes in NTFS). So if your file is a small 50-byte text file, you actually have 512-50=462-bytes left, that's where those signatures probably lay.

What bafflz me in this story is that a tool to make an drive image should actually be reading less of the hard drive to make an image,  and place it contiguously in an archive. Seems logical no?
Well, any how this the proof, it does not. Thing is, after you delete the archive you could get back that signature, I guess it's better to shred it with some software.

Second, concerning Zimuse worm
I checked
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"Dump" = "%programfiles%\Dump\Dump.exe"
and
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_MSTART\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "MSTART"
----
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_MSTART\0000]
I have none of those, thks for info thow.
« Last Edit: April 10, 2010, 10:05:20 PM by Stephcdg »

Offline Baz8755

  • Full Member
  • ***
  • Posts: 122
Re: Win32:Hupigon-ONX [Trj]
« Reply #42 on: April 11, 2010, 09:34:24 AM »
I have now successfully got all my ghost images to scan clean.

To solve the problem I uninstalled adaware (lavasoft). I then completely filled the disk with data, scandisked and defragged, deleted the extra data and scandisked and defragged again. I then took ghost images.

This has worked on all 3 machines that showed infections of ghost images.

As I have said before, none of the machines have ever reported the infection and have always scanned clean and the oldest image that had with the infection dated back to December 2009.

So I am still not sure what Avast was finding or where it came from.

Baz
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: Win32:Hupigon-ONX [Trj]
« Reply #43 on: April 11, 2010, 10:32:18 AM »
perhaps some conflict with lavasoft adaware - would not be unusual
plus yr ghost imaging is Norton spec (may have some conflict, so erratic readings)

- either way, you could have two or more dogs fighting over the same bone
- avast needs to make some call - so calls a definition appropriate to imaging, which is hupigon

I say perhaps because I dont really know
- but worse case scenario is an infection - care is needed in case of situation where there is an actual infection
-in the above case, probably best some call was made, because seems almost certain case of snafu (systems normal all f*dged up)

and now you know systems normal 
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline KA9194

  • Newbie
  • *
  • Posts: 9
Re: Win32:Hupigon-ONX [Trj]
« Reply #44 on: April 17, 2010, 09:16:44 PM »
I posted in this thread:
 http://forum.avast.com/index.php?topic=58206.0
about how I am having a similar problem.  I tried Baz's procedure - fill the disk, chkdisk, defrag, delete the extra files, chkdisk, defrag, rerun Windows Backup.  I'm still getting the Hupigon-ONX detection in the backup .vhd file.  I'm getting frustrated...this has taken me days to accomplish and I was really hoping it would work for me.  It's no good having a disk image if I can't trust it.