Author Topic: Win32-Hupigon-ONX[Trj] Found In Paragon Image Backup Files?  (Read 3459 times)


DonZ63

  • Guest
Win32-Hupigon-ONX[Trj] Found In Paragon Image Backup Files?
« on: October 12, 2011, 01:46:00 AM »
Win 7 x64 SP1 and Avast 6.0.1289    Win XP SP3 and NIS 2011

This is one of the weirdest things I have seen in a while.

I have 3 HDDs; one contains WIN 7, the other WIN XP, and the third has two partitions - one for XP image backups and one for Win 7 image backups. All images were created from Paragon Disk Manager Server edition from a bootable WIN PE CD. I have used this CD for years with no problems.

I scanned the partition containing the WIN XP images today and Avast found multiple files all infected with Win32-Hupigon-ONX[Trj]? Now I don't know how image files can be infected? The XP system was clean when I always did my backups. So I thought these must be false positives.

So I next scan the Win 7 backup partition that contains image files. Clean. Now I am really worried.

Next I scan my XP drive from WIN 7. It finds some "global" bad guy in the page file. So I delete the page file.

Finally I take an image backup of the XP drive which should be clean. I then scan that image backup and guess what? It finds files infected with Win32-Hupigon-ONX[Trj]. Now how is that possible?

What the heck is Avast doing here?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • No support PMs thanks
Re: Win32-Hupigon-ONX[Trj] Found In Paragon Image Backup Files?
« Reply #1 on: October 12, 2011, 02:32:02 AM »
In all honesty, large backup files which are highly compressed can throw up some weird detections, and it isn't unusual to see Win32:Hupigon on some of these, and the pagefile is another.

Unfortunately given the likely size of these files you can't upload them to virustotal (20mb limit) for scanning.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

DonZ63

  • Guest
Re: Win32-Hupigon-ONX[Trj] Found In Paragon Image Backup Files?
« Reply #2 on: October 12, 2011, 02:47:53 AM »
I came across multiple threads in this forum about this issue to the effect that Avast will detect any residuals from this Trojan left on the HDD. I had previously deleted all my image backups on the partition in question since they were old anyway. However, I wrote the new image backup back to the same partition without first wiping it or writing other data to that partition. I suspect that Avast is detecting residual traces in that partition.

When I get time I will copy the new backup to another partition and see if it scans clean. If it does, I will have to wipe my XP partition before reusing it.

My opinion here is that Avast might be a bit too intrusive here ...

ady4um

  • Guest
Re: Win32-Hupigon-ONX[Trj] Found In Paragon Image Backup Files?
« Reply #3 on: October 12, 2011, 03:12:03 AM »
How is Avast getting residuals of previous files? Avast is not scanning "sector-by-sector". It is using the OS and the filesystem. To "see" (contents of) sectors, Avast would need to bypass the OS and the filesystem, just as a "sector-by-sector" image backup or recovery tool would do.

DonZ63

  • Guest

ady4um

  • Guest
Re: Win32-Hupigon-ONX[Trj] Found In Paragon Image Backup Files?
« Reply #5 on: October 13, 2011, 01:49:11 AM »
Check this out: http://forum.avast.com/index.php?topic=57768.0

Are you requesting from me to look at it? Are you referring to my previous comment about sectors? Please be clear. Either quote only the relevant parts of previous posts, or use @username, specifying to what exactly you are referring.

DonZ63

  • Guest
Re: Win32-Hupigon-ONX[Trj] Found In Paragon Image Backup Files?
« Reply #6 on: October 13, 2011, 02:06:29 AM »
Sorry. I was referring to the prior posting as reference.

I did scan my XP drive about a week ago, by the way, and Avast did find a .tmp.xxxx file that it said was Win32-FakeAlert-OJ[Trj]. I sent it to the Virus Chest.

Now how long it was there I don't know, so it possibly was also in the image backups. However, the scan of the image files did not reference that Trojan but the Hupigon-ONX.

Does Avast change its classification based on file type? Just kidding ;D
« Last Edit: October 13, 2011, 02:08:31 AM by DonZ63 »