TechSpot

Backdoor.Hupigon trojan

By Teresa.J
Oct 1, 2008
  1. Hi

    I'm fixing a friend's computer. It has three accounts ... my friend, her hubby and her daughter. The problem was reported as some web pages not loading.

    I updated and ran AVG which found Trojan Horse Downloader.Generic 7 and also 11. Her daughter uses Limewire which is probably how the trojans got in. I installed Zone Alarm because they were relying on Windows Firewall.

    I then installed and updated Malwarebytes and while it was scanning AVG popped up with Backdoor.Hupigon which was fixed and deleted. Malwarebytes reported the following:

    Adware.PlayMP3Z
    Adware.Agent
    Trojan.Vundo
    Trojan.FBrowsingAdvisor
    Adware.Mirar

    All were fixed and deleted and I restarted the computer.

    Since then Windows Calculator has been opening randomly and constantly. So, I rebooted into safe mode under the admin a/c and ran AVG and Malwarebytes and SuperAntiSpyware but no problems were found. Calculator continued to pop up during the scans. I rebooted into normal mode and within 10 minutes Calculator had opened 102 times. This continued for a few days and then without me changing anything else it just as suddenly stopped.

    I have now followed all the procedures advised on this site for malware removal and have attached the logs from Malwarebytes, SuperAntiSpyware and Hijackthis.

    Could someone please have a look at these logs to check whether this pc is now 'clean'?

    Thanks
    Teresa
     


  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Is calculator still randomly opening?
    I don't see any obvious sign of malware in your log
     
  3. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    Hi kimsland

    Well, I've had the pc running all day now and no sign of the calculator popping up.

    Yesterday, the pop ups slowed down to a few an hour but, as I said, none today.

    Looks like all's well then. Fingers crossed and touch wood etc.

    Cheers
    Teresa

    PS I'll be directing my friend and her family to this excellent site. Heaps of info and resources.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Just tick and fix this one: (using HJT again)
    Thanks for your kind words too :grinthumb
     
  5. SpiritWind

    SpiritWind TS Rookie Posts: 164

    "Backdoor"

    Hi Teresa :

    A Word of Caution when it comes to "Backdoor" Detections ; Best to follow the
    Advice available at www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan
    supplemented by the Advice of the CERTIFIED "Microsoft Most Valuable
    Professionals" in what is written at http://aumha.net/viewtopic.php?f=26&t=28580 .

    At a minimum, I recommend you use the FREE "Rootkit Revealer" from
    http://technet.microsoft.com/en-us/s.../bb897445.aspx . This program
    provides INFO ONLY and will NOT remove any rootkits . Just PRIOR to running Its
    Scan, "Delete" all the "Temporary Internet Files" on the computer ; should ALSO
    follow the Guidelines of the 1st 2 Threads, started by "namrehto", at
    http://forum.sysinternals.com/forum_topics.asp?FID=15 .
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Oh I see

    Yes I've been on many boards, for many many years
    No I am not "certified malware removalist" although I have lots of experience

    For your information I know of at least two certified malware specialists here at TechSpot, and one of them wrote the Viruses/Spyware/Malware Preliminary Removal Instructions

    So by following that guide, and posting your logs, another member (ie YOU) should not come along and say go elsewhere. Seeing as both parties are qualified.

    You can't argue that :p
     
  7. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

     
  8. SpiritWind

    SpiritWind TS Rookie Posts: 164

    RootkitRevealer Scan

    Hi Teresa :

    Best to have the RootkitRevealer Scan Results interpreted by THEIR Experts on
    the Support Forum at http://forum.sysinternals.com/forum_topics.asp?FID=17 ;
    2 of the 10 Items in the Scan are "commented" on in the 1st Post on that Forum
    ( "HKLM\Security\Policies\Secrets" ) . Based on WHAT they say depends on HOW
    to proceed !? They request you use their "Search" feature initially and for any
    "Item" not found, then Post in the Forum .

    My purpose in providing those 2 Links was so that you could make a better,
    informed Opinion on HOW best to proceed .
     
  9. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    ok ... will get back with results.

    calculator is going mad at the mo. hard to complete a sentence without being interrupted by it.
     
  10. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    Hi again,

    I ran Rootkit Revealer and the results were clean, so I reckon there must have been some hiccup in Explorer which was causing Calculator to go mad.

    I've now uninstalled Calculator via the Add/Remove Windows Components utility and everything is running sweet now.

    I rescanned the pc and no negative results, so I'm handing this puppy back to its owners with strict instructions on how to keep it safe and clean, and I placed this site into their bookmarks so they can read those stickies on prevention and maintenance.

    Thanks guys for your help and guidance.
    Cheers
    Teresa :grinthumb
     
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  12. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    I agree, kimsland, and that link is what I've bookmarked for my friend. It was by following the 8 steps removal instructions that I actually fixed the problems.

    I've also directed them to http://www.techspot.com/vb/topic31474.html which has a few good tips.

    Thanks
     
  13. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Post a fresh HijackThis log and I can check to see if there are hidden things still there
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  15. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    Hi xxdanielxx

    Here's the new hijackthis:

    (moderator edit: don't copy and paste your logs. Attach them like you did in earlier posts. Also, use the edit button -> 'Go Advanced' on this post and don't start a new consecutive post after this one.)
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Post Removed
     
  17. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    ooops sorry! I've attached it now.

    I had already handed back the pc to my friend yesterday. I'm at her place now and she reports that the pc is running a little slower. Not sure why that would be.

    Everything else seems ok.
     
  18. momok

    momok TS Rookie Posts: 2,265

    This is something very fishy. The file turns up zero hits on various search engines.

    I would definitely fix these in HJT. To fix O23 entries:

    Boot into safe mode.

    Go to Run > services.msc
    Search and remove the following services:
    TLMELV
    HAWBMVSH

    Open HJT and fix the above-mentioned entries.

    Boot back into normal mode and run HJT again; post the new log back here.
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please run HJT again and tick and fix these 4 entries
    You may want to run CCleaner again too


    Go here and download RootKit Revealer. Once downloaded, unzip the files to their own folder and rename RootKitRevealer.exe to Find.exe. The reason for this is that some rootkit trojans can detect this program and hide themselves from it.

    When you have done this, click on Options and make sure that "Hide Standard NTFS Metadata Files" and "Scan Registry" are both checked.

    Before scanning, make sure all other running programs are closed, and no other actions (like a scheduled AV scan) will occur while this scan completes. Do not use your computer during the scan. Click on scan and let it scan your drive (it will take a while so be patient). When it has finished, go to File > Save, save the log and post it in this thread.



    Edit

    Oh momok has replied

    Edit2

    Oh you have already done the Rootkit revealer
    Aren't I going well :/
     
  20. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    Hang on guys, shall I follow momok's advice first then kimsland's?

    Oh, and kimsland, when I deleted the O23 - Service: a-squared Free Service (a2free) - Unknown owner - F:\A2USB\a2service.exe (file missing) it caused the pc to boot to spare hard drive. I had to go into bios to direct it to the right one.
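
An added example, not part of the original thread or any poster's code: a small Python triage of HijackThis O23 service lines like the ones discussed above, flagging "Unknown owner", "(file missing)" and services absent from a reviewer-supplied known-good list. The line format follows the a2free entry quoted in the thread; `parse_o23`, `triage`, the `exampleav` entry and the owner and path on the TLMELV line are constructed for illustration.

```python
import re

# HijackThis O23 line: "O23 - Service: <display> (<name>) - <owner> - <path>".
# "(<name>)" is optional; a zero typed in place of the letter O is tolerated.
O23_RE = re.compile(
    r"^[O0]23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def parse_o23(line):
    """Return a dict for one O23 line, or None if the line is not O23."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["name"] = entry["name"] or entry["display"]
    entry["missing"] = entry["missing"] is not None
    return entry

def triage(log_text, known_good):
    """Map service name -> reasons a reviewer should look at it."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = []
        if entry["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if entry["missing"]:
            reasons.append("file missing")
        if entry["name"].lower() not in known_good:
            reasons.append("not in known-good list")
        if reasons:
            findings[entry["name"]] = reasons
    return findings

# Constructed sample log. Only the a2free line is quoted from the thread;
# the TLMELV owner and path are placeholders, not values from the real log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\ExampleAV\tray.exe
O23 - Service: Example AV Service (exampleav) - Example Vendor - C:\Program Files\ExampleAV\svc.exe
O23 - Service: a-squared Free Service (a2free) - Unknown owner - F:\A2USB\a2service.exe (file missing)
O23 - Service: TLMELV - Unknown owner - C:\PLACEHOLDER\tlmelv.exe
"""

print(triage(SAMPLE_LOG, {"exampleav"}))
```

The output is a review list only; each flagged service still needs its binary and origin checked before anything is removed.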
     
  21. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes but it says File Missing which is very confusing as to why it would cause an issue with restarting

    I would actually un-install a-squared Free fully
     
  22. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    ok, I think I'd better bring the pc back here again. I'll be a couple of hours coz it's my turn to cook tea tonight!
     
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    And remove a-squared

    I'm presently on a-squared forums, trying to work out how a missing file can cause a restart (nearly impossible isn't it :confused:)
     
  24. momok

    momok TS Rookie Posts: 2,265

    Yes please, remove those O23 entries as per my instructions
     
  25. Teresa.J

    Teresa.J TS Rookie Topic Starter Posts: 16

    It didn't cause a restart. I had to restart after removing it and that's when I got a black screen.

    I'm just about to hook her pc up now and I'll post results soon.
     
Topic Status:
Not open for further replies.
