TechSpot

Trojan horse backdoor.hupigon.rcg, Possible infection

By exactprecisions
Oct 10, 2009
  1. Please will someone assist me with this. There was an archive on my machine that was infected with this. The archive was extracted and run before I installed AVG and Spybot S&D, and so it wasn't found at the time. Since then I have removed the application that was infected and the archive from my system. Would someone please be so kind as to walk me through the steps as to what I need to do?

    Thank you
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot. I see that you have also posted on another forum and left the log from HijackThis. Please decide where you want to be helped. We work at cross purposes when more than one forum is assisting you.

    If you decide to stay here, please disable TeaTimer before scanning: it can interfere with the changes you'll make on your system. When everything is done and your log is clean again, you can enable it again.

    If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    How to disable TeaTimer during HijackThis Cleanup
    Then, download ResetTeaTimer.bat.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

    When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.

    You should also either uninstall uTorrent or refrain from using it while you are being helped.

    Your system IS badly infected. You also run the 64-bit operating system- which one? HJT doesn't scan well on that and you will need additional programs. To start here, if you decide to remain here for instructions, please go to this thread and follow the steps: Preliminary Malware Removal

    You will run a new HJT scan AFTER the other 2 programs. When you have finished, please attach the logs from Mbam and SAS and paste the log from HijackThis. We will review the logs and see where the system stands.

    Kindly let us know if you decide to stay with the other forum.
     
  3. exactprecisions

    exactprecisions TS Rookie Topic Starter

    Well I posted on the other forum because I also am using it for assistance learning PHP. I would much rather the assistance here because I have overlooked a lot of your replies and posts. I'm already in the process of obtaining the software and preparing the outputs as guided in a Tutorial you offer here.

    I'm sorry if this caused any problems with anyone. I truly am. I don't want to do anything to upset anyone.

    I am running Windows 7 on 64-bit architecture.
     
  4. Bobbye

    It can get very confusing to you and can actually harm the system if you follow the directions in two different forums for the same problem at the same time.

    We're going to have to run additional programs- I doubt HJT is the most reliable for your system. But use it for now, okay? It couldn't even read the name of the OS you had!
     
  5. exactprecisions

    Did exactly as I was told to do and here are my logs. I ran CCleaner after AVG and then once again after Malwarebytes, SUPERAntispyware, and when Hijackthis output was made.

    I am really sorry it took me so long to return with the outputs of each.
     
  6. Bobbye

    Okay, I'm going to consult someone about the Windows 7 entries and HJT log. I cannot rely on HJT as it isn't reading the system properly. Since it's the weekend, it might take a bit of extra time, so be patient.

    One thing you can do now is a minor regedit. NOTE: back up the Registry first.
    Mbam shows a find of NoActiveDesktopChanges. It's just a group policy setting set by Microsoft to disable the Active Desktop feature in Windows 7 until they decide to do whatever with it. It's basically a false positive found by Malwarebytes.

    Follow the screen shot directions HERE to change the value.

    When you have done that, update Mbam and scan again; one or both of the entries it found should be gone. Be sure to check the 'removal' line in Mbam as you did the first time.

    I'll need to see that log and hopefully will have a more suitable program other than HJT to run.
     
  7. exactprecisions

    Well I had already removed all traces that were found. I'm sorry that I did that beforehand. However, the REGISTRY entries were still present and I changed them accordingly. I am scanning now. I will upload the LOG like you requested. Thank you for your time.
     
  8. Bobbye

    Are you still needing help or has the problem been resolved?
     
Topic Status:
Not open for further replies.
