Backdoor.Hupigon trojan

Status
Not open for further replies.

Teresa.J

Hi

I'm fixing a friend's computer. It has three accounts ... my friend, her hubby and her daughter. The problem was reported as some web pages not loading.

I updated and ran AVG which found Trojan Horse Downloader.Generic 7 and also 11. Her daughter uses Limewire which is probably how the trojans got in. I installed Zone Alarm because they were relying on Windows Firewall.

I then installed and updated Malwarebytes and while it was scanning AVG popped up with Backdoor.Hupigon which was fixed and deleted. Malwarebytes reported the following:

Adware.PlayMP3Z
Adware.Agent
Trojan.Vundo
Trojan.FBrowsingAdvisor
Adware.Mirar

All were fixed and deleted and I restarted the computer.

Since then Windows Calculator has been opening randomly and constantly. So, I rebooted into safe mode under the admin a/c and ran AVG and malwarebytes and SuperAntiSpyware but no problems were found. Calculator continued to pop up during the scans. I rebooted into normal mode and within 10 minutes Calculator had opened 102 times. This continued for a few days and then without me changing anything else it just as suddenly stopped.

I have now followed all the procedures advised on this site for malware removal and have attached the logs from Malwarebytes, SuperAntiSpyware and Hijackthis.

Could someone please have a look at these logs to check whether this pc is now 'clean'?

Thanks
Teresa
 

Hi kimsland

Well, I've had the pc running all day now and no sign of the calculator popping up.

Yesterday, the pop ups slowed down to a few an hour but, as I said, none today.

Looks like all's well then. Fingers crossed and touch wood etc.

Cheers
Teresa

PS I'll be directing my friend and her family to this excellent site. Heaps of info and resources.
 
Just tick and fix this one: (using HJT again)
O23 - Service: a-squared Free Service (a2free) - Unknown owner - F:\A2USB\a2service.exe (file missing)

Thanks for your kind words too :grinthumb
 
"Backdoor"

Hi Teresa :

A Word of Caution when it comes to "Backdoor" Detections ; Best to follow the
Advice available at www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan
supplemented by the Advice of the CERTIFIED "Microsoft Most Valuable
Professionals" in what is written at http://aumha.net/viewtopic.php?f=26&t=28580 .

At a minimum, I recommend you use the FREE "Rootkit Revealer" from
http://technet.microsoft.com/en-us/s.../bb897445.aspx . This program
provides INFO ONLY and will NOT remove any rootkits . Just PRIOR to running Its
Scan, "Delete" all the "Temporary Internet Files" on the computer ; should ALSO
follow the Guidelines of the 1st 2 Threads, started by "namrehto", at
http://forum.sysinternals.com/forum_topics.asp?FID=15 .
 
Oh I see

Yes I've been on many boards, for many many years
No I am not "certified malware removalist" although I have lots of experience

For your information I know of at least two certified malware specialists here at TechSpot, and one of them wrote the Viruses/Spyware/Malware Preliminary Removal Instructions

So by following that guide, and posting your logs, another member (ie YOU) should not come along and say go elsewhere. Seeming both parties are qualified.

You can't argue that :p
 
Just tick and fix this one: (using HJT again)


I fixed the file but it caused a bios change which meant it couldn't boot into the OS (looked like bios was trying to access the spare hard drive). That surprised me a bit coz I thought the key referred to F drive. I went into bios and directed it to the correct hard drive.

I then downloaded and installed Rootkit Revealer. I disconnected from the internet, stopped zone alarm, avg and the spyware progs and ran Rootkit. I've attached the file and was hoping someone could look at it for me, please.

I've also read the articles pointed out by SpiritWind and if the problem is unfixable or too dodgy I could get the install discs from my friend and put a fresh install on the spare hard drive. She said that luckily none of the family do their banking or any other sensitive work on their pc - they just use it for hotmail and surfing web. I will get them to change their hotmail passwords using my laptop.

Oh and calculator has started opening randomly again :(
 
RootkitRevealer Scan

Hi Teresa :

Best to have the RootkitRevealer Scan Results interpreted by THEIR Experts on
the Support Forum at http://forum.sysinternals.com/forum_topics.asp?FID=17 ;
2 of the 10 Items in the Scan are "commented" on in the 1st Post on that Forum
( "HKLM\Security\Policies\Secrets" ) . Based on WHAT they say depends on HOW
to proceed !? They request you use their "Search" feature initially and for any
"Item" not found, then Post in the Forum .

My purpose in providing those 2 Links was so that you could make a better,
informed Opinion on HOW best to proceed .
 
ok ... will get back with results.

calculator is going mad at the mo. hard to complete a sentence without being interrupted by it.
 
Hi again,

I ran Rootkit Revealer and the results were clean, so I reckon there must have been some hiccup in Explorer which was causing Calculator to go mad.

I've now uninstalled Calculator via the Add/Remove Windows Components utility and everything is running sweet now.

I rescanned the pc and no negative results, so I'm handing this puppy back to its owners with strict instructions on how to keep it safe and clean, and I placed this site into their bookmarks so they can read those stickies on prevention and maintenance.

Thanks guys for your help and guidance.
Cheers
Teresa :grinthumb
 
Hi xxdanielxx

Here's the new hijackthis:

(moderator edit: don't copy and paste your logs. Attach them like you did in earlier posts. Also, use the edit button -> 'Go Advanced' on this post and don't start a new consecutive post after this one.)
 
ooops sorry! I've attached it now.

I had already handed back the pc to my friend yesterday. I'm at her place now and she reports that the pc is running a little slower. Not sure why that would be.

Everything else seems ok.
 
O23 - Service: HAWBMVSH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HAWBMVSH.exe
O23 - Service: TLMELV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ava\LOCALS~1\Temp\TLMELV.exe
This is something very fishy. The file turns up zero hits on various search engines.

I would definitely fix these in HJT. To fix O23 entries:

Boot into safe mode.

Go to Run > services.msc
Search and remove the following services:
TLMELV
HAWBMVSH

Open HJT and fix the above mentioned entries.

Boot back into normal mode and run HJT again; post the new log back here.
 
Please run HJT again and tick and fix these 4 entries
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: a-squared Free Service (a2free) - Unknown owner - F:\A2USB\a2service.exe (file missing)
O23 - Service: HAWBMVSH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HAWBMVSH.exe
O23 - Service: TLMELV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ava\LOCALS~1\Temp\TLMELV.exe

You may want to run CCleaner again too


Go here and download RootKit Revealer. Once downloaded, unzip the files to their own folder and rename RootKitRevealer.exe to Find.exe. The reason for this is that some rootkit trojans can detect this program and hide themselves from it.

When you have done this, click on Options and make sure that "Hide Standard NTFS Metadata Files" and "Scan Registry" are both checked.

Before scanning, make sure all other running programs are closed, and no other actions (like a scheduled AV scan) will occur while this scan completes. Do not use your computer during the scan. Click on scan and let it scan your drive (it will take a while so be patient). When it has finished, go to File > Save, save the log and post it in this thread.



Edit

Oh momok has replied

Edit2

Oh you have already done the Rootkit revealer
Aren't I going well :/
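The two O23 entries quoted in the posts above share one trait: a service whose executable lives under a user's Temp folder. The following script is an added example (not code from this thread or from TechSpot) that enumerates installed services and flags any hosted in a Temp directory, reporting the binary's Authenticode status and SHA256 so the entry can be verified before it is removed. It assumes a modern Windows PowerShell (4 or later) session run elevated; the `$tempMarkers` list is a constructed set of path fragments.

```powershell
# Added example: flag Windows services whose binary runs from a Temp folder,
# the pattern seen in the O23 lines quoted above. Assumes PowerShell 4+ on
# Windows, run from an elevated prompt. Not code from the original thread.
function Get-TempHostedService {
    [CmdletBinding()]
    param()
    # Constructed markers; the 8.3 form "LOCALS~1\Temp\" still contains "\Temp\".
    $tempMarkers = @('\Temp\', '\Tmp\')
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # PathName may be quoted and may carry arguments; recover the exe path.
        $exe = if ($path.StartsWith('"')) { $path.Split('"')[1] } else { $path.Split(' ')[0] }
        $inTemp = $false
        foreach ($m in $tempMarkers) {
            if ($exe -like "*$m*") { $inTemp = $true }   # -like is case-insensitive
        }
        if (-not $inTemp) { return }
        # Verify the on-disk binary rather than trusting the service's display data.
        if (Test-Path -LiteralPath $exe) {
            $sig  = (Get-AuthenticodeSignature -FilePath $exe).Status
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        } else {
            $sig  = 'FileMissing'
            $hash = $null
        }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $exe
            Signature = $sig
            SHA256    = $hash
        }
    }
}

Get-TempHostedService | Format-Table -AutoSize
```

A hit is a lead, not a verdict: some legitimate scanners stage a helper service in Temp while they run (RootkitRevealer itself executes as a randomly named copy of itself running as a service), so confirm the signature and hash before deleting an entry rather than acting on the path alone.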
 
Hang on guys, shall I follow momok's advice first then kimsland's?

Oh, and kimsland, when I deleted the O23 - Service: a-squared Free Service (a2free) - Unknown owner - F:\A2USB\a2service.exe (file missing) it caused the pc to boot to spare hard drive. I had to go into bios to direct it to the right one.
 
Yes but it says File Missing which is very confusing as to why it would cause an issue with restarting

I would actually un-install a-squared Free fully
 
ok, I think I'd better bring the pc back here again. I'll be a couple of hours coz it's my turn to cook tea tonight!
 
And remove a-squared

I'm presently on a-squared forums, trying to work out how a missing file can cause a restart (nearly impossible isn't it :confused: )
 
It didn't cause a restart. I had to restart after removing it and that's when I got a black screen.

I'm just about to hook her pc up now and I'll post results soon.
 