I got HexEditor and tried to open the file “XP Home Edition”, can not see the infected files “…000001.vmdk, etc”, HexEditor could not open, I presume since it wants the actual file inside “XP Home Edition”. So since I really am flying blind, how do I get to these files from my Mac or do I have to open up my virtual machine to see them…?
open the image file (*.vmdk) in the hexeditor, and try to locate the mentioned string.
seems you’re heavily mixing emulations and filesystems together, accessing native files from native filesystem from inside virtual machine, and vice versa…
regards,
pc
I tried what you said, I opened HexEditor (Mac version) and tried to open *.vmdk and was told HexEditor could not open it. …I feel like I am beating my head against a brick wall…
don’t worry,
as i said, it’s probably no infection. the only question is, why is this case encountered here and there - but, it’s necessary to locate the signature then.
there’s also “hexedit” GNU app - no GUI, but far better functionality (as usual).
I started this thread off so thought useful to comment again on this.
Basically I am still in exactly the same situation as I was 2 months ago :(. I am still getting the messages (over 30 this morning while it's doing a scan) saying that I have the Win32:Hupigon-ONX [Trj] infection in all the .vmdk files of a particular VM. I have never actually had this infection inside the VM and it has had (company enforced) McAfee protection during this time and IT checked additionally just in case. So I don’t think Zilog's comments about this being the leftovers from an attack inside the VM would apply.
I think as Zilog originally said it is a false positive caused by the Avast looking into the vmdk file as a regular mac file and finding a match by coincidence.
I am very disappointed by Avast because there has been no fix to this after two months. Zilog implied that this could be solved by an update to the virus database. I am not exactly sure whether Zilog works for Avast or is just a volunteer. Either way would be much appreciated if Zilog could use whatever contacts/influence he has to ask for a prompt fix from Avast. It is extremely embarrassing when Avast brings up this message in a meeting when I am sharing my screen. I am going to have to abandon Avast and buy something else which would be a shame as I have used it for a couple of years quite happily before this on my Mac and also use it on several home PC’s.
I basically was the same as you, I could not find it or get rid of it. So I just bit the bullet, deleted my Windows XP virtual machine from my Mac and started over, I now will NOT be open to the internet when I am using Windows, I don’t have to and so I won’t; will live with the versions of my applications as they are.
>:( To recap - i had the win32-hupigon-ONX [trj] on all my virtual .vmdk files. i finally just deleted them from my Mac and did a scan, the virus was gone. i then reinstalled my virtual machine and i have NOT connected to the internet for any reason while using my virtual machine.
i just did a scan of my Mac and found that i now have the "win32-hupigon-opb [trj]" virus, i have not been connected to the internet when using my virtual machine, so i don’t know how i got this? Why is AVAST finding this and what are they going to do about this issue?
Hello,
to put it simply - somewhere in the file must be this sequence of bytes: 22 A9 22 C1 75 82 01 0F 11 60 AB 01 0A 02 21 4A A9 CA B2 00 A4 CC CD 20 AF 0A 7D 89 00 AC 87 75
i assume that when scanning this drive from the virtual machine itself (using avast for windows), nothing will be found. Thus, it must be inside some abandoned sectors, or in some file that isn’t normally scanned (pagefile.sys). If you need exact answer, please, locate this sequence.
Probably, this is interfering with some system thing, and we should consider altering the detecting algo a bit for this case - but, please, give us more information. Virtual files of my VMWare/Qemu seem to be clean, so it’s something more specific.
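
One way to locate the byte sequence quoted above inside multi-gigabyte .vmdk files when a GUI hex editor refuses to open them, as an added example that is not part of the original thread or any Avast tooling. The function name, chunk size and script name are assumptions; the signature bytes are copied from the post.

```python
import sys

# Byte sequence quoted in the post above (32 bytes).
SIGNATURE = bytes.fromhex(
    "22 A9 22 C1 75 82 01 0F 11 60 AB 01 0A 02 21 4A "
    "A9 CA B2 00 A4 CC CD 20 AF 0A 7D 89 00 AC 87 75"
)


def find_signature(path, pattern=SIGNATURE, chunk_size=1 << 20):
    """Return all file offsets where `pattern` occurs, reading in chunks."""
    offsets = []
    tail = b""   # last len(pattern)-1 bytes of the previous buffer
    base = 0     # file offset of buf[0]
    keep = len(pattern) - 1
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            pos = buf.find(pattern)
            while pos != -1:
                offsets.append(base + pos)
                pos = buf.find(pattern, pos + 1)
            # Carry the end of this buffer forward so a match that
            # straddles two chunks is still seen; the tail is too short
            # to hold a whole match, so nothing is reported twice.
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return offsets


if __name__ == "__main__":
    # Usage: python3 find_sig.py *.vmdk   (script name is hypothetical)
    for path in sys.argv[1:]:
        hits = find_signature(path)
        for off in hits:
            # Offset is a position in the extent file on the host; in a
            # sparse VMDK it is not the guest disk's sector address.
            print(f"{path}: match at offset {off} (0x{off:x})")
        if not hits:
            print(f"{path}: signature not found")
```

The reported offsets, together with a few hundred bytes of surrounding data, are the information asked for in the post above.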