Win32:Hupigon-ONX [Trj]

I regularly scan my PC once a fortnight and last scanned it a day or 2 ago.

However a scheduled scan started today and it is claiming that all my monthly ghost images dating back to the beginning of the year are infected with “Win32:Hupigon-ONX [Trj]”. Could this possibly be a false positive as I cannot understand how they could all have suddenly become infected with no other warnings from Avast?

Cheers

Baz

Hello,
you can send us (virus@avast.com) the file and put “False positive” to subject.

Milos

The file is 2GB in size so not really easy to email

I am getting really confused now as my scan log clearly shows that I did a full system scan at 11:48 on 28/03/2010 and it was all clear.

I then took my monthly Ghost image of my C: drive straight after and placed it on the D: drive. The D: drive already contained a couple of previous ghost images which would have been scanned as clean.

This morning using VPS file 100329-1, 29/03/2010 the scans are reporting all the ghost images as infected with “Win32:Hupigon-ONX [Trj]” virus.

The Virus database history shows that this definition was included in VPS 100311-1, 11/3/2010.

However here’s the twist, I just fired up a virtual PC that has not updated since VPS 100313-2, 13/3/2010 and scanned one of the infected files and it also finds the virus.

So either this virus has somehow managed to creep past Avast in the past 24 hours and infect several Norton ghost .GHS files or something weird is going on with the detection of this virus.

Why don’t you do another ghost-file - a smaller one, that can be sent via mail.
Check that “custom”-file if it shows the same behaviour, which IMHO it should.
You can then send that file to alwil, they will work it out and remove the FP - and I think it is an FP.

I am just going to copy the infected(?) file onto a virtual machine and run an online scan to make sure it is a FP.

Not sure that I can create a custom file as I use ghost 2003 and backup the entire disk, this backup creates several 2GB .GHS files and only one or two of the set of 13 show as infected.

Eg.
Set 1
"D:\Ghost Images\Most Recent\18122009\18122001.GHS" is infected by “Win32:Hupigon-ONX [Trj]” virus
"D:\Ghost Images\Most Recent\18122009\18122003.GHS" is infected by “Win32:Hupigon-ONX [Trj]” virus
"D:\Ghost Images\Most Recent\18122009\18122005.GHS" is infected by “Win32:Hupigon-ONX [Trj]” virus
"D:\Ghost Images\Most Recent\18122009\18122008.GHS" is infected by “Win32:Hupigon-ONX [Trj]” virus
"D:\Ghost Images\Most Recent\18122009\18122010.GHS" is infected by “Win32:Hupigon-ONX [Trj]” virus

Set 2
"D:\Ghost Images\Most Recent\28032010\28032008.GHS" is infected by “Win32:Hupigon-ONX [Trj]” virus

Set 3
"D:\Ghost Images\Most Recent\11032010\11032008.GHS" is infected by “Win32:Hupigon-ONX [Trj]” virus

So the chances of producing a small image and it being flagged as a virus are quite low :frowning:

I have just scanned one of the files with 2 online scanners (Housecall and ESET) and both have come up clean.

Hello,
all files detected as “Win32:Hupigon-ONX [Trj]” that come to us as false positives are .pdf, .jpg, .css, .mp3, etc. which have pasted some code with signs of digital signature which is weird.

Milos

Malware bytes also shows clean.

Also just performed a scan on my wife’s PC and it too shows the same issues with .GHS files on her PC.

What about an FTP upload? Start in the evening, before bedtime… when you get up in the morning, it’s done.

FTP should be OK if Milos wants to give me an address

ftp://ftp.avast.com/incoming

Sending 220210.gho now, estimated 9Hrs 23 Mins.

This is part of a ghost image from my sandbox PC which is a minimal build. It was built from clean and then ghosted, every time the machine is used the ghost it written back to ensure a clean starting point. This machine has been kept isolated from the rest of my machines but the latest scan of its ghost images shows the same infection.

99.9% certain it is an FP

Uploaded, please let me know if OK

We’ll have to wait for a Mod to check the upload. 8)

Hello,
the file has size: 2 147 481 103 bytes.

Milos

Hello,
thank you for sending file.
The malware could have been there before the VPS 100311-1, 11/3/2010, but the file was not accessed, so it wasn’t scanned.
If the malware was removed by avast! there still physically exist clusters with data containing the malware signature, and these are backed up by ghost. So if avast! doesn’t report any malware on the drive, you can rewrite the whole unused space on the drive with some data to overwrite the malware signatures, and then the new images created by ghost should also be clean.

Milos
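The mechanism Milos describes above (a file-by-file scan of the live drive sees nothing, while a cluster-level image still carries the bytes of a deleted file, until unused space is overwritten) is easy to reproduce on a toy block device. The following is an added illustration, not code from avast, Symantec Ghost or anyone in this thread; the cluster size, the allocator, the disk contents and the SIGNATURE pattern are all constructed for the demonstration and have nothing to do with the real Win32:Hupigon-ONX detection.

```python
"""
Toy model: why a cluster-level backup image can still match a signature
after the file carrying it was deleted, and why overwriting unused space
clears the match. Everything here is constructed for illustration.
"""

CLUSTER = 512                      # constructed cluster size
N_CLUSTERS = 64                    # constructed tiny "disk": 32 KiB
# Constructed stand-in for a detection pattern; not a real AV signature.
SIGNATURE = b"\x7fFAKE-PATTERN-FOR-DEMO\x00"


class ToyDisk:
    """Flat cluster-addressed block device plus a minimal allocation table.
    As on FAT/NTFS in practice, deleting a file only drops its allocation
    entries; the cluster contents are left untouched."""

    def __init__(self):
        self.blocks = bytearray(CLUSTER * N_CLUSTERS)
        self.alloc = {}            # file name -> list of cluster indices

    def _free_clusters(self):
        used = {c for clusters in self.alloc.values() for c in clusters}
        return [i for i in range(N_CLUSTERS) if i not in used]

    def write_file(self, name, data):
        need = -(-len(data) // CLUSTER)          # ceiling division
        free = self._free_clusters()
        if len(free) < need:
            raise OSError("toy disk full")
        clusters = free[:need]
        for k, c in enumerate(clusters):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            self.blocks[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.alloc[name] = clusters

    def delete_file(self, name):
        del self.alloc[name]       # metadata only; data stays on disk

    def wipe_free_space(self, fill=b"\x00"):
        """The mitigation from the thread: overwrite every unallocated cluster."""
        for c in self._free_clusters():
            self.blocks[c * CLUSTER:(c + 1) * CLUSTER] = fill * CLUSTER

    def file_level_view(self):
        """What a file-by-file scan of the live drive sees: allocated files only."""
        return {
            name: b"".join(self.blocks[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
            for name, clusters in self.alloc.items()
        }

    def cluster_image(self):
        """What an imager that copies every cluster captures, allocated or not."""
        return bytes(self.blocks)


def scan_bytes(blob, signature=SIGNATURE):
    """Return the offsets at which the signature occurs in a blob."""
    hits, start = [], 0
    while True:
        i = blob.find(signature, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan_files(disk):
    """File-level scan: names of allocated files that contain the signature."""
    return sorted(name for name, data in disk.file_level_view().items()
                  if scan_bytes(data))


def demo():
    """Walk through the three states discussed in the thread."""
    disk = ToyDisk()
    disk.write_file("readme.txt", b"harmless text\n" * 10)
    disk.write_file("dropped.tmp", b"junk" * 100 + SIGNATURE + b"junk" * 50)

    before = (scan_files(disk), len(scan_bytes(disk.cluster_image())))
    disk.delete_file("dropped.tmp")          # file-level view is now "clean"
    after_delete = (scan_files(disk), len(scan_bytes(disk.cluster_image())))
    disk.wipe_free_space()                   # overwrite unused clusters
    after_wipe = (scan_files(disk), len(scan_bytes(disk.cluster_image())))
    return before, after_delete, after_wipe


if __name__ == "__main__":
    for label, state in zip(("before delete", "after delete", "after wipe"), demo()):
        print(f"{label}: files flagged={state[0]}, image hits={state[1]}")
```

The middle state is the one that causes confusion in a thread like this: the live drive scans clean because only allocated files are read, yet an image built from raw clusters still contains the pattern, so a scanner reading the image file flags it even though the image was taken from a machine that reported no infection. Only after the unallocated clusters are overwritten does a fresh image come out clean as well. None of this settles whether a given detection is a false positive; it only explains how a clean live scan and a flagged image can both be truthful.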

Milos, does it help to determine the cause?

What do you mean by the word “it”?

Milos

It = the uploaded file.
Does it help you to determine if it is a FP or an infection?

I still doubt it’s an infection as I have now seen this warning on ghost files on 3 independent machines.

Machine 1 : My main machine
This was the one that 1st alerted me to the issue and it is regularly full scanned once a month prior to ghosting.
This machine found infections in 6 ghost image files dating back to december last year.
This machine did find a virus in the internet cache about a month ago.
Until a month or 2 ago it had been running CA Antivirus.
Now uses Zonealarm and Avast.

Machine 2: Wife’s PC
Again regularly scanned, light user. Only ghosted a month or 2 ago.
This machine has never reported any infections.
Until a month or 2 ago it had been running CA Antivirus.
Now uses Zonealarm and Avast.

Machine 3: Sandpit PC
Minimal build, literally clean install up to XP Pro SP3.
Used as test bed and always restored back to clean fully patched ghost image (the image supplied).
This machine is the least likely to ever show any history of infection as it is always restored from image after use.
This machine has never reported any infections.
Until a month or 2 ago it had been running AVG Antivirus.
Now uses Zonealarm and Avast.

As the ghosts are taken from machines that are all scanning clean, how can there be any viruses in the ghost images?