Hello,
this looks like already arrived damaged files, but in this case 17x in one file.
Milos
I do not understand that post…
What is 17 times in that file?
Hello,
Even if the malware was removed, there still physically exist clusters on the partition not linked to any existing file, but to the deleted files, with data containing the malware signature, and they are backed up by Ghost.
Milos
17 same malware signatures.
Milos
But as I have already said, to remove the infection first of all something must have found it. This virus has never been found on any machine ever so how can it have been removed?
Also I have just done another full scan of my machine and it shows clean, including the so-called infected .GHS files. However, an on-demand scan of the file still flags it as infected.
So I am still confused
Also I have just been reading about Norton Ghost 2003 (which is what I used) and as far as I can tell it does not copy unused clusters. Something I suspect to be true, as watching what it copies and the resultant image size would seem to suggest. Add to that the fact that the image files are compressed, so any virus signatures will probably be scrambled.
Hello,
... you can rewrite whole unused space on the drive by some data to rewrite the malware signatures ... 5) Only if it is some memory dump, but I think that the signatures are encrypted in memory too. When I saw the malware signatures in submitted files it was not avast!'s own definitions. 6) I don't know, maybe the author of the detection.
Milos
I just got four of these on my MacBook Pro in my Windows XP Virtual Machine - I deleted them because they would not go into the virus safe. However when I did it also took out the entire Windows XP install on my VM. What is the story with these? You can’t move them as AVAST just crashes when you try to and delete even says it didn’t delete them yet on the panel it shows them deleted.
I have just deep scanned 2 of my 3 machines, Thorough, packers, all files etc… and they have shown completely clean with the exception of the Ghost files.
As I have already stated, absolutely none of my machines have EVER reported this infection. The theory that it must have been cleaned prior to the ghost file creations and must exist in a cluster somewhere does not make sense, as nothing has ever cleaned this virus off the machines and it only appears to exist in the ghost images taken, one of which was taken a day or two ago.
If someone wants to tell me how I can blank out unused clusters then I will and then take another ghost, I am willing to bet that the ghost image will still scan as infected for 2 reasons.
I would therefore strongly suggest that the signature that Avast is using for this virus is producing false positives.
Do I sound a little aggravated, too right as I have wasted 2 valuable days of my vacation trying to get to the bottom of an infection I firmly believe does not and has not ever existed on my network.
Baz
All appears very quiet, no responses to my request…
Baz8755: I just tried to draw the attention of the mods to this thread again. However - it’s Easter. So hang in there a little.
Your effort is much appreciated, thx a lot!
Thanks,
One further thing to add, I have just uninstalled Avast from my test PC and installed Avira and AVG and ran full scans with each, they too did not find any infection on the machine or in the ghost images. I am now in the process of restoring the so called infected ghost image as it is an image with avast installed.
Until this issue is resolved I have added my ghost image directory to my scan exclusion list
Baz
Actually I went back to the OP because I wondered about the infection and on what was on threat scale
so google → Win32:Hupigon-ONX [Trj] - screenshot shows the page scrolled down to the following entry -
About | Adware Spyware Remover
win32 hupigon aqy Your security and peace of mind is worth spending a little time to prevent … Most trj downloader.nqb adware encodes last downl …
adwarespyware-remover.com/about/ - Cached
hxxp://adwarespyware-remover.com/about/
Avast alerts! with a block on this site - detektor won’t read it - Unmasked Parasites passed it so far
I haven’t got time to go there but the block on the site is in iexplore - won’t show the page (screenshot)
I installed Foxit as well but not a good experience since Ask toolbar came up as well
Ask toolbar also blocked the above site :o but I’ve uninstalled Foxit for the time being
avast calls the site at malware. I haven’t followed up on Unmasked Parasites yet.
http://www.unmaskparasites.com/security-report/
oops key slipped - there’s the screenshots now
you will see the address in the Object line of the block image - I don’t know that address at all
-edited
For what it’s worth, I deleted the files as I said and it took out the entire virtual machine folder contents. I have since reinstalled the folder contents from scratch, i.e. WinXP and FP2003, and ran the avast scan again on that folder and nada - so this leads me to believe that a) either the infection is in SP3 which I haven’t reinstalled yet (unlikely) or b) this really was a virus and it hit me using Safari on the mac and found my VM windows files, as I rarely use the windows browser for anything and the install was pretty much brand new.
If you had anything to do with this Win32:Hupigon-ONX [Trj] isn’t very nice
Adware Spyware Remover may be blocked as PUP type. There are other blocks for this and similar type websites.
Or malware - link to site is not reading as stable
Mkis,
Although I did not believe that Ghost 2003 backed up all the clusters you suggested I still decided to do a little experiment.
On my test machine I completely filled up the C: drive with temporary files and then deleted them all, defragmented and did a full scan disk.
I then took a ghost image of the drive and scanned it. It came up clean this time and I was beginning to think you may have been right.
However I did exactly the same thing on my main machine and unfortunately it is still showing that the ghost image has the virus even though, thorough scans and rootkit scans all still show the C: drive as completely clean. Also as I have already mentioned ghost 2003 appears to use compression as it backs up a disk that is 34GB used to files totalling 22GB so any virus data may well be corrupted.
Given that all the A/V products I have now tried scan the ghost image as clean I am still confused as to why Avast is finding a problem.
Also just of interest do we know when the virus was actually created (not included in signature database) as I have a ghost image created December 2009 that Avast believes to contain the signature
Baz.
:o
I have the exact same situation as Baz8755. Only difference is, I am using Norton Ghost 10 for my backups. Starting after my April 1st update (April Fools Day) to the iAVS, now all (3) my NG 10 backups flag with this trojan. So maybe some helpful info I have. With Avast I deleted the 3 NG backups. Then I uninstalled NG 10, did an aggressive registry cleaning, then, with my firewall I blocked all access to the internet, then I reinstalled NG 10. Then I ran NG 10. It popped a window up saying "Internal program error" (probably because of no internet access). But I continued on and saved my first back up, no problem. Then I shut NG 10 down and ran it again, this time there was no pop up window with internal program error. I saved my other 2 backups with no problems. I closed NG 10. I allowed internet access. The avast iAVS may have updated, I can't remember, well yes it would have updated since April 1st. I scanned these 3 new back ups and there was NO trojan detected (nothing). So it must have either been the new iAVS update or it is because I installed NG 10 without giving it internet access during install and while running. The reason I tried this is because I thought maybe NG is getting infected from its host server.
I hope this may help in some way.
Happy Easter to all Benny G
avast is still alerting on this site - hxxp://adwarespyware-remover.com/about/
@ Baz - I have no idea about yr Norton Ghost, nor have I offered any suggestions, let alone about clusters
However - have you ever had Win32:Hupigon-ONX [Trj] on yr computer or moved to the virus chest?
you may still have a record of this on yr computer, despite that the file may be deleted.
Mkis,
As far as I am aware I have never had this virus; on the very rare occasion I get a virus I restore from a previous ghost image to ensure the machine is as clean as possible. As the site you are referring to could easily be mistyped for adaware (a Lavasoft product) then it may be possible that I could have gone there once by mistake, but I certainly have not had any virus warnings of infections.
My virus chest (according to Avast) is empty but could you tell me where it is stored and I will check the folders.
As I said in my previous post, it would be interesting when this virus first appeared on the net to see if the ghost image dated December 2009 could ever have had a copy contained within it.
Baz.
There is another example Baz. This person has also never had the virus on their computer.
So looking less like (in fact not to be) a record that has persisted from a previous time, and more like a false positive.
http://forum.avast.com/index.php?topic=58206.msg490507#msg490507
Hi everybody,
For me this devilish (or unexisting trojan) is also appearing in a scan of images, made by drive image xml,
I tried doing that booting with Bart PE. it also finds it.
I must add that it now finds a CRC check, I guess that wouldn’t be the case with raw imaging.
It seems that a file of AVAST, in windows/temp/avast5/ is “corrupt” so says a boot on chkdsk, unfortunately the problem is recreated after chkdsk corrects the problem. I haven’t done another chkdsk, but driveimage xml still finds a redundancy check error.
To go back with that story, after having Avira telling me I had a hidden object he could not deal with, I reinstalled XP, and amazingly after booting with the MS boot install xp pro, my two hard drives got the MBR wiped out, in the new install drive, XP did the job of suppressing, and I guess some malware took care of the other. Interesting to perform these recoveries, but I’d sure be happy to get back my computer.
on this page http://www.protectorplus.com/download/downloadnow.htm
you can download this: cleanhupigon.exe
But might as well chase a dream …
In all case feels nice to not be alone with this problem
Steph