
Hupigon.xta Virus


8 replies to this topic

#1 stoopid2001

  • Members

Posted 04 August 2007 - 05:05 PM

Hello all,
Today my AVG (free) decided that I have the Hupigon.XTA virus in my tcpip.sys file. Ok sure...I'll buy that, I download some seedy stuff and my wife clicks on stupid things sometimes. The problem I have is when AVG decided to help me out by deleting the tcpip.sys file, blocking me from using the internet. So I copied the file from my laptop to the infected system, AVG found it again and I ignored it. I tried to replace the file in the Windows/sys32/drivers folder and the progfiles/sp2connectionpatcher folder and the same thing keeps happening. I can't find any info on the .XTA variant of the Hupigon virus anywhere, maybe I'm the first person to get it or something. Any help or advice would be great.
Thanks in advance
-Stoopid2001

Moderator Edit: Moved topic to the more appropriate forum. ~ Animal

Edited by Animal, 04 August 2007 - 05:11 PM.



 


#2 buddy215

  • Moderator

Posted 04 August 2007 - 05:21 PM

Submit the file that AVG says is infected to Jotti. Link below:
http://virusscan.jotti.org/

It would be a good idea to also run a couple more scans. Below are two of the best. Let us know what Jotti and the scans find please.

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 stoopid2001

  • Topic Starter

Posted 04 August 2007 - 07:28 PM

Jotti told me that the file I uploaded was 0 bytes and that it is either malware or a firewall preventing me from uploading. (Probably not Zone Alarm since I was able to upload other files). Super Anti found 399 tracking cookies in safe mode then quarantined/deleted them. Bit defender is running now with an estimated time left in the 3 hour range. I'll report back when it finishes.

#4 buddy215

  • Moderator

Posted 04 August 2007 - 07:42 PM

If Bit Defender doesn't remove the malware, post a Hijack This log. Scroll down to #9 and download Hijack This from the link below. Post the log in the Hijack This Forum. DO NOT post it in this forum.

You can stop those third party cookies from ever installing on your computer in IE by following the directions in the link below.
http://www.howtogeek.com/howto/windows-vis...cookies-in-ie7/

Block third party cookies in Firefox.
http://www.elharo.com/blog/privacy/2006/11...s-in-firefox-2/

#5 stoopid2001

  • Topic Starter

Posted 04 August 2007 - 08:57 PM

The Bit Defender removed something called Trojan.Shock.D from an old system restore...but that was it.

#6 buddy215

  • Moderator

Posted 04 August 2007 - 10:16 PM

I see you have posted your HJT log. Wait for their reply.

If the Hijack This Team has NOT replied in 5 days after you posted your log, see info in link below.
http://www.bleepingcomputer.com/forums/topic14717.html

Edited by buddy215, 04 August 2007 - 10:20 PM.


#7 stoopid2001

  • Topic Starter

Posted 05 August 2007 - 06:44 PM

Still no reply from the HJT guys, they look busy. I fired up the "infected" cpu today and ignored the virus warning from AVG. Then I ran the AVG update, manually scanned the file and nothing....AVG says it's clean. I ran a full system scan and it says clean as well. Now Jotti tells me the file is infected with w32/hupigon.aivc not .XTA like AVG said yesterday (only Norman Virus Control finds it, the others say it's clean).

#8 oldf@rt

  • Members

Posted 05 August 2007 - 07:00 PM

This sure looks like a false positive, just wait for your hijack this log to be looked at, and be prepared to post a new one if your helper asks you to.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#9 stoopid2001

  • Topic Starter

Posted 05 August 2007 - 08:02 PM

That's what I was thinking too. Thanks for the help, I'll keep an eye on the HJT log post!



