Trojan Horse Backdoor. Hupigon3.xkf



#1 radovitch
Posted 20 December 2007 - 04:55 PM

AVG anti-virus hit me with this one after a routine scan the other day. The exact infection details it gave were:

File: Partition table (MBR) Change
File: Boot sector of Disk Change
File: Hosts Change
File: Dc16.exe
Path: C:\RECYCLER\S-1-5-21-1085031214-1614895754-725345543-1003\Dc16.exe

It promptly deleted the .exe from the RECYCLE folder at the end of the scan. After a system reboot and another scan the trojan itself did not reappear, but the information regarding the Partition Table, Boot Sector and Hosts file change remained. Despite the fact that I've replaced the old Hosts File with a new one and then rebooted and ran the scan again after first checking to make sure the file was still clean, AVG still listed it as a Hosts Change.

The weird thing is that KIS v7, after running all the scans, found nothing. The same goes for TH5 and AVG Anti-Rootkit. HJT 2.0 hasn't turned up anything that I can't recognise, but then as I'm not an expert in the use of that program I'll let someone better qualified be the judge:

Sorry, but for some unknown reason I am unable to post the HJT log. Whenever I paste it in here and then hit either the New Topic button or the Preview Post, all I get to see is this:

0 HTTP/1.1 200 OK Date: Thu, 20 Dec 2007 21:51:24 GMT Server: Set-Cookie: pass_hash=2aace17a50cde88748d825c605b1a973; expires=Thursday, 27-Dec-07 21:51:24 GMT; path=/; domain=bleepingcomputer.com; HttpOnly Set-Cookie: session_id=822b5776e7edd32525205fc91251f579; path=/; domain=bleepingcomputer.com; HttpOnly Set-Cookie: topicsread=a%3A8%3A%7Bi%3A121903%3Bi%3A1198183440%3Bi%3A121900%3Bi%3A1198184291%3Bi%3A14717%3Bi%3A1198183478%3Bi%3A101467%3Bi%3A1198183509%3Bi%3A120613%3Bi%3A1198184006%3Bi%3A34773%3Bi%3A1198186525%3Bi%3A22118%3Bi%3A1198187484%3Bi%3A121824%3Bi%3A1198185431%3B%7D; path=/; domain=bleepingcomputer.com Set-Cookie: modpids=deleted; expires=Wednesday, 20-Dec-06 21:51:23 GMT; path=/; domain=bleepingcomputer.com Content-Encoding: gzip Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html 2546

and more of the same. Pasting a small portion of the log presents no problems, but not the complete one.
Can anyone tell me what's going on?
Thanks

#2 quietman7
Posted 21 December 2007 - 01:34 PM

It is normal that AVG shows that files, the MBR or Boot record have changed. These are done during normal maintenance, when you or Windows update files or have had to correct errors on the drive. The only time that you should worry is if they also show as infected.

To get AVG to quit showing them as changed, open the AVG Test Center, click the F3 key on your keyboard and tell it to accept the changes. If it still shows something as changed after this, delete the file named AVG7QT.DAT in the %ALLUSERSPROFILE%\Application Data\avg7\ folder and AVG will rebuild it the next time it is run.

The %ALLUSERSPROFILE% is different for each version of Windows. The following are the typical locations for XP and Win9x:

XP - C:\Documents and Settings\All Users\Application Data\avg7
Win9x - C:\Windows\All Users\Application Data\avg7

Another method suggested by DEStucki to remove the MBR changed alert if the above method didn't help...
Go to the System Area Test settings.
Select the "Remove MBR" button to remove the MBR from the list of items in the System Area test list.
Click on OK so that the list has been updated.
Now go back into the System Area Test settings and push the "Default" button to put the MBR back in the list.

Changed File Alerts

AVG does not change your HOSTS file, but it will alert you that the HOSTS file has changed since the last scan. What security programs are you using? Although malware can be responsible for altering the HOSTS file, some security programs like SpySweeper have features that can add entries to your HOSTS file, and that action may be detected as a change. If you downloaded and used a custom HOSTS file or made edits, that too would trigger a change detection. If you did not make any changes or do not have security programs with these features, then you need to investigate what the changes are.

The HOSTS file should not show as changed unless the user is aware of a program needing a change made to it and is aware that it is being altered. Protection software and also malware will often change this file so they can affect where a computer goes to on the internet.

This is one reason why the user on this system needs to look at the file to make certain that something didn't change it, and if so determine if it is a good or bad change.

General system maintenance can change the file even when it isn't apparent by visual inspection. AVG uses a checksum to compare a file before and after, and a minor change or correction to the file could have caused it to appear changed.

Host file changed
Re: C:\WINDOWS\system32\drivers\etc\hosts
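The reply above makes two points: a checksum tells you only that the HOSTS file changed, and the user still has to read the file to decide whether the change is benign (a blocklist sending ad domains to loopback) or harmful (a real domain pointed at some other address). The following script, added here as an illustration and not code from the thread or from AVG, does both steps over two constructed snapshots of the hosts file; the domain names and addresses are made up.

```python
import hashlib

# Constructed sample contents standing in for two snapshots of
# C:\WINDOWS\system32\drivers\etc\hosts (not taken from the thread).
BASELINE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""
CURRENT_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net
192.0.2.10      www.bank.example
"""

def checksum(text):
    """SHA-256 of the file content: the same before/after comparison the
    reply describes, which says only that something changed, not what."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def changed(baseline, current):
    return checksum(baseline) != checksum(current)

def parse_hosts(text):
    """Return {hostname: ip}, ignoring comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries[name.lower()] = ip
    return entries

LOOPBACK = ("127.", "0.0.0.0", "::1")

def classify_changes(baseline, current):
    """Diff two snapshots. New entries pointing at loopback look like
    ad/telemetry blocking (what a custom hosts file or a security tool
    would add); new entries pointing at a routable address hijack name
    resolution and are the ones to investigate."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    report = {"added_blocking": [], "added_redirect": [], "removed": []}
    for name, ip in new.items():
        if name in old and old[name] == ip:
            continue
        if ip.startswith(LOOPBACK):
            report["added_blocking"].append(name)
        else:
            report["added_redirect"].append((name, ip))
    report["removed"] = sorted(set(old) - set(new))
    return report
```

On a real machine, store `checksum()` of a known-good copy after each deliberate edit and run `classify_changes()` when the checksum differs; an unexpected entry in `added_redirect` is the case the reply says needs investigating.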