Backdoor.hupigon.gen



#1 KarenCele4511

  • Members
  • 35 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 16 May 2008 - 06:45 PM

Hello,

I apologize for making another new topic so shortly after my last one, but this issue pertains to a different system and problem altogether. I hope that is okay.

I was looking for something in the registry of my dad's computer at work, and I found a file that looked suspicious to me.

000 = "backdoor.hupigon.GEN"

In the registry key:
HKEY_USERS\S-1-5-21-2301087058-221491900-3559340136-1006\Software\Microsoft\Search Assistant\ACMru\5603

In case it is important, the other items in that key are:
(Default) = (value not set)
001 = "download file"
002 = "beatles wallpaper" (He downloaded a Beatles picture as his desktop, but I haven't a clue where he got it from.)


It is a Dell Dimension 3100 desktop computer, with Windows XP Home Edition and Service Pack 2.

It currently has Norton Antivirus 2006 and Spybot Search & Destroy, both of which have been used regularly for a couple years now.

I also recently downloaded Superantispyware and Malwarebytes on here since they worked so well with my laptop problem at home. I have learned via this site that one shouldn't have too many protection programs running, though, so if you think I should uninstall those two, I will.

I run Spybot nearly every time I come in to work (about 3 times a week) and it generally only finds the odd tracking cookie.

Norton runs on a scheduled scan, at a time when I am not here. Taking a look at the Quarantine list, there are currently 18 items, which I can provide for you if necessary.

I ran Malwarebytes on May 6 and it found 3 instances of Adware.Popcap (which it was able to remove), and then again on May 15, and it found nothing.

I also ran Superantispyware on May 6 and it found "My Way Search Assistant Computers" which had infected 13 items in the registry. They are all currently in quarantine. My next scan on the 15th just found one tracking cookie.

The common link here seems to be the "Search Assistant" as that is the Microsoft folder in which the backdoor.hupigon.GEN file was found.


My dad often uses this computer for eBay so I want to make sure it is safe for him to do so. Any help would be most greatly appreciated!

I should also note, however, that I will not be back into work until Tuesday afternoon so anything that needs to be done on this computer cannot be done until then (I am only here for 15 more minutes).

Thanks!
Karen :thumbsup:

Edited by KarenCele4511, 16 May 2008 - 06:46 PM.



#2 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:44 AM

Posted 16 May 2008 - 07:14 PM

That backdoor is a rather old one. When you get a chance, look through some older logs from Norton and see what it found.
Chewy

No. Try not. Do... or do not. There is no try.

#3 KarenCele4511


Posted 17 May 2008 - 09:33 AM

Thanks, DaChew. I will do that!

In the meantime, should I tell my dad to stay away from eBay, email, etc.?

#4 DaChew


Posted 17 May 2008 - 10:18 AM

It sounds like the damage was already done a while back, but without more specific details I can't tell if it's a false positive regarding backdoor trojans or his confidential information has already been compromised.

If your current scans aren't picking up anything significant, then it's unlikely he's still got an active infection?

Let's see what's in quarantine?
Chewy

#5 KarenCele4511


Posted 17 May 2008 - 11:00 AM

OK, thanks! :flowers:

I'm not back to work until Tuesday afternoon, but I will post a list of the quarantined items then. :thumbsup:

#6 DaChew


Posted 17 May 2008 - 11:35 AM

Try to let your dad know the only safe files left are .txt and .jpeg.

.scr files have been used by malware writers for ages.
Chewy

#7 KarenCele4511


Posted 20 May 2008 - 02:12 PM

Hello,

I am at work now, so here is a list of items in Norton's quarantine, arranged by most recent. (I wasn't sure how to find the log so I'm just typing it by hand.)

Downloader - 04/29/08
saver.exe
Backup of an infected file

Trojan.ByteVerify - 12/20/07
Counter.class
Backup of an infected file

Trojan.ByteVerify - 12/20/07
VerifierBug.class
Backup of an infected file

Trojan.ByteVerify - 12/20/07
Beyond.class
Backup of an infected file

Downloader - 11/13/07
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\9FFKVQLJ\index[1].htm
Backup of an infected file

Downloader - 11/13/07
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\9FFKVQLJ\index[1].htm
Backup of an infected file
(NOTE: this one is 9 seconds earlier than the other one)

Trojan.Pandex - 07/31/07
bsaver.scr
Backup of an infected file

Trojan.Pandex - 07/31/07
bsaver.scr
Backup of an infected file
(NOTE: this one is about an hour earlier than the other one)

Trojan.Packed.13 - 04/12/07
postcard.exe
Backup of an infected file

W32.Mixor.Q@MM - 02/06/07
greeting card.exe
Backup of an infected file

W32.Mixor.Q@MM - 02/06/07
postcard.exe
Backup of an infected file

Trojan.Peacomm - 01/23/07
Postcard.exe
Backup of an infected file

Trojan.Peacomm - 01/23/07
Greeting Card.exe
Backup of an infected file

Trojan.Peacomm - 01/23/07
Video.exe
Backup of an infected file

Trojan.Packed.8 - 01/19/07
Full Story.exe
Backup of an infected file

W32.Mixor.Q@MM - 01/02/07
greeting postcard.exe
Backup of an infected file

W32.Mixor.Q@MM - 01/02/07
greeting postcard.exe
Backup of an infected file
(NOTE: this one is 2 minutes earlier than the other one)

Downloader - 08/02/06
C:\WINDOWS\system32\ddccbbc.dll
Backup of an infected file



Looking at this, it seems that most of them are related to email attachments, correct? I've warned him against opening attachments from people he doesn't know or even ones that seem strange from people he DOES know, and he says that he doesn't. Can he get infected just by receiving the email? With the type of email he has, you have to open a message to delete it. :thumbsup:


Also, there was something I noticed, in regards to the backdoor.hupigon and SearchAssistant, that caught my attention -

I found the same folder (Search Assistant\ACMru\5603) in my registry on my home computer, and I realized that all the entries in it were things that I had searched for under Start->Search. Is it possible that someone just searched for "backdoor.hupigon.gen" on this computer, or could a virus insert itself into that folder anyway?

Please let me know if you need any more information.

Thank you very much!
Karen :flowers:

Edited by KarenCele4511, 20 May 2008 - 02:13 PM.
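As an added example (not code from the original post), here is a small Python script that parses a quarantine list in the layout typed above, counts items per detection name, flags executable files whose names look like e-mail attachment lures, and measures the time span covered. The sample input is a constructed subset of the entries above, and the lure word list is an assumption of this example, not something from the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: a subset of the Norton quarantine entries from the
# post, retyped in its "Detection - date / filename / Backup ..." layout.
SAMPLE = """Downloader - 04/29/08
saver.exe
Backup of an infected file
Trojan.ByteVerify - 12/20/07
Counter.class
Backup of an infected file
Trojan.Pandex - 07/31/07
bsaver.scr
Backup of an infected file
W32.Mixor.Q@MM - 02/06/07
greeting card.exe
Backup of an infected file
Trojan.Peacomm - 01/23/07
Postcard.exe
Backup of an infected file
Downloader - 08/02/06
C:\\WINDOWS\\system32\\ddccbbc.dll
Backup of an infected file
"""

# One entry is a "Name - MM/DD/YY" header line followed by the file line.
ENTRY = re.compile(r"^(?P<name>\S+) - (?P<date>\d\d/\d\d/\d\d)\n(?P<file>.+)$", re.M)
# Assumed heuristic (not from the post): words typical of e-mail attachment lures.
LURE_WORDS = ("card", "greeting", "video", "story", "saver")

def parse_quarantine(text):
    """Return one dict per quarantined item, oldest first; paths reduced to basenames."""
    items = []
    for m in ENTRY.finditer(text):
        items.append({"name": m["name"], "file": m["file"].rsplit("\\", 1)[-1],
                      "date": datetime.strptime(m["date"], "%m/%d/%y").date()})
    return sorted(items, key=lambda i: i["date"])

def is_attachment_lure(filename):
    """True for an executable type (.exe/.scr) carrying a social-engineering name."""
    lower = filename.lower()
    return lower.endswith((".exe", ".scr")) and any(w in lower for w in LURE_WORDS)

def summarize(text):
    """Counts per detection name, the lure-style files (oldest first), and span in days."""
    items = parse_quarantine(text)
    return {"total": len(items), "by_detection": Counter(i["name"] for i in items),
            "lures": [i["file"] for i in items if is_attachment_lure(i["file"])],
            "span_days": (items[-1]["date"] - items[0]["date"]).days}
```

Run `summarize(SAMPLE)` to see that the executable items are all lure-named attachments spread over well more than a year, which is the pattern the poster noticed.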


#8 DaChew


Posted 20 May 2008 - 02:37 PM

In Outlook Express, under View/Layout there's an option to turn on or off the preview pane.

Some malware has used this in the past, but keeping IE/OE updated is critical.

ISP servers are getting pretty good about stopping email malware.

Norton should be scanning it anyway.

Looks to me like he was also infected as a spam bot.

And not so sure he has been keeping up with his hotpatches.
Chewy

#9 KarenCele4511


Posted 20 May 2008 - 02:41 PM

Thank you for the quick reply!

I looked under View/Layout but everything under Preview Pane is greyed out - I can't select anything.

I'm not sure what hotpatches are myself so I'm sure he doesn't - no offense to him, but he really doesn't know very much about computers other than sending email.

If there are some updates that you recommend he get, let me know, and I will try to do them myself while I am here. :thumbsup:

#10 DaChew


Posted 20 May 2008 - 02:53 PM

Start > Windows Update

Always get the critical ones.

He may have already, but got caught in the past. I know I have.
Chewy

#11 KarenCele4511


Posted 20 May 2008 - 02:54 PM

Thank you! I will do those updates right now. :thumbsup:

#12 DaChew


Posted 20 May 2008 - 03:20 PM

You need to keep your Java up to date; the older versions had some holes to let the bad stuff in.

Go to your Add/Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment).
It should have an icon next to it:

Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems and install the update:
http://java.sun.com/javase/downloads/index.jsp
Java Runtime Environment (JRE) 6 Update 6 <-- This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then, after the install, you can verify your installation here: Sun Java Verify
I like to do the offline installation and save the setup file in case I may need it in the future.
Chewy

#13 KarenCele4511


Posted 20 May 2008 - 05:09 PM

Thank you! I just installed the Java update.

I think I will do that on my laptop, too. I also realized the other day that my laptop only had SP1 so I will get SP2 for it, too. Maybe the bad combo of outdated Java and SP1 was why my laptop was so vulnerable to Vundo/Virtumonde/Smitfraud?

Thanks so much for all the valuable help and information!

Karen :thumbsup:

#14 DaChew


Posted 20 May 2008 - 05:23 PM

I ran for a year with SP2 on a clean install with IE6, never clicked on any dangerous files and tried to stay away from dangerous web sites. I evidently just visited one, and the ActiveX scripts started a Trojan tiny downloader, then a few popups, and in a couple of days I had a full-blown malware suite installed. It took the better part of a day and a night to clean it up.
Chewy

#15 KarenCele4511


Posted 20 May 2008 - 05:40 PM

It is really sickening how many dangerous problems there are online :flowers:

I don't think I visited any sites out of the ordinary before I contracted the Vundo et al. problems... The only things out of the ordinary that I remember doing close in time to that were downloading lecture notes off of my university class website, and saving to my desktop some modelling pictures that my friend had put in her Photobucket for me. Hopefully it wasn't either of those things that did it... I just can't imagine what else it could be. :thumbsup:

As for the computer here, there are a few other employees who use it in addition to my dad and me, so I have no way of knowing what sites they visit, but I would hope that none of them are using inappropriate sites at work.

Thank you for all your advice and help, and now I will know to be extra vigilant. :trumpet:

Edited by KarenCele4511, 20 May 2008 - 05:42 PM.
