
I Am Infected With Hupigon Help


22 replies to this topic

#1 fredsed


Posted 20 August 2008 - 01:45 PM

My system hangs and is very slow; every time I play music or video it crashes with a blue screen.

I noticed a strange file called asp.net in some parts of the system.

Guys, I ran an online Panda scan and it shows I am infected with Hupigon malware, but it cannot be disinfected.

But before I found out, I tried ComboFix... and after doing its thing it could not find the temp00 file to create a log. I am on Windows XP SP2.

Edited by fredsed, 20 August 2008 - 01:46 PM.




#2 quietman7


Posted 20 August 2008 - 02:29 PM

Microsoft ASP.NET is a free technology that allows programmers to create dynamic web applications.

http://msdn.microsoft.com/en-us/asp.net/default.aspx

Did Panda provide a specific file name associated with this malware threat and, if so, where is it located (full file path) on your system?

> i tried combofix.

Please note the message text in blue at the top of this forum.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 fredsed


Posted 21 August 2008 - 02:42 AM

I am not talking about that asp.net.
I think the new Hupigon creates files called asp.net, I don't know.
Here is someone else complaining.
http://www.experts-exchange.com/Software/I...Q_23400093.html
I am sorry I used Combo. I will always wait for you now.
Panda online scan found the virus in C:\WINDOWS\system32\_asp.net. The name of the virus is Hupigon.AZG.
Panda online could not delete it.
I think the file name was asp .net

Here is the log.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-21 09:53:37
PROTECTIONS: 2
MALWARE: 1
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
CA Anti-Virus 8.4.0.24 No Yes
CA Anti-Spyware 9.1.0.9 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
;===================================================================================================================================================================================
SUSPECTS
Sent Location +v
;===================================================================================================================================================================================
No C:\WINDOWS\system32\_asp.net +v
;===================================================================================================================================================================================

Edited by fredsed, 21 August 2008 - 02:57 AM.


#4 quietman7


Posted 21 August 2008 - 08:12 AM

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the _asp.net file and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

#5 fredsed


Posted 21 August 2008 - 08:52 AM

This is what I get:
0 bytes size received

I could not actually locate the file, so I just pasted C:\WINDOWS\system32\_asp.net

I got the above result.

#6 quietman7


Posted 21 August 2008 - 09:47 AM

Generally when a file submitted to virustotal or jotti virusscan comes back with "The file you uploaded is 0 bytes", it is very likely a firewall or a piece of malware prohibiting you from uploading this file.

But Panda is identifying the file as suspect, not malware, so get another opinion this way.

Please perform an online scan with Kaspersky WebScanner.

Click on [image]

You will be prompted to install an ActiveX component from Kaspersky. Click [image]
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on [image]
  • Now click on [image]
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click [image]
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste the scan results in your next reply.

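Added example, not part of quietman7's post or of Panda's tooling: a small Python parser for the report format posted earlier in this thread, separating rows under MALWARE (named detections) from rows under SUSPECTS (flagged paths with no detection name), which is the distinction the reply above draws. The sample is abridged from the posted log; section names and column order are taken from that log, and treating the trailing "+v" as a display marker is an assumption.

```python
import re

# Abridged from the report posted earlier in this thread; separators shortened.
SAMPLE_LOG = r"""
;*****
ANALYSIS: 2008-08-21 09:53:37
MALWARE: 1
SUSPECTS: 1
;*****
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
;=====
SUSPECTS
Sent Location +v
;=====
No C:\WINDOWS\system32\_asp.net +v
;=====
"""

SECTIONS = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}

def parse_sections(text):
    """Return {section: [data rows]}; skips separators and column headers."""
    sections, current, skip_header = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line in SECTIONS:
            current, skip_header = line, True
            sections[current] = []
        elif skip_header:
            skip_header = False          # column-header row of the table
        elif current:
            sections[current].append(line)
    return sections

def triage(text):
    """Split findings into named detections and unconfirmed suspect paths."""
    tables = parse_sections(text)
    detections, suspects = [], []
    for row in tables.get("MALWARE", []):
        f = row.split(None, 7)           # Location is last and may hold spaces
        if len(f) == 8:
            detections.append({"name": f[1], "type": f[2],
                               "active": f[3] == "Yes", "path": f[7]})
    for row in tables.get("SUSPECTS", []):
        sent, path = row.split(None, 1)
        # Trailing "+v" is assumed to be a page-rendering marker, not path text.
        suspects.append({"sent": sent == "Yes",
                         "path": re.sub(r"\s*\+v$", "", path)})
    return detections, suspects
```

On the posted report this yields one inactive named detection (Application/Psexec.A at C:\WINDOWS\PSEXESVC.EXE) and one suspect path, _asp.net, with no detection name attached.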

#7 fredsed


Posted 21 August 2008 - 10:34 AM

I have a slow connection here.
I would for about 6hrs to get a faster connection
I am so scared because my system is getting slower by the day.

#8 quietman7


Posted 21 August 2008 - 11:16 AM

I don't generally recommend deleting files without confirming they are indeed malware related. Have you tried renaming the file in normal or safe mode?

Let's also try another anti-malware scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#9 fredsed


Posted 21 August 2008 - 11:22 AM

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

22:06:24 2008-08-20
mbam-log-08-20-2008 (22-06-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 43106
Time elapsed: 14 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It did not see anything.
What's next?
I still cannot do the Kaspersky scan because of my speed.
But even when I try, it says my Java could not start.

When I do get a fast connection, what do I do?

#10 fredsed


Posted 21 August 2008 - 11:23 AM

I scanned only C:
Do I scan the D: partition? I just have my software backups there.

#11 quietman7


Posted 21 August 2008 - 11:27 AM

That was a clean log.

Have you tried renaming the file in normal or safe mode?

#12 fredsed


Posted 21 August 2008 - 11:38 AM

What file are you talking about?
The file is _asp.net in the system32 folder.
When I open the folder, I don't see the file.
Apart from what Panda online saw, I have no other thing to hold on to.
I don't even know if the asp thing is the problem.

#13 fredsed


Posted 21 August 2008 - 11:45 AM

I am trying to do the Kaspersky scan now, no matter how slow.
I need this done because the system is getting worse.
Whatever it is, it is killing the system, because now it is not allowing my antivirus to run a scan. When I try, it hangs.

#14 quietman7


Posted 21 August 2008 - 11:45 AM

> i dont even know if the asp thing is the problem

I don't either, that's why I want you to try to rename it.

Reconfigure Windows XP to show hidden files and folders. Double-click on My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders, check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", uncheck "Hide file extensions for known file types", then click Apply > OK.

You can use Windows Explorer to navigate to the file, or use the Windows Search feature > More advanced options, to see if the file(s) are still present. To do this, go to Start -> Search and click For Files or Folders... or just press the Windows key + F key on the keyboard.
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria." (_asp.net)
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
If you find the file, right-click on it and choose Properties. Let me know what information you see about the file.

#15 fredsed


Posted 21 August 2008 - 11:52 AM

I am doing the find now.



