
Infected with Hupigon-LIE, Rootkit-CX, Malware-gen


  • This topic is locked
3 replies to this topic

#1 kahotep


Posted 29 October 2009 - 03:57 PM

Hi,

My friend downloaded some music to my computer last night. He also used my computer this morning and he plugged his phone into the USB drive. After he did this Avast! popped up with three to four Virus warnings. He selected the option 'Move to Chest' for each one and restarted the computer. I then turned the computer on and had the same three or four Virus warnings, this time deciding to 'delete' them. After a restart and running an Avast! scan in boot mode, the Virus warnings still appeared. This time I chose to 'Move/Rename'. Restarted once more and still had the Virus warnings, plus a very slow computer - windows explorer crashed a few times, taskbar disappeared, internet was very slow/sometimes dropping out completely. Next step was to run MiniPE off a CD and run Avast! Scandisk, and BartCD Avast scan. Neither of these resolved the problem. So I logged on as administrator in safe mode and did a system restore to yesterday (October 28). Restarted... after a few minutes, the Virus warnings returned. So I downloaded MalwareBytes, ran a scan, found 11 infected files. I removed them. Restarted. The Virus warnings are still there. Totally stumped! Any help will be appreciated.

The Virus warning details, as shown in Avast! are as follows:
Win 32: Vitro
Win 32: Malware-gen
Win 32: Hupigon-LIE [Trj]
Win 32: Rootkit-CX [Trj]

The files I've been able to remember that Avast! mentioned in the warnings were:
system32\A.tmp\[UPX] *
drivers\tcpsr.sys +

*shown in the warning with Hupigon-LIE [Trj]
+shown in the warning with Rootkit-CX [Trj]
==========================================

DDS (Ver_09-10-26.01) - NTFSx86
Run by lippo at 18:53:05.89 on 29/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.433 [GMT 0:00]

AV: avast! antivirus 4.8.1351 [VPS 091029-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\lippo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [M-Audio Taskbar Icon] c:\windows\system32\MAFWTray.exe
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [OCAudioIni] c:\program files\one-click audio converter\OCAudioIni.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\myprin~1.lnk - c:\program files\hewlett-packard\hp deskjet 450 printer\toolbox\mpm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.40.193/xplugLiteDL.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lippo\applic~1\mozilla\firefox\profiles\2cy6w626.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\lippo\application data\mozilla\firefox\profiles\2cy6w626.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\lippo\application data\mozilla\firefox\profiles\2cy6w626.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\lippo\application data\mozilla\firefox\profiles\2cy6w626.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\lippo\application data\mozilla\firefox\profiles\2cy6w626.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\lippo\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-29 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-29 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-12 24652]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-1-29 33792]
R3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2009-3-21 193032]
R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2009-6-12 65664]
S2 gupdate1c9861c709096a0;Google Update Service (gupdate1c9861c709096a0);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-4-30 12672]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\HPZs2k12.sys [2009-2-26 50392]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-22 28592]
S3 taphss;Anchorfree HSS Adapter;c:\windows\system32\drivers\taphss.sys [2009-9-15 32768]
UnknownUnknown tcpsr;tcpsr; [x]

=============== Created Last 30 ================

2009-10-29 18:34:00 81920 ----a-w- c:\windows\eSellerateControl350.dll
2009-10-29 18:34:00 356352 ----a-w- c:\windows\eSellerateEngine.dll
2009-10-29 18:33:56 0 d-----w- c:\program files\Win32.Backdoor.Hupigon Removal Tool
2009-10-29 17:41:45 0 d-----w- c:\docume~1\lippo\applic~1\Malwarebytes
2009-10-29 17:41:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 17:41:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 17:41:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-29 17:41:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 16:58:32 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-29 14:49:37 54156 ---ha-w- c:\windows\QTFont.qfn
2009-10-29 14:49:37 1409 ----a-w- c:\windows\QTFont.for
2009-10-29 14:43:20 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-10-29 14:43:15 0 d-----w- c:\program files\common files\ParetoLogic
2009-10-29 14:41:21 0 d-----w- c:\program files\common files\XoftSpySE
2009-10-29 14:41:17 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2009-10-29 14:40:32 0 d-----w- c:\program files\XoftSpySE6
2009-10-29 14:21:00 31744 ----a-w- c:\windows\system32\19.tmp
2009-10-29 14:20:59 26622 ----a-w- c:\windows\system32\18.tmp
2009-10-29 14:11:10 236 ----a-w- c:\windows\system32\10.tmp
2009-10-29 11:30:44 26618 ----a-w- c:\windows\system32\15.tmp
2009-10-29 11:29:34 118 ----a-w- c:\windows\xj43g2xd42.tmp
2009-10-29 11:29:16 280 ----a-w- c:\windows\system32\F.tmp
2009-10-29 10:07:49 0 ----a-w- c:\windows\system32\12.tmp
2009-10-29 09:47:15 280 ----a-w- c:\windows\system32\9.tmp
2009-10-29 08:10:00 26621 ----a-w- c:\windows\system32\D.tmp
2009-10-29 08:10:00 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-10-29 08:09:59 52224 ----a-w- c:\windows\system32\B.tmp
2009-10-29 08:09:51 280 ----a-w- c:\windows\system32\8.tmp
2009-10-29 08:04:41 31744 ----a-w- c:\windows\system32\E.tmp
2009-10-29 08:04:40 26621 ----a-w- c:\windows\system32\C.tmp
2009-10-29 08:04:20 280 ----a-w- c:\windows\system32\7.tmp
2009-10-29 08:04:11 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-29 08:04:04 8 ----a-w- c:\windows\system32\DROPPEDFILEOK2.tmp
2009-10-28 09:16:32 0 d-----w- C:\downloads
2009-10-26 12:09:30 0 d-----w- C:\mystery and style
2009-10-10 12:26:00 0 d--h--w- C:\stuff
2009-10-06 14:11:19 0 d-----w- c:\docume~1\lippo\applic~1\BorWare
2009-10-06 11:04:53 0 d-----w- c:\program files\OpenType Tools

==================== Find3M ====================

2009-10-29 18:29:48 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-29 08:10:06 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-09-25 17:20:36 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-09-15 20:04:58 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 09:41:02 28560 ----a-w- c:\windows\fonts\Helvetica-Black-SemiBold.ttf
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 03:54:11 1470464 ----a-w- c:\docume~1\lippo\applic~1\oggenc2.exe
2009-08-15 03:53:08 520192 ----a-w- c:\docume~1\lippo\applic~1\lame.exe
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 18:53:50.14 ===============
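The DDS log above carries the indicators a helper would pick out by hand: a driver (tcpsr) that the service database knows about but whose file DDS could not locate, a run of executable-sized .tmp files written into system32 the same morning, a TCPIP.SYS.ORIGINAL backup sitting next to the live network drivers, and a Firefox keyword.URL pointed at ffsearching.com while the homepage is still Google. The script below is an added example, not part of the original post and not a BleepingComputer or DDS tool; it runs those same checks over a few constructed lines written in DDS's output format. The size threshold, the allow-list of expected search hosts and the rule names are assumptions made for the example.

```python
"""Triage of a DDS-style log for the indicators visible in the post above.

Added example, not part of the original thread and not a DDS feature. It
re-implements the checks a helper does by eye on the 'SERVICES / DRIVERS',
'Created Last 30' and 'FIREFOX' sections. Thresholds and the search-host
allow-list are assumptions.
"""
import re
from collections import namedtuple
from datetime import datetime

Finding = namedtuple("Finding", "severity rule when detail")

# Constructed sample in the shape DDS prints, modelled on a few lines of the
# log above (not the full log; backslashes are doubled for the Python literal).
SAMPLE_LOG = """\
S3 taphss;Anchorfree HSS Adapter;c:\\windows\\system32\\drivers\\taphss.sys [2009-9-15 32768]
UnknownUnknown tcpsr;tcpsr; [x]
2009-10-29 14:21:00 31744 ----a-w- c:\\windows\\system32\\19.tmp
2009-10-29 14:11:10 236 ----a-w- c:\\windows\\system32\\10.tmp
2009-10-29 08:04:11 361600 ----a-w- c:\\windows\\system32\\drivers\\TCPIP.SYS.ORIGINAL
2009-10-29 08:04:04 8 ----a-w- c:\\windows\\system32\\DROPPEDFILEOK2.tmp
2009-10-28 09:16:32 0 d-----w- C:\\downloads
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
"""

# "R1 name;display;path [date size]" or "UnknownUnknown name;name; [x]"
SERVICE_RE = re.compile(r"^(\w+) ([^;]+);([^;]*);([^\[]*)\[([^\]]*)\]\s*$")
# "YYYY-MM-DD HH:MM:SS size attrs path" as in Created Last 30 / Find3M
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
FF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (\S+)$")
HOST_RE = re.compile(r"^hxxps?://([^/]+)", re.I)

PE_SIZE_HINT = 4096                  # assumption: smaller .tmp files are markers, not code
EXPECTED_SEARCH_HOSTS = ("google.",)  # assumption: where this user's browser should point
HIJACKABLE_PREFS = ("keyword.URL", "browser.search.defaulturl", "browser.startup.homepage")


def triage(text):
    """Return a Finding for every suspicious line; clean lines yield nothing."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, stamp = m.groups()
            # Registered with the service manager but no file found on disk:
            # either already cleaned, or hidden from the file listing.
            if stamp.strip() == "x" or not path.strip():
                findings.append(Finding("high", "orphan_service", None,
                                        f"{name}: registered (start={start}) but no file found"))
            continue
        m = FILE_RE.match(line)
        if m:
            when, size, attrs, path = m.groups()
            when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
            low = path.lower()
            if attrs[0] == "d":                       # directories are noise here
                continue
            if "\\drivers\\" in low and low.endswith(".original"):
                findings.append(Finding("high", "driver_backup", when,
                                        f"{path}: backup of a system driver, live copy probably replaced"))
            elif "\\system32\\" in low and low.endswith(".tmp"):
                sev = "high" if int(size) >= PE_SIZE_HINT else "medium"
                findings.append(Finding(sev, "system32_tmp", when, f"{path} ({size} bytes)"))
            continue
        m = FF_RE.match(line)
        if m:
            pref, value = m.groups()
            host = HOST_RE.match(value)
            if pref in HIJACKABLE_PREFS and host and not any(
                    h in host.group(1).lower() for h in EXPECTED_SEARCH_HOSTS):
                findings.append(Finding("medium", "search_hijack", None,
                                        f"{pref} -> {host.group(1)}"))
    return findings


def summarize(findings):
    """Count findings per rule, for the one-line verdict a helper writes back."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def first_seen(findings):
    """Earliest timestamped finding: the pivot for a timeline of the infection."""
    stamped = [f.when for f in findings if f.when is not None]
    return min(stamped) if stamped else None


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in sorted(found, key=lambda f: (f.severity, f.rule)):
        print(f"[{f.severity:6}] {f.rule:15} {f.detail}")
    print("summary:", summarize(found), "first seen:", first_seen(found))
```

On a real log, `triage(open(path).read())` does the same pass; `first_seen` gives the timestamp to pivot a timeline around, and an `orphan_service` hit is the cue to look for the driver from an offline scan rather than trusting the live file listing, which is what a rootkit is designed to lie to.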


#2 kahotep


Posted 01 November 2009 - 07:33 AM

Well. No thanks to you guys, this is now resolved. I reinstalled my operating system as I got bored waiting around for a fix. Do you really expect people to sit around for FOUR full days with a messed up computer waiting for a response from you guys? Looks like I'm not the only one too. I've seen some topics where the first response was TWENTY to THIRTY DAYS after the initial topic was posted. And then the responder has the audacity to say if you do not respond to this within THREE days we will close this topic! Unbelievable! If I ever use this forum again I will stipulate that YOU MUST RESPOND TO THIS WITHIN THREE MINUTES OTHERWISE I WILL GO ELSEWHERE. But saying that... It's highly unlikely that I'll ever use this forum again. Bye. :(

#3 rigel


Posted 02 November 2009 - 08:11 AM

Sorry we didn't provide free help in your time frame. As this problem is solved, your topic is closed.


#4 Andrew


Posted 02 November 2009 - 08:54 PM

Unbelievable! If I ever use this forum again I will stipulate that YOU MUST RESPOND TO THIS WITHIN THREE MINUTES OTHERWISE I WILL GO ELSEWHERE.

Yeah, good luck with that. Here or anywhere. You seem to be operating under the misapprehension that the world owes you something. It doesn't.

But saying that... It's highly unlikely that I'll ever use this forum again. Bye. :(

Forgive me if I don't weep. :(



