Trojan Horse BackDoor. Hupigon3.xkf

AVG anti-virus hit me with this one after a routine scan yesterday. The exact infection details it gave were:

File: Partition table (MBR) Change
File: Boot sector of Disk Change
File: Hosts Change
File: Dc16.exe
Path: C:\RECYCLER\S-1-5-21-1085031214-1614895754-725345543-1003\Dc16.exe

It promptly deleted the .exe from the RECYCLE folder at the end of the scan. After a system reboot and another scan ithe trojan itself did not reappear but the information regarding the Partiton Table, Boot Sector and Hosts file change remained.

I've since installed KIS v7, ran all the scans but they showed nothing? I've Googled this RAT by name and came up with all kinds of horror stories leading up to the only cure being a complete OS reinstallation. I'm not ready to go down that path yet just yet but do need some advice as to how to proceed.

One other thing. My anti rootkit software picked up a hidden driver:
C: WINDOWS System32\drivers\a5m5eobq.SYS
for which Google finds absolutely nothing and I'm wondering if this could be related. The program offers me the choice of deleting it at the same time that it warns me of the possible consequences.
Thanks

 

Do you have Alcohol/Daemon tools installed ?

If so there is a very high probability it is related to the legitimate RK in that software.

As for the rest i am not fammiliar with AVG reporting so cannot comment with any degree of certainty.I do know that RATS as with all malware need a loading point/entry point and withthat using a tool such as Autoruns and verifying the data returned you would be able locate a load point for a RAT if it is present(AVG AV would not delete that value).
http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx

If there is no load value present then you are most likely looking at a False/Positive by AVG on the file in RB.

HTH

 

Thanks for your reply. Yes, I am using Daemon Tools so that clears that up.
I have now downloaded autoruns a program which I can see is definitely not for the uninitiated. Frankly I wouldn't know how to find a loading point/entry point if it was staring me in the face so it looks like I'm going to have to find a tutorial for this program.

 

Here's a small routine that both simplifies the Autoruns output(in quantity of data) and actually utilizes it to its full potential>>>

Run a scan but press ESC to stop it .

Click options .

Check both "verify code signatures" and "hide signed microsoft entries" . This will make the list a lot shorter .

Now press F5 to rerun the scan with the new settings .

Click file , save as and save the log to your desktop .

* if your firewall requests outbound connection for Autoruns(grant it permission) as it is phoning home to the central databse to verify signatures of files

If you post back your log generated i can advise what to do next with the data returned

 

Hello Liquidslam,

Since Wilders no longer offers one on one cleaning services, I'm afraid we're going to have to refer you to one of the security forums that has active Spyware Cleaning services available.

Read the following thread and choose one of the forums listed in it, join there and they should be able to assist you:

https://www.wilderssecurity.com/showthread.php?t=42148
----------------------------

As noted in our long standing Announcement concerning HJT and\or similar logs....

Regards,
Bubba