Trojan Horse BackDoor. Hupigon3.xkf

Discussion in 'malware problems & news' started by Liquidslam, Dec 15, 2007.

Thread Status:
Not open for further replies.
  1. Liquidslam

    Liquidslam Registered Member

    Joined:
    Apr 1, 2005
    Posts:
    15
    AVG anti-virus hit me with this one after a routine scan yesterday. The exact infection details it gave were:

    File: Partition table (MBR) Change
    File: Boot sector of Disk Change
    File: Hosts Change
    File: Dc16.exe
    Path: C:\RECYCLER\S-1-5-21-1085031214-1614895754-725345543-1003\Dc16.exe

    It promptly deleted the .exe from the RECYCLE folder at the end of the scan. After a system reboot and another scan the trojan itself did not reappear but the information regarding the Partition Table, Boot Sector and Hosts file change remained.

    I've since installed KIS v7, ran all the scans but they showed nothing? I've Googled this RAT by name and came up with all kinds of horror stories leading up to the only cure being a complete OS reinstallation. I'm not ready to go down that path just yet but do need some advice as to how to proceed.

    One other thing. My anti rootkit software picked up a hidden driver:
    C:\WINDOWS\System32\drivers\a5m5eobq.SYS
    for which Google finds absolutely nothing and I'm wondering if this could be related. The program offers me the choice of deleting it at the same time that it warns me of the possible consequences.
    Thanks
     
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Do you have Alcohol/Daemon tools installed ?

    If so there is a very high probability it is related to the legitimate RK in that software.

    As for the rest I am not familiar with AVG reporting so cannot comment with any degree of certainty. I do know that RATs, as with all malware, need a loading point/entry point and with that, using a tool such as Autoruns and verifying the data returned, you would be able to locate a load point for a RAT if it is present (AVG AV would not delete that value).
    http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx

    If there is no load value present then you are most likely looking at a false positive by AVG on the file in RB.

    HTH :)
     
  3. Liquidslam

    Liquidslam Registered Member

    Joined:
    Apr 1, 2005
    Posts:
    15
    Thanks for your reply. Yes, I am using Daemon Tools so that clears that up.
    I have now downloaded Autoruns, a program which I can see is definitely not for the uninitiated. Frankly I wouldn't know how to find a loading point/entry point if it was staring me in the face so it looks like I'm going to have to find a tutorial for this program.
     
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Here's a small routine that both simplifies the Autoruns output (in quantity of data) and actually utilizes it to its full potential >>>

    Run a scan but press ESC to stop it.

    Click Options.

    Check both "Verify code signatures" and "Hide signed Microsoft entries". This will make the list a lot shorter.

    Now press F5 to rerun the scan with the new settings.

    Click File, Save As and save the log to your desktop.

    * If your firewall requests an outbound connection for Autoruns, grant it permission, as it is phoning home to the central database to verify signatures of files.

    If you post back the log generated I can advise what to do next with the data returned :thumb:
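The triage that fcukdat describes above (verify signatures, drop the verified Microsoft entries, then look at what is left for a load point that references the flagged file) can also be done on the saved log itself. The script below is an added example and is not code from this thread or from Sysinternals. It assumes the log was saved as CSV in a column layout modeled on autorunsc output, including the "(Verified)" / "(Not verified)" prefix in the Signer column and a "File not found:" prefix in Image Path for missing targets; those formats, and the sample rows, are assumptions constructed for the example (only the driver path and the deleted Dc16.exe path are taken from the thread).

```python
import csv
import io

# Constructed sample of an Autoruns log saved as CSV. The column layout and the
# "(Verified)" / "(Not verified)" signer prefix are assumptions modeled on
# autorunsc output; the rows are made up for this example (the driver path and
# the Dc16.exe path come from the thread above).
SAMPLE_CSV = r'''Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon,enabled,Logon,All Users,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe,5.1.2600.2180,C:\WINDOWS\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,DaemonTools,enabled,Logon,All Users,DAEMON Tools,(Not verified) DT Soft Ltd,DT Soft Ltd,c:\program files\daemon tools\daemon.exe,4.0.0.0,"""C:\Program Files\DAEMON Tools\daemon.exe"" -lang 1033"
HKLM\System\CurrentControlSet\Services,a5m5eobq,enabled,Drivers,System-wide,,,,c:\windows\system32\drivers\a5m5eobq.sys,,C:\WINDOWS\System32\drivers\a5m5eobq.SYS
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Dc16,enabled,Logon,Liquidslam,,,,File not found: C:\RECYCLER\S-1-5-21-1085031214-1614895754-725345543-1003\Dc16.exe,,C:\RECYCLER\S-1-5-21-1085031214-1614895754-725345543-1003\Dc16.exe
'''


def parse_signer(signer):
    """Split a Signer cell into (verified, signer_name).

    An empty cell means the image carries no signature at all.
    """
    s = (signer or "").strip()
    if not s:
        return (False, "")
    if s.startswith("(Verified)"):
        return (True, s[len("(Verified)"):].strip())
    if s.startswith("(Not verified)"):
        return (False, s[len("(Not verified)"):].strip())
    return (False, s)


def triage(csv_text, hide_signed_microsoft=True):
    """Apply the same two filters as the Autoruns options described in the
    thread and classify every remaining load point by why it deserves a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verified, signer = parse_signer(row.get("Signer"))
        image = (row.get("Image Path") or "").strip()
        # "Hide signed Microsoft entries": only a *verified* Microsoft
        # signature hides a row; an unverified claim of Microsoft stays visible.
        if hide_signed_microsoft and verified and signer.startswith("Microsoft"):
            continue
        if image.startswith("File not found"):
            reason = "missing-target"        # load point survives, file is gone
        elif not signer:
            reason = "unsigned"              # no Authenticode signature at all
        elif not verified:
            reason = "unverified-signature"  # signed, but the chain did not verify
        else:
            reason = "signed-third-party"    # verified, just not Microsoft
        findings.append({
            "location": row.get("Entry Location") or "",
            "entry": row.get("Entry") or "",
            "image": image,
            "launch": row.get("Launch String") or "",
            "reason": reason,
        })
    return findings


def load_points_for(findings, filename):
    """Return the load points whose image path or launch string names the
    given file. No match is the "no load value present" case in the thread."""
    needle = filename.lower()
    return [f for f in findings
            if needle in f["image"].lower() or needle in f["launch"].lower()]


if __name__ == "__main__":
    results = triage(SAMPLE_CSV)
    for f in results:
        print(f"[{f['reason']}] {f['entry']}  <- {f['location']}\n    {f['image']}")
    hits = load_points_for(results, "Dc16.exe")
    print("load points naming Dc16.exe:", [h["entry"] for h in hits] or "none")
```

With the sample above, the verified Microsoft ctfmon row is hidden, the Daemon Tools entry and its unsigned driver stay visible for manual verification, and the constructed Dc16 row shows what a surviving load point for an already-deleted file looks like (an empty result from `load_points_for` would be the false-positive case fcukdat describes).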
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hello Liquidslam,

    Since Wilders no longer offers one on one cleaning services, I'm afraid we're going to have to refer you to one of the security forums that has active Spyware Cleaning services available.

    Read the following thread and choose one of the forums listed in it, join there and they should be able to assist you:

    https://www.wilderssecurity.com/showthread.php?t=42148
    ----------------------------

    As noted in our long standing Announcement concerning HJT and/or similar logs....
    Regards,
    Bubba
     