DR/Hupigon.dsx.914 dropper virus? (Resolved)

johntee

New member
Hi. I had a problem on my Toshiba laptop with a DR/Hupigon.dsx.914 dropper virus. I posted and started getting kind help a few weeks ago from PSKelley at
http://forums.spybot.info/showthread.php?p=318315#post318315
(which has now been archived)
but shortly after we started the process of disinfecting my computer, things rapidly went bad (whether from the virus, or the disinfecting software, or a failing hard drive, I don't know)... When I began running MalwareBytes as suggested, it never got to complete itself; it kept rebooting in the Scan phase (never got to the Fix phase). A short time later, I got the Blue Screen of Death, and Windows XP eventually wouldn't even boot up (even with the Toshiba Recovery CD in there).

Well now I'm back and running with a new hard drive (in case the bootup problems were stemming from a failing drive), and a restored backup from January (so, nice and clean pre-virus). (I use Casper XP for my backups.)

I want to disinfect the old hard drive, so I can safely retrieve the data that's on there since January. So now I'm in the position of being able to run the disinfecting on the old drive attached as an external drive (which I'm hoping may help ease the disinfecting since the operating system will be coming off another drive).

What should I do before I attach the virus-laden drive to the restored PC? I want to be sure I don't immediately infect the restored PC, if possible.
Then hopefully someone can guide me in flushing out the nasties.

Thanks for your help, again!!
John
 
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly


Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------


Are you connecting the old drive via USB?
 
----------------------------------------------------------------------------------------
Step 1

USBNoRisk

  • Please download USBNoRisk to your Desktop and run it by double-clicking the program's icon
  • Wait a couple of seconds for the initial scan to be done
  • Connect all of the USB storage devices to the PC, one at a time, and keep each one connected for at least 10 seconds
  • If there are more USB storage devices to scan, please take a note of the order in which these were connected
  • After all the devices are scanned, choose the "Save log" option from the right-click menu on the Monitor tab. That will open the log in Notepad. Please copy/paste the log to the forum

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

----------------------------------------------------------------------------------------
Step 2

Make sure your old hard drive is connected before the next step

----------------------------------------------------------------------------------------
Step 3

Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

  • Read the Requirements and limitations before you click Accept.
  • Once the database has downloaded, click My Computer in the left pane
  • Now go and put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • Kaspersky log
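The USBNoRisk step above looks for autorun.inf, Desktop.ini and folder "mimics" on each attached drive. The read-only checker below is an added example (not USBNoRisk's code, and the thread does not show that tool's internals); its mimic rule, an executable whose name matches a sibling folder, is an assumption about what such a scan flags, and the sample drive layout is constructed in a temp directory.

```python
# Read-only walk of a drive root reporting the indicators the thread's
# USBNoRisk log lists: autorun.inf, desktop.ini and folder mimics.
# Added example; the mimic rule (an .exe/.scr named like a sibling folder)
# is an assumption, not USBNoRisk's documented logic.
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Executable extensions commonly used for folder look-alikes (assumption).
MIMIC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def check_drive(root: str) -> List[Tuple[str, str]]:
    """Return sorted (indicator, path) pairs; nothing on the drive is modified."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_lower = {d.lower() for d in dirnames}
        for name in filenames:
            full = os.path.join(dirpath, name)
            low = name.lower()
            if low == "autorun.inf":
                findings.append(("autorun.inf", full))
            elif low == "desktop.ini":
                findings.append(("desktop.ini", full))
            stem, ext = os.path.splitext(low)
            # An executable with the same base name as a folder beside it.
            if ext in MIMIC_EXTS and stem in dirs_lower:
                findings.append(("folder-mimic", full))
    return sorted(findings)


def build_sample_drive() -> str:
    """Constructed sample layout standing in for a suspect external drive."""
    root = tempfile.mkdtemp(prefix="usbcheck_")
    Path(root, "Documents").mkdir()
    Path(root, "Documents.exe").write_bytes(b"MZ")  # mimic of the Documents folder
    Path(root, "autorun.inf").write_text("[autorun]\nopen=Documents.exe\n")
    Path(root, "Photos").mkdir()
    Path(root, "Photos", "desktop.ini").write_text("[.ShellClassInfo]\n")
    Path(root, "Photos", "holiday.jpg").write_bytes(b"\xff\xd8")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for kind, path in check_drive(drive):
        print(f"{kind:13} {os.path.relpath(path, drive)}")
```

A desktop.ini is often legitimate; the point of listing it, as the tool does, is to review it alongside any autorun.inf rather than treat it as an infection on its own.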
 
USBnorisk log

Hi. Here's the log file from USBnorisk.
Is the crazy circus music normal?? :)

I left USBnorisk running while I did Step 2 and 3 (since you didn't say to close it).


USBNoRisk 2.4 (1 June 2009) by bobby

Started at 7/11/2009 11:42:59 AM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {27a42570-fe10-11d7-8205-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 27a42570-fe10-11d7-8205-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 7/11/2009 11:43:38 AM

Scanning for connected USB mass storage...
----------------------------------------
E: {67e469a2-6e2d-11de-9673-00038a000015}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for E:
Sanitized mountpoint for 67e469a2-6e2d-11de-9673-00038a000015
----------------------------------------

No Desktop.ini files found on E:
----------------------------------------

No mimics found on drive E:
========================================
 
Kaspersky is still running its scan (41% after about 5 hours, but it did get delayed by a "sighting" by my Avira AntiVir Guard software, which had flagged:
A virus or unwanted program was found!
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.DLL
Contains recognition pattern of the ADSPY/Wheaterbug.A adware or spy ware.

I chose DENY ACCESS, and it continued the scan.

(I don't think Kaspersky flagged that (maybe because I clicked Deny Access) -- the Threat Names count stayed at 2, and the Infected Objects count stayed at 4.)

I'll post the log once it's done, but I suspect it will be tomorrow or very late tonight...
Thanks!
John
 
hmmm, not sure what to make of this...
I let Kaspersky continue its scan, and after 10 hours it was at least 53% through. It had gotten all the way through the C:\ drive, and had started on the E:\ external USB drive, which is largely the same as C: except E: has several recent months of changes.

At one point while I was away from the computer, it rebooted. I checked the System Event Log and found the following:

  • Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. Source = EventLog. EventID = 6009.
  • then: The Event log service was started. Source = EventLog. EventID = 6005.
  • then: The computer has rebooted from a bugcheck. The bugcheck was: 0x10000050 (0xe62bf294, 0x00000000, 0x804f408a, 0x00000002). A dump was saved in: C:\WINDOWS\Minidump\Mini071209-01.dmp.
    Source = Save Dump. EventID = 1001.
I tried to open the .dmp file in WordPad, but it showed unintelligible characters. I don't know if you could retrieve something from it that would help you figure out what happened.

During Kaspersky's scan, my Avira AntiVir Guard program gave 3 messages --
  1. C:\Program Files\AWS\Weatherbug\Transporter.DLL, which contained ADSPY/Wheaterbug.A virus pattern.
  2. C:\Windows\cpbrkpie.ocx, which contained ADSPY/Coupon.H virus pattern.
  3. E:\Program Files\AWS\Weatherbug\Transporter.DLL, which contained ADSPY/Wheaterbug.A virus pattern.

I wasn't able to find any log file with the Kaspersky results. It had found 2 Threat Names, and 4 Infected Objects (pretty early on in the scan, because those numbers stayed the same for the bulk of the scan time.)

Thanks!
John
 
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Please run the Kaspersky scan again, but do the drives separately.
Scan C: post the report
Then scan E: and post the report

That should speed things up.
 
well, it happened again --
About 49 minutes into Kaspersky's scan of just the C:\ drive, it rebooted and in the System Event Log I see the same message (although with different offset addresses than last attempt):
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000004e (0x00000099, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\WINDOWS\Minidump\Mini071209-03.dmp.

Is this virus-related? The laptop with brand new hard drive + backup from January had seemed stable previously (although I didn't use it much), before I hooked up the USB with the virus-laden drive (with USBnorisk running).

(Prior to the attempt to run Kaspersky's, I had gotten a Blue Screen while in IE, that said something like PAGE FAULT IN NON-PAGED AREA. I rebooted and it seemed better (but with lots of heavy disk activity at startup).
When I tried running Kaspersky's after that, it gave me a "starting Java applet failed. Go online to run." I rebooted, and got a "LSASS.EXE application failed to initialize properly (OXC000005)" on reboot. Seemed to hang on a black screen after I click OK to Terminate. I had to force-shut it down (power button).)


Thanks!
John
 
E:\ drive results (although maybe not complete)

OK, here's what it showed for the E:\ drive scan, but I suspect it's actually not a complete scan. I saw it as high as about 25% after 3-4 hours, and around that time I followed a link to a website, which, although it opened in a separate tab, coincided with the "completion" of the scan.
So unless the progress percentage is not accurate (3-4 hours for 25%, then mere minutes for the other 75%), I suspect it didn't actually complete the scan of the drive (although it says it did). I'm going to start the scan again to be sure, but thought I'd post the one item it found in the first scan --


KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, July 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 19, 2009 23:24:56
Records in database: 2496969


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
E:\

Scan statistics
Files scanned 77494
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 03:48:57

File name Threat name Threats count
E:\Program Files\RecentFilesViewer\RecentFilesView.exe Infected: not-a-virus:PSWTool.Win32.WinPassViewer.k 1

The selected area was scanned.
 
Complete scan of E:\

Yeah, I think the progress meter is just not accurate as to time... It must have been just coincidence that it ended just when I opened that other webpage last night. I let it run again overnight, and it took almost the same time with same result --


KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 20, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 20, 2009 04:27:38
Records in database: 2498217


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
E:\

Scan statistics
Files scanned 77494
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 03:54:00

File name Threat name Threats count
E:\Program Files\RecentFilesViewer\RecentFilesView.exe Infected: not-a-virus:PSWTool.Win32.WinPassViewer.k 1

The selected area was scanned.



P.S. I think I found the source of my laptop's recent instability -- I may have had a failing RAM memory module. I'd upgraded RAM months and months ago, with no problems, but the recent Bugchecks seemed to point to RAM. I downgraded back to the original sticks, and it's been running without incident for 15+ hours. Now I should be able to follow whatever instructions to clean out the virus/spyware... Thanks!
John
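The two "rebooted from a bugcheck" event-log lines quoted earlier in the thread already name the stop codes: 0x50 (PAGE_FAULT_IN_NONPAGED_AREA, reported here in its 0x10000050 form) and 0x4E (PFN_LIST_CORRUPT), both of which are commonly raised by faulty memory, which fits the RAM finding in the P.S. The parser below is an added example, not a Microsoft or forum tool; STOP_NAMES covers only the two codes seen in this thread, and the sample lines are the ones John posted.

```python
# Parse the Event ID 1001 (Source = Save Dump) text quoted in this thread and
# name the stop code. Added example; STOP_NAMES holds only the two codes seen here.
import re
from typing import Optional

# Documented stop-code names for the two codes that appear in the thread.
STOP_NAMES = {
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",  # logged as 0x10000050 in the first event
    0x4E: "PFN_LIST_CORRUPT",             # logged as 0x0000004e in the second event
}

HEX = r"0x([0-9a-fA-F]{8})"
BUGCHECK_RE = re.compile(
    r"The bugcheck was: " + HEX + r" \(" + ", ".join([HEX] * 4) + r"\)"
    r"\. A dump was saved in: (\S+)\."
)


def normalize_code(raw: int) -> int:
    """Event 1001 sometimes logs a code with the 0x10000000 flag set
    (0x10000050 is the flagged form of 0x50); strip it so lookups work."""
    return raw & 0x0FFFFFFF if raw & 0xF0000000 == 0x10000000 else raw


def parse_bugcheck(line: str) -> Optional[dict]:
    """Return code, name, the four parameters and dump path, or None."""
    m = BUGCHECK_RE.search(line)
    if not m:
        return None
    code = normalize_code(int(m.group(1), 16))
    return {
        "code": code,
        "name": STOP_NAMES.get(code, "UNKNOWN"),
        "params": tuple(int(p, 16) for p in m.groups()[1:5]),
        "dump": m.group(6),
    }


# The two event-log lines John quoted, copied from the thread.
EVENTS = [
    r"The computer has rebooted from a bugcheck. The bugcheck was: 0x10000050 "
    r"(0xe62bf294, 0x00000000, 0x804f408a, 0x00000002). "
    r"A dump was saved in: C:\WINDOWS\Minidump\Mini071209-01.dmp.",
    r"The computer has rebooted from a bugcheck. The bugcheck was: 0x0000004e "
    r"(0x00000099, 0x00000000, 0x00000000, 0x00000000). "
    r"A dump was saved in: C:\WINDOWS\Minidump\Mini071209-03.dmp.",
]

if __name__ == "__main__":
    for line in EVENTS:
        info = parse_bugcheck(line)
        print(f"0x{info['code']:08X} {info['name']:28} dump={info['dump']}")
```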
 
Nothing to worry about there, you can get your data off that drive safely and then delete the old system folders that aren't needed now :)

Are there any other problems or questions?
 
Are there other detection programs I can run, because my Avira Anti-Vir had detected the Dr/Hupigon virus, and MalwareBytes had found some infected files (during a scan it could never complete, probably due to the failing RAM), and my Yahoo account password had been compromised and used to send spam.

Thanks!
John
 
You didn't mention any of this, I thought we were just checking the old drive !


Malwarebytes' Anti-Malware
I notice that you have MBAM installed, please do the following

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
 