
Can someone help me? Trojan

yummymsmummy
yummymsmummy Posts: 182 Forumite
edited 27 June 2009 at 6:01PM in Techie Stuff
Hi guys,

When my AVG Free finished scanning a while ago it had found and removed an infection - backdoor hupigon5.kvh

I'm really nervous now as this morning I have logged onto my internet banking, and entered my card details into a site to purchase a netbook! :( Have googled hupigon and it sounds like a nasty trojan - can anyone help? Should I be doing anything else/any other scans or will AVG have got rid of it for good? Is there any risk to my bank details?

Thanks in advance, I'm really not up on this stuff :cry:

Comments

  • Have a read of this thread http://forums.moneysavingexpert.com/showthread.html?t=133269

    Then post a HijackThis log here (post #4 of that thread)
    I used to have a signature but it disappeared and I just couldn't be bothered writing another, so please feel free to ignore this.
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    start with this and post the log

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
    Ex forum ambassador

    Long term forum member
  • yummymsmummy
    yummymsmummy Posts: 182 Forumite
    Sorry guys, panicked and posted but should have read the sticky first!

    Here's my log:

    Malwarebytes' Anti-Malware 1.38
    Database version: 2341
    Windows 5.1.2600 Service Pack 3
    27/06/2009 14:16:02
    mbam-log-2009-06-27 (14-16-02).txt
    Scan type: Quick Scan
    Objects scanned: 113637
    Time elapsed: 21 minute(s), 38 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0087a48 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    seeing it says Vundo then run this

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    more to be safe..

    post that log as well
    Ex forum ambassador

    Long term forum member
  • andy2004
    andy2004 Posts: 1,309 Forumite
    Just as a precaution I would download a Vundo remover just to make sure all leftovers have been deleted.
    I see you had AVG installed. I would say that Avast would be better, and it's also free, home edition.
    http://www.softpedia.com/get/Antivirus/Trojan-Vundo-free-Removal-Tool.shtml < just as a double check, should find nothing as malware should have removed all.
    If you have your Windows CD handy I would also recommend opening a DOS prompt / command window and typing SFC /scannow to replace any files which may have been replaced; there is 1 space between the C and the /.
    Then post your Hijack log here.
  • yummymsmummy
    yummymsmummy Posts: 182 Forumite
    edited 27 June 2009 at 3:17PM
    Browntoa - do I want to be running Combofix? There is a link at the top saying start download but I think it's an ad :confused:

    Will AVG be easy to completely uninstall? I remember having some problems in the past when trying to install a different anti-virus - with some files being left behind I think and me not knowing how to get rid of them!

    I also don't have any of my photos backed up yet, and have just read through the Combofix instructions - sounds like scary stuff backing up the Windows registry etc, yikes! It's not going to wipe anything, is it? (Yes - complete novice!!)

    Thanks for the help guys, I really appreciate it :o
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    mummy ~

    Combofix is HERE

    Personally I'd run a FULL scan with malwarebytes first, then run combofix

    To remove AVG, simply uninstall it then use the 32bit removal tool ~
    http://www.avg.com/download-tools
    :idea:
  • yummymsmummy
    yummymsmummy Posts: 182 Forumite
    Am currently running a full scan with malwarebytes, and will then run combofix.

    Once I'm sorted this evening I will uninstall AVG and install Avast instead.

    Will post combofix log when done :)
  • yummymsmummy
    yummymsmummy Posts: 182 Forumite
    Yikes!

    Finished full MBAM scan and it had found one more infection. Said it needed to restart to complete removal - and then Windows wouldn't load!

    In the end it asked whether I wanted to start in safe mode (about 3 different options), last successful load point, or continue normally. I tried continue normally first with no success (turned itself off and started again) so next time I selected last successful load point - hope this was right :confused:

    Here's the log:

    Malwarebytes' Anti-Malware 1.38
    Database version: 2341
    Windows 5.1.2600 Service Pack 3
    27/06/2009 16:58:05
    mbam-log-2009-06-27 (16-58-05).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 189857
    Time elapsed: 1 hour(s), 34 minute(s), 27 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\program files\motorola phone tools\MPT_TEST_Info.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

    Do I need to do anything else with this? Not sure if it has successfully deleted because Windows didn't restart properly.

    Shall I now run Combofix?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    You did fine.

    I think to be a little safer I'd suggest SAS first THEN combofix

    Download SUPERANTISPYWARE (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_superantispyware/
    UPDATE and PERFORM COMPLETE SCAN
    (Then go to console and LOGS and post the log it created, then untick it from STARTING UP WITH WINDOWS)

    then run combofix as above
    :idea:
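Added example, not part of any post in this thread: a small triage script for the Malwarebytes 1.x log format pasted above. It checks the summary counts against the listed entries and flags detections that sit in registry autostart locations, such as the Winlogon\Notify key in the first log, which is why further scans were suggested even after a successful removal. The function names, the short `AUTOSTART_HINTS` list and the "successfully" rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Excerpt of the first log posted in this thread (header lines trimmed).
SAMPLE_LOG = r"""Registry Keys Infected: 4
Files Infected: 0
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0087a48 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^(.+ Infected):$")
DETECT_RE = re.compile(r"^(?P<object>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# Assumption: illustrative, non-exhaustive registry autostart locations.
AUTOSTART_HINTS = (r"\winlogon\notify", r"\currentversion\run", r"\browser helper objects")

def parse_mbam_log(text):
    """Return (summary counts, detection records) from an MBAM 1.x text log."""
    counts, detections, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT_RE.match(line):
            counts[m[1]] = int(m[2])
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif section and (m := DETECT_RE.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return counts, detections

def triage(text):
    """Flag what needs follow-up after a scan, beyond 'it said deleted'."""
    counts, detections = parse_mbam_log(text)
    listed = Counter(d["section"] for d in detections)
    return {
        # Summary count disagrees with listed entries: truncated or edited log.
        "count_mismatch": sorted(s for s, n in counts.items() if listed[s] != n),
        # Detections in autostart keys mean code was set to load at logon/boot.
        "persistence": [d for d in detections
                        if any(h in d["object"].lower() for h in AUTOSTART_HINTS)],
        # Assumption: any action not reported as successful is still pending.
        "unresolved": [d for d in detections if "successfully" not in d["action"].lower()],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```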