"Accessed file is infected" said:
Threat detected!
File name: D:\System Volume Information\_restore{AA8025BF-4B67-4F0C-A1BB-1B79773165E5}\RP14\A0004174.exe
Threat name: Trojan horse BackDoor.Hupigon2.KIS
Detected on open.
I clicked on Show details and got this:
Process Name: C:\WINDOWS\System32\svchost.exe
Process ID: 976
- Should I reformat? I just formatted this computer two days ago, have installed a fairly minimal set of applications, am running Windows XP SP3 with the latest updates, AVG Free, and Windows Defender. I haven't visited any website of a dubious nature and... I'm, all in all, confused as to why I'm getting this message.
The only drive I formatted was the C drive. The D drive was untouched, so it's possible there's a virus on it, although it seems like a virus scan would have picked it up and it hasn't.
Also, the fact that, if I'm interpreting this correctly, svchost.exe tried to call this virus'd file suggests that I'm already infected, does it not? It's like... I can move the file to a vault, but if some other program caused svchost.exe to call that file and AVG Free isn't detecting it, this computer is contaminated and really should be reformatted, imho.
According to this KB article, "the System Volume Information folder is a hidden system folder that the System Restore tool uses to store its information and restore points". Maybe Windows XP was trying to auto-backup stuff and was about to delete that virus'd file, itself, because the hard drive, itself, no longer had it, or maybe Windows XP was trying to copy a file from the D:\ to D:\System Volume Information to auto-back it up? The latter seems unlikely because a virus scan on the hard drive revealed no viruses and it's kinda hard to copy a virus that doesn't exist. As for the former... well, if I can't access the System Volume Information folder, I'm not sure the virus scanner could, either.
- What does the {AA8025BF-4B67-4F0C-A1BB-1B79773165E5} thing mean? It looks almost like a security identifier, as contained in the registry under HKEY_USERS, but it also doesn't start off with a string like S-1-5, either.
- I did a Google search for "BackDoor.Hupigon2.KIS" and got this back:
http://spywareresources.com/threat_library...&srchmode=3
BackDoor.Hupigon2.KIS isn't on it, but there are a ton of BackDoor.Hupigon.* entries on it. It almost makes me wonder... is BackDoor.Hupigon2 (and BackDoor.Hupigon) a polymorphic program? Maybe "KIS", in this case, is just some arbitrary junk added at the end of the *.exe, or something? If that's the case, though, why distinguish between each polymorphic version? That seems about as productive as classifying "hello, world!" programs differently than "hellow world!" programs.
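An added triage helper (example code, not from the post or from AVG) that parses alert text like the one quoted above and recognises the XP System Restore layout `D:\System Volume Information\_restore{GUID}\RPn\A00nnnnn.ext`: the `_restore{GUID}` folder is the restore store (that GUID identifies the store, it is not a SID), each `RPn` is one restore point, and the `A00nnnnn.*` entries are renamed backup copies of files the restore point preserved. The sample alert is reconstructed from the post; the verdict strings and the `restore_point_info`/`parse_alert`/`triage` names are my own.

```python
import re
from typing import Optional

# Constructed from the alert quoted in the post above (not a captured AVG log file).
SAMPLE_ALERT = r"""Threat detected!
File name: D:\System Volume Information\_restore{AA8025BF-4B67-4F0C-A1BB-1B79773165E5}\RP14\A0004174.exe
Threat name: Trojan horse BackDoor.Hupigon2.KIS
Detected on open.
Process Name: C:\WINDOWS\System32\svchost.exe
Process ID: 976
"""
# XP System Restore layout: <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<7 digits>.<ext>
# _restore{GUID} is the restore store, RP<n> one restore point, A00nnnnn.* a renamed backup copy.
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}"
    r"\\RP(?P<rp>\d+)\\(?P<file>A\d{7}\.[^\\]+)$", re.IGNORECASE)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.+?)\s*$")

def restore_point_info(path: str) -> Optional[dict]:
    """Return drive/guid/rp/file when path lies inside an XP restore point, else None."""
    m = RESTORE_RE.match(path)
    if not m:
        return None
    d = m.groupdict()
    d["drive"], d["guid"], d["rp"] = d["drive"].upper(), d["guid"].upper(), int(d["rp"])
    return d

def parse_alert(text: str) -> dict:
    """Collect the 'Key: value' lines of an AVG-style alert into a lower-cased dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip().lower()] = m.group("val")
    return fields

def triage(text: str) -> dict:
    """Classify the detected path; svchost.exe hosts many services, 'tasklist /svc' maps the PID."""
    f = parse_alert(text)
    info = restore_point_info(f["file name"])
    if info:
        verdict = (f"Backup copy inside restore point RP{info['rp']} on {info['drive']}:, not the "
                   "file's original location. Quarantine it, do not roll back to that restore point, "
                   "and purge old restore points (System Restore off, then on) once the system scans clean.")
    else:
        verdict = "Live file location: treat as an active infection and examine the opening process."
    return {"path": f["file name"], "threat": f["threat name"], "process": f["process name"],
            "pid": int(f["process id"]), "restore_point": info, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT)["verdict"])
```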