
BackDoor.Hupigon2.KIS detected


I just got the following "Resident Shield alert" from AVG Free:

Threat detected!

File name: D:\System Volume Information\_restore{AA8025BF-4B67-4F0C-A1BB-1B79773165E5}\RP14\A0004174.exe

Threat name: Trojan horse BackDoor.Hupigon2.KIS

Detected on open.

I clicked on Show details and got this:

Process Name: C:\WINDOWS\System32\svchost.exe

Process ID: 976

This leaves me with a few questions.

  1. Should I reformat? I just formatted this computer two days ago, have installed a fairly minimal set of applications, am running Windows XP SP3 with the latest updates, AVG Free, and Windows Defender. I haven't visited any website of a dubious nature and... I'm, all in all, confused as to why I'm getting this message.
    The only drive I formatted was the C drive. The D drive was untouched, so it's possible there's a virus on it, although it seems like a virus scan would have picked it up and it hasn't.
    Also, the fact that, if I'm interpreting this correctly, svchost.exe tried to call this virus'd file suggests that I'm already infected, does it not? It's like... I can move the file to a vault, but if some other program caused svchost.exe to call that file and AVG Free isn't detecting it, this computer is contaminated and really should be reformatted, imho.
    According to this KB article, "the System Volume Information folder is a hidden system folder that the System Restore tool uses to store its information and restore points". Maybe Windows XP was trying to auto-backup stuff and was about to delete that virus'd file, itself, because the hard drive, itself, no longer had it, or maybe Windows XP was trying to copy a file from the D:\ to D:\System Volume Information to auto-back it up? The latter seems unlikely because a virus scan on the hard drive revealed no viruses and it's kinda hard to copy a virus that doesn't exist. As for the former... well, if I can't access the System Volume Information folder, I'm not sure the virus scanner could, either.
  2. What does the {AA8025BF-4B67-4F0C-A1BB-1B79773165E5} thing mean? It looks almost like a security identifier, as contained in the registry under HKEY_USERS, but it also doesn't start off with a string like S-1-5, either.
  3. I did a Google search for "BackDoor.Hupigon2.KIS" and got this back:
    BackDoor.Hupigon2.KIS isn't on it, but there are a ton of BackDoor.Hupigon.* entries on it. It almost makes me wonder... is BackDoor.Hupigon2 (and BackDoor.Hupigon) a polymorphic program? Maybe "KIS", in this case, is just some arbitrary junk added at the end of the *.exe, or something? If that's the case, though, why distinguish between each polymorphic version? That seems about as productive as classifying "hello, world!" programs differently than "hellow world!" programs.

Hi and welcome to Malwarebytes. D:\System Volume Information\_restore{AA8025BF-4B67-4F0C-A1BB-1B79773165E5}\RP14\A0004174.exe

That file was in System Restore, so it is a past infection.

We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

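The reply's point is that the detected path lives inside a System Restore snapshot (`_restore{GUID}\RPnn\A…`) rather than on the live file system, and the original poster's second question asks what the `{AA8025BF-…}` token is: it is the GUID that names the drive's restore store, and `RP14` is restore point number 14. The following Python script is an added example, not code from the thread or from Malwarebytes, that parses AVG-style "File name:" alert lines and classifies each hit as an archived restore-point copy or a live file, pulling out the drive, GUID, restore-point number and archived file name. The alert lines are constructed for the example; the first uses the path quoted in the thread, the others are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample alert lines (not real detections). The first is the path
# quoted in the thread; the GUID in the third line is made up for the example.
SAMPLE_ALERTS = [
    r"File name: D:\System Volume Information\_restore{AA8025BF-4B67-4F0C-A1BB-1B79773165E5}\RP14\A0004174.exe",
    r"File name: C:\Documents and Settings\user\Local Settings\Temp\update.exe",
    r"File name: C:\System Volume Information\_restore{01234567-89AB-CDEF-0123-456789ABCDEF}\RP3\A0000012.dll",
]

# A GUID in registry-style braces: 8-4-4-4-12 hex digits.
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Layout of a System Restore archived copy on Windows XP:
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<digits>.<ext>
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore(?P<guid>" + GUID + r")"
    r"\\RP(?P<rp>\d+)\\(?P<archived>A\d+\.[A-Za-z0-9]+)$"
)


@dataclass
class AlertClassification:
    path: str
    in_restore_point: bool
    drive: Optional[str] = None
    restore_guid: Optional[str] = None
    restore_point: Optional[int] = None
    archived_name: Optional[str] = None


def parse_alert_line(line: str) -> AlertClassification:
    """Strip the 'File name:' prefix and decide whether the path is an archived
    copy inside a restore point or a file on the live file system."""
    path = line.strip()
    if path.lower().startswith("file name:"):
        path = path.split(":", 1)[1].strip()
    m = RESTORE_RE.match(path)
    if not m:
        return AlertClassification(path=path, in_restore_point=False)
    return AlertClassification(
        path=path,
        in_restore_point=True,
        drive=m.group("drive").upper(),
        restore_guid=m.group("guid"),
        restore_point=int(m.group("rp")),
        archived_name=m.group("archived"),
    )


def recommendation(result: AlertClassification) -> str:
    """Defender-side next step, following the advice given in the thread."""
    if result.in_restore_point:
        return (
            f"archived copy in restore point RP{result.restore_point} on drive "
            f"{result.drive}: purge restore points and create a clean one"
        )
    return "live file: treat as an active detection and scan the system"


def summarize(lines) -> dict:
    """Count archived versus live hits across a batch of alert lines."""
    counts = {"archived": 0, "live": 0}
    for line in lines:
        key = "archived" if parse_alert_line(line).in_restore_point else "live"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        r = parse_alert_line(line)
        print(r.path)
        print("  ->", recommendation(r))
    print(summarize(SAMPLE_ALERTS))
```

Run it directly to see each sample path classified; `summarize` is what you would feed a batch of exported alert lines to when deciding whether a cluster of detections is old restore-point contents (handled by resetting System Restore, as the reply describes) or something currently on disk.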
