Topic: HUPIGON-15103 Removed then found again
blinxpro
HUPIGON-15103 Removed then found again
« on: Aug 5th, 2008, 10:56am »

Every time I remove Hupigon-15103 it shows up again in another file or two.
 
TH doesn't see it.  It manages to find the THsec.dll.  I am aware of the AV falsely thinking that THsec.dll is a trojan BUT I think that there must be something to this.
 
One of the user accounts on my other computer which also is having this problem has become unusable!  When XP starts up I am presented with a dialog box with oriental characters, musical notes and other strange symbols.  There is an OK button and it must be clicked to proceed to the login screen.  
 
I would appreciate whatever help I could get.  This is now on three of the computers at our family business.
 
Here is my HJT log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:30 AM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Icon Time Systems\Driver CD\ColoradoCommunicationsService.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\AOL\1151335320\ee\AOLSoftware.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~2\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinFax\FAXMNG32.EXE
C:\Program Files\WinFax\wfxctl32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ClamWin\bin\ClamWin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151335320\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://summer.snowbird.com/plugins/Svideo.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9D0A9D98-5221-430A-A02D-76F0827C82D1} - http://www.dialer-shop.com/im2/hardissimo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab36107.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://jjkeller.webex.com/client/T23L/event/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0111813-0E8E-452B-A055-917E7AD265DC} : NameServer = 209.210.176.8,209.210.176.9
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Icon Time Systems USB/Serial Web Proxy Server (WebProxyService) - Icon Time Systems - C:\Program Files\Icon Time Systems\Driver CD\ColoradoCommunicationsService.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
 
--
End of file - 11450 bytes
 
Here is a sample of my Clamwin log:
 
Scan Started Tue Aug 05 01:04:07 2008
-------------------------------------------------------------------------------
 
C:\Program Files\TrojanHunter 5.0\THSec.dll: Trojan.Hupigon-15103 FOUND
 
C:\System Volume Information\_restore{7EE18F21-174C-4285-86DD-2FF37636C12E}\RP911\A0060488.dll: Trojan.Hupigon-15103 FOUND
 
Scanning aborted...
 
----------- SCAN SUMMARY -----------
Known viruses: 383511
Engine version: 0.93.1
Scanned directories: 55
Scanned files: 3550
Infected files: 2
Data scanned: 1883.26 MB
 
====================================
====================================
 
Thanks for looking!
 
 
« Last Edit: Aug 5th, 2008, 11:07am by blinxpro »
siliconman01
Re: HUPIGON-15103 Removed then found again
« Reply #1 on: Aug 5th, 2008, 12:43pm »

I can assure you that TrojanHunter's file THSEC.dll is not a malicious file.  Yes, the TrojanHunter DLL THSec.dll uses the Madcode injection tool to inject code in memory programs for its own self protection.  The tool (MadCode) is not a malicious tool.  However, it is used by cybercriminals to inject code as well.  That is why the AntiVirus programs look for it.  
 
I just ran THSec.dll through jotti scan.  You can see that the big virus protection programs such as Avira, Kaspersky, Nod32, Avast, AVG, Bit Defender, and Panda do not flag THSec.dll.  The ones that do flag it are a False Positive detection.  
 
As a user of Clamwin, would you please submit THSec.dll to the technical support group of Clamwin and tell them that this is a false positive.  If they have any questions, they can contact the TH developer, Magnus, at Support@misec.net.  
 
Another option is to have Clamwin ignore THSEC.dll.  I assume that Clamwin has an option that permits users to "ignore" files from being scanned.  
 
Quote:
File:  THSec.dll  
Status:  INFECTED/MALWARE  
MD5:  0fbd5c3ea0b4166a680dc043456daec8  
Packers detected:  -  
 
Scanner results  
Scan taken on 05 Aug 2008 17:17:47 (GMT)  
A-Squared  Found nothing  
AntiVir  Found nothing  
ArcaVir  Found nothing  
Avast  Found nothing  
AVG Antivirus  Found nothing  
BitDefender  Found nothing  
ClamAV  Found Trojan.Hupigon-15103  
CPsecure  Found BackDoor.W32.Huigezi.E  
Dr.Web  Found nothing  
F-Prot Antivirus  Found nothing  
F-Secure Anti-Virus  Found nothing  
Fortinet  Found nothing  
Ikarus  Found Backdoor.Win32.Hupigon.cijc  
Kaspersky Anti-Virus  Found nothing  
NOD32  Found nothing  
Norman Virus Control  Found W32/Hupigon.DOCD  
Panda Antivirus  Found nothing  
Sophos Antivirus  Found Sus/Madcode-A (probable variant)  
VirusBuster  Found nothing  
VBA32  Found Backdoor.Win32.Hupigon.cijc  

 
Your Hijackthis log is not showing anything malicious.  However, there is some dress up work that you can do.
 
1.  Run another Hijackthis scan.
 
2.  When the scan is completed, place a check mark in the box next to the following items.  BE SURE that these are the only items checked.
 
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
 
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
 
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
 
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
 
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/v6/brix6ie.cab
 
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
 
O16 - DPF: {9D0A9D98-5221-430A-A02D-76F0827C82D1} - http://www.dialer-shop.com/im2/hardissimo.cab

 
3.  Close your Browser
 
4.  Click on Fix Checked located at the bottom left of your HJT window.  Confirm that you want HJT to fix these items and let it fix them.
 
5.  Close HJT.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
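
Added example, not part of the original thread: a small Python parser that pulls the orphaned entries (those ending in "(file missing)" or "(no file)") out of a HijackThis log and groups them by CLSID, so leftover registrations of one uninstalled component show up together. The sample lines are copied from the log posted above; the function names are illustrative, and the output is a list of candidates for review, not a removal list.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
"""

# A log entry is "<section> - <body>", where the section is a letter plus a
# number (R0, O2, O16, O23, ...). Header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends one of these when the referenced file is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(log_text):
    """Return one dict per HijackThis entry line found in log_text."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        body = match.group("body").rstrip()
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": match.group("section"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphaned": body.endswith(ORPHAN_MARKERS),
        })
    return entries


def orphaned(entries):
    """Entries whose target file HijackThis could not find."""
    return [e for e in entries if e["orphaned"]]


def orphans_by_clsid(entries):
    """Map each CLSID to the sections holding an orphaned reference to it."""
    groups = defaultdict(list)
    for entry in orphaned(entries):
        if entry["clsid"]:
            groups[entry["clsid"]].append(entry["section"])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for entry in orphaned(parsed):
        print(entry["section"], "|", entry["body"])
    print(orphans_by_clsid(parsed))
```

On the sample, the three `{4982D40A-...}` lines collapse into one group: the O3 toolbar and both O9 entries are registrations of the same component.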
blinxpro
Re: HUPIGON-15103 Removed then found again
« Reply #2 on: Aug 5th, 2008, 2:22pm »

Most of what you wrote makes sense to me.  I am unsure about what you said about madware.
 
"Yes, the TrojanHunter DLL THSec.dll uses the Madcode injection tool to inject code in memory programs for its own self protection."
 
Are you then saying that Trojan Hunter is responsible for this:
 
 C:\System Volume Information\_restore{7EE18F21-174C-4285-86DD-2FF37636C12E}\RP911\A0060488.dll: Trojan.Hupigon-15103 FOUND
 
And that I don't need to worry about files that come up saying that they are infected with Trojan.Hupigon-15103?
siliconman01
Re: HUPIGON-15103 Removed then found again
« Reply #3 on: Aug 5th, 2008, 3:37pm »

Quote:
Are you then saying that Trojan Hunter is responsible for this:  
 
 C:\System Volume Information\_restore{7EE18F21-174C-4285-86DD-2FF37636C12E}\RP911\A0060488.dll: Trojan.Hupigon-15103 FOUND
 
And that I don't need to worry about files that come up saying that they are infected with Trojan.Hupigon-15103

 
That is correct.  They are false positives and you do not need to worry about them being an infection on your computer.  They are not an infection...either one of them.
 
The file A0060488.dll in your System Volume Information folder is the same THSEC.dll file that Windows has put in your System Restore folder....one and the same.  
 
"False positive" means that your Clamwin antivirus is saying they are infections, but that is false.  They are not infections.  
« Last Edit: Aug 5th, 2008, 3:38pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
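
Added example, not part of the original thread: one way to check whether several files flagged in a ClamWin log are byte-for-byte copies of a reference file, such as a System Restore copy of an installed DLL. It parses the `<path>: <signature> FOUND` lines and compares SHA-256 digests; the file contents in `demo()` are constructed stand-ins and all function names are illustrative.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# ClamWin reports each detection as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_detections(log_text):
    """Return (path, signature) pairs for every FOUND line in the log."""
    hits = []
    for line in log_text.splitlines():
        match = FOUND_RE.match(line.strip())
        if match:
            hits.append((match.group("path"), match.group("sig")))
    return hits


def digest(path, algo="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so large files are not read into memory at once."""
    hasher = hashlib.new(algo)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            hasher.update(block)
    return hasher.hexdigest()


def compare_to_reference(paths, reference):
    """Map each file name to True if its content equals the reference file."""
    expected = digest(reference)
    return {Path(p).name: digest(p) == expected for p in paths}


def demo():
    """Run the check on constructed files named like those in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        installed = tmp / "THSec.dll"
        restore_copy = tmp / "A0060488.dll"
        unrelated = tmp / "other.dll"
        # Constructed contents: placeholders, not the real DLL.
        installed.write_bytes(b"MZ constructed stand-in for the installed DLL")
        restore_copy.write_bytes(installed.read_bytes())
        unrelated.write_bytes(b"MZ constructed file with different content")

        # Constructed log in ClamWin's format, pointing at the temp files.
        log = "Scan Started (constructed sample)\n"
        for path in (installed, restore_copy, unrelated):
            log += f"{path}: Trojan.Hupigon-15103 FOUND\n"
        log += "\nScanning aborted...\n"

        flagged = [path for path, _sig in parse_detections(log)]
        return compare_to_reference(flagged, installed)


if __name__ == "__main__":
    print(demo())
```

A matching digest shows that a restore-point hit is a copy of the reference file rather than a separate detection. Whether the reference file itself is clean is a separate check, for example comparing `digest(path, "md5")` with the MD5 shown in a multi-scanner report for the vendor's file.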
blinxpro
Re: HUPIGON-15103 Removed then found again
« Reply #4 on: Aug 6th, 2008, 2:55am »

Thank you very much for clarifying.
 
Do you have any ideas about why I'm getting the dialog box with strange characters just before log in?
siliconman01
Re: HUPIGON-15103 Removed then found again
« Reply #5 on: Aug 6th, 2008, 3:06am »

Quote:
One of the user accounts on my other computer which also is having this problem has become unusable!  When XP starts up I am presented with a dialog box with oriental characters, musical notes and other strange symbols.  There is an OK button and it must be clicked to proceed to the login screen.

 
Please go to Control Panel>User Accounts and open User Accounts.  Do you recognize all the user accounts displayed?  In other words, is there a User account name being displayed that you never set up yourself (other than Guest)?
 
There may be an infection on this computer.  I recommend that you run a Remote Online Scan with Kaspersky to see if it finds any infections.
 
1.  Sign on with a User Account that has full Administrative Privileges.
 
2.  Using Internet Explorer, go to the link below for the Kaspersky online scanner.  It will need to download an ActiveX component.  Please let it download/install this ActiveX
 
http://www.kaspersky.com/virusscanner
 
3.  Before starting the scan, temporarily disable all your security programs except your software firewall.
 
4.  Close down as many programs as you can (the icons next to the taskbar clock).
 
5.  BE SURE to run a FULL SCAN of your computer.  Kaspersky will not quarantine any infections it finds; however, it will identify infections and log them.
 
6.  Post back here the scan results of the Kaspersky scan.  
 
Also, here is a webpage for Clamwin where you can report THSec.dll as a false positive.
 
http://cgi.clamav.net/sendvirus.cgi
« Last Edit: Aug 6th, 2008, 1:33pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!