Every night Windows Live OneCare reports finding and quarantining: Backdoor:Win32/Hupigon.gen

  • Question

  •  

    When I boot Windows, after a few minutes I receive a message saying that Windows Live OneCare cannot go on.  I have been manually restarting the service from the command prompt:  Net start Winss. 

     

    I do not know what is causing this problem.  I have been running Windows Live OneCare on this computer for around 18 months.  This problem just developed in the past week or so.

     

    Second issue: every night Windows does a quick scan.  Every night Windows reports finding the same problem malware: Backdoor:Win32/Hupigon.gen.  Windows Live OneCare reports that it has quarantined the file.  Nonetheless, the file is back the next day.  I need to do more than quarantine the file.  I need to change the registry entries for startup, as it seems to reappear with every boot!

     

    I have been running Windows Live OneCare on this computer for about 18 months without incident.  This problem goes back about a week or so.

     

    Windows Live, etc., reports that it is up-to-date and the status is good!
    Wednesday, May 14, 2008 4:38 AM

Answers

  • Since you are able to start OneCare manually after the PC has booted, I suspect that it is running into a resource issue or delayed startup of a service.

    Have a look at this post: 

    http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2523777&SiteID=2

     

    As for the recurring virus, you should open OneCare, click on Change Settings, go to the logging tab and create a support log. A report will open in your browser. Scroll to the Virus and Spyware section and look for the entry noting the quarantine of the threat to see the origin. It may be located in your System Restore points or it may be coming from the System Files. If it is the former, you might want to consider shutting off System Restore and then turning it back on. Note that this will eliminate any possibility of using System Restore to return to a time before you delete the Restore Points.

     

    You can also contact support for help with both issues or either one.

    How to reach support (FAQ) - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

     

    -steve

    Thursday, May 15, 2008 5:53 PM
    Moderator

All replies

  •  

    Here is what the log reports:

     

    Windows Live OneCare found potentially harmful or unwanted software on your computer

    Threat Name: Backdoor:Win32/Hupigon.gen
    Detection Date and Time: 5/15/2008 3:57 PM
    File Name: pid:1536
    Threat Severity: Severe
    Threat Category: Backdoor
    Threat found by On Demand Scan: (ANTIVIRUS_ONDEMAND)
    Threat Status: Quarantined

    Virus and spyware scan was completed

    Scanned Items: -
    Scan Type: Custom Scan
    Scan StartTime: 5/15/2008 2:53 PM
    Scan EndTime: 5/15/2008 2:59 PM
    Total Number of Files Scanned: 6454
    Total Number of Files Not Scanned: 11
    Total Number of Threats Found: 1
    Total Number of Threats Cleaned: 0
    Total Number of Threats Removed: 0
    Total Number of Threats Quarantined: 1
    Total Number of Threats Still Present But Suspended: 0

     

    As you can see I do not have an obvious path to the file. 

    I previously scanned the computer and quarantined the virus.

    Then I deleted ALL my restore points.

    With a now clean machine I set a new restore point.

    Then I rebooted and ran another scan.  My backdoor was there again.

    What do I do to get rid of this?

    Friday, May 16, 2008 4:43 AM
  • Ah, it looks like it grabbed it from a running process and not from a file. That would be the PID 1536 entry.

    Can you do a complete scan and see if it finds the threat? The scan entry is for the daily quick scan, not the full scan of all areas of the PC as in Tune-up.

    You can also contact support, per my previous reply, to get help with removal.

    -steve

     

    Saturday, May 17, 2008 12:40 AM
    Moderator
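
    Added example, not part of the original thread: on a current Windows system with PowerShell 5.1 or later, a `pid:1536` style entry like the one discussed above can be resolved to the on-disk image behind the process and to the autostart entries that launch it. The function names and the default PID are illustrative assumptions; the PID must be read from a fresh scan log, since it changes on every boot.

```powershell
# Added example (not from the thread). Run elevated while the flagged process is alive.
param([int]$FlaggedPid = 1536)   # from the "File Name: pid:1536" log entry; PIDs change every boot

function Get-FlaggedProcess {
    param([int]$ProcessId)
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) { return $null }            # process already exited or the PID is stale
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        Name        = $p.Name
        Path        = $p.ExecutablePath      # can be empty for protected processes
        CommandLine = $p.CommandLine
        Started     = $p.CreationDate
        ParentName  = $parent.Name           # what launched it (empty if the parent has exited)
        ParentPath  = $parent.ExecutablePath
    }
}

function Get-AutostartsFor {
    param([string]$ImagePath, [int]$ProcessId)
    $leaf = Split-Path $ImagePath -Leaf
    $cmp  = [StringComparison]::OrdinalIgnoreCase
    # Run keys and Startup folders, as exposed through WMI
    Get-CimInstance Win32_StartupCommand |
        Where-Object { $_.Command -and $_.Command.IndexOf($leaf, $cmp) -ge 0 } |
        Select-Object @{n='Kind';e={'StartupCommand'}}, Name,
                      @{n='Launches';e={$_.Command}}, Location
    # Services hosted in the flagged PID or pointing at the same image
    Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -eq $ProcessId -or
                       ($_.PathName -and $_.PathName.IndexOf($leaf, $cmp) -ge 0) } |
        Select-Object @{n='Kind';e={'Service'}}, Name,
                      @{n='Launches';e={$_.PathName}}, @{n='Location';e={$_.StartMode}}
}

$proc = Get-FlaggedProcess -ProcessId $FlaggedPid
if (-not $proc) {
    Write-Warning "PID $FlaggedPid is not running; re-read the PID from a fresh scan log."
} elseif (-not $proc.Path) {
    Write-Warning "No image path available for $($proc.Name); retry from an elevated prompt."
    $proc | Format-List
} else {
    $proc | Format-List
    Get-FileHash -Algorithm SHA256 -LiteralPath $proc.Path | Format-List Hash
    Get-AuthenticodeSignature -FilePath $proc.Path | Format-List Status, SignerCertificate
    Get-AutostartsFor -ImagePath $proc.Path -ProcessId $FlaggedPid | Format-Table -AutoSize -Wrap
}
```

    If the PID belongs to a shared system host process, the image itself may be legitimate and the service list will be long; in that case the parent process and the services hosted in that PID are the more useful leads.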
  • Hey

     

       It looks like after reboot this malware is getting executed or some other program is executing it.

     

    Since you quarantined this, it will be easy to know the path of this binary (virus) which tries to get executed.

    Can you do the following to get the path of this binary?

     

     

    1. Open OneCare

    2. Click on Change Settings

    3. It will open a window "Windows LiveOne Care Settings"

    4. Click on the 4th tab labelled as "Virus and Spyware"

    5. Click on "Quarantine" button in the end

    6. It will show you the virus it quarantined, location, name etc.

    7. Can you send me that information at my email id montyj@microsoft.com

     

    Please let me know if you face any problem with any of these steps.

     

    thanks

    Monty Jain[MSFT] montyj@microsoft.com

     

     

    Tuesday, May 20, 2008 5:21 PM