ClamWin Free Antivirus - Support and Discussion Forums
Trojan removal (hupigon)
rogerjan
Joined: 22 May 2011
Posts: 0
Location: Georgia, USA
Clamwin quarantined Hupigon-33703, which was involved with a (presumed) copy of iexplore.exe, located in a place it had no right to be. It also quarantined the desktop icon for IE. So far, so good. It seems that simply deleting infected files is not the way to purge the malware. Reading archives, GuitarBob indicates that first one or more alternative antivirus scanners should be used on an XP machine, to confirm there was no false positive. Jotti and Virus Total were mentioned as cloud options. If I understand correctly, even when confirmed, some other antivirus software would have to be acquired, in order to remove the trojan. Excuse the ignorance, but after the quarantining, I ran the MS Malicious Software Removal Tool, and it found nothing on the PC (it lists this trojan and one that it detects). I also ran MS Security Essentials, with similar results. Are these tools blind to the quarantined files? Would, therefore, the cloud-based scanners not also fail to confirm the diagnosis? Thanks!
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
If you are pretty sure a file is infected with malware, you should let ClamWin quarantine it, of course. Once in quarantine, it can't do any harm, and you can check it out with other scanners and restore a false positive detection. At one time, ClamWin had more of a problem with false positives, especially on Windows system and Microsoft program files, so my suggestion was to verify it before getting rid of it. Now ClamWin has false positive protection on digitally-signed Microsoft files, and will not let you quarantine/delete them, so there is less of a chance of a false positive toasting your system. I think you can safely set ClamWin to quarantine infected files now. False positives can still happen though.

Security Essentials is a pretty good AV, and it has a very low false positive rate. So if it says a file is clean, it probably is, but make sure it has current signatures. If you need more assurance than one or two other AVs, use Jotti or Virus Total. No AV has a 100% detection rate with no false positives, but Jotti uses 20 AVs in all, and Virus Total uses over 40 AVs, so they are better than one or two AVs alone. I like to look at what AntiVir, Bitdefender, Kaspersky, Nod32, and Sophos say about a file. If at least 2 of them spot an infection, I usually believe it.

The sad fact is that many (if not most) new viruses will not be detected by most AVs until someone gives them a file from which they can get a signature, and that can take a period of one to several days. That's why I like to keep my signatures updated and verify all files.

Regards,
rogerjan
Joined: 22 May 2011
Posts: 0
Location: Georgia, USA
I have uploaded this iexplore.exe file to both on-line services you recommended. What they immediately reported - based on previous submittals - and before I requested a fresh scan, was not identical to the new scan, in all respects. I have screen captures of all of these results, which would be a lot easier to share, if there is a way to do it. Initially, Jotti reported 2 out of 20 scanners reported malware with - strangely - the file Winlogon (which was not the name of the file I submitted), and which is why I asked for another scan. On proper scan, 4 of 20, including ClamAV reported problems. None of the other "big names" identified malware. The three others that did reported: Troj.downloader.w32.Aphex.020 (CP Secure), Backdoor.Hupigo (VBA 32), and Generic.23.37425 (ArcaVir). Virus Total offered 12 of 43. They included PUA.PAcked.Pecompact-1 (a change in the ClamAV identification, strangely), and Troj_gen.R47C14 (Both forms of Trend Micro). Again, none of the other well-known players reported malware.
This sort of percentage is, of course, a nightmare, because it suggests something and proves nothing. The only supporting evidence is that I can see no reason why something called iexplore.exe would be at the end of a data path that I use for storing Excel files, even though the Excel file does call for stock info via MS and the Internet.
I have a Seagate Replica backup system that is of no help in seeing if the iexplore file was there 20 days ago. I only plug that drive in after running ClamAV and others, about once a month. Problem is the drive cannot be examined unless connected and if connected will replicate anything it can! It also prohibits any manual file deletion!
Could you please comment on the question regarding whether, once quarantined, AV software would be unable to get at the file to scan it? I have scanned the computer with MSE, MS Malware Removal Tool, and Spybot, but this was done with the file in quarantine.
Lipper
Joined: 31 Oct 2010
Posts: 0
Location: USA
Hello rogerjan,

Quote:
I have screen captures of all of these results, which would be a lot easier to share, if there is a way to do it.

Yes, look for the 'Add image to post' link when replying. Or, just post the link to the VirusTotal scan. The VirusTotal page will show us MD5 and Sha1 file hashes which may reveal something in a Google or malware info site search.

Quote:
Could you please comment on the question regarding whether, once quarantined, AV software would be unable to get at the file to scan it?

Maybe. If you'll look in the quarantine folder, you will see that ClamWin adds a .infected extension to the suspect file name. This is what makes the file benign. Most antivirus programs ignore non-executable file extensions by default to quicken scan time and reduce system resources used. Therefore, the file may not be scanned. You can override this if your other antivirus program has a 'Scan all files' option, but this will likely drastically increase scan time.

Regards,
Lipper
rogerjan
Joined: 22 May 2011
Posts: 0
Location: Georgia, USA
Thanks for the reply. Here is the link to the Total Virus scan of iexplore.exe:
https://www.virustotal.com/file-scan/report.html?id=d9c3055b20a35051fd570e2961dc4df6104a6b73d83771ebe75516ab50397eb5-1315942312
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Hupigon is an old backdoor that has had some resurgence lately. On Virus Total, Clam picks up that a frequently-used malware packer was used. Sophos (one of my favorites) says it is a Nirsoft product--Nirsoft makes commercial backdoor stuff that is usually recognized as a Potentially Unwanted Application (PUA), which is okay if the user wants it on their computer, but such stuff could be used to gain remote control over a computer. That may be why none of my other favorite AVs (AntiVir, Bitdefender, Kaspersky, and Nod 32) recognize anything.

If the file uploaded was Internet Explorer or some variant thereof, get rid of it on your computer.

See the MD5 hash number at the end of the Virus Total page? You can paint it and do a search for it on Google. Here is what you see: https://www.google.com/#hl=en&sugexp=gsis%2Ci18n%3Dtrue&cp=32&gs_id=2&xhr=t&q=25b4aebe25fe427f7ff7228786cf2526&pf=p&sclient=psy-ab&site=&source=hp&pbx=1&oq=25b4aebe25fe427f7ff7228786cf2526&aq=f&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2,or.r_gc.r_pw.&fp=6bf2e0d7ff2e1027&biw=1024&bih=546 when you do that.

Regards,
Lipper
Joined: 31 Oct 2010
Posts: 0
Location: USA
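A small triage helper, added here as an example and not part of this thread or of ClamWin's own tooling: it walks a ClamWin quarantine directory, takes every file carrying the `.infected` suffix Lipper describes, and computes the MD5, SHA1 and SHA256 that a VirusTotal report lists, so the hash can be searched on VirusTotal or Google (as GuitarBob suggests) without ever restoring or running the file. It also records whether the file still begins with the `MZ` executable header, the reason a renamed copy is still worth treating as a program. The quarantine directory and its contents are constructed sample data.

```python
import hashlib
import os
import tempfile

QUARANTINE_SUFFIX = ".infected"      # suffix ClamWin adds to quarantined files
HASH_NAMES = ("md5", "sha1", "sha256")


def triage_quarantined_file(path):
    """Hash one quarantined file and note whether it is PE-shaped.

    Returns the original name (suffix stripped), the three digests a
    VirusTotal report shows, and whether the first two bytes are the
    'MZ' magic of a Windows executable. The file is only read.
    """
    name = os.path.basename(path)
    original = name[:-len(QUARANTINE_SUFFIX)] if name.endswith(QUARANTINE_SUFFIX) else name
    digests = {h: hashlib.new(h) for h in HASH_NAMES}
    with open(path, "rb") as fh:
        magic = fh.read(2)
        for d in digests.values():
            d.update(magic)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {"original_name": original, "is_pe": magic == b"MZ",
            **{h: d.hexdigest() for h, d in digests.items()}}


def triage_quarantine_dir(directory):
    """Triage every .infected file in a quarantine directory, sorted by name."""
    return [triage_quarantined_file(os.path.join(directory, entry))
            for entry in sorted(os.listdir(directory))
            if entry.endswith(QUARANTINE_SUFFIX)]


def make_sample_quarantine():
    """Constructed sample: one fake MZ-headed file (not a real PE) and one text file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "iexplore.exe.infected"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary")
    with open(os.path.join(d, "notes.txt.infected"), "wb") as fh:
        fh.write(b"just text")
    return d


if __name__ == "__main__":
    for r in triage_quarantine_dir(make_sample_quarantine()):
        print(r["original_name"], "PE" if r["is_pe"] else "not PE", r["sha256"])
```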
You're welcome, rogerjan. (Hi Bob!)

The file you submitted to VirusTotal is rkill.exe (sound familiar?) renamed to iExplore.exe. The program is legitimate and used by malware fighters to kill certain processes when cleaning up a system. The file is often renamed in order to fool malware:

https://www.bleepingcomputer.com/download/anti-virus/rkill
https://www.bleepingcomputer.com/forums/topic308364.html

Therefore, I believe the Hupigon detection is a false positive. You should submit the file to Clam AV as such for further examination:

https://cgi.clamav.net/sendvirus.cgi

Lipper
rogerjan
Joined: 22 May 2011
Posts: 0
Location: Georgia, USA
Much obliged for the information, as always, folks! There are still troubling questions: As Lipper recalled, I had dealings with rkill (and had forgotten about "iexplore.exe") when fighting a previous infection on this (XP) machine. The infection was apparently defeated months ago, since which time I have run ClamAV often, all without the iexplore detection. And I have not downloaded rkill again. There is also the question of how it came to be in my Excel data directory. Very strange.
But the important question now is: Is there any reason to worry that an infection persists that will not be entirely removed by simply deleting iexplore.exe?
I submitted the file to ClamAV as suggested, but it was rejected as having already been identified as Hupigon, so there didn't seem to be a way to have ClamAV look at the item again with the notion that 75% of AV scanners disagree, and that it might be a false +.
Could I have your recommendations / suggestions? Delete from quarantine and hope that there isn't a real and viable hupigon lurking somewhere? Or pursue finding out, for sure, whether this iexplore.exe is, in fact, rkill (and if so, how)? Thanks!
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Good job, Lipper! I should have followed up on the results of my MD5 hash search. As you said, doing so shows that it was developed by Bleeping Computer to stop AV processes. So if a malware author got hold of it (it's free), then he could stop the AVs and slip something in, or he could incorporate the rkill code into his own malware. I think the file should certainly be considered a potentially unwanted application (PUA) and therefore killed on his machine. Perhaps there is a backdoor component to it that can be activated.

There is probably nothing to worry about beyond deleting the file, but if he needs some assurance, perhaps a comparison of the MD5 hash of this file and the MD5 hash of the Bleeping Computer rkill file will help (hashes should be the same). Virus Total will show the hashes. If they are the same, I wouldn't worry about it.

Some AV is always going to detect a file like rkill.

Regards,
rogerjan
Joined: 22 May 2011
Posts: 0
Location: Georgia, USA
OK guys, I think the consensus is to delete the file, which I will do - unless you need more information about it. Also, I learned something important about the way my external back-up drive (Seagate Replica) operates. Seagate expects the drive to be connected all the time, of course, and assumes that all malware defenses are perfect. But even backing up periodically and only after running every malware product in my collection, something can still exist on the PC and end up - irrevocably - on the back-up drive. Irrevocably, except that is, by starting all over again; getting a special re-up code from Seagate, downloading new software, reformatting and backing the entire hard drive up again. This brings an added cost to using a hot back-up, and an annoyance value to the malware. Something new to learn every day!
Thanks for the help, once again!
Lipper
Joined: 31 Oct 2010
Posts: 0
Location: USA
Thanks, Bob.

Quote:
There is probably nothing to worry about beyond deleting the file, but if he needs some assurance, perhaps a comparison of the MD5 hash of this file and the MD5 hash of the Bleeping Computer rkill file will help (hashes should be the same). Virus Total will show the hashes. If they are the same, I wouldn't worry about it.

I'm afraid comparing hashes wouldn't work. Like Combofix and other anti-malware tools, rkill/iexplore changes often to reflect the latest threats. Here's today's rkill mix at VT:

https://www.virustotal.com/file-scan/report.html?id=acfec1ede06dea18a953d1e92ef1d9b8e35b2429e8b2d029d408efefab160792-1316035995

Lipper
Lipper
Joined: 31 Oct 2010
Posts: 0
Location: USA
You're welcome, rogerjan. Yes, just delete the file. It is outdated now, and useless.

Lipper